FCP_FCT_AD-7.2 Security Fabric integration

Security Fabric Integration Detailed Explanation

Security Fabric Integration allows FortiClient EMS to function as a core component of the Fortinet ecosystem. This integration enhances security by enabling centralized management, real-time threat detection, and automated responses across multiple Fortinet products.

1. Overview of Security Fabric Integration

1.1 What is Security Fabric?

The Fortinet Security Fabric is a unified framework that integrates Fortinet devices, endpoints, and services. It provides seamless communication and interoperability to deliver a comprehensive security solution. Key elements include:

  1. Integration of Fortinet Products:

    • Includes FortiGate (firewalls), FortiClient (endpoints), FortiAnalyzer (logging and analytics), and FortiSandbox (malware analysis).
    • All components work together to share security intelligence.
  2. Real-time Communication and Automation:

    • Enables devices to detect and respond to threats automatically.
    • For example, if a threat is detected on an endpoint, the firewall can automatically block that device.
  3. Scalable Security:

    • Designed for organizations of all sizes.
    • Security Fabric can grow with your network and adapt to complex environments.

1.2 Benefits of Security Fabric Integration

  1. Centralized Management:

    • Administrators can manage security policies for endpoints, networks, and applications from a single platform.
    • Simplifies policy enforcement and compliance monitoring.
  2. Automated Threat Detection and Response:

    • When a threat is detected, Security Fabric components work together to mitigate the risk.
    • Example: An infected endpoint can be isolated from the network until remediated.
  3. Improved Visibility:

    • Provides a unified view of all devices, traffic, and applications in the network.
    • Helps identify vulnerabilities and anomalies across the entire infrastructure.
  4. Enhanced Compliance:

    • Simplifies reporting for regulatory compliance by consolidating logs and activities in one place.

2. Configuring EMS within the Security Fabric

Integrating FortiClient EMS into the Security Fabric involves connecting it with other Fortinet products, configuring rules, and ensuring seamless communication.

2.1 Connecting EMS to FortiGate

Step 1: Generate an API Key or Certificate in FortiGate
  1. Log in to the FortiGate Management Console.
  2. Navigate to System > Administrators > Create New.
  3. Select REST API Admin and configure:
    • Name: Assign a descriptive name (e.g., EMS_API).
    • IP Restrictions: Restrict API access to the EMS server's IP.
    • Permissions: Grant necessary permissions for endpoint management.
  4. Save the configuration and copy the generated API key.
Step 2: Configure EMS to Connect to FortiGate
  1. Open the EMS console and go to Fabric Connections.
  2. Add a new connection:
    • Type: FortiGate.
    • API Key: Paste the API key from FortiGate.
    • FortiGate IP: Enter the IP address of the FortiGate device.
  3. Save the configuration and test the connection.
Step 3: Verify Integration
  1. Log back into the FortiGate console.
  2. Navigate to Security Fabric > Fabric Devices.
  3. Confirm that EMS appears as a connected device in the Security Fabric.

2.2 Endpoint Discovery

Once EMS is connected to FortiGate, the Security Fabric can automatically discover and manage endpoints.

  1. Endpoint Discovery Process:

    • EMS shares the list of managed endpoints with FortiGate.
    • FortiGate displays endpoints and their compliance status in its dashboard.
  2. Continuous Monitoring:

    • EMS regularly updates endpoint information, including:
      • Security status (e.g., compliant, non-compliant).
      • Threat detections and remediation actions.
    • FortiGate uses this data to enforce network access control.

2.3 Configuring Security Fabric Rules

What Are Security Fabric Rules?

Security Fabric rules define how devices in the Security Fabric respond to specific conditions or threats: a trigger (the condition) is paired with an action (the response).

Example: Quarantine Non-compliant Endpoints
  1. Condition:
    • An endpoint with outdated antivirus definitions or unpatched vulnerabilities is detected.
  2. Action:
    • Automatically isolate the endpoint from the network.
    • Allow communication only with EMS for remediation.
How to Configure Rules
  1. In the FortiGate console, navigate to Security Fabric > Automation.
  2. Create a new automation rule:
    • Trigger: Define the event (e.g., endpoint non-compliance).
    • Action: Select the desired response (e.g., quarantine).
  3. Save and test the rule to ensure it works as intended.

3. Key Security Fabric Features

3.1 Real-time Threat Detection

How It Works
  1. EMS integrates with FortiSandbox to analyze suspicious files or behaviors.
  2. Threat intelligence is shared across the Security Fabric in real time.
    • For example, if malware is detected on one endpoint, all other devices are updated with the same threat signature.
Benefits
  • Accelerates threat identification and response.
  • Prevents the spread of malware or other threats.

3.2 Quarantine and Isolation

Device Quarantine at the FortiGate Level
  1. When an endpoint is identified as compromised, FortiGate enforces isolation:
    • Blocks all network traffic from the device.
    • Allows only communication with remediation servers (e.g., EMS).
Endpoint Isolation by EMS
  1. EMS can locally isolate an endpoint:
    • Disconnects it from other devices and resources.
    • Ensures threats do not propagate within the network.

3.3 Zero Trust Network Access (ZTNA)

What is ZTNA?

Zero Trust Network Access restricts access to network resources based on the endpoint’s security status.

ZTNA Checks Include:
  1. Antivirus Status:
    • Endpoint must have antivirus enabled and up-to-date.
  2. Vulnerability Assessments:
    • Device must not have unpatched critical vulnerabilities.
  3. Compliance with Policies:
    • Endpoint must adhere to assigned security policies.
Benefits of ZTNA
  • Limits access to only compliant and secure endpoints.
  • Reduces the risk of insider threats and lateral movement by attackers.
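The rule model from 2.3 (trigger paired with action) and the ZTNA posture checks listed above can be traced end to end in code. The following is an added example, not Fortinet's code: it assumes a small set of check names, a three-day signature-age threshold, and a trigger/action rule list ordered by severity, and walks constructed endpoints through posture evaluation, tagging, rule selection and the resulting enforcement.

```python
"""Endpoint posture evaluation feeding Security Fabric automation rules.

Added example, not Fortinet code: the check names, the signature-age threshold
and the rule representation are assumptions chosen to mirror the flow above
(EMS evaluates posture -> compliance tag -> FortiGate trigger/action rule).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class EndpointPosture:
    """Posture facts EMS would report for one managed endpoint (constructed)."""
    hostname: str
    av_enabled: bool
    av_signature_date: date
    unpatched_critical_vulns: int
    policy_violations: list = field(default_factory=list)


# Assumed threshold: definitions older than this count as "not up to date".
MAX_SIGNATURE_AGE = timedelta(days=3)

# Automation rules in trigger/action form, most severe first. The first rule
# whose trigger is among the endpoint's failed checks decides the action.
# Rule names and ordering are assumptions, not FortiGate's built-in rules.
AUTOMATION_RULES = [
    ("antivirus-disabled", "quarantine"),
    ("critical-vulnerabilities", "quarantine"),
    ("antivirus-outdated", "restrict"),
    ("policy-violation", "alert"),
]


def evaluate_posture(ep: EndpointPosture, today: date) -> list:
    """Return the ZTNA-style checks the endpoint fails (empty list = compliant)."""
    failures = []
    if not ep.av_enabled:
        failures.append("antivirus-disabled")  # disabled AV outranks stale AV
    elif today - ep.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus-outdated")
    if ep.unpatched_critical_vulns > 0:
        failures.append("critical-vulnerabilities")
    if ep.policy_violations:
        failures.append("policy-violation")
    return failures


def compliance_tag(failures: list) -> str:
    """Tag EMS would synchronize to FortiGate for policy evaluation."""
    return "compliant" if not failures else "non-compliant"


def select_action(failures: list, rules=AUTOMATION_RULES) -> str:
    """First matching rule wins; a compliant endpoint is allowed through."""
    for trigger, action in rules:
        if trigger in failures:
            return action
    return "allow"


def enforcement(action: str, ems_server: str) -> dict:
    """Network reachability FortiGate would apply for the chosen action."""
    if action == "quarantine":
        # Isolated: only the remediation server (EMS) is reachable.
        return {"allow": [ems_server], "deny": ["any"]}
    if action == "restrict":
        # Reduced access: EMS plus an assumed update server only.
        return {"allow": [ems_server, "update-server"], "deny": ["any"]}
    return {"allow": ["any"], "deny": []}


def decide(ep: EndpointPosture, today: date, ems_server: str = "ems.example.internal") -> dict:
    """Full chain: posture -> failed checks -> tag -> rule action -> enforcement."""
    failures = evaluate_posture(ep, today)
    action = select_action(failures)
    return {
        "hostname": ep.hostname,
        "tag": compliance_tag(failures),
        "failures": failures,
        "action": action,
        "policy": enforcement(action, ems_server),
    }


# Constructed sample endpoints, evaluated as of 2024-06-10.
TODAY = date(2024, 6, 10)
SAMPLE_ENDPOINTS = [
    EndpointPosture("WS-001", True, date(2024, 6, 9), 0),
    EndpointPosture("WS-002", False, date(2024, 5, 1), 0),
    EndpointPosture("WS-003", True, date(2024, 6, 1), 0, ["usb-storage-enabled"]),
    EndpointPosture("WS-004", True, date(2024, 6, 10), 2),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        d = decide(ep, TODAY)
        print(f"{d['hostname']}: {d['tag']} {d['failures']} -> {d['action']}")
```

The ordering in AUTOMATION_RULES is the design point: when an endpoint fails several checks, the most severe trigger decides the action, so an endpoint that is both policy-violating and running stale antivirus is restricted rather than merely alerted on.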

3.4 Fabric Audit Logs

Audit logs are essential for tracking activities, ensuring compliance, and conducting forensic investigations.

Centralized Logging in FortiAnalyzer
  1. Integration with FortiAnalyzer:

    • EMS logs all endpoint-related actions and shares them with FortiAnalyzer.
    • FortiAnalyzer consolidates logs from multiple Security Fabric devices (e.g., FortiGate, FortiClient, FortiSandbox).
  2. Key Audit Logs from EMS:

    • Administrative Actions:
      • Changes to policies, configurations, or user roles.
    • Endpoint Events:
      • Policy violations, malware detections, or compliance failures.
    • Threat Responses:
      • Actions taken to quarantine or isolate devices.
  3. Using Logs for Compliance:

    • Generate reports to demonstrate compliance with regulations such as GDPR, HIPAA, or PCI DSS.
    • Log retention policies can be customized to meet auditing requirements.
Generating Detailed Reports
  1. In FortiAnalyzer, navigate to Reports > Create Report.
  2. Select prebuilt templates (e.g., endpoint compliance, threat detection).
  3. Customize the time range and data fields.
  4. Export the report in PDF or CSV format.
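The three audit log categories above (administrative actions, endpoint events, threat responses) are what an auditor correlates in FortiAnalyzer. As an added example, not Fortinet code, the following parses constructed key=value log lines (the field names and layout are assumptions, not the real EMS schema), counts records per category, and flags the gap a forensic reviewer looks for: a malware detection that no quarantine response followed.

```python
"""Parser and audit checks over EMS-style audit logs.

Added example, not Fortinet code. The key=value line layout and the field
names (logtype, host, event, action, ...) are assumptions; the sample lines
below are constructed, not real EMS output.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines covering the three categories listed above:
# administrative actions, endpoint events and threat responses.
SAMPLE_LOGS = """\
date=2024-06-10 time=09:00:12 logtype=admin user="admin" action="policy-update" msg="Changed compliance profile Default"
date=2024-06-10 time=09:05:40 logtype=endpoint host="WS-011" event="malware-detected" file="invoice.exe" severity=high
date=2024-06-10 time=09:05:41 logtype=response host="WS-011" action="quarantine" source=automation
date=2024-06-10 time=09:12:03 logtype=endpoint host="WS-014" event="compliance-failure" reason="antivirus-outdated"
date=2024-06-10 time=09:15:22 logtype=endpoint host="WS-020" event="malware-detected" file="update.js" severity=high
date=2024-06-10 time=09:40:00 logtype=response host="WS-011" action="unquarantine" source=admin user="admin"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

CATEGORY = {
    "admin": "administrative",
    "endpoint": "endpoint-event",
    "response": "threat-response",
}


def parse_line(line: str) -> dict:
    """Split one log line into a dict and add a sortable 'ts' field."""
    rec = {}
    for key, quoted, bare in KV_RE.findall(line):
        rec[key] = quoted or bare
    rec["ts"] = f"{rec.get('date', '')} {rec.get('time', '')}"
    return rec


def parse_logs(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def categorize(rec: dict) -> str:
    return CATEGORY.get(rec.get("logtype"), "unknown")


def category_counts(records: list) -> dict:
    """How many records fall into each audit category."""
    return dict(Counter(categorize(r) for r in records))


def admin_actions_by_user(records: list) -> dict:
    """Administrative changes per user, the first thing checked in a config audit."""
    return dict(Counter(r["user"] for r in records if categorize(r) == "administrative"))


def detections_without_quarantine(records: list) -> list:
    """Hosts with a malware detection that no quarantine response follows.

    Quarantine responses are indexed per host first; a detection is covered
    only if a quarantine for the same host occurs at or after the detection.
    """
    quarantines = defaultdict(list)
    for r in records:
        if categorize(r) == "threat-response" and r.get("action") == "quarantine":
            quarantines[r["host"]].append(r["ts"])
    missing = []
    for r in records:
        if categorize(r) == "endpoint-event" and r.get("event") == "malware-detected":
            if not any(q >= r["ts"] for q in quarantines[r["host"]]):
                missing.append(r["host"])
    return missing


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("per category:", category_counts(recs))
    print("admin actions:", admin_actions_by_user(recs))
    print("detections with no quarantine:", detections_without_quarantine(recs))
```

In the constructed data, WS-011 was quarantined one second after its detection while WS-020 never was, so the report names WS-020; that is the kind of finding the compliance reports described above are meant to surface.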

3.5 Real-time Threat Intelligence Sharing

How Threat Intelligence Works in the Security Fabric
  1. EMS continuously monitors endpoints for suspicious activity.
  2. When a threat is detected:
    • EMS shares the threat signature with FortiGuard and other devices in the Security Fabric (e.g., FortiGate, FortiAnalyzer).
    • All connected devices update their security settings to mitigate similar threats.
Benefits of Threat Intelligence Sharing
  • Proactive defense against known and emerging threats.
  • Reduced detection-to-response time across the network.
Example Workflow:
  1. A suspicious file is detected on an endpoint.
  2. EMS sends the file to FortiSandbox for in-depth analysis.
  3. FortiSandbox identifies the file as malware and generates a signature.
  4. The signature is shared with all Security Fabric devices, blocking the malware from spreading.

4. Advanced Integration Scenarios

Security Fabric Integration extends beyond basic functionality by connecting EMS with other Fortinet products for advanced analytics, automation, and threat response.

4.1 Integration with FortiAnalyzer

Purpose of FortiAnalyzer

FortiAnalyzer serves as a centralized platform for log storage, analytics, and reporting.

Steps to Integrate EMS with FortiAnalyzer
  1. Connect EMS to FortiAnalyzer:
    • In the EMS console, navigate to Log Settings.
    • Enter the FortiAnalyzer IP address and authentication credentials.
  2. Verify Log Transmission:
    • Log in to FortiAnalyzer and ensure EMS appears in the device list under Log View.
  3. Enable Detailed Logging:
    • Configure EMS to send all event logs, including:
      • Endpoint status updates.
      • Threat detections and remediation actions.
Benefits of Integration
  1. Comprehensive Log Analysis:
    • Correlate logs from EMS, FortiGate, and other devices to identify attack patterns.
  2. Incident Forensics:
    • Investigate the root cause of security incidents.
    • Example: Trace malware activity across endpoints and network devices.
  3. Automated Reporting:
    • Create periodic reports on endpoint compliance, threat activity, and administrative actions.

4.2 Integration with FortiSandbox

Purpose of FortiSandbox

FortiSandbox is a powerful tool for analyzing suspicious files in a controlled environment and generating threat intelligence.

Steps to Integrate EMS with FortiSandbox
  1. Enable Sandbox Integration:
    • In the EMS console, navigate to Sandbox Settings.
    • Enter the FortiSandbox IP address and credentials.
  2. Configure File Submission:
    • Define which files are sent to FortiSandbox:
      • Executables, documents, or scripts flagged by the endpoint antivirus.
  3. Test the Integration:
    • Simulate a file submission and verify results in both EMS and FortiSandbox.
Automated Endpoint Actions Based on Sandbox Results
  1. If FortiSandbox identifies a file as malicious:
    • EMS quarantines the file on the endpoint.
    • FortiGate blocks the file from being downloaded by other devices.
  2. Generate reports for further analysis or compliance documentation.

4.3 Threat Intelligence Sharing

How EMS Shares Threat Intelligence
  1. EMS integrates with FortiGuard to receive real-time updates on global threats.
  2. EMS shares endpoint telemetry, including:
    • Malware activity.
    • Compliance violations.
    • Device vulnerabilities.
  3. Other Security Fabric components use this telemetry to enhance their own security measures.
Leveraging FortiGuard Threat Intelligence
  1. Endpoint Protection:
    • Automatically update antivirus definitions and threat signatures.
  2. Network Security:
    • FortiGate uses the shared intelligence to block malicious IPs, URLs, or files.

Security Fabric Integration (Additional Content)

Integrating FortiClient EMS with Fortinet’s Security Fabric significantly improves endpoint security visibility, compliance enforcement, and threat intelligence sharing. This section will guide you step by step through the integration process, explaining the components, communication flow, and automated security responses.

3.1 Security Fabric Components

Fortinet's Security Fabric is an interconnected security ecosystem where different Fortinet products share threat intelligence and enforce security policies. When FortiClient EMS integrates with the Security Fabric, it allows seamless monitoring, compliance enforcement, and automated response to security threats.

Key Fortinet Products That Integrate with EMS

FortiClient EMS can integrate with the following Fortinet products:

1. FortiGate (Firewall)

  • Purpose:
    • Acts as the central policy enforcement point.
    • Monitors endpoint security posture (e.g., antivirus status, software updates).
    • Blocks or isolates non-compliant devices.
  • How It Works:
    • FortiClient agents register with FortiGate Endpoint Control.
    • FortiGate verifies the endpoint's security posture before allowing network access.

2. FortiAnalyzer (Log Management & Security Analytics)

  • Purpose:
    • Stores FortiClient logs for compliance and security auditing.
    • Provides real-time insights into endpoint security events.
    • Helps detect unusual behaviors and generate alerts.
  • How It Works:
    • EMS forwards logs to FortiAnalyzer.
    • FortiAnalyzer correlates data from multiple sources (firewalls, endpoints, SIEM).

3. FortiSIEM (Security Information and Event Management)

  • Purpose:
    • Collects and correlates security events across the network.
    • Detects and responds to security incidents in real time.
    • Enhances incident investigation and forensic analysis.
  • How It Works:
    • EMS sends endpoint security telemetry to FortiSIEM.
    • FortiSIEM identifies potential threats using machine learning and correlation engines.

4. FortiSandbox (Advanced Threat Detection)

  • Purpose:
    • Detects and analyzes unknown or zero-day malware.
    • Provides real-time protection by sandboxing suspicious files.
  • How It Works:
    • FortiClient sends suspicious files to FortiSandbox.
    • FortiSandbox executes the files in a secure virtual environment to observe their behavior.
    • If a file is identified as malicious, FortiClient blocks it across all endpoints.

3.2 Endpoint and Security Fabric Communication

Once integrated with Security Fabric, FortiClient EMS, FortiGate, and other Fortinet products communicate with each other to share security data and enforce compliance policies.

Key Communication Processes

  1. Device Registration
    • FortiClient endpoints register with FortiGate when they connect to the network.
    • FortiGate retrieves endpoint compliance status from EMS.
  2. Compliance Enforcement
    • If an endpoint fails security checks (e.g., outdated antivirus, missing patches), FortiGate restricts network access.
    • EMS notifies administrators of non-compliant devices.
    • Endpoints must meet security requirements before regaining full access.
  3. Threat Intelligence Sharing
    • FortiClient continuously monitors for malware, vulnerabilities, and policy violations.
    • If a threat is detected, EMS sends security telemetry to FortiGate, FortiAnalyzer, and FortiSIEM.
    • Security administrators can analyze the data and take necessary actions.

How to Enable Integration

To integrate FortiClient EMS with FortiGate, follow these steps:

On FortiClient EMS
  1. Go to System Settings > Security Fabric Integration.
  2. Enable Security Fabric Integration and enter the FortiGate IP address.
  3. Save changes and ensure endpoints synchronize with EMS.
On FortiGate
  1. Enable Endpoint Control:
    • Go to Security Fabric > Endpoint Control.
    • Enable FortiClient Registration and Enforcement.
  2. Configure EMS Connection:
    • Navigate to Security Fabric > EMS Settings.
    • Enter the EMS Server IP and authentication details.
  3. Create Compliance Policies:
    • Define security rules (e.g., antivirus must be enabled, OS must be updated).
    • Specify actions for non-compliant endpoints (block, quarantine, alert admins).

3.3 Automated Security Response

With Security Fabric integration, FortiClient, EMS, and FortiGate work together to automate threat response. This means that when a security event occurs, the system can detect, respond, and mitigate risks in real time.

Example: How Automated Security Response Works

Scenario: Malware Detected on an Endpoint
  1. FortiClient detects malware and immediately alerts EMS.
  2. EMS notifies FortiGate, which applies network access restrictions to the compromised endpoint.
  3. FortiAnalyzer logs the security event, providing detailed insights for investigation.
  4. FortiSIEM correlates the data and triggers an alert for security teams.
  5. FortiSandbox analyzes the malware and updates all endpoints to block similar threats.

Benefits of Automated Security Response

  • Faster Threat Mitigation: Blocks threats in real time before they spread.
  • Reduced Admin Overhead: Security teams receive automated alerts and forensic data.
  • Proactive Protection: Prevents infected devices from accessing critical network resources.

3.4 Hands-On Examples: Configuring Security Fabric Integration

Example 1: Integrating FortiClient EMS with FortiGate

Scenario:

You are an IT administrator responsible for integrating FortiClient EMS with FortiGate to enforce endpoint compliance policies.

Step-by-Step Configuration Guide

Step 1: Enable Security Fabric on FortiGate

  1. Log in to FortiGate via the web interface.
  2. Navigate to Security Fabric > Settings.
  3. Enable Security Fabric Connection.
  4. Click Apply.

Step 2: Configure Endpoint Control on FortiGate

  1. Go to Security Fabric > Endpoint Control.
  2. Enable FortiClient Registration.
  3. Enable Compliance Enforcement.
  4. Set the EMS Server Address (IP of FortiClient EMS).
  5. Click Apply.

Step 3: Configure Security Fabric Integration on FortiClient EMS

  1. Log in to FortiClient EMS.
  2. Go to System Settings > Security Fabric Integration.
  3. Enable Security Fabric Integration.
  4. Enter the FortiGate IP address.
  5. Click Save.

Step 4: Verify Endpoint Registration on FortiGate

  1. Open the FortiGate CLI and run:
     diagnose endpoint list
    • This will list registered endpoints.
  2. Go to Security Fabric > FortiClient Monitor.
    • You should see registered endpoints with their compliance status.

Example 2: Enforcing Endpoint Compliance Policies

Scenario:

Your company requires that all devices connecting to the network have updated antivirus software and a specific security patch installed.

Step-by-Step Configuration Guide

Step 1: Define Compliance Policies in EMS

  1. Go to Endpoint Profiles > Compliance.
  2. Enable Antivirus must be enabled and up to date.
  3. Enable Windows Security Patch Requirement.
  4. Save the Compliance Profile.

Step 2: Apply Compliance Policy to Endpoints

  1. Assign the Compliance Profile to a specific Endpoint Group.
  2. Save changes and wait for endpoints to sync.

Step 3: Verify Compliance Enforcement on FortiGate

  1. Log in to FortiGate.
  2. Go to Security Fabric > Endpoint Control.
  3. Check Endpoint Status.
    • Non-compliant devices should be marked in red.
  4. Run the command in the FortiGate CLI:
     diagnose endpoint compliance list
    • This will show details of compliant and non-compliant devices.

Step 4: Simulate Non-Compliance

  1. On an endpoint, disable antivirus protection.
  2. Run the command:
     diagnose endpoint compliance list
    • The endpoint should now be flagged as non-compliant.
  3. FortiGate should automatically block the device from network access.

Example 3: Sending Security Logs to FortiAnalyzer

Scenario:

Your security team needs detailed logs of endpoint security events for compliance monitoring.

Step-by-Step Configuration Guide

Step 1: Configure EMS to Send Logs to FortiAnalyzer

  1. Log in to FortiClient EMS.
  2. Go to System Settings > Logging & Reporting.
  3. Enable Log Forwarding.
  4. Enter the FortiAnalyzer IP address.
  5. Click Save.

Step 2: Verify Log Collection in FortiAnalyzer

  1. Log in to FortiAnalyzer.
  2. Go to Log View > Endpoint Logs.
  3. Check for logs from EMS.
  4. Run the CLI command on FortiAnalyzer:
     execute log display | grep "FortiClient"
    • This should display real-time logs from FortiClient EMS.

2. Troubleshooting Security Fabric Integration Issues

Issue 1: FortiClient Endpoints Not Registering with FortiGate

Symptoms:
  • Endpoints are not appearing in Security Fabric > FortiClient Monitor.
  • The CLI command diagnose endpoint list returns no results.
Possible Causes and Solutions
  • Cause: EMS is not correctly integrated with FortiGate. Solution: Check that Security Fabric Integration is enabled in EMS.
  • Cause: FortiGate Endpoint Control is disabled. Solution: Ensure FortiGate > Security Fabric > Endpoint Control is enabled.
  • Cause: Incorrect EMS IP configured in FortiGate. Solution: Verify that FortiGate is pointing to the correct EMS IP.
  • Cause: Firewall blocking EMS-FortiGate communication. Solution: Ensure that ports 8013 (EMS) and 10443 (FortiGate-client communication) are open.
Diagnostic Command on FortiGate
  diagnose test application fgfmd 3
  • This command checks if FortiGate can communicate with EMS.

Issue 2: FortiClient Compliance Policies Not Being Enforced

Symptoms:
  • Endpoints appear in FortiGate but are not blocked when non-compliant.
  • Policy rules in EMS are not applying to endpoints.
Possible Causes and Solutions
  • Cause: Compliance policies not assigned. Solution: Ensure the Compliance Profile is applied to the correct endpoint group.
  • Cause: Endpoint not synchronizing with EMS. Solution: Force a sync by running FortiClientConsole.exe /policyUpdate on the endpoint.
  • Cause: FortiGate is not enforcing compliance. Solution: Check that Enforcement Mode is enabled in Security Fabric > Endpoint Control.
  • Cause: Outdated FortiClient software. Solution: Ensure endpoints are running the latest FortiClient version.
Diagnostic Command on EMS
  get system endpoint list
  • This will display the compliance status of all registered endpoints.

Issue 3: Logs Not Appearing in FortiAnalyzer

Symptoms:
  • No logs from EMS are visible in FortiAnalyzer > Log View.
  • Running execute log display on FortiAnalyzer does not return EMS logs.
Possible Causes and Solutions
  • Cause: EMS log forwarding not enabled. Solution: Enable Logging & Reporting > Log Forwarding in EMS settings.
  • Cause: Incorrect FortiAnalyzer IP in EMS. Solution: Verify that EMS is sending logs to the correct FortiAnalyzer IP.
  • Cause: Port 514 (Syslog) blocked. Solution: Ensure that port 514 is open between EMS and FortiAnalyzer.
  • Cause: FortiAnalyzer storage limit reached. Solution: Check FortiAnalyzer disk space using execute log disk-usage.
Diagnostic Command on FortiAnalyzer
  execute log display | grep "FortiClient"
  • This will display logs specifically related to FortiClient EMS.
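Three of the causes above come down to a blocked path on a specific port: 8013 (EMS), 10443 (FortiGate-client communication) and 514 (syslog to FortiAnalyzer). The following added example, not a Fortinet tool, tests each path with a TCP connect from the machine it runs on and reports whether the failure looks like a firewall (timeout) or a service that is not listening (refused), which decides which fix from the tables applies. The hostnames are placeholders; the check proves only that a TCP handshake completes, not that certificates or authentication are correct.

```python
"""TCP reachability check for the Security Fabric ports named in the
troubleshooting section above (8013 EMS, 10443 FortiGate-client, 514 syslog).

Added example, not a Fortinet tool. Hostnames are placeholders; replace them
with the real EMS, FortiGate and FortiAnalyzer addresses.
"""
import socket

# (description, host placeholder, port) for each path the page lists.
FABRIC_CHECKS = [
    ("EMS endpoint management (8013)", "ems.example.internal", 8013),
    ("FortiGate-client communication (10443)", "fortigate.example.internal", 10443),
    ("Syslog to FortiAnalyzer (514)", "faz.example.internal", 514),
]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Return (reachable, detail).

    A timeout usually means a firewall is dropping the traffic; a refusal
    means the host answers but nothing listens on that port; a DNS failure
    points at a mistyped address in the EMS or FortiGate settings.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout: likely filtered by a firewall or host down"
    except ConnectionRefusedError:
        return False, "refused: host reachable but service not listening on this port"
    except socket.gaierror:
        return False, "dns: hostname does not resolve"
    except OSError as exc:
        return False, f"error: {exc}"


def run_checks(checks=FABRIC_CHECKS, timeout: float = 3.0) -> list:
    """Run every check and collect one result dict per path."""
    results = []
    for name, host, port in checks:
        ok, detail = check_tcp(host, port, timeout)
        results.append({"check": name, "host": host, "port": port, "ok": ok, "detail": detail})
    return results


def self_test() -> bool:
    """Exercise check_tcp against a local listener, then the same port once
    closed, so the logic can be verified without any Fabric devices."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        open_ok, _ = check_tcp("127.0.0.1", port, 1.0)
    finally:
        srv.close()
    closed_ok, closed_detail = check_tcp("127.0.0.1", port, 1.0)
    return open_ok and not closed_ok and closed_detail.startswith("refused")


if __name__ == "__main__":
    for r in run_checks():
        status = "OK  " if r["ok"] else "FAIL"
        print(f"{status} {r['check']} {r['host']}:{r['port']} - {r['detail']}")
```

Run it from the EMS server towards FortiGate and FortiAnalyzer, and from an endpoint towards EMS and FortiGate, since the tables above describe each of those directions as a separate failure point.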

Frequently Asked Questions

What is the purpose of quarantining an endpoint using FortiClient EMS?

Answer:

To isolate the endpoint from network access when suspicious activity is detected.

Explanation:

Quarantine is a containment mechanism used when an endpoint is suspected of compromise. When an endpoint is quarantined through EMS, it is restricted from accessing network resources until remediation occurs. This prevents potential malware or compromised hosts from spreading threats inside the network. Administrators can quarantine endpoints manually or automatically through automation policies. The endpoint remains isolated until it is released from quarantine through EMS or by entering a quarantine access code on the endpoint device.

Demand Score: 85

Exam Relevance Score: 91

Which component typically enforces network access restrictions when an endpoint is quarantined?

Answer:

FortiGate firewall policies.

Explanation:

When an endpoint is quarantined, the enforcement of network restrictions is usually handled by FortiGate devices integrated with EMS through the Security Fabric. EMS assigns tags or status indicators to the endpoint, and FortiGate firewall policies use this information to block or limit network access. This integration ensures that compromised endpoints cannot communicate with protected resources until remediation is completed.

Demand Score: 78

Exam Relevance Score: 89

What must exist in order for ZTNA tags from FortiClient EMS to be enforced by FortiGate?

Answer:

Successful synchronization of endpoint tags between EMS and FortiGate.

Explanation:

ZTNA access decisions rely on endpoint tags generated by EMS based on device posture and security status. These tags must be synchronized with the FortiGate firewall so that security policies can evaluate them. If synchronization fails, FortiGate cannot enforce ZTNA rules based on endpoint posture, which results in access failures or incorrect policy enforcement.

Demand Score: 73

Exam Relevance Score: 92

How can an administrator remove an endpoint from quarantine in EMS?

Answer:

By selecting the endpoint and choosing the Unquarantine action.

Explanation:

Administrators can manually remove an endpoint from quarantine through the EMS management interface. Once the endpoint is selected in the endpoint inventory, the administrator can use the Unquarantine action to restore normal network access. Alternatively, the user can enter a quarantine access code in the FortiClient interface on the endpoint device. After removal from quarantine, the endpoint status changes back to normal and network connectivity is restored.

Demand Score: 69

Exam Relevance Score: 85

Why might quarantine actions fail for certain operating systems?

Answer:

Because the quarantine feature is supported only on specific endpoint platforms.

Explanation:

In EMS environments, some quarantine capabilities depend on features available only in specific FortiClient operating system versions. For example, certain quarantine management functions are supported only for Windows endpoints. If administrators attempt to apply quarantine operations on unsupported operating systems, the expected isolation behavior may not occur.

Demand Score: 66

Exam Relevance Score: 80