2.4 The Security Fabric
Key Takeaways
- The Fortinet Security Fabric is an integrated architecture that links FortiGate and other Fortinet and third-party products to share telemetry and coordinate response.
- The Security Fabric has a root FortiGate that anchors the topology; downstream FortiGate devices connect upstream toward the root to extend the fabric.
- Fabric connectors integrate external platforms (public cloud, SDN, endpoint, identity) so their objects and posture can be used in FortiGate policies.
- FortiAnalyzer provides centralized logging, analytics, and reporting; FortiManager provides centralized configuration and policy management for fabric devices.
- Automation stitches pair a trigger (such as a detected threat or a failover) with one or more actions (such as quarantine, notification, or a script) for automated response.
What the Security Fabric Is
The Fortinet Security Fabric is Fortinet's integrated security architecture. Instead of operating each device in isolation, the Security Fabric links FortiGate firewalls with other Fortinet products — and selected third-party products — so they can share threat intelligence, telemetry, and device inventory and coordinate automated responses across the whole network. For the NSE 4 exam, you should understand the fabric's structure and the role of each major component.
Core benefits of the Security Fabric:
- Broad visibility — a single topology view of devices, endpoints, and risks across the network.
- Integration — products exchange data through fabric APIs rather than being managed as silos.
- Automation — triggers and actions enable fast, consistent incident response without manual steps.
Root FortiGate and Downstream Devices
The Security Fabric is built as a tree of FortiGate devices:
- The root FortiGate is the device at the top of the fabric. It anchors the topology, aggregates fabric data, and is usually the FortiGate closest to the internet edge. The root is where you typically view the consolidated fabric topology and security rating.
- Downstream FortiGate devices connect upstream toward the root. Each downstream FortiGate joins the fabric by trusting the upstream device's fabric connection, extending visibility to internal segments, branch offices, and additional layers of the network.
This upstream/downstream relationship lets a large network present itself as one coordinated fabric while each FortiGate still enforces its own local policies.
Fabric Connectors
Fabric connectors extend the Security Fabric to platforms beyond core Fortinet appliances. A connector lets the FortiGate import dynamic objects, posture, or telemetry from an external system and use them in firewall policies. Connector categories include:
- Public and private cloud / SDN — connectors to AWS, Microsoft Azure, Google Cloud, VMware NSX, and Cisco ACI so that cloud workload tags or SDN groups become dynamic address objects in policies.
- Endpoint / EMS — the FortiClient EMS connector shares endpoint compliance and posture for identity- and posture-aware policies and ZTNA.
- Identity and threat feeds — connectors to identity sources and external threat-feed sources (malicious IP, URL, or domain lists) that update policy objects automatically.
FortiAnalyzer and FortiManager Integration
Two Fortinet management products are central to a production Security Fabric:
| Product | Role in the Fabric |
|---|---|
| FortiAnalyzer | Centralized logging, analytics, and reporting. Collects logs from all fabric FortiGates and other devices, enables historical analysis, incident investigation, and scheduled reports. |
| FortiManager | Centralized configuration and policy management. Pushes consistent policies, objects, and firmware to many FortiGates, providing change control and provisioning at scale. |
FortiGate sends logs to FortiAnalyzer using the OFTP protocol over TCP port 514 by default, and FortiManager manages devices when FMG-Access is permitted on the interface. Together they give the fabric one place for logs (FortiAnalyzer) and one place for configuration (FortiManager).
Automation Stitches
An automation stitch is the Security Fabric's event-driven automation feature. Each stitch pairs a trigger with one or more actions:
- Trigger — an event such as a detected compromised host or IOC (Indicator of Compromise), a failed HA failover, a high CPU/memory condition, a configuration change, or a security-rating event.
- Action — an automated response such as quarantining an endpoint, sending an email or webhook notification, executing a CLI script, generating a report, or accessing an external connector.
For example, a stitch can watch for a compromised host trigger and automatically run a quarantine action that isolates the device on the network — closing the gap between detection and response without waiting for an administrator. Stitches can run on the local FortiGate or be coordinated across the fabric from the root device.
Security Fabric Components Summary
- Root FortiGate — anchors the fabric topology and consolidated views.
- Downstream FortiGates — extend the fabric to internal and branch segments.
- Fabric connectors — integrate cloud, SDN, endpoint, identity, and threat-feed sources.
- FortiAnalyzer — centralized logs, analytics, and reporting.
- FortiManager — centralized configuration and policy management.
- Automation stitches — trigger-and-action automated incident response.
The Security Rating (Security Fabric Audit)
A distinctive Security Fabric feature is the Security Rating (formerly Security Fabric Audit). The root FortiGate runs a set of best-practice checks across all fabric members — covering security posture, network design, and compliance — and produces a score and ranked list of recommendations, for example "administrative access uses default ports," "interfaces with no policies," or "firmware out of date." Results can be compared against an anonymized peer benchmark. The Security Rating is how the exam expects you to describe the fabric's posture-assessment value, distinct from logging (FortiAnalyzer) or management (FortiManager).
How Devices Authorize Into the Fabric
Joining the fabric is an explicit trust step, not automatic discovery. On the upstream (root or intermediate) FortiGate, the Security Fabric Connection is enabled on the interface facing downstream devices (the allowaccess list must permit FABRIC/CAPWAP-style fabric communication). A downstream FortiGate is configured to point upstream, and the upstream administrator must authorize the new device before it appears in the topology. This authorization model prevents a rogue device from inserting itself into the fabric.
Fabric Roles vs Management Products
| Component | Role | Common confusion |
|---|---|---|
| Root FortiGate | Anchors topology, runs Security Rating | Not a log store and not FortiManager |
| Downstream FortiGate | Extends fabric to segments/branches | Still enforces its own local policies |
| FortiAnalyzer | Centralized logs/analytics/reports | Does not push configuration |
| FortiManager | Centralized configuration/policy push | Does not store long-term logs as primary role |
| Fabric connector | Imports external objects/posture | Does not itself enforce policy |
| Automation stitch | Event-driven response | Trigger + action, runs on FortiGate |
Keeping these roles cleanly separated is the most reliable way to answer Security Fabric questions, which frequently offer plausible-sounding swaps (FortiAnalyzer pushing config, the root replacing FortiManager) as distractors.
Within the Fortinet Security Fabric, what is the role of the root FortiGate?
An administrator wants the FortiGate to automatically isolate an endpoint as soon as the Security Fabric flags it as a compromised host. Which feature provides this?
In a Security Fabric deployment, which statement correctly describes the difference between FortiAnalyzer and FortiManager?