
2.4 The Security Fabric

Key Takeaways

  • The Fortinet Security Fabric is an integrated architecture that links FortiGate and other Fortinet and third-party products to share telemetry and coordinate response.
  • The Security Fabric has a root FortiGate that anchors the topology; downstream FortiGate devices connect upstream toward the root to extend the fabric.
  • Fabric connectors integrate external platforms (public cloud, SDN, endpoint, identity) so their objects and posture can be used in FortiGate policies.
  • FortiAnalyzer provides centralized logging, analytics, and reporting; FortiManager provides centralized configuration and policy management for fabric devices.
  • Automation stitches pair a trigger (such as a detected threat or a failover) with one or more actions (such as quarantine, notification, or a script) for automated response.
Last updated: May 2026

What the Security Fabric Is

The Fortinet Security Fabric is Fortinet's integrated security architecture. Instead of operating each device in isolation, the Security Fabric links FortiGate firewalls with other Fortinet products — and selected third-party products — so they can share threat intelligence, telemetry, and device inventory and coordinate automated responses across the whole network. For the NSE 4 exam, you should understand the fabric's structure and the role of each major component.

Core benefits of the Security Fabric:

  • Broad visibility — a single topology view of devices, endpoints, and risks across the network.
  • Integration — products exchange data through fabric APIs rather than being managed as silos.
  • Automation — triggers and actions enable fast, consistent incident response without manual steps.

Root FortiGate and Downstream Devices

The Security Fabric is built as a tree of FortiGate devices:

  • The root FortiGate is the device at the top of the fabric. It anchors the topology, aggregates fabric data, and is usually the FortiGate closest to the internet edge. The root is where you typically view the consolidated fabric topology and security rating.
  • Downstream FortiGate devices connect upstream toward the root. Each downstream FortiGate joins the fabric by trusting the upstream device's fabric connection, extending visibility to internal segments, branch offices, and additional layers of the network.

This upstream/downstream relationship lets a large network present itself as one coordinated fabric while each FortiGate still enforces its own local policies.

Fabric Connectors

Fabric connectors extend the Security Fabric to platforms beyond core Fortinet appliances. A connector lets the FortiGate import dynamic objects, posture, or telemetry from an external system and use them in firewall policies. Connector categories include:

  • Public and private cloud / SDN — connectors to AWS, Microsoft Azure, Google Cloud, VMware NSX, and Cisco ACI so that cloud workload tags or SDN groups become dynamic address objects in policies.
  • Endpoint / EMS — the FortiClient EMS connector shares endpoint compliance and posture for identity- and posture-aware policies and ZTNA.
  • Identity and threat feeds — connectors to identity sources and external threat-feed sources (malicious IP, URL, or domain lists) that update policy objects automatically.

FortiAnalyzer and FortiManager Integration

Two Fortinet management products are central to a production Security Fabric:

| Product | Role in the Fabric |
|---|---|
| FortiAnalyzer | Centralized logging, analytics, and reporting. Collects logs from all fabric FortiGates and other devices, enables historical analysis, incident investigation, and scheduled reports. |
| FortiManager | Centralized configuration and policy management. Pushes consistent policies, objects, and firmware to many FortiGates, providing change control and provisioning at scale. |

FortiGate sends logs to FortiAnalyzer using the OFTP protocol over TCP port 514 by default, and FortiManager manages devices when FMG-Access is permitted on the interface. Together they give the fabric one place for logs (FortiAnalyzer) and one place for configuration (FortiManager).

Automation Stitches

An automation stitch is the Security Fabric's event-driven automation feature. Each stitch pairs a trigger with one or more actions:

  • Trigger — an event such as a detected compromised host or IOC (Indicator of Compromise), an HA failover, a high CPU/memory condition, a configuration change, or a security-rating event.
  • Action — an automated response such as quarantining an endpoint, sending an email or webhook notification, executing a CLI script, generating a report, or accessing an external connector.

For example, a stitch can watch for a compromised host trigger and automatically run a quarantine action that isolates the device on the network — closing the gap between detection and response without waiting for an administrator. Stitches can run on the local FortiGate or be coordinated across the fabric from the root device.
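The compromised-host stitch described above, written out as an added example in FortiOS CLI syntax (it is not from the original page or from Fortinet's own material). It assumes FortiOS 7.x, where a stitch lists its actions under `config actions`; the object names and the e-mail address are placeholders.

```fortios
# Trigger: fire when the fabric reports a compromised host (IOC).
config system automation-trigger
    edit "trg-compromised-host"
        set event-type ioc
        # Only act on high-confidence verdicts to limit false quarantines.
        set ioc-level high
    next
end

# Action 1: quarantine the flagged device.
config system automation-action
    edit "act-quarantine"
        set action-type quarantine
    next
    # Action 2: notify the SOC so a person reviews every automated isolation.
    edit "act-notify-soc"
        set action-type email
        set email-to "soc@example.com"
        set email-subject "Security Fabric: host quarantined by automation stitch"
    next
end

# Stitch: bind the trigger to both actions, in order.
config system automation-stitch
    edit "stitch-quarantine-compromised-host"
        set status enable
        set trigger "trg-compromised-host"
        config actions
            edit 1
                set action "act-quarantine"
                set required enable
            next
            edit 2
                set action "act-notify-soc"
            next
        end
    next
end
```

Pairing the quarantine with a notification keeps an audit trail for each automated isolation, and starting with `ioc-level high` reduces the chance of isolating a host on a low-confidence indicator.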

Security Fabric Components Summary

  • Root FortiGate — anchors the fabric topology and consolidated views.
  • Downstream FortiGates — extend the fabric to internal and branch segments.
  • Fabric connectors — integrate cloud, SDN, endpoint, identity, and threat-feed sources.
  • FortiAnalyzer — centralized logs, analytics, and reporting.
  • FortiManager — centralized configuration and policy management.
  • Automation stitches — trigger-and-action automated incident response.
[Diagram: Fortinet Security Fabric Topology]
Test Your Knowledge

Within the Fortinet Security Fabric, what is the role of the root FortiGate?

Test Your Knowledge

An administrator wants the FortiGate to automatically isolate an endpoint as soon as the Security Fabric flags it as a compromised host. Which feature provides this?

Test Your Knowledge

In a Security Fabric deployment, which statement correctly describes the difference between FortiAnalyzer and FortiManager?
