2.4 The Security Fabric

Key Takeaways

  • The Fortinet Security Fabric is an integrated architecture that links FortiGate and other Fortinet and third-party products to share telemetry and coordinate response.
  • The Security Fabric has a root FortiGate that anchors the topology; downstream FortiGate devices connect upstream toward the root to extend the fabric.
  • Fabric connectors integrate external platforms (public cloud, SDN, endpoint, identity) so their objects and posture can be used in FortiGate policies.
  • FortiAnalyzer provides centralized logging, analytics, and reporting; FortiManager provides centralized configuration and policy management for fabric devices.
  • Automation stitches pair a trigger (such as a detected threat or a failover) with one or more actions (such as quarantine, notification, or a script) for automated response.
Last updated: May 2026

What the Security Fabric Is

The Fortinet Security Fabric is Fortinet's integrated security architecture. Instead of operating each device in isolation, the Security Fabric links FortiGate firewalls with other Fortinet products — and selected third-party products — so they can share threat intelligence, telemetry, and device inventory and coordinate automated responses across the whole network. For the NSE 4 exam, you should understand the fabric's structure and the role of each major component.

Core benefits of the Security Fabric:

  • Broad visibility — a single topology view of devices, endpoints, and risks across the network.
  • Integration — products exchange data through fabric APIs rather than being managed as silos.
  • Automation — triggers and actions enable fast, consistent incident response without manual steps.

Root FortiGate and Downstream Devices

The Security Fabric is built as a tree of FortiGate devices:

  • The root FortiGate is the device at the top of the fabric. It anchors the topology, aggregates fabric data, and is usually the FortiGate closest to the internet edge. The root is where you typically view the consolidated fabric topology and security rating.
  • Downstream FortiGate devices connect upstream toward the root. Each downstream FortiGate joins the fabric by trusting the upstream device's fabric connection, extending visibility to internal segments, branch offices, and additional layers of the network.

This upstream/downstream relationship lets a large network present itself as one coordinated fabric while each FortiGate still enforces its own local policies.

Fabric Connectors

Fabric connectors extend the Security Fabric to platforms beyond core Fortinet appliances. A connector lets the FortiGate import dynamic objects, posture, or telemetry from an external system and use them in firewall policies. Connector categories include:

  • Public and private cloud / SDN — connectors to AWS, Microsoft Azure, Google Cloud, VMware NSX, and Cisco ACI so that cloud workload tags or SDN groups become dynamic address objects in policies.
  • Endpoint / EMS — the FortiClient EMS connector shares endpoint compliance and posture for identity- and posture-aware policies and ZTNA.
  • Identity and threat feeds — connectors to identity sources and external threat-feed sources (malicious IP, URL, or domain lists) that update policy objects automatically.

FortiAnalyzer and FortiManager Integration

Two Fortinet management products are central to a production Security Fabric:

ProductRole in the Fabric
FortiAnalyzerCentralized logging, analytics, and reporting. Collects logs from all fabric FortiGates and other devices, enables historical analysis, incident investigation, and scheduled reports.
FortiManagerCentralized configuration and policy management. Pushes consistent policies, objects, and firmware to many FortiGates, providing change control and provisioning at scale.

FortiGate sends logs to FortiAnalyzer using the OFTP protocol over TCP port 514 by default, and FortiManager manages devices when FMG-Access is permitted on the interface. Together they give the fabric one place for logs (FortiAnalyzer) and one place for configuration (FortiManager).

Automation Stitches

An automation stitch is the Security Fabric's event-driven automation feature. Each stitch pairs a trigger with one or more actions:

  • Trigger — an event such as a detected compromised host or IOC (Indicator of Compromise), a failed HA failover, a high CPU/memory condition, a configuration change, or a security-rating event.
  • Action — an automated response such as quarantining an endpoint, sending an email or webhook notification, executing a CLI script, generating a report, or accessing an external connector.

For example, a stitch can watch for a compromised host trigger and automatically run a quarantine action that isolates the device on the network — closing the gap between detection and response without waiting for an administrator. Stitches can run on the local FortiGate or be coordinated across the fabric from the root device.

Security Fabric Components Summary

  • Root FortiGate — anchors the fabric topology and consolidated views.
  • Downstream FortiGates — extend the fabric to internal and branch segments.
  • Fabric connectors — integrate cloud, SDN, endpoint, identity, and threat-feed sources.
  • FortiAnalyzer — centralized logs, analytics, and reporting.
  • FortiManager — centralized configuration and policy management.
  • Automation stitches — trigger-and-action automated incident response.

The Security Rating (Security Fabric Audit)

A distinctive Security Fabric feature is the Security Rating (formerly Security Fabric Audit). The root FortiGate runs a set of best-practice checks across all fabric members — covering security posture, network design, and compliance — and produces a score and ranked list of recommendations, for example "administrative access uses default ports," "interfaces with no policies," or "firmware out of date." Results can be compared against an anonymized peer benchmark. The Security Rating is how the exam expects you to describe the fabric's posture-assessment value, distinct from logging (FortiAnalyzer) or management (FortiManager).

How Devices Authorize Into the Fabric

Joining the fabric is an explicit trust step, not automatic discovery. On the upstream (root or intermediate) FortiGate, the Security Fabric Connection is enabled on the interface facing downstream devices (the allowaccess list must permit FABRIC/CAPWAP-style fabric communication). A downstream FortiGate is configured to point upstream, and the upstream administrator must authorize the new device before it appears in the topology. This authorization model prevents a rogue device from inserting itself into the fabric.

Fabric Roles vs Management Products

ComponentRoleCommon confusion
Root FortiGateAnchors topology, runs Security RatingNot a log store and not FortiManager
Downstream FortiGateExtends fabric to segments/branchesStill enforces its own local policies
FortiAnalyzerCentralized logs/analytics/reportsDoes not push configuration
FortiManagerCentralized configuration/policy pushDoes not store long-term logs as primary role
Fabric connectorImports external objects/postureDoes not itself enforce policy
Automation stitchEvent-driven responseTrigger + action, runs on FortiGate

Keeping these roles cleanly separated is the most reliable way to answer Security Fabric questions, which frequently offer plausible-sounding swaps (FortiAnalyzer pushing config, the root replacing FortiManager) as distractors.

Loading diagram...
Fortinet Security Fabric Topology
Test Your Knowledge

Within the Fortinet Security Fabric, what is the role of the root FortiGate?

A
B
C
D
Test Your Knowledge

An administrator wants the FortiGate to automatically isolate an endpoint as soon as the Security Fabric flags it as a compromised host. Which feature provides this?

A
B
C
D
Test Your Knowledge

In a Security Fabric deployment, which statement correctly describes the difference between FortiAnalyzer and FortiManager?

A
B
C
D