FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help


There are two roles a FortiGate can have in a security fabric:Upstream or Internal Segmentation Firewall (ISFW). Both FortiGates work together to provide Distributing security functions.


The upstream FortiGate is the heart of the security fabric. It is located on the edge of the network, connecting the internal devices and networks to the Internet through your ISP.

From the upstream FortiGate, you can view information about the entire security fabric using FortiView.

Internal Segmentation Firewall (ISFW)

Once an upstream FortiGate has been installed, all other FortiGates in the security fabric act as Internal Segmentation Firewalls (ISFWs).

An ISFW is a firewall that sits at strategic internal points of the internal network, rather than on the network edge. This allows extra security measures to be taken around key network components, such a servers that contain valuable intellectual property.

ISFW FortiGates in a security fabric send traffic and information about their devices to the upstream FortiGate, allowing network visibility.

Distributing security functions

Security Fabric configurations allow you to distribute security functions to different FortiGates in the security fabric. For example, you may want to implement virus scanning on the External FortiGate but add application control and web filtering to the ISFW FortiGates.

This results in distributed processing between the FortiGates in the Security Fabric; reducing the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network as other internal networks may have different application control and web filtering requirements. This configuration may result in threats getting through the External FortiGate which means you should very closely limit access to the network connections between the FortiGates in the Security Fabric.

Another strategy you could choose is to have flow-based inspection on the External FortiGate and proxy-based inspection used by the ISFW FortiGates.