Handbook

6.0.0
Device polling and controller information

Instead of a central controller actively directing the devices and pushing changes out to them in response to network topology changes, the FortiOS architecture uses device polling to propagate changes across the nodes in the VPN. State changes are tracked carefully across the system so that all devices always have the same view of the network (with some delay in propagating changes due to polling). Similarly, the OCVPN cloud always knows the state of each device. This is essential for managing the keys properly and for being able to discard them once they have been installed on each device.

The control layer is implemented on each device as a state machine, in which information from the member table is translated into a working configuration consisting of IPsec phase1 and phase2 objects with default parameters, firewall address and address group objects, firewall policies, and static routes. The resulting configuration may be edited normally, e.g. DPD settings, DH group, crypto transform, firewall policy profiles for AV/IPS, etc. This provides a level of flexibility and usability.

The control layer's responsibility is to ensure that the network data on any device, and by extension its configuration, always stays in sync with the network view stored in the cloud and with all the other devices, regardless of intermittent network errors that could occur at any point in the system. The system is designed to handle network errors, changes, and events and to keep the IPsec configuration consistently and reliably in sync.

Configuration information is managed in a fixed table: 16 nodes maximum, 16 subnets per node. After the table is populated, full mesh configuration is calculated and installed into the CMDB.
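The following is an added model of the control layer described in the two paragraphs above; it is example code written for this page, not FortiOS or OCVPN code. It takes a constructed member table, enforces the fixed 16-node / 16-subnet limits, derives the full-mesh objects one device would install (phase1, phase2, address objects, an address group, a policy and static routes per peer), and then performs the per-poll reconciliation that keeps installed configuration in sync with the table. Node identifiers, gateway addresses, subnets, the `ocvpn_<local>_<peer>` naming scheme and the default phase1 values are all assumptions.

```python
"""Model of an OCVPN-style polling control layer (constructed example, not
FortiOS code): the member table polled from the cloud is turned into this
device's full-mesh configuration, and each poll cycle reconciles the
installed objects against the desired set so the device converges on the
cloud's view even after missed or failed polls."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_NODES = 16      # fixed table size stated on the page
MAX_SUBNETS = 16    # subnets per node stated on the page


@dataclass(frozen=True)
class Member:
    node_id: str               # hypothetical device identifier
    public_ip: str             # hypothetical remote gateway address
    subnets: Tuple[str, ...]   # networks advertised by that node


def validate_member_table(members: List[Member]) -> None:
    """Reject a table that exceeds the fixed limits before anything is derived."""
    if len(members) > MAX_NODES:
        raise ValueError(f"{len(members)} nodes in table, maximum is {MAX_NODES}")
    ids = [m.node_id for m in members]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate node_id in member table")
    for m in members:
        if len(m.subnets) > MAX_SUBNETS:
            raise ValueError(f"node {m.node_id} has {len(m.subnets)} subnets, maximum is {MAX_SUBNETS}")


def table_is_valid(members: List[Member]) -> bool:
    try:
        validate_member_table(members)
        return True
    except ValueError:
        return False


def desired_config(members: List[Member], local_id: str) -> Dict[str, dict]:
    """Translate the member table into the objects the local device installs.
    Full mesh: every other node in the table is a peer with its own tunnel."""
    validate_member_table(members)
    local = next(m for m in members if m.node_id == local_id)
    objs: Dict[str, dict] = {}
    for peer in members:
        if peer.node_id == local_id:
            continue
        tun = f"ocvpn_{local_id}_{peer.node_id}"          # hypothetical naming scheme
        # default phase1 parameters (assumed values); the page says these may be edited later
        objs[f"phase1:{tun}"] = {"remote_gw": peer.public_ip, "dpd": "on-demand", "dhgrp": "14"}
        objs[f"phase2:{tun}"] = {"phase1": tun, "src": sorted(local.subnets), "dst": sorted(peer.subnets)}
        addr_names = []
        for i, net in enumerate(sorted(peer.subnets)):
            objs[f"addr:{tun}_{i}"] = {"subnet": net}
            addr_names.append(f"addr:{tun}_{i}")
            objs[f"route:{tun}_{i}"] = {"dst": net, "device": tun}
        objs[f"addrgrp:{tun}"] = {"members": addr_names}
        objs[f"policy:{tun}"] = {"srcintf": "internal", "dstintf": tun,
                                 "dstaddr": f"addrgrp:{tun}", "action": "accept"}
    return objs


def reconcile(installed: Dict[str, dict], desired: Dict[str, dict]) -> Tuple[List[str], List[str], List[str]]:
    """One poll cycle: the add / update / remove sets that bring the installed
    configuration in line with the view just polled from the cloud."""
    add = sorted(k for k in desired if k not in installed)
    update = sorted(k for k in desired if k in installed and installed[k] != desired[k])
    remove = sorted(k for k in installed if k not in desired)
    return add, update, remove


def apply_changes(installed: Dict[str, dict], desired: Dict[str, dict]) -> Dict[str, dict]:
    """Apply a reconcile result; idempotent, so a repeated poll is a no-op."""
    add, update, remove = reconcile(installed, desired)
    new = dict(installed)
    for k in add + update:
        new[k] = desired[k]
    for k in remove:
        del new[k]
    return new


# Constructed three-node member table (documentation address ranges, not real devices).
SAMPLE_TABLE = [
    Member("A", "198.51.100.1", ("10.1.0.0/24",)),
    Member("B", "198.51.100.2", ("10.2.0.0/24", "10.2.1.0/24")),
    Member("C", "198.51.100.3", ("10.3.0.0/24",)),
]


def run_poll_cycles():
    """Install the mesh on node A from an empty CMDB, re-poll with no change,
    then re-poll after node C has left the table."""
    installed = apply_changes({}, desired_config(SAMPLE_TABLE, "A"))
    steady = reconcile(installed, desired_config(SAMPLE_TABLE, "A"))
    after_c_left = reconcile(installed, desired_config([m for m in SAMPLE_TABLE if m.node_id != "C"], "A"))
    return installed, steady, after_c_left


if __name__ == "__main__":
    cfg, steady, gone = run_poll_cycles()
    print(len(cfg), "objects installed; steady-state poll:", steady)
    print("after C left, remove:", gone[2])
```

Because `reconcile` is computed from the polled table rather than from a pushed delta, a device that missed several updates still converges in a single cycle, and the removal set for a departed node is exactly the objects keyed on its tunnel, which is what allows the keys and objects for that peer to be discarded cleanly.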