Synchronizing objects across the Security Fabric
When the Security Fabric is enabled, various objects such as addresses, services, and schedules are synced from the upstream FortiGate to all downstream devices by default. The firewall object synchronization wizard helps identify objects that are out of sync and resolves any conflicts. Objects that are out of sync are highlighted in yellow in the GUI.
In this example, the notifications icon displays a message that Firewall objects are not synchronized with all the FortiGates in the Fabric. In the topology tree, Branch_Office_02 is highlighted in yellow because it is out of sync.
In this example, the tooltip displays a caution icon that the device is out of sync.
To use the firewall object synchronization wizard in the GUI:
- Go to Security Fabric >Fabric Connectors and click Open Synchronization Wizard.
A list of FortiGates and their synchronization status displays.
- Select a FortiGate that is Out of sync and click Next.
A list of tables and their synchronization status displays.
- Click Synchronize Tables.The FortiGate attempts to automatically resolve the conflicts. In this example, the address table requires manual intervention.
- Click Resolve Conflicts.
- For Strategy, choose one of the following.
- Automatic resolve (automatically resolves all the name conflicts and renames them on the selected FortiGate using the FortiGate name as a suffix):
- Click Automatic.
- Click Rename All Objects.
- Manual resolve:
- Click Manual.
- Double-click an object and re-name it.
- Click OK.
- Automatic resolve (automatically resolves all the name conflicts and renames them on the selected FortiGate using the FortiGate name as a suffix):
- Click Next.
An updated list of FortiGates and their synchronization status displays.
- Click Close.
To verify object synchronization on downstream devices:
- Log in to a downstream device.
- Go to Policy & Objects > Addresses.
An information bubble displays the following: All objects must be created/edited on the root FortiGate, and will be read-only on downstream FortiGates.
- The following example shows an object that exists on both upstream (Enterprise_Second_Floor) and downstream (fshuva-test) FortiGates. On the downstream device, there is an existing gmail.com, and another object, gmail.com_fshuva-test, that was resolved by adding the suffix of the upstream FortiGate name to the end.
In this example, an object created on the upstream FortiGate is synchronized to a downstream FortiGate.
The same object appears automatically on the downstream device.
CLI commands
Object synchronization can be configured with the following commands:
config system csf set fabric-object-unification [default | local] set configuration-sync [default | local] ... next end
Parameter |
Description |
---|---|
fabric-object-unification |
default: Global CMDB objects will be synchronized in Security Fabric. local: Global CMDB objects will not be synchronized to and from this device. |
configuration-sync |
default: Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node. local: Do not synchronize configuration with root node. |