Synchronizing objects across the Security Fabric

When the Security Fabric is enabled, various objects such as addresses, services, and schedules are synced from the upstream FortiGate to all downstream devices by default. FortiOS has the following settings for object synchronization across the Security Fabric:

• Set object synchronization (fabric-object-unification) to default or local on a downstream device.
• Set a per object option to toggle whether the specific Fabric object will be synchronized or not. After upgrading from 6.4.3, this option is disabled for supported Fabric objects. The synchronized Fabric objects are kept as locally created objects on downstream FortiGates.
• Define the number of task workers to handle synchronizations.

The firewall object synchronization wizard helps identify objects that are not synchronized and resolves any conflicts. A warning message appears in the topology tree if there is a conflict.

Summary of CLI commands

Object synchronization can be configured as follows:

config system csf
    set fabric-object-unification {default | local}
    set configuration-sync {default | local}
    set fabric-workers <integer>
    ...
    next
end

Parameter	Description
fabric-object-unification	default: Global CMDB objects will be synchronized in the Security Fabric. local: Global CMDB objects will not be synchronized to and from this device. This command is available on the root FortiGate. If set to local, the device does not synchronize objects from the root, but will send the synchronized objects downstream.
configuration-sync	default: Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node. local: Do not synchronize configuration with root node. If downstream FortiGates are set to local, the synchronized objects from the root to downstream are not applied locally. However, the downstream FortiGate will send the configuration to lower FortiGates.
fabric-workers	Define how many task worker process are created to handle synchronizations (1- 4, default = 2). The worker processes dies if there is no task to perform after 60 seconds.

The per object setting can be configured on the root FortiGate as follows:

config firewall <object>
    edit <name>
        set fabric-object {enable | disable}
        ...
    next
end

Where:

• <object> is one of the following: address, address6, addrgrp, addrgrp6, service category, service custom, service group, schedule group, schedule onetime, or schedule recurring.

• Enabling fabric-object sets the object as a Security Fabric-wide global object that is synchronized to downstream FortiGates.

• Disabling fabric-object sets the object as local to this Security Fabric member.

• If a device in the Fabric is in multi-VDOM mode, the GUI will not display the Fabric synchronization option. Even if this is enabled in the CLI, the object will not be synchronized to any downstream devices.

Sample topology

In this Security Fabric, the root FortiGate (FGTA-1) has fabric-object-unification set to default so the Fabric objects can be synchronized to the downstream FortiGate. The level 1 downstream FortiGate (FGTB-1) has configuration-sync set to local, so it will not apply the synchronized objects locally. The level 2 downstream FortiGate (FGTC) has configuration-sync set to default, so it will apply the synchronized objects locally.

In this example, firewall addresses and address groups are used. Other supported Fabric objects have the same behaviors. The following use cases illustrate common synchronization scenarios:

• If no conflicts exist, firewall addresses and address groups can be synchronized to downstream FortiGates (see example below).
• If a conflict exists between the root and downstream FortiGates, it can be resolved with the conflict resolution wizard. After the conflict is resolved, the firewall addresses and address groups can be synchronized to downstream FortiGates (see example below).
• If set fabric-object (Fabric synchronization option in the GUI) is disabled for firewall addresses and address groups on the root FortiGate, they will not be synchronized to downstream FortiGates (see example below).

To configure the FortiGates used in this example:

FGTA-1 # config system csf
    set status enable
    set group-name "fabric"
    set fabric-object-unification default
    ...
end

FGTB-1 # config system csf
    set status enable
    set upstream-ip 10.2.200.1
    set configuration-sync local
    ...    
end

FGTC # config system csf
    set status enable
    set upstream-ip 192.168.7.2
    set configuration-sync default
    ...
end

To synchronize a firewall address and address group in the Security Fabric:

1. Configure the firewall address on the root FortiGate:

   FGTA-1 # config firewall address
       edit "add_subnet_1"
           set fabric-object enable
           set subnet 22.22.22.0 255.255.255.0
       next
   end

2. Configure the address group on the root FortiGate:

   FGTA-1 # config firewall addrgrp
       edit "group_subnet_1"
           set member "add_subnet_1"
           set fabric-object enable
       next
   end

3. Check the firewall address and address group on the downstream FortiGates:

   FGTB-1 # show firewall address add_subnet_1
   entry is not found in table
   

   FGTB-1 # show firewall addrgrp group_subnet_1
   entry is not found in table
   

   The synchronized objects are not applied locally on this FortiGate because configuration-sync is set to local.

   FGTC # show firewall address add_subnet_1
   config firewall address
       edit "add_subnet_1"
           set uuid 378a8094-34cb-51eb-ce40-097f298fcfdc
           set fabric-object enable
           set subnet 22.22.22.0 255.255.255.0
       next
   end
   

   FGTC # show firewall addrgrp group_subnet_1
   config firewall addrgrp
       edit "group_subnet_1"
           set uuid 4d7a8a52-34cb-51eb-fce7-d93f76915319
           set member "add_subnet_1"
           set color 19
           set fabric-object enable
       next
   end

   The objects are synchronized on this FortiGate because configuration-sync is set to default.

To resolve a firewall address and address group conflict in the Security Fabric:

1. On FGTC, create a firewall address:
   1. Go to Policy & Objects > Addresses and click Create New > Address.
   2. Configure the following:

      Name	sync_add_1
      IP/Netmask	33.33.33.0 255.255.255.0

   3. Click OK.
2. On FGTA-1 (Fabric root), create the firewall address with same name but a different subnet:
   1. Go to Policy & Objects > Addresses and click Create New > Address.
   2. Configure the following:

      Name	sync_add_1
      IP/Netmask	11.11.11.0 255.255.255.0
      Fabric synchronization	Enable

   3. Click OK.
3. Add the address to a different address group than what is configured on FGTC:
   1. Go to Policy & Objects > Addresses and click Create New > Address Group.
   2. Configure the following:

      Name	sync_group4
      Members	sync_add_1
      Fabric synchronization	Enable

   3. Click OK.
4. Go to Security Fabric > Fabric Connectors. In the topology tree, there is a message that Firewall objects are in conflict with other FortiGates in the fabric.

   

5. Resolve the conflict:
   1. Click Review firewall object conflicts. The Firewall Object Synchronization pane opens.
   2. Click Rename All Objects. The conflicted object will be renamed on the downstream FortiGate.

      

   3. The conflict is resolved. Click Close to exit the Firewall Object Synchronization pane.

      

   4. The topology tree no longer indicates there is a conflict.
6. Verify the results on the downstream FortiGates:
   1. On FGTB-1, go to Policy & Objects > Addresses.
   2. Search for sync_add_1 and sync_group4. No results are found. The synchronized objects are not applied locally on this FortiGate because configuration-sync is set to local.

      

      

   3. On FGTC, go to Policy & Objects > Addresses.
   4. Search for sync_add_1. The original firewall address sync_add_1 was renamed to sync_add_1_FGTC by resolving the conflict on FGTA-1. The address sync_add_1 and address group sync_group4 are synchronized from FGTA-1.

      

To disable Fabric synchronization on the root FortiGate in the GUI:

1. On FGTA-1, create a firewall address:
   1. Go to Policy & Objects > Addresses and click Create New > Address.
   2. Configure the following:

      Name	add_subnet_3
      IP/Netmask	33.33.33.0 255.255.255.0
      Fabric synchronization	Disable

   3. Click OK.
2. Create the firewall address group and add the address:
   1. Go to Policy & Objects > Addresses and click Create New > Address Group.
   2. Configure the following:

      Name	group_subnet_3
      Members	add_subnet_3
      Fabric synchronization	Disable

   3. Click OK.
3. On FGTB-1, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric synchronization is disabled on the root FortiGate (FGTA-1).

   

4. On FGTC, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric synchronization is disabled on the root FortiGate (FGTA-1).

   

To disable Fabric synchronization on the root FortiGate in the CLI:

1. Configure the firewall address on the root FortiGate:

   FGTA-1 # config firewall address
       edit "add_subnet_3"
           set subnet 33.33.33.0 255.255.255.0
           set fabric-object disable
       next
   end

2. Configure the address group on the root FortiGate:

   FGTA-1 # config firewall addrgrp
       edit "group_subnet_3"
           set member "add_subnet_3"
           set fabric-object disable
       next
   end

3. Check the firewall address and address group on the downstream FortiGates:

   FGTB-1 # show firewall address add_subnet_3
   entry is not found in table

   FGTB-1 # show firewall addrgrp group_subnet_3
   entry is not found in table
   

   FGTC # show firewall address add_subnet_3
   entry is not found in table
   

   FGTC # show firewall addrgrp group_subnet_3
   entry is not found in table

   The objects are not synchronized from the root FortiGate (FGTA-1) because the fabric-object setting is disabled.