Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.0.5 Administration Guide
    7.0.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Deploying the Security Fabric in a multi-VDOM environment

    Deploying the Security Fabric in a multi-VDOM environment

    A Security Fabric can be enabled in multi-VDOM environments. This allows access to all of the Security Fabric features, including automation, security rating, and topologies, across the VDOM deployment.

    • Users can navigate to downstream FortiGate devices and VDOMs directly from the root FortiGate using the Fabric selection menu.

    • The logical topology shows all of the configured VDOMs.

    • Security rating reports include results for all of the configured VDOMs as well the entire Fabric.

    Note

    Downstream FortiGate devices must connect to the upstream FortiGate from its management VDOM.

    Topology

    In this topology, there is a root FortiGate with three FortiGates connected through two different VDOMs. The root FortiGate is able to manage all devices running in multi-VDOM mode.

    This example assumes multi-VDOM mode is already configured on each FortiGate, and that FortiAnalyzer logging is configured on the root FortiGate (see Configuring FortiAnalyzer and Configuring the root FortiGate and downstream FortiGates for more details).

    To enable multi-VDOM mode:
    config system global
    set vdom-mode multi-vdom
end

    Device configurations

    Root FortiGate (Root-E)

    The Security Fabric is enabled, and configured so that downstream interfaces from all VDOMs can allow other Security Fabric devices to join.

    To configure Root-E in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Ensure that the Status is Enabled and the Security Fabric role is set to Serve as Fabric Root.
    3. Enable Allow other Security Fabric devices to join and click the + to add the interfaces (vlan50 and vlan90) from the vdom_nat1 and root VDOMs.

    4. Configure the other settings as needed.
    5. Click OK.
    To configure Root-E in the CLI:
    1. Enable the Security Fabric:
      config system csf
    set status enable
    set group-name "CSF_E"
end
    2. Configure the interfaces:
      config system interface
    edit "vlan50"
        set vdom "vdom_nat1"
        ...
        set allowaccess ping https ssh http fgfm fabric
        ...
    next
    edit "vlan90"
        set vdom "root"
        ...
        set allowaccess ping https ssh http fgfm fabric
        ...
    next
end

    Downstream FortiGate 1 (Downstream-G)

    To configure Downstream-G in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. For Status, select Enabled and set the role to Join Existing Fabric.
    3. Enter the Upstream FortiGate IP, which is the IP of the root FortiGate vdom_nat1 interface (192.168.5.5). Downstream-G must use the interface from the management VDOM to connect to the upstream FortiGate IP.
    4. Enable Allow other Security Fabric devices to join and click the + to add the downstream interface (sw-vlan71) from the FG-traffic VDOM.

    5. Configure the other settings as needed.
    6. Click OK.
    To configure Downstream-G in the CLI:
    1. Enable the Security Fabric:
      config system csf
    set status enable
    set upstream-ip 192.168.5.5
end
    2. Configure the interfaces:
      config system interface
    edit "sw-vlan71"
        set vdom "FG-traffic"
        ...
        set allowaccess ping https ssh http fgfm fabric
        ...
    next
end

    Downstream FortiGate 2 (Level2-downstream-H)

    To configure Level2-downstream-H in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. For Status, select Enabled and set the role to Join Existing Fabric.
    3. Enter the Upstream FortiGate IP, which is the IP of the root VDOM on Downstream-G (192.168.71.7).

    4. Configure the other settings as needed.
    5. Click OK.
    To configure Level2-downstream-H in the CLI:
    config system csf
    set status enable
    set upstream-ip 192.168.71.7
end

    Downstream FortiGate 3 (Level1-downstream-10)

    To configure Level1-downstream-10 in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. For Status, select Enabled and set the role to Join Existing Fabric.
    3. Enter the Upstream FortiGate IP, which is the IP of the root VDOM on Root-E (192.168.9.5).

    4. Configure the other settings as needed.
    5. Click OK.
    To configure Level1-downstream-10 in the CLI:
    config system csf
    set status enable
    set upstream-ip 192.168.9.5
end

    Device authorization and verification

    To authorize the downstream devices on the root FortiGate:
    1. On Root-E, go to Security Fabric > Fabric Connectors.
    2. In the topology tree, click the highlighted serial number and select Authorize for each downstream FortiGate.

      Once all the devices are authorized, the physical topology page shows the root and downstream FortiGates. The logical topology page shows the root and downstream FortiGates connected to interfaces in their corresponding VDOMs.

    Previous
    Next

    Deploying the Security Fabric in a multi-VDOM environment

    Deploying the Security Fabric in a multi-VDOM environment

    A Security Fabric can be enabled in multi-VDOM environments. This allows access to all of the Security Fabric features, including automation, security rating, and topologies, across the VDOM deployment.

    • Users can navigate to downstream FortiGate devices and VDOMs directly from the root FortiGate using the Fabric selection menu.

    • The logical topology shows all of the configured VDOMs.

    • Security rating reports include results for all of the configured VDOMs as well the entire Fabric.

    Note

    Downstream FortiGate devices must connect to the upstream FortiGate from its management VDOM.

    Topology

    In this topology, there is a root FortiGate with three FortiGates connected through two different VDOMs. The root FortiGate is able to manage all devices running in multi-VDOM mode.

    This example assumes multi-VDOM mode is already configured on each FortiGate, and that FortiAnalyzer logging is configured on the root FortiGate (see Configuring FortiAnalyzer and Configuring the root FortiGate and downstream FortiGates for more details).

    To enable multi-VDOM mode:
    config system global
    set vdom-mode multi-vdom
end

    Device configurations

    Root FortiGate (Root-E)

    The Security Fabric is enabled, and configured so that downstream interfaces from all VDOMs can allow other Security Fabric devices to join.

    To configure Root-E in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Ensure that the Status is Enabled and the Security Fabric role is set to Serve as Fabric Root.
    3. Enable Allow other Security Fabric devices to join and click the + to add the interfaces (vlan50 and vlan90) from the vdom_nat1 and root VDOMs.

    4. Configure the other settings as needed.
    5. Click OK.
    To configure Root-E in the CLI:
    1. Enable the Security Fabric:
      config system csf
    set status enable
    set group-name "CSF_E"
end
    2. Configure the interfaces:
      config system interface
    edit "vlan50"
        set vdom "vdom_nat1"
        ...
        set allowaccess ping https ssh http fgfm fabric
        ...
    next
    edit "vlan90"
        set vdom "root"
        ...
        set allowaccess ping https ssh http fgfm fabric
        ...
    next
end

    Downstream FortiGate 1 (Downstream-G)

    To configure Downstream-G in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. For Status, select Enabled and set the role to Join Existing Fabric.
    3. Enter the Upstream FortiGate IP, which is the IP of the root FortiGate vdom_nat1 interface (192.168.5.5). Downstream-G must use the interface from the management VDOM to connect to the upstream FortiGate IP.
    4. Enable Allow other Security Fabric devices to join and click the + to add the downstream interface (sw-vlan71) from the FG-traffic VDOM.

    5. Configure the other settings as needed.
    6. Click OK.
    To configure Downstream-G in the CLI:
    1. Enable the Security Fabric:
      config system csf
    set status enable
    set upstream-ip 192.168.5.5
end
    2. Configure the interfaces:
      config system interface
    edit "sw-vlan71"
        set vdom "FG-traffic"
        ...
        set allowaccess ping https ssh http fgfm fabric
        ...
    next
end

    Downstream FortiGate 2 (Level2-downstream-H)

    To configure Level2-downstream-H in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. For Status, select Enabled and set the role to Join Existing Fabric.
    3. Enter the Upstream FortiGate IP, which is the IP of the root VDOM on Downstream-G (192.168.71.7).

    4. Configure the other settings as needed.
    5. Click OK.
    To configure Level2-downstream-H in the CLI:
    config system csf
    set status enable
    set upstream-ip 192.168.71.7
end

    Downstream FortiGate 3 (Level1-downstream-10)

    To configure Level1-downstream-10 in the GUI:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. For Status, select Enabled and set the role to Join Existing Fabric.
    3. Enter the Upstream FortiGate IP, which is the IP of the root VDOM on Root-E (192.168.9.5).

    4. Configure the other settings as needed.
    5. Click OK.
    To configure Level1-downstream-10 in the CLI:
    config system csf
    set status enable
    set upstream-ip 192.168.9.5
end

    Device authorization and verification

    To authorize the downstream devices on the root FortiGate:
    1. On Root-E, go to Security Fabric > Fabric Connectors.
    2. In the topology tree, click the highlighted serial number and select Authorize for each downstream FortiGate.

      Once all the devices are authorized, the physical topology page shows the root and downstream FortiGates. The logical topology page shows the root and downstream FortiGates connected to interfaces in their corresponding VDOMs.

    Previous
    Next