Administration Guide

Deploying the Security Fabric in a multi-VDOM environment

A Security Fabric can be enabled in multi-VDOM environments. This allows access to all of the Security Fabric features, including automation, security rating, and topologies, across the VDOM deployment.

  • Users can navigate to downstream FortiGate devices and VDOMs directly from the root FortiGate using the Fabric selection menu.

  • The logical topology shows all of the configured VDOMs.

  • Security rating reports include results for all of the configured VDOMs as well as for the entire Fabric.

Note

Downstream FortiGate devices must connect to the upstream FortiGate from their own management VDOM.

Topology

In this topology, there is a root FortiGate with three FortiGates connected through two different VDOMs. The root FortiGate is able to manage all devices running in multi-VDOM mode.

This example assumes multi-VDOM mode is already configured on each FortiGate, and that FortiAnalyzer logging is configured on the root FortiGate (see Configuring FortiAnalyzer and Configuring the root FortiGate and downstream FortiGates for more details).

To enable multi-VDOM mode:
config system global
    set vdom-mode multi-vdom
end

Device configurations

Root FortiGate (Root-E)

The Security Fabric is enabled and configured so that the downstream-facing interfaces in each VDOM allow other Security Fabric devices to join.

To configure Root-E in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. Ensure that the Status is Enabled and the Security Fabric role is set to Serve as Fabric Root.
  3. Enable Allow other Security Fabric devices to join and click the + to add the interfaces (vlan50 and vlan90) from the vdom_nat1 and root VDOMs.

  4. Configure the other settings as needed.
  5. Click OK.
To configure Root-E in the CLI:
  1. Enable the Security Fabric:
    config system csf
        set status enable
        set group-name "CSF_E"
    end
  2. Configure the interfaces:
    config system interface
        edit "vlan50"
            set vdom "vdom_nat1"
            ...
            set allowaccess ping https ssh http fgfm fabric
            ...
        next
        edit "vlan90"
            set vdom "root"
            ...
            set allowaccess ping https ssh http fgfm fabric
            ...
        next
    end

Downstream FortiGate 1 (Downstream-G)

To configure Downstream-G in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. For Status, select Enabled and set the role to Join Existing Fabric.
  3. Enter the Upstream FortiGate IP, which is the IP of the root FortiGate vdom_nat1 interface (192.168.5.5). Downstream-G must use the interface from the management VDOM to connect to the upstream FortiGate IP.
  4. Enable Allow other Security Fabric devices to join and click the + to add the downstream interface (sw-vlan71) from the FG-traffic VDOM.

  5. Configure the other settings as needed.
  6. Click OK.
To configure Downstream-G in the CLI:
  1. Enable the Security Fabric:
    config system csf
        set status enable
        set upstream-ip 192.168.5.5
    end
  2. Configure the interfaces:
    config system interface
        edit "sw-vlan71"
            set vdom "FG-traffic"
            ...
            set allowaccess ping https ssh http fgfm fabric
            ...
        next
    end

Downstream FortiGate 2 (Level2-downstream-H)

To configure Level2-downstream-H in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. For Status, select Enabled and set the role to Join Existing Fabric.
  3. Enter the Upstream FortiGate IP, which is the IP of the root VDOM on Downstream-G (192.168.71.7).

  4. Configure the other settings as needed.
  5. Click OK.
To configure Level2-downstream-H in the CLI:
config system csf
    set status enable
    set upstream-ip 192.168.71.7
end

Downstream FortiGate 3 (Level1-downstream-10)

To configure Level1-downstream-10 in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
  2. For Status, select Enabled and set the role to Join Existing Fabric.
  3. Enter the Upstream FortiGate IP, which is the IP of the root VDOM on Root-E (192.168.9.5).

  4. Configure the other settings as needed.
  5. Click OK.
To configure Level1-downstream-10 in the CLI:
config system csf
    set status enable
    set upstream-ip 192.168.9.5
end

Device authorization and verification

To authorize the downstream devices on the root FortiGate:
  1. On Root-E, go to Security Fabric > Fabric Connectors.
  2. In the topology tree, click the highlighted serial number and select Authorize for each downstream FortiGate.

    Once all the devices are authorized, the physical topology page shows the root and downstream FortiGates. The logical topology page shows the root and downstream FortiGates connected to interfaces in their corresponding VDOMs.
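The joining rules described above (the Fabric is enabled on every device, the root carries a group name, each downstream points its upstream-ip at an interface whose allowaccess includes fabric, and reaches it from the downstream's management VDOM) can be checked offline before the devices are authorized. The Python script below is an added example and is not Fortinet code or part of this guide; it parses constructed FortiOS-style CLI fragments modelled on the Root-E, Downstream-G and Level2-downstream-H configurations above. The subnet masks, the port1 interfaces and the downstream management addresses 192.168.5.7 and 192.168.71.8 are assumptions, as is the management-VDOM name stored with each fragment.

```python
import ipaddress
# Constructed FortiOS-style CLI fragments for three devices on the page; masks,
# "port1" and downstream management addresses are assumptions. Tuple[0] is the management VDOM.
CONFIGS = {
    "Root-E": ("root", """config system csf
    set status enable
    set group-name "CSF_E"
end
config system interface
    edit "vlan50"
        set vdom "vdom_nat1"
        set ip 192.168.5.5 255.255.255.0
        set allowaccess ping https ssh http fgfm fabric
    next
    edit "vlan90"
        set vdom "root"
        set ip 192.168.9.5 255.255.255.0
        set allowaccess ping https ssh http fgfm fabric
    next
end"""),
    "Downstream-G": ("root", """config system csf
    set status enable
    set upstream-ip 192.168.5.5
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.5.7 255.255.255.0
    next
    edit "sw-vlan71"
        set vdom "FG-traffic"
        set ip 192.168.71.7 255.255.255.0
        set allowaccess ping https ssh http fgfm fabric
    next
end"""),
    "Level2-downstream-H": ("root", """config system csf
    set status enable
    set upstream-ip 192.168.71.7
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.71.8 255.255.255.0
    next
end"""),
}

def parse(text):
    """Minimal line-based parser: returns (csf settings, {interface: settings})."""
    csf, ifaces, section, cur = {}, {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "edit":
            cur = tok[1].strip('"')
            ifaces[cur] = {}
        elif tok[0] == "set":
            target = csf if section == "system csf" else ifaces[cur]
            target[tok[1]] = [t.strip('"') for t in tok[2:]]
    return csf, ifaces

def check_fabric(configs):
    """Return findings as strings; an empty list means every rule is satisfied."""
    parsed = {n: (mgmt, *parse(t)) for n, (mgmt, t) in configs.items()}
    # Only interfaces whose allowaccess includes 'fabric' accept join requests.
    join_points = {s["ip"][0] for _, _, ifaces in parsed.values()
                   for s in ifaces.values() if "fabric" in s.get("allowaccess", [])}
    findings = []
    for name, (mgmt_vdom, csf, ifaces) in parsed.items():
        if csf.get("status") != ["enable"]:
            findings.append(f"{name}: Security Fabric is not enabled")
            continue
        if "upstream-ip" not in csf:  # root device: needs only a group name
            if "group-name" not in csf:
                findings.append(f"{name}: root device has no group-name")
            continue
        up = csf["upstream-ip"][0]
        if up not in join_points:
            findings.append(f"{name}: upstream {up} is not a 'fabric' allowaccess interface")
        # Note on the page: the downstream must reach the upstream from its management VDOM.
        reachable = any(
            s["vdom"][0] == mgmt_vdom
            and ipaddress.ip_address(up) in ipaddress.ip_interface("/".join(s["ip"])).network
            for s in ifaces.values() if "ip" in s)
        if not reachable:
            findings.append(f"{name}: no interface in management VDOM '{mgmt_vdom}' "
                            f"shares a subnet with upstream {up}")
    return findings

def broken_example():
    """Constructed failure: Downstream-G's uplink moved out of its management VDOM."""
    bad = dict(CONFIGS)
    mgmt, text = bad["Downstream-G"]
    bad["Downstream-G"] = (mgmt, text.replace('set vdom "root"', 'set vdom "FG-traffic"', 1))
    return check_fabric(bad)
```

Running check_fabric(CONFIGS) on the constructed fragments returns no findings, while broken_example() reports that Downstream-G has no interface in its management VDOM on the upstream's subnet, which is exactly the mistake the note in this topic warns about. The script checks configuration consistency only; device authorization by serial number still happens on the root FortiGate as described under Device authorization and verification.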
