Deploying the Security Fabric in a multi-VDOM environment
A Security Fabric can be enabled in multi-VDOM environments. This allows access to all of the Security Fabric features, including automation, security rating, and topologies, across the VDOM deployment.
-
Users can navigate to downstream FortiGate devices and VDOMs directly from the root FortiGate using the Fabric selection menu.
-
The logical topology shows all of the configured VDOMs.
-
Security rating reports include results for all of the configured VDOMs as well the entire Fabric.
Downstream FortiGate devices must connect to the upstream FortiGate from its management VDOM. |
Topology
In this topology, there is a root FortiGate with three FortiGates connected through two different VDOMs. The root FortiGate is able to manage all devices running in multi-VDOM mode.
This example assumes multi-VDOM mode is already configured on each FortiGate, and that FortiAnalyzer logging is configured on the root FortiGate (see Configuring FortiAnalyzer and Configuring the root FortiGate and downstream FortiGates for more details).
To enable multi-VDOM mode:
config system global set vdom-mode multi-vdom end
Device configurations
Root FortiGate (Root-E)
The Security Fabric is enabled, and configured so that downstream interfaces from all VDOMs can allow other Security Fabric devices to join.
To configure Root-E in the GUI:
- Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
- Set the Security Fabric role to Serve as Fabric Root.
- Enable Allow other Security Fabric devices to join and click the + to add the interfaces (vlan50 and vlan90) from the vdom_nat1 and root VDOMs.
- Configure the other settings as needed.
- Click OK.
To configure Root-E in the CLI:
- Enable the Security Fabric:
config system csf set status enable set group-name "CSF_E" end
- Configure the interfaces:
config system interface edit "vlan50" set vdom "vdom_nat1" ... set allowaccess ping https ssh http fgfm fabric ... next edit "vlan90" set vdom "root" ... set allowaccess ping https ssh http fgfm fabric ... next end
Downstream FortiGate 1 (Downstream-G)
To configure Downstream-G in the GUI:
- Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
- In the Settings tab, set the Security Fabric role to Join Existing Fabric.
- Enter the Upstream FortiGate IP, which is the IP of the root FortiGate vdom_nat1 interface (192.168.5.5). Downstream-G must use the interface from the management VDOM to connect to the upstream FortiGate IP.
- Enable Allow other Security Fabric devices to join and click the + to add the downstream interface (sw-vlan71) from the FG-traffic VDOM.
- Configure the other settings as needed.
- Click OK.
To configure Downstream-G in the CLI:
- Enable the Security Fabric:
config system csf set status enable set upstream-ip 192.168.5.5 end
- Configure the interfaces:
config system interface edit "sw-vlan71" set vdom "FG-traffic" ... set allowaccess ping https ssh http fgfm fabric ... next end
Downstream FortiGate 2 (Level2-downstream-H)
To configure Level2-downstream-H in the GUI:
- Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
- In the Settings tab, set the Security Fabric role to Join Existing Fabric.
- Enter the Upstream FortiGate IP, which is the IP of the root VDOM on Downstream-G (192.168.71.7).
- Configure the other settings as needed.
- Click OK.
To configure Level2-downstream-H in the CLI:
config system csf set status enable set upstream-ip 192.168.71.7 end
Downstream FortiGate 3 (Level1-downstream-10)
To configure Level1-downstream-10 in the GUI:
- Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
- In the Settings tab, set the Security Fabric role to Join Existing Fabric.
- Enter the Upstream FortiGate IP, which is the IP of the root VDOM on Root-E (192.168.9.5).
- Configure the other settings as needed.
- Click OK.
To configure Level1-downstream-10 in the CLI:
config system csf set status enable set upstream-ip 192.168.9.5 end
Device authorization and verification
To authorize the downstream devices on the root FortiGate:
- On Root-E, go to System > Firmware & Registration.
- Select the unauthorized device and click Authorization > Authorize for each downstream FortiGate.
Once all the devices are authorized, the physical topology page shows the root and downstream FortiGates. The logical topology page shows the root and downstream FortiGates connected to interfaces in their corresponding VDOMs.