Synchronizing objects across the Security Fabric
When the Security Fabric is enabled, various objects such as addresses, services, and schedules are synced from the upstream FortiGate to all downstream devices by default. FortiOS has the following settings for object synchronization across the Security Fabric:
-
Set object synchronization (
fabric-object-unification
) todefault
orlocal
on the root FortiGate. -
Set a per object option to toggle whether the specific Fabric object will be synchronized or not. After upgrading from 6.4.3, this option is disabled for supported Fabric objects. The synchronized Fabric objects are kept as locally created objects on downstream FortiGates.
-
Define the number of task workers to handle synchronizations.
The firewall object synchronization wizard helps identify objects that are not synchronized and resolves any conflicts. A warning message appears in the topology tree if there is a conflict.
Summary of CLI commands
To configure object synchronization:
config system csf set fabric-object-unification {default | local} set configuration-sync {default | local} set fabric-workers <integer> end
Parameter |
Description |
---|---|
fabric-object-unification |
default: Global CMDB objects will be synchronized in the Security Fabric. local: Global CMDB objects will not be synchronized to and from this device. This command is available on the root FortiGate. If set to local, the device does not synchronize objects from the root, but will send the synchronized objects downstream. |
configuration-sync |
default: Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node. local: Do not synchronize configuration with root node. If downstream FortiGates are set to local, the synchronized objects from the root to downstream are not applied locally. However, the downstream FortiGate will send the configuration to lower FortiGates. |
fabric-workers |
Define how many task worker process are created to handle synchronizations (1- 4, default = 2). The worker processes dies if there is no task to perform after 60 seconds. |
The per object setting can be configured on the root FortiGate as follows:
config firewall <object> edit <name> set fabric-object {enable | disable} next end
Where:
-
<object>
is one of the following:address
,address6
,addrgrp
,addrgrp6
,service category
,service custom
,service group
,schedule group
,schedule onetime
, orschedule recurring
. -
Enabling
fabric-object
sets the object as a Security Fabric-wide global object that is synchronized to downstream FortiGates. -
Disabling
fabric-object
sets the object as local to this Security Fabric member. -
If a device in the Fabric is in multi-VDOM mode, the GUI will not display the Fabric synchronization option. Even if this is enabled in the CLI, the object will not be synchronized to any downstream devices.
Sample topology
In this Security Fabric, the root FortiGate (FGTA-1) has fabric-object-unification
set to default
so the Fabric objects can be synchronized to the downstream FortiGate. The level 1 downstream FortiGate (FGTB-1) has configuration-sync
set to local
, so it will not apply the synchronized objects locally. The level 2 downstream FortiGate (FGTC) has configuration-sync
set to default
, so it will apply the synchronized objects locally.
In this example, firewall addresses and address groups are used. Other supported Fabric objects have the same behaviors. The following use cases illustrate common synchronization scenarios:
-
If no conflicts exist, firewall addresses and address groups can be synchronized to downstream FortiGates (see example below).
-
If a conflict exists between the root and downstream FortiGates, it can be resolved with the conflict resolution wizard. After the conflict is resolved, the firewall addresses and address groups can be synchronized to downstream FortiGates (see example below).
-
If
set fabric-object
(Fabric synchronization option in the GUI) is disabled for firewall addresses and address groups on the root FortiGate, they will not be synchronized to downstream FortiGates (see example below).
To configure the FortiGates used in this example:
FGTA-1 # config system csf set status enable set group-name "fabric" set fabric-object-unification default ... end
FGTB-1 # config system csf set status enable set upstream-ip 10.2.200.1 set configuration-sync local ... end
FGTC # config system csf set status enable set upstream-ip 192.168.7.2 set configuration-sync default ... end
To synchronize a firewall address and address group in the Security Fabric:
-
Configure the firewall address on the root FortiGate:
FGTA-1 # config firewall address edit "add_subnet_1" set fabric-object enable set subnet 22.22.22.0 255.255.255.0 next end
-
Configure the address group on the root FortiGate:
FGTA-1 # config firewall addrgrp edit "group_subnet_1" set member "add_subnet_1" set fabric-object enable next end
-
Check the firewall address and address group on the downstream FortiGates:
FGTB-1 # show firewall address add_subnet_1 entry is not found in table
FGTB-1 # show firewall addrgrp group_subnet_1 entry is not found in table
The synchronized objects are not applied locally on this FortiGate because
configuration-sync
is set tolocal
.FGTC # show firewall address add_subnet_1 config firewall address edit "add_subnet_1" set uuid 378a8094-34cb-51eb-ce40-097f298fcfdc set fabric-object enable set subnet 22.22.22.0 255.255.255.0 next end
FGTC # show firewall addrgrp group_subnet_1 config firewall addrgrp edit "group_subnet_1" set uuid 4d7a8a52-34cb-51eb-fce7-d93f76915319 set member "add_subnet_1" set color 19 set fabric-object enable next end
The objects are synchronized on this FortiGate because
configuration-sync
is set todefault
.
To resolve a firewall address and address group conflict in the Security Fabric:
-
On FGTC, create a firewall address:
-
Go to Policy & Objects > Addresses and select Address.
-
Click Create new.
-
Configure the following:
Name
sync_add_1
IP/Netmask
33.33.33.0 255.255.255.0
-
Click OK.
-
-
On FGTA-1 (Fabric root), create the firewall address with same name but a different subnet:
-
Go to Policy & Objects > Addresses and select Address.
-
Click Create new.
-
Configure the following:
Name
sync_add_1
IP/Netmask
11.11.11.0 255.255.255.0
Fabric synchronization
Enable
-
Click OK.
-
-
Add the address to a different address group than what is configured on FGTC:
-
Go to Policy & Objects > Addresses and select Address Group.
-
Click Create new.
-
Configure the following:
Name
sync_group4
Members
sync_add_1
Fabric synchronization
Enable
-
Click OK.
-
-
Open the notification center drop dropdown. There is a message that 1 Firewall object is conflict with other FortiGates in the fabric.
-
Resolve the conflict:
-
Click the message in the notification center drop dropdown. The Firewall Object Synchronization pane opens.
-
Click Rename All Objects. The conflicted object will be renamed on the downstream FortiGate.
-
The conflict is resolved. Click Close to exit the Firewall Object Synchronization pane.
-
-
Verify the results on the downstream FortiGates:
-
On FGTB-1, go to Policy & Objects > Addresses.
-
Search for sync_add_1 and sync_group4 in the Address and Group Address pages, respectively. No results are found. The synchronized objects are not applied locally on this FortiGate because
configuration-sync
is set tolocal
. -
On FGTC, go to Policy & Objects > Addresses.
-
Search for sync_add_1 in the Address page. The original firewall address sync_add_1 was renamed to sync_add_1_FGTC by resolving the conflict on FGTA-1. The address sync_add_1 and address group sync_group4 are synchronized from FGTA-1.
-
To disable Fabric synchronization on the root FortiGate in the GUI:
-
On FGTA-1, create a firewall address:
-
Go to Policy & Objects > Addresses and select Address.
-
Click Create new.
-
Configure the following:
Name
add_subnet_3
IP/Netmask
33.33.33.0 255.255.255.0
Fabric synchronization
Disable
-
Click OK.
-
-
Create the firewall address group and add the address:
-
Go to Policy & Objects > Addresses and select Address Group.
-
Click Create new.
-
Configure the following:
Name
group_subnet_3
Members
add_subnet_3
Fabric synchronization
Disable
-
Click OK.
-
-
On FGTB-1, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric synchronization is disabled on the root FortiGate (FGTA-1).
-
On FGTC, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric synchronization is disabled on the root FortiGate (FGTA-1).
To disable Fabric synchronization on the root FortiGate in the CLI:
-
Configure the firewall address on the root FortiGate:
FGTA-1 # config firewall address edit "add_subnet_3" set subnet 33.33.33.0 255.255.255.0 set fabric-object disable next end
-
Configure the address group on the root FortiGate:
FGTA-1 # config firewall addrgrp edit "group_subnet_3" set member "add_subnet_3" set fabric-object disable next end
-
Check the firewall address and address group on the downstream FortiGates:
FGTB-1 # show firewall address add_subnet_3 entry is not found in table
FGTB-1 # show firewall addrgrp group_subnet_3 entry is not found in table
FGTC # show firewall address add_subnet_3 entry is not found in table
FGTC # show firewall addrgrp group_subnet_3 entry is not found in table
The objects are not synchronized from the root FortiGate (FGTA-1) because the
fabric-object
setting is disabled.