Fortinet white logo
Fortinet white logo

Administration Guide

Synchronizing objects across the Security Fabric

Synchronizing objects across the Security Fabric

When the Security Fabric is enabled, various objects such as addresses, services, and schedules are synced from the upstream FortiGate to all downstream devices by default. FortiOS has the following settings for object synchronization across the Security Fabric:

  • Set object synchronization (fabric-object-unification) to default or local on the root FortiGate.

  • Set a per object option to toggle whether the specific Fabric object will be synchronized or not. After upgrading from 6.4.3, this option is disabled for supported Fabric objects. The synchronized Fabric objects are kept as locally created objects on downstream FortiGates.

  • Define the number of task workers to handle synchronizations.

The firewall object synchronization wizard helps identify objects that are not synchronized and resolves any conflicts. A warning message appears in the topology tree if there is a conflict.

Summary of CLI commands

To configure object synchronization:
config system csf
    set fabric-object-unification {default | local}
    set configuration-sync {default | local}
    set fabric-workers <integer>
end

Parameter

Description

fabric-object-unification

default: Global CMDB objects will be synchronized in the Security Fabric.

local: Global CMDB objects will not be synchronized to and from this device.

This command is available on the root FortiGate. If set to local, the device does not synchronize objects from the root, but will send the synchronized objects downstream.

configuration-sync

default: Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node.

local: Do not synchronize configuration with root node.

If downstream FortiGates are set to local, the synchronized objects from the root to downstream are not applied locally. However, the downstream FortiGate will send the configuration to lower FortiGates.

fabric-workers

Define how many task worker process are created to handle synchronizations (1- 4, default = 2). The worker processes dies if there is no task to perform after 60 seconds.

The per object setting can be configured on the root FortiGate as follows:

config firewall <object>
    edit <name>
        set fabric-object {enable | disable}
    next
end

Where:

  • <object> is one of the following: address, address6, addrgrp, addrgrp6, service category, service custom, service group, schedule group, schedule onetime, or schedule recurring.

  • Enabling fabric-object sets the object as a Security Fabric-wide global object that is synchronized to downstream FortiGates.

  • Disabling fabric-object sets the object as local to this Security Fabric member.

  • If a device in the Fabric is in multi-VDOM mode, the GUI will not display the Fabric synchronization option. Even if this is enabled in the CLI, the object will not be synchronized to any downstream devices.

Sample topology

In this Security Fabric, the root FortiGate (FGTA-1) has fabric-object-unification set to default so the Fabric objects can be synchronized to the downstream FortiGate. The level 1 downstream FortiGate (FGTB-1) has configuration-sync set to local, so it will not apply the synchronized objects locally. The level 2 downstream FortiGate (FGTC) has configuration-sync set to default, so it will apply the synchronized objects locally.

In this example, firewall addresses and address groups are used. Other supported Fabric objects have the same behaviors. The following use cases illustrate common synchronization scenarios:

  • If no conflicts exist, firewall addresses and address groups can be synchronized to downstream FortiGates (see example below).

  • If a conflict exists between the root and downstream FortiGates, it can be resolved with the conflict resolution wizard. After the conflict is resolved, the firewall addresses and address groups can be synchronized to downstream FortiGates (see example below).

  • If set fabric-object (Fabric synchronization option in the GUI) is disabled for firewall addresses and address groups on the root FortiGate, they will not be synchronized to downstream FortiGates (see example below).

To configure the FortiGates used in this example:
FGTA-1 # config system csf
    set status enable
    set group-name "fabric"
    set fabric-object-unification default
    ...
end
FGTB-1 # config system csf
    set status enable
    set upstream-ip 10.2.200.1
    set configuration-sync local
    ...    
end
FGTC # config system csf
    set status enable
    set upstream-ip 192.168.7.2
    set configuration-sync default
    ...
end
To synchronize a firewall address and address group in the Security Fabric:
  1. Configure the firewall address on the root FortiGate:

    FGTA-1 # config firewall address
        edit "add_subnet_1"
            set fabric-object enable
            set subnet 22.22.22.0 255.255.255.0
        next
    end
  2. Configure the address group on the root FortiGate:

    FGTA-1 # config firewall addrgrp
        edit "group_subnet_1"
            set member "add_subnet_1"
            set fabric-object enable
        next
    end
  3. Check the firewall address and address group on the downstream FortiGates:

    FGTB-1 # show firewall address add_subnet_1
    entry is not found in table
    
    FGTB-1 # show firewall addrgrp group_subnet_1
    entry is not found in table
    

    The synchronized objects are not applied locally on this FortiGate because configuration-sync is set to local.

    FGTC # show firewall address add_subnet_1
    config firewall address
        edit "add_subnet_1"
            set uuid 378a8094-34cb-51eb-ce40-097f298fcfdc
            set fabric-object enable
            set subnet 22.22.22.0 255.255.255.0
        next
    end
    
    FGTC # show firewall addrgrp group_subnet_1
    config firewall addrgrp
        edit "group_subnet_1"
            set uuid 4d7a8a52-34cb-51eb-fce7-d93f76915319
            set member "add_subnet_1"
            set color 19
            set fabric-object enable
        next
    end

    The objects are synchronized on this FortiGate because configuration-sync is set to default.

To resolve a firewall address and address group conflict in the Security Fabric:
  1. On FGTC, create a firewall address:

    1. Go to Policy & Objects > Addresses and select Address.

    2. Click Create new.

    3. Configure the following:

      Name

      sync_add_1

      IP/Netmask

      33.33.33.0 255.255.255.0

    4. Click OK.

  2. On FGTA-1 (Fabric root), create the firewall address with same name but a different subnet:

    1. Go to Policy & Objects > Addresses and select Address.

    2. Click Create new.

    3. Configure the following:

      Name

      sync_add_1

      IP/Netmask

      11.11.11.0 255.255.255.0

      Fabric synchronization

      Enable

    4. Click OK.

  3. Add the address to a different address group than what is configured on FGTC:

    1. Go to Policy & Objects > Addresses and select Address Group.

    2. Click Create new.

    3. Configure the following:

      Name

      sync_group4

      Members

      sync_add_1

      Fabric synchronization

      Enable

    4. Click OK.

  4. Open the notification center drop dropdown. There is a message that 1 Firewall object is conflict with other FortiGates in the fabric.

  5. Resolve the conflict:

    1. Click the message in the notification center drop dropdown. The Firewall Object Synchronization pane opens.

    2. Click Rename All Objects. The conflicted object will be renamed on the downstream FortiGate.

    3. The conflict is resolved. Click Close to exit the Firewall Object Synchronization pane.

  6. Verify the results on the downstream FortiGates:

    1. On FGTB-1, go to Policy & Objects > Addresses.

    2. Search for sync_add_1 and sync_group4 in the Address and Group Address pages, respectively. No results are found. The synchronized objects are not applied locally on this FortiGate because configuration-sync is set to local.

    3. On FGTC, go to Policy & Objects > Addresses.

    4. Search for sync_add_1 in the Address page. The original firewall address sync_add_1 was renamed to sync_add_1_FGTC by resolving the conflict on FGTA-1. The address sync_add_1 and address group sync_group4 are synchronized from FGTA-1.

To disable Fabric synchronization on the root FortiGate in the GUI:
  1. On FGTA-1, create a firewall address:

    1. Go to Policy & Objects > Addresses and select Address.

    2. Click Create new.

    3. Configure the following:

      Name

      add_subnet_3

      IP/Netmask

      33.33.33.0 255.255.255.0

      Fabric synchronization

      Disable

    4. Click OK.

  2. Create the firewall address group and add the address:

    1. Go to Policy & Objects > Addresses and select Address Group.

    2. Click Create new.

    3. Configure the following:

      Name

      group_subnet_3

      Members

      add_subnet_3

      Fabric synchronization

      Disable

    4. Click OK.

  3. On FGTB-1, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric synchronization is disabled on the root FortiGate (FGTA-1).

  4. On FGTC, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric synchronization is disabled on the root FortiGate (FGTA-1).

To disable Fabric synchronization on the root FortiGate in the CLI:
  1. Configure the firewall address on the root FortiGate:

    FGTA-1 # config firewall address
        edit "add_subnet_3"
            set subnet 33.33.33.0 255.255.255.0
            set fabric-object disable
        next
    end
  2. Configure the address group on the root FortiGate:

    FGTA-1 # config firewall addrgrp
        edit "group_subnet_3"
            set member "add_subnet_3"
            set fabric-object disable
        next
    end
  3. Check the firewall address and address group on the downstream FortiGates:

    FGTB-1 # show firewall address add_subnet_3
    entry is not found in table
    FGTB-1 # show firewall addrgrp group_subnet_3
    entry is not found in table
    
    FGTC # show firewall address add_subnet_3
    entry is not found in table
    
    FGTC # show firewall addrgrp group_subnet_3
    entry is not found in table

    The objects are not synchronized from the root FortiGate (FGTA-1) because the fabric-object setting is disabled.

Synchronizing objects across the Security Fabric

Synchronizing objects across the Security Fabric

When the Security Fabric is enabled, various objects such as addresses, services, and schedules are synced from the upstream FortiGate to all downstream devices by default. FortiOS has the following settings for object synchronization across the Security Fabric:

  • Set object synchronization (fabric-object-unification) to default or local on the root FortiGate.

  • Set a per object option to toggle whether the specific Fabric object will be synchronized or not. After upgrading from 6.4.3, this option is disabled for supported Fabric objects. The synchronized Fabric objects are kept as locally created objects on downstream FortiGates.

  • Define the number of task workers to handle synchronizations.

The firewall object synchronization wizard helps identify objects that are not synchronized and resolves any conflicts. A warning message appears in the topology tree if there is a conflict.

Summary of CLI commands

To configure object synchronization:
config system csf
    set fabric-object-unification {default | local}
    set configuration-sync {default | local}
    set fabric-workers <integer>
end

Parameter

Description

fabric-object-unification

default: Global CMDB objects will be synchronized in the Security Fabric.

local: Global CMDB objects will not be synchronized to and from this device.

This command is available on the root FortiGate. If set to local, the device does not synchronize objects from the root, but will send the synchronized objects downstream.

configuration-sync

default: Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node.

local: Do not synchronize configuration with root node.

If downstream FortiGates are set to local, the synchronized objects from the root to downstream are not applied locally. However, the downstream FortiGate will send the configuration to lower FortiGates.

fabric-workers

Define how many task worker process are created to handle synchronizations (1- 4, default = 2). The worker processes dies if there is no task to perform after 60 seconds.

The per object setting can be configured on the root FortiGate as follows:

config firewall <object>
    edit <name>
        set fabric-object {enable | disable}
    next
end

Where:

  • <object> is one of the following: address, address6, addrgrp, addrgrp6, service category, service custom, service group, schedule group, schedule onetime, or schedule recurring.

  • Enabling fabric-object sets the object as a Security Fabric-wide global object that is synchronized to downstream FortiGates.

  • Disabling fabric-object sets the object as local to this Security Fabric member.

  • If a device in the Fabric is in multi-VDOM mode, the GUI will not display the Fabric synchronization option. Even if this is enabled in the CLI, the object will not be synchronized to any downstream devices.

Sample topology

In this Security Fabric, the root FortiGate (FGTA-1) has fabric-object-unification set to default so the Fabric objects can be synchronized to the downstream FortiGate. The level 1 downstream FortiGate (FGTB-1) has configuration-sync set to local, so it will not apply the synchronized objects locally. The level 2 downstream FortiGate (FGTC) has configuration-sync set to default, so it will apply the synchronized objects locally.

In this example, firewall addresses and address groups are used. Other supported Fabric objects have the same behaviors. The following use cases illustrate common synchronization scenarios:

  • If no conflicts exist, firewall addresses and address groups can be synchronized to downstream FortiGates (see example below).

  • If a conflict exists between the root and downstream FortiGates, it can be resolved with the conflict resolution wizard. After the conflict is resolved, the firewall addresses and address groups can be synchronized to downstream FortiGates (see example below).

  • If set fabric-object (Fabric synchronization option in the GUI) is disabled for firewall addresses and address groups on the root FortiGate, they will not be synchronized to downstream FortiGates (see example below).

To configure the FortiGates used in this example:
FGTA-1 # config system csf
    set status enable
    set group-name "fabric"
    set fabric-object-unification default
    ...
end
FGTB-1 # config system csf
    set status enable
    set upstream-ip 10.2.200.1
    set configuration-sync local
    ...    
end
FGTC # config system csf
    set status enable
    set upstream-ip 192.168.7.2
    set configuration-sync default
    ...
end
To synchronize a firewall address and address group in the Security Fabric:
  1. Configure the firewall address on the root FortiGate:

    FGTA-1 # config firewall address
        edit "add_subnet_1"
            set fabric-object enable
            set subnet 22.22.22.0 255.255.255.0
        next
    end
  2. Configure the address group on the root FortiGate:

    FGTA-1 # config firewall addrgrp
        edit "group_subnet_1"
            set member "add_subnet_1"
            set fabric-object enable
        next
    end
  3. Check the firewall address and address group on the downstream FortiGates:

    FGTB-1 # show firewall address add_subnet_1
    entry is not found in table
    
    FGTB-1 # show firewall addrgrp group_subnet_1
    entry is not found in table
    

    The synchronized objects are not applied locally on this FortiGate because configuration-sync is set to local.

    FGTC # show firewall address add_subnet_1
    config firewall address
        edit "add_subnet_1"
            set uuid 378a8094-34cb-51eb-ce40-097f298fcfdc
            set fabric-object enable
            set subnet 22.22.22.0 255.255.255.0
        next
    end
    
    FGTC # show firewall addrgrp group_subnet_1
    config firewall addrgrp
        edit "group_subnet_1"
            set uuid 4d7a8a52-34cb-51eb-fce7-d93f76915319
            set member "add_subnet_1"
            set color 19
            set fabric-object enable
        next
    end

    The objects are synchronized on this FortiGate because configuration-sync is set to default.

To resolve a firewall address and address group conflict in the Security Fabric:
  1. On FGTC, create a firewall address:

    1. Go to Policy & Objects > Addresses and select Address.

    2. Click Create new.

    3. Configure the following:

      Name

      sync_add_1

      IP/Netmask

      33.33.33.0 255.255.255.0

    4. Click OK.

  2. On FGTA-1 (Fabric root), create the firewall address with same name but a different subnet:

    1. Go to Policy & Objects > Addresses and select Address.

    2. Click Create new.

    3. Configure the following:

      Name

      sync_add_1

      IP/Netmask

      11.11.11.0 255.255.255.0

      Fabric synchronization

      Enable

    4. Click OK.

  3. Add the address to a different address group than what is configured on FGTC:

    1. Go to Policy & Objects > Addresses and select Address Group.

    2. Click Create new.

    3. Configure the following:

      Name

      sync_group4

      Members

      sync_add_1

      Fabric synchronization

      Enable

    4. Click OK.

  4. Open the notification center drop dropdown. There is a message that 1 Firewall object is conflict with other FortiGates in the fabric.

  5. Resolve the conflict:

    1. Click the message in the notification center drop dropdown. The Firewall Object Synchronization pane opens.

    2. Click Rename All Objects. The conflicted object will be renamed on the downstream FortiGate.

    3. The conflict is resolved. Click Close to exit the Firewall Object Synchronization pane.

  6. Verify the results on the downstream FortiGates:

    1. On FGTB-1, go to Policy & Objects > Addresses.

    2. Search for sync_add_1 and sync_group4 in the Address and Group Address pages, respectively. No results are found. The synchronized objects are not applied locally on this FortiGate because configuration-sync is set to local.

    3. On FGTC, go to Policy & Objects > Addresses.

    4. Search for sync_add_1 in the Address page. The original firewall address sync_add_1 was renamed to sync_add_1_FGTC by resolving the conflict on FGTA-1. The address sync_add_1 and address group sync_group4 are synchronized from FGTA-1.

To disable Fabric synchronization on the root FortiGate in the GUI:
  1. On FGTA-1, create a firewall address:

    1. Go to Policy & Objects > Addresses and select Address.

    2. Click Create new.

    3. Configure the following:

      Name

      add_subnet_3

      IP/Netmask

      33.33.33.0 255.255.255.0

      Fabric synchronization

      Disable

    4. Click OK.

  2. Create the firewall address group and add the address:

    1. Go to Policy & Objects > Addresses and select Address Group.

    2. Click Create new.

    3. Configure the following:

      Name

      group_subnet_3

      Members

      add_subnet_3

      Fabric synchronization

      Disable

    4. Click OK.

  3. On FGTB-1, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric synchronization is disabled on the root FortiGate (FGTA-1).

  4. On FGTC, go to Policy & Objects > Addresses and search for subnet_3. No results are found because Fabric synchronization is disabled on the root FortiGate (FGTA-1).

To disable Fabric synchronization on the root FortiGate in the CLI:
  1. Configure the firewall address on the root FortiGate:

    FGTA-1 # config firewall address
        edit "add_subnet_3"
            set subnet 33.33.33.0 255.255.255.0
            set fabric-object disable
        next
    end
  2. Configure the address group on the root FortiGate:

    FGTA-1 # config firewall addrgrp
        edit "group_subnet_3"
            set member "add_subnet_3"
            set fabric-object disable
        next
    end
  3. Check the firewall address and address group on the downstream FortiGates:

    FGTB-1 # show firewall address add_subnet_3
    entry is not found in table
    FGTB-1 # show firewall addrgrp group_subnet_3
    entry is not found in table
    
    FGTC # show firewall address add_subnet_3
    entry is not found in table
    
    FGTC # show firewall addrgrp group_subnet_3
    entry is not found in table

    The objects are not synchronized from the root FortiGate (FGTA-1) because the fabric-object setting is disabled.