Questions and Answers
Which option enables objects or groups to become global CMDB objects distributed to downstream Security Fabric members?
Which device in the Security Fabric logs each session once?
When does an upstream FortiGate device generate another log for a session coming from another member's MAC address?
Which device completes UTM logging for sessions in the Security Fabric?
What does FortiAnalyzer do to ensure accurate reporting and automation in the Security Fabric?
What is the behavior of a FortiGate device in the Security Fabric when it receives a packet from another FortiGate in the Security Fabric?
What is the exception to the behavior of a FortiGate device in the Security Fabric when it receives a packet from another FortiGate in the Security Fabric?
What happens to logging from leaf FortiGate devices to FortiAnalyzer if the root FortiGate is down?
What is the purpose of setting firewall policies in the Security Fabric?
What is the purpose of FortiAnalyzer in the Security Fabric?
Which type of policy objects and groups are pushed by the root FortiGate in a Security Fabric?
What command is used to disable configuration synchronization on downstream FortiGate devices?
What is the default behavior of the root FortiGate in a Security Fabric with regards to pushing CMDB objects?
What is the purpose of disabling configuration synchronization on downstream FortiGate devices in a Security Fabric?
What is the effect of setting fabric-object-unification to local on a downstream FortiGate device?
What is the effect of setting fabric-object-unification to default on a downstream FortiGate device?
What is the purpose of locally scoping individual objects and groups on the root FortiGate?
In the example topology shown on the slide, which FortiGate device has fabric-object-unification set to local?
In the example topology shown on the slide, which FortiGate device will not import objects sent by the root FortiGate?
In the example topology shown on the slide, which FortiGate device will receive and synchronize the objects sent from the root FortiGate?
Study Notes
Security Fabric Configuration
- An object or group becomes a global CMDB object when the fabric-object option is enabled on it on the root FortiGate; the root then distributes it to downstream Security Fabric members. Objects without that option stay local to the root.
Log Collection and Analysis
- Each session is logged once in the Security Fabric, by the downstream FortiGate that first processes the traffic, not by the root.
- An upstream FortiGate does not generate another traffic log for a session arriving from another Fabric member's MAC address; it generates additional logs for that session only when it applies its own UTM inspection to it.
- UTM logging is completed by each FortiGate that applies a security profile to the session, so UTM logs are not centralized on the root.
- FortiAnalyzer ensures accurate reporting and automation in the Security Fabric by collecting and analyzing logs from all FortiGate devices.
Packet Processing and Forwarding
- When a FortiGate in the Security Fabric receives a packet from another FortiGate in the Fabric (recognized by that member's MAC address), it processes and forwards the packet without generating a traffic log, because the downstream device has already logged the session.
- The exception is UTM: if the receiving FortiGate applies a security profile to the session, it generates its own UTM logs for it.
Logging and FortiAnalyzer
- If the root FortiGate is down, logging from leaf FortiGate devices to FortiAnalyzer is not affected: the FortiAnalyzer settings are pushed from the root, but each FortiGate sends its logs directly to FortiAnalyzer rather than through the root.
Policy and Object Management
- Firewall policies in the Security Fabric define which traffic each FortiGate allows or denies and which security profiles it applies; policies are configured on each device, the Fabric synchronizes objects, not policies.
- FortiAnalyzer in the Security Fabric collects the logs from all members in one place and provides the reporting and automation built on them.
- The root FortiGate pushes global CMDB objects and groups (firewall objects such as addresses and address groups that have fabric-object enabled) to downstream FortiGate devices.
- Configuration synchronization from the root is disabled on a downstream FortiGate with the command config system csf, then set configuration-sync local; the value default keeps synchronization enabled.
- The default behavior of the root FortiGate in a Security Fabric is to push its global CMDB objects to all downstream FortiGate devices.
- Disabling configuration synchronization on a downstream FortiGate prevents settings pushed from the root (for example FortiAnalyzer and central management settings) from overwriting that device's local configuration.
Fabric Object Unification
- Setting fabric-object-unification to local on a downstream FortiGate makes the device use only its local objects: global CMDB objects sent by the root are not imported, and the device's own objects are not synchronized to the Fabric.
- Setting fabric-object-unification to default (the default value) on a downstream FortiGate lets it receive and use the global CMDB objects pushed by the root.
- Locally scoping individual objects and groups on the root FortiGate (leaving fabric-object disabled on them) controls which objects are pushed downstream: only objects marked as fabric objects are synchronized, everything else stays on the root.
Example Topology
- In the example topology, FortiGate-3 has fabric-object-unification set to local.
- In the example topology, FortiGate-2 will not import objects sent by the root FortiGate.
- In the example topology, FortiGate-1 will receive and synchronize the objects sent from the root FortiGate.
Description
Test your knowledge on FortiGate policy objects and groups, configuration synchronization, and Security Fabric in this quiz.