Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
skrymi
Staff
Staff

Created on ‎11-27-2024 06:49 AM Edited on ‎04-13-2025 10:53 PM By Moderator

Article Id 360538

Technical Tip: The impact of 'set configuration-sync local' on the Security Fabric

Description This article describes the impacts on the Security Fabric Topology when 'set configuration-sync' is set to local.
Scope FortiGate, FortiAnalyzer, and FortiManager.
Solution

In a network topology with a centralized FortiGate (root FortiGate) and downstream FortiGates (all devices are managed by FortiManager), a logging icon showing all is by design when Security Fabric is enabled.

 

If needed to centralize logging management through FortiManager, there is a setting to achieve it:

 

config system csf

    set configuration-sync local

end

 

Below are the impacts on Security Fabric devices when 'set configuration-sync local' is configured on the downstream device:

  • All traffic going through FortiGate firewall policy will be logged regardless if logging is enabled or not in policy configuration.
  • The policies will reflect the logging changes that are pushed from FortiManager.
  •  The connection between downstream FortiGate, FortiAnalyzer and FortiManager will remain established and the downstream FortiGate can be managed by FortiManager.
  • The synchronized Fabric objects are kept as locally created objects on downstream FortiGate.
  • On FortiAnalyzer, the logs from the downstream device will continue to be saved.

 

On the downstream FortiGate:

 

SNAP1.png

 

On the FortiAnalyzer, the connection is UP, and the logs are stored:

 

SNAP2.png

 

SNAP3.png

 

On the FortiManager device, the device is UP and still can be managed by FortiManager:

 

Snap4.png

 

Note: If this option 'configuration-sync' is not configured as 'local' on all downstream FortiGate, those Fabric Objects synchronized from the root FortiGate won't be modified.

 

In certain scenarios that the downstream non-root FortiGate receives the synchronized objects while the FortiManager is not aware of this change. In that case, FortiManager will attempt to delete these synchronized objects when pushing configuration to the FortiGate but will not be successful. The error will be as follows:

 
 

------- Start to retry --------

chewbacca-kvm62 $ config firewall address
chewbacca-kvm62 (address) $ delete "192.168.10.10/32"
Cannot delete fabric object in non-root Security Fabric member.
command_cli_delete:6944 delete table entry 192.168.10.10/32 unset oper error ret=-160
Command fail. Return code -160
chewbacca-kvm62 (address) $ end


---> generating verification report
( firewall address )
delete "192.168.10.10/32"
<--- done generating verification report


install failed

 

This is actually the conflict between the Security Fabric synchronization and FortiManager as both attempt to push changes to non-root FortiGates. To avoid this scenario, it is necessary to configure 'configuration-sync' as 'local' while let the FortiManager manage the synchronization of all objects among all FortiGates in the same ADOM.
821
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.