
Security Fabric root change?

I have several FortiGates and, due to having added most of them over the last couple of years, my Fabric root is still my main Internet edge firewall. I want to move this to a new core firewall I set up a few weeks ago but am not seeing any mention of this in the admin guide (running FortiOS 7.0.12).


Is it just a simple matter of changing my core to serve as the Fabric root and my edge to that of "Join Existing Fabric", and repointing my other FortiGates to the new Upstream FortiGate IP (core)? I just want to make sure I won't cause any issues with all of the fabric sync'd address objects I have in play now by making such a change without going through the correct workflow.


Dear Cajuntank,


Thank you for posting to the Fortinet Community Forum.


Problem Description:

Security Fabric root change?

You can change the core FW status to Fabric root and the edge FW status to Join Existing Fabric, and yes, you are right, you need to change the upstream IP address on the other FGTs to the new core FW IP.

Let us know if this helps.



Salon Raj Joshi

I understand the deployment; I was just making sure that if I do make that fabric root change and such, all of the address objects that were being sync'd from the old root would not break due to now trying to come from a new root (if that makes sense). So for example, when I go to my existing root, the address objects give me a Fabric Sync column and show me which objects are enabled for sync. If I change roots, how will that affect those objects at my other firewalls? Will they sync those from the new root or will I lose sync for those objects until I recreate them from the new root?
