
Data planes

You need to create a data plane for each FortiGate device with applications under it that need to be secured. For example, in the following topology, you would create a data plane for FGT-3 to secure Application-1, Application-2, and Application-3. You would create a second data plane for FGT-5 to secure Application-4, Application-5, and Application-6.

The data plane determines what the Policy Generation wizard can analyze and what the proposed rules can secure. When you select the FortiGate device for the data plane, the Policy Generation wizard will examine the traffic logs from that FortiGate device and the netflows from the FortiSwitch units that are directly wired to the FortiGate device. The Policy Generation wizard will analyze the traffic for the workloads connected directly to the FortiGate device or FortiSwitch units.

Note

A data plane is deployed only when resource groups are moved from Insertion Staging to a formal COMMIT.

Go to Configuration > Data Planes to view available data planes or to create data planes.

If there are no rows displayed in the Data Planes page, no data planes have been created.

Click the vertical ellipsis at the start of a row to edit, synchronize, redeploy, or delete that data plane configuration. Select Edit to change the configuration details.

Creating a data plane

To create a data plane:
  1. Go to Configuration > Data Planes.

  2. Click the plus sign on the upper right corner of the Data Planes page.

  3. In the Name field, enter a unique name for the new data plane.

  4. From the Fabric dropdown list, select a fabric connector.

  5. From the Device dropdown list, select the root FortiGate device.

  6. From the VDOM dropdown list, select the root virtual domain (VDOM) of the root FortiGate device.

  7. From the LAN Segment Primary Interface dropdown list, select the LAN segment that you want to use as the primary interface. The default LAN segment is nac_segment.

  8. In the Segment VLAN Range field, enter a range of VLAN IDs. If you are going to microsegment the workloads, each workload requires a separate VLAN.

  9. Click SAVE.

  10. In the Add New Data Plane? dialog, click OK.

    The new data plane is listed in the Data Planes page.

  11. Repeat steps 2-10 for each FortiGate device with applications under it that need to be secured.
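The Segment VLAN Range entered in step 8 is the one field in this procedure that can silently be undersized: every microsegmented workload consumes one VLAN ID, and a range that is too small only shows up later as a deployment error. The following planner is an added example, not FortiPolicy or FortiGate code. It assumes a range syntax of one or more hyphenated ranges separated by commas (the page does not state the accepted syntax), treats 1-4094 as the usable 802.1Q ID space without knowing which IDs the fabric reserves, and assumes a VLAN ID is only significant within one FortiGate's switch fabric. The data plane names, device names and workload names are constructed to mirror the FGT-3 / FGT-5 topology described above.

```python
"""Plan Segment VLAN Ranges for FortiPolicy data planes before creating them.

Added example, not FortiPolicy or FortiGate code. Assumptions: the page does
not give the syntax of the Segment VLAN Range field, so this helper accepts
one or more hyphenated ranges separated by commas ("100-199" or
"100-149,200-249"), and it treats 1-4094 as the usable 802.1Q ID space
without knowing which IDs the fabric itself reserves.
"""
from __future__ import annotations

from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4094  # 802.1Q usable IDs; 0 and 4095 are reserved


def parse_vlan_range(text: str) -> list[int]:
    """Expand "100-103,110" into [100, 101, 102, 103, 110], rejecting bad IDs."""
    ids: list[int] = []
    for part in text.replace(" ", "").split(","):
        if not part:
            raise ValueError(f"empty element in VLAN range {text!r}")
        lo_s, _, hi_s = part.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range {part!r} is reversed or outside "
                             f"{VLAN_MIN}-{VLAN_MAX}")
        ids.extend(range(lo, hi + 1))
    if len(set(ids)) != len(ids):
        raise ValueError(f"VLAN range {text!r} lists an ID twice")
    return ids


@dataclass
class DataPlanePlan:
    name: str             # unique data plane name (step 3)
    device: str           # root FortiGate selected in step 5
    vlan_range: str       # Segment VLAN Range entered in step 8
    workloads: list[str]  # workloads to microsegment, one VLAN each
    assigned: dict[str, int] = field(default_factory=dict)


def allocate(plan: DataPlanePlan) -> dict[str, int]:
    """Assign each workload its own VLAN; ValueError when the range is too small."""
    free = parse_vlan_range(plan.vlan_range)
    if len(plan.workloads) > len(free):
        raise ValueError(f"{plan.name}: {len(plan.workloads)} workloads need "
                         f"{len(plan.workloads)} VLANs but {plan.vlan_range!r} "
                         f"has only {len(free)}")
    plan.assigned = dict(zip(plan.workloads, free))
    return plan.assigned


def check_overlap(plans: list[DataPlanePlan]) -> list[tuple[str, str, set[int]]]:
    """Find pairs of data planes on the same FortiGate whose ranges share IDs.

    Assumption: a VLAN ID is only significant within one FortiGate's switch
    fabric, so ranges on different devices may repeat; on the same device a
    shared ID would put workloads from two data planes into one segment.
    """
    hits = []
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            if a.device != b.device:
                continue
            try:
                shared = set(parse_vlan_range(a.vlan_range)) & set(parse_vlan_range(b.vlan_range))
            except ValueError:
                continue  # unparseable ranges are already reported by allocate()
            if shared:
                hits.append((a.name, b.name, shared))
    return hits


def validate_plans(plans: list[DataPlanePlan]) -> list[str]:
    """Return a list of problems; an empty list means the plans are consistent."""
    problems: list[str] = []
    names = [p.name for p in plans]
    if len(set(names)) != len(names):
        problems.append("data plane names must be unique")
    for p in plans:
        try:
            allocate(p)
        except ValueError as exc:
            problems.append(str(exc))
    for a, b, shared in check_overlap(plans):
        problems.append(f"{a} and {b} share {len(shared)} VLAN IDs "
                        f"(lowest {min(shared)}) on the same FortiGate")
    return problems


if __name__ == "__main__":
    # Constructed plans mirroring the page's topology: FGT-3 secures
    # Application-1..3 and FGT-5 secures Application-4..6 (workload names invented).
    plans = [
        DataPlanePlan("dp-fgt3", "FGT-3", "100-199",
                      ["app1-web", "app1-db", "app2-web", "app2-db", "app3-web", "app3-db"]),
        DataPlanePlan("dp-fgt5", "FGT-5", "100-199",
                      ["app4-web", "app5-web", "app6-web"]),
    ]
    for line in validate_plans(plans) or ["plans OK"]:
        print(line)
    for p in plans:
        print(p.name, p.assigned)
```

Run the planner against the intended set of data planes before clicking SAVE; an empty problem list means each FortiGate's range holds enough IDs for its workloads and no two data planes on the same device compete for the same VLANs.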

Synchronizing or redeploying a data plane

Go to Configuration > Data Planes to synchronize or redeploy an established data plane:

  • Synchronize the data plane to push a corrected configuration after you have fixed a deployment problem, for example a data plane creation that failed with an error recorded in the Jobs log.

  • Redeploy the data plane to pick up a new data path image.

If a data plane deployment fails, go to Workspace > Logs > Jobs to troubleshoot and resolve the issue, then return to the Data Planes page and select Sync from the vertical ellipsis menu. In the confirmation dialog, click YES.

To redeploy a data plane:
  1. Go to the Configuration > Data Planes page.

  2. Click the vertical ellipsis at the start of the row and select Redeploy.

  3. In the confirmation dialog, click YES.

Deployment (or redeployment) of a data plane completes within seconds.

A message is displayed on the banner on the Data Planes page when redeployment starts, is processing, and is complete.

To synchronize a data plane:
  1. Go to the Configuration > Data Planes page.

  2. Click the vertical ellipsis at the start of the row and select Sync.

  3. In the confirmation dialog, click YES.

Deleting a data plane

To delete a data plane:
  1. Go to the Configuration > Data Planes page.

  2. Click the vertical ellipsis at the start of the row and select Delete.

  3. In the confirmation dialog, click YES.

Tip

If you delete a data plane and then re-create it too quickly, the application tiers might use the previous data plane identifier during automated policy generation. Deploying an application tier that uses the previous data plane identifier causes a FortiPolicy error (no free VLAN identifiers are available).

To work around this error:
  1. Go to Workspace > Applications.

  2. Click EDIT SETUP in Step 1: Discover Connections.

  3. Click Advanced Settings.

  4. Click PURGE DATA to delete connection data, proposed applications, and proposed policy rules.

  5. Click CLOSE to leave the Advanced Settings dialog.

  6. Set up automated policy generation and let it run for one discovery cycle (from 15 minutes to 2 hours).
