Configuring FortiPolicy data planes

You need to create a FortiPolicy data plane for each FortiGate device connected to application workloads that need to be secured. The workloads might be connected directly to the FortiGate device or might be connected to FortiSwitch units that are directly connected to the FortiGate device.

For example, in the following topology, you would create a data plane for FGT-3 to secure Application-1, Application-2, and Application-3. You would create a second data plane for FGT-5 to secure Application-4, Application-5, and Application-6.

The data planes determine which workloads Policy Generation will analyze. When you select the FortiGate device for a data plane, Policy Generation will examine the traffic logs from that FortiGate device and the netflows from the FortiSwitch units that are directly wired to the FortiGate device. Policy Generation will analyze the traffic for the workloads connected directly to the FortiGate device and FortiSwitch units.

To create a data plane:
  1. Go to Configuration > Data Planes.

  2. Click the plus sign in the upper right corner of the Data Planes page.

  3. In the Name field, enter a unique name for the new data plane.

  4. From the Fabric dropdown list, select the fabric connector that you created.

  5. From the Device dropdown list, select the root FortiGate device.

  6. From the VDOM dropdown list, select the VDOM.

  7. From the LAN Segment Primary Interface dropdown list, select the LAN segment that you want to use as the primary interface. The default LAN segment is nac_segment.

  8. In the Segment VLAN Range field, enter a range of VLAN IDs. If you are going to microsegment the workloads, each workload requires a separate VLAN.

  9. Click SAVE.

  10. In the Add New Data Plane? dialog, click OK.

    The new data plane is listed on the Data Planes page.

  11. Repeat steps 2-10 for each FortiGate device connected to application workloads that need to be secured.
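The following planning helper is an added example, not FortiPolicy or Fortinet code. It models the example topology above (one data plane per FortiGate device) and checks, before anything is entered in the GUI, that each data plane's Segment VLAN Range is large enough to give every microsegmented workload its own VLAN, as step 8 requires. Device names, workload names, data plane names and the VLAN ranges are constructed values.

```python
# Added example (not FortiPolicy or Fortinet code): plan one data plane per
# FortiGate device and verify the Segment VLAN Range covers every workload.
from dataclasses import dataclass, field

# Constructed topology matching the example in the text.
TOPOLOGY = {
    "FGT-3": ["Application-1", "Application-2", "Application-3"],
    "FGT-5": ["Application-4", "Application-5", "Application-6"],
}


@dataclass
class DataPlanePlan:
    name: str                 # unique name entered in the Name field
    device: str               # root FortiGate device for this data plane
    vlan_range: tuple         # (low, high) as typed into Segment VLAN Range
    vlan_by_workload: dict = field(default_factory=dict)


def parse_vlan_range(text):
    """Parse 'low-high' and reject values outside the 802.1Q range 1-4094."""
    low, high = (int(p.strip()) for p in text.split("-", 1))
    if not (1 <= low <= high <= 4094):
        raise ValueError(f"VLAN range {text!r} is outside 1-4094")
    return low, high


def plan_data_plane(device, workloads, vlan_range_text, microsegment=True):
    """Build the plan for one FortiGate device; with microsegmentation every
    workload needs a separate VLAN, so the range must hold len(workloads) IDs."""
    low, high = parse_vlan_range(vlan_range_text)
    plan = DataPlanePlan(name=f"dp-{device.lower()}", device=device,
                         vlan_range=(low, high))
    if microsegment:
        available = high - low + 1
        if available < len(workloads):
            raise ValueError(f"{device}: {len(workloads)} workloads need "
                             f"{len(workloads)} VLANs, range {vlan_range_text} "
                             f"has only {available}")
        # Hand out one VLAN ID per workload, in a stable order.
        for offset, workload in enumerate(sorted(workloads)):
            plan.vlan_by_workload[workload] = low + offset
    return plan


def plan_all(topology, vlan_ranges, microsegment=True):
    """One plan per FortiGate device (steps 2-10 repeated per device)."""
    return {dev: plan_data_plane(dev, wl, vlan_ranges[dev], microsegment)
            for dev, wl in topology.items()}
```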
