
User Guide

Fabric connector

Connectors in GSLB are linked to a physical device at the data center that houses the virtual servers, from which the cloud fetches the running information of all those virtual servers.

Fabric Connectors can be configured manually on the GSLB > Virtual Server > Fabric connector page in the FortiAppSec Cloud portal, or through One-Click options for other products in the Fortinet Security Fabric. One-Click DNS services connect to a FortiADC/FortiGate/FortiWeb appliance, which automatically creates the connector and GSLB service.

For configuration examples and setup instructions for One-Click Fortinet products and connectors with AWS and Azure, see the following use cases:

Create Connector manually

  1. Go to GSLB > Virtual Servers > Fabric Connectors and click Create Connector.

    Settings Guidelines

    Name

    The name of the connector.

    Note: After you initially save the configuration, you can still edit the name later.

    Type

    GSLB supports a few types of connectors:

    • Generic-Host

      The Generic-Host type connector represents a third-party host system that cannot communicate with the cloud directly. The administrator adds the host IP address to this connector and can also specify a health check for the host. The cloud then detects the remote host automatically, after which the administrator can configure the pool and the GSLB service.

    • FortiGate

      The FortiGate Connector is for a FortiGate device. The administrator can edit the FortiGate management IP address or FQDN, port, API version, sync control and authentication for the connector. Once the FortiGate Connector is configured, GSLB periodically syncs the Virtual Server and SD-WAN configuration and running information from the FortiGate host through the RestAPI and updates automatically. The administrator can specify the SD-WAN member name for the virtual server, and can also create the virtual server manually or specify the health check for the virtual server.

    • AWS

      The Fabric Connector is for AWS. The administrator can create a connector and virtual servers from a specified AWS region with the provided Access Key and Access Secret.

    • AZURE

      The Fabric Connector is for AZURE. The administrator can create a connector and virtual servers from a resource group in a specified AZURE location using the provided Tenant ID, Client ID, Client Secret and Subscription ID.

    Generic-Host connector configurations

    Data center

    Select a data center configuration object. The data center indicates the physical geography location of the connector.

    FortiGate connector configurations

    Address type

    IPv4 or FQDN

    Address IPv4

    FortiGate management IPv4 address

    Address

    FQDN address

    Port

    FortiGate administrative access port for HTTPS. Default: 443, Range: 1-65535

    API version

    The RESTful API version that GSLB uses when accessing FortiGate. Currently only v2 is supported.

    Sync control

    Select whether to sync the SD-WAN and/or Virtual Server configuration and running information from FortiGate. Default: SD-WAN.

    Note: The names of synced SD-WAN members and Virtual Servers use the VDOM name as a prefix, for example root-xxxx.

    Auth type

    The authentication method that GSLB can use when accessing FortiGate.

    Currently, Auth-Verify and Token authentication are supported. When Auth-Verify is chosen, you must provide a username and password; when Token is chosen, you must provide the RestAPI key generated on FortiGate.

    Token

    Enter the RestAPI key generated from your FortiGate device.

    Data Center

    Select a data center configuration object. The data center indicates the physical geography location of the connector.

    AWS connector configurations

    AWS Access Key

    Unique identifier for an IAM user or role; works like a username.

    Enter the Access Key ID generated from your AWS IAM console.

    AWS Access Secret

    Secret paired with the Access Key ID used to authenticate API requests.

    Enter the corresponding secret key generated alongside the Access Key ID.

    AWS Region

    Select the geographic AWS data center where your resources are hosted.

    Azure connector configurations

    Tenant ID

    Enter the Tenant ID found in your Azure Active Directory properties.

    Client ID

    Enter the Application (Client) ID from your Azure App Registration.

    Client Secret

    Enter the client secret value generated from your Azure App Registration.

    Subscription ID

    Enter the Subscription ID found in your Azure portal under Subscriptions.

    Resource Group

    Logical container grouping your Azure resources to be accessed by GSLB.

    Enter the name of the Resource Group where your resources reside.

    Azure Location

    Select a data center configuration object. The data center indicates the physical geography location of the connector.


  2. After the FortiGate Connector is created, the Virtual Servers and SD-WAN members should be synced to GSLB within a couple of minutes.

Notes & limitations:

  • The FortiGate Connector supports FortiGate hosts running FortiOS version 6.2.5 or higher, due to the RestAPIs supported on FortiGate.
  • The FortiGate Connector supports Rest API version v2, which is the same Rest API version that FortiGate hosts currently support. If FortiGate supports additional versions in the future, the FortiGate Connector will be extended to support them as well.
  • The FortiGate API token needed for FortiGate Connector token authentication can be generated on FortiGate using the CLI. Below is an example of how to configure an api-user and generate an API key:

    config system api-user
        edit "g-api-rw-user"
            set api-key ENC SH2SHFEtfJQ9OsfH/keh4kdULAp3V4ps7HkxBuDIzpR4Cmsckaa9wJ6kw28dFQ=
            set accprofile "super_admin"
            set vdom "root"
            config trusthost
                edit 1
                    set ipv4-trusthost 10.6.30.0 255.255.255.0
                next
            end
        next
    end

    execute api-user generate-key g-api-rw-user

  • If Virtual Domains (VDOMs) are enabled on the FortiGate host, the RestAPI administrator configured for FortiGate Connector access should have access to all the VDOMs.
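As an added example (not Fortinet's code and not the CLI listing above), the following Python helper renders an api-user block of the same shape as the one shown above from parameters, refuses a trusthost that covers every source address, and builds the v2 REST request that a token-authenticated poll of the FortiGate VIP table would send. The endpoint path /api/v2/cmdb/firewall/vip, the Bearer authorization header, the host name fgt.example.com and the token value are assumptions for the example, not values from this page.

```python
"""Render a FortiOS api-user block from parameters and sanity-check it.

Added example for this guide, not Fortinet code. The CLI keywords
(config system api-user, set accprofile, set vdom, config trusthost,
set ipv4-trusthost, execute api-user generate-key) are the ones the page's
own listing uses. The request helper ASSUMES the FortiOS v2 REST endpoint
/api/v2/cmdb/firewall/vip and Bearer-token authentication.
"""
import ipaddress
from typing import Dict, List, Tuple


def broad_trusthosts(cidrs: List[str]) -> List[str]:
    """Return trusthost entries that do not actually restrict the source.

    A /0 entry (0.0.0.0/0) lets the generated key be used from anywhere,
    which defeats the purpose of the trusthost table.
    """
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def render_api_user_config(name: str, accprofile: str, vdom: str,
                           trusthosts: List[str]) -> str:
    """Build the CLI block that creates the api-user and its trusthosts.

    The 'set api-key ENC ...' line seen in a saved FortiOS configuration is
    written by the device after 'execute api-user generate-key'; it is not
    typed in by the administrator, so it is deliberately absent here.
    """
    if not trusthosts:
        raise ValueError("at least one trusthost is required")
    broad = broad_trusthosts(trusthosts)
    if broad:
        raise ValueError("trusthost must not cover all sources: %s" % broad)
    lines = [
        "config system api-user",
        '    edit "%s"' % name,
        '        set accprofile "%s"' % accprofile,
        '        set vdom "%s"' % vdom,
        "        config trusthost",
    ]
    for idx, cidr in enumerate(trusthosts, start=1):
        net = ipaddress.ip_network(cidr, strict=False)
        # FortiOS takes the trusthost as "<network> <netmask>", not CIDR.
        lines.append("            edit %d" % idx)
        lines.append("                set ipv4-trusthost %s %s"
                     % (net.network_address, net.netmask))
        lines.append("            next")
    lines += ["        end", "    next", "end",
              "execute api-user generate-key %s" % name]
    return "\n".join(lines)


def build_vip_request(host: str, token: str, vdom: str = "root",
                      port: int = 443) -> Tuple[str, Dict[str, str]]:
    """URL and headers for a v2 poll of the VIP table (assumed endpoint).

    The token travels in the Authorization header rather than in the URL so
    that it does not end up in proxy or web-server access logs. Port follows
    the connector's HTTPS administrative port (default 443, range 1-65535).
    """
    if not 1 <= port <= 65535:
        raise ValueError("port out of range 1-65535")
    url = "https://%s:%d/api/v2/cmdb/firewall/vip?vdom=%s" % (host, port, vdom)
    headers = {"Authorization": "Bearer " + token,
               "Accept": "application/json"}
    return url, headers


if __name__ == "__main__":
    # Reproduces the values of the page's listing: one /24 trusthost.
    print(render_api_user_config("g-api-rw-user", "super_admin", "root",
                                 ["10.6.30.0/24"]))
    print(build_vip_request("fgt.example.com", "<token-placeholder>"))
```

Running the block prints a block equivalent to the listing above (minus the device-generated api-key line), followed by the assumed request URL and headers; pass several CIDRs to get numbered trusthost entries.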

How to create a Generic-Host type connector

Note

It is recommended to create only one Connector for each Data Center, unless you have many services and IP addresses in that Data Center (that is, hundreds of virtual servers), in which case you may need multiple Connectors. For easy management, it is recommended to create a Connector for each hardware device, for a set of devices running similar services, or for a set of devices serving one domain.

Note: The FortiADC type connector is automatically generated and available to use in GSLB once the user enables GSLB service on the FortiADC device. The user does not need to manually create this type of connector.

How to add virtual servers to connectors

To view/manage a Fabric Connector's virtual servers:

  1. Click the three dots on the desired virtual server card. This opens a menu of actions you can take on this connector.

  2. Click Manage Virtual Server. This navigates to a page that displays all virtual servers associated with the connector.

  3. Click Add Virtual Server. This opens a modal window.

  4. Configure the following settings:

    Setting

    Description

    Name

    Enter a name to identify this virtual server.

    Note: Usually, the service name or FQDN name is used for ease of identification. You may still edit it after you initially save the configuration.

    Address Type

    Select one of the following:

    • IPv4

    • IPv6

    IP Address

    Enter the virtual server's IP address.

    Health Check Control

    Enable to run health checks on this virtual server.

    When enabled, configure the Health Check Relationship and Health Check List fields below.

    Health Check Relationship

    • AND—All of the specified health checks must pass for the virtual server to be considered available.
    • OR—One of the specified health checks must pass for the virtual server to be considered available.

    Health Check List

    Specify one or more health check configuration objects.

    SD-WAN Link Name

    Specify the SD-WAN member name for the virtual server, applicable to FortiGate type connector only.

    Notes:

    • The SD-WAN member should be in the same VDOM as the virtual server if the virtual server is synced from FortiGate.
    • For a virtual server that is synced from a FortiADC or FortiGate, the synced attributes, such as the name and IP address, cannot be modified in GSLB.

Note

It is recommended that you reuse the same Virtual Server for different GSLB services if they share the same IP. However, it is also reasonable to have multiple Virtual Servers with the same IP, which may then use different health checks for different GSLB services.
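As an added example (not FortiAppSec Cloud code), the following Python model applies two rules from the settings above: the Health Check Relationship (AND requires every listed check to pass, OR requires at least one) and the note that attributes synced from a FortiADC or FortiGate cannot be edited in GSLB while locally owned settings such as the health check still can. The field names, the sample health check object names (http-443, tcp-443) and the sample addresses are constructed for the example.

```python
"""Model GSLB virtual-server availability and the synced-attribute rule.

Added example for this guide, not FortiAppSec Cloud code. AND/OR semantics
follow the Health Check Relationship setting; the edit guard follows the
note that synced attributes (name, IP address) cannot be modified in GSLB.
Field names and sample values are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VirtualServer:
    name: str
    ip_address: str
    health_check_control: bool = False
    health_check_relationship: str = "AND"      # "AND" or "OR"
    health_check_list: List[str] = field(default_factory=list)
    sd_wan_link_name: Optional[str] = None      # FortiGate connectors only
    synced_from: Optional[str] = None           # "FortiGate", "FortiADC" or None


# Attributes owned by the connector sync for synced virtual servers.
SYNCED_ATTRIBUTES = {"name", "ip_address"}


def is_available(vs: VirtualServer, results: Dict[str, bool]) -> bool:
    """Combine per-check results according to the relationship.

    'results' maps a health check object name to the pass/fail outcome of
    its last probe. A listed check with no result yet counts as failed, so a
    server is never reported available on missing data.
    """
    if not vs.health_check_control:
        return True  # no checks run, so nothing can mark the server down
    if not vs.health_check_list:
        raise ValueError("health check control is enabled but no checks are listed")
    outcomes = [results.get(check, False) for check in vs.health_check_list]
    if vs.health_check_relationship == "AND":
        return all(outcomes)
    if vs.health_check_relationship == "OR":
        return any(outcomes)
    raise ValueError("unknown relationship %r" % vs.health_check_relationship)


def update_virtual_server(vs: VirtualServer, **changes) -> VirtualServer:
    """Apply edits, refusing any that the connector sync owns.

    For a synced virtual server the name and IP address come from the
    FortiADC/FortiGate and are rejected; health check settings are local to
    GSLB and go through.
    """
    if vs.synced_from:
        blocked = SYNCED_ATTRIBUTES & set(changes)
        if blocked:
            raise PermissionError("%s are synced from %s and cannot be modified in GSLB"
                                  % (sorted(blocked), vs.synced_from))
    for key, value in changes.items():
        if not hasattr(vs, key):
            raise AttributeError("unknown setting %r" % key)
        setattr(vs, key, value)
    return vs


if __name__ == "__main__":
    # Constructed sample: two checks, AND relationship, one check failing.
    vs = VirtualServer("web-vs", "203.0.113.10", True, "AND", ["http-443", "tcp-443"])
    print(is_available(vs, {"http-443": True, "tcp-443": False}))   # False under AND
    vs.health_check_relationship = "OR"
    print(is_available(vs, {"http-443": True, "tcp-443": False}))   # True under OR
```

The missing-result-counts-as-failed choice is the conservative one: with OR a single passing probe still marks the server available, but with AND a check that has not reported yet keeps the server out of rotation rather than assuming it is healthy.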
