Fortinet white logo
Fortinet white logo

OpenStack Administration Guide

Disabling port security for the FortiGate-VM and CirrOS instances

Disabling port security for the FortiGate-VM and CirrOS instances

In OpenStack, the networking component (called Neutron) only allows traffic with known IP/MAC address combinations. This makes the network very secure. However, normal firewall traffic contains very many IP/MAC address combinations, and it is not practical to add them all to the configuration. Instead, to allow normal firewall traffic, you need to disable port security for your FortiGate-VM instance. See Managing port level security in OpenStack.

Use the Horizon Instances view to verify the IP addresses of the FortiGate-VM instances, the CirrOS instances, and the networks that the interfaces are connected to. For example:

From the OpenStack command line, run the following bash script to disable port security on the FortiGate-VM interfaces:

#!/bin/bash

echo

echo 'Disable port_security on fgt-vm-1'

echo

echo

`source /home/stack/overcloudrc_tenant01`

FGT='fgt-vm-1'

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $2}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

neutron port-update $PORTID --no-security-groups --port_security_enabled=False

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $3}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $4}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $5}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

echo 'Disable port-security on fgt-vm-2'

echo

FGT='fgt-vm-2'

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $2}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

neutron port-update $PORTID --no-security-groups --port_security_enabled=False

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $3}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $4}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $5}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

From the OpenStack command line, associate floating IP addresses to the two FortiGate-VMs by entering the following commands:

openstack server add floating ip fgt-vm-1 10.210.9.10

openstack server add floating ip fgt-vm-2 10.210.9.14

Disabling port security for the FortiGate-VM and CirrOS instances

Disabling port security for the FortiGate-VM and CirrOS instances

In OpenStack, the networking component (called Neutron) only allows traffic with known IP/MAC address combinations. This makes the network very secure. However, normal firewall traffic contains very many IP/MAC address combinations, and it is not practical to add them all to the configuration. Instead, to allow normal firewall traffic, you need to disable port security for your FortiGate-VM instance. See Managing port level security in OpenStack.

Use the Horizon Instances view to verify the IP addresses of the FortiGate-VM instances, the CirrOS instances, and the networks that the interfaces are connected to. For example:

From the OpenStack command line, run the following bash script to disable port security on the FortiGate-VM interfaces:

#!/bin/bash

echo

echo 'Disable port_security on fgt-vm-1'

echo

echo

`source /home/stack/overcloudrc_tenant01`

FGT='fgt-vm-1'

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $2}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

neutron port-update $PORTID --no-security-groups --port_security_enabled=False

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $3}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $4}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $5}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

echo 'Disable port-security on fgt-vm-2'

echo

FGT='fgt-vm-2'

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $2}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

neutron port-update $PORTID --no-security-groups --port_security_enabled=False

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $3}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $4}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $5}' | awk -F ";" '{print $1}'`

PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`

`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`

echo

echo $IPADDR

echo `openstack port show $PORTID`

echo

From the OpenStack command line, associate floating IP addresses to the two FortiGate-VMs by entering the following commands:

openstack server add floating ip fgt-vm-1 10.210.9.10

openstack server add floating ip fgt-vm-2 10.210.9.14