
FortiGate built-in connector


You can use the Cisco ACI (Application Centric Infrastructure) connector for northbound API integration with a direct connection.

Multiple server IP addresses can be included for the Cisco APIC cluster active and standby hosts. One server is active, and the rest serve as backups in case the active server fails. The FortiGate checks the status of the servers, and selects one as the active server according to the order of the IP addresses in the list. If the active server fails, the FortiGate changes to the next one down on the list.

This connector supports the following address filters:

  • Tenant
  • Application
  • Endpoint group
  • Tag
To configure a Cisco ACI connector in the GUI:
  1. Create the Cisco ACI SDN connector:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. In the Private SDN section, click Application Centric Infrastructure (ACI).
    3. Configure the Connector Settings as needed. The update interval is in seconds.
    4. In the Cisco ACI Connector section, for Type, select Direct Connection and configure the remaining settings as needed.
    5. Click OK.
  2. Create a dynamic firewall address for the connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New > Address and enter a name.
    3. Configure the following settings:
      1. For Type, select Dynamic.
      2. For Sub Type, select Fabric Connector Address.
      3. For SDN Connector, select the connector created in step 1.
      4. For Filter, select an entry from the dropdown list or configure a new filter.
    4. Click OK.
  3. Confirm that the connector resolves the dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. In the address table, hover over the address created in step 2 to view which IP addresses it resolves to.

To configure a Cisco ACI connector in the CLI:
  1. Create the Cisco ACI SDN connector:
    config system sdn-connector
        edit "aci_direct1"
            set status enable
            set type aci-direct
            set server "10.100.25.204"
            set username "lzou"
            set password xxxxxxx
            set update-interval 60
        next
    end
  2. Create a dynamic firewall address for the connector:
    config firewall address
        edit "aci-direct-app"
            set type dynamic
            set sdn "aci_direct1"
            set color 17
            set filter "Application=lzou-app"
        next
    end
  3. Confirm that the connector resolves the dynamic firewall IP addresses:
    config firewall address
        edit "aci-direct-app"
            show
                config firewall address
                    edit "aci-direct-app"
                        set uuid 794aaf20-3e33-51ea-57e1-10b5badf3fc7
                        set type dynamic
                        set sdn "aci_direct1"
                        set color 17
                        set filter "Application=lzou-app"
                        config list
                            edit "10.0.5.11"
                            next
                            edit "10.0.5.12"
                            next
                            edit "10.0.6.11"
                            next
                            edit "10.0.6.12"
                            next
                            edit "10.0.6.13"
                            next
                            edit "10.0.6.14"
                            next
                            edit "10.0.7.11"
                            next
                            edit "10.0.7.12"
                            next
                        end
                    next
                end
            next
    end
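
The check in step 3 can be scripted. The following is an added example, not Fortinet code: it parses the show output of a dynamic address and reports when the address is bound to a different connector or filter, resolves to nothing, or resolves to IP addresses outside the subnets you expect. The allowed subnets and the function names are assumptions made for the example.

```python
import ipaddress
import re

def parse_dynamic_address(show_text):
    """Return (settings, resolved_ips) parsed from 'show' output of one address."""
    settings, resolved, in_list = {}, [], False
    for line in (raw.strip() for raw in show_text.splitlines()):
        if line == "config list":          # start of the resolved-IP sub-table
            in_list = True
        elif in_list and line == "end":
            in_list = False
        elif in_list:
            m = re.fullmatch(r'edit "([^"]+)"', line)
            if m:
                resolved.append(ipaddress.ip_address(m.group(1)))
        else:
            m = re.fullmatch(r'set (\S+) "?([^"]*)"?', line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings, resolved

def audit(show_text, expected_sdn, expected_filter, allowed_nets):
    """Return findings; an empty list means the address resolved as expected."""
    settings, resolved = parse_dynamic_address(show_text)
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    if settings.get("type") != "dynamic" or settings.get("sdn") != expected_sdn:
        findings.append("address is not bound to the expected SDN connector")
    if settings.get("filter") != expected_filter:
        findings.append("filter differs from the expected value")
    if not resolved:
        findings.append("connector resolved no IP addresses")
    findings += [f"{ip} is outside the expected subnets"
                 for ip in resolved if not any(ip in n for n in nets)]
    return findings

# Constructed sample that mirrors the step 3 output shown above.
_IPS = ["10.0.5.11", "10.0.5.12", "10.0.6.11", "10.0.6.12",
        "10.0.6.13", "10.0.6.14", "10.0.7.11", "10.0.7.12"]
SAMPLE = "\n".join(
    ['config firewall address', '    edit "aci-direct-app"',
     '        set type dynamic', '        set sdn "aci_direct1"',
     '        set filter "Application=lzou-app"', '        config list']
    + [f'            edit "{ip}"\n            next' for ip in _IPS]
    + ['        end', '    next', 'end'])

if __name__ == "__main__":
    # Assumed allowlist (not from the page): 10.0.7.0/24 is deliberately left out.
    print(audit(SAMPLE, "aci_direct1", "Application=lzou-app", ["10.0.5.0/24", "10.0.6.0/24"]))
```

Because a dynamic address follows whatever the APIC reports for the filter, running a check like this after each change to the ACI application profile shows when a policy's scope has grown beyond the intended subnets.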
