
GCP Administration Guide

Configuring GCP SDN Connector on FortiGate for GCP

To configure GCP SDN Connector on FortiGate for GCP:
  1. In FortiOS, go to Security Fabric > Fabric Connectors.
  2. Click Create New, and select Google Cloud Platform (GCP).

    Note: you can create only one SDN Connector per connector type; for example, only one entry for GCP.

  3. Configure the connector as follows:
    1. Name: Enter the desired connector name.
    2. Use metadata IAM: The Google platform requires a certain authentication level to call APIs from the FortiGate.
      1. If you enable Use metadata IAM, ensure that the FortiGate has API access on Google Compute Engine. For details, see Checking metadata API access.
      2. If you do not enable Use metadata IAM, you must specify your own service account.

      The Use metadata IAM option is only available to FortiGate-VMs running on GCP. FortiGates running outside of GCP (including physical FortiGate units and FortiGate-VMs running on other cloud platforms) have a configuration that is equivalent to disabling this option.

    3. GCP project name: Enter the name of the GCP project. The VMs whose IP addresses you want to populate should be running within this project.
    4. GCP service account email: Enter the email address associated with the service account that will call APIs to the GCP project specified above.
    5. GCP private key: Enter the private key statement as shown in the text box. For details, see Creating a GCP service account.
    6. Update interval: the default value is 60 seconds. You can enter a value between 1 and 3600 seconds.
    7. Status: Green means that the connector is enabled. You can disable it at any time by toggling the switch.

    Once the connector is successfully configured, a green indicator appears at the bottom right corner. If the indicator is red, the connector is not working. See Troubleshooting GCP SDN Connector.

Custom role permission guideline

The following is a least-privilege guideline for a custom role when using a GCP SDN connector with a service account for high availability (HA):

  • compute.addresses.get
  • compute.addresses.use
  • compute.instances.addAccessConfig
  • compute.instances.deleteAccessConfig
  • compute.instances.get
  • compute.instances.list
  • compute.instances.updateNetworkInterface
  • compute.networks.updatePolicy
  • compute.networks.useExternalIp
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.routes.create
  • compute.routes.delete
  • compute.routes.get
  • compute.routes.list

Note

This list is a guideline and focuses on the operation of HA between two FortiGate-VMs in a single zone and multizone deployment only. It allows for moving a single public IP address from the primary FortiGate to the secondary and updating the referenced GCP routing table in the FortiOS SDN connector configuration. Your custom role Identity and Access Management (IAM) permissions vary depending on your environment.

Tip

The predefined Compute Admin role includes all of the IAM permissions listed above. See IAM permissions reference.
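The following Python script is an added example (not part of this guide or of FortiOS) that turns the guideline above into an auditable artifact: it renders a role file for gcloud iam roles create --file, and it compares an existing role, as returned by gcloud iam roles describe --format=json, against the guideline to report permissions the connector still lacks and permissions that exceed it (the latter is exactly the gap between the guideline and the broader Compute Admin role). The sample role and project name are constructed for the example.

```python
import json

# The permissions from the custom role guideline above (HA failover use case).
FORTIGATE_HA_PERMISSIONS = frozenset([
    "compute.addresses.get", "compute.addresses.use",
    "compute.instances.addAccessConfig", "compute.instances.deleteAccessConfig",
    "compute.instances.get", "compute.instances.list",
    "compute.instances.updateNetworkInterface",
    "compute.networks.updatePolicy", "compute.networks.useExternalIp",
    "compute.subnetworks.use", "compute.subnetworks.useExternalIp",
    "compute.routes.create", "compute.routes.delete",
    "compute.routes.get", "compute.routes.list",
])

def role_yaml(title="FortiGate HA SDN connector", stage="GA"):
    """Render a role file for: gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml"""
    lines = [f"title: {title}",
             "description: Least-privilege role for the FortiGate GCP SDN connector (HA)",
             f"stage: {stage}",
             "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(FORTIGATE_HA_PERMISSIONS)]
    return "\n".join(lines) + "\n"

def audit_role(role_json):
    """Compare an existing role (output of `gcloud iam roles describe ... --format=json`)
    with the guideline. Returns (missing, excess): permissions the connector needs but
    the role lacks, and permissions the role grants beyond the guideline."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return sorted(FORTIGATE_HA_PERMISSIONS - granted), sorted(granted - FORTIGATE_HA_PERMISSIONS)

# Constructed sample: a role that lost one route permission and gained an unrelated one.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/fortigateHaConnector",  # placeholder project
    "stage": "GA",
    "includedPermissions": sorted((FORTIGATE_HA_PERMISSIONS - {"compute.routes.delete"})
                                  | {"compute.instances.delete"}),
})

if __name__ == "__main__":
    print(role_yaml())
    missing, excess = audit_role(SAMPLE_ROLE)
    print("missing:", missing)  # failover cannot remove the old route without this
    print("excess :", excess)   # lets the connector delete VMs; not needed for failover
```

Run the audit periodically against the service account's bound role so that drift toward a broader role (for example, a later switch to Compute Admin) shows up as a non-empty excess list.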

API calls

The SDN connector uses API calls to the GCP API endpoints that correspond to its function. You can review the methods, calls, and error codes by using the following diagnostic commands:

Command                                   Description
diagnose debug reset                      Clears filters or previous diagnostic configuration in the console or SSH session.
diagnose debug console timestamp enable   Enables timestamps on console output messages.
diagnose debug enable                     Enables diagnostic output to the console.
diagnose debug application gcpd -1        Selects the GCP daemon (gcpd), which implements the SDN connector, for debug output.

The following are references for running a VM with a service account:
