OCI Administration Guide

Configuring an OCI SDN connector using IAM roles

This guide provides a sample configuration of an OCI SDN connector using IAM roles instead of traditional authentication. Traditional authentication uses certificates from the FortiGate-VM to OCI over TCP/IP. Instead, this configuration uses the IAM role provided by and configurable in the OCI environment for authentication. The IAM role includes permissions that you can give to the instance, so that FortiOS can implicitly access metadata information and communicate to the SDN connector on its own private internal network without further authentication.

The following shows the topology when using traditional authentication versus IAM roles:

The following prerequisites must be met for this configuration:

  • FortiGate located on OCI
  • Administrator permissions on OCI for the FortiGate instance and the environment it runs in
  • The following summarizes minimum sufficient IAM roles for this deployment:
    • Allow dynamic-group <group_name> to read compartments in tenancy
    • Allow dynamic-group <group_name> to read instances in tenancy
    • Allow dynamic-group <group_name> to read vnic-attachments in tenancy
    • Allow dynamic-group <group_name> to read private-ips in tenancy
    • Allow dynamic-group <group_name> to read public-ips in tenancy
    • Allow dynamic-group <group_name> to manage private-ips in tenancy
    • Allow dynamic-group <group_name> to manage public-ips in tenancy
    • Allow dynamic-group <group_name> to manage vnics in tenancy

    You can use resource tags to further control the API calls, as follows:

    • Allow dynamic-group <group_name> to manage private-ips in tenancy

    • Allow dynamic-group <group_name> to manage public-ips in tenancy where any { target.resource.tag.<namespace>.<tag key>= 'value'}

    • Allow dynamic-group <group_name> to manage vnics in tenancy where any { target.resource.tag.<namespace>.<tag key>= 'value'}

    Note

    Actual role configurations may differ depending on your environments. Check with your company's public cloud administrators for more details.

To configure an OCI SDN connector using IAM roles, complete the following steps:

  1. Configure an IAM role on OCI.
  2. Configure an SDN connector in FortiOS.
  3. Perform testing to ensure that the SDN connector is connected to OCI.

To configure an IAM role on OCI:
  1. In OCI, go to Compute > Instances, and select the desired FortiGate-VM instance.
  2. On the Instance Details page, note the instance's OCID. In this example, the OCID is ocid1.instance.oc1.iad.abuwcljthhvsi7djktxkljr2pzjelkcj4pgozd46bnpcpt5pxcaj56mkurhq.
  3. Open the OPC menu and go to Identity > Dynamic Groups. Create a dynamic group with rules that allow instances that match the FortiGate-VM's instance ID. Use the syntax "ALL {instance.id ='instanceID'}" when creating the rule. In this example, the configured rule is "ALL {instance.id = 'ocid1.instance.oc1.iad.abuwcljthhvsi7djktxkljr2pzjelkcj4pgozd46bnpcpt5pxcaj56mkurhq'}". If you have multiple instances to include in the dynamic group, create multiple rules for this dynamic group.
  4. Go to Identity > Policies. Create a policy that allows the dynamic group to manage the environment. This allows the instance referenced in the dynamic group to query metadata and move resources around if the SDN connector is used for HA. In the STATEMENT field, use the syntax "Allow dynamic-group <group-name> to manage all-resources in TENANCY".

To configure an SDN connector in FortiOS:

To configure an SDN connector in the FortiOS GUI, do the following:

  1. In FortiOS, go to Security Fabric > Fabric Connectors.
  2. Click Create New > Oracle Cloud Infrastructure (OCI).
  3. Enable Use metadata IAM.
  4. In the Tenant ID field, enter the FortiGate-VM's tenant ID.
  5. In the Compartment ID field, enter the compartment's tenant ID. This may be the same as the tenant ID depending on your configuration.
  6. Configure the other SDN connector settings as required.
  7. In Security Fabric > Fabric Connectors, ensure that the OCI connector has been created and is enabled and connected.

To configure an SDN connector using the FortiOS CLI, run the following commands:

  config system sdn-connector
      edit "oci-sdn-connector"
          set status enable
          set type oci
          set ha-status disable
          set tenant-id "<tenant ID>"
          set user-id ''
          set compartment-id "<compartment ID>"
          set oci-region phoenix
          set oci-cert ''
          set use-metadata-iam enable
          set update-interval 60
      next
  end

To perform testing:

To ensure the SDN connector is connected to OCI, run the diagnose sys sdn status command. The output should display that the SDN connector has a connected status.

You can run the diagnose debug application ocid -1 and diagnose test application ocid commands for further debugging.

Note

If you have security concerns about the policy allowing the dynamic group access to the entire environment, follow the concept of least privileges detailed in the OPC documentation. For example, if you are not using the SDN connector for failover and instead are using it for querying, you can assign the dynamic group read-only permissions.
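The following Python script is an added example (not Fortinet's or Oracle's code) that builds the least-privilege statement set described on this page for a dynamic group, read-only for query use or with the tag-scoped manage statements for HA failover, and audits an existing policy for statements broader than that set, such as "manage all-resources". The group name, tag namespace/key/value and instance OCID used in the comments and tests are assumed placeholders.

```python
import re

# Statements the guide lists as the minimum for the connector: the read set is
# always required, the manage set only when the connector moves IPs/VNICs on HA failover.
READ_GRANTS = ("read compartments", "read instances", "read vnic-attachments",
               "read private-ips", "read public-ips")
MANAGE_GRANTS = ("manage private-ips", "manage public-ips", "manage vnics")

# Parses "Allow dynamic-group <g> to <verb> <resource> in tenancy [where <cond>]".
STATEMENT_RE = re.compile(
    r"^allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$", re.IGNORECASE)


def matching_rule(instance_ocid):
    """Dynamic-group rule in the form the guide uses (one rule per instance OCID)."""
    return f"ALL {{instance.id = '{instance_ocid}'}}"


def minimal_policy(group, ha_failover=False, tag_filter=None):
    """Least-privilege statements for the connector. tag_filter=(namespace, key,
    value) scopes the manage statements to tagged resources, as the guide shows."""
    stmts = [f"Allow dynamic-group {group} to {g} in tenancy" for g in READ_GRANTS]
    if ha_failover:
        where = ""
        if tag_filter:
            ns, key, value = tag_filter
            where = f" where any {{ target.resource.tag.{ns}.{key} = '{value}' }}"
        stmts += [f"Allow dynamic-group {group} to {g} in tenancy{where}" for g in MANAGE_GRANTS]
    return stmts


def audit_policy(statements, ha_failover=False):
    """Return (statement, reason) pairs for statements broader than the connector needs."""
    findings = []
    for stmt in statements:
        m = STATEMENT_RE.match(stmt.strip())
        if not m:
            findings.append((stmt, "statement does not parse"))
            continue
        verb, resource = m["verb"].lower(), m["resource"].lower()
        if resource == "all-resources":
            findings.append((stmt, "grants every resource type; scope to the listed types"))
        elif verb == "manage" and not ha_failover:
            findings.append((stmt, "manage verb not needed for query-only use"))
        elif verb == "manage" and f"manage {resource}" not in MANAGE_GRANTS:
            findings.append((stmt, "manage on a resource type the connector does not use"))
    return findings
```

Paste the statements returned by minimal_policy into the policy's STATEMENT field, and run audit_policy over the statements of an existing policy before widening it to all-resources.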
