Configuring an OCI SDN connector using IAM roles
This guide provides a sample configuration of an OCI SDN connector that authenticates with Identity & Access Management (IAM) roles instead of traditional authentication. Traditional authentication requires an OCI user and an API signing certificate stored on the FortiGate-VM, which it presents to the OCI API over TCP/IP. With IAM roles, the FortiGate-VM instance is placed in a dynamic group, and an OCI policy grants that group the permissions the connector needs. FortiOS then obtains its credentials from the instance metadata service over the instance's own private network, so no user ID or certificate has to be configured on the FortiGate.
FortiOS 7.6.1 and later versions support this feature.
The following shows the topology when using traditional authentication versus IAM roles:
The following prerequisites must be met for this configuration:
- FortiGate located on OCI
- Administrative permissions in OCI to manage the FortiGate-VM instance and the identity resources (dynamic groups and policies) in the environment
- The following policy statements are the minimum sufficient for this deployment:
- Allow dynamic-group <group_name> to read compartments in tenancy
- Allow dynamic-group <group_name> to read instances in tenancy
- Allow dynamic-group <group_name> to read vnic-attachments in tenancy
- Allow dynamic-group <group_name> to read private-ips in tenancy
- Allow dynamic-group <group_name> to read public-ips in tenancy
- Allow dynamic-group <group_name> to manage private-ips in tenancy
- Allow dynamic-group <group_name> to manage public-ips in tenancy
- Allow dynamic-group <group_name> to manage vnics in tenancy
The read statements are enough when the connector only queries address objects; the manage statements are needed only when the connector moves IP addresses between VNICs for HA failover.
You can use resource tags to further restrict the manage statements with a where clause, for example:
- Allow dynamic-group <group_name> to manage private-ips in tenancy
- Allow dynamic-group <group_name> to manage public-ips in tenancy where any {target.resource.tag.<namespace>.<tag key> = 'value'}
- Allow dynamic-group <group_name> to manage vnics in tenancy where any {target.resource.tag.<namespace>.<tag key> = 'value'}
Actual role configurations may differ depending on your environments. Check with your company's public cloud administrators for more details.
To configure an OCI SDN connector using IAM roles, complete the following steps:
- Configure an IAM role on OCI.
- Configure an SDN connector in FortiOS.
- Perform testing to ensure that the SDN connector is connected to OCI.
To configure an IAM role on OCI:
- In OCI, go to Compute > Instances, and select the desired FortiGate-VM instance.
- On the Instance Details page, note the instance's OCID. In this example, the OCID is ocid1.instance.oc1.iad.abuwcljthhvsi7djktxkljr2pzjelkcj4pgozd46bnpcpt5pxcaj56mkurhq.
- Open the navigation menu and go to Identity > Dynamic Groups. Create a dynamic group with a matching rule that selects the FortiGate-VM instance by its OCID, using the syntax "ALL {instance.id = 'instanceID'}". In this example, the configured rule is "ALL {instance.id = 'ocid1.instance.oc1.iad.abuwcljthhvsi7djktxkljr2pzjelkcj4pgozd46bnpcpt5pxcaj56mkurhq'}". If you have multiple instances to include in the dynamic group, create one rule per instance, or combine them in a single rule with the syntax "Any {instance.id = 'instanceID1', instance.id = 'instanceID2'}".
- Go to Identity > Policies. Create a policy that grants the dynamic group access to the environment. This lets the instance referenced in the dynamic group query metadata and move IP addresses between VNICs when the SDN connector is used for HA. In the STATEMENT field, the broadest form is "Allow dynamic-group <group-name> to manage all-resources in tenancy"; for production use, prefer the narrower read and manage statements listed in the prerequisites, which cover everything the connector calls.
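The identity steps above (note the instance OCID, build the dynamic-group rule, write the policy) and the minimum policy statements from the prerequisites, worked through as an added Python example. This is not Fortinet or Oracle code: the function names, the constructed instance metadata response and the group name fgt-sdn-group are assumptions; the OCID layout, the IMDS v2 endpoint and the policy statement syntax are OCI's own. It starts from the identifiers a metadata query returns, builds the matching rule (the ALL form used on this page for one instance, a combined Any rule for several) and emits read-only statements for query-only use or read plus tag-scoped manage statements for HA, so the policy is no broader than the connector's role.

```python
"""Derive the OCI dynamic-group rule and least-privilege policy statements
for a FortiGate-VM SDN connector that uses instance-principal IAM.

Added example for this page, not Fortinet or Oracle code. Function names,
the constructed IMDS sample and the group name are assumptions; the OCID
layout, the IMDS v2 endpoint and the policy syntax are OCI's own.
"""
import json
import re
import urllib.request
from typing import Iterable, List, Optional, Tuple

# OCID layout: ocid1.<resource type>.<realm>[.<region>][.<future use>].<unique id>
_OCID_RE = re.compile(
    r"^ocid1\.(?P<type>[a-z]+)\.(?P<realm>oc\d+)(\.[a-z0-9-]*)*\.(?P<uid>[a-z0-9]+)$"
)

# Read statements let the connector resolve dynamic address objects.
READ_RESOURCES = ("compartments", "instances", "vnic-attachments", "private-ips", "public-ips")
# Manage statements are only needed when the connector moves IPs on HA failover.
MANAGE_RESOURCES = ("private-ips", "public-ips", "vnics")

# Constructed IMDS v2 /opc/v2/instance/ response: the instance OCID is the one
# used on this page, the tenancy and compartment OCIDs are placeholders.
SAMPLE_IMDS_JSON = json.dumps({
    "id": "ocid1.instance.oc1.iad.abuwcljthhvsi7djktxkljr2pzjelkcj4pgozd46bnpcpt5pxcaj56mkurhq",
    "compartmentId": "ocid1.compartment.oc1..aaaaaaaacompartmentplaceholder",
    "tenantId": "ocid1.tenancy.oc1..aaaaaaaatenancyplaceholder",
    "region": "iad",
    "displayName": "fortigate-vm-1",
})


def validate_ocid(ocid: str, expected_type: str) -> bool:
    """True if ocid is well-formed and names the expected resource type."""
    m = _OCID_RE.match(ocid)
    return bool(m) and m.group("type") == expected_type


def parse_imds_instance(imds_json: str) -> dict:
    """Pull the instance, compartment and tenancy OCIDs out of an IMDS v2
    document; these feed the dynamic group, the policy and the connector's
    Tenant ID / Compartment ID fields."""
    doc = json.loads(imds_json)
    info = {"instance_id": doc["id"], "compartment_id": doc["compartmentId"],
            "tenant_id": doc["tenantId"]}
    if not validate_ocid(info["instance_id"], "instance"):
        raise ValueError("not an instance OCID: " + info["instance_id"])
    if not validate_ocid(info["tenant_id"], "tenancy"):
        raise ValueError("not a tenancy OCID: " + info["tenant_id"])
    # The root compartment is the tenancy itself, so either type is acceptable.
    if not (validate_ocid(info["compartment_id"], "compartment")
            or validate_ocid(info["compartment_id"], "tenancy")):
        raise ValueError("not a compartment OCID: " + info["compartment_id"])
    return info


def fetch_imds_instance(timeout: float = 2.0) -> dict:
    """Live variant: read the same document from the instance's own IMDS v2
    endpoint. Only works on an OCI instance; v2 requires the Bearer Oracle header."""
    req = urllib.request.Request("http://169.254.169.254/opc/v2/instance/",
                                 headers={"Authorization": "Bearer Oracle"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_imds_instance(resp.read().decode())


def dynamic_group_rule(instance_ids: Iterable[str]) -> str:
    """Matching rule for the dynamic group: the ALL form from this page for a
    single instance, one combined Any {...} rule for several."""
    ids = list(instance_ids)
    if not ids:
        raise ValueError("at least one instance OCID is required")
    bad = [i for i in ids if not validate_ocid(i, "instance")]
    if bad:
        raise ValueError("not instance OCIDs: " + ", ".join(bad))
    conds = ", ".join("instance.id = '%s'" % i for i in ids)
    return ("ALL {%s}" if len(ids) == 1 else "Any {%s}") % conds


def policy_statements(group: str, ha: bool = False,
                      tag: Optional[Tuple[str, str, str]] = None) -> List[str]:
    """Least-privilege statements. ha=False gives read-only access (queries
    only); ha=True adds the manage statements needed to move IPs on failover;
    tag=(namespace, key, value) scopes those manage statements to tagged
    resources with a where clause, reads stay tenancy-wide."""
    stmts = ["Allow dynamic-group %s to read %s in tenancy" % (group, r)
             for r in READ_RESOURCES]
    if ha:
        where = ""
        if tag is not None:
            ns, key, value = tag
            where = " where any {target.resource.tag.%s.%s = '%s'}" % (ns, key, value)
        stmts += ["Allow dynamic-group %s to manage %s in tenancy%s" % (group, r, where)
                  for r in MANAGE_RESOURCES]
    return stmts


if __name__ == "__main__":
    info = parse_imds_instance(SAMPLE_IMDS_JSON)
    print("rule:      " + dynamic_group_rule([info["instance_id"]]))
    for s in policy_statements("fgt-sdn-group", ha=True, tag=("Fortinet", "role", "sdn")):
        print("statement: " + s)
```

Run it anywhere to see the rule and statements for the constructed sample; on the FortiGate-VM's own OCI instance, replace the sample with fetch_imds_instance() to start from the real OCIDs. Paste the rule into the dynamic group and the statements into the policy; the tag-scoped manage statements only take effect on VNICs and IPs that carry the tag, so tag the FortiGate's VNICs and floating IPs before enabling HA.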
To configure an SDN connector in FortiOS:
To configure an SDN connector in the FortiOS GUI, do the following:
- In FortiOS, go to Security Fabric > Fabric Connectors.
- Click Create New > Oracle Cloud Infrastructure (OCI).
- Enable Use metadata IAM.
- In the Tenant ID field, enter the OCID of the tenancy that the FortiGate-VM runs in.
- In the Compartment ID field, enter the OCID of the compartment to scan. This may be the tenancy OCID (the root compartment) depending on your configuration. This limits the scanning of address objects to the configured compartments.
- In the OCI region list, configure one or more OCI regions (the config oci-region-list section in the CLI).
- Configure the other SDN connector settings as required.
- In Security Fabric > Fabric Connectors, ensure that the OCI connector has been created and is enabled and connected.
To configure an SDN connector using the FortiOS CLI, run the following commands. With use-metadata-iam enabled, user-id and oci-cert are left empty because the instance principal supplies the credentials:
config system sdn-connector
    edit "oci-sdn-connector"
        set status enable
        set type oci
        set ha-status disable
        set tenant-id "<tenant ID>"
        set user-id ''
        config compartment-list
            edit "<compartment_ID 1>"
            next
            edit "<compartment_ID 2>"
            next
        end
        config oci-region-list
            edit "us-ashburn-1"
            next
            edit "us-phoenix-1"
            next
        end
        set oci-cert ''
        set use-metadata-iam enable
        set update-interval 60
    next
end
To perform testing:
To ensure the SDN connector is connected to OCI, run the diagnose sys sdn status command. The output should display that the SDN connector has a connected status.
You can run the diagnose debug application ocid -1 and diagnose test application ocid commands for further debugging.
If you have security concerns about a policy that gives the dynamic group access to the entire environment, follow the least-privilege guidance in the OCI documentation. For example, if you are not using the SDN connector for failover and instead are using it only for querying, assign the dynamic group the read statements only and omit the manage statements.