Configuration
The method that you use to configure a Fabric Connector depends on which type of connector you're using:
- Creating a Fabric connector for SDN
- Creating a Fabric Connector for SSO
- Creating a Fabric Connector for threat feeds
Creating a Fabric connector for SDN
Note: FortiOS doesn't support multiple SDN Connector instances to Amazon Web Services, Google Cloud Platform, Microsoft Azure, and VMware NSX.
Fabric Connectors to Software-Defined Networks (SDNs) provide integration and orchestration of Fortinet products with key SDN solutions. You use Fabric Connectors to make sure that any changes in your SDN environment are automatically updated in your network.
To create a Fabric Connector for SDN, you need to do the following:
- Gather required information
- Create the Fabric Connector
- Create a Fabric Connector address
- Add the address to a firewall policy
For an example of how to configure a Fabric Connector for Microsoft Azure, see Automatically Updating Dynamic Addresses Using Fabric Connector.
Gather required information
Before you can create a Fabric Connector, you need to know specific information, which differs depending on which service you're using. You can find this information using your account for the specific service.
| Service | Required information for the service |
|---|---|
| Amazon Web Services | |
| Cisco Application Centric Infrastructure | |
| Google Cloud Platform | |
| Microsoft Azure (including Azure Stack) | |
| Nuage Virtualized Services Platform | |
| Oracle Cloud Infrastructure | |
| OpenStack (Horizon) | |
| VMware NSX | |
Create the Fabric Connector
You can create the Fabric Connector using either the GUI or CLI. The CLI commands that are available vary depending on which service you're using.
Creating a Fabric Connector - GUI:
- To create a new connector, go to Security Fabric > Fabric Connectors and select Create New.
- Select the service you're using and enter the required information for that service.
- Select OK.
Creating a Fabric Connector - CLI:
To create a Fabric Connector using the CLI, use the command config system sdn-connector. For more information about this command, see the FortiOS 6.0 CLI Reference.
Create a Fabric Connector address
You use a Fabric Connector address for the following:
- As the source or destination address for firewall policies
- To automatically update changes to the addresses in the environment of the service you're using, based on specified filtering conditions
- To automatically apply changes to the firewall policies that use the address, based on specified filtering conditions
Creating a Fabric Connector address - GUI:
- To create a new address, go to Policy & Objects > Addresses and select Create New > Address.
- Set a Name for the address.
- Set Type to Fabric Connector Address and set Fabric Connector Type to the new Fabric Connector.
- Set a Filter or Object ID, depending on the type of Fabric Connector. The filter or ID dynamically creates the members of the address. The types of filters or IDs that are supported vary depending on which service you're using.
- Set a specific Interface or leave it as the default any.
- Select OK.
Creating a Fabric Connector address - CLI:
config firewall address
    edit <name>
        set type dynamic
        set comment <comment>
        set visibility enable
        set associated-interface <interface_name>
        set sdn {aci | aws | azure | nsx | nuage | oci}
        set filter <filter>
        set obj-id <ID>
    next
end
Add the address to a firewall policy
You use a Fabric Connector address in a firewall policy as either the source or destination address.
Adding the address to a policy - GUI:
- To create a new policy, go to Policy & Objects > IPv4 Policy and select Create New.
- Set a Name for the policy.
- Set the appropriate Incoming Interface and Outgoing Interface.
- Set the Fabric Connector address as either the Source or Destination address, as appropriate.
- Set other policy settings, as required.
- Select OK.
Adding the address to a policy - CLI:
config firewall policy
    edit 0
        set name <name>
        set srcintf <port_name>
        set dstintf <port_name>
        set srcaddr <firewall_address>
        set dstaddr <firewall_address>
        set action accept
        set schedule <schedule>
        set service <service>
    next
end
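As an added worked example (not from the FortiOS documentation), the three CLI steps above tied together for an Amazon Web Services connector: the connector name aws-prod, the tag filter Tag.Role=web, the port names, the address and policy names, and the placeholder credentials are all assumed values, and the access-key, secret-key, region and update-interval options are assumed to be the AWS-specific settings of config system sdn-connector.

```text
# Step 1: the SDN connector itself (AWS shown; option names assumed).
# The key values are placeholders: use a least-privilege, read-only
# IAM credential and never paste real keys into a shared config.
config system sdn-connector
    edit "aws-prod"
        set status enable
        set type aws
        set access-key "<AWS_ACCESS_KEY_ID>"
        set secret-key "<AWS_SECRET_ACCESS_KEY>"
        set region "us-east-1"
        set update-interval 60
    next
end

# Step 2: a dynamic address whose members are resolved through the
# connector. The filter limits membership to instances tagged Role=web,
# so only those instances can ever match the policy below.
config firewall address
    edit "aws-web-servers"
        set type dynamic
        set sdn aws
        set filter "Tag.Role=web"
        set comment "Auto-populated from the aws-prod connector"
    next
end

# Step 3: a policy that uses the dynamic address as its destination.
# When tagged instances are added or removed in AWS, the address and
# this policy follow without manual edits. The service is scoped to
# what the web tier needs rather than ALL, and traffic is logged so
# membership changes are visible in the logs.
config firewall policy
    edit 0
        set name "to-aws-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "aws-web-servers"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

After committing, check the resolved members of the address (for example in the GUI address object or by verifying the connector status) before relying on the policy; an empty dynamic address matches nothing, which silently drops traffic rather than opening it.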
Creating a Fabric Connector for SSO
Fabric Connectors for SSO integrate single sign-on (SSO) authentication in your network. SSO allows users to enter their credentials once and have those credentials reused when they access other network resources through your FortiGate.
Fabric Connectors are available for the following services:
- Poll Active Directory (AD) server
- RADIUS Single Sign-On (RSSO) agent
- Fortinet Single Sign-On (FSSO) agent
Creating a Fabric Connector for threat feeds
Fabric Connectors for threat feeds dynamically import an external block list, in the form of a text file containing a list of either addresses or domains, which resides on an HTTP server. You use block lists to deny access to destination IP addresses in web filter and DNS filter profiles, SSL inspection exemptions, and as sources or destinations in proxy policies.
You can configure Fabric Connectors for the following types of threat feeds:
- FortiGuard category
- IP address
- Domain name