Fortinet Document Library

Cookbook

6.2.0

SDN connectors

Fabric connectors to SDNs provide integration and orchestration of Fortinet products with SDN solutions. Fabric Connectors ensure that any changes in the SDN environment are automatically updated in your network.

There are four steps to creating and using an SDN connector:

  1. Gather the required information
  2. Create the fabric connector
  3. Create a fabric connector address
  4. Add the address to a firewall policy

An example of creating a Microsoft Azure SDN connector is available at https://docs.fortinet.com/vm/azure/fortigate/6.2/azure-cookbook/6.2.0/502895.

Required information

Specific information is required to create each connector type:

Service

Required information

Amazon Web Services

  • Access key ID
  • Secret access key
  • Region name
  • VPC ID (optional)

Microsoft Azure

  • Server region
  • Tenant ID
  • Client ID
  • Client secret
  • Subscription ID (optional)
  • Resource group (optional)
  • Login endpoint (Azure Stack only)
  • Resource URL (Azure Stack only)

Google Cloud Platform (GCP)

  • Project name
  • Service account email
  • Private key

Oracle Cloud Infrastructure (OCI)

  • User ID
  • Tenant ID
  • Compartment ID
  • Server region
  • Certificate

AliCloud

  • AccessKey ID
  • AccessKey Secret
  • Region ID

Kubernetes

  • IP address
  • Port
  • Secret token

VMware ESXi and NSX

  • IP address or hostname
  • Username
  • Password

OpenStack (Horizon)

  • IP address
  • Username
  • Password

Application Centric Infrastructure (ACI)

  • IP address
  • Port
  • Username
  • Password

Nuage Virtualized Services Platform

  • IP address
  • Port
  • Username
  • Password

Create the fabric connector

To create an SDN Fabric connector in the GUI:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. Click on the service that you are using.
  4. Enter the Name, Status, and Update Interval for the connector.
  5. Enter the previously collected information for the specific connector that you are creating.
  6. Click OK.

To create an SDN Fabric connector in the CLI:

config system sdn-connector
    edit <name>
        set status {enable | disable}
        set type {connector type}
        ...
        set update-interval <integer>
    next
end

Note: The available CLI commands will vary depending on the selected SDN connector type.

Create a fabric connector address

A fabric connector address can be used in the following ways:

  • As the source or destination address for firewall policies.
  • To automatically update changes to addresses in the environment of the service that you are using, based on specified filtering conditions.
  • To automatically apply changes to firewall policies that use the address, based on specified filtering conditions.

To create a fabric connector address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Enter a name for the address.
  4. Set the Type to Fabric Connector Address.
  5. Select an SDN Connector from the drop-down list, or click Create New to make a new one.
  6. Set the SDN address type. Only addresses of the selected type will be collected.
  7. Configure the connector-specific settings.
  8. Select an Interface for the address or leave it as any, enable or disable Show in Address List, and optionally add Comments.
  9. Add tags.
  10. Click OK.

To create a fabric connector address in the CLI:

config firewall address
    edit <name>
        set type dynamic
        set sdn <sdn_connector>
        set visibility enable
        set associated-interface <interface_name>
        set color <integer>
        ...
        set comment <comment>
        config tagging
            edit <name>
                set category <string>
                set tags <strings>
            next
        end
    next
end

Note: The available CLI commands will vary depending on the selected SDN connector type.

Add the address to a firewall policy

A fabric connector address can be used as either the source or destination address.

To add the address to a firewall policy in the GUI:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Click Create New.
  3. Enter a name for the policy.
  4. Set the incoming and outgoing interfaces.
  5. Use the fabric connector address as the source or destination address.
  6. Configure the remaining settings as needed.
  7. Click OK.

To add the address to a firewall policy in the CLI:

config firewall policy
    edit 0
        set name <name>
        set srcintf <port_name>
        set dstintf <port_name>
        set srcaddr <firewall_address>
        set dstaddr <firewall_address>
        set action accept
        set schedule <schedule>
        set service <service>
    next
end
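
The four steps above chain a connector to an address and an address to a policy. As an added example (not Fortinet code), this Python check reads a configuration file in the block syntax shown above and reports accept policies whose dynamic address references a connector that is disabled or not defined, so that connector cannot keep the address current. The sample configuration and every object name in it are constructed, and a connector with no `set status` line is assumed to be enabled.

```python
import shlex
# Constructed sample in the block syntax shown above; every object name is made up.
SAMPLE = """config system sdn-connector
    edit "aws1"
        set status disable
    next
end
config firewall address
    edit "aws-web"
        set type dynamic
        set sdn "aws1"
    next
end
config firewall policy
    edit 1
        set dstaddr "aws-web"
        set action accept
    next
end"""

def parse(text):
    """Top-level blocks as {section: {entry: {option: [values]}}}; nested blocks are skipped."""
    out, depth = {}, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config" and depth == 0:
            section = out.setdefault(" ".join(tok[1:]), {})
        elif depth == 1 and tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set":
            entry[tok[1]] = tok[2:]
        depth += (tok[0] == "config") - (tok[0] == "end")  # track nesting, e.g. config tagging
    return out

def audit(text):
    """Accept policies that use a dynamic address whose connector is missing or disabled."""
    cfg = parse(text)
    conns, addrs = cfg.get("system sdn-connector", {}), cfg.get("firewall address", {})
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        for name in pol.get("srcaddr", []) + pol.get("dstaddr", []):
            addr = addrs.get(name, {})
            in_scope = pol.get("action") == ["accept"] and addr.get("type") == ["dynamic"]
            sdn = (addr.get("sdn") or [""])[0]
            state = "missing" if sdn not in conns else conns[sdn].get("status", ["enable"])[0]
            if in_scope and state != "enable":
                findings.append((pid, name, sdn, state))
    return findings

print(audit(SAMPLE))
```

Each finding is a tuple of policy ID, address name, connector name, and state (`disable` or `missing`). The parser is line-based, so multi-line quoted values such as certificates or private keys are not handled.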
