Fortinet Document Library

Instance Principals for Identity and Access Management

New Features

6.2.0

IAM Authentication

This feature adds the ability for the Oracle Cloud Infrastructure (OCI) SDN connector to authenticate with IAM credentials obtained through the instance's metadata service (an instance principal), instead of an API signing key stored on the FortiGate. It covers all connector functions, including HA failover and dynamic address updating.

Before IAM credentials can be enabled for an SDN connector, a dynamic group and a policy must be configured in OCI. The SDN connector can then be configured from the FortiGate CLI or GUI.

To configure OCI:
  1. Create a dynamic group whose matching rules cover the instance OCID of each FortiGate in the HA cluster, one rule per member. For example:

    ALL {instance.id = 'ocid1.instance.oc1.iad.abuwcljtkqllbq6yxgxtowybgc4ht6sxqpfccckjj23p6pbfmvbl52uttbiq'}
    ALL {instance.id = 'ocid1.instance.oc1.iad.abuwcljttcylhekauqy42jzpsnu2dkalbhnlulqxfe2az24fktcuhtj65vnq'}

    When combining more than one rule, select the option that matches an instance against any of the rules. An instance carries only one instance.id, so requiring all rules to match would leave the group empty and both FortiGates without credentials.

  2. Create a policy that lets that dynamic group (named API in this example) call the OCI API on the FortiGates' behalf. The example grants the broadest possible scope:

    Allow dynamic-group API to manage all-resources in TENANCY

    A grant this wide means that a compromised FortiGate instance can manage everything in the tenancy. Once the connector is working, narrow the statement to the FortiGate's compartment and to the verbs and resource types the connector actually uses (it lists instances, VNICs and private IPs, and updates private IPs during failover), checking the exact combination against the OCI policy reference.
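Before pointing the FortiGate at this grant, it is worth checking offline that the dynamic group admits both HA members and nothing else, and how much the policy statement hands out. The following Python is an added example, not Fortinet's or Oracle's code: it evaluates matching rules and policy statements with a small parser of the syntax used above (instance.id / instance.compartment.id conditions, optionally inside Any{} or All{}, and Allow ... to VERB RESOURCE in LOCATION). All OCIDs, instance names and the narrower policy statements it handles are constructed placeholders, and the minimum verb and resource type the connector really needs are not determined by this script; confirm them against the OCI policy reference before deploying a narrowed statement.

```python
"""Offline review of the OCI IAM objects an instance-principal SDN connector depends on.

Added example, not Fortinet or Oracle code. Evaluates OCI dynamic-group matching
rules and IAM policy statements without calling OCI. Grammar covered is the subset
used in the procedure: conditions `<variable> = '<value>'` (or !=), optionally
wrapped in Any {...} / All {...}, and `Allow <subject> to <verb> <resource> in <location>`.
Every OCID and instance name below is a constructed placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

COMPARTMENT = "ocid1.compartment.oc1..aaaaexamplecompartment"
FGT_A = {"instance.id": "ocid1.instance.oc1.iad.aaaaexampleprimary", "instance.compartment.id": COMPARTMENT}
FGT_B = {"instance.id": "ocid1.instance.oc1.iad.aaaaexamplesecondary", "instance.compartment.id": COMPARTMENT}
OTHER_VM = {"instance.id": "ocid1.instance.oc1.iad.aaaaexampleother", "instance.compartment.id": COMPARTMENT}

# The two per-instance rules of the procedure, combined the two ways the OCI console offers.
HA_RULE_ANY = ("Any {instance.id = 'ocid1.instance.oc1.iad.aaaaexampleprimary', "
               "instance.id = 'ocid1.instance.oc1.iad.aaaaexamplesecondary'}")
HA_RULE_ALL = HA_RULE_ANY.replace("Any", "All", 1)
# A compartment-wide rule is convenient but admits every instance in the compartment.
COMPARTMENT_RULE = "ALL {instance.compartment.id = '%s'}" % COMPARTMENT

_GROUP_RE = re.compile(r"^\s*(any|all)\s*\{(.*)\}\s*$", re.IGNORECASE | re.DOTALL)
_COND_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(!=|=)\s*'([^']*)'\s*$")
_POLICY_RE = re.compile(
    r"^\s*allow\s+(?P<subject>dynamic-group\s+\S+|group\s+\S+|any-user|service\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+id\s+\S+|compartment\s+\S+)"
    r"(?:\s+where\s+.+)?\s*$",
    re.IGNORECASE,
)


def instance_matches(rule: str, attrs: Dict[str, str]) -> bool:
    """True if an instance with these attributes is admitted by the matching rule.

    Conditions inside Any{}/All{} are comma-separated; nested groups are not
    needed here and fall through to the condition regex, which rejects them.
    """
    group = _GROUP_RE.match(rule)
    if group:
        combinator, body = group.group(1).lower(), group.group(2)
        results = [instance_matches(c, attrs) for c in body.split(",") if c.strip()]
        if not results:
            raise ValueError("empty %s rule" % combinator)
        return any(results) if combinator == "any" else all(results)
    cond = _COND_RE.match(rule)
    if not cond:
        raise ValueError("unsupported matching rule: %r" % rule)
    variable, op, value = cond.groups()
    actual = attrs.get(variable)
    return actual == value if op == "=" else actual != value


def members(rule: str, instances: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of the instances the rule admits into the dynamic group."""
    return [name for name, attrs in instances.items() if instance_matches(rule, attrs)]


@dataclass
class PolicyFinding:
    statement: str
    severity: str        # "ok", "warn" or "high"
    reasons: List[str]


def review_policy(statement: str, dynamic_group: str) -> PolicyFinding:
    """Flag the parts of a policy statement that are wider than the connector's job.

    The failover trace on this page only lists VNICs/private IPs and updates a private
    IP, so `manage all-resources in tenancy` is far wider than required. The exact
    minimum verb and resource type are not decided here (check the OCI policy reference).
    """
    m = _POLICY_RE.match(statement)
    if not m:
        raise ValueError("unparseable policy statement: %r" % statement)
    subject = m.group("subject").split()
    if subject[0].lower() != "dynamic-group" or subject[1] != dynamic_group:
        return PolicyFinding(statement, "high",
                             ["grants %s, not dynamic-group %s" % (" ".join(subject), dynamic_group)])
    reasons = []
    if m.group("verb").lower() == "manage":
        reasons.append("verb manage permits create/delete; the connector only reads and updates")
    if m.group("resource").lower() == "all-resources":
        reasons.append("all-resources covers every resource type in scope")
    if m.group("location").lower() == "tenancy":
        reasons.append("scope is the whole tenancy rather than the FortiGate's compartment")
    if not reasons:
        return PolicyFinding(statement, "ok", [])
    return PolicyFinding(statement, "high" if len(reasons) > 1 else "warn", reasons)


if __name__ == "__main__":
    fleet = {"fgt-a": FGT_A, "fgt-b": FGT_B, "other-vm": OTHER_VM}
    print("Any         ->", members(HA_RULE_ANY, fleet))       # both HA members only
    print("All         ->", members(HA_RULE_ALL, fleet))       # empty: no instance has two IDs
    print("compartment ->", members(COMPARTMENT_RULE, fleet))  # every VM in the compartment
    print(review_policy("Allow dynamic-group API to manage all-resources in TENANCY", "API"))
```

Run as a script, it shows that the Any form admits both FortiGates, the All form admits nothing, and a compartment-wide rule also admits unrelated VMs, which would then inherit whatever the policy grants. The page's own statement is rated high on all three counts (verb, resource type and scope).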

To configure the FortiGate using the CLI:
  1. Configure the SDN connector. The compartment-id here is the tenancy OCID, which is the OCID of the root compartment; oci-cert is left empty because, with use-metadata-iam enabled, the connector obtains its credentials from the instance metadata service rather than from a stored API signing key:

    config system sdn-connector
        edit "oci-sdn"
            set status enable
            set type oci
            set ha-status enable
            set tenant-id "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55ck3a"
            set user-id "ocid1.user.oc1..aaaaaaaaq2lfspeo3uetzbzpiv2pqvzzevozccnys347stwssvizqlatfv7q"
            set compartment-id "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55ck3a"
            set oci-region ashburn
            set oci-cert ''
            set use-metadata-iam enable
            set update-interval 60
        next
    end

  2. Trigger a failover and confirm on the secondary FortiGate, as it becomes the new primary, that each floating private IP is moved to one of its local VNICs. The connector output for a successful failover looks like this (two private IPs, 10.0.1.15 and 10.0.0.15, are moved):
    # HA event
    OCI sdn connector oci-sdn updating
    
    Updating Compartment: fortinetoraclecloud1
    VM FAZ-B1750
    ip are 129.213.120.204:10.0.0.5
    VM fmg-b1746
    Become HA master mode 2
    ocid collect vnics info for instance thomas-slave
    vnic state: ATTACHED
    vnic id(1/4): ocid1.vnic.oc1.iad.abuwcljt5f2ehfi2zlkhqqbrewgrnpy7iqhsxuqyad7k6natuq42lsqo3hfq
    ip are 129.213.138.127:10.0.0.5
    VM fmg-b1781
    vnic state: ATTACHED
    vnic id(2/4): ocid1.vnic.oc1.iad.abuwcljtk6t4glgvzjy5rwk3jywsthbyoxjdbojwouppnwdnbpadpnr3unra
    vnic state: ATTACHED
    vnic id(3/4): ocid1.vnic.oc1.iad.abuwcljtipazqefscqemll5forvnzfmo5zh22zjaeahnbph67wjmm7gd6qha
    ip are 132.145.170.31:10.0.0.14
    VM instance-20180813-1141
    vnic state: ATTACHED
    vnic id(4/4): ocid1.vnic.oc1.iad.abuwcljtyy3mvw7uqoefma6vx5y5g7bzjw4hycr37urncf53xyyzntzfeqza
    ocid fail over private ip: 10.0.1.15
    ip are 129.213.124.225:10.0.0.2
    VM instance-20181024-1439
    private ip 10.0.1.15 is attached in remote instance
    attaching private ip 10.0.1.15 to local vnic (ocid1.vnic.oc1.iad.abuwcljtk6t4glgvzjy5rwk3jywsthbyoxjdbojwouppnwdnbpadpnr3unra)
    updating private ip with data: {"vnicId": "ocid1.vnic.oc1.iad.abuwcljtk6t4glgvzjy5rwk3jywsthbyoxjdbojwouppnwdnbpadpnr3unra"}
    ip are 132.145.173.187:10.0.0.11
    ip are 132.145.173.187:10.0.10.2
    VM instance-20181128-1505
    ip are 132.145.162.119:10.0.0.3
    VM instance-20181214-1616
    moving private ip 10.0.1.15 to local successfully
    
    ocid fail over private ip: 10.0.0.15
    ip are 132.145.167.255:10.0.0.15
    VM jkato-fgt603-dev005
    private ip 10.0.0.15 is attached in remote instance
    attaching private ip 10.0.0.15 to local vnic (ocid1.vnic.oc1.iad.abuwcljtipazqefscqemll5forvnzfmo5zh22zjaeahnbph67wjmm7gd6qha)
    updating private ip with data: {"vnicId": "ocid1.vnic.oc1.iad.abuwcljtipazqefscqemll5forvnzfmo5zh22zjaeahnbph67wjmm7gd6qha"}
    moving private ip 10.0.0.15 to local successfully
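The trace above is the evidence that the failover worked, and on a connector with many instances it is long enough that a floating IP that never moved is easy to overlook. The following Python is an added example, not Fortinet code: it parses that line format and reports any failover that never reached the "moving private ip ... to local successfully" line, or that attached to a VNIC outside the inventory collected for the local instance. SAMPLE_TRACE is a constructed excerpt in the page's format with placeholder OCIDs and instance names; its second failover is deliberately left unfinished so the check has something to flag.

```python
"""Verify a FortiGate OCI SDN connector HA failover from its debug trace.

Added example, not Fortinet code. Parses the line format shown in the procedure and
reports any floating private IP whose failover never reached "moving private ip ...
to local successfully" or that was attached to a VNIC outside the local inventory.
SAMPLE_TRACE is a constructed excerpt with placeholder OCIDs and names; its second
failover is deliberately left unfinished.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_TRACE = """\
# HA event
OCI sdn connector oci-sdn updating
Become HA master mode 2
ocid collect vnics info for instance fgt-secondary
vnic state: ATTACHED
vnic id(1/2): ocid1.vnic.oc1.iad.aaaaexamplevnicone
vnic state: ATTACHED
vnic id(2/2): ocid1.vnic.oc1.iad.aaaaexamplevnictwo
ocid fail over private ip: 10.0.1.15
private ip 10.0.1.15 is attached in remote instance
attaching private ip 10.0.1.15 to local vnic (ocid1.vnic.oc1.iad.aaaaexamplevnicone)
updating private ip with data: {"vnicId": "ocid1.vnic.oc1.iad.aaaaexamplevnicone"}
moving private ip 10.0.1.15 to local successfully
ocid fail over private ip: 10.0.0.15
private ip 10.0.0.15 is attached in remote instance
attaching private ip 10.0.0.15 to local vnic (ocid1.vnic.oc1.iad.aaaaexamplevnictwo)
updating private ip with data: {"vnicId": "ocid1.vnic.oc1.iad.aaaaexamplevnictwo"}
"""

# One regex per line type of interest; anything else (per-VM "ip are" listings) is ignored.
_PATTERNS = {
    "connector": re.compile(r"^OCI sdn connector (\S+) updating$"),
    "master": re.compile(r"^Become HA master mode (\d+)$"),
    "vnic": re.compile(r"^vnic id\(\d+/\d+\): (\S+)$"),
    "failover": re.compile(r"^ocid fail over private ip: (\S+)$"),
    "remote": re.compile(r"^private ip (\S+) is attached in remote instance$"),
    "attach": re.compile(r"^attaching private ip (\S+) to local vnic \((\S+)\)$"),
    "done": re.compile(r"^moving private ip (\S+) to local successfully$"),
}


@dataclass
class Failover:
    ip: str
    was_remote: bool = False           # IP sat on the peer before the move
    target_vnic: Optional[str] = None  # local VNIC it was attached to
    succeeded: bool = False


@dataclass
class HaEvent:
    connector: Optional[str] = None
    became_master: bool = False
    local_vnics: List[str] = field(default_factory=list)
    failovers: Dict[str, Failover] = field(default_factory=dict)

    def problems(self) -> List[str]:
        """Everything that should stop you declaring the failover good."""
        out = []
        if not self.became_master:
            out.append("trace shows no 'Become HA master' transition")
        for ip, fo in self.failovers.items():
            if fo.target_vnic and fo.target_vnic not in self.local_vnics:
                out.append("%s: attached to VNIC %s not in local inventory" % (ip, fo.target_vnic))
            if not fo.succeeded:
                out.append("%s: failover did not complete (no success line)" % ip)
        return out


def parse_ha_event(trace: str) -> HaEvent:
    """Fold the trace into an HaEvent, creating a Failover record on first sight of each IP."""
    ev = HaEvent()
    for raw in trace.splitlines():
        line = raw.strip()
        for kind, pat in _PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            if kind == "connector":
                ev.connector = m.group(1)
            elif kind == "master":
                ev.became_master = True
            elif kind == "vnic":
                ev.local_vnics.append(m.group(1))
            else:
                fo = ev.failovers.setdefault(m.group(1), Failover(ip=m.group(1)))
                if kind == "remote":
                    fo.was_remote = True
                elif kind == "attach":
                    fo.target_vnic = m.group(2)
                elif kind == "done":
                    fo.succeeded = True
            break
    return ev


if __name__ == "__main__":
    event = parse_ha_event(SAMPLE_TRACE)
    for ip, fo in event.failovers.items():
        print(ip, "->", fo.target_vnic, "ok" if fo.succeeded else "INCOMPLETE")
    print("problems:", event.problems())
```

Feed it the real connector output instead of SAMPLE_TRACE; an empty problems() list is the condition to look for after a failover test.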
    
To configure the FortiGate using the GUI:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New, then select Oracle Cloud Infrastructure (OCI) from the SDN category.
  3. Fill in the Name, User ID, OCI tenant ID, and OCI compartment ID.
  4. Enable Use metadata IAM.
  5. Configure the Update Interval and Status, then click OK.
  6. Go to Policy & Objects > Addresses and confirm that dynamic addresses bound to the connector resolve to the expected instance IPs.
