SDN dynamic connector addresses in SD-WAN rules

SDN dynamic connector addresses can be used in SD-WAN rules. FortiGate supports both public (AWS, Azure, GCP, OCI, AliCloud) and private (Kubernetes, VMware ESXi and NSX, OpenStack, ACI, Nuage) SDN connectors.

The configuration procedure for all of the supported SDN connector types is the same. This example uses an Azure public SDN connector.

There are four steps to create and use an SDN connector address in an SD-WAN rule:

  1. Configure the FortiGate IP address and network gateway so that it can reach the Internet.
  2. Create an Azure SDN connector.
  3. Create a firewall address to associate with the configured SDN connector.
  4. Use the firewall address in an SD-WAN service rule.

To create an Azure SDN connector:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. In the Public SDN section, click Microsoft Azure.
  4. Enter the following:

     Name              azure1
     Status            Enabled
     Update Interval   Use Default
     Server region     Global
     Tenant ID         942b80cd-1b14-42a1-8dcf-4b21dece61ba
     Client ID         14dbd5c5-307e-4ea4-8133-68738141feb1
     Client secret     xxxxxx
     Resource path     disabled

  5. Click OK.

To create a firewall address to associate with the configured SDN connector:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Enter the following:

     Category          Address
     Name              azure-address
     Type              Fabric Connector Address
     SDN Connector     azure1
     SDN address type  Private
     Filter            SecurityGroup=edsouza-centos
     Interface         Any

  4. Click OK.

To use the firewall address in an SD-WAN service rule:
  1. Go to Network > SD-WAN Rules.
  2. Click Create New.
  3. Set the Name to Azure1.
  4. For the Destination Address select azure-address.
  5. Configure the remaining settings as needed. See WAN path control for details.
  6. Click OK.

Diagnostics

Use the following CLI commands to check the status of and troubleshoot the connector.

To see the status of the SDN connector:

    diagnose sys sdn status

    SDN Connector       Type        Status          Updating        Last update
    -----------------------------------------------------------------------------------------
    azure1              azure       connected       no              n/a

To debug the SDN connector as it resolves the firewall address:

    diagnose debug application azd -1

    Debug messages will be on for 30 minutes.
    ...
    azd sdn connector azure1 start updating IP addresses
    azd checking firewall address object azure-address-1, vd 0
     IP address change, new list:
      10.18.0.4
      10.18.0.12
      ...
      ...

To verify that the SD-WAN service rule has picked up the resolved addresses as its destination:

    diagnose sys virtual-wan-link service

    Service(2): Address Mode(IPV4) flags=0x0
      TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Service role: standalone
      Member sub interface:
      Members:
        1: Seq_num(1), alive, selected
      Dst address:
            10.18.0.4 - 10.18.0.4
            10.18.0.12 - 10.18.0.12
             ... ...
             ... ...
             ... ...
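The three diagnostics above let you confirm by hand that the connector is connected, that azd resolved the address object to an IP list, and that the SD-WAN rule's Dst address list matches that list. Because the rule's destination now changes whenever the cloud inventory behind the filter changes, it is worth checking the resolved set against the prefix you expect the matched instances to live in. The following Python script is an added example and is not part of this Fortinet page or of FortiOS: it parses constructed samples of the three outputs (modelled on the lines above, with the address object named azure-address) and reports a connector that is not connected, resolved addresses outside an expected prefix, and resolved addresses the rule has not yet picked up. The function names and the 10.18.0.0/16 expected prefix are assumptions for the illustration; in practice you would feed it the captured CLI output.

```python
import ipaddress
import re

# Constructed sample output, modelled on the three diagnostic commands shown
# above. Real output will differ in the address object name and the IP list.
SDN_STATUS = """\
SDN Connector       Type        Status          Updating        Last update
-----------------------------------------------------------------------------------------
azure1              azure       connected       no              n/a
"""

AZD_DEBUG = """\
Debug messages will be on for 30 minutes.
...
azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address, vd 0
 IP address change, new list:
  10.18.0.4
  10.18.0.12
  ...
"""

SDWAN_SERVICE = """\
Service(2): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(1), alive, selected
  Dst address:
        10.18.0.4 - 10.18.0.4
        10.18.0.12 - 10.18.0.12
         ... ...
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_sdn_status(text):
    """Map connector name -> fields from 'diagnose sys sdn status'."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "SDN":  # skip header, separator, blanks
            continue
        name, ctype, status, updating = parts[:4]
        rows[name] = {"type": ctype, "status": status,
                      "updating": updating, "last_update": " ".join(parts[4:])}
    return rows


def parse_azd_addresses(text):
    """Map firewall address object name -> IPv4Address list resolved by azd."""
    resolved = {}
    current = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"azd checking firewall address object (\S+), vd \d+", s)
        if m:
            current = m.group(1)
            resolved[current] = []
        elif current and re.fullmatch(IPV4, s):
            resolved[current].append(ipaddress.ip_address(s))
    return resolved


def parse_sdwan_dst_ranges(text):
    """Map SD-WAN service id -> list of (first, last) destination ranges."""
    services = {}
    current = None
    in_dst = False
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Service\((\d+)\):", s)
        if m:
            current = int(m.group(1))
            services[current] = []
            in_dst = False
        elif s == "Dst address:":
            in_dst = True
        elif in_dst:
            m = re.fullmatch(rf"({IPV4}) - ({IPV4})", s)
            if m:
                services[current].append(
                    (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
            elif not s.startswith("..."):
                in_dst = False  # any other key ends the Dst address block


    return services


def check_dynamic_address(status_text, azd_text, sdwan_text,
                          connector, address_obj, service_id, expected_prefix):
    """Return a list of findings; an empty list means the rule reflects the connector."""
    findings = []
    conn = parse_sdn_status(status_text).get(connector)
    if conn is None or conn["status"] != "connected":
        findings.append(f"connector {connector} is missing or not connected")
    resolved = parse_azd_addresses(azd_text).get(address_obj, [])
    if not resolved:
        findings.append(f"azd resolved no addresses for {address_obj}")
    allowed = ipaddress.ip_network(expected_prefix)  # assumed expected prefix
    ranges = parse_sdwan_dst_ranges(sdwan_text).get(service_id, [])
    for ip in resolved:
        if ip not in allowed:
            findings.append(f"{ip} resolved for {address_obj} is outside {allowed}")
        if not any(lo <= ip <= hi for lo, hi in ranges):
            findings.append(f"{ip} is not a Dst address of SD-WAN service {service_id}")
    return findings


if __name__ == "__main__":
    for finding in check_dynamic_address(SDN_STATUS, AZD_DEBUG, SDWAN_SERVICE,
                                         "azure1", "azure-address", 2,
                                         "10.18.0.0/16") or ["OK"]:
        print(finding)
```

The check is deliberately read-only: it consumes pasted CLI output and never touches the connector, so it can be run from a change ticket or a scheduled job that captures the three commands. The azd debug line is taken from the page's own format; note that the page's sample names the object azure-address-1 while the address created above is azure-address, so compare against whatever name your own debug output prints.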
