SDN dynamic connector addresses in SD-WAN rules
SDN dynamic connector addresses can be used in SD-WAN rules. FortiGate supports both public (AWS, Azure, GCP, OCI, AliCloud) and private (Kubernetes, VMware ESXi and NSX, OpenStack, ACI, Nuage) SDN connectors.
The configuration procedure for all of the supported SDN connector types is the same. This example uses an Azure public SDN connector.
There are four steps to create and use an SDN connector address in an SD-WAN rule:
- Configure the FortiGate IP address and network gateway so that it can reach the Internet.
- Create an Azure SDN connector.
- Create a firewall address to associate with the configured SDN connector.
- Use the firewall address in an SD-WAN service rule.
To create an Azure SDN connector:
- Go to Security Fabric > External Connectors.
- Click Create New.
- In the Public SDN section, click Microsoft Azure.
- Enter the following:

| Setting | Value |
|---|---|
| Name | azure1 |
| Status | Enabled |
| Update Interval | Use Default |
| Server region | Global |
| Directory ID | 942b80cd-1b14-42a1-8dcf-4b21dece61ba |
| Application ID | 14dbd5c5-307e-4ea4-8133-68738141feb1 |
| Client secret | xxxxxx |
| Resource path | disabled |
- Click OK.
To create a firewall address to associate with the configured SDN connector:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Enter the following:

| Setting | Value |
|---|---|
| Category | Address |
| Name | azure-address |
| Type | Dynamic |
| Sub Type | Fabric Connector Address |
| SDN Connector | azure1 |
| SDN address type | Private |
| Filter | SecurityGroup=edsouza-centos |
| Interface | Any |
- Click OK.
To use the firewall address in an SD-WAN service rule:
- Go to Network > SD-WAN Rules.
- Click Create New.
- Set the Name to Azure1.
- For the Destination Address select azure-address.
- Configure the remaining settings as needed. See WAN path control for details.
- Click OK.
Diagnostics
Use the following CLI commands to check the status of and troubleshoot the connector.
To see the status of the SDN connector:
```
# diagnose sys sdn status
SDN Connector                  Type        Status       Updating    Last update
-----------------------------------------------------------------------------------------
azure1                         azure       connected    no          n/a
```
To debug the SDN connector to resolve the firewall address:
```
# diagnose debug application azd -1
Debug messages will be on for 30 minutes.
...
azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address-1, vd 0
IP address change, new list: 10.18.0.4 10.18.0.12
...
...
```
To confirm that the SD-WAN service rule is matching on the addresses the connector resolved:
```
# diagnose sys virtual-wan-link service
Service(2): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(1), alive, selected
  Dst address: 10.18.0.4 - 10.18.0.4
               10.18.0.12 - 10.18.0.12
...
```
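The three diagnose outputs above are the evidence that a dynamic address is actually flowing into the rule: the connector must be connected, azd must have resolved the filter to a host list, and the service rule must carry exactly that list as destinations. The following script is an added example, not FortiOS or Fortinet code, that parses each output and reports any drift between the connector's resolved list and the rule's destination list (for instance a host that was removed from the Azure security group but still appears in the rule, or a connector that has dropped to a non-connected state). The sample outputs embedded in it are constructed from the diagnostics on this page; their multi-line layout is an assumption, since the page shows them run together, and the `Dst address:` continuation lines are assumed to be bare IP ranges.

```python
"""Consistency check over FortiGate SDN-connector diagnostics.

Added example (not FortiOS or Fortinet code). The three samples below are
constructed from the diagnose outputs shown on this page; their multi-line
layout is an assumption, since the page shows them run together.
"""
import re

# Constructed from 'diagnose sys sdn status' on the page.
SDN_STATUS = """\
SDN Connector    Type     Status      Updating   Last update
------------------------------------------------------------
azure1           azure    connected   no         n/a
"""

# Constructed from 'diagnose debug application azd -1' on the page.
AZD_DEBUG = """\
Debug messages will be on for 30 minutes.
azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address-1, vd 0
IP address change, new list: 10.18.0.4 10.18.0.12
"""

# Constructed from 'diagnose sys virtual-wan-link service' on the page.
SDWAN_SERVICE = """\
Service(2): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(1), alive, selected
  Dst address: 10.18.0.4 - 10.18.0.4
               10.18.0.12 - 10.18.0.12
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(r"(" + IPV4 + r")\s*-\s*(" + IPV4 + r")")


def parse_sdn_status(text):
    """Map connector name -> (type, status) from 'diagnose sys sdn status'."""
    connectors = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("SDN Connector", "-")):
            continue  # skip the header and the separator line
        fields = line.split()
        if len(fields) >= 3:
            connectors[fields[0]] = (fields[1], fields[2])
    return connectors


def parse_azd_ip_lists(text):
    """Map firewall address object -> list of IPs the connector last resolved."""
    resolved = {}
    current = None
    for line in text.splitlines():
        m = re.search(r"checking firewall address object (\S+?),", line)
        if m:
            current = m.group(1)
            resolved.setdefault(current, [])
            continue
        m = re.search(r"IP address change, new list:\s*(.*)$", line)
        if m and current is not None:
            resolved[current] = re.findall(IPV4, m.group(1))
    return resolved


def parse_sdwan_dst_ranges(text):
    """List the (start, end) destination ranges a service rule is matching on."""
    ranges = []
    in_dst = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Dst address:"):
            in_dst = True
            stripped = stripped[len("Dst address:"):].strip()
        elif in_dst and not re.match(IPV4, stripped):
            in_dst = False  # a non-IP line ends the destination list
        if in_dst:
            m = RANGE_RE.match(stripped)
            if m:
                ranges.append((m.group(1), m.group(2)))
    return ranges


def check_rule_uses_resolved_ips(connector, status_text, azd_text, service_text):
    """Return (ok, findings).

    ok is True only when the connector reports 'connected' and the hosts the
    connector resolved equal the /32 destinations in the service rule; the
    findings list names every stale or missing host and any bad status.
    """
    findings = []
    status = parse_sdn_status(status_text).get(connector)
    if status is None or status[1] != "connected":
        findings.append(f"connector {connector} status: {status}")
    resolved = {ip for ips in parse_azd_ip_lists(azd_text).values() for ip in ips}
    in_rule = {s for s, e in parse_sdwan_dst_ranges(service_text) if s == e}
    for ip in sorted(resolved - in_rule):
        findings.append(f"{ip} resolved by connector but absent from rule")
    for ip in sorted(in_rule - resolved):
        findings.append(f"{ip} in rule but no longer resolved (stale)")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_rule_uses_resolved_ips("azure1", SDN_STATUS, AZD_DEBUG, SDWAN_SERVICE)
    print("OK" if ok else "MISMATCH", findings)
```

Run against the page's own outputs the check passes; feed it a service dump that still lists a host azd no longer resolves and it flags that host as stale, which is the symptom to look for when traffic keeps steering toward a VM that has left the security group.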