Support OCI IMDSv2 6.4.4
Support was added for OCI IMDSv2, which offers increased security for accessing instance metadata compared to IMDSv1. IMDSv2 is used in OCI SDN connectors and on instance deployments with bootstrap metadata. When upgrading from previous FortiOS builds with legacy IMDSv1 endpoints, the endpoints will be updated to IMDSv2, and the same calls can be made.
The following use cases illustrate IMDSv2 support on the FortiGate-VM.
To configure the Oracle OCI instance to use IMDSv2:
- In OCI, deploy an instance using IMDSv2 with bootstrap metadata. There are two methods to enable IMDSv2:
  - Use the OCI command line to deploy an instance using user-data. This example uses a MIME file that contains the license and configuration, as well as a JSON file that specifies to disable V1 metadata:
    oci compute instance launch --availability-domain wwwl:US-ASHBURN-AD-1 --compartment-id ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa7xxxxxxx54aaaaaa4xxxxxxxx55xxxa --display-name fos-byol-v6.4.6-b2290-emulated --image-id ocid1.image.oc1.iad.aaaaaaaa6xxx43xxxxxxxxx7aaaaaaaaaaaaaaaaaaaa3xxxxxxxxxxxxxxx --subnet-id ocid1.subnet.oc1.iad.aaaaaaaaxxxxxxxxx2xxxxxxxxxxxxxxxxxxxx5aaa4xxxxxxxxxxxx42aaa --shape VM.Standard1.4 --assign-public-ip true --user-data-file /home/oci/userdata/mime.txt --ssh-authorized-keys-file /home/oci/userdata/myfirstkeypair.pub --instance-options file://home/oci/scripts/metadatav2.json
    root@mail:/home/oci/scripts# cat metadatav2.json
    { "areLegacyImdsEndpointsDisabled": true }
  - While the instance is running, edit the instance metadata service version in the GUI, and change the allowed IMDS version to VERSION 2 ONLY (see Getting Instance Metadata in the OCI documentation).
- The FortiGate will use the metadata v2 endpoints to get the metadata bootstrap information. In FortiOS, verify this by running the following after bootup:
# diagnose debug cloudinit show
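The point of the areLegacyImdsEndpointsDisabled option above is that, once it is set, the only working path to instance metadata is the v2 endpoint, which requires the request header Authorization: Bearer Oracle. The following audit script is an added example, not FortiOS or Oracle code: it probes the v1 endpoint, the v2 endpoint with the header, and the v2 endpoint without it, and reports whether the instance is in the hardened state. The simulated responder in the script is constructed so the example runs offline; the status codes it returns (404 for disabled legacy endpoints, 401 for an unauthenticated v2 call) are assumptions about the real service, so on an actual instance read the live result rather than the simulation.

```python
"""Audit whether an OCI instance's metadata service enforces IMDSv2.

Added example, not FortiOS or OCI code. Assumptions (labelled):
  - IMDS answers on 169.254.169.254 with /opc/v1/ and /opc/v2/ paths, and
    IMDSv2 requires the request header "Authorization: Bearer Oracle".
  - The simulated responder below models disabled legacy endpoints as 404
    and an unauthenticated v2 call as 401; these codes are assumed.
"""
from typing import Callable, Dict, Tuple
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"
V2_HEADERS = {"Authorization": "Bearer Oracle"}

# A requester takes (url, headers) and returns (http_status, body).
Requester = Callable[[str, Dict[str, str]], Tuple[int, str]]


def urllib_requester(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP requester for use on an OCI instance (short timeout)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""  # unreachable: treated as "not answering"


def simulated_oci_imds(legacy_disabled: bool) -> Requester:
    """Constructed stand-in for the metadata service, driven by the same
    switch as the instance option areLegacyImdsEndpointsDisabled."""
    instance_doc = '{"displayName": "example-fgt", "region": "us-ashburn-1"}'  # constructed

    def respond(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        path = url[len(IMDS_BASE):]
        if path.startswith("/opc/v2/"):
            if headers.get("Authorization") != "Bearer Oracle":
                return 401, ""            # assumed: v2 rejects unauthenticated calls
            return 200, instance_doc
        if path.startswith("/opc/v1/"):
            if legacy_disabled:
                return 404, ""            # assumed: legacy endpoints disabled
            return 200, instance_doc      # weak setting: v1 still answers without auth
        return 404, ""

    return respond


def audit_imds(requester: Requester = urllib_requester) -> Dict[str, bool]:
    """Return which metadata access paths the instance currently allows."""
    v2_status, _ = requester(f"{IMDS_BASE}/opc/v2/instance/", V2_HEADERS)
    v2_noauth, _ = requester(f"{IMDS_BASE}/opc/v2/instance/", {})
    v1_status, _ = requester(f"{IMDS_BASE}/opc/v1/instance/", {})
    return {
        "v2_reachable": v2_status == 200,
        "v2_requires_header": v2_noauth != 200,
        "v1_disabled": v1_status != 200,
    }


def is_hardened(result: Dict[str, bool]) -> bool:
    """True only when v2 works and both unauthenticated paths are closed."""
    return all(result.values())


if __name__ == "__main__":
    # Compare the weak setting with the corrected one using the simulation.
    for flag in (False, True):
        res = audit_imds(simulated_oci_imds(flag))
        print(f"areLegacyImdsEndpointsDisabled={flag}: {res} hardened={is_hardened(res)}")
    # On an actual OCI instance, run audit_imds() with the default requester.
```

Run it on the instance itself (the 169.254.169.254 address is link-local and only answers from inside the VM); a result with v1_disabled false means the legacy endpoint still serves metadata to any local process that can open a socket, which is exactly what the VERSION 2 ONLY setting removes.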
To configure an SDN connector with meta-IAM enabled and firewall addresses to obtain dynamic addresses:
- Configure an IAM policy and dynamic group (see How Policies Work and Managing Dynamic Groups in the OCI documentation).
- In FortiOS, configure the OCI Fabric connector (see OCI SDN connector for detailed instructions):
- Create the SDN connector.
- Verify that the OCI connector comes up (Security Fabric > External Connectors page indicates the status is up).
- Configure a dynamic firewall address with a filter.
- Verify the dynamic firewall address is resolved by the SDN connector.
To manually update the external IP:
# execute update-eip
instance: fos-byol-v6.4.6-b2290-emulated
vnic0: fos-byol-v6.4.6-b2290-emulated 10.0.0.58 (129.213.138.192)
port1: 10.0.0.58, eip: 129.213.138.192
EIP is updated successfully
To verify the OCI daemon debugs related to metadata:
# diagnose test application ocid 4
instance: fos-byol-v6.4.6-b2290-emulated
vnic0: fos-byol-v6.4.6-b2290-emulated 10.0.0.58
# diagnose test application ocid 5
Compartment Id:ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa7xxxxxxx54aaaaaa4xxxxxxxx55xxxa
Instance Id:ocid1.instance.oc1.iad.axxxxxxxxxxxxxxxxxxx4aaaaa5aaaaaaaaa4xxxxxxx2aaaaaaaa
Instance Name:fos-byol-v6.4.6-b2290-emulated
OCI Region:us-ashburn-1
# diagnose test application ocid 6
Instance Principal Token has been refreshed