Fortinet Document Library

Version:


Table of Contents

New Features

6.4.0
Download PDF
Copy Link

SDN connector for Cisco ACI northbound API integration

A new SDN connector type has been added for Cisco ACI (Application Centric Infrastructure) northbound API integration. Administrators can define a dynamic firewall addresses for Cisco ACI directly. Deploying an SDN connector through an external VM between the FortiGate and Cisco ACI is no longer required.

The following address filters are supported:

  • Tenant
  • Application
  • Endpoint group
  • Tag
To configure a Cisco ACI connector in the GUI:
  1. Configure the Cisco ACI SDN connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New, and select Application Centric Infrastructure (ACI).
    3. Configure the Connector Settings as needed. The update interval is in seconds.
    4. In the Cisco ACI Connector section, for Type, select Direct Connection and configure the remaining settings based on your deployment.

    5. Click OK.
  2. Create a dynamic firewall address for the connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New > Address and enter a name.
    3. Configure the following settings:
      1. For Type, select Dynamic.
      2. For Sub Type, select Fabric Connector Address.
      3. For SDN Connector, select the connector created in step 1.
      4. For Filter, select an entry from the dropdown list. In this example, Application is selected.

    4. Click OK.
  3. Confirm that the connector resolves the dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. In the address table, hover over the address created in step 2 to view which IPs it resolves to:

To configure a Cisco ACI connector in the CLI:
  1. Configure the Cisco ACI SDN connector:
    config system sdn-connector
        edit "aci_direct1"
            set status enable
            set type aci-direct
            set server "10.100.25.204"
            set username "lzou"
            set password xxxxxxx
            set update-interval 60
        next
    end
  2. Create a dynamic firewall address for the connector:
    config firewall address
        edit "aci-direct-app"
            set type dynamic
            set sdn "aci_direct1"
            set color 17
            set filter "Application=lzou-app"
        next
    end
  3. Confirm that the connector resolves the dynamic firewall IP addresses:
    config firewall address
        edit "aci-direct-app"
            show
                config firewall address
                    edit "aci-direct-app"
                        set uuid 794aaf20-3e33-51ea-57e1-10b5badf3fc7
                        set type dynamic
                        set sdn "aci_direct1"
                        set color 17
                        set filter "Application=lzou-app"
                        config list
                            edit "10.0.5.11"
                            next
                            edit "10.0.5.12"
                            next
                            edit "10.0.6.11"
                            next
                            edit "10.0.6.12"
                            next
                            edit "10.0.6.13"
                            next
                            edit "10.0.6.14"
                            next
                            edit "10.0.7.11"
                            next
                            edit "10.0.7.12"
                            next
                        end
                    next
                end
        next
    end

SDN connector for Cisco ACI northbound API integration

A new SDN connector type has been added for Cisco ACI (Application Centric Infrastructure) northbound API integration. Administrators can define a dynamic firewall addresses for Cisco ACI directly. Deploying an SDN connector through an external VM between the FortiGate and Cisco ACI is no longer required.

The following address filters are supported:

  • Tenant
  • Application
  • Endpoint group
  • Tag
To configure a Cisco ACI connector in the GUI:
  1. Configure the Cisco ACI SDN connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New, and select Application Centric Infrastructure (ACI).
    3. Configure the Connector Settings as needed. The update interval is in seconds.
    4. In the Cisco ACI Connector section, for Type, select Direct Connection and configure the remaining settings based on your deployment.

    5. Click OK.
  2. Create a dynamic firewall address for the connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New > Address and enter a name.
    3. Configure the following settings:
      1. For Type, select Dynamic.
      2. For Sub Type, select Fabric Connector Address.
      3. For SDN Connector, select the connector created in step 1.
      4. For Filter, select an entry from the dropdown list. In this example, Application is selected.

    4. Click OK.
  3. Confirm that the connector resolves the dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. In the address table, hover over the address created in step 2 to view which IPs it resolves to:

To configure a Cisco ACI connector in the CLI:
  1. Configure the Cisco ACI SDN connector:
    config system sdn-connector
        edit "aci_direct1"
            set status enable
            set type aci-direct
            set server "10.100.25.204"
            set username "lzou"
            set password xxxxxxx
            set update-interval 60
        next
    end
  2. Create a dynamic firewall address for the connector:
    config firewall address
        edit "aci-direct-app"
            set type dynamic
            set sdn "aci_direct1"
            set color 17
            set filter "Application=lzou-app"
        next
    end
  3. Confirm that the connector resolves the dynamic firewall IP addresses:
    config firewall address
        edit "aci-direct-app"
            show
                config firewall address
                    edit "aci-direct-app"
                        set uuid 794aaf20-3e33-51ea-57e1-10b5badf3fc7
                        set type dynamic
                        set sdn "aci_direct1"
                        set color 17
                        set filter "Application=lzou-app"
                        config list
                            edit "10.0.5.11"
                            next
                            edit "10.0.5.12"
                            next
                            edit "10.0.6.11"
                            next
                            edit "10.0.6.12"
                            next
                            edit "10.0.6.13"
                            next
                            edit "10.0.6.14"
                            next
                            edit "10.0.7.11"
                            next
                            edit "10.0.7.12"
                            next
                        end
                    next
                end
        next
    end