Fortinet black logo

Administration Guide

Getting started with public and private SDN connectors

Getting started with public and private SDN connectors

You can use SDN connectors to connect your FortiGate to public and private cloud solutions. By using an SDN connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security Fabric.

There are four steps to creating and using an SDN connector:

  1. Gather the required information
  2. Creating the SDN connector
  3. Creating an SDN connector address
  4. Adding the address to a firewall policy

The following provides general instructions for creating an SDN connector and using the dynamic address object in a firewall policy. For instructions for specific public and private cloud solutions, such as AWS, see the relevant topic in this guide. For advanced scenarios regarding SDN connectors, see the appropriate FortiOS 6.4 cloud platform guide.

Creating the SDN connector

To create an SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors.
  2. Click Create New.
  3. Click the desired public or private cloud.
  4. Enter the Name, Status, and Update Interval for the connector.
  5. Enter previously collected information for the connector as needed.
  6. Click OK.
To create an SDN connector in the CLI:
config system sdn-connector
    edit <name>
        set status {enable | disable}
        set type {connector type}
        ...
        set update-interval <integer>
    next
end
Note

The available CLI commands vary depending on the selected SDN connector type.

Creating an SDN connector address

You can use an SDN connector address in the following ways:

  • As the source or destination address for firewall policies.
  • To automatically update changes to addresses in the public or private cloud environment, based on specified filters.
  • To automatically apply changes to firewall policies that use the address, based on specified filters.
To create an SDN connector address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Enter a name for the address.
  4. Set the Type to Fabric Connector Address.
  5. Select an SDN Connector from the dropdown list, or click Create New to make a new one.
  6. Set the SDN address type. Only addresses of the selected type will be collected.
  7. Configure the connector specific settings.
  8. Select an Interface for the address, or leave it as any, enable or disable Show in Address List, and optionally add Comments.
  9. Add tags.
  10. Click OK.
To create a fabric connector address in the CLI:
config firewall address
    edit <name>
        set type dynamic
        set sdn <sdn_connector>
        set visibility enable
        set associated-interface <interface_name>
        set color <integer>
        ...
        set comment <comment>
        config tagging
            edit <name>
                set category <string>
                set tags <strings>
            next
        end
    next
end
Note

The available CLI commands vary depending on the selected SDN connector type.

Adding the address to a firewall policy

You can use an SDN connector address as the source or destination address.

To add the address to a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New.
  3. Enter a name for the policy.
  4. Set the incoming and outgoing interfaces.
  5. Use the SDN connector address as the source or destination address.
  6. Configure the remaining settings as needed.
  7. Click OK.
To add the address to a firewall policy in the CLI:
config firewall policy
    edit 0
        set name <name>
        set srcintf <port_name>
        set dstintf <port_name>
        set srcaddr <firewall_address>
        set dstaddr <firewall_address>
        set action accept
        set schedule <schedule>
        set service <service>
    next
end

Connector tooltips

In the Security Fabric > External Connectors page, hover over an SDN connector to view a tooltip that shows basic configuration information.

Three buttons provide additional information:

  • View Connector Objects shows the connector's dynamic objects, such as filters and instances.
  • View Policies shows a list of policies that use the dynamic addresses from the connector.
  • View Automation Rules shows a list of automation actions that use the connector.

Getting started with public and private SDN connectors

You can use SDN connectors to connect your FortiGate to public and private cloud solutions. By using an SDN connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security Fabric.

There are four steps to creating and using an SDN connector:

  1. Gather the required information
  2. Creating the SDN connector
  3. Creating an SDN connector address
  4. Adding the address to a firewall policy

The following provides general instructions for creating an SDN connector and using the dynamic address object in a firewall policy. For instructions for specific public and private cloud solutions, such as AWS, see the relevant topic in this guide. For advanced scenarios regarding SDN connectors, see the appropriate FortiOS 6.4 cloud platform guide.

Creating the SDN connector

To create an SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors.
  2. Click Create New.
  3. Click the desired public or private cloud.
  4. Enter the Name, Status, and Update Interval for the connector.
  5. Enter previously collected information for the connector as needed.
  6. Click OK.
To create an SDN connector in the CLI:
config system sdn-connector
    edit <name>
        set status {enable | disable}
        set type {connector type}
        ...
        set update-interval <integer>
    next
end
Note

The available CLI commands vary depending on the selected SDN connector type.

Creating an SDN connector address

You can use an SDN connector address in the following ways:

  • As the source or destination address for firewall policies.
  • To automatically update changes to addresses in the public or private cloud environment, based on specified filters.
  • To automatically apply changes to firewall policies that use the address, based on specified filters.
To create an SDN connector address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Enter a name for the address.
  4. Set the Type to Fabric Connector Address.
  5. Select an SDN Connector from the dropdown list, or click Create New to make a new one.
  6. Set the SDN address type. Only addresses of the selected type will be collected.
  7. Configure the connector specific settings.
  8. Select an Interface for the address, or leave it as any, enable or disable Show in Address List, and optionally add Comments.
  9. Add tags.
  10. Click OK.
To create a fabric connector address in the CLI:
config firewall address
    edit <name>
        set type dynamic
        set sdn <sdn_connector>
        set visibility enable
        set associated-interface <interface_name>
        set color <integer>
        ...
        set comment <comment>
        config tagging
            edit <name>
                set category <string>
                set tags <strings>
            next
        end
    next
end
Note

The available CLI commands vary depending on the selected SDN connector type.

Adding the address to a firewall policy

You can use an SDN connector address as the source or destination address.

To add the address to a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New.
  3. Enter a name for the policy.
  4. Set the incoming and outgoing interfaces.
  5. Use the SDN connector address as the source or destination address.
  6. Configure the remaining settings as needed.
  7. Click OK.
To add the address to a firewall policy in the CLI:
config firewall policy
    edit 0
        set name <name>
        set srcintf <port_name>
        set dstintf <port_name>
        set srcaddr <firewall_address>
        set dstaddr <firewall_address>
        set action accept
        set schedule <schedule>
        set service <service>
    next
end

Connector tooltips

In the Security Fabric > External Connectors page, hover over an SDN connector to view a tooltip that shows basic configuration information.

Three buttons provide additional information:

  • View Connector Objects shows the connector's dynamic objects, such as filters and instances.
  • View Policies shows a list of policies that use the dynamic addresses from the connector.
  • View Automation Rules shows a list of automation actions that use the connector.