Getting started with public and private SDN connectors
You can use SDN connectors to connect your FortiGate to public and private cloud solutions. The FortiGate polls the cloud platform's API at the configured update interval and refreshes its dynamic address objects, so changes to cloud environment attributes (for example, the instances that carry a given tag) are automatically reflected in the Security Fabric and in the firewall policies that use those objects.
There are four steps to creating and using an SDN connector:
- Gather the required information
- Create the SDN connector
- Create an SDN connector address
- Add the address to a firewall policy
The following provides general instructions for creating an SDN connector and using the dynamic address object in a firewall policy. For instructions for specific public and private cloud solutions, such as AWS, see the relevant topic in this guide. For advanced scenarios regarding SDN connectors, see the appropriate FortiOS 6.4 cloud platform guide.
Creating the SDN connector
To create an SDN connector in the GUI:
- Go to Security Fabric > External Connectors.
- Click Create New.
- Click the desired public or private cloud.
- Enter the Name, Status, and Update Interval for the connector.
- Enter the information collected earlier for the connector as needed, such as the cloud API credentials and region. Grant those credentials only the permissions the connector needs; resolving dynamic address objects requires read access to the cloud inventory only.
- Click OK.
To create an SDN connector in the CLI:
config system sdn-connector
    edit <name>
        set status {enable | disable}
        set type {connector type}
        ...
        set update-interval <integer>
    next
end
The available CLI commands vary depending on the selected SDN connector type.
Creating an SDN connector address
You can use an SDN connector address in the following ways:
- As the source or destination address for firewall policies.
- To have the address's IP list updated automatically as resources in the public or private cloud environment change, according to the specified filters.
- To have firewall policies that use the address apply automatically to those changed resources, without editing the policies themselves.
To create an SDN connector address in the GUI:
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Enter a name for the address.
- Set the Type to Fabric Connector Address.
- Select an SDN Connector from the dropdown list, or click Create New to make a new one.
- Set the SDN address type. Only addresses of the selected type will be collected.
- Configure the connector specific settings.
- Select an Interface for the address, or leave it as any, enable or disable Show in Address List, and optionally add Comments.
- Add tags.
- Click OK.
To create a fabric connector address in the CLI:
config firewall address
    edit <name>
        set type dynamic
        set sdn <sdn_connector>
        set visibility enable
        set associated-interface <interface_name>
        set color <integer>
        ...
        set comment <comment>
        config tagging
            edit <name>
                set category <string>
                set tags <strings>
            next
        end
    next
end
The available CLI commands vary depending on the selected SDN connector type.
Adding the address to a firewall policy
You can use an SDN connector address as the source or destination address.
To add the address to a firewall policy in the GUI:
- Go to Policy & Objects > Firewall Policy.
- Click Create New.
- Enter a name for the policy.
- Set the incoming and outgoing interfaces.
- Use the SDN connector address as the source or destination address.
- Configure the remaining settings as needed.
- Click OK.
To add the address to a firewall policy in the CLI:
config firewall policy
    edit 0
        set name <name>
        set srcintf <port_name>
        set dstintf <port_name>
        set srcaddr <firewall_address>
        set dstaddr <firewall_address>
        set action accept
        set schedule <schedule>
        set service <service>
    next
end
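The three CLI steps above combined into one worked configuration, using an AWS connector as the concrete connector type. This is an added example, not configuration taken from this page or from Fortinet; the connector name, region, tag values, interface names, address names and the placeholder credential strings are all assumptions, and the tag filter syntax shown is the AWS form (other connector types use their own filter attributes, described in their platform-specific topics).

```fortios
# Added example (not from the page): an AWS SDN connector, two dynamic
# addresses resolved from EC2 tag filters, and a policy that uses them.
# All names, the region, tags, interfaces and credential values are assumptions.

# 1. The connector. The access/secret key values below are placeholders;
#    scope the IAM user behind them to read-only EC2 describe permissions.
#    When the FortiGate itself runs in AWS, "set use-metadata-iam enable"
#    lets it use the instance role instead of storing static keys here.
config system sdn-connector
    edit "aws-prod"
        set status enable
        set type aws
        set use-metadata-iam disable
        set access-key "AKIAEXAMPLEPLACEHOLDER"
        set secret-key "EXAMPLE-SECRET-KEY-PLACEHOLDER"
        set region "us-east-1"
        set update-interval 60
    next
end

# 2. Dynamic addresses. Each resolves to the private IPs of the instances
#    whose tag matches the filter, refreshed every update-interval seconds.
config firewall address
    edit "aws-web-tier"
        set type dynamic
        set sdn "aws-prod"
        set sdn-addr-type private
        set filter "Tag.Role=web"
        set comment "EC2 instances tagged Role=web (resolved by aws-prod)"
    next
    edit "aws-db-tier"
        set type dynamic
        set sdn "aws-prod"
        set sdn-addr-type private
        set filter "Tag.Role=db"
        set comment "EC2 instances tagged Role=db (resolved by aws-prod)"
    next
end

# 3. The policy. Only web-tagged instances may reach db-tagged instances on
#    MySQL; an instance that loses its tag drops out of the match at the
#    next poll, so the policy follows the inventory rather than fixed IPs.
config firewall policy
    edit 0
        set name "aws-web-to-db-mysql"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "aws-web-tier"
        set dstaddr "aws-db-tier"
        set action accept
        set schedule "always"
        set service "MYSQL"
        set logtraffic all
    next
end

# 4. Check what the dynamic addresses currently resolve to before relying on
#    the policy. A dynamic address that has not resolved to any IP matches no
#    traffic, so an accept policy built on it silently passes nothing.
diagnose firewall dynamic list
```

The final diagnose command is a verification step not covered on this page; run it after the first update interval has elapsed, and again whenever the connector status shows a failure, to confirm the connector credentials and filter actually return the instances you expect.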
Connector tooltips
In the Security Fabric > External Connectors page, hover over an SDN connector to view a tooltip that shows basic configuration information.
Three buttons provide additional information:
- View Connector Objects shows the connector's dynamic objects, such as filters and instances.
- View Policies shows a list of policies that use the dynamic addresses from the connector.
- View Automation Rules shows a list of automation actions that use the connector.