Administration Guide

Using OCI IMDSv2

Oracle Cloud Infrastructure (OCI) IMDSv2 offers increased security for accessing instance metadata compared to IMDSv1. IMDSv2 is used in OCI SDN connectors and on instance deployments with bootstrap metadata. Upgrading from previous FortiOS builds updates legacy IMDSv1 endpoints to IMDSv2, and you can make the same calls.

The following use cases illustrate IMDSv2 support on the FortiGate-VM.

To configure the OCI instance to use IMDSv2:
  1. In OCI, deploy an instance using IMDSv2 with bootstrap metadata. There are two methods to enable IMDSv2:
    • Use the OCI command line to deploy an instance using user-data. This example uses a MIME file that contains the license and configuration, as well as a JSON file that specifies to disable V1 metadata.
      oci compute instance launch
      --availability-domain wwwl:US-ASHBURN-AD-1
      --compartment-id ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa7xxxxxxx54aaaaaa4xxxxxxxx55xxxa
      --display-name fos-byol-v6.4.6-b2290-emulated
      --image-id ocid1.image.oc1.iad.aaaaaaaa6xxx43xxxxxxxxx7aaaaaaaaaaaaaaaaaaaa3xxxxxxxxxxxxxxx
      --subnet-id ocid1.subnet.oc1.iad.aaaaaaaaxxxxxxxxx2xxxxxxxxxxxxxxxxxxxx5aaa4xxxxxxxxxxxx42aaa
      --shape VM.Standard1.4
      --assign-public-ip true
      --user-data-file /home/oci/userdata/mime.txt
      --ssh-authorized-keys-file /home/oci/userdata/myfirstkeypair.pub
      --instance-options file://home/oci/scripts/metadatav2.json
      root@mail:/home/oci/scripts# cat metadatav2.json
      {
        "areLegacyImdsEndpointsDisabled": true
      }
    • While the instance is running, edit the instance metadata service version in the GUI, and change the allowed IMDS version to VERSION 2 ONLY. See Getting Instance Metadata.

  2. The FortiGate will use the metadata v2 endpoints to get the metadata bootstrap information. In FortiOS, verify this by running the following after bootup:
    # diagnose debug cloudinit show
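
As an added check that is not part of this guide, the following Python script, run from inside the instance, confirms the posture that metadatav2.json is meant to produce: IMDSv2 answers requests that carry the Authorization: Bearer Oracle header, and the legacy /opc/v1/ endpoint no longer answers. The host, header and metadata keys are taken from OCI's documented IMDS interface (canonicalRegionName is assumed to hold the long region name shown in the ocid 5 output); the function names are my own.

```python
"""Check an OCI instance's metadata-service posture from inside the guest.

IMDSv2 is served under http://169.254.169.254/opc/v2/ and only answers
requests carrying the header "Authorization: Bearer Oracle". Once an
instance is launched with "areLegacyImdsEndpointsDisabled": true, the
legacy /opc/v1/ paths should stop answering; this script confirms both.
"""
import json
import urllib.error
import urllib.request

IMDS_HOST = "http://169.254.169.254"
V2_HEADERS = {"Authorization": "Bearer Oracle"}
# Fields that correspond to what 'diagnose test application ocid 5' prints
REPORT_KEYS = ("compartmentId", "id", "displayName", "canonicalRegionName")


def http_get(url, headers=None, timeout=2):
    """GET a URL and return (status, body); errors are returned, not raised."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:          # 401/404 from the service
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):     # unreachable / timeout
        return 0, ""


def imds_posture(fetch=http_get):
    """Return v2 reachability and whether v1 still answers.
    `fetch` is injectable so the logic can run against a constructed responder."""
    v2_status, v2_body = fetch(f"{IMDS_HOST}/opc/v2/instance/", V2_HEADERS)
    v1_status, _ = fetch(f"{IMDS_HOST}/opc/v1/instance/")
    result = {"v2_ok": v2_status == 200, "v1_exposed": v1_status == 200,
              "instance": {}}
    if result["v2_ok"]:
        md = json.loads(v2_body)
        result["instance"] = {k: md.get(k) for k in REPORT_KEYS}
    # "v2 only" is the state the page's metadatav2.json is meant to produce
    result["v2_only"] = result["v2_ok"] and not result["v1_exposed"]
    return result


if __name__ == "__main__":
    print(json.dumps(imds_posture(), indent=2))
```

If v1_exposed is true after deployment, the instance-options file was not applied and the IMDS version should be set to VERSION 2 ONLY as described in the second method.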
To configure an SDN connector with meta-IAM enabled and firewall addresses to obtain dynamic addresses:
  1. Configure an IAM policy and dynamic group (see How Policies Work and Managing Dynamic Groups in the OCI documentation).

  2. In FortiOS, configure the OCI Fabric connector (see OCI SDN connector for detailed instructions):
    1. Create the SDN connector.
    2. Verify that the OCI connector comes up (Security Fabric > External Connectors page indicates the status is up).
    3. Configure a dynamic firewall address with a filter.
    4. Verify the dynamic firewall address is resolved by the SDN connector.
To manually update the external IP:
# execute update-eip
instance: fos-byol-v6.4.6-b2290-emulated
    vnic0: fos-byol-v6.4.6-b2290-emulated
           10.0.0.58 (129.213.138.192)
port1: 10.0.0.58, eip: 129.213.138.192
EIP is updated successfully
To verify the OCI daemon debugs related to metadata:
# diagnose test application ocid 4
instance: fos-byol-v6.4.6-b2290-emulated
    vnic0: fos-byol-v6.4.6-b2290-emulated
           10.0.0.58
# diagnose test application ocid 5
Compartment Id:ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa7xxxxxxx54aaaaaa4xxxxxxxx55xxxa
Instance Id:ocid1.instance.oc1.iad.axxxxxxxxxxxxxxxxxxx4aaaaa5aaaaaaaaa4xxxxxxx2aaaaaaaa
Instance Name:fos-byol-v6.4.6-b2290-emulated
OCI Region:us-ashburn-1
# diagnose test application ocid 6
Instance Principal Token has been refreshed