Administration Guide

Getting started with public and private SDN connectors

You can use SDN connectors to connect your FortiGate to public and private cloud solutions. By using an SDN connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security Fabric. You can use SDN connector address objects to create policies that provide dynamic access control based on cloud environment attribute changes. There is no need to manually reconfigure addresses and policies whenever changes to the cloud environment occur.

There are four steps to creating and using an SDN connector:

  1. Gather the required information. What is required depends on which public or private cloud solution SDN connector you are configuring.
  2. Create the SDN connector.
  3. Create an SDN connector address.
  4. Add the address to a firewall policy.

The following provides general instructions for creating an SDN connector and using the dynamic address object in a firewall policy. For instructions for specific public and private cloud solutions, see the relevant topic in this guide. For advanced scenarios regarding SDN connectors, see the appropriate FortiOS 6.4 cloud platform guide.

Creating the SDN connector

To create an SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors.
  2. Click Create New.
  3. Click the desired public or private cloud.
  4. Enter the Name, Status, and Update Interval for the connector.
  5. Enter the information that you collected for the connector (for example, cloud credentials and the attributes the connector type requires). Credentials used only to resolve dynamic addresses need read access to the cloud inventory; do not grant them write permissions.
  6. Click OK.
To create an SDN connector in the CLI:
config system sdn-connector
    edit <name>
        set status {enable | disable}
        set type {connector type}
        ...
        set update-interval <integer>
    next
end
Note

The available CLI commands vary depending on the selected SDN connector type.

Creating an SDN connector address

You can use an SDN connector address in the following ways:

  • As the source or destination address for firewall policies.
  • To keep the address list current as instances in the public or private cloud environment change, selected by the filters that you specify.
  • To have firewall policies that use the address follow those changes automatically, without editing the policies.
To create an SDN connector address in the GUI:
  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Configure the address:
    1. Set the Type to Dynamic.
    2. From the Sub Type dropdown list, select Fabric Connector Address.
    3. From the SDN Connector dropdown list, select the desired SDN connector.
    4. From the Filter dropdown list, configure the desired filter. The filters available depend on the selected SDN connector type. The SDN connector populates and updates IP addresses only for instances that satisfy the filter. In this example, the address is populated only with the IP addresses of AliCloud instances that belong to the specified security group.

      You can combine multiple filter entries with AND ("&") or OR ("|"). When both are used, AND is evaluated first, then OR, so an expression of the form a & b | c is read as (a AND b) OR c. Check the resolved list after saving: an OR term widens the match and can admit instances the policy was not meant to cover.

    5. Configure other settings as desired.
    6. Click OK.
  4. Ensure that the SDN connector resolves dynamic firewall IP addresses as configured:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address that you created to see the IP addresses of the instances that satisfy the configured filter. In this case, the IP addresses of the instances that belong to the specified security group are listed.

To create an SDN connector address in the CLI:
  1. Create the address:

    config firewall address
        edit <name>
            set type dynamic
            set sdn <sdn_connector>
            set visibility enable
            set associated-interface <interface_name>
            set color <integer>
            ...
            set comment <comment>
            config tagging
                edit <name>
                    set category <string>
                    set tags <strings>
                next
            end
        next
    end

  2. Ensure that the SDN connector resolves dynamic firewall IP addresses as configured by running show firewall address <name>. The resolved addresses appear under config list, as in the following example output:

    config firewall address
        edit "ali-address-security"
            set type dynamic
            config list
                edit "10.0.0.16"
                next
                edit "10.0.0.17"
                next
                edit "10.0.20.20"
                next
            end
            ...
        next
    end

Note

The available CLI commands vary depending on the selected SDN connector type.
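The filter precedence rule (AND before OR) decides which instances end up in the dynamic address, and the show output above lists the result. The following Python model is added here as an illustration; it is not FortiOS code and does not talk to a FortiGate. It evaluates a filter expression over a constructed instance inventory with the precedence the guide describes, returns the IP list the address would hold, and flags instances that a filter admits beyond the ones the policy author intended. The key=value term form, the attribute names (SecurityGroupId, Tag.Env) and the instance records are assumptions for illustration; the real filter keys depend on the connector type.

```python
"""Model of how an SDN connector filter selects instances.

Added example (not FortiOS code). Assumptions, not taken from the guide:
  - a filter term has the form key=value (e.g. SecurityGroupId=sg-web)
  - each instance carries flat attributes: key -> set of values
  - terms match exactly and case-sensitively
From the guide: '&' is AND, '|' is OR, and AND is evaluated before OR,
so "a & b | c" means (a AND b) OR c.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    ip: str
    attrs: dict = field(default_factory=dict)  # key -> set of values


def parse_filter(expr):
    """Return the filter as an OR-list of AND-lists of (key, value) terms."""
    groups = []
    for disjunct in expr.split("|"):
        terms = []
        for term in disjunct.split("&"):
            key, sep, value = term.partition("=")
            key, value = key.strip(), value.strip()
            if not sep or not key or not value:
                raise ValueError(f"term is not key=value: {term.strip()!r}")
            terms.append((key, value))
        groups.append(terms)
    return groups


def is_valid_filter(expr):
    """True if every term parses as key=value (no empty AND/OR operands)."""
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False


def instance_matches(inst, groups):
    # OR across groups, AND within a group: '&' binds tighter than '|'.
    return any(all(v in inst.attrs.get(k, set()) for k, v in g) for g in groups)


def resolve(expr, inventory):
    """IPs the dynamic address would contain for this filter, numerically sorted."""
    groups = parse_filter(expr)
    ips = [i.ip for i in inventory if instance_matches(i, groups)]
    return sorted(ips, key=ipaddress.ip_address)


def unexpected_members(expr, inventory, expected_ips):
    """IPs the filter admits beyond those the policy author intended."""
    extra = set(resolve(expr, inventory)) - set(expected_ips)
    return sorted(extra, key=ipaddress.ip_address)


# Constructed inventory for the demo; not real cloud data.
INVENTORY = [
    Instance("web-1",   "10.0.0.16",  {"SecurityGroupId": {"sg-web"},          "Tag.Env": {"prod"}}),
    Instance("web-2",   "10.0.0.17",  {"SecurityGroupId": {"sg-web"},          "Tag.Env": {"prod"}}),
    Instance("db-1",    "10.0.20.20", {"SecurityGroupId": {"sg-web", "sg-db"}, "Tag.Env": {"prod"}}),
    Instance("dev-1",   "10.0.30.5",  {"SecurityGroupId": {"sg-web"},          "Tag.Env": {"dev"}}),
    Instance("bastion", "10.0.40.9",  {"SecurityGroupId": {"sg-bastion"},      "Tag.Env": {"prod"}}),
]

if __name__ == "__main__":
    # AND narrows: only the prod members of sg-web.
    print(resolve("SecurityGroupId=sg-web & Tag.Env=prod", INVENTORY))
    # Precedence: read as (Tag.Env=dev) OR (sg-db AND prod), not (dev OR sg-db) AND prod.
    print(resolve("Tag.Env=dev | SecurityGroupId=sg-db & Tag.Env=prod", INVENTORY))
    # OR widens: a policy meant for the two web servers would also admit three more hosts.
    print(unexpected_members("SecurityGroupId=sg-web | Tag.Env=prod", INVENTORY,
                             ["10.0.0.16", "10.0.0.17"]))
```

Use resolve to predict the membership of a dynamic address before the policy goes live, and unexpected_members as the check that the filter does not quietly widen the policy's scope; the same comparison applies to the list the FortiGate shows under config list after the connector has updated.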

Adding the address to a firewall policy

You can use an SDN connector address as the source or destination address in a policy.

To add the address to a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy.
  2. Click Create New.
  3. Use the SDN connector address as the source or destination address.
  4. Configure the remaining settings as needed.
  5. Click OK.
To add the address to a firewall policy in the CLI:
config firewall policy
    edit 0
        set name <name>
        set srcintf <port_name>
        set dstintf <port_name>
        set srcaddr <firewall_address>
        set dstaddr <firewall_address>
        set action accept
        set schedule <schedule>
        set service <service>
    next
end

Connector tooltips

In Security Fabric > External Connectors, hover over an SDN connector to view a tooltip that shows basic configuration information.

Three buttons provide additional information:

  • View Connector Objects: the connector's dynamic objects, such as filters and instances.
  • View Policies: the policies that use the dynamic addresses from the connector.
  • View Automation Rules: the automation actions that use the connector.
