Using OCI IMDSv2

OCI IMDSv2 offers increased security for accessing instance metadata compared to IMDSv1. IMDSv2 is used by the OCI SDN connector and by instance deployments that use bootstrap metadata. When upgrading from a previous FortiOS build that used the legacy IMDSv1 endpoints, FortiOS switches to the IMDSv2 endpoints and the same metadata calls continue to work.

The following use cases illustrate IMDSv2 support on the FortiGate-VM.

To configure the Oracle OCI instance to use IMDSv2:
  1. In OCI, deploy an instance using IMDSv2 with bootstrap metadata. There are two methods to enable IMDSv2:
    • Use the OCI command line to deploy an instance using user-data. This example uses a MIME file that contains the license and configuration, as well as a JSON instance-options file that disables the legacy IMDSv1 endpoints.
      oci compute instance launch \
      --availability-domain wwwl:US-ASHBURN-AD-1 \
      --compartment-id ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa7xxxxxxx54aaaaaa4xxxxxxxx55xxxa \
      --display-name fos-byol-v6.4.6-b2290-emulated \
      --image-id ocid1.image.oc1.iad.aaaaaaaa6xxx43xxxxxxxxx7aaaaaaaaaaaaaaaaaaaa3xxxxxxxxxxxxxxx \
      --subnet-id ocid1.subnet.oc1.iad.aaaaaaaaxxxxxxxxx2xxxxxxxxxxxxxxxxxxxx5aaa4xxxxxxxxxxxx42aaa \
      --shape VM.Standard1.4 \
      --assign-public-ip true \
      --user-data-file /home/oci/userdata/mime.txt \
      --ssh-authorized-keys-file /home/oci/userdata/ \
      --instance-options file://home/oci/scripts/metadatav2.json
      root@mail:/home/oci/scripts# cat metadatav2.json
      {
        "areLegacyImdsEndpointsDisabled": true
      }
    • While the instance is running, edit the instance metadata service version in the GUI, and change the allowed IMDS version to VERSION 2 ONLY (see Getting Instance Metadata in the OCI documentation).
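Whichever method is used, the result should be verified from inside the instance: the IMDSv2 path must answer with the Oracle bearer header, and the legacy v1 path must no longer be served. The following script is an added example written for this page; it is not FortiOS, FortiGate-VM, or OCI code. It assumes the documented OCI metadata service behaviour (v2 under /opc/v2/ requiring the header "Authorization: Bearer Oracle", v1 under /opc/v1/, a 404 for v1 when legacy endpoints are disabled, and a 401/403 for v2 without the header); the `fake_oci_imds` fetcher and its sample instance document are constructed so the check logic can be exercised without network access.

```python
"""
Check from inside an OCI instance that IMDSv2 works and IMDSv1 is disabled.

Hypothetical example for this page, not FortiOS or OCI code. Assumes the OCI
metadata service behaviour documented by Oracle: v2 lives under /opc/v2/ and
requires "Authorization: Bearer Oracle"; with areLegacyImdsEndpointsDisabled
set to true, /opc/v1/ requests return HTTP 404 (assumption: v2 without the
header is refused with 401 or 403).
"""
import json
import urllib.error
import urllib.request

IMDS_HOST = "http://169.254.169.254"
V1_URL = IMDS_HOST + "/opc/v1/instance/"
V2_URL = IMDS_HOST + "/opc/v2/instance/"
V2_HEADERS = {"Authorization": "Bearer Oracle"}


def http_fetch(url, headers=None, timeout=2):
    """Real fetcher: returns (status, body). Only meaningful on an OCI instance."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _is_json_object(text):
    """True if the body parses as a JSON object (what /instance/ returns)."""
    try:
        return isinstance(json.loads(text), dict)
    except ValueError:
        return False


def check_imds_posture(fetch=http_fetch):
    """
    Probe the metadata service through fetch(url, headers) and report:
      v2_ok              - v2 answers 200 with a JSON instance document
      v2_rejects_no_auth - v2 refuses a request lacking the bearer header
      v1_disabled        - legacy v1 endpoint is not served (404)
      compliant          - all three hold (matches VERSION 2 ONLY)
    The fetcher is injected so the logic can run offline against a fake.
    """
    v2_status, v2_body = fetch(V2_URL, V2_HEADERS)
    v2_noauth_status, _ = fetch(V2_URL, {})
    v1_status, _ = fetch(V1_URL, {})

    result = {
        "v2_ok": v2_status == 200 and _is_json_object(v2_body),
        "v2_rejects_no_auth": v2_noauth_status in (401, 403),
        "v1_disabled": v1_status == 404,
    }
    result["compliant"] = all(result.values())
    return result


def fake_oci_imds(v1_disabled=True):
    """
    Constructed stand-in for the metadata service (no network). Emulates an
    instance launched with areLegacyImdsEndpointsDisabled = v1_disabled.
    The OCID below is a placeholder, not a real identifier.
    """
    sample = json.dumps({"id": "ocid1.instance.oc1.iad.EXAMPLE",
                         "shape": "VM.Standard1.4"})

    def fetch(url, headers=None):
        headers = headers or {}
        if url.startswith(IMDS_HOST + "/opc/v2/"):
            if headers.get("Authorization") != "Bearer Oracle":
                return 401, "Unauthorized"
            return 200, sample
        if url.startswith(IMDS_HOST + "/opc/v1/"):
            return (404, "Not Found") if v1_disabled else (200, sample)
        return 404, "Not Found"

    return fetch


if __name__ == "__main__":
    # On a real OCI instance run with the default fetcher; offline, pass a fake.
    print(json.dumps(check_imds_posture(fake_oci_imds()), indent=2))
```

Run it on the deployed instance with the default `http_fetch`; a `compliant` value of `false` with `v1_disabled` false means the instance is still serving IMDSv1 and the instance-options JSON or the GUI setting did not take effect.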