Administration Guide

Using OCI IMDSv2

OCI IMDSv2 offers increased security for accessing instance metadata compared to IMDSv1. IMDSv2 is used in OCI SDN connectors and on instance deployments with bootstrap metadata. When upgrading from previous FortiOS builds with legacy IMDSv1 endpoints, the endpoints will be updated to IMDSv2, and the same calls can be made.

The following use cases illustrate IMDSv2 support on the FortiGate-VM.

To configure the Oracle OCI instance to use IMDSv2:
  1. In OCI, deploy an instance using IMDSv2 with bootstrap metadata. There are two methods to enable IMDSv2:
    • Use the OCI command line to deploy an instance using user-data. This example uses a MIME file that contains the license and configuration, plus a JSON instance-options file that disables the legacy IMDSv1 endpoints.
      oci compute instance launch \
        --availability-domain wwwl:US-ASHBURN-AD-1 \
        --compartment-id ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa7xxxxxxx54aaaaaa4xxxxxxxx55xxxa \
        --display-name fos-byol-v6.4.6-b2290-emulated \
        --image-id ocid1.image.oc1.iad.aaaaaaaa6xxx43xxxxxxxxx7aaaaaaaaaaaaaaaaaaaa3xxxxxxxxxxxxxxx \
        --subnet-id ocid1.subnet.oc1.iad.aaaaaaaaxxxxxxxxx2xxxxxxxxxxxxxxxxxxxx5aaa4xxxxxxxxxxxx42aaa \
        --shape VM.Standard1.4 \
        --assign-public-ip true \
        --user-data-file /home/oci/userdata/mime.txt \
        --ssh-authorized-keys-file /home/oci/userdata/myfirstkeypair.pub \
        --instance-options file://home/oci/scripts/metadatav2.json
      root@mail:/home/oci/scripts# cat metadatav2.json
      {
        "areLegacyImdsEndpointsDisabled": true
      }
    • While the instance is running, edit the instance metadata service version in the OCI GUI and change the allowed IMDS version to VERSION 2 ONLY (see Getting Instance Metadata in the OCI documentation).

  2. The FortiGate uses the IMDSv2 endpoints to retrieve its bootstrap metadata. In FortiOS, verify this after bootup by running:
    # diagnose debug cloudinit show
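As an added check that is not part of this guide: a small Python script that validates the instance-options file from the launch command above and probes the metadata service from inside an OCI instance to confirm the legacy v1 endpoints no longer answer. It relies on the fixed `Bearer Oracle` token that OCI IMDSv2 requires; `fake_fetch` is a constructed stand-in for a VERSION 2 ONLY instance so the script runs offline.

```python
import json
import urllib.error
import urllib.request

IMDS_HOST = "http://169.254.169.254"
# IMDSv2 only answers requests carrying this fixed bearer token;
# the legacy /opc/v1/ endpoints accept unauthenticated requests.
V2_HEADERS = {"Authorization": "Bearer Oracle"}


def http_fetch(url, headers=None, timeout=3):
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def instance_options_disable_v1(options_json):
    """True if an --instance-options file turns off the legacy IMDSv1 endpoints."""
    return json.loads(options_json).get("areLegacyImdsEndpointsDisabled") is True


def imds_posture(fetch=http_fetch):
    """Probe the v1/v2 endpoints and report whether the instance is VERSION 2 ONLY."""
    v1_status, _ = fetch(f"{IMDS_HOST}/opc/v1/instance/")
    v2_anon_status, _ = fetch(f"{IMDS_HOST}/opc/v2/instance/")
    v2_status, v2_body = fetch(f"{IMDS_HOST}/opc/v2/instance/", V2_HEADERS)
    info = json.loads(v2_body) if v2_status == 200 else {}
    return {
        "v1_disabled": v1_status != 200,          # legacy endpoint must not answer
        "v2_requires_token": v2_anon_status != 200,
        "v2_ok": v2_status == 200,
        "instance_name": info.get("displayName"),
        "region": info.get("canonicalRegionName"),
    }


def fake_fetch(url, headers=None, timeout=3):
    """Constructed stand-in for an instance set to VERSION 2 ONLY (offline demo)."""
    if "/opc/v1/" in url:
        return 404, "Not Found"                   # legacy endpoints disabled
    if (headers or {}).get("Authorization") != "Bearer Oracle":
        return 401, "Unauthorized"                # v2 rejects anonymous calls
    return 200, json.dumps({"displayName": "fos-byol-v6.4.6-b2290-emulated",
                            "canonicalRegionName": "us-ashburn-1"})


if __name__ == "__main__":
    # Use http_fetch instead of fake_fetch when running on a real OCI instance.
    print(imds_posture(fake_fetch))
```

On a real instance, a report with `v1_disabled` false means the legacy endpoints are still reachable and the instance-options or GUI setting above has not taken effect.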
To configure an SDN connector with meta-IAM enabled and firewall addresses to obtain dynamic addresses:
  1. Configure an IAM policy and dynamic group (see How Policies Work and Managing Dynamic Groups in the OCI documentation).

  2. In FortiOS, configure the OCI Fabric connector (see OCI SDN connector using certificates for detailed instructions):
    1. Create the SDN connector.
    2. Verify that the OCI connector comes up (Security Fabric > External Connectors page indicates the status is up).
    3. Configure a dynamic firewall address with a filter.
    4. Verify the dynamic firewall address is resolved by the SDN connector.
To manually update the external IP:
# execute update-eip
instance: fos-byol-v6.4.6-b2290-emulated
    vnic0: fos-byol-v6.4.6-b2290-emulated
           10.0.0.58 (129.213.138.192)
port1: 10.0.0.58, eip: 129.213.138.192
EIP is updated successfully
To view the OCI daemon debug output related to metadata:
# diagnose test application ocid 4
instance: fos-byol-v6.4.6-b2290-emulated
    vnic0: fos-byol-v6.4.6-b2290-emulated
           10.0.0.58
# diagnose test application ocid 5
Compartment Id:ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa7xxxxxxx54aaaaaa4xxxxxxxx55xxxa
Instance Id:ocid1.instance.oc1.iad.axxxxxxxxxxxxxxxxxxx4aaaaa5aaaaaaaaa4xxxxxxx2aaaaaaaa
Instance Name:fos-byol-v6.4.6-b2290-emulated
OCI Region:us-ashburn-1
# diagnose test application ocid 6
Instance Principal Token has been refreshed
