Fortinet white logo
Fortinet white logo

Administration Guide

OpenStack SDN connector using node credentials

OpenStack SDN connector using node credentials

Note

This topic describes one of multiple configuration methods available with this SDN connector type. See the More Links section on the right sidebar for other methods.

To configure OpenStack SDN connector using node credentials:
  1. Go to Security Fabric > External Connectors.
  2. Click Create New, then select OpenStack (Horizon).
  3. Configure the fields as follows:
    1. Name: Name the connector as desired.
    2. IP: Enter the OpenStack management component's IP address. Generally you can find it in the OpenStack identity.

    3. User name: Enter the specified node's administrator name.
    4. Password: Enter the administrator password.

  4. Click OK. The SDN connector is now configured.
To configure a dynamic firewall address:

The next step is to create an address that will be used as an address group or single address that acts as the source/destination for firewall policies. The address is based on IP addresses and contains VM instances' IP addresses.

No matter what changes occur to the instances, the SDN connector populates and updates the changes automatically based on the specified filtering condition so that administrators do not need to reconfigure the address content manually. Appropriate firewall policies using the address are applied to instances that are members of the address.

  1. Go to Policy & Objects > Address. Click Create New, then select Address.
  2. Configure the address as follows:
    1. Name: Name the address as desired.
    2. Type: Select Dynamic.
    3. Sub Type: Select Fabric Connector Address.
    4. SDN Connector: Select openstack.
    5. Filter: The SDN connector automatically populates and updates only IP addresses belonging to the specified filter that matches the condition. OpenStack Horizon connectors support the following filters:
      1. id=<instance id>: This matches a VM instance ID.
      2. name=<instance name>: This matches a VM instance name.
      3. flavor=<instance flavor name>: This matches an instance flavor name.
      4. keypair=<key pair name>: This matches a key pair name.
      5. network=<net name>: This matches a network name.
      6. project=<project name>: This matches a project name.
      7. availabilityzone=<zone name>: This matches an availability zone name.
      8. servergroup=<group name>: This matches a server group name.
      9. securitygroup=<security group name>: This matches a security group name.
      10. metadata.<key>=<value>: This matches metadata with its key and value pair.

    You can set filtering conditions using multiple entries with AND ("&") or OR ("|"). When both AND and OR are specified, AND is interpreted first, then OR.

    For example, you could enter flavor=m1.nano&project=admin. In this case, IP addresses of instances that match both the flavor name and project name are populated. Wildcards (asterisks) are not allowed in values.

    In this example, let's use project=admin, assuming the project name is admin.

  3. Click OK after completing all required fields.
  4. Ensure that the address was created.

  5. After a few minutes, the new address takes effect. Hover your cursor on the address to see a list of IP addresses and instances with the project name "admin".

OpenStack SDN connector using node credentials

OpenStack SDN connector using node credentials

Note

This topic describes one of multiple configuration methods available with this SDN connector type. See the More Links section on the right sidebar for other methods.

To configure OpenStack SDN connector using node credentials:
  1. Go to Security Fabric > External Connectors.
  2. Click Create New, then select OpenStack (Horizon).
  3. Configure the fields as follows:
    1. Name: Name the connector as desired.
    2. IP: Enter the OpenStack management component's IP address. Generally you can find it in the OpenStack identity.

    3. User name: Enter the specified node's administrator name.
    4. Password: Enter the administrator password.

  4. Click OK. The SDN connector is now configured.
To configure a dynamic firewall address:

The next step is to create an address that will be used as an address group or single address that acts as the source/destination for firewall policies. The address is based on IP addresses and contains VM instances' IP addresses.

No matter what changes occur to the instances, the SDN connector populates and updates the changes automatically based on the specified filtering condition so that administrators do not need to reconfigure the address content manually. Appropriate firewall policies using the address are applied to instances that are members of the address.

  1. Go to Policy & Objects > Address. Click Create New, then select Address.
  2. Configure the address as follows:
    1. Name: Name the address as desired.
    2. Type: Select Dynamic.
    3. Sub Type: Select Fabric Connector Address.
    4. SDN Connector: Select openstack.
    5. Filter: The SDN connector automatically populates and updates only IP addresses belonging to the specified filter that matches the condition. OpenStack Horizon connectors support the following filters:
      1. id=<instance id>: This matches a VM instance ID.
      2. name=<instance name>: This matches a VM instance name.
      3. flavor=<instance flavor name>: This matches an instance flavor name.
      4. keypair=<key pair name>: This matches a key pair name.
      5. network=<net name>: This matches a network name.
      6. project=<project name>: This matches a project name.
      7. availabilityzone=<zone name>: This matches an availability zone name.
      8. servergroup=<group name>: This matches a server group name.
      9. securitygroup=<security group name>: This matches a security group name.
      10. metadata.<key>=<value>: This matches metadata with its key and value pair.

    You can set filtering conditions using multiple entries with AND ("&") or OR ("|"). When both AND and OR are specified, AND is interpreted first, then OR.

    For example, you could enter flavor=m1.nano&project=admin. In this case, IP addresses of instances that match both the flavor name and project name are populated. Wildcards (asterisks) are not allowed in values.

    In this example, let's use project=admin, assuming the project name is admin.

  3. Click OK after completing all required fields.
  4. Ensure that the address was created.

  5. After a few minutes, the new address takes effect. Hover your cursor on the address to see a list of IP addresses and instances with the project name "admin".