Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.2 Administration Guide
    7.2.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    SAP SDN connector

    SAP SDN connector

    The SAP external Fabric connector allows the FortiGate to connect to an SAP instance to synchronize dynamic address objects and ports for SAP workloads. These address objects can be used in firewall policies to grant access control to dynamic SAP workloads.

    To configure an SAP connector in the GUI:

    1. Configure the SAP SDN connector:

      1. Go to Security Fabric > External Connectors and click Create New.

      2. In the Private SDN section, select SAP.

      3. Enter a Name (sap-s4-docker).

      4. Enter the IP for the SAP instance.

      5. Enter the Username and Password.

      6. Click OK.

    2. Configure a network service associated with the configured SAP SDN connector:

      1. Go to Policy & Objects > Internet Service Database, select the Network Services tab, and click Create New.

      2. Enter a Name (sap-instance1).

      3. Set SDN connector to sap-s4-docker.

      4. Select a filter, such as InstanceNumber=1. The available filters are for HostName, InstanceNumber, and ServiceName.

      5. Click OK.

    3. Ensure that the SAP SDN connector resolves dynamic network services:

      1. Go to Policy & Objects > Internet Service Database, select the Network Services tab.

      2. Hover over the sap-instance1 and click View Resolved Entries.

        A list of resolved internet services is displayed.

        Click OK to close the list.

    4. Configure a firewall policy with the resolved dynamic network service as the destination:

      1. Go to Policy & Objects >Firewall Policy and click Create New.

      2. Set the Destination to the sap-instance1 network service.

      3. Configure the other settings as needed.

      4. Click OK.

    To configure an SAP connector in the CLI:
    1. Configure the SAP SDN connector:
      config system sdn-connector
    edit "sap-s4-docker"
        set type sap
        set verify-certificate disable
        set server "20.124.134.109"
        set server-port 50014
        set username "a4hadm"
        set password ************
    next
end
    2. Configure a network service associated with the configured SAP SDN connector (available filters are HostName, InstanceNumber, and ServiceName):
      config firewall network-service-dynamic
    edit "sap-instance1"
        set sdn "sap-s4-docker"
        set filter "InstanceNumber=1"
    next
end
    3. Ensure that the SAP SDN connector resolves dynamic network services:
      # diagnose firewall network-service-dynamic list "sap-instance1"
List internet service in kernel(custom):
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=8101-8101
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=50114-50114
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=50113-50113
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3901-3901
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3601-3601
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3201-3201
addr ip range(1): 172.17.0.2-172.17.0.2
    4. Configure a firewall policy with the resolved dynamic network service as the destination:
      config firewall policy
    edit 2
        set name "FGT97-service-dynamic"
        set srcintf "port3"
        set dstintf "port10"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set network-service-dynamic "sap-instance1"
        set schedule "always"
        set nat enable
    next
end
    Previous
    Next

    SAP SDN connector

    SAP SDN connector

    The SAP external Fabric connector allows the FortiGate to connect to an SAP instance to synchronize dynamic address objects and ports for SAP workloads. These address objects can be used in firewall policies to grant access control to dynamic SAP workloads.

    To configure an SAP connector in the GUI:

    1. Configure the SAP SDN connector:

      1. Go to Security Fabric > External Connectors and click Create New.

      2. In the Private SDN section, select SAP.

      3. Enter a Name (sap-s4-docker).

      4. Enter the IP for the SAP instance.

      5. Enter the Username and Password.

      6. Click OK.

    2. Configure a network service associated with the configured SAP SDN connector:

      1. Go to Policy & Objects > Internet Service Database, select the Network Services tab, and click Create New.

      2. Enter a Name (sap-instance1).

      3. Set SDN connector to sap-s4-docker.

      4. Select a filter, such as InstanceNumber=1. The available filters are for HostName, InstanceNumber, and ServiceName.

      5. Click OK.

    3. Ensure that the SAP SDN connector resolves dynamic network services:

      1. Go to Policy & Objects > Internet Service Database, select the Network Services tab.

      2. Hover over the sap-instance1 and click View Resolved Entries.

        A list of resolved internet services is displayed.

        Click OK to close the list.

    4. Configure a firewall policy with the resolved dynamic network service as the destination:

      1. Go to Policy & Objects >Firewall Policy and click Create New.

      2. Set the Destination to the sap-instance1 network service.

      3. Configure the other settings as needed.

      4. Click OK.

    To configure an SAP connector in the CLI:
    1. Configure the SAP SDN connector:
      config system sdn-connector
    edit "sap-s4-docker"
        set type sap
        set verify-certificate disable
        set server "20.124.134.109"
        set server-port 50014
        set username "a4hadm"
        set password ************
    next
end
    2. Configure a network service associated with the configured SAP SDN connector (available filters are HostName, InstanceNumber, and ServiceName):
      config firewall network-service-dynamic
    edit "sap-instance1"
        set sdn "sap-s4-docker"
        set filter "InstanceNumber=1"
    next
end
    3. Ensure that the SAP SDN connector resolves dynamic network services:
      # diagnose firewall network-service-dynamic list "sap-instance1"
List internet service in kernel(custom):
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=8101-8101
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=50114-50114
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=50113-50113
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3901-3901
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3601-3601
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3201-3201
addr ip range(1): 172.17.0.2-172.17.0.2
    4. Configure a firewall policy with the resolved dynamic network service as the destination:
      config firewall policy
    edit 2
        set name "FGT97-service-dynamic"
        set srcintf "port3"
        set dstintf "port10"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set network-service-dynamic "sap-instance1"
        set schedule "always"
        set nat enable
    next
end
    Previous
    Next