Administration Guide

SAP SDN connector

The SAP external Fabric connector allows the FortiGate to connect to an SAP instance to synchronize dynamic address objects and ports for SAP workloads. These address objects can be used in firewall policies to grant access control to dynamic SAP workloads.

To configure an SAP connector in the GUI:
  1. Configure the SAP SDN connector:

    1. Go to Security Fabric > External Connectors and click Create New.

    2. In the Private SDN section, select SAP.

    3. Enter a Name (sap-s4-docker).

    4. Enter the IP for the SAP instance.

    5. Enter the Username and Password.

    6. Click OK.

  2. Configure a network service associated with the configured SAP SDN connector:

    1. Go to Policy & Objects > Internet Service Database, select the Network Services tab, and click Create New.

    2. Enter a Name (sap-instance1).

    3. Set SDN connector to sap-s4-docker.

    4. Select a filter, such as InstanceNumber=1. The available filters are HostName, InstanceNumber, and ServiceName.

    5. Click OK.

  3. Ensure that the SAP SDN connector resolves dynamic network services:

    1. Go to Policy & Objects > Internet Service Database, select the Network Services tab.

    2. Hover over sap-instance1 and click View Resolved Entries.

      A list of resolved internet services is displayed.

      Click OK to close the list.

  4. Configure a firewall policy with the resolved dynamic network service as the destination:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set the Destination to the sap-instance1 network service.

    3. Configure the other settings as needed.

    4. Click OK.

To configure an SAP connector in the CLI:
  1. Configure the SAP SDN connector:
    config system sdn-connector
        edit "sap-s4-docker"
            set type sap
            set verify-certificate disable
            set server "20.124.134.109"
            set server-port 50014
            set username "a4hadm"
            set password ************
        next
    end
  2. Configure a network service associated with the configured SAP SDN connector (available filters are HostName, InstanceNumber, and ServiceName):
    config firewall network-service-dynamic
        edit "sap-instance1"
            set sdn "sap-s4-docker"
            set filter "InstanceNumber=1"
        next
    end
  3. Ensure that the SAP SDN connector resolves dynamic network services:
    # diagnose firewall network-service-dynamic list "sap-instance1"
    List internet service in kernel(custom):
    name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=8101-8101
    addr ip range(1): 172.17.0.2-172.17.0.2
    name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=50114-50114
    addr ip range(1): 172.17.0.2-172.17.0.2
    name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=50113-50113
    addr ip range(1): 172.17.0.2-172.17.0.2
    name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3901-3901
    addr ip range(1): 172.17.0.2-172.17.0.2
    name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3601-3601
    addr ip range(1): 172.17.0.2-172.17.0.2
    name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3201-3201
    addr ip range(1): 172.17.0.2-172.17.0.2
  4. Configure a firewall policy with the resolved dynamic network service as the destination:
    config firewall policy
        edit 2
            set name "FGT97-service-dynamic"
            set srcintf "port3"
            set dstintf "port10"
            set action accept
            set srcaddr "all"
            set internet-service enable
            set network-service-dynamic "sap-instance1"
            set schedule "always"
            set nat enable
        next
    end
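The diagnose output in step 3 is where the resolved scope of the dynamic network service can be checked before it is used as a policy destination. The following is an added example, not Fortinet's code, that parses that output format and flags any resolved entry outside an expected subnet and port set; the sample input is constructed (two entries from the output above plus one made-up out-of-scope entry), and the allowed subnet and port values are assumptions.

```python
import ipaddress
import re
from typing import List, NamedTuple, Set, Tuple
# Constructed sample: two entries copied from the step 3 diagnose output above, plus one
# made-up out-of-scope entry (port 22 on 10.9.8.7) so the scope check has something to flag.
SAMPLE_OUTPUT = """\
List internet service in kernel(custom):
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=8101-8101
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=3201-3201
addr ip range(1): 172.17.0.2-172.17.0.2
name=sap-instance1 id=4294770689 reputation=0 (null) singularity=0 flags=0x0 protocol=6 port=22-22
addr ip range(1): 10.9.8.7-10.9.8.7
"""
# A "name=" line carries the service and port range; the "addr ip range" line after it
# carries the address range that entry resolved to.
ENTRY_RE = re.compile(r"^name=(\S+) .*\bprotocol=(\d+) port=(\d+)-(\d+)$")
ADDR_RE = re.compile(r"^addr ip range\(\d+\): ([\d.]+)-([\d.]+)$")

class Entry(NamedTuple):
    name: str
    protocol: int
    ports: Tuple[int, int]   # inclusive low-high port range
    addrs: Tuple[str, str]   # inclusive first-last IPv4 range

def parse_resolved(output: str) -> List[Entry]:
    """Pair each name= line with the addr line that follows it."""
    entries: List[Entry] = []
    pending = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            pending = (m.group(1), int(m.group(2)), (int(m.group(3)), int(m.group(4))))
        elif (m := ADDR_RE.match(line)) and pending is not None:
            entries.append(Entry(*pending, addrs=(m.group(1), m.group(2))))
            pending = None
    return entries

def check_scope(entries: List[Entry], allowed_net: str, allowed_ports: Set[int]) -> List[str]:
    """Flag entries whose addresses or ports fall outside what the policy is meant to reach."""
    net = ipaddress.ip_network(allowed_net)
    findings = []
    for e in entries:
        if not all(ipaddress.ip_address(a) in net for a in e.addrs):
            findings.append(f"{e.name}: address range {e.addrs} outside {allowed_net}")
        unexpected = set(range(e.ports[0], e.ports[1] + 1)) - allowed_ports
        if unexpected:
            findings.append(f"{e.name}: unexpected port(s) {sorted(unexpected)}")
    return findings
```

Feed it the saved output of the diagnose command after each connector refresh, and treat any finding as a reason to re-check the filter before the policy in step 4 goes live.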
