
Administration Guide

Azure SDN connector using service principal

FortiOS automatically updates dynamic addresses for Azure using the Azure SDN connector, mapping attributes of Azure instances (VM name, VNet, subnet, network security group, scale set, tags) to dynamic address objects in FortiOS.

Note

This topic describes one of multiple configuration methods available with this SDN connector type. See More Links on the right sidebar for other methods.

To configure the Azure SDN connector using service principal:
  1. Create an Azure SDN connector:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. Select Microsoft Azure.
    3. Configure the connector. See Azure SDN connector service principal configuration requirements:

    4. Click OK.
  2. Create a dynamic firewall address for the Azure connector.
    1. Go to Policy & Objects > Addresses and select Address.
    2. Click Create new.
    3. From the Type dropdown list, select Dynamic.
    4. From the Sub Type dropdown list, select Fabric Connector Address.
    5. From the SDN Connector dropdown list, select the Azure SDN connector.
    6. In the Filter field, add filters as desired. The Azure SDN connector supports the following filters:
      • vm=<VM name>
      • securitygroup=<nsg id>
      • vnet=<VNet id>
      • subnet=<subnet id>
      • vmss=<VM scale set>
      • tag.<key>=<value>
      • servicetag=<value>
    7. Click OK.
    8. Hover the cursor over the address name to see the dynamic IP addresses that the connector resolves.

Configuring SDN connector proxy via FortiManager

FortiOS Azure SDN connector API calls can be relayed through a FortiManager acting as a proxy, so that each FortiGate talks to the FortiManager instead of calling the Azure API directly. FortiManager 7.6 supports this feature. This is recommended for large-scale deployments.

To configure the Azure SDN connector to relay through FortiManager:
  1. Configure the FortiManager:
    1. Provision an FMG_VM64_AZURE 7.6 instance in Azure. See Creating a FortiManager-VM.
    2. License the FortiManager instance. See Connecting to FortiManager.
    3. In FortiManager, go to System Settings > Administrators.
    4. Create a new administrator for the FortiGates to use, or edit an existing one. Because this account's username and password are stored in each FortiGate's sdn-proxy configuration, a dedicated account is preferable to the built-in admin account.
    5. For JSON API Access, select Read-Write.
    6. Configure other fields as desired, then click OK.
  2. Provision a FGT_VM64_AZURE pay-as-you-go instance in Azure.
  3. Configure the FortiManager proxy in the CLI:

    config system sdn-proxy
        edit "FMG_proxy"
            set type fortimanager
            set server "fmg.labs.ca"
            set server-port 443
            set username "admin"
            set password "-=redacted=-"
        next
    end

  4. Configure two SDN connectors, one relayed through the FortiManager proxy and one calling Azure directly, each with a dynamic address that uses the same filter:
    config system sdn-connector
        edit "FMG_proxy"
            set type azure
            set proxy "FMG_proxy"
            set use-metadata-iam disable
            set tenant-id "<tenant ID>"
            set client-id "<client ID>"
            set client-secret "-=redacted=-"
            set subscription-id "<subscription ID>"
            set resource-group "<resource group>"
        next
    end
    config firewall address
        edit "FMG_proxy"
            set type dynamic
            set sdn "FMG_proxy"
            set filter "Vnet=VNET0"
            set sdn-addr-type all
        next
    end
    config system sdn-connector
        edit "AZURE"
            set type azure
            set use-metadata-iam disable
            set tenant-id "<tenant ID>"
            set client-id "<client ID>"
            set client-secret "-=redacted=-"
            set subscription-id "<subscription ID>"
            set resource-group "<resource group>"
        next
    end
    config firewall address
        edit "AZURE"
            set type dynamic
            set sdn "AZURE"
            set filter "Vnet=VNET0"
            set sdn-addr-type all
        next
    end
  5. Go to Security Fabric > External Connectors and confirm that the connectors were created.
  6. Compare the IP addresses resolved by the FMG_proxy dynamic address with those resolved by the AZURE dynamic address. The two lists should be identical; any address present in AZURE but absent from FMG_proxy means the relayed connector is not returning the complete set.
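The following Python script is an added example, not code from FortiOS or from Fortinet's documentation. It models how a dynamic address filter from the list in the service principal procedure above (vm=, securitygroup=, vnet=, subnet=, vmss=, tag.<key>=, servicetag=) selects addresses from an Azure inventory, and then performs the completeness check of step 6 of the FortiManager relay procedure by diffing the list resolved directly against the list resolved through the relay. The inventory, the service-tag prefixes, and the assumption that names are matched case-insensitively (consistent with the page's own "Vnet=VNET0" filter) are all constructed for the example; FortiOS's actual matching and filter-combination rules are not documented on this page and may differ.

```python
"""Model of Azure SDN connector filter resolution plus the direct-vs-relayed
completeness check. Added example; not FortiOS code. All data is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Filter keys the page lists for the Azure SDN connector; "tag.<key>" is
# handled separately because the key itself carries the tag name.
SUPPORTED_KEYS = {"vm", "securitygroup", "vnet", "subnet", "vmss", "servicetag"}


@dataclass(frozen=True)
class AzureNic:
    """One NIC: its private IP and the VNet/subnet/NSG it is attached to."""
    private_ip: str
    vnet: str
    subnet: str
    nsg: str | None = None  # NSG on the NIC only (subnet-level NSGs omitted here)


@dataclass
class AzureVm:
    name: str
    nics: tuple[AzureNic, ...]
    tags: dict[str, str] = field(default_factory=dict)
    vmss: str | None = None  # scale set the VM belongs to, if any


# Constructed inventory standing in for what the connector reads from the
# Azure Resource Manager API. Nothing here is a real resource.
INVENTORY = [
    AzureVm("web-01", (AzureNic("10.0.1.4", "VNET0", "web-subnet", "nsg-web"),), {"role": "web"}),
    AzureVm("web-02", (AzureNic("10.0.1.5", "VNET0", "web-subnet", "nsg-web"),), {"role": "web"}, vmss="web-vmss"),
    AzureVm("db-01", (AzureNic("10.0.2.4", "VNET0", "db-subnet", "nsg-db"),), {"role": "db"}),
    AzureVm("mgmt-01", (AzureNic("10.1.0.4", "VNET1", "mgmt-subnet"),), {"role": "mgmt"}),
]

# Constructed service-tag table (RFC 5737 documentation prefixes, not Azure's real list).
SERVICE_TAGS = {"azurecloud": ("192.0.2.0/24", "198.51.100.0/24")}


def parse_filter(expr: str) -> tuple[str, str | None, str]:
    """Split 'key=value' into (key, tag_name, value).

    Keys are lower-cased so 'Vnet=VNET0' (the CLI example on this page) and
    'vnet=VNET0' mean the same thing. Unknown keys are rejected instead of
    silently matching nothing, which would leave a policy quietly empty.
    """
    key, sep, value = expr.partition("=")
    if not sep or not value.strip():
        raise ValueError(f"filter must be key=value, got {expr!r}")
    key = key.strip().lower()
    if key.startswith("tag."):
        tag_name = key[4:]
        if not tag_name:
            raise ValueError("tag filter needs a key name: tag.<key>=<value>")
        return "tag", tag_name, value.strip()
    if key not in SUPPORTED_KEYS:
        raise ValueError(f"unsupported Azure SDN filter key {key!r}")
    return key, None, value.strip()


def _matches(vm: AzureVm, nic: AzureNic, key: str, tag: str | None, value: str) -> bool:
    """Assumption: all names compared case-insensitively (Azure tag names are)."""
    v = value.lower()
    if key == "vm":
        return vm.name.lower() == v
    if key == "vmss":
        return vm.vmss is not None and vm.vmss.lower() == v
    if key == "vnet":
        return nic.vnet.lower() == v
    if key == "subnet":
        return nic.subnet.lower() == v
    if key == "securitygroup":
        return nic.nsg is not None and nic.nsg.lower() == v
    if key == "tag":
        tags = {k.lower(): val.lower() for k, val in vm.tags.items()}
        return tags.get(tag) == v
    raise AssertionError(key)


def resolve(expr: str, inventory=INVENTORY, service_tags=SERVICE_TAGS) -> list[str]:
    """Sorted, de-duplicated address list a dynamic address with this filter holds."""
    key, tag, value = parse_filter(expr)
    if key == "servicetag":  # service tags resolve to published prefixes, not VM IPs
        return sorted(service_tags.get(value.lower(), ()))
    found = {nic.private_ip for vm in inventory for nic in vm.nics
             if _matches(vm, nic, key, tag, value)}
    return sorted(found)


def compare(direct: list[str], proxied: list[str]) -> dict[str, list[str]]:
    """Step 6 of the relay procedure: addresses the direct connector resolved
    that the relayed one lacks ('missing'), and the reverse ('extra').
    An empty 'missing' list means the relayed connector is complete."""
    return {"missing": sorted(set(direct) - set(proxied)),
            "extra": sorted(set(proxied) - set(direct))}


if __name__ == "__main__":
    for f in ("Vnet=VNET0", "subnet=web-subnet", "tag.role=web", "vmss=web-vmss", "servicetag=AzureCloud"):
        print(f"{f:24} -> {resolve(f)}")
    # Simulate a relayed connector working from a stale snapshot that lacks db-01.
    stale = [vm for vm in INVENTORY if vm.name != "db-01"]
    print(compare(resolve("Vnet=VNET0"), resolve("Vnet=VNET0", stale)))
```

The script rejects filter keys the connector does not support at parse time; in a real deployment the equivalent check is hovering over the address object (step 8 above) and confirming it resolved to a non-empty list, since an unmatched filter produces an address with no members and any policy using it matches nothing.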
