Fortinet black logo

Administration Guide

Public and private SDN connectors

Public and private SDN connectors

Cloud SDN connectors provide integration and orchestration of Fortinet products with public and private cloud solutions. In a typical cloud environment, resources are dynamic and often provisioned and scaled on-demand. By using an SDN connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security Fabric.

To protect the East-West or North-South traffic in these environments, the FortiGate uses the SDN connector to sync the dynamic addresses that these volatile environments use. You can then configure the dynamic address objects as sources or destinations for firewall policies. When you make changes to cloud environment resources, such as moving them to a new location or assigning different IP addresses to them, you do not need to modify the policy in FortiOS, as the SDN connector syncs changes to the cloud address objects.

These configurations consist of three primary steps:

  1. Configure the cloud SDN connector to connect your FortiGate and public or private cloud account.
  2. Create dynamic address objects to use the SDN connector. Use filters to sync only cloud address objects that you require.
  3. Apply the dynamic address objects to your firewall policy to protect your traffic.

This chapter explores the steps in detail and describes how to connect to each currently supported cloud platform. This chapter does not discuss cloud account role-based or permission requirements. The respective cloud documents contain this information.

The following external connectors are available in the Security Fabric:

Category

Connector

Example configuration

Public SDN

Amazon Web Services (AWS)

AWS SDN connector using access keys

Microsoft Azure

Azure SDN connector using service principal

Google Cloud Platform (GCP)

GCP SDN connector using service account

Oracle Cloud Infrastructure (OCI)

OCI SDN connector using certificates

IBM Cloud

IBM Cloud SDN connector using API keys

AliCloud

AliCloud SDN connector using access key

Private SDN

Kubernetes

Kubernetes (K8s) SDN connectors

VMware ESXi

VMware ESXi SDN connector using server credentials

VMware NSX

VMware NSX-T Manager SDN connector using NSX-T Manager credentials

OpenStack (Horizon)

OpenStack SDN connector using node credentials

Application Centric Infrastructure (ACI)

Cisco ACI SDN connector using a standalone connector

Nuage Virtualized Services Platform

Nuage SDN connector using server credentials

Nutanix

Nutanix SDN connector using server credentials

SAP

SAP SDN connector

Endpoint/Identity

FSSO Agent on Windows AD

Fortinet single sign-on agent

Symantec Endpoint Protection

Symantec endpoint connector

Poll Active Directory Server

Poll Active Directory server

RADIUS Single Sign-On Agent

RADIUS single sign-on agent

Exchange Server

Exchange Server connector

Threat Feeds

FortiGuard Category

Threat feeds

IP Address

IP address threat feed

Domain Name

Domain name threat feed

Malware Hash

Malware hash threat feed

Note

If VDOMs are enabled, SDN and Threat Feeds connectors are in the global settings, and Endpoint/Identity connectors are per VDOM.

Public and private SDN connectors

Public and private SDN connectors

Cloud SDN connectors provide integration and orchestration of Fortinet products with public and private cloud solutions. In a typical cloud environment, resources are dynamic and often provisioned and scaled on-demand. By using an SDN connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security Fabric.

To protect the East-West or North-South traffic in these environments, the FortiGate uses the SDN connector to sync the dynamic addresses that these volatile environments use. You can then configure the dynamic address objects as sources or destinations for firewall policies. When you make changes to cloud environment resources, such as moving them to a new location or assigning different IP addresses to them, you do not need to modify the policy in FortiOS, as the SDN connector syncs changes to the cloud address objects.

These configurations consist of three primary steps:

  1. Configure the cloud SDN connector to connect your FortiGate and public or private cloud account.
  2. Create dynamic address objects to use the SDN connector. Use filters to sync only cloud address objects that you require.
  3. Apply the dynamic address objects to your firewall policy to protect your traffic.

This chapter explores the steps in detail and describes how to connect to each currently supported cloud platform. This chapter does not discuss cloud account role-based or permission requirements. The respective cloud documents contain this information.

The following external connectors are available in the Security Fabric:

Category

Connector

Example configuration

Public SDN

Amazon Web Services (AWS)

AWS SDN connector using access keys

Microsoft Azure

Azure SDN connector using service principal

Google Cloud Platform (GCP)

GCP SDN connector using service account

Oracle Cloud Infrastructure (OCI)

OCI SDN connector using certificates

IBM Cloud

IBM Cloud SDN connector using API keys

AliCloud

AliCloud SDN connector using access key

Private SDN

Kubernetes

Kubernetes (K8s) SDN connectors

VMware ESXi

VMware ESXi SDN connector using server credentials

VMware NSX

VMware NSX-T Manager SDN connector using NSX-T Manager credentials

OpenStack (Horizon)

OpenStack SDN connector using node credentials

Application Centric Infrastructure (ACI)

Cisco ACI SDN connector using a standalone connector

Nuage Virtualized Services Platform

Nuage SDN connector using server credentials

Nutanix

Nutanix SDN connector using server credentials

SAP

SAP SDN connector

Endpoint/Identity

FSSO Agent on Windows AD

Fortinet single sign-on agent

Symantec Endpoint Protection

Symantec endpoint connector

Poll Active Directory Server

Poll Active Directory server

RADIUS Single Sign-On Agent

RADIUS single sign-on agent

Exchange Server

Exchange Server connector

Threat Feeds

FortiGuard Category

Threat feeds

IP Address

IP address threat feed

Domain Name

Domain name threat feed

Malware Hash

Malware hash threat feed

Note

If VDOMs are enabled, SDN and Threat Feeds connectors are in the global settings, and Endpoint/Identity connectors are per VDOM.