New Features

Universal Connector MEA added support for Cisco ACI 7.2.1

Universal Connector MEA added support for Cisco ACI to retrieve endpoint groups (EPGs) and apply dynamic object changes on FortiGates.

This feature requires Cisco ACI version 5 or higher.

Creating the Universal Connector
To create a new Cisco ACI Universal Connector:
  1. Go to Management Extensions > Universal Connector.
  2. Click Create New on the toolbar, and select Cisco ACI.
  3. Enter the connector settings.
  4. Click Save & Continue, and then set the Status toggle to the on position to enable the connector.
  5. You can manually set the update interval at which FortiManager polls the Cisco APIC. The default is 60 seconds.
  6. FortiManager authenticates to the Cisco APIC with the credentials the administrator provides on this page. The connector can be enabled only after authentication succeeds.
  7. You can enable or disable certificate verification for the remote Cisco APIC server. Login behaves as follows:
    • Remote certificate valid, verification enabled: login succeeds.
    • Remote certificate valid, verification disabled: login succeeds.
    • Remote certificate invalid, verification enabled: login fails.
    • Remote certificate invalid, verification disabled: login succeeds.
Importing EPGs from the Universal Connector
To import EPGs from the connector:
  1. Once the connector is enabled, you can import EPGs and IP address information from the remote Cisco APIC server.
  2. All EPGs available on the server appear in the Available list and can be moved to the Selected list for use on FortiManager.
  3. Once moved, enter the Change Note and click OK.

    FortiManager will retrieve all the corresponding EPGs and the IP address information from the Cisco ACI server.
Enabling the Universal Connector

To use the imported EPGs from the connector, administrators will first need to enable the connector.

To enable the Universal Connector:
  1. Go to Policy & Objects > Object Configurations > Fabric Connectors > Endpoint/Identity.
  2. Click Create New from the toolbar and select Universal Connector from the dropdown.
  3. Set the Status toggle to the on position to enable the connector.
Using the imported EPGs

The labels imported from the remote host are available as FSSO adgrp objects and can be selected in the following areas:

  • Dynamic FSSO type address.
  • Policy FSSO groups.
  • User group FSSO/SSO connector types.
Cisco ACI connector behavior
  1. If the connector is configured but disabled:
    1. All connectors and FortiManager configurations remain accessible and functional; however, the connector does not send any groups or addresses (corresponding to active sessions) to FortiManager until it is enabled.
    2. If the connector was in use and is then disabled, the container and FortiManager keep all configurations, but the address information of active sessions is removed.
  2. If the connector is configured and functional, but is deleted:
    1. All existing group information and address information (active sessions) is cleared from FortiManager, the connector, FSSO, and FortiOS.
    2. If the EPGs are in use in policies or address objects, these FSSO groups remain stuck on FortiManager. Administrators must remove all EPG groups that are in use before deleting the connector.
  3. If the connection to Cisco APIC is lost for more than five minutes, the action taken depends on whether the Remove the address when the connector is unreachable more than 5 minutes option is selected. This option is enabled by default, and addresses are cleared when the connection to Cisco APIC has been lost for five minutes. When the checkbox is not selected, all address information is kept until the connection is reestablished or the administrator changes the connector configuration.
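As an added illustration, not part of Fortinet's documentation or the MEA's own code, of the two mechanisms described above (importing EPG and IP address information from the APIC, and the five-minute unreachable rule), the following Python script parses a constructed APIC endpoint query response into EPG-keyed address sets and then applies the removal option. The fvCEp class, the dn layout and the ip attribute are assumptions about the Cisco ACI data model, and the "tenant/ap/epg" grouping key is this example's own convention.

```python
import json
import re

# Constructed sample of an APIC class-query response for fvCEp (learned endpoints).
# The object class, the "dn" layout and the "ip" attribute follow the Cisco ACI
# data model as assumed here; tenant, EPG and address values are made up.
SAMPLE_APIC_RESPONSE = json.dumps({"totalCount": "4", "imdata": [
    {"fvCEp": {"attributes": {"dn": "uni/tn-prod/ap-web/epg-frontend/cep-00:50:56:AA:BB:01",
                              "ip": "10.10.1.11"}}},
    {"fvCEp": {"attributes": {"dn": "uni/tn-prod/ap-web/epg-frontend/cep-00:50:56:AA:BB:02",
                              "ip": "10.10.1.12"}}},
    {"fvCEp": {"attributes": {"dn": "uni/tn-prod/ap-db/epg-mysql/cep-00:50:56:AA:BB:03",
                              "ip": "10.10.2.5"}}},
    # Endpoint learned by MAC only: assumed to carry no usable IP, so it must not become an address.
    {"fvCEp": {"attributes": {"dn": "uni/tn-prod/ap-db/epg-mysql/cep-00:50:56:AA:BB:04",
                              "ip": "0.0.0.0"}}},
]})

# Tenant / application profile / EPG are encoded in the endpoint's distinguished name (assumed layout).
EPG_DN = re.compile(r"^uni/tn-(?P<tenant>[^/]+)/ap-(?P<ap>[^/]+)/epg-(?P<epg>[^/]+)/")

def epg_addresses(apic_json: str) -> dict:
    """Group learned endpoint IPs by EPG, keyed "tenant/ap/epg" (this example's own
    key format). Endpoints with no learned IP are skipped."""
    groups = {}
    for item in json.loads(apic_json)["imdata"]:
        attrs = item["fvCEp"]["attributes"]
        match = EPG_DN.match(attrs["dn"])
        ip = attrs.get("ip", "")
        if not match or ip in ("", "0.0.0.0"):
            continue
        key = f"{match['tenant']}/{match['ap']}/{match['epg']}"
        groups.setdefault(key, set()).add(ip)
    return groups

UNREACHABLE_LIMIT_SECONDS = 300  # the "unreachable more than 5 minutes" threshold

def addresses_after_outage(groups: dict, unreachable_seconds: int,
                           remove_when_unreachable: bool = True) -> dict:
    """Apply the 'Remove the address when the connector is unreachable more than
    5 minutes' rule. With the option on (the default), an outage longer than the
    threshold empties every group's address list; with it off, the last known
    addresses are kept until the connection is reestablished."""
    if remove_when_unreachable and unreachable_seconds > UNREACHABLE_LIMIT_SECONDS:
        return {name: set() for name in groups}
    return groups
```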
