Administration Guide

Using FortiManager as a SDN proxy for Azure connectors

Each FortiGate configured with an Azure fabric connector makes a separate connection request to the Azure server. Having a high volume of devices may result in many simultaneous connections to Azure. For example, having 100 FortiGate devices with Azure connectors results in 100 separate connections to the Azure server.

To improve efficiency and security in these cases, FortiManager can be configured to work as a proxy between the FortiGate devices and Azure. When configured as a proxy, FortiManager will make all requests to the Azure server. The FortiGate devices do not need to be managed by FortiManager to use it as a proxy.

This setting can only be configured in the CLI.

When using FortiManager as a proxy to Azure, you must have an admin user on FortiManager with read-write permissions for JSON API Access. It is recommended that you also increase the login-max setting in Advanced Options to allow for the maximum number of logins (256) for the user since this FortiManager will receive login requests from each FortiGate when making requests to the Azure server.

To configure FortiManager as a proxy to Azure:
  1. On each FortiGate, configure the SDN-Proxy object.

    config system sdn-proxy
        edit <sdn-proxy name>
            set type fortimanager
            set server <FortiManager address>
            set username <username>
            set password <password>
        next
    end

  2. On each FortiGate, configure the SDN connector to use the FortiManager proxy object.

    config system sdn-connector
        edit <connector name>
            set proxy <sdn-proxy name>
            set use-metadata-iam disable
            set access-key <access>
            set secret-key <secret>
            set region <region>
        next
    end
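With many FortiGates it is easy to miss a connector that still talks to Azure directly. The following added example (not Fortinet code) checks a plaintext FortiGate configuration backup for SDN connectors that have no proxy set or that reference a proxy object that is not a defined `fortimanager` sdn-proxy. The sample configuration and all object names in it are constructed assumptions.

```python
# Constructed sample backup (not from the page); names and values are assumptions.
SAMPLE_CONFIG = """\
config system sdn-proxy
    edit "fmg-proxy"
        set type fortimanager
    next
end
config system sdn-connector
    edit "azure-prod"
        set proxy "fmg-proxy"
        config nic
        end
    next
    edit "azure-dev"
        set use-metadata-iam disable
    next
    edit "azure-lab"
        set proxy "old-proxy"
    next
end
"""


def parse_table(text, table):
    """Return {entry: {option: value}} for one top-level 'config <table>' block."""
    entries, current, inside, depth = {}, None, False, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not inside:
            inside = line == f"config {table}"
        elif line.startswith("config "):
            depth += 1  # nested table inside an entry; its options are skipped
        elif line == "end":
            inside, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip().strip('"'), {})
        elif depth == 0 and current is not None and line.startswith("set "):
            _, key, *val = line.split(None, 2)
            current[key] = val[0].strip('"') if val else ""
    return entries


def audit_connectors(text):
    """Map each SDN connector that bypasses or misreferences the proxy to a reason."""
    proxies, findings = parse_table(text, "system sdn-proxy"), {}
    for name, opts in parse_table(text, "system sdn-connector").items():
        proxy = opts.get("proxy")
        if proxy is None:
            findings[name] = "no proxy set"
        elif proxies.get(proxy, {}).get("type") != "fortimanager":
            findings[name] = f"proxy '{proxy}' is not a defined fortimanager sdn-proxy"
    return findings
```

Calling `audit_connectors(SAMPLE_CONFIG)` reports `azure-dev` and `azure-lab`, and leaves `azure-prod` out because it points at a defined FortiManager proxy.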

On FortiManager, you can manage the sdnproxy daemon with the following commands:

  • Restart the sdnproxy daemon: diagnose test application sdnproxyd <integer>
  • Show debug logs: diagnose debug application sdnproxy <debug level (0 - 8)>
