Using FortiManager as a SDN proxy for Azure connectors
Each FortiGate configured with an Azure fabric connector makes a separate connection request to the Azure server. Having a high volume of devices may result in many simultaneous connections to Azure. For example, having 100 FortiGate devices with Azure connectors results in 100 separate connections to the Azure server.
To improve efficiency and security in these cases, FortiManager can be configured to work as a proxy between the FortiGate devices and Azure. When configured as a proxy, FortiManager makes all requests to the Azure server on behalf of the FortiGate devices. The FortiGate devices do not need to be managed by FortiManager to use it as a proxy.
This setting can only be configured in the CLI.
When using FortiManager as a proxy to Azure, you must have an admin user on FortiManager with read-write permissions for JSON API Access. It is recommended that you also increase the login-max setting in Advanced Options to the maximum number of logins (256) for that user, because FortiManager receives a login request from each FortiGate whenever it makes a request to the Azure server.
To configure FortiManager as a proxy to Azure:
- On each FortiGate, configure the SDN-Proxy object.
config system sdn-proxy
    edit <sdn-proxy name>
        set type fortimanager
        set server <FortiManager address>
        set username <username>
        set password <password>
    next
end
- On each FortiGate, configure the SDN connector to use the FortiManager proxy object.
config system sdn-connector
    edit <connector name>
        set proxy <sdn-proxy name>
        set use-metadata-iam disable
        set access-key <access>
        set secret-key <secret>
        set region <region>
    next
end
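When the procedure above is rolled out to many FortiGates, it helps to verify from a configuration dump which SDN connectors still lack `set proxy` and therefore still connect to Azure directly. The following Python script is an added example, not Fortinet tooling; the parser, the sample configuration text and the names `azure-east`, `azure-west` and `fmg-proxy` are constructed for this illustration.

```python
"""Audit a FortiGate config dump for SDN connectors that still reach Azure
directly (no 'set proxy'). Parser and sample config are constructed here."""
import shlex

# Constructed sample: one connector through the proxy, one left direct.
SAMPLE_CONFIG = """\
config system sdn-connector
    edit "azure-east"
        set proxy "fmg-proxy"
        set use-metadata-iam disable
        config nic
            edit "nic0"
            next
        end
    next
    edit "azure-west"
        set use-metadata-iam disable
    next
end
"""

def parse_sdn_connectors(config_text):
    """Return {connector: {setting: value}} from 'config system sdn-connector'."""
    connectors, current = {}, None
    depth, section_depth = 0, None  # nesting depth; an inner 'end' must not close the section
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if not tokens: continue
        if tokens[0] == "config":
            depth += 1
            if tokens[1:3] == ["system", "sdn-connector"]:
                section_depth = depth
        elif tokens[0] == "end":
            if depth == section_depth:
                section_depth, current = None, None
            depth -= 1
        elif depth == section_depth:  # connector level only; nested tables are skipped
            if tokens[0] == "edit":
                current = tokens[1]
                connectors[current] = {}
            elif tokens[0] == "next":
                current = None
            elif tokens[0] == "set" and current is not None:
                connectors[current][tokens[1]] = " ".join(tokens[2:])
    return connectors

def unproxied_connectors(config_text, proxy_name):
    """Names of connectors not routed through the given SDN-Proxy object."""
    return sorted(name for name, settings in parse_sdn_connectors(config_text).items()
                  if settings.get("proxy") != proxy_name)
```

Run `unproxied_connectors(SAMPLE_CONFIG, "fmg-proxy")` on a dump from `show system sdn-connector`; any name it returns still bypasses the FortiManager proxy.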
On FortiManager, you can manage the sdnproxy daemon with the following commands:
- Restart the sdnproxy daemon:
diagnose test application sdnproxyd <integer>
- Show debug logs:
diagnose debug application sdnproxy <debug level (0 - 8)>