Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.4.2 CLI Reference
    7.4.2
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    system sdn-connector

    system sdn-connector

    Use this command to create external connectors for Amazon Web Services (AWS), Microsoft Azure, and OCI.

    The AWS and Azure connectors authorize FortiWeb to automatically retrieve the IP addresses of the back-end servers deployed on AWS or Azure.

    OCI Connector is available only when FortiWeb-VM is deployed on OCI. It is used to obtain FortiWeb HA member information in Active-Passive mode.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

    Syntax

    config system sdn-connector

    edit <name>

    set status {enable | disable}

    set type {azure | aws | oci}

    set update-interval <int>

    set access-key <string>

    set secret-key <string>

    set region <string>

    set tenant-id <string>

    set subscription-id <string>

    set client-id <string>

    set client-secret <string>

    set resource-group <string>

    set azure-region <string>

    setserver-region-type {commercial | government}

    set server-region <region-id>

    set user-ocid <string>

    set tenant-ocid <string>

    set compartment-ocid <string>

    set private-key <userdef>

    end

    end

    Variable Description Default
    <name> Enter a name for the external connector object. No default
    status {enable | disable}

    Enable or disable the external connector object.

    		 enable
    type {azure | aws | oci} Select the type of the connector. No default
    update-interval <int>

    Specify the update interval for the connector to get AWS objects and dynamically populates the information in the server pool configuration.

    		 60

    AWS connector settings

    access-key <string>

    Specify the access key ID.

    An access key on AWS grants programmatic access to your resources. If you have security considerations, it's recommended to create an IAM role specially for FortiWeb and grant read-only access.

    See this article for how to get access key ID and secret access key on AWS: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html.

    		 No default
    secret-key <string>

    Specify the secret access key.

    		 No default
    region <string> Specify the region where your instances are deployed, for example, us-west-2. No default

    Azure connector settings

    You must create an Azure AD application to generate the Azure client ID and corresponding Azure client secret. This application must be a service principal. Otherwise, the Fabric connector cannot read the inventory. You can find the complete instructions at Use portal to create an Azure Active Directory application and service principal that can access resources.
    Keep the following in mind when you get to the part about making a new application registration:

    • The Application type has two options. Choose Web app/API.
    • The Sign-on URL has the asterisk commonly associated with a required field, but this is not applicable in this case. Put in any valid URL in the field to complete the form and enable the Create button.

    tenant-id <string> See instructions above for how to find the Tenant ID. No default
    subscription-id <string> The ID of the subscription where your application server is deployed. No default
    client-id <string> See instructions above for how to find the Client ID. No default
    client-secret <string> See instructions above for how to find the Client Secret. No default
    resource-group <string> The name of the resource group where your application server is deployed. Make sure that the service principal (app registration) is granted for the network contributor and VM contributor roles for the target resource group. No default
    azure-region <string> The region where your application server is deployed. No default

    OCI Connector settings

    you need to generate the RSA key that will be used for authentication when FortiWeb-VM connects to the load balancer.

    1. Log in to a Linux system which has installed OpenSSL.
    2. Open a SHELL terminal, enter the following commands:
      openssl genrsa -out ./oci_api.key 2048
      openssl rsa -pubout -in ./oci_api.key -out ./oci_api_pub.key
      The file oci_api.key is the RSA private key file and the file oci_api_pub.key is its paired public key file.
    3. Log in OCI. Go to Governance and Administration > Identity > User.
    4. Select the proper user you wan to use.
    5. Click Add Public Key, copy the text in oci_api_pub.key file, and then paste it into the PUBLIC KEY field on the Add Public Key window.
    6. Click Add.

    For a complete guide on the OCI connector settings, see Configuring OCI Connector.

    server-region-type {commercial | government}

    If your OCI server region is either “US Federal Cloud with DISA Impact Level 5 Authorization Regions” or “US Government Cloud with FedRAMP Authorization Regions”, please select Government. Otherwise please select Commercial.

    commercial

    server-region <region-id>

    Enter the Region Identifier of your load balancer.

    		No default

    user-ocid <string>

    To get the User OCID:

    1. Log in to OCI.
    2. Go to Governance and Administration > Identity > User.
    3. Click the user you want to use.
    4. Copy the OCID of this user.
    		No default

    tenant-ocid <string>

    To get the tenant OCID:

    1. Log in to OCI.
    2. Go to Governance and Administration > Administration > Tenancy Details.
    3. Click the Tenancy you want to use.
    4. Copy the OCID of this Tenancy.
    		No default

    compartment-ocid <string>

    To get the compartment OCID:

    1. Log in to OCI.
    2. Go to Governance and Administration > Identity > Compartments.
    3. Click the compartment that your load balancer is located in.
    4. Copy the OCID of this Tenancy.

    Note: If you don't have a compartment, you can leave this option empty.

    		 No default
    private-key <userdef> Upload the private key file you have generated when system sdn-connector. No default

    To apply the external connector, you need to select it in the server pool configurations so that FortiWeb can use the connector to automatically retrieve the IP addresses of the back-end servers deployed on AWS or Azure.

    Here is an example:

    config server-policy server-pool

    edit pool

    config pserver-list

    edit 1

    set server-type sdn-connector

    set sdn-addr-type public

    set sdn aws

    set filter InstanceId=i-04d15747127e4f8fe

    next

    end

    next

    end

    Related topics

    Previous
    Next

    system sdn-connector

    system sdn-connector

    Use this command to create external connectors for Amazon Web Services (AWS), Microsoft Azure, and OCI.

    The AWS and Azure connectors authorize FortiWeb to automatically retrieve the IP addresses of the back-end servers deployed on AWS or Azure.

    OCI Connector is available only when FortiWeb-VM is deployed on OCI. It is used to obtain FortiWeb HA member information in Active-Passive mode.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

    Syntax

    config system sdn-connector

    edit <name>

    set status {enable | disable}

    set type {azure | aws | oci}

    set update-interval <int>

    set access-key <string>

    set secret-key <string>

    set region <string>

    set tenant-id <string>

    set subscription-id <string>

    set client-id <string>

    set client-secret <string>

    set resource-group <string>

    set azure-region <string>

    setserver-region-type {commercial | government}

    set server-region <region-id>

    set user-ocid <string>

    set tenant-ocid <string>

    set compartment-ocid <string>

    set private-key <userdef>

    end

    end

    Variable Description Default
    <name> Enter a name for the external connector object. No default
    status {enable | disable}

    Enable or disable the external connector object.

    		 enable
    type {azure | aws | oci} Select the type of the connector. No default
    update-interval <int>

    Specify the update interval for the connector to get AWS objects and dynamically populates the information in the server pool configuration.

    		 60

    AWS connector settings

    access-key <string>

    Specify the access key ID.

    An access key on AWS grants programmatic access to your resources. If you have security considerations, it's recommended to create an IAM role specially for FortiWeb and grant read-only access.

    See this article for how to get access key ID and secret access key on AWS: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html.

    		 No default
    secret-key <string>

    Specify the secret access key.

    		 No default
    region <string> Specify the region where your instances are deployed, for example, us-west-2. No default

    Azure connector settings

    You must create an Azure AD application to generate the Azure client ID and corresponding Azure client secret. This application must be a service principal. Otherwise, the Fabric connector cannot read the inventory. You can find the complete instructions at Use portal to create an Azure Active Directory application and service principal that can access resources.
    Keep the following in mind when you get to the part about making a new application registration:

    • The Application type has two options. Choose Web app/API.
    • The Sign-on URL has the asterisk commonly associated with a required field, but this is not applicable in this case. Put in any valid URL in the field to complete the form and enable the Create button.

    tenant-id <string> See instructions above for how to find the Tenant ID. No default
    subscription-id <string> The ID of the subscription where your application server is deployed. No default
    client-id <string> See instructions above for how to find the Client ID. No default
    client-secret <string> See instructions above for how to find the Client Secret. No default
    resource-group <string> The name of the resource group where your application server is deployed. Make sure that the service principal (app registration) is granted for the network contributor and VM contributor roles for the target resource group. No default
    azure-region <string> The region where your application server is deployed. No default

    OCI Connector settings

    you need to generate the RSA key that will be used for authentication when FortiWeb-VM connects to the load balancer.

    1. Log in to a Linux system which has installed OpenSSL.
    2. Open a SHELL terminal, enter the following commands:
      openssl genrsa -out ./oci_api.key 2048
      openssl rsa -pubout -in ./oci_api.key -out ./oci_api_pub.key
      The file oci_api.key is the RSA private key file and the file oci_api_pub.key is its paired public key file.
    3. Log in OCI. Go to Governance and Administration > Identity > User.
    4. Select the proper user you wan to use.
    5. Click Add Public Key, copy the text in oci_api_pub.key file, and then paste it into the PUBLIC KEY field on the Add Public Key window.
    6. Click Add.

    For a complete guide on the OCI connector settings, see Configuring OCI Connector.

    server-region-type {commercial | government}

    If your OCI server region is either “US Federal Cloud with DISA Impact Level 5 Authorization Regions” or “US Government Cloud with FedRAMP Authorization Regions”, please select Government. Otherwise please select Commercial.

    commercial

    server-region <region-id>

    Enter the Region Identifier of your load balancer.

    		No default

    user-ocid <string>

    To get the User OCID:

    1. Log in to OCI.
    2. Go to Governance and Administration > Identity > User.
    3. Click the user you want to use.
    4. Copy the OCID of this user.
    		No default

    tenant-ocid <string>

    To get the tenant OCID:

    1. Log in to OCI.
    2. Go to Governance and Administration > Administration > Tenancy Details.
    3. Click the Tenancy you want to use.
    4. Copy the OCID of this Tenancy.
    		No default

    compartment-ocid <string>

    To get the compartment OCID:

    1. Log in to OCI.
    2. Go to Governance and Administration > Identity > Compartments.
    3. Click the compartment that your load balancer is located in.
    4. Copy the OCID of this Tenancy.

    Note: If you don't have a compartment, you can leave this option empty.

    		 No default
    private-key <userdef> Upload the private key file you have generated when system sdn-connector. No default

    To apply the external connector, you need to select it in the server pool configurations so that FortiWeb can use the connector to automatically retrieve the IP addresses of the back-end servers deployed on AWS or Azure.

    Here is an example:

    config server-policy server-pool

    edit pool

    config pserver-list

    edit 1

    set server-type sdn-connector

    set sdn-addr-type public

    set sdn aws

    set filter InstanceId=i-04d15747127e4f8fe

    next

    end

    next

    end

    Related topics

    Previous
    Next