Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

system sdn-connector

Use this command to create external connectors for Amazon Web Services (AWS), Microsoft Azure, and OCI.

The AWS and Azure connectors authorize FortiWeb to automatically retrieve the IP addresses of the back-end servers deployed on AWS or Azure.

OCI Connector is available only when FortiWeb-VM is deployed on OCI. It is used to obtain FortiWeb HA member information in Active-Passive mode.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system sdn-connector

edit <name>

set status {enable | disable}

set type {azure | aws | oci}

set update-interval <int>

set access-key <string>

set secret-key <string>

set region <string>

set tenant-id <string>

set subscription-id <string>

set client-id <string>

set client-secret <string>

set resource-group <string>

set azure-region <string>

setserver-region-type {commercial | government}

set server-region <region-id>

set user-ocid <string>

set tenant-ocid <string>

set compartment-ocid <string>

set private-key <userdef>

end

end

Variable Description Default
<name> Enter a name for the external connector object. No default
status {enable | disable}

Enable or disable the external connector object.

enable
type {azure | aws | oci} Select the type of the connector. No default
update-interval <int>

Specify the update interval for the connector to get AWS objects and dynamically populates the information in the server pool configuration.

60

AWS connector settings

 

access-key <string>

Specify the access key ID.

An access key on AWS grants programmatic access to your resources. If you have security considerations, it's recommended to create an IAM role specially for FortiWeb and grant read-only access.

See this article for how to get access key ID and secret access key on AWS: HTTPs://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html.

No default
secret-key <string>

Specify the secret access key.

No default
region <string> Specify the region where your instances are deployed, for example, us-west-2. No default

Azure connector settings

You must create an Azure AD application to generate the Azure client ID and corresponding Azure client secret. This application must be a service principal. Otherwise, the Fabric connector cannot read the inventory. You can find the complete instructions at Use portal to create an Azure Active Directory application and service principal that can access resources.
Keep the following in mind when you get to the part about making a new application registration:

  • The Application type has two options. Choose Web app/API.
  • The Sign-on URL has the asterisk commonly associated with a required field, but this is not applicable in this case. Put in any valid URL in the field to complete the form and enable the Create button.

 

tenant-id <string> See instructions above for how to find the Tenant ID. No default
subscription-id <string> The ID of the subscription where your application server is deployed. No default
client-id <string> See instructions above for how to find the Client ID. No default
client-secret <string> See instructions above for how to find the Client Secret. No default
resource-group <string> The name of the resource group where your application server is deployed. Make sure that the service principal (app registration) is granted for the network contributor and VM contributor roles for the target resource group. No default
azure-region <string> The region where your application server is deployed. No default

OCI Connector settings

you need to generate the RSA key that will be used for authentication when FortiWeb-VM connects to the load balancer.

  1. Log in to a Linux system which has installed OpenSSL.
  2. Open a SHELL terminal, enter the following commands:
    openssl genrsa -out ./oci_api.key 2048
    openssl rsa -pubout -in ./oci_api.key -out ./oci_api_pub.key

    The file oci_api.key is the RSA private key file and the file oci_api_pub.key is its paired public key file.
  3. Log in OCI. Go to Governance and Administration > Identity > User.
  4. Select the proper user you wan to use.
  5. Click Add Public Key, copy the text in oci_api_pub.key file, and then paste it into the PUBLIC KEY field on the Add Public Key window.
  6. Click Add.

For a complete guide on the OCI connector settings, see Configuring OCI Connector.

 

server-region-type {commercial | government}

If your OCI server region is either “US Federal Cloud with DISA Impact Level 5 Authorization Regions” or “US Government Cloud with FedRAMP Authorization Regions”, please select Government. Otherwise please select Commercial.

commercial

server-region <region-id>

Enter the Region Identifier of your load balancer.

No default

user-ocid <string>

To get the User OCID:

  1. Log in to OCI.
  2. Go to Governance and Administration > Identity > User.
  3. Click the user you want to use.
  4. Copy the OCID of this user.
No default

tenant-ocid <string>

To get the tenant OCID:

  1. Log in to OCI.
  2. Go to Governance and Administration > Administration > Tenancy Details.
  3. Click the Tenancy you want to use.
  4. Copy the OCID of this Tenancy.
No default

compartment-ocid <string>

To get the compartment OCID:

  1. Log in to OCI.
  2. Go to Governance and Administration > Identity > Compartments.
  3. Click the compartment that your load balancer is located in.
  4. Copy the OCID of this Tenancy.

Note: If you don't have a compartment, you can leave this option empty.

No default
private-key <userdef> Upload the private key file you have generated when system sdn-connector. No default

To apply the external connector, you need to select it in the server pool configurations so that FortiWeb can use the connector to automatically retrieve the IP addresses of the back-end servers deployed on AWS or Azure.

Here is an example:

config server-policy server-pool

edit pool

config pserver-list

edit 1

set server-type sdn-connector

set sdn-addr-type public

set sdn aws

set filter InstanceId=i-04d15747127e4f8fe

next

end

next

end

 

Related topics

system sdn-connector

Use this command to create external connectors for Amazon Web Services (AWS), Microsoft Azure, and OCI.

The AWS and Azure connectors authorize FortiWeb to automatically retrieve the IP addresses of the back-end servers deployed on AWS or Azure.

OCI Connector is available only when FortiWeb-VM is deployed on OCI. It is used to obtain FortiWeb HA member information in Active-Passive mode.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system sdn-connector

edit <name>

set status {enable | disable}

set type {azure | aws | oci}

set update-interval <int>

set access-key <string>

set secret-key <string>

set region <string>

set tenant-id <string>

set subscription-id <string>

set client-id <string>

set client-secret <string>

set resource-group <string>

set azure-region <string>

setserver-region-type {commercial | government}

set server-region <region-id>

set user-ocid <string>

set tenant-ocid <string>

set compartment-ocid <string>

set private-key <userdef>

end

end

Variable Description Default
<name> Enter a name for the external connector object. No default
status {enable | disable}

Enable or disable the external connector object.

enable
type {azure | aws | oci} Select the type of the connector. No default
update-interval <int>

Specify the update interval for the connector to get AWS objects and dynamically populates the information in the server pool configuration.

60

AWS connector settings

 

access-key <string>

Specify the access key ID.

An access key on AWS grants programmatic access to your resources. If you have security considerations, it's recommended to create an IAM role specially for FortiWeb and grant read-only access.

See this article for how to get access key ID and secret access key on AWS: HTTPs://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html.

No default
secret-key <string>

Specify the secret access key.

No default
region <string> Specify the region where your instances are deployed, for example, us-west-2. No default

Azure connector settings

You must create an Azure AD application to generate the Azure client ID and corresponding Azure client secret. This application must be a service principal. Otherwise, the Fabric connector cannot read the inventory. You can find the complete instructions at Use portal to create an Azure Active Directory application and service principal that can access resources.
Keep the following in mind when you get to the part about making a new application registration:

  • The Application type has two options. Choose Web app/API.
  • The Sign-on URL has the asterisk commonly associated with a required field, but this is not applicable in this case. Put in any valid URL in the field to complete the form and enable the Create button.

 

tenant-id <string> See instructions above for how to find the Tenant ID. No default
subscription-id <string> The ID of the subscription where your application server is deployed. No default
client-id <string> See instructions above for how to find the Client ID. No default
client-secret <string> See instructions above for how to find the Client Secret. No default
resource-group <string> The name of the resource group where your application server is deployed. Make sure that the service principal (app registration) is granted for the network contributor and VM contributor roles for the target resource group. No default
azure-region <string> The region where your application server is deployed. No default

OCI Connector settings

you need to generate the RSA key that will be used for authentication when FortiWeb-VM connects to the load balancer.

  1. Log in to a Linux system which has installed OpenSSL.
  2. Open a SHELL terminal, enter the following commands:
    openssl genrsa -out ./oci_api.key 2048
    openssl rsa -pubout -in ./oci_api.key -out ./oci_api_pub.key

    The file oci_api.key is the RSA private key file and the file oci_api_pub.key is its paired public key file.
  3. Log in OCI. Go to Governance and Administration > Identity > User.
  4. Select the proper user you wan to use.
  5. Click Add Public Key, copy the text in oci_api_pub.key file, and then paste it into the PUBLIC KEY field on the Add Public Key window.
  6. Click Add.

For a complete guide on the OCI connector settings, see Configuring OCI Connector.

 

server-region-type {commercial | government}

If your OCI server region is either “US Federal Cloud with DISA Impact Level 5 Authorization Regions” or “US Government Cloud with FedRAMP Authorization Regions”, please select Government. Otherwise please select Commercial.

commercial

server-region <region-id>

Enter the Region Identifier of your load balancer.

No default

user-ocid <string>

To get the User OCID:

  1. Log in to OCI.
  2. Go to Governance and Administration > Identity > User.
  3. Click the user you want to use.
  4. Copy the OCID of this user.
No default

tenant-ocid <string>

To get the tenant OCID:

  1. Log in to OCI.
  2. Go to Governance and Administration > Administration > Tenancy Details.
  3. Click the Tenancy you want to use.
  4. Copy the OCID of this Tenancy.
No default

compartment-ocid <string>

To get the compartment OCID:

  1. Log in to OCI.
  2. Go to Governance and Administration > Identity > Compartments.
  3. Click the compartment that your load balancer is located in.
  4. Copy the OCID of this Tenancy.

Note: If you don't have a compartment, you can leave this option empty.

No default
private-key <userdef> Upload the private key file you have generated when system sdn-connector. No default

To apply the external connector, you need to select it in the server pool configurations so that FortiWeb can use the connector to automatically retrieve the IP addresses of the back-end servers deployed on AWS or Azure.

Here is an example:

config server-policy server-pool

edit pool

config pserver-list

edit 1

set server-type sdn-connector

set sdn-addr-type public

set sdn aws

set filter InstanceId=i-04d15747127e4f8fe

next

end

next

end

 

Related topics