Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • GCP Administration Guide

    Home FortiGate Public Cloud 6.4.0 GCP Administration Guide
    6.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Multiple GCP projects in a single SDN connector

    Multiple GCP projects in a single SDN connector

    An option is added to specify multiple projects under a single GCP SDN connector. Previously, only one project was allowed per SDN connector, which limits the total projects to the number of SDN connectors (256). This enhancement also allows dynamic firewall address filters to filter on a project. FortiOS 6.4.7 and later versions support this feature.

    In this example, a GCP SDN connector (gcp_conn) is configured with two projects. The first project, dev-project-001-166400, is configured using the simple format. The second project, dev-project-002, is configured using the advanced format.

    To configure a GCP connector with multiple projects in the GUI:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. Select Google Cloud Platform (GCP) and enter a name for the connector.
    3. Configure the first project:
      1. For Projects, select Simple.
      2. Enter the project name, service account email, and private key.

    4. Configure the second project:
      1. For Projects, select Advanced (the projects are now displayed in a table) and click Create New.

        The Add GCP Project pane opens.

      2. Enter a name.
      3. Optionally, click the + to enter zones. If no zones are selected, the SDN connector will include all zones. The us-central1-a zone is used in this example.

      4. Click OK.
    5. Click OK to save the SDN connector.
    6. Create a dynamic firewall address for the first project:
      1. Go to Policy & Objects > Addresses and click Create New > Address.
      2. Enter the following:

        Name

        project1_addresses

        Type

        Dynamic

        Sub Type

        Fabric Connector Address

        SDN Connector

        gcp_conn

        Filter

        Add a filter for the project, Project=dev-project-001-166400.

        In this example, there are several instances for the first project, so add a filter for the ID, Id=6266132824476267466.

        Change the logic operator to and.

      3. Click OK.
    7. Create a dynamic firewall address for the second project:
      1. Click Create New > Address.
      2. Enter the following:

        Name

        project2_addresses

        Type

        Dynamic

        Sub Type

        Fabric Connector Address

        SDN Connector

        gcp_conn

        Filter

        Add a filter for the project, Project=dev-project-002.
      3. Click OK.

        The addresses have been created. Wait for a few minutes before the settings take effect.

    8. Verify that the address resolve to the correct addresses. Hover over the address in the table to view the list of populated IP addresses.
    To configure a GCP connector with multiple projects in the CLI:
    1. Configure the SDN connector:
      config system sdn-connector
    edit "gcp_conn"
        set status enable
        set type gcp
        config gcp-project-list
            edit "dev-project-001-166400"
            next
            edit "dev-project-002"
                set gcp-zone-list "us-central1-a"
            next
        end
        set service-account "xxxxxxxxxxxx-compute@developer.gserviceaccount.com"
        set private-key **********
        set update-interval 30
    next
end
    2. Create a dynamic firewall address for project one:
      config firewall address
    edit "project1_addresses"
        set type dynamic
        set sdn "gcp_conn"
        set filter "Project=dev-project-001-166400 & Id=6266132824476267466"
    next
end

      The dynamic firewall address IP is resolved by the SDN connector:

      config firewall address
    edit "project1_addresses"
        show
            config firewall address
                edit "project1_addresses"
                    set uuid 38efbd88-fb08-51eb-8e6d-9b78a2a9bf49
                    set type dynamic
                    set sdn "gcp_conn"
                    set filter "Project=dev-project-001-166400 & Id=6266132824476267466"
                    config list
                        edit "172.16.16.3"
                        next
                        edit "172.16.24.3"
                        next
                        edit "172.16.8.4"
                        next
                    end
                next
            end
    next
end
    3. Create a dynamic firewall address for project two:
      config firewall address
    edit "project2_addresses"
        set type dynamic
        set sdn "gcp_conn"
        set filter "Project=dev-project-002"
        set sdn-addr-type all   
    next
end

      The dynamic firewall address IP is resolved by the SDN connector:

      config firewall address
    edit "project2_addresses"
        show
            config firewall address
                edit "project2_addresses"
                    set uuid 5ca9b2ba-fb08-51eb-57c0-12701b3d33c1
                    set type dynamic
                    set sdn "gcp_conn"
                    set filter "Project=dev-project-002"
                    set sdn-addr-type all
                    config list
                        edit "10.128.0.2"
                        next
                        edit "34.66.35.241"
                        next
                    end
                next
            end
    next
end
    Previous
    Next

    Multiple GCP projects in a single SDN connector

    Multiple GCP projects in a single SDN connector

    An option is added to specify multiple projects under a single GCP SDN connector. Previously, only one project was allowed per SDN connector, which limits the total projects to the number of SDN connectors (256). This enhancement also allows dynamic firewall address filters to filter on a project. FortiOS 6.4.7 and later versions support this feature.

    In this example, a GCP SDN connector (gcp_conn) is configured with two projects. The first project, dev-project-001-166400, is configured using the simple format. The second project, dev-project-002, is configured using the advanced format.

    To configure a GCP connector with multiple projects in the GUI:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. Select Google Cloud Platform (GCP) and enter a name for the connector.
    3. Configure the first project:
      1. For Projects, select Simple.
      2. Enter the project name, service account email, and private key.

    4. Configure the second project:
      1. For Projects, select Advanced (the projects are now displayed in a table) and click Create New.

        The Add GCP Project pane opens.

      2. Enter a name.
      3. Optionally, click the + to enter zones. If no zones are selected, the SDN connector will include all zones. The us-central1-a zone is used in this example.

      4. Click OK.
    5. Click OK to save the SDN connector.
    6. Create a dynamic firewall address for the first project:
      1. Go to Policy & Objects > Addresses and click Create New > Address.
      2. Enter the following:

        Name

        project1_addresses

        Type

        Dynamic

        Sub Type

        Fabric Connector Address

        SDN Connector

        gcp_conn

        Filter

        Add a filter for the project, Project=dev-project-001-166400.

        In this example, there are several instances for the first project, so add a filter for the ID, Id=6266132824476267466.

        Change the logic operator to and.

      3. Click OK.
    7. Create a dynamic firewall address for the second project:
      1. Click Create New > Address.
      2. Enter the following:

        Name

        project2_addresses

        Type

        Dynamic

        Sub Type

        Fabric Connector Address

        SDN Connector

        gcp_conn

        Filter

        Add a filter for the project, Project=dev-project-002.
      3. Click OK.

        The addresses have been created. Wait for a few minutes before the settings take effect.

    8. Verify that the address resolve to the correct addresses. Hover over the address in the table to view the list of populated IP addresses.
    To configure a GCP connector with multiple projects in the CLI:
    1. Configure the SDN connector:
      config system sdn-connector
    edit "gcp_conn"
        set status enable
        set type gcp
        config gcp-project-list
            edit "dev-project-001-166400"
            next
            edit "dev-project-002"
                set gcp-zone-list "us-central1-a"
            next
        end
        set service-account "xxxxxxxxxxxx-compute@developer.gserviceaccount.com"
        set private-key **********
        set update-interval 30
    next
end
    2. Create a dynamic firewall address for project one:
      config firewall address
    edit "project1_addresses"
        set type dynamic
        set sdn "gcp_conn"
        set filter "Project=dev-project-001-166400 & Id=6266132824476267466"
    next
end

      The dynamic firewall address IP is resolved by the SDN connector:

      config firewall address
    edit "project1_addresses"
        show
            config firewall address
                edit "project1_addresses"
                    set uuid 38efbd88-fb08-51eb-8e6d-9b78a2a9bf49
                    set type dynamic
                    set sdn "gcp_conn"
                    set filter "Project=dev-project-001-166400 & Id=6266132824476267466"
                    config list
                        edit "172.16.16.3"
                        next
                        edit "172.16.24.3"
                        next
                        edit "172.16.8.4"
                        next
                    end
                next
            end
    next
end
    3. Create a dynamic firewall address for project two:
      config firewall address
    edit "project2_addresses"
        set type dynamic
        set sdn "gcp_conn"
        set filter "Project=dev-project-002"
        set sdn-addr-type all   
    next
end

      The dynamic firewall address IP is resolved by the SDN connector:

      config firewall address
    edit "project2_addresses"
        show
            config firewall address
                edit "project2_addresses"
                    set uuid 5ca9b2ba-fb08-51eb-57c0-12701b3d33c1
                    set type dynamic
                    set sdn "gcp_conn"
                    set filter "Project=dev-project-002"
                    set sdn-addr-type all
                    config list
                        edit "10.128.0.2"
                        next
                        edit "34.66.35.241"
                        next
                    end
                next
            end
    next
end
    Previous
    Next