Fortinet Document Library: FortiGate Connector - Cisco ACI Deployment Package, version 5.6.3

Configuring the Firewall Address and Address Group

The following shows sample CLI commands to create a dynamic address object.

    config firewall address
        edit "test-tag"
            set type dynamic
            set sdn aci
            set tenant "TENANT-NAME"
            set epg-name "AP-NAME|EPG-NAME"
            set sdn-tag "TAG-NAME"
        next
    end

    config firewall addrgrp
        edit "test-group"
            set member "test-tag" "Adobe Login"
        next
    end

Note: AP-NAME is the name of the application profile that the EPG belongs to.

As with a regular firewall address, you can create and edit the dynamic address in the GUI: go to Policy & Objects > Addresses and create an address of type dynamic.

To debug the SDN Connector on the FortiGate side, use diagnose firewall dynamic address. Its output is a summary of every dynamic address in the VDOM. diagnose firewall dynamic list prints the detailed resolved address list for each dynamic address.

    FG100D3G14800142 (root) # diagnose firewall dynamic address
    Summary of SDN dynamic addresses:
    aci.t2.App_6.*(total-addr: 1000): ID(61) REF(2)
    nuage.NuageCluster.Trusted.*(total-addr: 2): ID(129) REF(1)
    nuage.NuageCluster.*.*(total-addr: 5): ID(192) REF(1)
    Total dynamic list entries: 3. Total dynamic addresses: 1007
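The summary above is what an administrator reads when checking that a policy built on a dynamic address actually covers something. The parser and audit below are an added example, not part of this document or of FortiOS: they parse the summary format shown on the page and flag two conditions a practitioner cares about, an address that resolved to zero IPs (a policy referencing it matches nothing) and an address with REF(0) (defined but unused). The sample text is constructed to match the page's output; the reading of the dotted name as "connector type, then filter fields, with * as a wildcard" is an assumption drawn from that sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, copied in shape from the page's "diagnose firewall dynamic address" output.
SAMPLE_OUTPUT = """\
FG100D3G14800142 (root) # diagnose firewall dynamic address
Summary of SDN dynamic addresses:
aci.t2.App_6.*(total-addr: 1000): ID(61) REF(2)
nuage.NuageCluster.Trusted.*(total-addr: 2): ID(129) REF(1)
nuage.NuageCluster.*.*(total-addr: 5): ID(192) REF(1)
Total dynamic list entries: 3. Total dynamic addresses: 1007
"""

# Constructed sample with two conditions worth flagging: an address that resolved
# to nothing, and an address that no policy or group references.
SAMPLE_WITH_ISSUES = """\
Summary of SDN dynamic addresses:
aci.t2.App_6.*(total-addr: 0): ID(61) REF(2)
aci.t2.App_7.*(total-addr: 12): ID(62) REF(0)
Total dynamic list entries: 2. Total dynamic addresses: 12
"""

ENTRY_RE = re.compile(
    r"^(?P<name>[^\s(]+)\(total-addr: (?P<count>\d+)\): ID\((?P<id>\d+)\) REF\((?P<ref>\d+)\)$"
)
TOTAL_RE = re.compile(
    r"^Total dynamic list entries: (?P<entries>\d+)\. Total dynamic addresses: (?P<addrs>\d+)$"
)


@dataclass(frozen=True)
class DynamicEntry:
    name: str        # e.g. "aci.t2.App_6.*": connector type, then filter fields (assumed layout)
    total_addr: int  # number of IPs currently resolved for this address
    obj_id: int      # object ID reported by the FortiGate
    ref: int         # number of policies/groups referencing the address


def parse_summary(text: str) -> Tuple[List[DynamicEntry], Optional[Tuple[int, int]]]:
    """Return the per-address entries and the (entries, addresses) totals, if the totals line exists."""
    entries: List[DynamicEntry] = []
    totals = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(DynamicEntry(m["name"], int(m["count"]), int(m["id"]), int(m["ref"])))
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals = (int(m["entries"]), int(m["addrs"]))
    return entries, totals


def audit(entries: List[DynamicEntry], totals: Optional[Tuple[int, int]]) -> List[str]:
    """Consistency and hygiene checks on a parsed summary; an empty list means nothing to report."""
    findings: List[str] = []
    if totals is None:
        findings.append("no totals line: output is truncated or the command did not complete")
    else:
        parsed_sum = sum(e.total_addr for e in entries)
        if totals[0] != len(entries):
            findings.append(f"entry count mismatch: footer says {totals[0]}, parsed {len(entries)}")
        if totals[1] != parsed_sum:
            findings.append(f"address total mismatch: footer says {totals[1]}, parsed {parsed_sum}")
    for e in entries:
        if e.total_addr == 0:
            findings.append(f"{e.name}: resolves to no addresses, so a policy using it matches nothing")
        if e.ref == 0:
            findings.append(f"{e.name}: not referenced by any policy or address group")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(*parse_summary(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_WITH_ISSUES):
        print(finding)
```

Paste the output of the diagnose command into audit_text() as-is; the prompt line and the "Summary of SDN dynamic addresses:" heading do not match either pattern and are skipped. The zero-address check is the one to act on first: a dynamic address that resolved to nothing usually means the tenant, AP|EPG or tag filter no longer matches anything on the APIC, and the policy built on it has silently stopped applying.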

The following describes how firewall address mapping works:

  • Dynamic group tag: The tenant administrator or system administrator tags the objects, either with an orchestration script or manually, in the tag, description, or alias field, depending on which SDN Connector is in use.
  • Back end process: After system boot-up, the dynamic group daemon connects to the SDN Connector using the global system sdn-connector setting. It iterates over all dynamic addresses (dynamic-aci, dynamic-nsx, dynamic-aws, and so on) and sends a request to the SDN Connector for all endpoints or endpoint groups matching each address's SDN filter.

    From the returned data, the daemon applies the filter to select the matching EPGs as members, then updates the resolved IP addresses and pushes them to the kernel.

    When a dynamic address is created in the CMDB, the daemon receives the CMDB event and resends all filters to the SDN Connector. The SDN Connector retrieves the endpoints or EPGs matching those filters, returns them to the FortiGate, and the kernel is updated.
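To make the filter semantics concrete, the following is an added model of the resolution step described above; it is not FortiOS code and does not talk to an APIC. It applies the three filter fields from the CLI sample (tenant, epg-name in "AP-NAME|EPG-NAME" form, sdn-tag) to a constructed endpoint inventory, treats "*" as a wildcard (an assumption carried over from the diagnose output), resolves an address group that mixes a dynamic member with a static one, and shows the CMDB-event path in which every filter is resolved again, not just the new one. How the real daemon treats a malformed epg-name is not described on the page; this model makes such an address match nothing, which is the safe default for a filter you cannot interpret.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """One ACI endpoint as the connector might report it (constructed inventory)."""
    tenant: str
    app_profile: str
    epg: str
    tag: str
    ip: str


@dataclass(frozen=True)
class DynamicAddress:
    """The filter fields of a 'config firewall address' entry with 'set type dynamic'."""
    name: str
    tenant: str    # set tenant "TENANT-NAME"
    epg_name: str  # set epg-name "AP-NAME|EPG-NAME"; "*" means any (assumed wildcard)
    sdn_tag: str   # set sdn-tag "TAG-NAME"; "*" means any (assumed wildcard)


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def endpoint_matches(addr: DynamicAddress, ep: Endpoint) -> bool:
    """True when the endpoint satisfies every filter field of the dynamic address."""
    if not _match(addr.tenant, ep.tenant):
        return False
    if addr.epg_name != "*":
        ap, sep, epg = addr.epg_name.partition("|")
        if not sep:
            # Not in AP-NAME|EPG-NAME form: fail closed rather than guess (model's choice).
            return False
        if not (_match(ap, ep.app_profile) and _match(epg, ep.epg)):
            return False
    return _match(addr.sdn_tag, ep.tag)


def resolve_all(addresses: Iterable[DynamicAddress], endpoints: Iterable[Endpoint]) -> Dict[str, FrozenSet[str]]:
    """The daemon's full pass: every filter is evaluated against the connector's endpoint data."""
    eps = list(endpoints)
    return {a.name: frozenset(ep.ip for ep in eps if endpoint_matches(a, ep)) for a in addresses}


def group_members(member_names: Iterable[str], resolved: Dict[str, FrozenSet[str]],
                  static_addresses: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """An addrgrp is the union of its members, whether dynamic (resolved) or static."""
    ips: set = set()
    for name in member_names:
        if name in resolved:
            ips |= resolved[name]
        elif name in static_addresses:
            ips |= static_addresses[name]
        else:
            raise KeyError(f"unknown address object {name!r}")
    return frozenset(ips)


def on_cmdb_event(addresses: List[DynamicAddress], new_address: DynamicAddress,
                  endpoints: Iterable[Endpoint]) -> Tuple[List[DynamicAddress], Dict[str, FrozenSet[str]]]:
    """A new dynamic address in the CMDB triggers re-resolution of all filters, per the text above."""
    updated = list(addresses) + [new_address]
    return updated, resolve_all(updated, endpoints)


def empty_addresses(resolved: Dict[str, FrozenSet[str]]) -> List[str]:
    """Dynamic addresses that currently resolve to nothing; policies using them match no traffic."""
    return sorted(name for name, ips in resolved.items() if not ips)


# Constructed endpoint inventory and address objects (not from the page).
ENDPOINTS = [
    Endpoint("t2", "App_6", "Web", "prod", "10.1.1.10"),
    Endpoint("t2", "App_6", "Web", "dev", "10.1.1.11"),
    Endpoint("t2", "App_6", "DB", "prod", "10.1.2.10"),
    Endpoint("t3", "App_1", "Web", "prod", "10.3.1.10"),
]
ADDRESSES = [
    DynamicAddress("web-prod", "t2", "App_6|Web", "prod"),
    DynamicAddress("t2-any", "t2", "*", "*"),
    DynamicAddress("cache-missing", "t2", "App_6|Cache", "*"),  # nothing matches this one
]
STATIC_ADDRESSES = {"Adobe Login": frozenset({"192.0.2.10/32"})}  # constructed static member


if __name__ == "__main__":
    resolved = resolve_all(ADDRESSES, ENDPOINTS)
    print("test-group ->", sorted(group_members(["web-prod", "Adobe Login"], resolved, STATIC_ADDRESSES)))
    print("empty dynamic addresses:", empty_addresses(resolved))
```

The empty_addresses() list is the model's equivalent of a "total-addr: 0" line in the diagnose summary: a filter that names a tenant, application profile, EPG or tag that the fabric no longer has resolves to nothing, and any policy that relies on that address stops matching without any configuration error being raised.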
