Fortinet Document Library

Version:


Table of Contents

FortiGate-VM on OpenStack

Use Case: Automatically Updating Dynamic Addresses Using Fabric Connector

Resources

Upgrade Path Tool
6.0.0
Download PDF
Copy Link

Disabling port security for the FortiGate-VM and CirrOS instances

In OpenStack, the networking component (called Neutron) only allows traffic with known IP/MAC address combinations. This makes the network very secure; however, normal firewall traffic would contain very many IP/MAC address combinations, and it's not practical to add them all to the configuration. Instead, to allow normal firewall traffic, you need to disable port security for your FortiGate-VM instance. For more information, see Managing port level security in OpenStack.

Use the Horizon Instances view to verify the IP addresses of the FortiGate-VM instance, the CirrOS instances, and the networks that the interfaces are connected to. For example:

From the OpenStack command line, run the following bash script to disable port security on the FortiGate-VM interfaces.

#!/bin/bash
echo
echo 'Disable port_security on fgt-vm-1'
echo
echo
`source /home/stack/overcloudrc_tenant01`
FGT='fgt-vm-1'
IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $2}' | awk -F ";" '{print $1}'`
PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`
neutron port-update $PORTID --no-security-groups --port_security_enabled=False
echo
echo $IPADDR
echo `openstack port show $PORTID`
echo
IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $3}' | awk -F ";" '{print $1}'`
PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`
`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`
echo
echo $IPADDR
echo `openstack port show $PORTID`
echo
IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $4}' | awk -F ";" '{print $1}'`
PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`
`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`
echo
echo $IPADDR
echo `openstack port show $PORTID`
echo
IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $5}' | awk -F ";" '{print $1}'`
PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`
`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`
echo
echo $IPADDR
echo `openstack port show $PORTID`
echo

From the OpenStack command line, associate floating IPs to the FortiGate-VM by entering the following command:

openstack server add floating ip fgt-vm-1 10.210.9.10 

Resources

Disabling port security for the FortiGate-VM and CirrOS instances

In OpenStack, the networking component (called Neutron) only allows traffic with known IP/MAC address combinations. This makes the network very secure; however, normal firewall traffic would contain very many IP/MAC address combinations, and it's not practical to add them all to the configuration. Instead, to allow normal firewall traffic, you need to disable port security for your FortiGate-VM instance. For more information, see Managing port level security in OpenStack.

Use the Horizon Instances view to verify the IP addresses of the FortiGate-VM instance, the CirrOS instances, and the networks that the interfaces are connected to. For example:

From the OpenStack command line, run the following bash script to disable port security on the FortiGate-VM interfaces.

#!/bin/bash
echo
echo 'Disable port_security on fgt-vm-1'
echo
echo
`source /home/stack/overcloudrc_tenant01`
FGT='fgt-vm-1'
IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $2}' | awk -F ";" '{print $1}'`
PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`
neutron port-update $PORTID --no-security-groups --port_security_enabled=False
echo
echo $IPADDR
echo `openstack port show $PORTID`
echo
IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $3}' | awk -F ";" '{print $1}'`
PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`
`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`
echo
echo $IPADDR
echo `openstack port show $PORTID`
echo
IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $4}' | awk -F ";" '{print $1}'`
PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`
`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`
echo
echo $IPADDR
echo `openstack port show $PORTID`
echo
IPADDR=`openstack server show $FGT | grep addresses | awk -F "|" '{print $3}' | awk -F "=" '{print $5}' | awk -F ";" '{print $1}'`
PORTID=`openstack port list | grep $IPADDR | awk -F "|" '{print $2}'`
`neutron port-update $PORTID --no-security-groups --port_security_enabled=False`
echo
echo $IPADDR
echo `openstack port show $PORTID`
echo

From the OpenStack command line, associate floating IPs to the FortiGate-VM by entering the following command:

openstack server add floating ip fgt-vm-1 10.210.9.10