Fortinet Document Library

FortiGate-VM on OpenStack

Use Case: Automatically Updating Dynamic Addresses Using Fabric Connector

Version: 6.0.0

Creating an Address

The next step is to create an Address to use, as an address group or a single address, as the source or destination of firewall policies. The Address is based on IP addresses and contains the IP addresses of VM instances.

No matter what changes occur to the instances, the SDN Connector automatically populates and updates the Address based on the specified filtering condition, so administrators do not need to reconfigure the Address content manually. Firewall policies that use the Address are applied to the instances that are members of the Address.

  1. Go to Policy & Objects > Address. Click Create New, then select Address.

  2. Configure the Address as follows:
    1. Name: Name the Address as desired.
    2. Type: Select Fabric Connector Address.
    3. SDN Connector: Select openstack.
    4. Filter: The SDN Connector automatically populates and updates only the IP addresses of instances that match the specified filter condition. Currently, OpenStack Horizon Connectors support the following filters:
      1. id=<instance id>: This matches a VM instance ID.
      2. name=<instance name>: This matches a VM instance name.
      3. flavor=<instance flavor name>: This matches an instance flavor name.
      4. keypair=<key pair name>: This matches a key pair name.
      5. network=<net name>: This matches a network name.
      6. project=<project name>: This matches a project name.
      7. availabilityzone=<zone name>: This matches an availability zone name.
      8. servergroup=<group name>: This matches a server group name.
      9. securitygroup=<security group name>: This matches a security group name.
      10. metadata.<key>=<value>: This matches metadata with its key and value pair.

    You can set filtering conditions using multiple entries with AND ("&") or OR ("|"). When both AND and OR are specified, AND is interpreted first, then OR.

    For example, you could enter flavor=m1.nano&project=admin. In this case, IP addresses of instances that match both the flavor name and project name are populated. Wildcards (asterisks) are not allowed in values.

    In this example, let's use project=admin, assuming the project name is admin.

  3. Click OK after completing all required fields.
  4. Ensure that the Address was created.

  5. After a few minutes, the new Address takes effect. Hover your mouse over the Address to see a list of IP addresses and instances with the project name "admin".
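
The filter rules from step 2 (AND is interpreted before OR, wildcards are rejected), as an added example that is not Fortinet code: a small Python evaluator for previewing which instance IPs a filter expression would select before the Address is used in a firewall policy. The function names and the inventory records are constructed for illustration, and matching multi-valued attributes (such as security groups) by membership is an assumption.

```python
# Added example, not FortiOS code: preview which instance IPs a filter selects.
# INSTANCES is constructed; membership matching for lists is an assumption.
FILTER_KEYS = {"id", "name", "flavor", "keypair", "network", "project",
               "availabilityzone", "servergroup", "securitygroup"}

def parse_filter(expr):
    """Split into OR-ed groups of AND-ed (key, value) terms (AND binds first)."""
    groups = []
    for or_part in expr.split("|"):
        terms = []
        for term in or_part.split("&"):
            key, sep, value = term.strip().partition("=")
            if not sep or not value:
                raise ValueError(f"malformed term: {term!r}")
            if key not in FILTER_KEYS and not key.startswith("metadata."):
                raise ValueError(f"unsupported filter key: {key!r}")
            if "*" in value:
                raise ValueError(f"wildcards are not allowed: {term!r}")
            terms.append((key, value))
        groups.append(terms)
    return groups

def term_matches(inst, key, value):
    if key.startswith("metadata."):
        return inst.get("metadata", {}).get(key[len("metadata."):]) == value
    field = inst.get(key)
    if isinstance(field, (list, tuple, set)):   # e.g. several security groups
        return value in field
    return field == value

def resolve(expr, instances):
    """Return the sorted IPs of instances matching any AND-group."""
    groups = parse_filter(expr)
    return sorted(ip for inst in instances
                  if any(all(term_matches(inst, k, v) for k, v in g) for g in groups)
                  for ip in inst["ips"])

INSTANCES = [  # constructed sample inventory
    {"name": "web1", "flavor": "m1.nano", "project": "admin",
     "securitygroup": ["default"], "metadata": {"tier": "web"}, "ips": ["10.0.0.11"]},
    {"name": "db1", "flavor": "m1.small", "project": "admin",
     "securitygroup": ["db"], "metadata": {"tier": "db"}, "ips": ["10.0.0.12"]},
    {"name": "test1", "flavor": "m1.nano", "project": "dev",
     "securitygroup": ["default"], "metadata": {"tier": "web"}, "ips": ["10.0.1.21"]},
]

if __name__ == "__main__":
    for f in ("project=admin", "project=dev|flavor=m1.nano&project=admin"):
        print(f, "->", resolve(f, INSTANCES))
```

With this inventory, `project=dev|flavor=m1.nano&project=admin` selects both `test1` and `web1`; if OR were evaluated first, the same string would select only `web1`, which is why a mixed expression is worth previewing before a policy depends on it.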
