GCP Administration Guide

Configuring GCP SDN connector using metadata IAM

To populate dynamic objects, the FortiGate-VM must be able to call the Google Cloud Compute Engine API for the resources it inventories (instances, networks, subnets, tags and labels).

To configure the GCP SDN connector using metadata IAM:
  1. In FortiOS, go to Security Fabric > Fabric Connectors.
  2. Click Create New, and select Google Cloud Platform (GCP).

    Note that you can create only one SDN connector per connector type; for example, only one GCP entry.

  3. Configure the connector as follows:
    1. Name: Enter the desired connector name.
    2. Enable Use metadata IAM. With this option the FortiGate authenticates to the Google APIs with the credentials of the service account attached to the VM, which it obtains from the instance metadata server, so the VM must have a sufficient Compute Engine access scope. See To check metadata API access below. The Use metadata IAM option is only available to FortiGate-VMs running on GCP. FortiGates running outside of GCP (including physical FortiGate units and FortiGate-VMs running on other cloud platforms) have a configuration that is equivalent to disabling this option.
    3. Update interval: the default value is 60 seconds. You can enter a value between 1 and 3600 seconds.
    4. Status: Green means that the connector is enabled. You can disable it at any time by toggling the switch.

    Once the connector is successfully configured, a green indicator appears at the bottom right corner. If the indicator is red, the connector is not working. See Troubleshooting GCP SDN Connector.

  4. Create a dynamic firewall address for the configured GCP SDN connector:
    1. Go to Policy & Objects > Addresses. Click Create New, then select Address.
    2. Configure the Address:
      1. Name: Enter the desired name.
      2. Type: Select Fabric Connector Address.
      3. Fabric Connector Type: Select Google Cloud Platform (GCP).
      4. Filter: The SDN connector automatically populates and updates the address with only the instances that match this filtering condition. Currently GCP supports the following filters:
        1. id=<instance id> : This matches a VM instance ID.
        2. name=<instance name> : This matches a VM instance name.
        3. zone=<gcp zone> : This matches a zone name.
        4. network=<gcp network name> : This matches a network name.
        5. subnet=<gcp subnet name> : This matches a subnet name.
        6. tag=<gcp network tag> : This matches a network tag. An instance matches if the tag is any one of the tags attached to it.
        7. label.<gcp label key>=<gcp label value> : This matches a free-form GCP label key and its value.

        For example, with the filter set to 'network=default & zone=us-central1-f', the address is populated with the IP addresses of all instances that belong to the default network in the zone us-central1-f.

        You can combine multiple conditions with AND ("&") or OR ("|"). When both AND and OR are specified, AND is evaluated first, then OR, so 'label.env=staging | tag=db & zone=us-central1-f' is read as 'label.env=staging | (tag=db & zone=us-central1-f)'.

        Note that wildcards (such as the asterisk) are not allowed in filter values; every value is an exact match.

      5. Click OK.

      The address has been created. It can take a few minutes for the setting to take effect. You will know that the address is in effect when the exclamation mark disappears from the address entry. When you hover over the address, you can see the list of populated IP addresses.

      If the exclamation mark does not disappear, check the address settings, in particular that the filter keys and values exactly match what GCP reports for the instances you expect.
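The following is an added example, not FortiOS code, that evaluates filter strings of the form described above (keys id, name, zone, network, subnet, tag and label.<key>, '&' for AND, '|' for OR, AND evaluated before OR, exact matching with no wildcards) against a constructed instance inventory, so you can predict which IP addresses a dynamic address would be populated with before waiting for the connector to refresh. The instance records, their IPs and the `resolve_addresses` helper are assumptions made for the illustration; they are not what the FortiGate stores internally.

```python
"""Evaluate GCP SDN connector style filter strings against a constructed
instance inventory (added example, not FortiOS code)."""
from __future__ import annotations

# Constructed inventory: only the attributes the filter keys refer to.
# Network and subnet are given as short names, as they appear in filters.
INVENTORY = [
    {"id": "1111111111111111111", "name": "web-1", "zone": "us-central1-f",
     "network": "default", "subnet": "default", "tags": ["http-server", "web"],
     "labels": {"env": "prod", "tier": "web"}, "ip": "10.128.0.2"},
    {"id": "2222222222222222222", "name": "db-1", "zone": "us-central1-f",
     "network": "default", "subnet": "default", "tags": ["db"],
     "labels": {"env": "prod", "tier": "db"}, "ip": "10.128.0.3"},
    {"id": "3333333333333333333", "name": "web-2", "zone": "us-east1-b",
     "network": "prod-vpc", "subnet": "prod-east", "tags": ["web"],
     "labels": {"env": "staging", "tier": "web"}, "ip": "10.142.0.2"},
]

SCALAR_KEYS = {"id", "name", "zone", "network", "subnet"}


def _match_term(term: str, inst: dict) -> bool:
    """Evaluate one key=value term against one instance (exact match only)."""
    if "=" not in term:
        raise ValueError(f"filter term must be key=value: {term!r}")
    key, value = (part.strip() for part in term.split("=", 1))
    if "*" in value or "?" in value:
        # The page states wildcards are not allowed; reject rather than guess.
        raise ValueError(f"wildcards are not allowed in filter values: {term!r}")
    if key in SCALAR_KEYS:
        return inst.get(key) == value
    if key == "tag":                      # an instance can carry several tags
        return value in inst.get("tags", [])
    if key.startswith("label."):          # free-form label key and value
        return inst.get("labels", {}).get(key[len("label."):]) == value
    raise ValueError(f"unsupported filter key: {key!r}")


def match_filter(expr: str, inst: dict) -> bool:
    """AND ('&') binds tighter than OR ('|'): split on '|' first, then '&'."""
    return any(
        all(_match_term(term, inst) for term in clause.split("&"))
        for clause in expr.split("|")
    )


def resolve_addresses(expr: str, inventory=INVENTORY) -> list[str]:
    """Return the IPs a dynamic address with this filter would be populated with."""
    return sorted(i["ip"] for i in inventory if match_filter(expr, i))


if __name__ == "__main__":
    for f in ("network=default & zone=us-central1-f",
              "tag=web | label.tier=db",
              "label.env=staging | tag=db & zone=us-central1-f"):
        print(f"{f!r:55} -> {resolve_addresses(f)}")
```

The third filter in the usage loop is the precedence case: because AND is evaluated first, it selects the staging instance plus the db instance in us-central1-f; if OR bound tighter, the zone condition would also exclude the staging instance.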

To check metadata API access:
  1. In the GCP console, open Compute Engine and go to the FortiGate-VM instance.

  2. Scroll down to Cloud API access scopes and check the Compute Engine setting. If Compute Engine is disabled, you must enable it. Access scopes can only be changed while the instance is stopped, so plan for the traffic interruption:
    1. Stop the VM.
    2. Once the VM is completely stopped, click Edit.
    3. From the Compute Engine dropdown list, select Read/Write access.
    4. Save the change, then restart the VM.

  An access scope only caps what the token issued to the VM may do; it grants nothing by itself. If the FortiGate-VM runs under a custom service account rather than the default Compute Engine service account, that account must also hold an IAM role that permits reading Compute Engine instances, networks and subnets in the project, or the connector will stay red even with the scope set.
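As an added example (not Fortinet or Google code), the same check can be made without the console from any Linux VM in the project, using the documented GCP metadata server endpoint that lists the scopes of the instance's default service account. It classifies the result into the Compute Engine levels the console offers; the scope URLs are the standard Google OAuth scopes, and the sample responses in the test are constructed. It runs on a helper VM, not on the FortiGate itself, since FortiOS has no general-purpose shell, and, per the caveat above, a sufficient scope still does not prove that the service account's IAM roles allow the read.

```python
"""Report the Compute Engine access scope of a GCP VM's default service
account via the metadata server (added example, not Fortinet code)."""
import urllib.request

# Documented metadata server path; the Metadata-Flavor header is mandatory,
# which also blocks naive SSRF requests that cannot set headers.
METADATA_SCOPES_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                       "instance/service-accounts/default/scopes")
COMPUTE_RW = "https://www.googleapis.com/auth/compute"
COMPUTE_RO = "https://www.googleapis.com/auth/compute.readonly"
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"


def classify_compute_scope(scopes_text: str) -> str:
    """Map the newline-separated scope list to a Compute Engine access level.

    Returns 'read/write', 'read-only' or 'none'. The cloud-platform scope
    ("Allow full access to all Cloud APIs" in the console) implies read/write.
    """
    scopes = {s.strip() for s in scopes_text.splitlines() if s.strip()}
    if COMPUTE_RW in scopes or CLOUD_PLATFORM in scopes:
        return "read/write"
    if COMPUTE_RO in scopes:
        return "read-only"
    return "none"


def fetch_scopes(timeout: float = 2.0) -> str:
    """Query the metadata server; only reachable from inside a GCP VM."""
    req = urllib.request.Request(METADATA_SCOPES_URL,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    level = classify_compute_scope(fetch_scopes())
    print("Compute Engine scope on this VM:", level)
    if level != "read/write":
        print("Stop the VM and set Compute Engine to Read/Write before "
              "enabling Use metadata IAM on the FortiGate.")
```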
