config system sdn-connector

Use this command to create a Cloud SDN connector. Cloud SDN connectors provide integration and orchestration of Fortinet products with public and private cloud solutions. In a typical cloud environment, resources are dynamic and often provisioned and scaled on-demand. By using an SDN connector, you can ensure that changes to cloud environment attributes are automatically updated in the Security Fabric.

Syntax

Kubernetes Connector

config system sdn-connector

edit <name>

set type kubernetes

set status {enable | disable}

set server <server address>

set server-port <port number>

set secret-token <string>

set update-interval <seconds>

next

end

OCI Connector

config system sdn-connector

edit <name>

set type oci

set tenant-id <string>

set compartment-id <string>

set user-id <string>

set oci-region <string>

set oci-cert <string>

set use-metadata-iam {enable | disable}

set ha-status {enable | disable}

next

end

AWS Connector

config system sdn-connector

edit <name>

set type aws

set status {enable | disable}

set aws-region <string>

set aws-accesskey <string>

set aws-secretkey <string>

set update-interval <seconds>

set use-metadata-iam {enable | disable}

next

end

SAP Connector

config system sdn-connector

edit <name>

set type sap

set status {enable | disable}

set server <server address>

set sap-ms-http-port <port number>

set sap-icm-http-port <port number>

set sap-sidadm <string>

set sap-password <string>

set update-interval <seconds>

next

end

Cisco ACI Connector

config system sdn-connector

edit <name>

set type acid

set status {enable | disable}

set verify-certificate {enable | disable}

set server-list <server address>

set aci-username <string>

set aci-password <string>

set update-interval <seconds>

next

end

CLI Parameter

Description

type

The type of SDN connector:

  • kubernetes

  • aws

  • oci

  • sap

  • acid (Cisco ACI, as used in the syntax above)

Kubernetes connector

status

Enable or disable the Kubernetes connector.

server

Address of the Kubernetes API server.

server-port

API server port number. Default is 6443. Range is 1 to 65535.

secret-token

The service account bearer token that FortiADC presents to the Kubernetes API. FortiADC stores this value statically, so it should belong to a dedicated service account that has only the read permissions the connector needs.

Note:

Versions of Kubernetes before v1.22 automatically created long-term credentials for accessing the Kubernetes API. This older mechanism was based on creating token Secrets that could then be mounted into running Pods. In more recent versions, including Kubernetes v1.28, API credentials are obtained directly by using the TokenRequest API and are mounted into Pods using a projected volume. The tokens obtained using this method have bounded lifetimes and are automatically invalidated when the Pod they are mounted into is deleted.

You can still manually create a service account token Secret; for example, if you need a token that never expires. Kubernetes recommends the TokenRequest subresource instead for in-cluster workloads, but an external client such as this connector, which holds a fixed secret-token, needs a token that outlives any single request, so a service account token Secret bound to a read-only service account is the practical choice. Treat that token as a long-lived credential: restrict its RBAC to read verbs and rotate it by deleting and recreating the Secret.
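The following is an added example, not part of the FortiADC documentation: a least-privilege ServiceAccount, a read-only ClusterRole/ClusterRoleBinding, and the long-lived service account token Secret the note above describes, emitted by a shell function so the manifest can be inspected before it is applied. The namespace and account name (fortiadc-sdn) and the list of resources the connector reads (pods, services, endpoints, nodes, namespaces) are assumptions; the page does not list FortiADC's exact API needs, so adjust the rules to what your FortiADC version actually queries.

```shell
#!/bin/sh
# Added example (not FortiADC's own code): least-privilege RBAC plus a
# long-lived token Secret for the FortiADC Kubernetes SDN connector.
# ASSUMPTIONS: the namespace/account name and the resource list are
# illustrative; confirm the resources your FortiADC version reads.

SA_NS="${SA_NS:-fortiadc-sdn}"
SA_NAME="${SA_NAME:-fortiadc-sdn}"

# Print the manifest. Read-only verbs only: the connector polls, it never writes.
sdn_rbac_manifest() {
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${SA_NS}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${SA_NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${SA_NAME}-reader
rules:
- apiGroups: [""]
  resources: ["pods", "services", "endpoints", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${SA_NAME}-reader
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SA_NS}
---
# Long-lived token Secret (the pre-1.22 mechanism). Needed because the
# connector holds a static secret-token and cannot call TokenRequest itself.
apiVersion: v1
kind: Secret
metadata:
  name: ${SA_NAME}-token
  namespace: ${SA_NS}
  annotations:
    kubernetes.io/service-account.name: ${SA_NAME}
type: kubernetes.io/service-account-token
EOF
}

# Apply the manifest and print the token that goes into "set secret-token".
# Requires kubectl and cluster access, so it is only a function and is not
# executed when this file is loaded.
sdn_apply_and_get_token() {
  sdn_rbac_manifest | kubectl apply -f - >/dev/null
  kubectl -n "${SA_NS}" get secret "${SA_NAME}-token" \
    -o jsonpath='{.data.token}' | base64 -d
}

# Guard against privilege drift: succeed only if no rule grants a write verb.
sdn_manifest_is_readonly() {
  ! sdn_rbac_manifest | grep -Eiq 'verbs:.*("create"|"update"|"patch"|"delete"|"\*")'
}
```

After applying, confirm the account really is read-only with `kubectl auth can-i delete pods --as=system:serviceaccount:fortiadc-sdn:fortiadc-sdn` (expected answer: no) before pasting the token into `set secret-token`. Rotate by deleting and recreating the Secret; the old token is invalidated as soon as the Secret is gone.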

update-interval

Specify an update interval in seconds. Default is 30. Range is 30 to 3600.

OCI connector

tenant-id

The tenant ID (OCID of the tenancy) used to log in to OCI.

compartment-id

The compartment ID in which your compute instances are deployed.

user-id

The user ID used to log in to OCI.

oci-region

The OCI region where your compute instances are located.

oci-cert

The certificate (API signing key) that FortiADC uses to authenticate its connections to the OCI API when it is not using the instance's own identity.

use-metadata-iam

When FortiADC is deployed on OCI, enable this option to authenticate with the IAM identity assigned to the instance instead of a stored user ID and certificate, so that no long-lived API credential has to be kept in the FortiADC configuration.

ha-status

Enable this option if your OCI instances are deployed in HA mode.

AWS connector

status

Enable or disable the AWS connector.

aws-region

The region where your instances are deployed.

aws-accesskey

The IAM access key ID. Used only when use-metadata-iam is disabled.

aws-secretkey

The IAM secret access key. Used only when use-metadata-iam is disabled. Because this key is stored in the FortiADC configuration, give the IAM user the minimum read-only permissions the connector needs and rotate the key regularly.

update-interval

The interval, in seconds, at which the connector retrieves AWS objects and refreshes the information in the server pool configuration.

use-metadata-iam

When FortiADC is deployed on AWS, enable this option to authenticate with the IAM role attached to the instance (obtained through the instance metadata service) instead of a stored access key, giving it access to EC2 instances and EKS objects without any long-lived credential in the configuration.
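The following is an added example, not part of the FortiADC documentation: the AWS side of `use-metadata-iam`, a read-only IAM role and instance profile attached to the FortiADC EC2 instance so that no access key has to be set with aws-accesskey and aws-secretkey. The role name and the action list (EC2 and EKS describe/list calls) are assumptions; the page says only that the connector reads EC2 instances and EKS objects, so add any further read actions your FortiADC version logs as denied.

```shell
#!/bin/sh
# Added example (not FortiADC's own code): create a read-only IAM instance
# role for the FortiADC AWS SDN connector and attach it to the instance.
# ASSUMPTIONS: role/profile name and the action list are illustrative.
# The apply step needs the AWS CLI with IAM and EC2 permissions and is not
# executed when this file is loaded.

ROLE_NAME="${ROLE_NAME:-FortiADC-SDN-Connector}"

# Trust policy: only the EC2 service may assume the role.
sdn_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permission policy: read-only discovery of EC2 instances and EKS clusters.
sdn_permission_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeInstances",
      "ec2:DescribeRegions",
      "eks:ListClusters",
      "eks:DescribeCluster"
    ],
    "Resource": "*"
  }]
}
EOF
}

# Succeed only if the permission policy grants no write/admin-style action.
sdn_policy_is_readonly() {
  ! sdn_permission_policy | grep -Eq '"(ec2|eks|iam):(Create|Delete|Update|Modify|Put|Attach|Run|Terminate|\*)'
}

# Create the role, attach the inline policy, wrap it in an instance profile and
# bind the profile to the FortiADC instance (argument: EC2 instance ID).
sdn_attach_instance_role() {
  instance_id="$1"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(sdn_trust_policy)" >/dev/null
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "${ROLE_NAME}-ReadOnly" \
    --policy-document "$(sdn_permission_policy)"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile Name="$ROLE_NAME"
}
```

Once the profile is attached, set `use-metadata-iam enable` and leave aws-accesskey and aws-secretkey unset; if you previously stored a key in the connector, deactivate it in IAM after confirming the connector still populates the server pool. If you plan to require IMDSv2 on the instance (`aws ec2 modify-instance-metadata-options --http-tokens required`), confirm first that your FortiADC version supports it; the page does not say.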

SAP Connector

status

Enable or disable the SAP connector.

server

The IP address of the SAP server.

sap-ms-http-port

The SAP Message Server (MS) HTTP port that FortiADC uses to communicate with the SAP server.

sap-icm-http-port

The SAP Internet Communication Manager (ICM) HTTP port.

sap-sidadm

The SAP system administrator account (<SID>adm) that FortiADC uses to access the SAP resources.

sap-password

The password for the sap-sidadm account.

update-interval

The interval, in seconds, at which the connector retrieves SAP objects and refreshes the information in the server pool configuration.

Cisco ACI Connector

status

Enables or disables the connector. When enabled, FortiADC immediately attempts to establish communication with the APIC servers in the configured list. Disabling the connector suspends synchronization and retains the last cached topology data until re-enabled.

verify-certificate

When enabled, FortiADC verifies the TLS certificate presented by the APIC server during the HTTPS handshake. Keep this enabled whenever the APIC uses a certificate that FortiADC trusts (CA-signed, or issued by an internal CA whose certificate has been installed on FortiADC).

Disabling this option is only appropriate as a temporary measure while an APIC still presents a self-signed certificate or one from a CA FortiADC does not yet trust. Disabling verification keeps the connection encrypted but removes any check on who the peer is, so anyone able to intercept the path to the APIC can impersonate it and capture the aci-username and aci-password sent for REST API authentication. The durable fix is to make the APIC certificate trusted and re-enable verification.

This is disabled by default.

server-list

Lists up to four Cisco APIC controller IP addresses (IPv4 or IPv6). FortiADC connects to the first reachable host in sequence and monitors the connection. If the active controller becomes unavailable, FortiADC automatically switches to the next server in the list. At least one reachable APIC host is required for successful synchronization.

aci-username

Specifies the APIC account used for REST API authentication. The account should have read-only privileges to the ACI tenant and fabric objects. Higher privileges are not required or recommended.

aci-password

Password for the APIC user account. The password is stored in encrypted form and used only for API authentication.

update-interval

Specifies the polling frequency (in seconds) for topology updates from the APIC cluster. Each interval triggers a REST API query to retrieve changes in tenants, application profiles, and EPGs.

Default: 60, Valid range: 10–3600 seconds. Shorter intervals increase synchronization responsiveness but generate higher API request volume.
