OCI Administration Guide

Configuring an OCI Fabric connector using IAM roles

This guide provides a sample configuration of an OCI Fabric connector using IAM roles instead of traditional authentication. Traditional authentication uses certificates from the FortiGate-VM to OCI over TCP/IP. Instead, this configuration uses the IAM role provided by and configurable in the OCI environment for authentication. The IAM role includes permissions that you can give to the instance, so that FortiOS can implicitly access metadata information and communicate to the Fabric connector on its own private internal network without further authentication.

The following shows the topology when using traditional authentication versus IAM roles:

The following prerequisites must be met for this configuration:

  • A FortiGate located on OCI
  • Administrative permissions on OCI over the FortiGate instance and its environment
  • The following summarizes the minimum sufficient IAM policy statements for this deployment:
    • Allow dynamic-group <group_name> to read compartments in tenancy
    • Allow dynamic-group <group_name> to read instances in tenancy
    • Allow dynamic-group <group_name> to read vnic-attachments in tenancy
    • Allow dynamic-group <group_name> to read private-ips in tenancy
    • Allow dynamic-group <group_name> to read public-ips in tenancy
    • To define simpler roles, use the following instead:
      • Allow dynamic-group <group_name> to read compartments in tenancy
      • Allow dynamic-group <group_name> to read instances in tenancy
      • Allow dynamic-group <group_name> to read virtual-network-family in tenancy
    • For an HA setup, the connector must be able to change network resources during failover, so grant manage permissions on virtual-network-family in tenancy:
      • Allow dynamic-group <group_name> to manage virtual-network-family in tenancy

Note

Actual role configurations may differ depending on your environment. Check with your company's public cloud administrators for more details.

To configure an OCI Fabric connector using IAM roles, complete the following steps:

  1. Configure an IAM role on OCI.
  2. Configure a Fabric connector in FortiOS.
  3. Perform testing to ensure that the Fabric connector is connected to OCI.

To configure an IAM role on OCI:

  1. In OCI, go to Compute > Instances, and select the desired FortiGate-VM instance.
  2. On the Instance Details page, note the instance's OCID. In this example, the OCID is ocid1.instance.oc1.iad.abuwcljthhvsi7djktxkljr2pzjelkcj4pgozd46bnpcpt5pxcaj56mkurhq.
  3. Open the OPC menu and go to Identity > Dynamic Groups. Create a dynamic group with rules that allow instances that match the FortiGate-VM's instance ID. Use the syntax "ALL {instance.id ='instanceID'}" when creating the rule. In this example, the configured rule is "ALL {instance.id = 'ocid1.instance.oc1.iad.abuwcljthhvsi7djktxkljr2pzjelkcj4pgozd46bnpcpt5pxcaj56mkurhq'}". If you have multiple instances to include in the dynamic group, create multiple rules for this dynamic group.
  4. Go to Identity > Policies. Create a policy that allows the dynamic group to manage the environment. This allows the instance referenced in the dynamic group to query metadata and move resources around if the Fabric connector is used for HA. In the STATEMENT field, use the syntax "Allow dynamic-group <group-name> to manage all-resources in TENANCY".

To configure a Fabric connector in FortiOS:

To configure a Fabric connector in the FortiOS GUI, do the following:

  1. In FortiOS, go to Security Fabric > Fabric Connectors.
  2. Click Create New > Oracle Cloud Infrastructure (OCI).
  3. Enable Use metadata IAM.
  4. In the Tenant ID field, enter the FortiGate-VM's tenant ID.
  5. In the Compartment ID field, enter the compartment's OCID. This may be the same as the tenant ID depending on your configuration.
  6. Configure the other Fabric connector settings as required.
  7. In Security Fabric > Fabric Connectors, ensure that the OCI connector has been created and is enabled and connected.

To configure a Fabric connector using the FortiOS CLI, run the following commands:

  config system sdn-connector
      edit "oci-sdn-connector"
          set status enable
          set type oci
          set ha-status disable
          set tenant-id "<tenant ID>"
          set user-id ''
          set compartment-id "<compartment ID>"
          set oci-region phoenix
          set oci-cert ''
          set use-metadata-iam enable
          set update-interval 60
      next
  end

To perform testing:

To ensure the Fabric connector is connected to OCI, run the diagnose sys sdn status command. The output should display that the Fabric connector has a connected status.

You can run the diagnose debug application ocid -1 and diagnose test application ocid commands for further debugging.

Note

If you have security concerns about the policy allowing the dynamic group access to the entire environment, follow the principle of least privilege detailed in the OPC documentation. For example, if you are not using the Fabric connector for failover and instead are using it only for querying, you can assign the dynamic group read-only permissions.
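The prerequisites list above gives the minimum policy statements for a query-only connector and for an HA connector, and this note recommends trimming the broad "manage all-resources" statement down to them. The following added example (not Fortinet's or Oracle's code) is a small least-privilege checker: it parses OCI policy statements of the form "Allow dynamic-group <group> to <verb> <resource-type> in <scope>", folds the family and all-resources aggregates into concrete resource-types, and reports what a dynamic group is missing or holds in excess of what the connector needs. It assumes the standard OCI verb ordering inspect < read < use < manage, that virtual-network-family covers vnic-attachments, private-ips and public-ips (the equivalence the prerequisites imply), and uses the constructed group name fgt-group.

```python
"""Least-privilege check for the OCI IAM policy statements behind a FortiGate
Fabric connector dynamic group.

Added example, not Fortinet's or Oracle's code. Assumptions:
  * OCI verb ordering inspect < read < use < manage.
  * 'virtual-network-family' covers vnic-attachments, private-ips and public-ips;
    'all-resources' covers everything.
  * The dynamic group name 'fgt-group' in the sample policies is constructed.
"""
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource-types and the concrete types they cover (assumption, see above).
FAMILIES = {"virtual-network-family": {"vnic-attachments", "private-ips", "public-ips"}}

# Minimum verbs the page lists for a query-only connector ...
READONLY_REQUIRED = {
    "compartments": "read",
    "instances": "read",
    "vnic-attachments": "read",
    "private-ips": "read",
    "public-ips": "read",
}
# ... and for an HA connector, which must move IPs and VNICs during failover.
HA_REQUIRED = {**READONLY_REQUIRED,
               "vnic-attachments": "manage", "private-ips": "manage", "public-ips": "manage"}

STATEMENT_RE = re.compile(
    r"^\s*allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>[a-z-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Split one 'Allow dynamic-group ... to <verb> <resource> in <scope>' statement."""
    m = STATEMENT_RE.match(stmt)
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    d = m.groupdict()
    return {"group": d["group"], "verb": d["verb"].lower(),
            "resource": d["resource"].lower(), "scope": d["scope"].lower()}


def effective_grants(statements, group):
    """Strongest verb granted to `group` per concrete resource-type.
    The key '*' records a grant on all-resources."""
    grants = {}
    for s in map(parse_statement, statements):
        if s["group"] != group:
            continue
        if s["resource"] == "all-resources":
            targets = {"*"}
        else:
            targets = FAMILIES.get(s["resource"], {s["resource"]})
        for t in targets:
            if VERB_RANK[s["verb"]] > VERB_RANK.get(grants.get(t), -1):
                grants[t] = s["verb"]
    return grants


def _granted(grants, resource):
    """Strongest verb for `resource`, taking an all-resources grant into account."""
    best = None
    for key in (resource, "*"):
        v = grants.get(key)
        if v is not None and (best is None or VERB_RANK[v] > VERB_RANK[best]):
            best = v
    return best


def check_policy(statements, group, ha=False):
    """Compare what `group` is granted with what the connector needs.
    Returns {'missing': [...], 'excessive': [...]}; both empty means the
    policy is exactly the least-privilege set for that connector mode."""
    required = HA_REQUIRED if ha else READONLY_REQUIRED
    grants = effective_grants(statements, group)
    missing, excessive = [], []
    if "*" in grants:
        excessive.append(f"{grants['*']} all-resources: far broader than the connector needs")
    for res, need in required.items():
        have = _granted(grants, res)
        if have is None or VERB_RANK[have] < VERB_RANK[need]:
            missing.append(f"{need} {res} (have {have or 'nothing'})")
        elif VERB_RANK[have] > VERB_RANK[need] and "*" not in grants:
            excessive.append(f"{have} {res} (only {need} needed)")
    return {"missing": missing, "excessive": excessive}


# Constructed sample policies for the placeholder dynamic group 'fgt-group'.
READONLY_POLICY = [
    "Allow dynamic-group fgt-group to read compartments in tenancy",
    "Allow dynamic-group fgt-group to read instances in tenancy",
    "Allow dynamic-group fgt-group to read vnic-attachments in tenancy",
    "Allow dynamic-group fgt-group to read private-ips in tenancy",
    "Allow dynamic-group fgt-group to read public-ips in tenancy",
]
SIMPLE_HA_POLICY = [
    "Allow dynamic-group fgt-group to read compartments in tenancy",
    "Allow dynamic-group fgt-group to read instances in tenancy",
    "Allow dynamic-group fgt-group to manage virtual-network-family in tenancy",
]
BROAD_POLICY = ["Allow dynamic-group fgt-group to manage all-resources in TENANCY"]

if __name__ == "__main__":
    for name, policy, ha in (("read-only", READONLY_POLICY, False),
                             ("simple HA", SIMPLE_HA_POLICY, True),
                             ("broad", BROAD_POLICY, False)):
        print(f"{name}: {check_policy(policy, 'fgt-group', ha=ha)}")
```

Run it against the statements exported from Identity > Policies before enabling the connector: an empty result means the dynamic group holds exactly what the chosen mode (query-only or HA) needs, "missing" entries point at the statement to add, and an "excessive" entry is the signal to replace a blanket manage grant with the scoped statements from the prerequisites list.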
