Handbook

Configuration

6.0.0

Configuration

The method that you use to configure a Fabric Connector depends on which type of connector you're using:

Creating a Fabric connector for SDN

Note: FortiOS doesn't support multiple SDN Connector instances to Amazon Web Services, Google Cloud Platform, Microsoft Azure, and VMware NSX.

Fabric Connectors to Software-Defined Networks (SDNs) provide integration and orchestration of Fortinet products with key SDN solutions. You use Fabric Connectors to make sure that any changes in your SDN environment are automatically updated in your network.

To create a Fabric Connector for SDN, you need to do the following:

For an example of how to configure a Fabric Connector for Microsoft Azure, see Automatically Updating Dynamic Addresses Using Fabric Connector.

Gather required information

Before you can create a Fabric Connector, you need to know specific information, which differs depending on which service you're using. You can find this information using your account for the specific service.

Service

Required information for the service

Amazon Web Services

  • Access key ID
  • Secret access key
  • Region name
  • VPC ID (optional)

Cisco Application Centric Infrastructure

  • IP address
  • Port
  • Username
  • Password

Google Cloud Platform

  • Project name
  • Service account email
  • Private key

Microsoft Azure (including Azure Stack)

  • Server region
  • Tenant ID
  • Client ID
  • Client secret
  • Subscription ID (optional)
  • Resource group (optional)
  • Login endpoint (Azure Stack only)
  • Resource URL (Azure Stack only)

Nuage Virtualized Services Platform

  • IP address
  • Port
  • Username
  • Password

Oracle Cloud Infrastructure

  • User ID
  • Tenant ID
  • Compartment ID
  • Server region
  • Certificate

OpenStack (Horizon)

  • IP address
  • Username
  • Password

VMware NSX

  • IP address or hostname
  • Username
  • Password

Create the Fabric Connector

You can create the Fabric Connector using either the GUI or CLI. The CLI commands that are available vary depending on which service you're using.

Creating a Fabric Connector - GUI:
  1. To create a new connector, go to Security Fabric > Fabric Connectors and select Create New.
  2. Select the service you're using and enter the required information for that service.
  3. Select OK.
Creating a Fabric Connector - CLI:

To create a Fabric Connector using the CLI, use the command config system sdn-connector. For more information about this command, see the FortiOS 6.0 CLI Reference.

Create a Fabric Connector address

You use a Fabric Connector address for the following:

  • As the source or destination address for firewall policies
  • To automatically update changes to the addresses in the environment of the service you're using, based on specified filtering conditions
  • To automatically apply changes to the firewall policies that use the address, based on specified filtering conditions
Creating a Fabric Connector address - GUI:
  1. To create a new address, go to Policy & Objects > Addresses and select Create New > Address.
  2. Set a Name for the address.
  3. Set Type to Fabric Connector Address and set Fabric Connector Type to the new Fabric Connector.
  4. Set a Filter or Object ID, depending on the type of Fabric Connector. The filter or ID dynamically creates the members of the address. The types of filters or IDs that are supported vary depending on which service you're using.
  5. Set a specific Interface or leave it as the default any.
  6. Select OK.
Creating a Fabric Connector address - CLI:

config firewall address
    edit <name>
        set type dynamic
        set comment <comment>
        set visibility enable
        set associated-interface <interface_name>
        set sdn {aci | aws | azure | nsx | nuage | oci}
        set filter <filter>
        set obj-id <ID>
    next
end

Add the address to a firewall policy

You use a Fabric Connector address in a firewall policy as either the source or destination address.

Adding the address to a policy - GUI:
  1. To create a new policy, go to Policy & Objects > IPv4 Policy and select Create New.
  2. Set a Name for the policy.
  3. Set the appropriate Incoming Interface and Outgoing Interface.
  4. Set the Fabric Connector address as either the Source or Destination address, as appropriate.
  5. Set other policy settings, as required.
  6. Select OK.
Adding the address to a policy - CLI:

config firewall policy
    edit 0
        set name <name>
        set srcintf <port_name>
        set dstintf <port_name>
        set srcaddr <firewall_address>
        set dstaddr <firewall_address>
        set action accept
        set schedule <schedule>
        set service <service>
    next
end
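The following added example (illustration code, not FortiOS or Fortinet code) models what the procedure above relies on: a dynamic address whose members are computed from a filter over the cloud inventory, and a policy that references that address and therefore follows instance changes without being edited. The inventory, the `Tag.<key>=<value>` filter syntax and the policy dictionary are assumptions constructed for this example.

```python
"""Added illustration (not FortiOS code): how a dynamic (Fabric Connector)
address resolves its members from instance tags, and why a policy that
references it needs no edit when instances come and go.
Inventory, filter syntax and policy shape are constructed for this example."""
from ipaddress import ip_address
from typing import Dict, List, Set

# Constructed inventory, shaped like what an SDN connector polls:
# each instance carries tags and one or more private IPs.
INVENTORY: List[Dict] = [
    {"id": "i-0001", "tags": {"Role": "web", "Env": "prod"}, "ips": ["10.0.1.10"]},
    {"id": "i-0002", "tags": {"Role": "web", "Env": "dev"}, "ips": ["10.0.2.10"]},
    {"id": "i-0003", "tags": {"Role": "db", "Env": "prod"}, "ips": ["10.0.1.20", "10.0.1.21"]},
]


def parse_filter(expr: str) -> Dict[str, str]:
    """Parse 'Tag.Role=web & Tag.Env=prod' into {'Role': 'web', 'Env': 'prod'}.
    The 'Tag.<key>=<value>' form joined by '&' is an assumed syntax."""
    conds: Dict[str, str] = {}
    for clause in expr.split("&"):
        key, _, value = clause.strip().partition("=")
        if not key.startswith("Tag.") or not value:
            raise ValueError(f"bad filter clause: {clause!r}")
        conds[key[len("Tag."):]] = value
    return conds


def resolve_members(expr: str, inventory: List[Dict]) -> Set[str]:
    """Return the IPs the dynamic address currently expands to (may be empty)."""
    conds = parse_filter(expr)
    members: Set[str] = set()
    for inst in inventory:
        if all(inst["tags"].get(k) == v for k, v in conds.items()):
            members.update(inst["ips"])
    return members


def policy_matches(policy: Dict, src_ip: str, dst_ip: str, inventory: List[Dict]) -> bool:
    """Evaluate an accept policy whose srcaddr is a dynamic address (filter)
    and whose dstaddr is a static IP. An empty member set matches nothing."""
    src_members = resolve_members(policy["srcaddr_filter"], inventory)
    return str(ip_address(src_ip)) in src_members and dst_ip == policy["dstaddr"]


# Constructed policy: prod web servers may reach the db host.
POLICY = {"name": "web-to-db", "srcaddr_filter": "Tag.Role=web & Tag.Env=prod", "dstaddr": "10.0.1.20"}

if __name__ == "__main__":
    print(resolve_members(POLICY["srcaddr_filter"], INVENTORY))
    print(policy_matches(POLICY, "10.0.2.10", "10.0.1.20", INVENTORY))
```

Retagging an instance in the inventory changes the outcome of `policy_matches` with no change to `POLICY`, which is the behaviour the GUI and CLI steps above configure on the FortiGate.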

Creating a Fabric Connector for SSO

Fabric Connectors for SSO integrate single sign-on (SSO) authentication in your network. SSO allows users to enter their credentials once and have those credentials reused when they access other network resources through your FortiGate.

Fabric Connectors are available for the following services:

  • Poll Active Directory (AD) server
  • RADIUS Single Sign-On (RSSO) agent
  • Fortinet Single Sign-On (FSSO) agent

For more information about Fabric Connectors for SSO, see Authentication.

Creating a Fabric Connector for threat feeds

Fabric Connectors for threat feeds dynamically import an external block list, in the form of a text file containing a list of either addresses or domains, which resides on an HTTP server. You use block lists to deny access to destination IP addresses in web filter and DNS filter profiles, SSL inspection exemptions, and as sources or destinations in proxy policies.

You can configure Fabric Connectors for the following types of threat feeds:

  • FortiGuard category
  • IP address
  • Domain name

For more information about Fabric Connectors for threat feeds, see Overriding FortiGuard website categorization.
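Because the FortiGate imports whatever text file the HTTP server returns, it is worth validating a block list before publishing it. The following added example (not Fortinet code) classifies each entry as an IP, a CIDR prefix or a hostname, flags anything else, and reports whether the file is consistent with a single feed type; it assumes one entry per line with `#` comments, and the sample file content is constructed.

```python
"""Added example (not Fortinet code): validate a threat-feed block-list text
file before publishing it on the HTTP server the FortiGate polls.
Assumes one entry per line and '#' comments; sample content is constructed."""
import ipaddress
import re
from typing import List, Tuple

# Hostname label rule assumed for this example: 1-63 chars, no leading/trailing '-'
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_domain(entry: str) -> bool:
    if len(entry) > 253 or "." not in entry:
        return False
    labels = entry.lower().rstrip(".").split(".")
    return all(_LABEL.match(lb) for lb in labels) and not labels[-1].isdigit()


def classify(entry: str) -> str:
    """Return 'ip', 'cidr', 'domain' or 'invalid' for one block-list entry."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(entry, strict=True)  # host bits set -> invalid here
        return "cidr"
    except ValueError:
        pass
    return "domain" if is_domain(entry) else "invalid"


def validate_feed(text: str) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Classify every non-comment line. Returns the feed kind the file fits
    ('ip', 'domain', 'mixed' or 'empty') and the rejected (lineno, entry, reason)."""
    kinds, rejected = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        k = classify(entry)
        if k == "invalid":
            rejected.append((n, entry, "not an IP, CIDR or hostname"))
            continue
        kinds.add("ip" if k in ("ip", "cidr") else "domain")
    kind = kinds.pop() if len(kinds) == 1 else ("mixed" if kinds else "empty")
    if kind == "mixed":
        rejected.append((0, "", "IP and domain entries must not share one feed"))
    return kind, rejected


SAMPLE_IP_FEED = """# constructed example block list
198.51.100.7
203.0.113.0/24
203.0.113.5/24      # host bits set: flagged for review
not an address
"""
```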
