Fortinet white logo
Fortinet white logo

Administration Guide

OCI SDN connector using certificates

OCI SDN connector using certificates

You can configure SDN connector integration with Oracle Cloud Infrastructure (OCI).

Note

This topic describes one of multiple configuration methods available with this SDN connector type. See the More Links section on the right sidebar for other methods.

To configure an OCI SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Public SDN section, select Oracle Cloud Infrastructure (OCI).
  3. Configure the connector as desired:
    1. User ID: Enter the OCID of the OCI user who belongs to the administrator group. See Certificate-based SDN connector requirements.
    2. For the OCI Certificate field, you must select a certificate that satisfies OCI key size limits. The minimum size is 2048 bits. Do one of the following:
      1. Select the built-in default certificate called Fortinet_Factory.
      2. Follow steps 1-2 in Using custom certificates to configure a custom certificate.

  4. Click OK.
  5. At this stage, you must register the certificate's fingerprint to the specified OCI user.
    1. Go to the OCI user, then API Keys > Add Public Key.
    2. If you selected the Fortinet_Factory certificate in step 2f, do the following:
      1. In FortiOS, go to System > Certificate. Select Fortinet_Factory, then click Download.
      2. You now have the Fortinet_Factory.cer file. Create a public key file in PEM format from it, using a freely available tool of your choice such as OpenSSL.
    3. Copy and paste the content of the certificate PEM key file in the Add Public Key window in OCI. Click Add.
    4. You now see the fingerprint.

      You can configure the following for the fingerprint:

      1. Update Interval: The default value is 60 seconds. You can change the value to between 1 and 3600 seconds.
      2. Status: Green means that the connector is enabled. You can disable it at any time by toggling the switch.
    5. Click OK.
  6. Go to Policy & Objects > Addresses and click Create New > Address.
  7. Configure the address as needed, selecting the OCI connector in the SDN Connector field. The following filters are supported:

    'vm_name=<vm name>': matches VM instance name.

    'instance_id=<instance id>': matches instance OCID.

    'tag.<key>=<value>': matches freeform tag key and its value.

    'definedtag.<namespace>.<key>=<value>': matches a tag namespace, tag key, and its value.

  8. Click OK.
To configure an OCI SDN connector in the CLI:
  1. Configure an SDN connector:
    config system sdn-connector
        edit "oci1"
            set status enable
            set type oci
            set tenant-id "ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa77xxxxxx54bbbbbb4xxxx35xx55xxxx"
            set user-id "ocid1.user.oc1..aaaaaaaaa2laaaaa3aaaaaaaaaabbbbbbbbbbcccc3ccccccccccxxxxxxxx"
            set compartment-id "ocid1.compartment.oc1..aaaaaaaaaaaaaaaaaa7bbbbbbbbbbcccccccccc6xxx53xxxx7xxxxxxxxxx"
            set oci-region "us-ashburn-1"
            set oci-region-type commercial
            set oci-cert "cert-sha2"
            set update-interval 30
        next
    end
  2. Create a dynamic firewall address for the SDN connector with a supported filter:
    config firewall address
        edit "oci-address-1"
            set type dynamic
            set sdn "oci1"
            set filter "CompartmentName=DevelopmentEngineering"
        next
    end
To confirm that dynamic firewall addresses are resolved by the SDN connector:
  1. In the CLI, check that the addresses are listed:
    config firewall address
        edit "oci-address-1"
            set type dynamic
            set sdn "oci1"
            set filter "CompartmentName=DevelopmentEngineering"
            config list
                edit "10.0.0.11"
                next
                edit "10.0.0.118"
                next
                ...
                next
            end
        next
    end
  2. In the GUI, go to Policy & Objects > Addresses and hover the cursor over the address name.

OCI SDN connector using certificates

OCI SDN connector using certificates

You can configure SDN connector integration with Oracle Cloud Infrastructure (OCI).

Note

This topic describes one of multiple configuration methods available with this SDN connector type. See the More Links section on the right sidebar for other methods.

To configure an OCI SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Public SDN section, select Oracle Cloud Infrastructure (OCI).
  3. Configure the connector as desired:
    1. User ID: Enter the OCID of the OCI user who belongs to the administrator group. See Certificate-based SDN connector requirements.
    2. For the OCI Certificate field, you must select a certificate that satisfies OCI key size limits. The minimum size is 2048 bits. Do one of the following:
      1. Select the built-in default certificate called Fortinet_Factory.
      2. Follow steps 1-2 in Using custom certificates to configure a custom certificate.

  4. Click OK.
  5. At this stage, you must register the certificate's fingerprint to the specified OCI user.
    1. Go to the OCI user, then API Keys > Add Public Key.
    2. If you selected the Fortinet_Factory certificate in step 2f, do the following:
      1. In FortiOS, go to System > Certificate. Select Fortinet_Factory, then click Download.
      2. You now have the Fortinet_Factory.cer file. Create a public key file in PEM format from it, using a freely available tool of your choice such as OpenSSL.
    3. Copy and paste the content of the certificate PEM key file in the Add Public Key window in OCI. Click Add.
    4. You now see the fingerprint.

      You can configure the following for the fingerprint:

      1. Update Interval: The default value is 60 seconds. You can change the value to between 1 and 3600 seconds.
      2. Status: Green means that the connector is enabled. You can disable it at any time by toggling the switch.
    5. Click OK.
  6. Go to Policy & Objects > Addresses and click Create New > Address.
  7. Configure the address as needed, selecting the OCI connector in the SDN Connector field. The following filters are supported:

    'vm_name=<vm name>': matches VM instance name.

    'instance_id=<instance id>': matches instance OCID.

    'tag.<key>=<value>': matches freeform tag key and its value.

    'definedtag.<namespace>.<key>=<value>': matches a tag namespace, tag key, and its value.

  8. Click OK.
To configure an OCI SDN connector in the CLI:
  1. Configure an SDN connector:
    config system sdn-connector
        edit "oci1"
            set status enable
            set type oci
            set tenant-id "ocid1.tenancy.oc1..aaaaaaaaaaa3aaaaaaaaaaaaaaaaa77xxxxxx54bbbbbb4xxxx35xx55xxxx"
            set user-id "ocid1.user.oc1..aaaaaaaaa2laaaaa3aaaaaaaaaabbbbbbbbbbcccc3ccccccccccxxxxxxxx"
            set compartment-id "ocid1.compartment.oc1..aaaaaaaaaaaaaaaaaa7bbbbbbbbbbcccccccccc6xxx53xxxx7xxxxxxxxxx"
            set oci-region "us-ashburn-1"
            set oci-region-type commercial
            set oci-cert "cert-sha2"
            set update-interval 30
        next
    end
  2. Create a dynamic firewall address for the SDN connector with a supported filter:
    config firewall address
        edit "oci-address-1"
            set type dynamic
            set sdn "oci1"
            set filter "CompartmentName=DevelopmentEngineering"
        next
    end
To confirm that dynamic firewall addresses are resolved by the SDN connector:
  1. In the CLI, check that the addresses are listed:
    config firewall address
        edit "oci-address-1"
            set type dynamic
            set sdn "oci1"
            set filter "CompartmentName=DevelopmentEngineering"
            config list
                edit "10.0.0.11"
                next
                edit "10.0.0.118"
                next
                ...
                next
            end
        next
    end
  2. In the GUI, go to Policy & Objects > Addresses and hover the cursor over the address name.