FortiGate multiple connector support
This guide shows how to configure Fabric connectors and resolve dynamic firewall addresses through the configured Fabric connector in FortiOS.
FortiOS supports multiple Fabric connectors including public connectors (AWS, Azure, GCP, OCI, AliCloud) and private connectors (Kubernetes, VMware ESXi, VMware NSX, OpenStack, Cisco ACI, Nuage). FortiOS also supports multiple instances for each type of Fabric connector.
This guide uses an Azure Fabric connector as an example. The configuration procedure for all supported Fabric connectors is the same. In the following topology, the FortiGate accesses the Azure public cloud through the Internet:
This process consists of the following:
- Configure the interface.
- Configure a static route to connect to the Internet.
- Configure two Azure Fabric connectors with different client IDs.
- Check the configured Fabric connectors.
- Create two firewall addresses.
- Check the resolved firewall addresses after the update interval.
- Run diagnose commands.
To configure the interface:
- In FortiOS, go to Network > Interfaces.
- Edit port1:
  - From the Role dropdown list, select WAN.
  - In the IP/Network Mask field, enter 10.6.30.4/255.255.255.0 for the interface connected to the Internet.
To configure a static route to connect to the Internet:
- Go to Network > Static Routes. Click Create New.
- In the Destination field, enter 0.0.0.0/0.0.0.0.
- From the Interface dropdown list, select port1.
- In the Gateway Address field, enter 10.60.30.254.
To configure two Azure Fabric connectors with different client IDs:
- Go to Security Fabric > External Connectors.
- Click Create New. Configure the first Fabric connector:
  - Select Microsoft Azure.
  - In the Name field, enter azure1.
  - In the Status field, select Enabled.
  - From the Server region dropdown list, select Global.
  - In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
  - In the Client ID field, enter the client ID. In this example, it is 14dbd5c5-307e-4ea4-8133-68738141feb1.
  - In the Client secret field, enter the client secret.
  - Leave the Resource path disabled.
  - Click OK.
- Click Create New. Configure the second Fabric connector:
  - Select Microsoft Azure.
  - In the Name field, enter azure2.
  - In the Status field, select Enabled.
  - From the Server region dropdown list, select Global.
  - In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
  - In the Client ID field, enter the client ID. In this example, it is 3baf0a6c-44ff-4f94-b292-07f7a2c36be6.
  - In the Client secret field, enter the client secret.
  - Leave the Resource path disabled.
  - Click OK.
To check the configured Fabric connectors:
- Go to Security Fabric > External Connectors.
- Click the Refresh icon in the upper right corner of each configured Fabric connector. A green up arrow appears in the lower right corner, meaning that both Fabric connectors are connected to the Azure cloud using different client IDs.
To create two firewall addresses:
This process creates two Fabric connector firewall addresses to associate with the configured Fabric connectors.
- Go to Policy & Objects > Addresses.
- Click Create New > Address. Configure the first Fabric connector firewall address:
  - In the Name field, enter azure-address-1.
  - From the Type dropdown list, select Fabric Connector address.
  - From the SDN Connector dropdown list, select azure1.
  - For SDN address type, select Private.
  - From the Filter dropdown list, select the desired filter.
  - For Interface, select any.
  - Click OK.
- Click Create New > Address. Configure the second Fabric connector firewall address:
  - In the Name field, enter azure-address-2.
  - From the Type dropdown list, select Fabric Connector address.
  - From the SDN Connector dropdown list, select azure2.
  - For SDN address type, select Private.
  - From the Filter dropdown list, select the desired filter.
  - For Interface, select any.
  - Click OK.
To check the resolved firewall addresses after the update interval:
By default, the update interval is 60 seconds.
- Go to Policy & Objects > Addresses.
- Hover over the created addresses. The IP addresses that the configured Fabric connectors resolved are displayed.
To run diagnose commands:
Run the show sdn connector status command. Both Fabric connectors should appear with a status of connected.
Run the diagnose debug application azd -1 command. The output should look like the following:
Level2-downstream-D # diagnose debug application azd -1
...
azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address-1, vd 0
IP address change, new list:
10.18.0.4
...
To restart the Azure Fabric connector daemon, run the diagnose test application azd 99 command.
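The same two connectors and two dynamic addresses entered from the FortiOS CLI instead of the GUI, as an added example that is not part of the original guide. The tenant ID, client IDs, names and 60-second interval are the values used above; the client secrets and the filter value are placeholders to be replaced with your own.

```fortios
# Two Azure SDN connectors sharing one tenant but using different client IDs.
# The client-secret values are placeholders, not real secrets.
config system sdn-connector
    edit "azure1"
        set status enable
        set type azure
        set azure-region global
        set tenant-id "942b80cd-1b14-42a1-8dcf-4b21dece61ba"
        set client-id "14dbd5c5-307e-4ea4-8133-68738141feb1"
        set client-secret "<azure1-client-secret>"
        set update-interval 60
    next
    edit "azure2"
        set status enable
        set type azure
        set azure-region global
        set tenant-id "942b80cd-1b14-42a1-8dcf-4b21dece61ba"
        set client-id "3baf0a6c-44ff-4f94-b292-07f7a2c36be6"
        set client-secret "<azure2-client-secret>"
        set update-interval 60
    next
end

# One Fabric connector (dynamic) address per connector, resolving private IPs only.
# The filter string is a placeholder for the filter chosen in the GUI.
config firewall address
    edit "azure-address-1"
        set type dynamic
        set sub-type sdn
        set sdn "azure1"
        set sdn-addr-type private
        set filter "<filter>"
    next
    edit "azure-address-2"
        set type dynamic
        set sub-type sdn
        set sdn "azure2"
        set sdn-addr-type private
        set filter "<filter>"
    next
end
```

After the update interval elapses, the diagnose commands above should show both connectors connected and each address object populated with its resolved IPs.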