Administration Guide

Creating AWS fabric connectors

With FortiManager, you can create a fabric connector for Amazon Web Services (AWS), and then import address names from AWS to automatically create dynamic objects that you can use in policies. When you install the policies to one or more FortiGate units, FortiGate uses the information to communicate with AWS and dynamically populate the objects with IP addresses. Fortinet SDN Connector is not required for this configuration.

When you create a fabric connector for AWS, you are specifying how FortiGate can communicate directly with AWS.

If ADOMs are enabled, you can create one fabric connector per ADOM.

Requirements:

  • FortiManager version 5.6 ADOM or later

    The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.

  • FortiGate is managed by FortiManager.
  • The managed FortiGate unit is configured to work with AWS.

Following is a high-level overview of the configuration procedure:

To create a fabric connector object for AWS:
  1. Go to Fabric View > Fabric Connectors.
  2. Click Create New. The Create New Fabric Connector wizard is displayed.
  3. Under Public SDN, select Amazon Web Services. The Amazon Web Services screen is displayed.

  4. Configure the following options, and then click OK:

    Name

    Type a name for the fabric connector object.

    Type

    Displays Amazon Web Services (AWS).

    AWS access key ID

    Type the access key ID from AWS.

    AWS secret access key

    Type the secret access key from AWS.

    AWS region name

    Type the region name from AWS.

    AWS VPC ID

    Type the AWS VPC ID.

    Update Interval (s)

    Specify, in seconds, how often the dynamic firewall objects are updated.

    Status

    Toggle On to enable the fabric connector object. Toggle Off to disable the fabric connector object.

To complete the fabric connector setup:
  1. Import address names from AWS to the fabric connector object. See Importing address names to fabric connectors.

    The address names are imported and converted to firewall address objects. The objects do not yet include IP addresses. The objects are displayed on the Firewall Objects > Addresses pane.

  2. In the policy package in which you will be creating the new policy, create an IPv4 policy and include the firewall address objects for AWS. See IP policies.
  3. Install the policy package to FortiGate. See Install a policy package.

    FortiGate communicates with AWS to dynamically populate the firewall address objects with IP addresses.

If the filter names change in AWS after you import them into FortiManager, you must modify the filter again.
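The following is an added illustration (not Fortinet code) of the resolution step described above: on each update interval, FortiGate populates the imported address objects with the IP addresses of matching AWS instances, scoped to the connector's VPC ID. The "key=value" tag filter syntax, the instance inventory and the address names are assumptions constructed for the example; it also shows the failure mode of a filter that no longer matches anything after a rename in AWS.

```python
"""Simplified model of how a FortiGate resolves AWS dynamic address objects.
Added illustration, not Fortinet code. The filter syntax ("key=value" on
instance tags), the VPC scoping and the sample instances are assumptions
constructed for the example; real filters are defined in FortiManager."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Instance:  # constructed stand-in for one EC2 DescribeInstances entry
    instance_id: str
    vpc_id: str
    private_ips: list[str]
    tags: dict[str, str] = field(default_factory=dict)


# Constructed sample inventory: the connector's VPC plus one instance elsewhere.
SAMPLE_INSTANCES = [
    Instance("i-0a1", "vpc-aaa", ["10.0.1.10"], {"Role": "web"}),
    Instance("i-0a2", "vpc-aaa", ["10.0.1.11", "10.0.1.12"], {"Role": "web"}),
    Instance("i-0a3", "vpc-aaa", ["10.0.2.5"], {"Role": "db"}),
    Instance("i-0b1", "vpc-bbb", ["10.1.1.10"], {"Role": "web"}),  # outside VPC
]


def resolve_address(connector_vpc: str, address_filter: str, instances) -> set[str]:
    """IPs one dynamic object would contain for a 'key=value' tag filter,
    restricted to the connector's VPC (the page's 'AWS VPC ID' field)."""
    key, _, value = address_filter.partition("=")
    if not key or not value:
        raise ValueError(f"filter must be key=value, got {address_filter!r}")
    return {
        ip
        for inst in instances
        if inst.vpc_id == connector_vpc and inst.tags.get(key) == value
        for ip in inst.private_ips
    }


def refresh(connector_vpc: str, filters: dict[str, str], instances) -> dict[str, set[str]]:
    """One update-interval tick: resolve every imported address name.
    A filter that no longer matches (e.g. the tag was renamed in AWS) yields an
    empty set, so a policy that references that object matches no traffic."""
    return {name: resolve_address(connector_vpc, f, instances) for name, f in filters.items()}


def empty_objects(resolved: dict[str, set[str]]) -> list[str]:
    """Address names a defender should alert on: objects that resolved to no IPs."""
    return sorted(name for name, ips in resolved.items() if not ips)
```

Running `refresh` with a filter that no longer matches is a useful check after a rename in AWS: the object stays defined in FortiManager but silently resolves to nothing.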
