Using FortiManager as a SDN proxy for AWS connectors
Each FortiGate configured with an AWS fabric connector makes a separate connection request to the AWS server. Having a high volume of devices may result in many simultaneous connections to AWS. For example, having 100 FortiGate devices with AWS connectors results in 100 separate connections to the AWS server.
To improve efficiency and security in these cases, FortiManager can be configured to work as a proxy between the FortiGate devices and AWS. When configured as proxy, FortiManager will make all requests to the AWS server. The FortiGate devices do not need to be managed by FortiManager to use it as a proxy.
This setting can only be configured in the CLI.
When using FortiManager as a proxy to AWS, you must have an admin user on FortiManager with read-write permissions for JSON API Access. It is recommended that you also increase the login-max setting in Advanced Options to allow for the maximum number of logins (256) for the user since this FortiManager will receive login requests from each FortiGate when making requests to the AWS server. |
To configure FortiManager as a proxy to AWS:
- On each FortiGate, configure the SDN-Proxy object.
config system sdn-proxy
edit <sdn-proxy name>
set type fortimanager
set server <FortiManager address>
set username <username>
set password <password>
next
- On each FortiGate, configure the SDN connector to use the FortiManager as a proxy.
config system sdn-connector
edit <connector name>
set proxy <sdn-proxy name>
set use-metadata-iam disable
set access-key <access>
set secret-key <secret>
set region <region>
next
end
On FortiManager, you can manage the sdnproxy daemon with the following commands:
- Restart the sdnproxy daemon:
diagnose test application sdnproxyd <interger>
- Show debug logs:
diagnose debug application sdnproxy <debug level (0 - 8)>