Fortinet white logo
Fortinet white logo

Administration Guide

Using FortiManager as a SDN proxy for AWS connectors

Using FortiManager as a SDN proxy for AWS connectors

Each FortiGate configured with an AWS fabric connector makes a separate connection request to the AWS server. Having a high volume of devices may result in many simultaneous connections to AWS. For example, having 100 FortiGate devices with AWS connectors results in 100 separate connections to the AWS server.

To improve efficiency and security in these cases, FortiManager can be configured to work as a proxy between the FortiGate devices and AWS. When configured as proxy, FortiManager will make all requests to the AWS server. The FortiGate devices do not need to be managed by FortiManager to use it as a proxy.

This setting can only be configured in the CLI.

Tooltip

When using FortiManager as a proxy to AWS, you must have an admin user on FortiManager with read-write permissions for JSON API Access. It is recommended that you also increase the login-max setting in Advanced Options to allow for the maximum number of logins (256) for the user since this FortiManager will receive login requests from each FortiGate when making requests to the AWS server.

To configure FortiManager as a proxy to AWS:
  1. On each FortiGate, configure the SDN-Proxy object.

    config system sdn-proxy

    edit <sdn-proxy name>

    set type fortimanager

    set server <FortiManager address>

    set username <username>

    set password <password>

    next

  2. On each FortiGate, configure the SDN connector to use the FortiManager as a proxy.

    config system sdn-connector

    edit <connector name>

    set proxy <sdn-proxy name>

    set use-metadata-iam disable

    set access-key <access>

    set secret-key <secret>

    set region <region>

    next

    end

On FortiManager, you can manage the sdnproxy daemon with the following commands:

  • Restart the sdnproxy daemon: diagnose test application sdnproxyd <interger>
  • Show debug logs: diagnose debug application sdnproxy <debug level (0 - 8)>

Using FortiManager as a SDN proxy for AWS connectors

Using FortiManager as a SDN proxy for AWS connectors

Each FortiGate configured with an AWS fabric connector makes a separate connection request to the AWS server. Having a high volume of devices may result in many simultaneous connections to AWS. For example, having 100 FortiGate devices with AWS connectors results in 100 separate connections to the AWS server.

To improve efficiency and security in these cases, FortiManager can be configured to work as a proxy between the FortiGate devices and AWS. When configured as proxy, FortiManager will make all requests to the AWS server. The FortiGate devices do not need to be managed by FortiManager to use it as a proxy.

This setting can only be configured in the CLI.

Tooltip

When using FortiManager as a proxy to AWS, you must have an admin user on FortiManager with read-write permissions for JSON API Access. It is recommended that you also increase the login-max setting in Advanced Options to allow for the maximum number of logins (256) for the user since this FortiManager will receive login requests from each FortiGate when making requests to the AWS server.

To configure FortiManager as a proxy to AWS:
  1. On each FortiGate, configure the SDN-Proxy object.

    config system sdn-proxy

    edit <sdn-proxy name>

    set type fortimanager

    set server <FortiManager address>

    set username <username>

    set password <password>

    next

  2. On each FortiGate, configure the SDN connector to use the FortiManager as a proxy.

    config system sdn-connector

    edit <connector name>

    set proxy <sdn-proxy name>

    set use-metadata-iam disable

    set access-key <access>

    set secret-key <secret>

    set region <region>

    next

    end

On FortiManager, you can manage the sdnproxy daemon with the following commands:

  • Restart the sdnproxy daemon: diagnose test application sdnproxyd <interger>
  • Show debug logs: diagnose debug application sdnproxy <debug level (0 - 8)>