Using FortiManager as a SDN proxy for GCP connectors
Each FortiGate configured with a GCP fabric connector makes a separate connection request to the GCP server. Having a high volume of devices may result in many simultaneous connections to GCP. For example, having 100 FortiGate devices with GCP connectors results in 100 separate connections to the GCP server.
To improve efficiency and security in these cases, FortiManager can be configured to work as a proxy between the FortiGate devices and GCP. When configured as a proxy, FortiManager will make all requests to the GCP server. The FortiGate devices do not need to be managed by FortiManager to use it as a proxy.
This setting can only be configured in the CLI.
|
When using FortiManager as a proxy to GCP, you must have an admin user on FortiManager with read-write permissions for JSON API Access. It is recommended that you also increase the login-max setting in Advanced Options to allow for the maximum number of logins (256) for the user since this FortiManager will receive login requests from each FortiGate when making requests to the GCP server. |
To configure FortiManager as a proxy to GCP:
- On each FortiGate, configure the SDN-Proxy object.
config system sdn-proxy
edit <sdn-proxy name>
set type fortimanager
set server <FortiManager address>
set username <username>
set password <password>
next
- On each FortiGate, configure the SDN connector to use the FortiManager proxy object.
config system sdn-connector
edit <connector name>
set proxy <sdn-proxy name>
set use-metadata-iam disable
set access-key <access>
set secret-key <secret>
set region <region>
next
end
On FortiManager, you can manage the sdnproxy daemon with the following commands:
- Restart the sdnproxy daemon:
diagnose test application sdnproxyd <interger> - Show debug logs:
diagnose debug application sdnproxy <debug level (0 - 8)>