Fortinet Document Library

Version: 6.0.0
Using a custom certificate

OCI requires API requests to carry a signature/credential. Currently, FortiGate uses a certificate to do so, so you must specify a certificate on the FortiGate for OCI when configuring A-P HA; FortiGate uses this certificate when calling OCI APIs. In the previous deployment step, you used the built-in FortiGate certificate called "Fortinet_Factory".

For greater security, Oracle Cloud recommends rotating the security element periodically. You may want to change the default certificate after some time, or if you have multiple sets of A-P HA clusters, you may want to use a different certificate for each cluster initially.

This section explains how to replace the certificate. In this example, let's use a self-signed certificate that you created for your organization outside of the FortiGate. For details about the certificates that OCI requires, see Request Signatures.

You need three files:

  • Certificate file (for use on the FortiGate)
  • Key file (for use on the FortiGate)
  • PEM file (for use on OCI)

The signing algorithm must be RSA SHA-256. In this example, an RSA 2048-bit key was used to create the certificate.

  1. Import your custom certificate to the primary FortiGate. There is no need to do the same on the secondary unit, as A-P HA enables a feature called configuration synchronization, where the certificate is automatically applied to the secondary unit with the FortiOS configuration.
  2. Log into the primary FortiGate and go to System > Certificates. The list of available FortiGate certificates displays.

  3. Have a pair of the certificate and key files ready on the PC.
  4. Click Import > Local Certificate. In the Import Certificate panel, for Type, select Certificate.
  5. Upload the pair of certificate and key files. In this example, the file names are apache-selfsigned.crt and apache-selfsigned.key, respectively. Enter the password if any, and name the certificate as desired. Click OK.

  6. The certificate displays on the screen. Double-click it to show the certificate details.

  7. Now you must edit the OCI Fabric connector created earlier. You can do this via the GUI or the CLI.
    1. To edit the Fabric connector via the GUI, do the following:
      1. Go to Security Fabric > Fabric Connectors.
      2. Select the Fabric connector, then click Edit.

      3. From the OCI certificate dropdown list, select the newly created certificate.

      4. Click OK.
    2. To edit the Fabric connector via the CLI, do the following:
      1. Open the CLI console in the FortiGate management console.
      2. Enter CLI commands as follows to point to the new certificate. The show command displays what is configured. next and end save the configuration and return you to the original indentation level with which you started. Replace oci-sdn with the name you configured for your Fabric connector, and enter the desired certificate name. In this example, the certificate name is jkato-new-cert1.

        config system sdn-connector
            edit oci-sdn
                set oci-cert "your_certificate_name"
            next
        end

        You can see the configuration by running get oci_connector_name.

  8. Next, you must add a new fingerprint for the user based on the new certificate's PEM. Log into the OCI compute portal and locate the user, which you specified with user-id above.

    1. Select the user and go to API Keys. Click Add Public Key.

    2. Copy and paste the content of the PEM key. Click Add.

    3. You should see that a new fingerprint has been added. You can also see the fingerprint in the CLI by running the get OCI_connector_name command.

  9. Check if API calls can be made successfully by referring to Troubleshooting OCI SDN Connector.
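The following script is an added example, not part of Fortinet's documentation: it produces the three files the procedure above needs (RSA-2048 key and SHA-256 self-signed certificate for the FortiGate, public-key PEM for OCI), checks that they meet the stated requirements before you import them, and computes the fingerprint that OCI displays after step 8, so you can confirm the key you pasted is the one the FortiGate now uses. It assumes openssl is installed; file names, the subject and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet documentation). Assumes openssl is on PATH.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/apache-selfsigned.key"     # private key  -> import on FortiGate
CRT="$WORKDIR/apache-selfsigned.crt"     # certificate  -> import on FortiGate
PUB="$WORKDIR/oci_api_key_public.pem"    # public key   -> paste under OCI user > API Keys

# Generate an RSA-2048 key and a self-signed certificate signed with SHA-256,
# then export the public key in PEM form for the OCI console.
gen_files() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$KEY" -out "$CRT" \
    -subj "/CN=fortigate-oci-ha-cluster1" >/dev/null 2>&1   # placeholder subject
  openssl rsa -in "$KEY" -pubout -out "$PUB" 2>/dev/null
}

# Fingerprint as OCI shows it: MD5 over the DER-encoded public key, colon-separated.
# Compare this with the fingerprint listed in the OCI console and in the
# FortiGate's get output for the SDN connector.
oci_fingerprint() {
  openssl rsa -pubout -outform DER -in "$KEY" 2>/dev/null | openssl md5 -c | awk '{print $NF}'
}

# Pre-import checks: 2048-bit key, sha256WithRSAEncryption signature, and the
# certificate really belongs to the key (same modulus).
check_requirements() {
  bits=$(openssl rsa -in "$KEY" -noout -text 2>/dev/null \
         | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
  sig=$(openssl x509 -in "$CRT" -noout -text \
        | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -1)
  kmod=$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)
  cmod=$(openssl x509 -in "$CRT" -noout -modulus)
  [ "$bits" = "2048" ] && [ "$sig" = "sha256WithRSAEncryption" ] && [ "$kmod" = "$cmod" ]
}

gen_files
check_requirements && echo "files OK in $WORKDIR; expected OCI fingerprint: $(oci_fingerprint)"
```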
