Features
There are a number of features associated with firewalls in general and FortiGate firewalls in particular. This section should explain which of these features are available through the FortiGate Connector and which are not.
Supported Features
The FortiGate Connector for Cisco ACI supports the following functions:
- Cisco ACI service insertion – software package for FortiGate device deployed to Cisco APIC, containing FortiGate models, function description, version, credentials, as a L4-L7 service.
- Enable tenant configuration to add/modify/delete the L4-L7 device of a FortiGate firewall service.
- Enable FortiGate deployment as both a physical and a virtual device (FortiGate chassis & VM).
- Support both transparent (GoThrough) and L3 (GoTo) device mode.
- Automatically create a VDOM (context). One VDOM per logical device under a tenant.
- Enable FortiGate-specific interface configuration: physical interface and port channel.
- Support IP address configuration on Layer 3 interfaces.
- Support subnet, service and schedule object configuration.
- Enable the FortiGate firewall device to connect to endpoint groups (EPGs).
- Support IPv4 policies: match, action, network operations & security feature selection (although the Enable/Disable Security profile option in policies is not supported).
- Support NAT.
- Enable the service graph to add/modify/delete the FortiGate firewall service node.
Unsupported Features
The following features normally found on FortiGates are not supported through the FortiGate Connector for Cisco ACI.
- Security Profiles (web filtering, etc.)
- DoS Policy
- Proxy Policy
- SSL/SSH Inspection
- FortiGate WAN load balance link.
- HA/cluster support.
- Administrator profile for limited access of different administrator accounts.
- Static and dynamic routing except OSPF.
- Firewall port forwarding (destination NAT).
- Firewall logging: allowed traffic, security events, all sessions, etc.
- Firewall packet capture.
Planned for future releases
- Firewall with FortiGuard DDNS.
- Other firewall features not specifically listed as supported.
The following information resources are available on the FortiGates but do not integrate with APIC:
- Error Logs
- Statistics Reporting
The features unsupported on APIC may still be used on the FortiGate outside of APIC control; the user must log in to the FortiGate to configure, monitor, and debug them. However, any conflict with operations performed from APIC may cause malfunction.
Planned for future releases
FortiGate Connector for Cisco ACI plans to incorporate the following features and functions into future versions of the software:
- Support for OSPF-based routing configuration in the L3 (GoTo) mode from APIC.
- Monitor FortiGate devices (health) status.
- Provide FortiGate device statistics – device and service counters per context.
- Support for logging and error reporting of FortiGate as a L4-L7 device.
- Performance reporting: control and management plane based on APIC, data path on FortiGate.
New features are not limited to this list. These are just the features currently planned for.
Supported Fortinet Products
The supported Fortinet products are those that are compatible with the FortiGate Connector for Cisco ACI software and will properly integrate into the Cisco ACI. The products are listed separately by model and by firmware, but both conditions apply together: to be supported, the Fortinet product has to be one of the listed models running a supported firmware version.
Models
FortiGate Connector for Cisco ACI v1.0 supports integration with the following predefined models:
- FG-1000D
- FG-1500D
- FG-3700D
- FG-VM
- Unknown (to be added based on customer’s request)
Firmware Versions
FortiGate Connector for Cisco ACI version 1 is compatible with the following FortiOS firmware:
- FortiOS 5.4 (including the Beta version)