FortiGate multiple connector support

This guide shows how to configure Fabric connectors and resolve dynamic firewall addresses through the configured Fabric connector in FortiOS.

FortiOS supports multiple Fabric connectors including public connectors (AWS, Azure, GCP, OCI, AliCloud) and private connectors (Kubernetes, VMware ESXi, VMware NSX, OpenStack, Cisco ACI, Nuage). FortiOS also supports multiple instances for each type of Fabric connector.

This guide uses an Azure Fabric connector as an example. The configuration procedure for all supported Fabric connectors is the same. In the following topology, the FortiGate accesses the Azure public cloud through the Internet:

This process consists of the following:

  1. Configure the interface.
  2. Configure a static route to connect to the Internet.
  3. Configure two Azure Fabric connectors with different client IDs.
  4. Check the configured Fabric connectors.
  5. Create two firewall addresses.
  6. Check the resolved firewall addresses after the update interval.
  7. Run diagnose commands.

To configure the interface:

  1. In FortiOS, go to Network > Interfaces.
  2. Edit port1:
    1. From the Role dropdown list, select WAN.
    2. In the IP/Network Mask field, enter 10.6.30.4/255.255.255.0 for the interface connected to the Internet.

To configure a static route to connect to the Internet:

  1. Go to Network > Static Routes. Click Create New.
  2. In the Destination field, enter 0.0.0.0/0.0.0.0.
  3. From the Interface dropdown list, select port1.
  4. In the Gateway Address field, enter 10.60.30.254.

To configure two Azure Fabric connectors with different client IDs:

  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New. Configure the first Fabric connector:
    1. Select Microsoft Azure.
    2. In the Name field, enter azure1.
    3. In the Status field, select Enabled.
    4. From the Server region dropdown list, select Global.
    5. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
    6. In the Client ID field, enter the client ID. In this example, it is 14dbd5c5-307e-4ea4-8133-68738141feb1.
    7. In the Client secret field, enter the client secret.
    8. Leave the Resource path
    9. Click OK.
  3. Click Create New. Configure the second Fabric connector:
    1. Select Microsoft Azure.
    2. In the Name field, enter azure2.
    3. In the Status field, select Enabled.
    4. From the Server region dropdown list, select Global.
    5. In the Tenant ID field, enter the tenant ID. In this example, it is 942b80cd-1b14-42a1-8dcf-4b21dece61ba.
    6. In the Client ID field, enter the client ID. In this example, it is 3baf0a6c-44ff-4f94-b292-07f7a2c36be6.
    7. In the Client secret field, enter the client secret.
    8. Leave the Resource path
    9. Click OK.

To check the configured Fabric connectors:

  1. Go to Security Fabric > Fabric Connectors.
  2. Click the Refresh icon in the upper right corner of each configured Fabric connector. A green up arrow appears in the lower right corner, meaning that both Fabric connectors are connected to the Azure cloud using different client IDs.

To create two firewall addresses:

This process creates two Fabric connector firewall addresses to associate with the configured Fabric connectors.

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address. Configure the first Fabric connector firewall address:
    1. In the Name field, enter azure-address-1.
    2. From the Type dropdown list, select Fabric Connector address.
    3. From the SDN Connector dropdown list, select azure1.
    4. For SDN address type, select Private.
    5. From the Filter dropdown list, select the desired filter.
    6. For Interface, select any.
    7. Click OK.
  3. Click Create New > Address. Configure the second Fabric connector firewall address:
    1. In the Name field, enter azure-address-1.
    2. From the Type dropdown list, select Fabric Connector address.
    3. From the SDN Connector dropdown list, select azure2.
    4. For SDN address type, select Private.
    5. From the Filter dropdown list, select the desired filter.
    6. For Interface, select any.
    7. Click OK.

To check the resolved firewall addresses after the update interval:

By default, the update interval is 60 seconds.

  1. Go to Policy & Objects > Addresses.
  2. Hover over the created addresses. The IP addresses that the configured Fabric connectors resolved are displayed.

To run diagnose commands:

Run the show sdn connector status command. Both Fabric connectors should appear with a status of connected.

Run the diagnose debug application azd -1 command. The output should look like the following:

Level2-downstream-D # diagnose debug application azd -1 …

azd sdn connector azure1 start updating IP addresses
azd checking firewall address object azure-address-1, vd 0
IP address change, new list: 10.18.0.4 …

To restart the Azure Fabric connector daemon, run the diagnose test application azd 99 command.

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
