FortiGate SDN Connector for AWS

  1. Configuring AWS SDN Connector in FortiOS
    1a. Configuring AWS SDN Connector using the GUI
    1b. Checking the configuration using the CLI
  2. Creating an Address
    2a. Creating an Address using the GUI
    2b. Creating an Address using the CLI
    2c. [Connectivity test] Add an EC2 to test automatic population
  3. Creating a firewall policy

This recipe describes how to configure FortiGate SDN Connector for use with Amazon Web Services (AWS).

1. Configuring AWS SDN Connector in FortiOS

This feature is supported in FortiOS 5.6.3.

1a. Configuring AWS SDN Connector using the GUI

Navigate to System > SDN Connectors. Note you can create only one SDN Connector per connector type. For example, you can create one entry for AWS.

In the Type dropdown list, select Amazon Web Services (AWS).

In the AWS access key ID field, enter the key created in the AWS management portal.

In the AWS secret access key field, enter the secret access key accompanying the above access key.

In the AWS region name field, enter the region name. In the example, us-west-2 denotes Oregon, rather than entering Oregon. Refer to http://docs.aws.amazon.com/general/latest/gr/rande.html for the desired region name.

In the AWS VPC ID field, enter the VPC ID within the specified region you desire to cover with the SDN Connector.

In the Update Interval field, enter the desired number of seconds. You can enter any value between 1 and 3600 seconds. The default value is 60 seconds.

Toggle the Status on or off. The example shows the SDN Connector is currently toggled on.

Click OK.

1b. Checking the configuration using the CLI

To check the configuration, right-click the entry and select Edit in CLI.

2. Creating an Address

You can create an Address using the GUI or CLI. Either way, the process consists of the following steps:

1. Creating an “Address”, which is used as a single address or address group for the source/destination of firewall policies. The Address is IP-based and holds the IP addresses of AWS instances.
2. When changes occur on the instances, the SDN Connector populates and updates the changes automatically based on the specified filtering condition so administrators do not need to reconfigure the Address’s content manually.
3. Appropriate firewall policies using the Address are applied to the instances that are members of it.

2a. Creating an Address using the GUI

In FortiOS, navigate to Policy & Objects > Addresses. Click Create New, then select Address.

Enter the Address name. In the Type dropdown list, select Dynamic SDN address.

In the SDN dropdown list, select Amazon Web Services (AWS). Enter the filter. The SDN Connector then automatically populates and updates only those instances in the specified VPC that match this filtering condition. The following keys can be used:


1. instanceId (e.g. instanceId=i-12345678)
2. instanceType (e.g. instanceType=t2.micro)
3. imageId (e.g. imageId=ami-123456)
4. keyName (e.g. keyName=aws-key-name)
5. architecture (e.g. architecture=x86)
6. subnetId (e.g. subnetId=sub-123456)
7. placement.availabilityzone (e.g. placement.availabilityzone=us-east-1a)
8. placement.groupname (e.g. placement.groupname=group-name)
9. placement.tenancy (e.g. placement.tenancy=tenancy-name)
10. privateDnsName (e.g. privateDnsName=ip-172-31-10-211.us-west-2.compute.internal)
11. publicDnsName (e.g. publicDnsName=ec2-54-202-168-254.us-west-2.compute.amazonaws.com)
12. tag.Name, the AWS instance tag called “Name” (e.g. tag.Name=Value; a maximum of 8 tags is supported)

For example, to automatically populate instances that belong to a certain subnet within the VPC, you can create a filtering condition using key 6 above, subnetId. First, check the subnet ID in the AWS management portal.

Enter subnetId=subnet-fb2506a0 in the Filter field.

In the Interface dropdown list, select the interface that the SDN Connector covers, where relevant.

The filtering condition can be set using multiple entries with AND (“&”) or OR (“|”). When both AND and OR are used, AND is interpreted before OR. For example, you can enter subnetId=subnet-fb2506a0 & tag.Name=abc123. In this case, an IP address of the instance that matches both the subnet ID and the tag “Name” shows up. Note wildcards are not allowed in values.

Click OK. Once saved, the Address is listed under Policy & Objects > Addresses.

Proceed to creating a firewall policy.

2b. Creating an Address using the CLI

Create an Address to use to configure a firewall policy. Open the CLI with administrator credentials. Right-click the Address and select Edit in CLI.

Configure the Address as the element that the SDN Connector supports. Enter set type dynamic, then set sdn aws, then end. After entering config firewall address, then edit aws-test, then show, the CLI output resembles the following. A uuid is automatically assigned to every firewall address and policy, so it can be ignored unless you want to change it.

Configure the filtering rule. The SDN Connector then automatically populates and updates only those instances in the specified VPC that match this filtering condition. The following keys can be used:


1. instanceId (e.g. instanceId=i-12345678)
2. instanceType (e.g. instanceType=t2.micro)
3. imageId (e.g. imageId=ami-123456)
4. keyName (e.g. keyName=aws-key-name)
5. architecture (e.g. architecture=x86)
6. subnetId (e.g. subnetId=sub-123456)
7. placement.availabilityzone (e.g. placement.availabilityzone=us-east-1a)
8. placement.groupname (e.g. placement.groupname=group-name)
9. placement.tenancy (e.g. placement.tenancy=tenancy-name)
10. privateDnsName (e.g. privateDnsName=ip-172-31-10-211.us-west-2.compute.internal)
11. publicDnsName (e.g. publicDnsName=ec2-54-202-168-254.us-west-2.compute.amazonaws.com)
12. tag.Name, the AWS instance tag called “Name” (e.g. tag.Name=Value; a maximum of 8 tags is supported)

For example, to automatically populate instances that belong to a certain subnet within the VPC, you can create a filtering condition using key 6 above, subnetId. First, check the subnet ID in the AWS management portal.

Enter set filter "subnetId=subnet-fb2506a0". In this example, the subnet is 10.0.2.0/24. At this point, show shows the following:

Note that three instances with IP addresses 10.0.2.111, 10.0.2.112, and 10.0.2.114 have just been populated. They were added automatically once the filtering condition above was set and the update interval specified in the GUI had elapsed. Because these three instances were already up and running in the specified VPC, the SDN Connector found them through the AWS API calls that FortiGate makes.

2c. [Connectivity test] Add an EC2 to test automatic population

Assume you want to boot up another instance with IP address 10.0.2.113, which is currently stopped. In the AWS management portal, start the instance.

Verify the instance is running.

At this point, running show again shows SDN Connector has automatically populated and added the 10.0.2.113 instance.

Therefore, administrators do not need to add this instance to the Address manually. When a firewall policy is applied to this Address, 10.0.2.113 is automatically covered. The filtering condition can be set using multiple entries with AND (“&”) or OR (“|”). When both AND and OR are used, AND is interpreted before OR. Check the syntax by entering set filter ?.

For example, you can enter subnetId=subnet-fb2506a0 & tag.Name=abc123. In this case, an IP address of the instance that matches both the subnet ID and the tag “Name” shows up. Note wildcards are not allowed in values.
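The filter grammar described in 2a and again here (key=value terms joined by AND “&” or OR “|”, AND evaluated before OR, no wildcards) and the automatic population shown in 2c can be modelled in a few lines. The following Python is an added example, not code from this recipe or from Fortinet; the instance records, the instance IDs, the helper names (parse_filter, resolve_address, start_instance) and the rule that only running instances are populated are all constructed assumptions used to illustrate the behaviour the recipe describes.

```python
# Added example (not FortiOS code): evaluate an SDN Connector style filter
# expression against constructed EC2 instance records, mirroring the recipe's
# subnet 10.0.2.0/24 walkthrough, including the stopped 10.0.2.113 instance.
from typing import Any, Dict, List, Tuple

# Keys the recipe lists as supported; tag.<Name> keys are handled separately.
SUPPORTED_KEYS = {
    "instanceId", "instanceType", "imageId", "keyName", "architecture",
    "subnetId", "placement.availabilityzone", "placement.groupname",
    "placement.tenancy", "privateDnsName", "publicDnsName",
}

# Constructed sample instances (placeholder IDs, not real AWS API output).
INSTANCES: List[Dict[str, Any]] = [
    {"instanceId": "i-0000000111", "subnetId": "subnet-fb2506a0",
     "privateIp": "10.0.2.111", "state": "running", "tags": {"Name": "abc123"}},
    {"instanceId": "i-0000000112", "subnetId": "subnet-fb2506a0",
     "privateIp": "10.0.2.112", "state": "running", "tags": {"Name": "web"}},
    {"instanceId": "i-0000000113", "subnetId": "subnet-fb2506a0",
     "privateIp": "10.0.2.113", "state": "stopped", "tags": {"Name": "abc123"}},
    {"instanceId": "i-0000000114", "subnetId": "subnet-fb2506a0",
     "privateIp": "10.0.2.114", "state": "running", "tags": {}},
    {"instanceId": "i-0000000201", "subnetId": "subnet-00000000",
     "privateIp": "10.0.3.7", "state": "running", "tags": {"Name": "abc123"}},
]

Conjunction = List[Tuple[str, str]]


def parse_filter(expr: str) -> List[Conjunction]:
    """Parse 'k=v & k=v | k=v' into a list of AND-groups joined by OR.
    Splitting on '|' first and '&' second is what gives AND precedence
    over OR, as the recipe states. Wildcards and unknown keys are rejected."""
    dnf: List[Conjunction] = []
    for alternative in expr.split("|"):
        conj: Conjunction = []
        for term in alternative.split("&"):
            term = term.strip()
            if "=" not in term:
                raise ValueError(f"term {term!r} is not of the form key=value")
            key, value = (part.strip() for part in term.split("=", 1))
            if not value or "*" in value or "?" in value:
                raise ValueError(f"wildcards or empty values are not allowed: {term!r}")
            if not (key in SUPPORTED_KEYS or key.startswith("tag.")):
                raise ValueError(f"unsupported filter key {key!r}")
            conj.append((key, value))
        dnf.append(conj)
    return dnf


def attribute(inst: Dict[str, Any], key: str) -> Any:
    """Look up a filter key on an instance record; tag.X reads the tag X."""
    if key.startswith("tag."):
        return inst.get("tags", {}).get(key[len("tag."):])
    return inst.get(key)


def matches(inst: Dict[str, Any], dnf: List[Conjunction]) -> bool:
    """True if any AND-group has every term equal to the instance's value."""
    return any(all(attribute(inst, k) == v for k, v in conj) for conj in dnf)


def resolve_address(expr: str, instances: List[Dict[str, Any]]) -> List[str]:
    """Private IPs the dynamic Address would hold after the next update.
    Assumption (consistent with the 2c test): only running instances count."""
    dnf = parse_filter(expr)
    return sorted(i["privateIp"] for i in instances
                  if i["state"] == "running" and matches(i, dnf))


def start_instance(instances: List[Dict[str, Any]], instance_id: str) -> List[Dict[str, Any]]:
    """Mimic starting a stopped instance in the AWS console (returns a new list)."""
    return [dict(i, state="running") if i["instanceId"] == instance_id else i
            for i in instances]


if __name__ == "__main__":
    subnet_only = "subnetId=subnet-fb2506a0"
    print(resolve_address(subnet_only, INSTANCES))        # .111, .112, .114
    started = start_instance(INSTANCES, "i-0000000113")
    print(resolve_address(subnet_only, started))          # .113 now included
    print(resolve_address("subnetId=subnet-fb2506a0 & tag.Name=abc123", started))
```

The same evaluator shows why AND-before-OR matters: `tag.Name=web & subnetId=subnet-00000000 | instanceId=i-0000000114` yields only 10.0.2.114, because the AND-group on the left is evaluated as a unit and matches nothing. In practice the defender's check is the one the recipe gives, `set filter ?` on the FortiGate itself, which is authoritative for the syntax the firmware accepts.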

3. Creating a firewall policy

Finally, you can use this Address to configure a firewall policy as a source or destination. The following operation is not SDN Connector-specific, but shows a general method of creating a firewall policy. Navigate to Policy & Objects > IPv4 Policy and create a firewall rule.
