FortiGate
vschmitt_FTNT
Article Id 277622
Description

This article explains how to retrieve the ENI IP addresses of AWS WorkSpaces and of ALB/NLB/GWLB load balancers through the AWS SDN connector, and how to select them with the following filter keys: OwnerId, InterfaceType, SecurityGroupId, InterfaceId, Tag and Description (the examples also use SubnetId).

Scope

FortiOS 7.2.4, FortiOS 7.4.2, AWS, SDN connector.
Solution

One function of the SDN connector is to retrieve public/private cloud information about network objects so that firewall policies referencing dynamic address objects update automatically when the cloud resources change.

 

Before FortiOS 7.2.4 and FortiOS 7.4.2, AWS-type SDN connectors on FortiGate did not retrieve the ENI IP addresses of AWS WorkSpaces or of ALB/NLB/GWLB load balancers.

 

To make this work, 'alt-resource-ip' must be enabled on the AWS SDN connector (config system sdn-connector). With it enabled, the connector also retrieves the private IPs of AWS ELBs (ALB and NLB), VPC endpoints, TGW, GWLB and WorkSpaces instances. Enable it in the CLI; the connector is called 'aws-cross-account' in this example, and the name must match the one referenced by 'set sdn' in the dynamic address objects that use it:

 

config system sdn-connector
    edit aws-cross-account
        set alt-resource-ip enable
    next
end

 

Afterwards, dynamic firewall address objects can select the retrieved resources with filters. In the examples below, the entries under 'config list' are the IP addresses the connector resolved for the filter: the FortiGate fills them in, they are not typed by hand, and the current values can be checked with 'diagnose firewall dynamic list'. The 'tag.Name' filters match on an AWS tag, which any principal with ec2:CreateTags on an ENI in the account can set, so for policies that grant access prefer filters on attributes only the resource owner controls, such as InterfaceId or SubnetId.

 

1. AWS WorkSpaces ENI IP address:

config firewall address
    edit "aws-sdn-addr-workspace"
        set type dynamic
        set sdn "aws-sdn"
        set filter "tag.Name=my-workspace-demo"
        config list
            edit "10.0.1.34"
            next
        end
    next
end

 

2. ALB ENI IP address:

config firewall address
    edit "aws-sdn-addr-ALB"
        set type dynamic
        set sdn "aws-sdn"
        set filter "tag.Name=my-ALB-demo"
        config list
            edit "10.0.2.120"
            next
        end
    next
end

 

3. NLB ENI IP addresses (an NLB has one ENI per enabled subnet, hence two addresses here):

config firewall address
    edit "aws-sdn-addr-NLB"
        set type dynamic
        set sdn "aws-sdn"
        set filter "tag.Name=my-NLB-demo"
        config list
            edit "10.2.11.181"
            next
            edit "10.2.21.189"
            next
        end
    next
end

 

4. GWLB ENI IP address:

config firewall address
    edit "aws-sdn-addr-GWLB"
        set type dynamic
        set sdn "aws-sdn1"
        set filter "tag.Name=my-GWLB-demo"
        config list
            edit "10.2.1.199"
            next
        end
    next
end

 

5. InterfaceId filter (the key is spelled as listed in the Description above):

config firewall address
    edit "aws-sdn-addr-GWLB-InterfaceId"
        set type dynamic
        set sdn "aws-sdn1"
        set filter "InterfaceId=eni-0123456789"
        config list
            edit "10.2.1.199"
            next
        end
    next
end

 

6. InterfaceType filter:

config firewall address
    edit "aws-sdn-addr-GWLB-type"
        set type dynamic
        set sdn "aws-sdn1"
        set filter "InterfaceType=gateway_load_balancer"
        config list
            edit "10.2.1.199"
            next
        end
    next
end

 

7. SubnetId filter:

config firewall address
    edit "aws-sdn-addr-GWLB-SubnetId"
        set type dynamic
        set sdn "aws-sdn1"
        set filter "SubnetId=subnet-1234556789"
        config list
            edit "10.2.1.199"
            next
        end
    next
end
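The filters in the seven examples above all select ENIs by a single key=value attribute. The following added example (not Fortinet's or AWS's code) implements that matching over ENI records shaped like the output of 'aws ec2 describe-network-interfaces', so a filter can be previewed against the account before it is committed on the FortiGate, and renders the result in the same 'config firewall address' form the article uses. It goes beyond the page in two labelled assumptions: filter keys are matched case-insensitively, and terms can be joined with '&' (all must match). The sample ENIs, their IDs, security groups and descriptions are constructed; the last one sits in a second account (222222222222) in a shared subnet and carries a copied Name tag, which is why the tag-only GWLB filter resolves to an extra address while adding OwnerId does not.

```python
"""Preview which ENI private IPs a FortiGate AWS dynamic address filter resolves to.

Added example, not Fortinet or AWS code. Filter keys are those the article lists,
applied to records shaped like 'aws ec2 describe-network-interfaces' output. Assumed,
not taken from the article: keys match case-insensitively (tag keys keep their case,
as AWS tag keys are case-sensitive), values match exactly, '&' joins terms (all must
match)."""
import json
from ipaddress import ip_address

# Constructed sample (no real account data). Account 111111111111 owns the VPC; the
# last ENI belongs to a participant account in a shared subnet with a copied Name tag.
SAMPLE_ENIS_JSON = """
{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-0ws00000000000001", "InterfaceType": "interface",
  "SubnetId": "subnet-0aaaaaaaaaaaaaaaa", "OwnerId": "111111111111",
  "Description": "WorkSpaces ENI", "Groups": [{"GroupId": "sg-0ws00000000000001"}],
  "TagSet": [{"Key": "Name", "Value": "my-workspace-demo"}],
  "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.34", "Primary": true}]},
 {"NetworkInterfaceId": "eni-0alb0000000000001", "InterfaceType": "interface",
  "SubnetId": "subnet-0bbbbbbbbbbbbbbbb", "OwnerId": "111111111111",
  "Description": "ELB app/my-ALB-demo/0123456789abcdef", "Groups": [{"GroupId": "sg-0alb0000000000001"}],
  "TagSet": [{"Key": "Name", "Value": "my-ALB-demo"}],
  "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.120", "Primary": true}]},
 {"NetworkInterfaceId": "eni-0nlb0000000000001", "InterfaceType": "network_load_balancer",
  "SubnetId": "subnet-0ccccccccccccccccc", "OwnerId": "111111111111",
  "Description": "ELB net/my-NLB-demo/0123456789abcdef", "Groups": [],
  "TagSet": [{"Key": "Name", "Value": "my-NLB-demo"}],
  "PrivateIpAddresses": [{"PrivateIpAddress": "10.2.11.181", "Primary": true}]},
 {"NetworkInterfaceId": "eni-0nlb0000000000002", "InterfaceType": "network_load_balancer",
  "SubnetId": "subnet-0ddddddddddddddddd", "OwnerId": "111111111111",
  "Description": "ELB net/my-NLB-demo/0123456789abcdef", "Groups": [],
  "TagSet": [{"Key": "Name", "Value": "my-NLB-demo"}],
  "PrivateIpAddresses": [{"PrivateIpAddress": "10.2.21.189", "Primary": true}]},
 {"NetworkInterfaceId": "eni-0123456789", "InterfaceType": "gateway_load_balancer",
  "SubnetId": "subnet-1234556789", "OwnerId": "111111111111",
  "Description": "ELB gwy/my-GWLB-demo/0123456789abcdef", "Groups": [],
  "TagSet": [{"Key": "Name", "Value": "my-GWLB-demo"}],
  "PrivateIpAddresses": [{"PrivateIpAddress": "10.2.1.199", "Primary": true}]},
 {"NetworkInterfaceId": "eni-0bad0000000000001", "InterfaceType": "gateway_load_balancer",
  "SubnetId": "subnet-0eeeeeeeeeeeeeeee", "OwnerId": "222222222222",
  "Description": "ELB gwy/my-GWLB-demo/fedcba9876543210", "Groups": [],
  "TagSet": [{"Key": "Name", "Value": "my-GWLB-demo"}],
  "PrivateIpAddresses": [{"PrivateIpAddress": "10.9.9.9", "Primary": true}]}
]}
"""


def load_sample() -> list:
    return json.loads(SAMPLE_ENIS_JSON)["NetworkInterfaces"]


def eni_attributes(eni: dict) -> dict:
    """Map one ENI record onto the FortiGate filter keys (lower-cased)."""
    attrs = {
        "interfaceid": {eni["NetworkInterfaceId"]},
        "interfacetype": {eni["InterfaceType"]},
        "subnetid": {eni["SubnetId"]},
        "ownerid": {eni["OwnerId"]},
        "description": {eni.get("Description", "")},
        "securitygroupid": {g["GroupId"] for g in eni.get("Groups", [])},
    }
    for tag in eni.get("TagSet", []):
        attrs["tag." + tag["Key"]] = {tag["Value"]}  # tag key stays case-sensitive
    return attrs


def parse_filter(expr: str) -> list:
    """'InterfaceType=x & OwnerId=y' -> [('interfacetype', 'x'), ('ownerid', 'y')]."""
    terms = []
    for term in expr.split("&"):
        key, sep, value = term.strip().partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed filter term: {term!r}")
        head, dot, rest = key.strip().partition(".")
        terms.append((head.lower() + dot + rest, value.strip()))
    return terms


def resolve(filter_expr: str, enis: list) -> list:
    """Sorted private IPs (primary and secondary) of every ENI matching all terms."""
    terms = parse_filter(filter_expr)
    ips = set()
    for eni in enis:
        attrs = eni_attributes(eni)
        if all(value in attrs.get(key, set()) for key, value in terms):
            ips.update(a["PrivateIpAddress"] for a in eni["PrivateIpAddresses"])
    return sorted(ips, key=ip_address)


def render_address(name: str, sdn: str, filter_expr: str, enis: list) -> str:
    """FortiOS object as the article shows it; on a FortiGate the 'config list'
    entries are filled in by the connector, this only previews them."""
    lines = ["config firewall address", f'    edit "{name}"', "        set type dynamic",
             f'        set sdn "{sdn}"', f'        set filter "{filter_expr}"', "        config list"]
    for ip in resolve(filter_expr, enis):
        lines += [f'            edit "{ip}"', "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    enis = load_sample()
    print(resolve("tag.Name=my-GWLB-demo", enis))  # the copied tag in the other account matches too
    print(render_address("aws-sdn-addr-GWLB", "aws-sdn1",
                         "InterfaceType=gateway_load_balancer & OwnerId=111111111111", enis))
```

To run it against a real account, replace SAMPLE_ENIS_JSON with the output of 'aws ec2 describe-network-interfaces --output json'; once the connector has updated, the resolved list should agree with what the FortiGate shows under the address object's 'config list'. Whether the real connector accepts '&' between terms is an assumption of this example and should be confirmed on the target FortiOS version before relying on it.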