vschmitt_FTNT
Staff
October 5, 2023

Technical Tip: SDN Connector - How to retrieve AWS ELBs, VPC Endpoints, TGW, GWLB, and Workspace Instance private IPs

Description

This article explains how to retrieve the ENI IP addresses of AWS Workspaces and ALB/NLB/GWLB load balancers, and how to filter them using the following filter keys: <OwnerId>, <InterfaceType>, <SecurityGroupId>, <InterfaceId>, <Tag> and <Description>.

Scope

FortiOS 7.2.4, FortiOS 7.4.2, AWS, SDN Connector.
Solution

One feature of the SDN connector is to retrieve public/private cloud information of network objects to dynamically update network policies via Dynamic Address Objects.

 

Before FortiOS 7.2.4 and FortiOS 7.4.2, FortiGate AWS-type SDN connectors did not support retrieving AWS Workspaces and ALB/NLB/GWLB ENI IP addresses.

 

To make this work, 'alt-resource-ip' must be enabled on the AWS SDN connector (under 'config system sdn-connector'). Once enabled, the connector can retrieve the private IPs of AWS ELBs (ALB and NLB), VPC Endpoints, TGW, GWLB and Workspace instances:

 

config system sdn-connector
    edit aws-cross-account
        set alt-resource-ip enable
    next
end

 

After that, dynamic firewall addresses can be built from these objects using filters. The 'config list' section under each address shows the IPs the connector resolved for that filter:

 

  1. Workspace ENI IP addresses:

config firewall address
    edit "aws-sdn-addr-workspace"
        set type dynamic
        set sdn "aws-sdn"
        set filter "tag.Name=my-workspace-demo"
        config list
            edit "10.0.1.34"
            next
        end
    next
end

 

  2. ALB ENI IP address:

config firewall address
    edit "aws-sdn-addr-ALB"
        set type dynamic
        set sdn "aws-sdn"
        set filter "tag.Name=my-ALB-demo"
        config list
            edit "10.0.2.120"
            next
        end
    next
end

 

  3. NLB ENI IP addresses (one ENI per availability zone, so two IPs are resolved):

config firewall address
    edit "aws-sdn-addr-NLB"
        set type dynamic
        set sdn "aws-sdn"
        set filter "tag.Name=my-NLB-demo"
        config list
            edit "10.2.11.181"
            next
            edit "10.2.21.189"
            next
        end
    next
end

 

  4. GWLB ENI IP address:

config firewall address
    edit "aws-sdn-addr-GWLB"
        set type dynamic
        set sdn "aws-sdn1"
        set filter "tag.Name=my-GWLB-demo"
        config list
            edit "10.2.1.199"
            next
        end
    next
end

 

  5. FortiGate dynamic addresses also support an InterfaceID filter:

config firewall address
    edit "aws-sdn-addr-GWLB-InterfaceId"
        set type dynamic
        set sdn "aws-sdn1"
        set filter "InterfaceID=eni-0123456789"
        config list
            edit "10.2.1.199"
            next
        end
    next
end

 

  6. FortiGate dynamic addresses also support an InterfaceType filter:

config firewall address
    edit "aws-sdn-addr-GWLB-type"
        set type dynamic
        set sdn "aws-sdn1"
        set filter "InterfaceType=gateway_load_balancer"
        config list
            edit "10.2.1.199"
            next
        end
    next
end

 

  7. FortiGate dynamic addresses also support a SubnetId filter:

config firewall address
    edit "aws-sdn-addr-GWLB-SubnetId"
        set type dynamic
        set sdn "aws-sdn1"
        set filter "SubnetId=subnet-1234556789"
        config list
            edit "10.2.1.199"
            next
        end
    next
end
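As an added cross-check that is not part of the original article or of FortiOS, the following Python script applies the filter syntax used in the examples above (tag.Name, InterfaceType, SubnetId, InterfaceID, SecurityGroupId, OwnerId, Description) to a constructed record in the shape of 'aws ec2 describe-network-interfaces' output, so the IPs a dynamic address should contain can be predicted and compared against its 'config list'. Exact, case-sensitive matching of the filter value is an assumption; the ENI data is constructed, not real AWS output.

```python
"""Predict which ENI private IPs a 'key=value' SDN-connector filter resolves to.

Assumption (not stated on the page): the filter value is compared by exact,
case-sensitive match against the matching describe-network-interfaces field.
"""
import json

# Constructed sample (not real AWS output): one GWLB ENI and two NLB ENIs in two subnets.
SAMPLE_ENIS = json.loads("""{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-0123456789", "InterfaceType": "gateway_load_balancer",
  "SubnetId": "subnet-1234556789", "OwnerId": "111111111111", "Description": "ELB gwy/my-GWLB-demo",
  "Groups": [{"GroupId": "sg-0gwlbdemo"}], "TagSet": [{"Key": "Name", "Value": "my-GWLB-demo"}],
  "PrivateIpAddresses": [{"PrivateIpAddress": "10.2.1.199", "Primary": true}]},
 {"NetworkInterfaceId": "eni-0nlbdemo1", "InterfaceType": "network_load_balancer",
  "SubnetId": "subnet-0az1", "OwnerId": "111111111111", "Description": "ELB net/my-NLB-demo",
  "Groups": [], "TagSet": [{"Key": "Name", "Value": "my-NLB-demo"}],
  "PrivateIpAddresses": [{"PrivateIpAddress": "10.2.11.181", "Primary": true}]},
 {"NetworkInterfaceId": "eni-0nlbdemo2", "InterfaceType": "network_load_balancer",
  "SubnetId": "subnet-0az2", "OwnerId": "111111111111", "Description": "ELB net/my-NLB-demo",
  "Groups": [], "TagSet": [{"Key": "Name", "Value": "my-NLB-demo"}],
  "PrivateIpAddresses": [{"PrivateIpAddress": "10.2.21.189", "Primary": true}]}
]}""")


def _field_values(eni, key):
    """Map one of the page's filter keys to the ENI values it is compared against."""
    if key.startswith("tag."):                    # tag.Name=... matches a TagSet entry
        return [t["Value"] for t in eni.get("TagSet", []) if t["Key"] == key[4:]]
    if key == "SecurityGroupId":                  # any attached security group
        return [g["GroupId"] for g in eni.get("Groups", [])]
    if key in ("InterfaceId", "InterfaceID"):     # the page uses both spellings
        return [eni["NetworkInterfaceId"]]
    return [str(eni.get(key, ""))]                # OwnerId, InterfaceType, SubnetId, Description


def resolve_filter(filter_expr, data=SAMPLE_ENIS):
    """Return the sorted private IPs that 'key=value' would place into the dynamic address."""
    key, sep, value = filter_expr.partition("=")
    if not sep:
        raise ValueError("filter must be of the form key=value")
    ips = set()
    for eni in data["NetworkInterfaces"]:
        if value in _field_values(eni, key.strip()):
            ips.update(a["PrivateIpAddress"] for a in eni.get("PrivateIpAddresses", []))
    return sorted(ips)


if __name__ == "__main__":
    for f in ("tag.Name=my-NLB-demo", "InterfaceType=gateway_load_balancer",
              "SubnetId=subnet-1234556789", "InterfaceID=eni-0123456789"):
        print(f, "->", resolve_filter(f))
```

Replace SAMPLE_ENIS with the real JSON from the AWS CLI to compare the predicted list against the FortiGate's resolved addresses.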