FortiGate
RuiChang (Staff)
Article Id 251798
Description

This article describes how to filter the Kubernetes addresses learned through the Private Cloud SDN Connector so that an address object resolves to specific IP addresses.

Scope

FortiGate.

Solution

FortiGate queries the Kubernetes API to learn the IP addresses in the cluster dynamically.

To use these addresses in a firewall policy, address objects must be created on the FortiGate. Go to Policy & Objects -> Addresses and select 'Create New' -> Address:

[Screenshot: RuiChang_1-1681092414655.png]

In the Filter drop-down list, FortiGate offers filters based on Namespaces, Pods, Services, Nodes and other Kubernetes object types.

Note:

If specific addresses fail to resolve on the FortiGate, the SDN address type can be changed to 'All' so that FortiGate queries Kubernetes for more address types.

1) Multiple filters:

In some environments, certain IP addresses need tighter restriction and protection from the FortiGate. In that case, an additional filter can be applied to the Kubernetes address.

[Screenshot: RuiChang_2-1681092441603.png]

In the Filter column, select the '+' sign to add an extra filter to the Kubernetes address.

The logic button on the right side of the filter toggles between 'and' and 'or', controlling how the filters are combined.

After the address is created, it can be verified on the FortiGate under Policy & Objects -> Addresses: hover the pointer over the Kubernetes address name and choose 'Matched Address List'.

In this example, two filters on Service Name are applied. The Service addresses shown on the FortiGate are the same as the Service addresses in the Kubernetes cluster, indicating that the filter was applied successfully.

[Screenshot: RuiChang_0-1681092522689.png]

[Screenshot: RuiChang_0-1681092716562.png]

2) Multiple interfaces:

If the FortiGate is connected to multiple Kubernetes clusters through different interfaces, the address can be created for a specific interface. By default, the interface is 'any', and FortiGate applies the filter and matches IP addresses learned from all interfaces.

In the Interface column, specify the interface connected to the desired Kubernetes cluster.

In this example, FortiGate matches IP addresses from port 2 only.

[Screenshot: RuiChang_0-1681092789629.png]

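The filter logic from section 1) and the interface scope from section 2), modelled in Python as an added example that is not Fortinet's code: it resolves a constructed set of Service records through filters combined with 'and' or 'or', restricts them to one interface, and compares the result with the cluster's own Service IPs in the way the Matched Address List check above does. The record layout, the filter key names and the interface tag are assumptions made for this illustration.

```python
"""Added example (not Fortinet code): how a FortiGate dynamic Kubernetes address
resolves to IPs through filters combined with 'and'/'or' and an interface scope.
Record layout, filter keys (Namespace, ServiceName) and the Interface tag are
assumptions mirroring the GUI filter options, not the SDN connector's format."""

# Constructed sample: Services learned from two clusters, each tagged with the
# FortiGate interface through which that cluster's API is reached.
K8S_SERVICES = [
    {"Namespace": "prod", "ServiceName": "web", "ip": "10.96.0.10", "Interface": "port2"},
    {"Namespace": "prod", "ServiceName": "api", "ip": "10.96.0.11", "Interface": "port2"},
    {"Namespace": "dev", "ServiceName": "web", "ip": "10.97.0.10", "Interface": "port3"},
    {"Namespace": "dev", "ServiceName": "db", "ip": "10.97.0.12", "Interface": "port3"},
]


def resolve(records, filters, logic="and", interface="any"):
    """Return the set of IPs the address object resolves to.

    filters:   (key, value) pairs, one per filter row in the GUI.
    logic:     'and' needs every filter to match a record, 'or' at least one.
    interface: only records learned via this interface count; 'any' means all.
    """
    if logic not in ("and", "or"):
        raise ValueError(f"unsupported logic: {logic}")
    combine = all if logic == "and" else any
    matched = set()
    for rec in records:
        if interface != "any" and rec["Interface"] != interface:
            continue
        if combine(rec.get(key) == value for key, value in filters):
            matched.add(rec["ip"])
    return matched


def verify(matched, cluster_ips):
    """Compare the Matched Address List with the cluster's own Service IPs.
    Returns (missing_on_fortigate, unexpected_on_fortigate); both empty is a pass."""
    return cluster_ips - matched, matched - cluster_ips


if __name__ == "__main__":
    two_services = [("ServiceName", "web"), ("ServiceName", "api")]
    # Two filters on the same key only make sense with 'or': no Service carries
    # two names, so 'and' resolves to nothing.
    print("or :", sorted(resolve(K8S_SERVICES, two_services, "or")))
    print("and:", sorted(resolve(K8S_SERVICES, two_services, "and")))
    # Scope the same filters to the cluster behind port2, as in section 2).
    port2 = resolve(K8S_SERVICES, two_services, "or", "port2")
    print("port2:", sorted(port2), "check:", verify(port2, {"10.96.0.10", "10.96.0.11"}))
```

The empty 'and' result is the case to watch for when stacking two filters on the same key in the GUI: the object then matches nothing, and the Matched Address List will be blank.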
Related documents:

https://docs.fortinet.com/document/fortigate-private-cloud/7.2.0/kubernetes-administration-guide/510...

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/673021/kubernetes-k8s
