RuiChang
Staff
Article Id 251915
Description

This article describes the integration of Kubernetes with the FortiManager External Connector.

Scope

FortiManager.

Solution

FortiManager Fabric View enables integration with Kubernetes to dynamically pull Kubernetes addresses and apply them in firewall policies. The configuration steps are provided below:

1) In FortiManager, go to Fabric View -> External Connectors and select 'Create New':

Name = Connector Name

Status = enable

IP = Kubernetes IP

Port = Kubernetes Cluster Port

Secret Token = Kubernetes service account secret

Note:

The Secret Token can be obtained from Kubernetes with 'kubectl get secrets -o json' and decoded with base64.
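As an added example (not part of this article or of FortiManager's own tooling), the shell snippet below shows how the three values the connector form asks for can be derived from kubectl output: it decodes the base64 `token` field from a Secret object JSON, as the note describes, and splits the API server URL from kubeconfig into the IP and Port. The Secret JSON, the server URL and the `<namespace>` / `<token-secret-name>` names in the comments are constructed placeholders, not values from a real cluster.

```shell
#!/bin/sh
# Added example (not from the article): derive the IP, Port and Secret
# Token values for the FortiManager External Connector from kubectl output.

# decode_sa_token: read a Secret object JSON on stdin (as printed by
# `kubectl get secret <name> -o json`) and print the decoded token.
# The Secret stores .data.token base64-encoded, hence the decode step.
decode_sa_token() {
  tr -d '\n' \
    | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p' \
    | base64 -d
}

# server_host_port: split an API server URL such as
# "https://10.0.0.5:6443" into "host port" for the IP and Port fields.
# A URL without an explicit port is assumed to use 443 (HTTPS default).
server_host_port() {
  url=$(printf '%s' "$1" | sed 's#^[a-zA-Z]*://##')   # drop scheme
  url=${url%%/*}                                        # drop any path
  host=${url%%:*}
  port=${url##*:}
  [ "$host" = "$port" ] && port=443
  printf '%s %s\n' "$host" "$port"
}

# Constructed sample data standing in for live kubectl output.
# The token field decodes to the placeholder string "sample-token".
SAMPLE_SECRET_JSON='{"apiVersion":"v1","kind":"Secret","type":"kubernetes.io/service-account-token","data":{"ca.crt":"LS0tQkVHSU4tLS0=","namespace":"ZGVmYXVsdA==","token":"c2FtcGxlLXRva2Vu"}}'
SAMPLE_SERVER_URL='https://10.0.0.5:6443'

# Demo run against the constructed sample. On a real cluster, replace the
# two echo lines with (names are placeholders):
#   kubectl -n <namespace> get secret <token-secret-name> -o json | decode_sa_token
#   server_host_port "$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')"
echo "Secret Token: $(printf '%s' "$SAMPLE_SECRET_JSON" | decode_sa_token)"
echo "IP / Port:    $(server_host_port "$SAMPLE_SERVER_URL")"
```

On Kubernetes 1.24 and later, token Secrets are no longer created automatically for service accounts, so `kubectl get secrets` returns nothing for the account until a Secret of type `kubernetes.io/service-account-token` annotated with the service account name is created explicitly. Because the decoded token is stored in FortiManager and grants everything the service account can do, bind that account to a role with read-only (get/list/watch) access to the resources the connector needs and nothing more.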


2) Object Configuration:

After the Kubernetes External Connector is created, go to Policy & Objects -> Object Configuration -> Firewall Objects -> Addresses and select 'Create New' -> Address:

In the filter column, select the icon to import all SDN Connector filters. It loads all the filters and provides a selection as shown below. Toggling the '+' sign switches between the two displays:

Display 1. (screenshot)

Display 2. (screenshot)

If multiple filters are selected, 'OR' and 'AND' logic options are available, which allow a more dynamic filter for the addresses pulled from Kubernetes.

3) Policy Package:

After the Kubernetes addresses are created, they can be applied in Policy Packages for the firewall policy.

If FortiManager is unable to import Kubernetes addresses during object configuration, apply the debug commands below to obtain more information about the error for troubleshooting:

# diagnose debug application connector 255

# diagnose debug enable

Related article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Integration-of-Minikube-Kubernetes-in-Virt...