Cisco ACI Administration Guide

FortiOS 7.2
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE


https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT


https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM


https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT


https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

March 31, 2022


FortiOS 7.2 Cisco ACI Administration Guide
01-720-793034-20220331
TABLE OF CONTENTS

SDN Connector integration with Cisco ACI 4


Off-the-box connector VM 4
Configuring the Cisco ACI connector in FortiOS 4
Configuring VDOM and SDN connector example 4
FortiGate built-in connector 37
Configuring Cisco pxGrid SDN connector 39
Change log 44

FortiOS 7.2 Cisco ACI Administration Guide 3


Fortinet Inc.
SDN Connector integration with Cisco ACI

The Fortinet Device Package for Cisco ACI is being deprecated. Use the SDN connector described in this
document as its replacement.

Off-the-box connector VM

You can use Cisco ACI (Application Centric Infrastructure) SDN connectors in dynamic firewall addresses.
The Fortinet SDN Connector for Cisco ACI is a standalone connector that connects to SDN controllers within Cisco ACI.
You must configure a connection to the Fortinet SDN connector in FortiOS to query the dynamic addresses.

Configuring the Cisco ACI connector in FortiOS

See the FortiOS Administration Guide.

Configuring VDOM and SDN connector - example

SDN Connector is Fortinet's solution for integrating various SDN platforms with FortiGate and FortiManager
products. It serves as a gateway bridging SDN controllers and Fortinet devices, including FortiGate and
FortiManager. The SDN Connector registers itself with the Cisco ACI SDN controller, polls the objects of interest, and
translates them into address objects. The translated address objects and their associated endpoints are pushed to the
FortiGate/FortiManager devices that subscribe to those objects.
The following provides an example of configuring a VDOM and the SDN Connector. This example uses SDN Connector 1.1.3.

Overview

Components

The following diagram illustrates the relationship between the components of the SDN Connector:


Topology

The following diagram illustrates the topology when using SDN Connector with FortiManager:


Licensing

SDN Connector is available free of charge for Fortinet customers. You must ensure that you register your
FortiGate/FortiManager with FortiCare on Fortinet Customer Service & Support.

Hardware requirements

If you plan to instantiate a large number of virtual machines (VMs) in your SDN Connector environment, ensure that you
size the host VM or server appropriately. The following recommendations represent the minimum sizing numbers:
- Memory: 4 GB
- CPU: 2 vCPU
- Disk: 20-50 GB
- vNICs: 1

Terminology

The following defines some terms used in this guide:

ACI Cisco Application Centric Infrastructure

APIC Cisco Application Policy Infrastructure Controller

BD Bridge domain

EPG Endpoint group

VDOM Virtual domain

SDN Software-defined network


Supported new features

SDN Connector 1.1 supports the Nuage and Cisco ACI platforms. This guide is written for the Cisco ACI platform.

Supported Fortinet products

All physical and virtual FortiGate products that support the Fortinet Security Fabric are compatible with SDN Connector.
FortiManager-VM has also been qualified.

Firmware versions

SDN Connector 1.1 is compatible with the following FortiOS versions:


- 6.2.0 and later versions
- 6.0.5

Prerequisites

The following prerequisites must be met before deploying SDN Connector with Cisco ACI Connector:
- Cisco-side prerequisites on page 7
- FortiGate-side prerequisites on page 7
- FortiManager-side prerequisites on page 8
- SDN Connector prerequisites on page 8
- Cisco ACI deployment on page 15

Cisco-side prerequisites

Before you can successfully deploy SDN Connector, a number of prerequisites must be satisfied within the Cisco
environment. A Cisco ACI 3.0 or later environment must be in place. Within Cisco, the following configurations must be
completed before SDN Connector can pull objects:
- Creation of Access Policies configuration under the Fabric menu
- Creation of any needed tenant(s)
- Creation of network(s) including BD
- Creation of application profile(s)
- Creation of EPG(s)
- Creation of contract(s)
- Creation of a BGP/OSPF L3Out (only if BGP/OSPF is required)
For details, consult the Cisco APIC deployment guide.

FortiGate-side prerequisites

Before you can successfully deploy SDN Connector, a number of prerequisites must be satisfied on the FortiGate:
1. Configure the administrator username and password.
2. Enable HTTP/HTTPS on the management port.
3. Configure the management port's IP address.


4. Enable VDOM-Admin globally.


5. Configure port-group if needed.

FortiManager-side prerequisites

Before you can successfully deploy SDN Connector, a number of prerequisites must be satisfied on FortiManager:
1. Configure the administrator username and password.
2. Enable HTTP/HTTPS on the management port.
3. Configure the management port's IP address.
4. Register the FortiGate with FortiManager.

SDN Connector prerequisites

Before you can successfully deploy SDN Connector, you must complete a number of tasks on the SDN Connector:

Installing the SDN Connector

1. SDN Connector supports VMware vSphere, KVM, and Microsoft Hyper-V as deployment environments. Download
the connector package:
a. On the Customer Service & Support site, go to Download > Firmware Images.
b. From the Select Product dropdown list, select FortiSDNConnector.
c. On the Download tab, go to v1.00 > v1.1.3.
d. Download the appropriate file based on your hypervisor platform:

   Hypervisor        File
   KVM               sdn-connector-1.1.3.img
   Hyper-V           sdn-connector-1.1.3.vhd
   VMware vSphere    sdn-connector-1.1.3.zip

2. This example shows the installation process for vSphere client. Download sdn-connector.ovf. In vSphere Client, go
to File > Deploy OVF Template.

3. In the Deploy OVF Template dialog, enter the SDN Connector image file path in the Deploy from a file or URL field.
Click Next.


4. The dialog displays the SDN Connector version, download size, and size on disk. Click Next.


5. Enter the VM name, select the location, then click Next.

6. Choose the destination storage for the VM files, then click Next.


7. The dialog displays the datastore name and amount of available space. Select Thin Provision, then click Next.

8. Networks used in this OVF template should map to networks in your inventory. Choose the destination network for
network mapping, then click Next.


9. The dialog displays all previously configured options. To edit an option, click Back. If ready to deploy, click Finish.

Initializing the SDN Connector

1. After deploying the OVF template, turn on the VM and go to the Console tab. Once the SDN Connector boots up,
the system displays the following GUI dialog for configuration. Press Enter to proceed to the Network Interface
Configuration wizard.

The Network Interface Configuration wizard provides DHCP and static IP configuration options.

When the VM receives the IP address from the DHCP server, the system shows this success dialog. The dialog
shows the SDN Connector IP address and gateway information.


When the VM is configured with a static IP address, the system shows this success dialog.

2. To change the network configuration, click OK and return to the wizard to restart the setup flow.
3. Using a web browser, go to https://<SDN connector IP address>.

4. Log into the system with the default username and password, which are admin@sdn-connector.local and
fortinet123, respectively. When you first log in, the GUI prompts you to change the password.

Configuring the SDN Connector

The SDN Connector GUI has several web controls. It is a single-page web application.
To restart the service, click Restart Service. The system displays a dialog asking you to restart the connector service.

To change the password, click Change Password.


To change the configuration click Configuration.

The Configuration page consists of the following fields:

Option                              Description

APIC Host/IP                        You can enter multiple APIC IP addresses and/or FQDNs. Ensure that you
                                    separate each entry with a comma.

APIC Username                       Enter the Cisco ACI username as obtained from the ACI administrator.

APIC Password                       Enter the Cisco ACI password as obtained from the ACI administrator.

Fabric Connector Username           Enter the FortiGate/FortiManager username used to log into the Fortinet SDN
                                    connector. The default username is admin.

Change Fabric Connector Password    Enter the FortiGate/FortiManager password used to log into the Fortinet SDN
                                    connector. The default password is fortinet123.

To upgrade the service, go to the SDN Connector homepage, then click UpgradeService on the banner. A dialog shows
the upgrade progress. Once the upgrade is finished, the dialog prompts “Upgraded Successfully! Going to refresh in
10s” and the GUI refreshes automatically. This allows patch upgrades of the SDN Connector.

The following displays sample output objects pulled from Cisco ACI:


Click Running Status to verify the status. When the signal icons are green, this indicates the connection between the
SDN controller and SDN connector has been established.

Cisco ACI deployment

This section describes steps to create endpoint objects within ACI that SDN Connector can extract from. The steps
include the following:
1. Create a tenant (Tenant1) and VRF (vrf1).
2. Create BDs (app and web).
3. Create EPGs (app and web).
4. Create an L4-L7 device (FGT1).
5. Create a service graph template (Template1).
6. Deploy service graph between web and app.

To create a tenant and VRF:

1. In Cisco APIC, go to Tenants > Add Tenant.


2. Create a tenant and VRF as shown below. In the example below, the tenant is named "Tenant1", and the VRF is
named "vrf1".

To create a BD (app and web):

1. Create the app BD:


a. Go to Tenants > Tenant 1 > Networking > Bridge Domains.
b. Create the app BD as shown. In the Name field, enter App. From the VRF dropdown list, select vrf1. Click Next.


c. Configure the other parameters as required. Click Finish.


2. Define a subnet gateway for the app BD:
a. If you are using policy-based routing (PBR), this will be the gateway for the endpoints that belong to this BD. For
PBR configuration, consult the Cisco configuration guide. If you are not using PBR, the endpoint gateway will
be the interfaces on the FortiGate. In our example, we are using the FortiGate interface as the gateway for the
endpoints. Go to the newly created BD app, then click Subnets.
b. Create the subnet and enter the gateway IP address as shown.

c. Click Submit.


3. Create the web BD:


a. Go to Tenants > Tenant 1 > Networking > Bridge Domains.
b. Create the web BD as shown. In the Name field, enter web. From the VRF dropdown list, select vrf1. Click Next.

c. Configure the other parameters as required. Click Finish.


4. Define a subnet gateway for the web BD:
a. If you are using policy-based routing (PBR), this will be the gateway for the endpoints that belong to this BD. For
PBR configuration, consult the Cisco configuration guide. If you are not using PBR, the endpoint gateway will
be the interfaces on the FortiGate. In our example, we are using the FortiGate interface as the gateway for the
endpoints. Go to the newly created BD app, then click Subnets.


b. Create the subnet and enter the gateway IP address as shown.

c. Click Submit.

To create EPGs:

1. Create an application profile for the EPGs:


a. Go to Tenants > Tenant 1 > Create Application Profile.


b. Configure as shown, then click Submit.

2. Create the app EPG:


a. Go to Tenants > Tenant 1 > Application Profiles > AP > Application EPGS > Create Application EPG. Do not
use | in the EPG name.
b. Configure as shown, selecting the web BD.
c. Click Finish.


3. Configure tag(s) for the app EPG if desired.

4. Map endpoint VMs to the app EPG:


a. Go to Tenants > Tenant1 > Application Profiles > AP > Application EPGs > app, then right-click Domains (VMs
and Bare-Metals). Select Add VMM Domain Association.


b. Configure the VMM domain association as shown. Click Submit.

c. In the hypervisor, select the configured VMM domain association under the Network label.


5. Repeat step b to create the web EPG, selecting the web BD instead of the app BD. Do not use | in the EPG name.

6. If desired, create tag(s) for the web EPG.


7. Repeat step c to map endpoints to the web EPG.

To create an L4-L7 device:

1. Go to Tenant > Tenant1 > Services > L4-L7 > Devices > Create L4-L7 Devices.
2. If using unmanaged mode, ensure that the Managed checkbox is not selected.


3. Configure as shown, then click Finish.

To create the service graph template:

1. Go to Tenant > Tenant1 > Services > L4-L7 > Service Graph Templates > Create L4-L7 Service Graph Template.
2. Configure the service graph template.
3. Click Submit.


To deploy the service graph template between the web and app EPGs:

1. Deploy the service graph between the web and app EPGs:
a. Go to Tenant > Tenant1 > Services > L4-L7 > Service Graph Templates. Right-click Template1, then select
Apply L4-L7 Service Graph Template.

b. From the Consumer EPG / External Network dropdown list, select the web EPG.
c. From the Provider EPG / Internal Network dropdown list, select the app EPG.
d. Enter a contract name.
e. Click Next.

f. From the Service Graph Template dropdown list, select the service graph template configured in step h.
g. Under FGT1 Information, configure the consumer connector as shown, selecting the web BD. Configure the
provider connector with the app BD.


h. Click Finish. The service graph is deployed.

2. Obtain the VLANs assigned to the interfaces. You will configure the corresponding VLANs on the FortiGate side:
a. Go to Tenant > Tenant1 > Services > L4-L7 > Deployed Graph Instances > contract1-Template1-Tenant1 >
Function Node - N1.


b. Under Function Connectors, note the VLANs listed for the consumer and provider in the Encap column.

Deploying SDN Connector

SDN Connector works with standalone FortiGate as well as FortiManager. The below sections describe steps for
deploying FortiGate in standalone or managed mode with FortiManager:
- Deploying SDN Connector with FortiGate (standalone) on page 27
- Deploying SDN Connector with FortiManager on page 31

Deploying SDN Connector with FortiGate (standalone)

Deploying SDN Connector when using FortiGate in standalone mode consists of the following steps:
1. Create a VDOM.
2. Create VLAN interfaces.
3. Create static routes.
4. Configure a Fabric SDN Connector.
5. Create dynamic addresses.
6. Create policies using the dynamic address(es).

To create a VDOM:

1. In FortiOS, connect to the management VDOM.


2. Go to Global > System > VDOM and select Create New.
3. Enter a unique Name. VDOM names have the following restrictions:
   - Only letters, numbers, "-", and "_" are allowed.
   - No more than eleven characters are allowed.
   - No spaces are allowed.
   - VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.

4. Enter a short and descriptive comment to identify this VDOM.


5. Select OK.


To create VLAN interfaces:

1. Go to Network > Interfaces.


2. Click Create New > Interface.
3. Configure an interface for each VLAN noted in the last step of Cisco ACI deployment on page 15. Ensure that the
VLAN mapped to the interface corresponds to the VLAN that ACI assigned during service graph deployment.


To create static routes:

1. Go to Network > Static Routes.


2. Click Create New > IPv4 Static Route.
3. Configure two static routes as shown below: one for each VLAN configured in the previous section.

To configure an SDN connector:

1. Go to Security Fabric > External Connectors.


2. Click Create New.
3. Under Private SDN, select Application Centric Infrastructure (ACI).


4. Configure the SDN Connector, then click OK. The default port is 5671.

To create dynamic addresses:

1. Go to Policy & Objects > Addresses.


2. Click Create New > Address.
3. Configure a dynamic address for the app EPG:
a. From the Type dropdown list, select Dynamic.
b. From the Sub Type dropdown list, select Fabric Connector Address.
c. From the SDN Connector dropdown list, select the configured SDN connector.
d. In the Endpoint Group Name field, enter the endpoint group name in the following format: Application Profile
name|EPG name. This is case-sensitive. In Cisco ACI deployment on page 15, the application profile was
named "AP", and the EPGs were named "app" and "web". Therefore, the correct format is AP|app and AP|web.

4. Repeat steps 2 and 3 to configure a dynamic address for the web EPG.
The following shows that the FortiOS and SDN Connector output regarding the web and app EPGs contain
corresponding information:


To create policies using the dynamic addresses:

1. Go to Policy & Objects > Firewall Policy.


2. Click Create New.
3. Create a policy that allows communication from the web EPG to the app EPG:
a. In the Incoming Interface field, select the port5_vlan2767 interface.
b. In the Outgoing Interface field, select the port6_vlan2766 interface.
c. In the Source field, select the web EPG address.
d. In the Destination field, select the app EPG address.
e. Click OK.
4. Create a policy that allows communication from the app EPG to the web EPG:
a. In the Incoming Interface field, select the port6_vlan2766 interface.
b. In the Outgoing Interface field, select the port5_vlan2767 interface.
c. In the Source field, select the app EPG address.
d. In the Destination field, select the web EPG address.
e. Click OK.
5. Ensure that an endpoint in the web EPG and an endpoint in the app EPG can ping each other.

Deploying SDN Connector with FortiManager

Deploying SDN Connector when using FortiManager consists of the following steps:
1. Configure a Fabric SDN Connector.
2. Create or import address objects.
3. Map the web and app interfaces.
4. Create policies leveraging the address objects.
5. Push the configuration to the FortiGate.

To configure a Fabric SDN Connector:

1. In FortiManager, go to Policy & Objects > Security Fabric > Fabric Connectors.
2. Click Create New.


3. Configure the SDN Connector. The default port is 5671.

To create or import address objects:

To import address objects, do the following:


1. Go to Policy & Objects > Security Fabric > Fabric Connectors.
2. Right-click the newly created SDN Connector and select Import from the context menu.
3. In the Import SDN Connector dialog, select the EPGs to import. In this example, the AP|app and AP|web EPGs are
imported.

To manually create address objects, do the following:


1. Go to Policy & Objects > Firewall Objects > Addresses.
2. Click Create New > Address.
3. Configure a dynamic address for the web EPG. Ensure that the format for the endpoint group name is entered as
"Application Profile name|EPG name". This is case-sensitive. In Cisco ACI deployment on page 15, the application
profile was named "AP", and the EPGs were named "app" and "web". Therefore, the correct format is AP|app and
AP|web.


4. Repeat steps 2 and 3 to configure a dynamic address for the app EPG.

To map the web and app interfaces:

1. Go to Policy & Objects > Zone/Interface > Interface.


2. Click Create New > Dynamic Interface.
3. Create an interface for the web EPG that maps to the correct port and VLAN.

4. Repeat step 3 for the app EPG.

To create policies leveraging the address objects:

1. Go to Policy & Objects > Policy Packages > default > Installation Targets.
2. Click Add.
3. In the Add Installation Targets dialog, select the managed FortiGate. Click OK.
4. Go to Policy & Objects > Policy Packages > default > IPv4 Policy.
5. Click Create New.


6. Create a policy that allows communication from the web EPG to the app EPG as shown:

7. Create a policy that allows communication from the app EPG to the web EPG as shown:

To push the configuration to the FortiGate:

1. Go to Policy & Objects > Policy Packages > default > IPv4 Policy.
2. Click Install > Install Wizard.
3. In the Install Wizard, ensure that the default policy package is selected. Click Next.
4. Select the managed FortiGate. Click Next.
5. Ensure that the summary is correct, then click Install.
6. When installation is complete, click Finish.
7. In FortiOS, go to Policy & Objects > IPv4 Policy to ensure that the policies were pushed and are configured as
desired.

8. Ensure that an endpoint in the web EPG and an endpoint in the app EPG can ping each other.


Monitoring SDN connector status using an API

You can monitor SDN connector status using the REST API provided by the Fortinet SDN Connector for Cisco ACI and
Nuage Networks.
Request:
/api/status

Response:
Format: json

Key (Type; possible values)
    Description

in_sync (Boolean; true | false)
    Whether endpoints are synchronized with the upstream SDN controller.

rpc_listener (String; connected | disconnected | uninitialized)
    Sends and receives notifications to and from FortiOS and FortiManager.
    - connected: SDN connector is connected to RabbitMQ for receiving and sending notifications.
    - disconnected: connection to RabbitMQ is down.
    - uninitialized: SDN connector has not initialized its connection with RabbitMQ yet (during the startup stage).

sdn_controller (String; connected | disconnected)
    Controller that the SDN connector connects to in order to get endpoint updates.
    - connected: SDN connector connection to the SDN controller is successful.
    - disconnected: SDN connector connection to the SDN controller fails due to an outage or an invalid
      username/password, or has not completed yet.

sdn_controller_host (String; IP address | FQDN)
    IP address or FQDN of the SDN controller that the SDN connector is connecting to.

type (String; aci | nuage)
    Current SDN controller type.

time (Integer; epoch time in seconds)
    Current epoch time stamp.

usage (Dictionary)
    usage.cpu (Float; 0-100): SDN connector CPU usage.
    usage.mem (Float; 0-100): SDN connector memory usage.

version (String; x.x.x)
    Version number in major.minor.patch format.

The following is an example of the output:

    {
        "in_sync": true,
        "rpc_listener": "connected",
        "sdn_controller": "connected",
        "sdn_controller_host": "x.x.x.x",
        "time": 1584398898,
        "type": "aci",
        "usage": {
            "cpu": 7.6,
            "mem": 69.7
        },
        "version": "1.1.3"
    }

The following shows sample code for monitoring the SDN connector using this API:

    #!/usr/bin/env python3
    import re
    import requests


    class SdnConnectorClient(object):
        """Minimal client for the SDN Connector GUI login and its /api/status endpoint."""

        def __init__(self, host, password, user="admin@sdn-connector.local", verify=False):
            self.host = host
            self.base_url = "https://" + host
            self.user = user
            self.password = password
            # TLS verification is off by default because the connector ships with a
            # self-signed certificate; pass the path of a trusted CA bundle as
            # verify= to check the connector's certificate instead of accepting any.
            self.verify = verify
            self.csrf = None
            self.cookies = None

        def login(self):
            # The login form embeds a CSRF token: fetch the page to read the token
            # and obtain the session cookie before posting the credentials.
            login_page = requests.get(self.base_url + '/login', verify=self.verify)
            session = login_page.cookies
            regex = re.compile(r".+csrf_token='(\S+)'.+")
            match = regex.search(login_page.text)
            if match is None:
                raise RuntimeError("csrf_token not found in the login page")
            self.csrf = match.group(1)
            form = {"email": self.user, "password": self.password,
                    "csrf_token": self.csrf, "submit": "Login", "next": "/"}
            res = requests.post(self.base_url + '/login', data=form,
                                verify=self.verify, cookies=session,
                                headers={'referer': self.base_url})
            self.cookies = res.cookies

        def get_status(self):
            # Returns the JSON body of /api/status as text.
            res = self.get('/api/status')
            return res[1]

        def get(self, path):
            res = requests.get(self.base_url + path, cookies=self.cookies,
                               verify=self.verify)
            return res.status_code, res.text

        def post(self, path, data):
            res = requests.post(self.base_url + path, cookies=self.cookies,
                                data=data, verify=self.verify)
            return res.status_code, res.text


    if __name__ == "__main__":
        sdn_client = SdnConnectorClient('localhost', 'xxxxxx')
        sdn_client.login()
        print(sdn_client.get_status())
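The status fields documented above map directly onto a health check. The following is an added example, not Fortinet's code: it evaluates a /api/status JSON document (a constructed sample is embedded) and returns the findings a monitoring job should alert on; the 90% CPU and memory thresholds are assumptions, not values from this guide.

```python
"""Evaluate the health of a Fortinet SDN Connector from its /api/status
response.  Added example, not Fortinet's code: it consumes the JSON document
described in the status table and returns the findings a monitoring job
should alert on.  The CPU/memory thresholds are assumptions."""
import json

# Constructed sample response in the shape of the guide's example output.
SAMPLE_STATUS = json.dumps({
    "in_sync": True,
    "rpc_listener": "connected",
    "sdn_controller": "connected",
    "sdn_controller_host": "x.x.x.x",
    "time": 1584398898,
    "type": "aci",
    "usage": {"cpu": 7.6, "mem": 69.7},
    "version": "1.1.3",
})

REQUIRED_KEYS = ("in_sync", "rpc_listener", "sdn_controller",
                 "sdn_controller_host", "type", "usage", "version")

# Values the status table documents for each string field.
VALID_VALUES = {
    "rpc_listener": {"connected", "disconnected", "uninitialized"},
    "sdn_controller": {"connected", "disconnected"},
    "type": {"aci", "nuage"},
}

CPU_WARN_PERCENT = 90.0   # assumed alerting threshold, not from the guide
MEM_WARN_PERCENT = 90.0   # assumed alerting threshold, not from the guide


def evaluate_status(raw_json):
    """Return a list of findings for one /api/status document; empty = healthy."""
    status = json.loads(raw_json)
    findings = ["missing key: %s" % k for k in REQUIRED_KEYS if k not in status]
    if findings:
        # A response that lacks documented keys is a fault in itself.
        return findings
    for key, allowed in VALID_VALUES.items():
        if status[key] not in allowed:
            findings.append("unexpected %s value: %r" % (key, status[key]))
    # sdn_controller: an outage, bad credentials and a not-yet-completed
    # connection all surface as "disconnected".
    if status["sdn_controller"] != "connected":
        findings.append("SDN controller %s is %s"
                        % (status["sdn_controller_host"], status["sdn_controller"]))
    # rpc_listener is the RabbitMQ channel that carries updates to
    # FortiOS/FortiManager; without it dynamic addresses stop updating.
    if status["rpc_listener"] == "disconnected":
        findings.append("RabbitMQ connection is down")
    elif status["rpc_listener"] == "uninitialized":
        findings.append("RabbitMQ connection not yet initialized (startup stage)")
    if status["in_sync"] is not True:
        findings.append("endpoints not in sync with upstream SDN controller")
    usage = status["usage"]
    if usage.get("cpu", 0) > CPU_WARN_PERCENT:
        findings.append("high CPU usage: %.1f%%" % usage["cpu"])
    if usage.get("mem", 0) > MEM_WARN_PERCENT:
        findings.append("high memory usage: %.1f%%" % usage["mem"])
    return findings


def is_healthy(raw_json):
    return not evaluate_status(raw_json)


def with_overrides(raw_json, **changes):
    """Copy a status document with top-level keys replaced; usage_cpu and
    usage_mem address the nested usage dictionary.  Used to build test cases."""
    status = json.loads(raw_json)
    for key, value in changes.items():
        if key.startswith("usage_"):
            status["usage"][key[len("usage_"):]] = value
        else:
            status[key] = value
    return json.dumps(status)


if __name__ == "__main__":
    print(evaluate_status(SAMPLE_STATUS))          # []
    print(evaluate_status(with_overrides(SAMPLE_STATUS, in_sync=False)))
```

The text returned by get_status() in the sample client above can be passed straight to evaluate_status().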

FortiGate built-in connector

You can use the Cisco ACI (Application Centric Infrastructure) connector for northbound API integration with a direct
connection.
Multiple server IP addresses can be included for the Cisco APIC cluster active and standby hosts. One server is active,
and the rest serve as backups in case the active server fails. The FortiGate checks the status of the servers, and selects
one as the active server according to the order of the IP addresses in the list. If the active server fails, the FortiGate
changes to the next one down on the list.
This connector supports the following address filters:
- Tenant
- Application
- Endpoint group
- Tag

To configure a Cisco ACI connector in the GUI:

1. Create the Cisco ACI SDN connector:


a. Go to Security Fabric > External Connectors and click Create New.
b. In the Private SDN section, click Application Centric Infrastructure (ACI).
c. Configure the Connector Settings as needed. The update interval is in seconds.
d. In the Cisco ACI Connector section, for Type, select Direct Connection and configure the remaining settings as
needed.
e. Click OK.
2. Create a dynamic firewall address for the connector:
a. Go to Policy & Objects > Addresses.
b. Click Create New > Address and enter a name.
c. Configure the following settings:
i. For Type, select Dynamic.
ii. For Sub Type, select Fabric Connector Address.
iii. For SDN Connector, select the connector created in step 1.
iv. For Filter, select an entry from the dropdown list or configure a new filter.
d. Click OK.


3. Confirm that the connector resolves the dynamic firewall IP addresses:


a. Go to Policy & Objects > Addresses.
b. In the address table, hover over the address created in step 2 to view which IP addresses it resolves to:

To configure a Cisco ACI connector in the CLI:

1. Create the Cisco ACI SDN connector:


    config system sdn-connector
        edit "aci_direct1"
            set status enable
            set type aci-direct
            set server "10.100.25.204"
            set username "lzou"
            set password xxxxxxx
            set update-interval 60
        next
    end

2. Create a dynamic firewall address for the connector:


    config firewall address
        edit "aci-direct-app"
            set type dynamic
            set sdn "aci_direct1"
            set color 17
            set filter "Application=lzou-app"
        next
    end

3. Confirm that the connector resolves the dynamic firewall IP addresses:


    config firewall address
        edit "aci-direct-app"
            show
    config firewall address
        edit "aci-direct-app"
            set uuid 794aaf20-3e33-51ea-57e1-10b5badf3fc7
            set type dynamic
            set sdn "aci_direct1"
            set color 17
            set filter "Application=lzou-app"
            config list
                edit "10.0.5.11"
                next
                edit "10.0.5.12"
                next
                edit "10.0.6.11"
                next
                edit "10.0.6.12"
                next
                edit "10.0.6.13"
                next
                edit "10.0.6.14"
                next
                edit "10.0.7.11"
                next
                edit "10.0.7.12"
                next
            end
        next
    end
        next
    end
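Step 3 is the check that the dynamic address actually received members from the connector. As an added example, not Fortinet code, the following parses the `show` output of a FortiOS dynamic address and reports whether at least one member IP has been resolved; the sample outputs are constructed in the shape of the aci-direct-app example above, and the `config list` block is treated as the member list.

```python
"""Parse the FortiOS `show` output of a dynamic firewall address and check
that the SDN connector has resolved it to at least one member IP.  Added
example, not Fortinet code; the samples below are constructed in the shape
of the guide's "aci-direct-app" output."""
import ipaddress
import shlex

SAMPLE_SHOW = """\
config firewall address
    edit "aci-direct-app"
        set uuid 794aaf20-3e33-51ea-57e1-10b5badf3fc7
        set type dynamic
        set sdn "aci_direct1"
        set color 17
        set filter "Application=lzou-app"
        config list
            edit "10.0.5.11"
            next
            edit "10.0.5.12"
            next
        end
    next
end
"""

# Constructed: the same address before the connector has populated any members.
UNRESOLVED_SHOW = """\
config firewall address
    edit "aci-direct-app"
        set type dynamic
        set sdn "aci_direct1"
        set filter "Application=lzou-app"
    next
end
"""


def parse_show(text):
    """Return {address_name: {"settings": {key: value}, "members": [str]}}."""
    addresses = {}
    current = None            # address entry being filled
    in_member_list = False    # inside "config list ... end"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)   # strips the quotes FortiOS prints
        keyword = tokens[0]
        if keyword == "config" and tokens[1:] == ["list"] and current is not None:
            in_member_list = True
        elif keyword == "edit":
            if in_member_list:
                current["members"].append(tokens[1])
            else:
                current = {"settings": {}, "members": []}
                addresses[tokens[1]] = current
        elif keyword == "set" and current is not None and not in_member_list:
            current["settings"][tokens[1]] = " ".join(tokens[2:])
        elif keyword == "end" and in_member_list:
            in_member_list = False
        elif keyword == "next" and not in_member_list:
            current = None
    return addresses


def resolved_members(addresses, name):
    """Member IPs of a dynamic address as ipaddress objects; rejects
    non-dynamic addresses and skips members that are not valid addresses."""
    entry = addresses[name]
    if entry["settings"].get("type") != "dynamic":
        raise ValueError("%s is not a dynamic address" % name)
    members = []
    for member in entry["members"]:
        try:
            members.append(ipaddress.ip_address(member))
        except ValueError:
            continue
    return members


def is_resolved(show_output, name):
    """True when the connector has populated at least one IP for the address."""
    return len(resolved_members(parse_show(show_output), name)) > 0


if __name__ == "__main__":
    print(is_resolved(SAMPLE_SHOW, "aci-direct-app"))       # True
    print(is_resolved(UNRESOLVED_SHOW, "aci-direct-app"))   # False
```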

Configuring Cisco pxGrid SDN connector

You can create an endpoint connector to Cisco pxGrid by using FortiManager. FortiManager dynamically collects
updates from pxGrid and forwards them to FortiGate by using the Fortinet Single Sign On (FSSO) protocol.

To create a Cisco pxGrid SDN connector:

1. On FortiManager, create an SSO Connector to Cisco ISE.


Communication between FortiManager and Cisco ISE is secured by using TLS. FortiManager requires a client
certificate issued by Cisco ISE. FortiManager uses the certificate to authenticate to Cisco ISE.


2. On FortiManager, map Cisco ISE groups to a Fortinet FSSO group.


Once a secured communication channel is established, Cisco sends all user groups to FortiManager.
The FortiManager administrator can select specific groups and map them to Fortinet FSSO groups.


3. On FortiManager, add the Fortinet FSSO group to a firewall policy in a policy package.

4. On FortiManager, synchronize the policy package to the firewall for the managed FortiGate.

5. On FortiGate, verify that the synced firewall policy contains the correct FSSO group and that all FSSO-related
information under user adgrp is correct.


6. After successful user authentication on Cisco ISE, verify that the information is forwarded to FortiManager.
On FortiManager, the icon next to the authenticated user in pxGrid Monitor should be green.

FortiGate should have two entries: one in the firewall-authenticated user list and one in the FSSO logged-on user
list.
In the FSSO logged-on user list, you can view both groups: the group that the user belongs to on Cisco ISE and
the Fortinet FSSO group.

Change log

Date Change Description

2022-03-31 Initial release.

www.fortinet.com

Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
