Extend FortiManager firewall policies to Kubernetes

Big picture

Use FortiManager firewall policies to secure workloads in your Kubernetes cluster.

Value

The Calico Cloud/Fortinet integration lets you control Kubernetes clusters directly and apply policy using the FortiManager UI as the primary interface. This allows firewall administrators to leverage existing tools and workflows as they learn and adopt Kubernetes orchestration at their own pace.

Concepts

Integration at a glance

This Calico Cloud/Fortinet solution lets you directly control Kubernetes policies using FortiManager.

The basic workflow is:

1. Determine the Kubernetes pods that you want to securely communicate with each other.
2. Label these pods using a key-value pair where key is the tigera.io/address-group, and value is the pod matching a label name.
3. In the FortiManager, select the cluster’s ADOM, and create an address group using the key-value pair associated with the pods.
4. Create firewall policies using the address groups for IPv4 Source address and IPv4 Destination Address, and select services and actions as you normally would to allow or deny the traffic. Under the covers, the Calico Cloud integration controller periodically reads the FortiManager firewall policies for your Kubernetes cluster, converts them to Calico Cloud global network policies, and applies them to clusters.
5. Use the Calico Cloud Manager UI to verify the integration, and then FortiManager UI to make all updates to policy rules.

note

The default value for reading FortiManager firewall policies is three seconds. To change the value, modify environment variable FW_FORTIMGR_EW_POLL_INTERVAL in FortiManager integration manifest; units are in seconds.

Before you begin

Supported version

• FortiManager v6.4

Required

• IPv4 CIDR’s or IP addresses of all Kubernetes nodes; this is required for FortiManager to treat Kubernetes nodes as trusted hosts.

Recommended

• Experience with tiered policy and global network policy
• Experience creating and administering FortiGate/FortiManager firewall policies

How to

• Create a tier
• Configure FortiManager to communicate with firewall controller
• Create a FortiManager config map
• Install FortiManager password as secrets
• Deploy the firewall controller in the Kubernetes cluster
• Verify the integration

Create a tier

Create a Calico Cloud tier in the Calico Cloud Manager UI for each Kubernetes cluster you want to secure. We recommend that you create a new tier (rather than reusing an existing tier) for all global network policies created by the Calico Cloud integration controller.

Configure FortiManager to communicate with firewall controller

1. Determine and note the CIDR’s or IP addresses of all Kubernetes nodes that can run the tigera-firewall-controller.
   This is required to explicitly allow the tigera-firewall-controller to access the FortiManager API.
2. From system settings, create an Admin profile with Read-Write access for Policy & Objects.
   For example: tigera_api_user_profile
3. Create a JSON API administrator and associate this user with the tigera_api_user_profile profile and add CIDR or IP address of your Kubernetes cluster nodes as trusted hosts.
4. Note the username and password.

Create a FortiManager config map

1. Create a namespace for the tigera-firewall-controller.

    kubectl create namespace tigera-firewall-controller

2. In this FortiManager ConfigMap manifest, add your FortiManager device information in the data section: tigera.firewall.fortimanager-policies. For example:

     tigera.firewall.fortimanager-policies: |
     - name: prod-east1
       ip: 3.2.1.4
       username: api_user
       adom: root
       tier: <tier-name>
       packagename: sacramento
       password:
         secretKeyRef:
           name: fortimgr-east1
           key: pwd-fortimgr-east1

   Where:

   Field	Description
   name	FortiManager device name.
   ip	FortiManager Management IP address.
   adom	FortiManager ADOM name that manages Kubernetes cluster.
   packagename	FortiManager Firewall package. All firewall rules targeted for Kubernetes cluster are packed under this package.
   username	JSON api access account name to Read/Write FortiManager address objects.
   password	Secret in tigera-firewall-controller namespace, to store FortiManager password
   tier	Tier name you created in Calico Cloud Manager UI
   password.secretKeyRef.name	Name of the secret to store password.
   password.secretKeyRef.key	Key name in the secret, which stores password.

3. Apply the manifest.

   kubectl apply -f https://downloads.tigera.io/ee/v3.20.0-1.0/manifests/fortimanager-device-configmap.yaml

Install FortiManager password as secrets

Store each FortiManager password as a secret in the tigera-firewall-controller namespace.

For example, in the ConfigMap for FortiMgr prod-east1, store its password as a secret name as fortimgr-east1, with key as pwd-fortimgr-east1.

kubectl create secret generic fortimgr-east1 \
-n tigera-firewall-controller \
--from-literal=pwd-fortimgr-east1=<fortimgr-password>

Deploy the firewall controller in the Kubernetes cluster

1. Install your pull secret.

   kubectl create secret generic tigera-pull-secret \
   --from-file=.dockerconfigjson=<path/to/pull/secret> \
   --type=kubernetes.io/dockerconfigjson -n tigera-firewall-controller

2. Apply the manifest.

   kubectl apply -f https://downloads.tigera.io/ee/v3.20.0-1.0/manifests/fortimanager.yaml

Verify the integration

1. Log in to FortiManager with the correct ADOM.
2. Select Policy & Objects, Object Configuration, and create new Address Groups.
3. Click Policy packages and select the Package assigned to your Kubernetes cluster.
4. Create a test firewall policy with the following fields: Name, IPv4 Source Address, IPv4 Destination Address, Service and Action.
5. Log in to the Calico Cloud Manager UI, and under the tier that you specified in the ConfigMap, verify that the GlobalNetworkPolicies are created.