
Determine the best Calico Cloud/Fortinet solution

Big picture

Determine the best Calico Cloud/Fortinet solution to integrate Kubernetes clusters with your existing Fortinet firewall workflows.

Value

Many security teams must work within the confines of their existing IT security architecture, even though perimeter firewalls do not meet the needs of Kubernetes clusters. The Calico Cloud/Fortinet integration allows firewall administrators to leverage existing Fortinet security tools and workflows, continue meeting compliance requirements, while adopting Kubernetes orchestration using Calico Cloud at their own pace.

Concepts

The Calico Cloud/Fortinet integration provides the following solutions. You can use them separately, or together without contention.

Solution 1: Extend Kubernetes to Fortinet firewall devices

Use case: Control egress traffic for Kubernetes clusters.

Problem: Perimeter firewalls do not have the necessary information to act on traffic that leaves the cluster for Kubernetes workloads.

Solution: The Calico Cloud/Fortinet integration leverages the power of Calico Cloud policy selectors to provide Kubernetes workload information to FortiManager and FortiGate devices. You create perimeter firewall policies in FortiManager and FortiGate that reference Kubernetes workloads. Policies are applied and enforced by FortiGate devices, so firewall administrators can write cluster egress policies that reference Kubernetes workloads directly in Fortinet devices.

Solution 2: Extend FortiManager firewall policies to Kubernetes

Use case: Control Kubernetes clusters directly and apply policy.

Problem: To avoid disruption, teams need to leverage existing FortiManager as the primary user interface.

Solution: Use FortiManager to create firewall policies that are applied as Calico Cloud network policies on Kubernetes workloads. Use the power of a Calico Cloud “higher-order tier” so Kubernetes policy is evaluated early in the policy processing order, but update policy using the FortiManager UI. Use the Calico Cloud Manager UI as a secondary interface to verify the integration and troubleshoot using logs.
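To make the two building blocks concrete, here is an added example (not configuration from this page or from the Calico Cloud/Fortinet integration itself) of what both solutions rest on: a Calico `Tier` that sits early in the processing order, and a `GlobalNetworkPolicy` in that tier whose `selector` identifies Kubernetes workloads by label. Solution 1 uses selectors like this one to tell FortiManager and FortiGate which workloads an egress rule covers; Solution 2 places FortiManager-authored policy into a higher-order tier so it is evaluated before team-owned tiers. The tier name `fortimanager`, the label `app == 'frontend'`, the destination network `203.0.113.0/24` and the `order` values are assumptions chosen for illustration. In Calico, a lower `order` value means earlier evaluation, and a policy in a tier is named `<tier>.<policy>`.

```yaml
# Added example: a higher-order tier evaluated before other tiers.
# Tier name and order value are assumed for illustration.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: fortimanager
spec:
  # Lower order = evaluated earlier. A team tier at order 500 would
  # only see traffic this tier did not Allow or Deny (or explicitly Passed).
  order: 100
---
# Added example: an egress policy in that tier. The selector, not an IP
# list, is what identifies the Kubernetes workloads the rule applies to.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  # Policies in a tier are named <tier>.<policy>.
  name: fortimanager.frontend-egress-to-partner
spec:
  tier: fortimanager
  order: 10
  # Assumed label: pods labelled app=frontend are the "source" workloads
  # that a FortiGate egress rule would reference.
  selector: app == 'frontend'
  types:
    - Egress
  egress:
    # Allow only HTTPS to the assumed partner range (documentation address space).
    - action: Allow
      protocol: TCP
      destination:
        nets:
          - 203.0.113.0/24
        ports:
          - 443
```

Apply with `kubectl apply -f` (the `projectcalico.org/v3` API is served through the Kubernetes API in Calico Cloud) and verify with `kubectl get tier` and `kubectl get globalnetworkpolicy`. One caveat worth checking when you introduce a higher-order tier: in Calico's tiered model, once any policy in a tier selects an endpoint, traffic that matches no rule in that tier is dropped at the end of the tier rather than falling through to later tiers, unless a rule uses `action: Pass`. Review the Calico Cloud Manager UI flow logs after rollout to confirm that workloads managed by lower-order tiers still see the traffic you expect.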

Next steps