Skip to main content
Calico Enterprise 3.19 (latest) documentation

Determine the best Calico Enterprise/Fortinet solution

Big picture

Determine the best Calico Enterprise/Fortinet solution to integrate Kubernetes clusters with your existing Fortinet firewall workflows.

Value

Many security teams must work within the confines of their existing IT security architecture, even though perimeter firewalls do not meet the needs of Kubernetes clusters. The Calico Enterprise/Fortinet integration allows firewall administrators to leverage existing Fortinet security tools and workflows, continue meeting compliance requirements, while adopting Kubernetes orchestration using Calico Enterprise at their own pace.

Concepts

The Calico Enterprise/Fortinet integration provides the following solutions. You can you use them separately, or together without contention.

Solution 1: Extend Kubernetes to Fortinet firewall devices

Use case: Control egress traffic for Kubernetes clusters.

Problem: Perimeter firewalls do not have the necessary information to act on traffic that leaves the cluster for Kubernetes workloads.

Solution: The Calico Enterprise/Fortinet integration leverages the power of Calico Enterprise policy selectors to provide Kubernetes workload information to FortiManager and FortiGate devices. You create perimeter firewall policies in FortiManager and FortiGate that reference Kubernetes workloads. Policies are applied and enforced by FortiGate devices. And Firewall administrators can write cluster egress policies that reference Kubernetes workloads directly in Fortinet devices.

Solution 2: Extend FortiManager firewall policies to Kubernetes

Use case: Control Kubernetes clusters directly and apply policy.

Problem: To avoid disruption, teams need to leverage existing FortiManager as the primary user interface.

Solution: Use FortiManager to create firewall policies that are applied as Calico Enterprise network policies on Kubernetes workloads. Use the power of a Calico Enterprise “higher-order tier” so Kubernetes policy is evaluated early in the policy processing order, but update policy using FortiManager UI. Use the Calico Enterprise Manager UI as a secondary interface to verify the integration and troubleshoot using logs.

Next steps