# FortiGate bootstrap configuration rendered by Terraform (templatefile).
# Lines starting with '#' are assumed to be ignored by the FortiOS CLI
# parser — NOTE(review): confirm on the target firmware before relying on them.
# Device hostname comes from the `hostname` template variable.
config system global
set hostname ${hostname}
end
# Primary addressing: one static /32 per entry of `prv_ips` (port -> address).
# Administrative access (ping, https, ssh) is enabled only on the port equal to
# `mgmt_port`; no allowaccess is set here for any other port. Nothing in this
# template restricts the source addresses allowed to reach https/ssh (for
# example admin trusthosts), so that restriction must come from elsewhere.
config sys interface
%{ for port, address in prv_ips ~}
edit ${port}
set mode static
set ip ${address}/32
%{ if port==mgmt_port ~}
set allowaccess ping https ssh
%{ endif ~}
next
%{ endfor ~}
end
# Internal load balancer addresses: for each entry of `ilb_ips` (port -> object
# with an `address` field) enable secondary IPs on that port and add the ILB
# address as a /32 secondary IP. Only `probe-response` is allowed on it, so the
# address answers health probes but exposes no admin protocol.
config sys interface
%{ for port, ilb in ilb_ips ~}
edit ${port}
set secondary-IP enable
config secondaryip
edit 0
set ip ${ilb.address}/32
set allowaccess probe-response
next
end
next
%{ endfor ~}
end
# External frontend addresses: every value of `frontends` becomes a /32
# secondary IP on port1 with `probe-response` as the only allowed access.
# The for/endfor directives here carry no '~', so the rendered output keeps a
# blank line where each directive stood (harmless, but inconsistent with the
# other loops in this file).
config system interface
edit port1
set secondary-IP enable
config secondaryip
%{ for eip in frontends}
edit 0
set ip ${eip}/32
set allowaccess probe-response
next
%{ endfor }
end
next
end
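# Static routing table. Every attribute inside an `edit` entry must be given
# with the `set` keyword; the two GCP health-check routes at the bottom used a
# bare `comment ...` line, which is not a valid CLI command, so the comment
# was never applied — fixed to `set comment`.
config route static
# One route per entry of `subnets` (subnet -> object with `dev` and `name`):
# the gateway is looked up in `gateways` by the egress device. `name` is
# rendered unquoted, so a value containing spaces would not parse — consider
# passing it already quoted or quoting it here.
%{ for subnet, info in subnets ~}
edit 0
set dst ${subnet}
set gateway ${gateways[info.dev]}
set device ${info.dev}
set comment ${info.name}
next
%{ endfor ~}
# Default route via port1 (external load balancer), priority 5. The preferred
# source is the first frontend address, only emitted when `frontends` is
# non-empty. NOTE(review): if `frontends` is a map rather than a list, indexing
# it with 0 requires a key "0" — confirm against the caller.
edit 0
set device port1
set comment "default via external load balancer"
set gateway ${gateways["port1"]}
set priority 5
%{ if length(frontends)>0 ~}
set preferred-source ${frontends[0]}
%{ endif ~}
next
# Optional second default route out of the management port, priority 2 versus
# the port1 route's 5. FortiOS treats the lower priority value as preferred, so
# with `mgmt_port_public` set this becomes the egress for all default-routed
# traffic, not only management traffic — NOTE(review): confirm that is intended.
%{ if mgmt_port_public ~}
edit 0
set device ${mgmt_port}
set comment "default via public management port"
set priority 2
set gateway ${gateways[mgmt_port]}
next
%{ endif ~}
# Return routes for the GCP load balancer health-check source ranges, one pair
# per ILB port, so probe replies leave through the port that was probed.
%{ for port,ilb in ilb_ips ~}
edit 0
set device ${port}
set gateway ${gateways[port]}
set dst 35.191.0.0/16
set comment "GCP load balancer health checks"
next
edit 0
set device ${port}
set gateway ${gateways[port]}
set dst 130.211.0.0/22
set comment "GCP load balancer health checks"
next
%{ endfor ~}
end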
# Health-check responder: answer HTTP probes on `healthcheck_port` with the
# body "OK". Only addresses whose allowaccess includes `probe-response` (the
# ILB and frontend secondary IPs configured above) respond.
config system probe-response
set mode http-probe
set http-probe-value OK
set port ${healthcheck_port}
end
# GCP SDN connector named "gcp" with HA status disabled, i.e. the connector is
# not used for HA failover updates here (presumably because failover is handled
# by the load balancer health checks above — verify against the deployment).
config system sdn-connector
edit "gcp"
set type gcp
set ha-status disable
next
end
# DNS: single resolver 169.254.169.254 (the link-local GCP metadata server) over
# cleartext UDP/TCP, no secondary. Cleartext is acceptable for a link-local
# resolver; replacing it with an external resolver would also call for
# revisiting the protocol setting.
config system dns
set primary 169.254.169.254
set protocol cleartext
unset secondary
end
# Session synchronisation between cluster members: pick up TCP sessions,
# connectionless (UDP/ICMP) sessions and NAT sessions on failover.
config system ha
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-nat enable
end
# Standalone (FGSP-style) cluster: this member's id is `ha_indx` and each
# address in `ha_peers` is added as a cluster peer. The for/endfor directives
# carry no '~', so the rendered output keeps blank lines where they stood.
config system standalone-cluster
set group-member-id ${ha_indx}
config cluster-peer
%{ for peer in ha_peers }
edit 0
set peerip ${peer}
next
%{ endfor }
end
end
# Optional FortiManager registration, emitted only when `fortimanager.ip` is
# set; the manager's serial number is pinned so the device only accepts that
# manager. The closing endif has no '~', so a blank line follows in the output.
%{ if fortimanager.ip != null ~}
config system central-management
set type fortimanager
set serial-number ${fortimanager.serial}
set fmg ${fortimanager.ip}
end
%{ endif }
# One single-address IP pool per frontend (name -> address from `frontends`),
# so policies can SNAT to a specific load balancer frontend. Note this loop
# iterates `frontends` as key/value pairs while the port1 secondary-IP loop
# above iterates values only.
config firewall ippool
%{ for name, eip in frontends ~}
edit ${name}
set startip ${eip}
set endip ${eip}
set comment "GCP load balancer frontend"
next
%{ endfor ~}
end
# Caller-supplied CLI appended verbatim after the generated sections. The
# template performs no validation or escaping of this value, so it can
# override anything configured above and must be treated as trusted operator
# input.
${fgt_config}