fgt-base-config.tpl
# FortiGate bootstrap configuration rendered by Terraform's templatefile().
# Each name referenced in an interpolation below is a template variable; the
# expanded text is the FortiOS CLI configuration handed to the VM at first boot.
# Lines beginning with "#" are comments to the FortiOS CLI parser.
#
# The rendered output carries api_key (and anything passed in fgt_config) in
# plaintext, so the rendered string -- and wherever it ends up (instance
# metadata, Terraform state, plan output) -- has to be handled as sensitive.
config system global
set hostname ${hostname}
end
# Health-check responder for the GCP load balancers: answers HTTP probes on
# healthcheck_port with the body "OK". It is only reachable on addresses whose
# allowaccess lists "probe-response" (the frontend secondary IPs on port1, the
# ILB secondary IP on port2 and the "probe" loopback below).
config system probe-response
set mode http-probe
set http-probe-value OK
set port ${healthcheck_port}
end
# REST API user "terraform", emitted only when api_accprofile is non-empty.
# api_key is written in clear text; api_accprofile is the access profile that
# bounds what the key may do. Every entry of api_acl becomes one trusthost
# entry, so the key is only usable from those source addresses.
# NOTE(review): with an empty api_acl no trusthost entries are rendered and the
# user is presumably reachable from any source address -- confirm against the
# target FortiOS version and keep api_acl populated whenever the user is created.
%{ if length(api_accprofile) > 0 }
config system api-user
edit terraform
set api-key ${api_key}
set accprofile "${api_accprofile}"
config trusthost
%{ for cidr in api_acl ~}
edit 0
set ipv4-trusthost ${cidr}
next
%{ endfor ~}
end
next
end
%{ endif }
# GCP SDN connector. No credentials are set here, so it presumably relies on
# the instance's service account -- the IAM role attached to the VM therefore
# defines what this connector can change in the project (confirm).
config system sdn-connector
edit "gcp"
set type gcp
set ha-status disable
next
end
# DNS via the GCP metadata server (169.254.169.254), which only speaks plain
# DNS, hence "protocol cleartext". No secondary resolver is configured.
config system dns
set primary 169.254.169.254
set protocol cleartext
unset secondary
end
# Active-passive HA pair. Heartbeat runs over port3 as unicast to
# unicast_peer_ip (no broadcast/multicast heartbeat between GCP VMs).
# port4 is the dedicated HA management interface with its own gateway mgmt_gw,
# so each member stays individually reachable. override + priority ha_prio is
# intended to make the higher-priority node the primary.
config system ha
set group-name "gcp-group"
set mode a-p
set hbdev "port3" 50
set session-pickup enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port4"
set gateway ${mgmt_gw}
next
end
set override enable
set priority ${ha_prio}
set unicast-hb enable
set unicast-hb-peerip ${unicast_peer_ip}
set unicast-hb-netmask ${unicast_peer_netmask}
end
# Interfaces (all /32 host addresses, GCP style):
#  port1 - external: ext_ip answers ping only; each frontend_eips entry is a
#          secondary IP that answers load-balancer probes.
#  port2 - internal: int_ip plus ilb_ip as a probe-answering secondary IP.
#  port3 - HA heartbeat/sync only.
#  port4 - management: https, ssh and fgfm (FortiManager) are open on it.
#          Nothing in this template limits the sources, so the VPC firewall
#          rules in front of the management subnet are the only restriction.
#  probe - loopback 169.254.255.100 answering probe-response.
config system interface
edit port1
set mode static
set ip ${ext_ip}/32
set allowaccess ping
set secondary-IP enable
config secondaryip
%{ for name, eip in frontend_eips ~}
edit 0
set ip ${eip}/32
set allowaccess probe-response
next
%{ endfor ~}
end
next
edit port2
set mode static
set allowaccess ping
set ip ${int_ip}/32
set secondary-IP enable
config secondaryip
edit 0
set ip ${ilb_ip}/32
set allowaccess probe-response
next
end
next
edit port3
set mode static
set allowaccess ping
set ip ${hasync_ip}/32
next
edit port4
set mode static
set ip ${mgmt_ip}/32
set allowaccess ping https ssh fgfm
next
edit "probe"
set vdom "root"
set ip 169.254.255.100 255.255.255.255
set allowaccess probe-response
set type loopback
next
end
# Static routes: default route out of port1 via ext_gw; the internal range
# int_cidr via port2/int_gw; and 35.191.0.0/16 + 130.211.0.0/22 (Google's
# load-balancer health-check source ranges) also via port2 so that probe
# replies to the internal load balancer return on the interface they arrived on.
config router static
edit 0
set device port1
set gateway ${ext_gw}
next
edit 0
set device port2
set dst ${int_cidr}
set gateway ${int_gw}
next
edit 0
set device port2
set dst 35.191.0.0/16
set gateway ${int_gw}
next
edit 0
set device port2
set dst 130.211.0.0/22
set gateway ${int_gw}
next
end
# One single-address IP pool per frontend EIP, named after the frontend_eips
# key, for use by firewall policies that NAT behind that frontend.
config firewall ippool
%{ for name, eip in frontend_eips ~}
edit ${name}
set startip ${eip}
set endip ${eip}
set comment "GCP load balancer frontend"
next
%{ endfor ~}
end
# Caller-supplied extra configuration, appended verbatim and unvalidated.
${fgt_config}