Registering the service insertion definition to NSX-T

6.4.0

With the NSX-T integration, you can use FortiManager to register the service with the partner service catalog in NSX Manager. This step applies to both FortiManager-VM and FortiManager physical appliances.

To register the service insertion definition to NSX-T:
  1. Log in to FortiManager, then select the desired ADOM.
  2. Go to Fabric View > Fabric Connectors.
  3. Click Create New > VMware NSX-T.
  4. In the Create New Fabric Connector page, fill out the following fields:

    Name: Enter a unique name to identify the NSX-T Connector.
    Status: Keep the status OFF until you have configured the other fields.

    NSX-T Manager Configurations
      Server: Enter the NSX-T Manager IP address.
      User Name: Enter the username to access the NSX-T Manager.
      Password: Enter the password.

    FortiManager Configurations
      IP Address: Enter the FortiManager IP address. Usually it is the same IP address that you are accessing in the browser.
      User Name: Enter the username to access the FortiManager.
      Password: Enter the password.

  5. Click OK to save the changes. Then, toggle the Status to ON.
  6. Add the service:
    1. Open the newly created NSX-T Connector. Under Registered Services, click Add Service.
    2. In the Service Name field, enter the service name to register under NSX-T's partner service catalog.
    3. For Integration, select East-West or North-South as desired.
    4. In earlier steps, you placed FortiGate-VM deployment image files on a web server. In the Image Location field, enter the file location URL in the format http://<IP address of web server>/<directory>/FortiGate-VM64.nsxt.ovf.
    5. Enter the URL of the directory containing the license files in the License URL Prefix. This directory should contain the license file, OVF, and both VMDK files. The FortiGate-VM automatically downloads the license and validates it on bootup. If license validation fails, you can upload a new valid license via the FortiOS UI. The FortiGate must have a valid license before connecting to FortiManager.
    6. From the Type dropdown list, select the desired SKU. This does not have any bearing on the SKU of the FortiGate-VM being deployed, as the OVF file configuration determines this. However, this can be useful in letting the user know which SKU is configured to be deployed on the NSX Manager UI. You can specify multiple SKUs in the service field in FortiManager. You can use this to upgrade or downgrade the deployment via NSX-T when required.

The service is now registered with NSX-T. After a few minutes, if FortiManager connects to NSX-T, it populates the dynamic address objects, which you can see in the FortiManager configuration and in NSX-T's inventory groups. You can use these objects to configure firewall policies.

Note

To ensure automatic dynamic address population, run the following commands in the FortiManager CLI:

    config system admin user
        edit <admin (username specified in FortiManager connector configuration)>
            set rpc-permit read-write
        next
    end

Without read-write permission on rpc-permit, dynamic addresses are not populated automatically.
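
The following added example (not part of the original Fortinet documentation) checks a saved copy of the config system admin user block to confirm that the connector account has rpc-permit read-write, and lists any other accounts that also hold it so the grant can be kept to the connector account alone. The sample configuration, account names, and function names are constructed for illustration; an account with no rpc-permit line is treated as not having read-write.

```python
# Constructed sample of a saved "config system admin user" block (not from a real device).
SAMPLE_CONFIG = """\
config system admin user
    edit "admin"
        set rpc-permit read
        config dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "nsxt-connector"
        set rpc-permit read-write
    next
    edit "auditor"
    next
end
"""

def parse_admin_users(config_text):
    """Return {username: {setting: value}}, skipping nested config sub-blocks."""
    users, current, in_block, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin user"
        elif line.startswith("config "):
            depth += 1                      # nested block inside a user entry
        elif line == "end":
            if depth:
                depth -= 1
            else:
                in_block = False
        elif depth:
            continue                        # ignore lines inside nested blocks
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            users[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3:
                users[current][parts[1]] = parts[2].strip('"')
        elif line == "next":
            current = None
    return users

def check_rpc_permit(config_text, connector_user):
    """Check the connector account and list other accounts with read-write."""
    users = parse_admin_users(config_text)
    rw = sorted(u for u, s in users.items() if s.get("rpc-permit") == "read-write")
    return {"found": connector_user in users, "connector_ok": connector_user in rw,
            "other_read_write": [u for u in rw if u != connector_user]}
```
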
