Deploying a FortiGate-VM instance in an OpenStack environment using service insertion/chaining
This version adds NSH (Network Service Header) chaining support for virtual wire pair and transparent (TP) mode networks. FortiOS receives the NSH-encapsulated packets, removes the NSH header, processes the inner packet with firewall policies, and re-encapsulates the packet with the same NSH header before sending it out.
NSH support in FortiGate is therefore limited to unwrapping the packet on ingress and putting the NSH header back on before egress. Other parts of NSH are not yet supported: the Service Index (SI) in the service path header is passed through unchanged (it is not decremented, as an NSH-aware service function would do).
There is no CLI or GUI change. The only visible change is that sessions received with an NSH header show ext_header_type=nsh in the session info when listing sessions.
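The unwrap-and-rewrap behaviour described above, as an added example written for this page (not FortiOS code): it parses the RFC 8300 NSH base and service path headers, hands the inner Ethernet/IPv4 frame to a 5-tuple extractor (the fields a firewall policy matches on), and re-encapsulates with the identical header, leaving the SI unchanged as FortiOS does. For contrast, rfc8300_sf shows what a fully NSH-aware service function does with the SI. The sample frame is constructed, reusing the addresses from the session dump below; the names NSH, parse_nsh, inner_ipv4_tuple, passthrough, rfc8300_sf and build_sample are this example's own, and the example assumes the inner payload is an Ethernet frame, as on a virtual wire pair.

```python
"""
Illustration of the NSH handling described on this page: strip the Network
Service Header (RFC 8300) on ingress, hand the inner frame to policy
processing, then put the identical NSH back on egress.

Added example for this page, not FortiOS code. Bit layout follows RFC 8300;
the sample frame (addresses from the session dump on this page) is constructed.
"""
import struct
from dataclasses import dataclass, replace

NSH_NP_ETHERNET = 0x03  # Next Protocol: inner payload is an Ethernet frame


@dataclass(frozen=True)
class NSH:
    ttl: int          # 6-bit hop limit
    md_type: int      # 1 = fixed 16-byte context, 2 = variable TLVs
    next_proto: int
    spi: int          # 24-bit Service Path Identifier
    si: int           # 8-bit Service Index
    context: bytes    # raw context headers, a multiple of 4 bytes

    def pack(self) -> bytes:
        length_words = 2 + len(self.context) // 4  # base + service path + context
        word0 = (self.ttl << 22) | (length_words << 16) | (self.md_type << 8) | self.next_proto
        word1 = (self.spi << 8) | self.si
        return struct.pack("!II", word0, word1) + self.context


def parse_nsh(frame: bytes) -> tuple[NSH, bytes]:
    """Split an NSH-encapsulated frame into (header, inner payload). The O (OAM) bit is ignored."""
    if len(frame) < 8:
        raise ValueError("frame shorter than NSH base + service path header")
    word0, word1 = struct.unpack("!II", frame[:8])
    if word0 >> 30 != 0:
        raise ValueError("unsupported NSH version")
    ttl = (word0 >> 22) & 0x3F
    length_words = (word0 >> 16) & 0x3F
    md_type = (word0 >> 8) & 0xF
    next_proto = word0 & 0xFF
    hdr_len = length_words * 4
    # Length counts the whole NSH in 4-byte words; MD type 1 is always 6 words.
    if length_words < 2 or (md_type == 1 and length_words != 6) or len(frame) < hdr_len:
        raise ValueError("NSH length field inconsistent with MD type or frame size")
    hdr = NSH(ttl, md_type, next_proto, word1 >> 8, word1 & 0xFF, frame[8:hdr_len])
    return hdr, frame[hdr_len:]


def inner_ipv4_tuple(eth: bytes) -> tuple[str, int, str, int, int]:
    """(src, sport, dst, dport, proto) of an Ethernet/IPv4/TCP-or-UDP frame: what a
    firewall policy matches on once the NSH header has been removed."""
    if len(eth) < 34 or eth[12:14] != b"\x08\x00":
        raise ValueError("inner frame is not IPv4")
    ihl = (eth[14] & 0x0F) * 4
    proto = eth[23]
    src = ".".join(map(str, eth[26:30]))
    dst = ".".join(map(str, eth[30:34]))
    l4 = eth[14 + ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        raise ValueError("inner transport header missing")
    sport, dport = struct.unpack("!HH", l4[:4])
    return src, sport, dst, dport, proto


def passthrough(frame: bytes) -> tuple[tuple, bytes]:
    """Behaviour this page describes: unwrap, inspect the inner packet, rewrap with the
    header unchanged (SI is not decremented). Requiring an inner Ethernet frame is this
    example's assumption for the virtual wire pair case."""
    hdr, inner = parse_nsh(frame)
    if hdr.next_proto != NSH_NP_ETHERNET:
        raise ValueError("virtual wire pair expects an inner Ethernet frame")
    return inner_ipv4_tuple(inner), hdr.pack() + inner


def rfc8300_sf(frame: bytes) -> bytes:
    """For contrast: an NSH-aware service function decrements SI after servicing the
    packet (RFC 8300 section 2.2); an SI already at 0 cannot be decremented, so drop."""
    hdr, inner = parse_nsh(frame)
    if hdr.si == 0:
        raise ValueError("SI already 0: drop")
    return replace(hdr, si=hdr.si - 1).pack() + inner


def build_sample() -> bytes:
    """Constructed NSH/MD-type-1 frame carrying Ethernet/IPv4/TCP 172.16.200.11:46739 -> 172.16.200.55:23."""
    eth = bytes.fromhex("000022222222" "000011111111" "0800")  # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([172, 16, 200, 11]), bytes([172, 16, 200, 55]))
    tcp = struct.pack("!HHIIBBHHH", 46739, 23, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = NSH(ttl=63, md_type=1, next_proto=NSH_NP_ETHERNET, spi=0x00002A, si=254, context=bytes(16))
    return hdr.pack() + eth + ip + tcp


if __name__ == "__main__":
    frame = build_sample()
    tup, out = passthrough(frame)
    print("policy sees", tup, "| rewrapped frame identical:", out == frame)
    print("SI after an RFC 8300 service function:", parse_nsh(rfc8300_sf(frame))[0].si)
```

Running passthrough on the sample frame yields the same 5-tuple that appears in the session dump below and an output frame byte-identical to the input, which is exactly the observable effect of the FortiOS behaviour; the rfc8300_sf variant shows the one field (SI) that a full implementation would change.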
Sample configuration
To configure virtual wire pair and firewall policy using the CLI:
config system virtual-wire-pair
    edit "test-vw"
        set member "port1" "mgmt2"
    next
end
config firewall policy
    edit 99
        set uuid 241710a0-3ac6-51e9-10e9-9dd3eb65e708
        set srcintf "mgmt2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Sample results of configuring a wire pair and policy between port1 and mgmt2. Packets arriving with NSH are processed, and the session list shows ext_header_type=nsh for them:
A (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=10 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty br src-vis dst-vis f00
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 5/0
orgin->sink: org pre->post, reply pre->post dev=4->9/9->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.200.11:46739->172.16.200.55:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:23->172.16.200.11:46739(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:00:11:11:11:11 dst_mac=00:00:22:22:22:22
misc=0 policy_id=99 auth_info=0 chk_client_info=0 vd=1
serial=0000094d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x040001 no_offload
no_ofld_reason: mac-host-check disabled-by-policy non-npu-intf
ext_header_type=nsh
total session 1
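A check worth running once this is in place: confirm that the sessions arriving with NSH are the ones hitting the intended policy. The parser below, added for this page and not a FortiOS tool, reads the text of diag sys session list, extracts the protocol, original-direction 5-tuple, policy_id and ext_header_type of each entry, and filters on ext_header_type=nsh. The embedded dump is trimmed from the sample above plus one constructed non-NSH session for contrast; the names Session, parse_sessions and nsh_sessions are this example's own.

```python
"""
Pick NSH-encapsulated sessions out of `diagnose sys session list` output and
report which firewall policy processed them.

Added example for this page, not a FortiOS tool. SAMPLE is trimmed from the
session dump on this page plus one constructed non-NSH entry (policy 12).
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = """\
session info: proto=6 proto_state=01 duration=10 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
state=log may_dirty br src-vis dst-vis f00
hook=pre dir=org act=noop 172.16.200.11:46739->172.16.200.55:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:23->172.16.200.11:46739(0.0.0.0:0)
src_mac=00:00:11:11:11:11 dst_mac=00:00:22:22:22:22
misc=0 policy_id=99 auth_info=0 chk_client_info=0 vd=1
npu_state=0x040001 no_offload
ext_header_type=nsh
session info: proto=17 proto_state=00 duration=3 expire=177 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=may_dirty br
hook=pre dir=org act=noop 10.0.0.5:53000->10.0.0.53:53(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.0.53:53->10.0.0.5:53000(0.0.0.0:0)
misc=0 policy_id=12 auth_info=0 chk_client_info=0 vd=1
total session 2
"""

# Original-direction flow line: "hook=pre dir=org act=<act> src:sport->dst:dport(nat)"
FLOW_RE = re.compile(r"hook=pre dir=org act=\S+ ([\d.]+):(\d+)->([\d.]+):(\d+)")


@dataclass(frozen=True)
class Session:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    policy_id: int
    ext_header: Optional[str]  # e.g. "nsh"; None when the ext_header_type line is absent


def _field(blk: str, key: str) -> Optional[str]:
    """Value of the first 'key=value' token in a session block, or None."""
    m = re.search(rf"(?m)\b{key}=(\S+)", blk)
    return m.group(1) if m else None


def parse_sessions(dump: str) -> list[Session]:
    """Split the dump at each 'session info:' line and pull out the fields of interest."""
    out = []
    for blk in re.split(r"(?m)^session info:", dump)[1:]:
        flow = FLOW_RE.search(blk)
        if flow is None:
            raise ValueError("session entry without an original-direction hook line")
        out.append(Session(
            proto=int(_field(blk, "proto") or 0),
            src=flow.group(1), sport=int(flow.group(2)),
            dst=flow.group(3), dport=int(flow.group(4)),
            policy_id=int(_field(blk, "policy_id") or 0),
            ext_header=_field(blk, "ext_header_type"),
        ))
    return out


def nsh_sessions(dump: str) -> list[Session]:
    """Only the sessions that were received with an NSH header."""
    return [s for s in parse_sessions(dump) if s.ext_header == "nsh"]


if __name__ == "__main__":
    for s in nsh_sessions(SAMPLE):
        print(f"NSH session {s.src}:{s.sport} -> {s.dst}:{s.dport} proto={s.proto} policy_id={s.policy_id}")
```

On the sample dump this reports one NSH session, the telnet flow from 172.16.200.11 to 172.16.200.55 handled by policy 99, and ignores the constructed UDP session that carried no ext_header_type line. An unexpected policy_id on an NSH session would indicate the traffic is being matched by some policy other than the one written for the wire pair.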