OpenStack Administration Guide

Deploying a FortiGate-VM instance in an OpenStack environment using service insertion/chaining

This version provides NSH (Network Service Header) chaining support for virtual wire pair and transparent (TP) mode networks. FortiOS receives and unwraps NSH packets, applies firewall policies to the inner packet, and re-encapsulates the packet before sending it out.

NSH support in FortiGate consists of unwrapping the packet on ingress and putting the NSH header back on before egress. FortiOS does not yet support other parts of NSH; in particular, the Service Index (SI) is left unchanged.

There is no CLI or GUI change. The only visible change is that the session list shows ext_header=nsh for NSH sessions.
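The following Python is an added illustration of the behaviour described above; it is not FortiOS code. It parses the NSH base and service path headers as laid out in RFC 8300, exposes the inner IPv4 fields a firewall policy would match on, and re-attaches the original NSH header with SPI and SI untouched. The sample frame, its SPI/SI values and the bare IPv4 header are constructed for the example; the addresses are the ones from the session output below.

```python
import struct
from ipaddress import IPv4Address

# RFC 8300 Next Protocol values carried in the NSH base header
NSH_NEXT_PROTO = {0x1: "IPv4", 0x2: "IPv6", 0x3: "Ethernet", 0x4: "NSH", 0x5: "MPLS"}

def parse_nsh(frame: bytes):
    """Split an NSH packet into (fields, raw NSH header bytes, inner packet)."""
    if len(frame) < 8:
        raise ValueError("too short for NSH base + service path headers")
    w0, w1 = struct.unpack("!II", frame[:8])
    if w0 >> 30 != 0:                       # only NSH version 0 is defined
        raise ValueError("unsupported NSH version")
    hdr_len = ((w0 >> 16) & 0x3F) * 4       # Length field counts 4-byte words
    if hdr_len < 8 or len(frame) < hdr_len:
        raise ValueError("NSH length field does not fit the packet")
    fields = {
        "ttl": (w0 >> 22) & 0x3F,
        "md_type": (w0 >> 8) & 0x0F,
        "next_proto": NSH_NEXT_PROTO.get(w0 & 0xFF, w0 & 0xFF),
        "spi": w1 >> 8,                     # Service Path Identifier, 24 bits
        "si": w1 & 0xFF,                    # Service Index, 8 bits
    }
    return fields, frame[:hdr_len], frame[hdr_len:]

def inner_ipv4_tuple(inner: bytes):
    """Return (protocol, src, dst) of the inner IPv4 packet: what a policy matches on."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    proto, src, dst = struct.unpack("!B2x4s4s", inner[9:20])
    return proto, str(IPv4Address(src)), str(IPv4Address(dst))

def reencapsulate(raw_nsh: bytes, inner: bytes) -> bytes:
    """Put the original NSH header back, SPI and SI untouched, as the page describes."""
    return raw_nsh + inner

def build_sample_frame() -> bytes:
    """Constructed sample: MD type 1 NSH (6 words) over a bare IPv4 header (checksum left 0)."""
    w0 = (63 << 22) | (6 << 16) | (1 << 8) | 0x1      # TTL 63, length 6 words, MD type 1, IPv4 inside
    w1 = (100 << 8) | 255                              # SPI 100, SI 255 (constructed values)
    nsh = struct.pack("!II", w0, w1) + bytes(16)       # 16-byte fixed context header, zeroed
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       IPv4Address("172.16.200.11").packed, IPv4Address("172.16.200.55").packed)
    return nsh + ipv4

def forward(frame: bytes):
    """Ingress unwrap, policy-relevant lookup on the inner packet, egress re-wrap."""
    fields, raw_nsh, inner = parse_nsh(frame)
    return fields, inner_ipv4_tuple(inner), reencapsulate(raw_nsh, inner)
```

Because the header is re-attached byte for byte, the egress frame equals the ingress frame; a device that advanced the chain would instead decrement SI before re-encapsulating.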

Sample configuration

To configure a virtual wire pair and firewall policy using the CLI:

config system virtual-wire-pair
    edit "test-vw"
        set member "port1" "mgmt2"
    next
end

config firewall policy
    edit 99
        set uuid 241710a0-3ac6-51e9-10e9-9dd3eb65e708
        set srcintf "mgmt2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Sample results after configuring a virtual wire pair and policy between port1 and mgmt2: NSH packets are processed, and the session list shows ext_header=nsh.

A (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=10 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty br src-vis dst-vis f00
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 5/0
orgin->sink: org pre->post, reply pre->post dev=4->9/9->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.200.11:46739->172.16.200.55:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:23->172.16.200.11:46739(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:00:11:11:11:11 dst_mac=00:00:22:22:22:22
misc=0 policy_id=99 auth_info=0 chk_client_info=0 vd=1
serial=0000094d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x040001 no_offload
no_ofld_reason: mac-host-check disabled-by-policy non-npu-intf
ext_header_type=nsh
total session 1