VMware NSX-T managed by FortiManager 6.2.2

FortiGate-VM can receive dynamic FSSO addresses, along with address settings in firewall policies, pushed by the FortiManager.

The FortiManager retrieves groups from VMware NSX-T manager and stores them as dynamic firewall address objects. The FortiGate-VM that is deployed by the registered VMware NSX-T service then connects to the FortiManager to receive the dynamic objects.

For more information, see VMware NSX-T connector in the FortiManager New Features Guide.

To configure a VMware NSX-T connector on a FortiManager and send dynamic FSSO firewall addresses to a managed FortiGate:
  1. Enable read-write JSON API access on the FortiManager
  2. Create an NSX-T connector on the FortiManager
  3. Create a dynamic FSSO address on the FortiManager
  4. Create a firewall policy with the dynamic FSSO address on the FortiManager
  5. Install the firewall policy to the FortiGate from the FortiManager
  6. Confirm that the firewall policy with the address option was pushed to the FortiGate
  7. Confirm that the FortiGate received the dynamic FSSO address
To enable read-write JSON API access:
  1. Go to System Settings > Admin > Administrators.
  2. Edit the administrator.
  3. For JSON API Access, select Read-Write.
  4. Click OK.
To create an NSX-T connector on the FortiManager:
  1. Go to Policy & Objects > Object Configurations > Fabric Connectors > SSO/Identity.
  2. Click Create New > NSX-T Connector.

    Only one NSX-T connector can be created per ADOM.

  3. Configure the NSX-T Manager Configurations settings.
  4. Configure the FortiManager Configurations settings.
  5. Click Apply & Refresh.
  6. Ensure that there is a password for FortiManager.
  7. Add a service:
    1. Click Add Service.
    2. Enter a Service Name and select the Integration to identify the flow of traffic.
    3. Set the Image Location to the URL where the preconfigured FortiGate VM deployment image is located.
    4. Click OK.
  8. Click Apply & Refresh.
To create a dynamic FSSO address on the FortiManager:
  1. Go to Policy & Objects > Object Configurations > Firewall Objects > Addresses.
  2. Click Create New > Address.

  3. Set Type to Dynamic.
  4. Set Sub Type to FSSO.
  5. For the FSSO Group, select the group defined on the NSX-T manager.
  6. Click OK.
To create a firewall policy with the dynamic FSSO address on the FortiManager:
  1. Go to Policy & Objects > Policy Packages.
  2. Select the policy package and go to IPv4 Policy.
  3. Click Create New.
  4. Set the Source Address to the dynamic FSSO address.
  5. Configure the remaining settings as needed, then click OK.

To install the firewall policy to the FortiGate from the FortiManager:
  1. Go to Policy & Objects > Policy Packages.
  2. Select the policy package and go to Installation Targets.
  3. Click Add and add the FortiGate as a target if it is not already listed as a target.
  4. Select the FortiGate and, in the toolbar, click Install > Install Wizard.

  5. Make sure that Install Policy Package & Device Settings is selected, and that the correct Policy Package is selected.
  6. Follow the steps in the wizard to install the policy package to the FortiGate. For more information, see Using the Install Wizard to install policy packages and device settings in the FortiManager Administration Guide.
To confirm that the firewall policy with the address option was pushed to the FortiGate:
  1. On the FortiGate, go to Policy & Objects > IPv4 Policy and confirm that the policy is on the list.

To confirm that the FortiGate received the dynamic FSSO address:
  1. Go to Policy & Objects > Addresses and confirm that the dynamic FSSO address is on the list.

  2. In the FortiGate CLI console, check the firewall addresses:
    # show firewall address
    config firewall address
        ...
        edit "FMG-addr-phonton-LS10-71"
            set uuid 2d5c5a46-e965-51e9-c3aa-c74bf993ce83
            set type dynamic
            set sub-type fsso
            set fsso-group "nsx_FMG-deployed-NSX_default/groups/Photon-LS10-71"
        next
        ...
    end

    The address name is inserted automatically by the FortiManager.

Diagnose commands

The following commands can be used on the FortiGate to help with diagnostics.

To view a list of current FSSO logons:
# diagnose debug authd fsso list
----FSSO logons----
IP: 1.1.1.1-1.1.1.1  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/group1  Workstation:
IP: 1.1.1.2-1.1.1.2  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/group1  Workstation:
IP: 10.1.10.71-10.1.10.71  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/Photon-LS10-71  Workstation:  MemberOf: nsx_FMG-deployed-NSX_default/groups/Photon-LS10-71
IP: 10.1.10.72-10.1.10.72  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/Photon-LS10-72  Workstation:
IP: 10.1.10.73-10.1.10.73  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/LS20-VMs  Workstation:
IP: 10.1.20.73-10.1.20.73  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/LS20-VMs  Workstation:
IP: 10.1.20.74-10.1.20.74  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/LS20-VMs  Workstation:
Total number of logons listed: 7, filtered: 0
----end of FSSO logons----
To turn on Auth daemon debug messages for 30 minutes:
# diagnose debug application authd -1
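The two CLI outputs above are what an operator compares by eye: the dynamic FSSO address objects that FortiManager pushed, and the FSSO logons that the FortiGate currently resolves for each NSX-T group. The following Python script is an added example, not Fortinet code and not part of this page, that parses both outputs and cross-checks them: every dynamic FSSO address should have at least one logon in its group, otherwise a policy that uses it matches nothing, and any group that appears in the logon list without an address object is reported as unreferenced. The sample inputs are constructed from the output shown on this page (the address name, UUID and group names are the page's own values); the `static-example` entry and its subnet are assumed, and the logon list is shortened to three entries with the total adjusted to match.

```python
"""Cross-check FortiGate dynamic FSSO address objects against FSSO logons.

Added example (not Fortinet's code). Parses the text of
`show firewall address` and `diagnose debug authd fsso list`.
"""
import re

# Constructed sample: excerpt of `show firewall address` as shown on the page,
# plus an assumed static address to show that non-FSSO objects are ignored.
SHOW_ADDRESS = """\
config firewall address
    edit "FMG-addr-phonton-LS10-71"
        set uuid 2d5c5a46-e965-51e9-c3aa-c74bf993ce83
        set type dynamic
        set sub-type fsso
        set fsso-group "nsx_FMG-deployed-NSX_default/groups/Photon-LS10-71"
    next
    edit "static-example"
        set subnet 192.0.2.0 255.255.255.0
    next
end
"""

# Constructed sample: three logon lines taken from the page's output.
FSSO_LIST = """\
----FSSO logons----
IP: 1.1.1.1-1.1.1.1  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/group1  Workstation:
IP: 10.1.10.71-10.1.10.71  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/Photon-LS10-71  Workstation:  MemberOf: nsx_FMG-deployed-NSX_default/groups/Photon-LS10-71
IP: 10.1.10.72-10.1.10.72  User: nsx  Groups: nsx_FMG-deployed-NSX_default/groups/Photon-LS10-72  Workstation:
Total number of logons listed: 3, filtered: 0
----end of FSSO logons----
"""

ADDR_EDIT = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
ADDR_SET = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')
# Workstation is often empty; the negative lookahead stops "MemberOf:" from
# being swallowed as the workstation name.
LOGON_RE = re.compile(
    r'^IP:\s+(\S+)-(\S+)\s+User:\s+(\S+)\s+Groups:\s+(\S+)\s+Workstation:'
    r'(?:\s+(?!MemberOf:)(\S+))?(?:\s+MemberOf:\s+(\S+))?\s*$'
)


def parse_addresses(text):
    """Parse `show firewall address` into {name: {setting: value}}."""
    addresses, current, name = {}, None, None
    for line in text.splitlines():
        m = ADDR_EDIT.match(line)
        if m:
            name, current = m.group(1), {}
            continue
        if current is None:
            continue  # outside an edit block (config/end/...)
        m = ADDR_SET.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip('"')
        elif line.strip() == 'next':
            addresses[name], current = current, None
    return addresses


def parse_fsso_logons(text):
    """Parse `diagnose debug authd fsso list` into a list of logon dicts."""
    logons = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # header, footer and "Total number" lines
        ip_from, ip_to, user, groups, workstation, member_of = m.groups()
        logons.append({'ip_from': ip_from, 'ip_to': ip_to, 'user': user,
                       'groups': groups.split(','),
                       'workstation': workstation or '',
                       'member_of': member_of})
    return logons


def dynamic_fsso_addresses(addresses):
    """Map each dynamic FSSO address object to its NSX-T group."""
    return {name: a.get('fsso-group', '') for name, a in addresses.items()
            if a.get('type') == 'dynamic' and a.get('sub-type') == 'fsso'}


def check_coverage(addresses, logons):
    """For each dynamic FSSO address, list the logon IPs in its group.

    An empty list means the object arrived from FortiManager but no current
    FSSO logon resolves to it, so a policy using it matches no traffic.
    """
    group_ips = {}
    for logon in logons:
        for group in logon['groups']:
            group_ips.setdefault(group, []).append(logon['ip_from'])
    return {name: sorted(group_ips.get(group, []))
            for name, group in dynamic_fsso_addresses(addresses).items()}


def unreferenced_groups(addresses, logons):
    """NSX-T groups seen in the logon list that have no address object."""
    known = set(dynamic_fsso_addresses(addresses).values())
    seen = {g for logon in logons for g in logon['groups']}
    return sorted(seen - known)


if __name__ == '__main__':
    addrs = parse_addresses(SHOW_ADDRESS)
    logons = parse_fsso_logons(FSSO_LIST)
    for name, ips in check_coverage(addrs, logons).items():
        print(f'{name}: {ips or "NO LOGONS - check the NSX-T group"}')
    for group in unreferenced_groups(addrs, logons):
        print(f'logon group without address object: {group}')
```

Run it against the saved output of the two commands from a real FortiGate by replacing the two sample strings; the parsers only depend on the line shapes shown above, and the `MemberOf:` field is optional so both logon line forms on the page are handled.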
