Action - NSX Quarantine

This feature adds a new action under Security Fabric > Automation > Action: Assign VMware NSX Security Tag, which assigns an NSX security tag to the compromised NSX endpoint instance (VM). The action is only available when the trigger is Compromised Host.

First, configure an NSX-type SDN connector in FortiGate. FortiGate then retrieves the security tags defined on the VMware NSX server through that connector.

Configure an automation stitch with the trigger Compromised Host and the action Assign VMware NSX Security Tag, then choose one of the security tags retrieved from the VMware NSX server through the NSX connector.

When an endpoint instance in the VMware NSX environment is compromised and the compromise triggers the automation stitch, FortiGate assigns the configured security tag to that NSX endpoint instance. Applying the tag is all FortiGate does; the actual isolation comes from NSX policy that must already exist on the NSX side, typically a security group whose dynamic membership matches the tag and distributed firewall rules applied to that group.

To configure a VMware NSX SDN connector in the GUI:
  1. Go to Security Fabric > Fabric Connectors and click Create New.
  2. Select VMware NSX and configure its settings.

To configure a VMware NSX SDN connector in the CLI:
config system sdn-connector
    edit "nsx"
        set type nsx
        set server "172.18.64.32"
        set username "admin"
        set password xxxxx
    next
end

The connector stores these credentials and uses them for every tag assignment, so use a dedicated NSX account with the least privilege needed (read security tags and apply them to VMs) rather than the NSX admin account shown in this example.

To configure an automation stitch with the trigger Compromised Host and the action Assign VMware NSX Security Tag using the GUI:
  1. Go to Security Fabric > Automation and click Create New.
  2. In the Trigger section, select Compromised Host.
  3. In the Action section, select Assign VMware NSX Security Tag and configure its settings.

To configure an automation stitch with the trigger Compromised Host and the action Assign VMware NSX Security Tag using the CLI:
config system automation-action
    edit "pcui-test_quarantine-nsx"
        set action-type quarantine-nsx
        set security-tag "pcui-tag2"
        set sdn-connector "nsx"
    next
end

config system automation-trigger
    edit "pcui-test"
        set ioc-level high
    next
end

config system automation-stitch
    edit "pcui-test"
        set trigger "pcui-test"
        set action "pcui-test_quarantine-nsx"
    next
end

To configure the FortiAnalyzer connection in FortiGate, through which FortiAnalyzer sends endpoint compromise (IOC) notifications to FortiGate, using the GUI:
  1. Go to Security Fabric > Settings.
  2. Enable FortiAnalyzer Logging and configure its settings.

To configure the FortiAnalyzer connection in FortiGate, through which FortiAnalyzer sends endpoint compromise (IOC) notifications to FortiGate, using the CLI:
config log fortianalyzer setting
    set status enable
    set server "172.18.64.234"
    set serial "FL-8HFT718900132"
    set upload-option realtime
    set reliable enable
end

When an endpoint instance is compromised

When an endpoint instance, for example, pcui-ubuntu2, in the VMware NSX environment is compromised, the automation stitch in FortiGate is triggered. FortiGate then assigns the security tag, in this example, pcui-tag2, to the compromised NSX endpoint instance.
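The following is an added example, not FortiOS or VMware code, that models the two decisions the stitch configured above makes when a notification arrives: whether the FortiAnalyzer IOC verdict reaches the trigger's ioc-level (in FortiOS, medium fires on medium and high verdicts, high fires on high only), and which NSX tag-attachment request results for the compromised host once the tag name and host IP are resolved to NSX object ids through the connector's inventory. The notification fields, the tag and VM inventories, the ids, and the NSX-V 6.x REST path PUT /api/2.0/services/securitytags/tag/{tagId}/vm/{vmId} are assumptions; verify the path against your NSX Manager API guide before relying on it. The two failure cases it handles (a verdict below the threshold, and a compromised host that FortiGate cannot map to an NSX VM or a tag that no longer exists on NSX Manager) are the ones to check first when a stitch fires but nothing is quarantined.

```python
"""Offline model of the Compromised Host -> Assign VMware NSX Security Tag stitch.

Added example, not FortiOS or VMware code. It reproduces the two decisions the
stitch makes: does the FortiAnalyzer IOC verdict reach the trigger's ioc-level,
and which NSX tag-attachment call results for the compromised host.
Assumed: the notification fields, the tag and VM inventories, and the NSX-V 6.x
REST path PUT /api/2.0/services/securitytags/tag/{tagId}/vm/{vmId}; verify the
path against your NSX Manager API guide before using it for real.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# FortiOS semantics: ioc-level "medium" fires on medium and high verdicts,
# "high" fires on high only. Ranks let the comparison be a single >=.
IOC_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class AutomationTrigger:
    name: str
    ioc_level: str          # "medium" or "high", as in `set ioc-level`


@dataclass(frozen=True)
class AutomationAction:
    name: str
    security_tag: str       # as in `set security-tag`
    sdn_connector: str      # as in `set sdn-connector`


@dataclass(frozen=True)
class IocNotification:
    """Constructed stand-in for an endpoint-compromise event from FortiAnalyzer."""
    host_ip: str
    verdict: str            # "low", "medium" or "high"


# Constructed NSX data a connector would have retrieved (ids are assumed).
NSX_TAGS: Dict[str, str] = {"pcui-tag2": "securitytag-10"}       # name -> tag id
NSX_VMS: Dict[str, Tuple[str, str]] = {
    "10.10.20.12": ("pcui-ubuntu2", "vm-1234"),                    # ip -> (name, moref)
}

# The objects configured on this page.
TRIGGER = AutomationTrigger("pcui-test", "high")
ACTION = AutomationAction("pcui-test_quarantine-nsx", "pcui-tag2", "nsx")


def trigger_fires(trigger: AutomationTrigger, event: IocNotification) -> bool:
    """True when the verdict is at or above the trigger's ioc-level."""
    return IOC_RANK.get(event.verdict, -1) >= IOC_RANK[trigger.ioc_level]


def build_nsx_call(action: AutomationAction, event: IocNotification,
                   tags: Dict[str, str] = NSX_TAGS,
                   vms: Dict[str, Tuple[str, str]] = NSX_VMS,
                   ) -> Tuple[Optional[Tuple[str, str]], Optional[str]]:
    """Resolve tag name and host IP to NSX ids; return ((method, path), None),
    or (None, reason) when the stitch cannot act."""
    tag_id = tags.get(action.security_tag)
    if tag_id is None:
        return None, f"tag {action.security_tag!r} not defined on NSX Manager"
    vm = vms.get(event.host_ip)
    if vm is None:
        return None, f"host {event.host_ip} not found in NSX inventory"
    _name, vm_id = vm
    return ("PUT", f"/api/2.0/services/securitytags/tag/{tag_id}/vm/{vm_id}"), None


def run_stitch(trigger: AutomationTrigger, action: AutomationAction,
               event: IocNotification) -> dict:
    """Whole decision for one notification: did it fire, what call, or why not."""
    if not trigger_fires(trigger, event):
        return {"fired": False, "call": None,
                "reason": f"verdict {event.verdict} below ioc-level {trigger.ioc_level}"}
    call, reason = build_nsx_call(action, event)
    return {"fired": True, "call": call, "reason": reason}


if __name__ == "__main__":
    # The page's scenario: pcui-ubuntu2 gets a high verdict -> tag it with pcui-tag2.
    print(run_stitch(TRIGGER, ACTION, IocNotification("10.10.20.12", "high")))
    # A medium verdict does not reach ioc-level high, so nothing is tagged.
    print(run_stitch(TRIGGER, ACTION, IocNotification("10.10.20.12", "medium")))
    # A compromised host that cannot be mapped to an NSX VM cannot be tagged.
    print(run_stitch(TRIGGER, ACTION, IocNotification("10.10.20.99", "high")))
```

The model deliberately separates "the trigger fired" from "the tag was applied": a stitch that fires on a host outside the NSX inventory, or with a tag that was renamed on NSX Manager after the action was configured, produces no quarantine even though FortiGate's automation log shows the stitch running, which is why both lookups are reported with a reason rather than silently skipped.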
