Action - NSX Quarantine
This feature adds a new Security Fabric > Automation action, Assign VMware NSX Security Tag, which applies a security tag to an NSX endpoint instance. This action is only available when the Trigger is Compromised Host.
First configure an NSX-type SDN connector on the FortiGate. The FortiGate can then retrieve the security tags from the VMware NSX server through the NSX connector.
Configure an automation stitch with the trigger Compromised Host and the action Assign VMware NSX Security Tag, then choose one of the security tags retrieved from the VMware NSX server through the NSX connector.
When an endpoint instance in the VMware NSX environment is compromised and triggers the automation stitch, FortiGate assigns the configured security tag to the compromised NSX endpoint instance.
To configure a VMware NSX SDN connector in the GUI:
- Go to Security Fabric > Fabric Connectors and click Create New.
- Select VMware NSX and configure its settings.
To configure a VMware NSX SDN connector in the CLI:
config system sdn-connector
    edit "nsx"
        set type nsx
        set server "172.18.64.32"
        set username "admin"
        set password xxxxx
    next
end
To configure an automation stitch with a Trigger Compromised Host and Action Assign VMware NSX Security Tag using the GUI:
- Go to Security Fabric > Automation and click Create New.
- In the Trigger section, select Compromised Host.
- In the Action section, select Assign VMware NSX Security Tag and configure its settings.
To configure an automation stitch with a Trigger Compromised Host and Action Assign VMware NSX Security Tag using the CLI:
config system automation-action
    edit "pcui-test_quarantine-nsx"
        set action-type quarantine-nsx
        set security-tag "pcui-tag2"
        set sdn-connector "nsx"
    next
end
config system automation-trigger
    edit "pcui-test"
        set ioc-level high
    next
end
config system automation-stitch
    edit "pcui-test"
        set trigger "pcui-test"
        set action "pcui-test_quarantine-nsx"
    next
end
To configure the FortiAnalyzer that sends endpoint compromise notifications to FortiGate, using the GUI:
- Go to Security Fabric > Settings.
- Enable FortiAnalyzer Logging and configure its settings.
To configure the FortiAnalyzer that sends endpoint compromise notifications to FortiGate, using the CLI:
config log fortianalyzer setting
    set status enable
    set server "172.18.64.234"
    set serial "FL-8HFT718900132"
    set upload-option realtime
    set reliable enable
end
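As an added example (not Fortinet's code or part of this page's configuration), the following Python parses FortiOS CLI text in the config/edit/set/next/end syntax, including the flattened single-line form the blocks appear in here, and checks that a quarantine-nsx stitch's trigger, action, security tag and NSX connector all resolve before it is relied on. The sample configuration text and the check messages are constructed for this illustration.

```python
import shlex
from collections import defaultdict

KEYWORDS = {"config", "edit", "set", "next", "end"}
# Constructed sample in the flattened one-line form shown on this page (password omitted).
SAMPLE = ('config system sdn-connector edit "nsx" set type nsx set server "172.18.64.32" '
          'set username "admin" next end '
          'config system automation-action edit "pcui-test_quarantine-nsx" '
          'set action-type quarantine-nsx set security-tag "pcui-tag2" set sdn-connector "nsx" next end '
          'config system automation-trigger edit "pcui-test" set ioc-level high next end '
          'config system automation-stitch edit "pcui-test" set trigger "pcui-test" '
          'set action "pcui-test_quarantine-nsx" next end')

def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/next/end), one statement per line or flattened
    onto one line, into {table: {entry: {key: value}}}; sets without edit go under the table."""
    toks = shlex.split(text)  # quoted names such as "pcui-tag2" become single tokens
    cfg, table, entry, i = defaultdict(dict), None, None, 0
    while i < len(toks):
        kw, j = toks[i], i + 1
        while j < len(toks) and toks[j] not in KEYWORDS:  # arguments run to the next keyword
            j += 1
        args = toks[i + 1:j]
        if kw == "config":
            table = " ".join(args)
        elif kw == "edit" and table is not None and args:
            entry = args[0]
            cfg[table][entry] = {}
        elif kw == "set" and table is not None and args:
            target = cfg[table] if entry is None else cfg[table][entry]
            target[args[0]] = " ".join(args[1:])
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
        i = j
    return cfg

def check_quarantine_stitch(cfg, name):
    """List problems with an NSX quarantine stitch; an empty list means every reference resolves."""
    st = cfg["system automation-stitch"].get(name, {})
    trig = cfg["system automation-trigger"].get(st.get("trigger"), {})
    act = cfg["system automation-action"].get(st.get("action"), {})
    conn = cfg["system sdn-connector"].get(act.get("sdn-connector"), {})
    checks = [(st, "stitch not found"), (trig, "trigger not found"),
              (trig.get("ioc-level"), "trigger has no ioc-level set"),
              (act.get("action-type") == "quarantine-nsx", "action-type is not quarantine-nsx"),
              (act.get("security-tag"), "security-tag not set"), (conn.get("type") == "nsx", "sdn-connector missing or not type nsx")]
    return [msg for ok, msg in checks if not ok]
```

Running `check_quarantine_stitch(parse_fortios(SAMPLE), "pcui-test")` returns an empty list; deleting the `set sdn-connector "nsx"` statement from the action makes it report the missing connector.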
When an endpoint instance is compromised
When an endpoint instance in the VMware NSX environment (pcui-ubuntu2 in this example) is compromised, the automation stitch in FortiGate is triggered. FortiGate then assigns the configured security tag (pcui-tag2 in this example) to the compromised NSX endpoint instance.