Fortinet black logo

Administration Guide

Assign VMware NSX-T security tag action

Assign VMware NSX-T security tag action

VMware NSX SDN connectors' vCenter server and credentials can be configured so the FortiGate resolves NSX-T VMs. The FortiGate uses the Assign VMWare NSX Security Tag automation action to assign a tag to the VM through an automation stitch.

The FortiGate is notified of a compromised host on the NSX-T network by an incoming webhook or other means, such as FortiGuard IOC. An automation stitch can be configured to process this trigger and action it by assigning a VMware NSX security tag on the VM instance.

To configure an automation stitch to assign a security tag to NSX-T VMs in the GUI:
  1. Configure the NSX SDN connector:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. Select VMware NSX.
    3. Configure the connector settings.
    4. Enable vCenter Settings and configure as needed.

    5. Click OK.
  2. Configure the automation stitch:
    1. Go to Security Fabric > Automation and click Create New.
    2. In the Trigger section, select Incoming Webhook.
    3. In the Action section, select Assign VMwareNSX Security Tag.
    4. Enable Specify NSX server(s) and enter a server.
    5. Enter a Security tag.
    6. Click OK.

  3. In NSX-T, create a cURL request to trigger the automation stitch on the FortiGate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000220",
      "version":"v6.4.0",
      "build":1608
    }

    The automation stitch is triggered and the configured tag is added to the NSX-T VM.

    In FortiOS, the Security Fabric > Automation page shows the last trigger time.

To configure an automation stitch to assign a security tag to NSX-T VMs in the CLI:
  1. Configure the NSX SDN connector:
    config system sdn-connector
        edit "nsx_t25"
            set type nsx
            set server "172.18.64.205"
            set username "admin"
            set password xxxxxx
            set vcenter-server "172.18.64.201"
            set vcenter-username "administrator@vsphere.local"
            set vcenter-password xxxxxx
        next
    end
  2. Configure the automation stitch:
    config system automation-action
        edit "auto_webhook_quarantine-nsx"
            set action-type quarantine-nsx
            set security-tag "automation_tag"
            set sdn-connector "nsx_t25"
        next
    end
    config system automation-trigger
        edit "auto_webhook"
            set trigger-type event-based
            set event-type incoming-webhook
        next
    end
    config system automation-stitch
        edit "auto_webhook"
            set status enable
            set trigger "auto_webhook"
            set action "auto_webhook_quarantine-nsx"
        next
    end
  3. In NSX-T, create a cURL request to trigger the automation stitch on the FortiGate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000220",
      "version":"v6.4.0",
      "build":1608
    }
To verify the automation stitch is triggered and the action is executed:
# diagnose test application autod 2

csf: enabled root:yes
version:1586883541 sync time:Tue Apr 14 11:04:05 2020

total stitches activated: 1

stitch: auto_webhook
destinations: all
trigger: auto_webhook

(id:15)service=auto_webhook

local hit: 1 relayed to: 0 relayed from: 0
actions:
auto_webhook_quarantine-nsx type:quarantine-nsx interval:0
security tag:automation_tag
sdn connector:
nsx_t25;

Assign VMware NSX-T security tag action

VMware NSX SDN connectors' vCenter server and credentials can be configured so the FortiGate resolves NSX-T VMs. The FortiGate uses the Assign VMWare NSX Security Tag automation action to assign a tag to the VM through an automation stitch.

The FortiGate is notified of a compromised host on the NSX-T network by an incoming webhook or other means, such as FortiGuard IOC. An automation stitch can be configured to process this trigger and action it by assigning a VMware NSX security tag on the VM instance.

To configure an automation stitch to assign a security tag to NSX-T VMs in the GUI:
  1. Configure the NSX SDN connector:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. Select VMware NSX.
    3. Configure the connector settings.
    4. Enable vCenter Settings and configure as needed.

    5. Click OK.
  2. Configure the automation stitch:
    1. Go to Security Fabric > Automation and click Create New.
    2. In the Trigger section, select Incoming Webhook.
    3. In the Action section, select Assign VMwareNSX Security Tag.
    4. Enable Specify NSX server(s) and enter a server.
    5. Enter a Security tag.
    6. Click OK.

  3. In NSX-T, create a cURL request to trigger the automation stitch on the FortiGate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000220",
      "version":"v6.4.0",
      "build":1608
    }

    The automation stitch is triggered and the configured tag is added to the NSX-T VM.

    In FortiOS, the Security Fabric > Automation page shows the last trigger time.

To configure an automation stitch to assign a security tag to NSX-T VMs in the CLI:
  1. Configure the NSX SDN connector:
    config system sdn-connector
        edit "nsx_t25"
            set type nsx
            set server "172.18.64.205"
            set username "admin"
            set password xxxxxx
            set vcenter-server "172.18.64.201"
            set vcenter-username "administrator@vsphere.local"
            set vcenter-password xxxxxx
        next
    end
  2. Configure the automation stitch:
    config system automation-action
        edit "auto_webhook_quarantine-nsx"
            set action-type quarantine-nsx
            set security-tag "automation_tag"
            set sdn-connector "nsx_t25"
        next
    end
    config system automation-trigger
        edit "auto_webhook"
            set trigger-type event-based
            set event-type incoming-webhook
        next
    end
    config system automation-stitch
        edit "auto_webhook"
            set status enable
            set trigger "auto_webhook"
            set action "auto_webhook_quarantine-nsx"
        next
    end
  3. In NSX-T, create a cURL request to trigger the automation stitch on the FortiGate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000220",
      "version":"v6.4.0",
      "build":1608
    }
To verify the automation stitch is triggered and the action is executed:
# diagnose test application autod 2

csf: enabled root:yes
version:1586883541 sync time:Tue Apr 14 11:04:05 2020

total stitches activated: 1

stitch: auto_webhook
destinations: all
trigger: auto_webhook

(id:15)service=auto_webhook

local hit: 1 relayed to: 0 relayed from: 0
actions:
auto_webhook_quarantine-nsx type:quarantine-nsx interval:0
security tag:automation_tag
sdn connector:
nsx_t25;