VMware NSX-T security tag action

A VMware NSX SDN connector can be configured with the vCenter server and credentials so that the FortiGate can resolve NSX-T VMs. The FortiGate then uses the VMware NSX Security Tag automation action to assign a tag to a VM through an automation stitch.

The FortiGate is notified of a compromised host on the NSX-T network by an incoming webhook or by other means, such as a FortiGuard IOC. An automation stitch can be configured to process this trigger and act on it by assigning a VMware NSX security tag to the VM instance.

To configure an automation stitch to assign a security tag to NSX-T VMs in the GUI:
  1. Configure the NSX SDN connector:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. Select VMware NSX.
    3. Configure the connector settings.
    4. Enable vCenter Settings and configure as needed.
    5. Click OK.
  2. Configure the automation stitch trigger:
    1. Go to Security Fabric > Automation and click Create New.
    2. Enter the stitch name (auto_webhook).
    3. Click Add Trigger.
    4. Click Create and select Incoming Webhook.
    5. Enter a name (auto_webhook).
    6. Click OK to close the Incoming Webhook URL prompt.
    7. Select the trigger in the list and click Apply.
  3. Configure the automation stitch action:
    1. Click Add Action.
    2. Click Create and select VMware NSX Security Tag.
    3. Enter the following:
       Name: auto_webhook_quarantine-nsx
       Specify NSX server(s): Enable and select the SDN connector
       Security tag: Select an existing tag, or create a new one
    4. Click OK.
    5. Select the action in the list and click Apply.
  4. Click OK.
  5. In NSX-T, create a cURL request to trigger the automation stitch on the FortiGate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000000",
      "version":"v6.4.0",
      "build":1608
    }

    The automation stitch is triggered and the configured tag is added to the NSX-T VM.

    In FortiOS, the Security Fabric > Automation page shows the last trigger time.
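The cURL request above can be wrapped in a small script so that an IR tool or SIEM playbook can quarantine a host by posting its IP to the stitch and checking the FortiGate's reply. The following is an added example, not Fortinet's code or part of this page; it assumes only the webhook URL layout, bearer-token header and JSON response shape shown above. The host, token and IP address are the page's sample values (the token is a placeholder, not a real one), and the `send` parameter is a hypothetical hook that lets the request path be exercised offline against a constructed copy of the page's response.

```python
"""Trigger a FortiGate automation stitch (Incoming Webhook) for a compromised host.

Added example, not Fortinet's code. Assumes the webhook URL layout and the JSON
response body shown in the documentation above.
"""
import ipaddress
import json
import ssl
import urllib.request

# Sample values taken from the documentation. The token is a placeholder.
FORTIGATE_HOST = "172.16.116.230"
STITCH_NAME = "auto_webhook"
API_TOKEN = "3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx"

# Constructed copy of the response body shown on the page, used for offline testing.
SAMPLE_RESPONSE = json.dumps({
    "http_method": "POST",
    "status": "success",
    "http_status": 200,
    "serial": "FGVM08TM20000000",
    "version": "v6.4.0",
    "build": 1608,
}).encode()


def webhook_url(host, stitch_name):
    """Build the Incoming Webhook endpoint for a named automation stitch."""
    return f"https://{host}/api/v2/monitor/system/automation-stitch/webhook/{stitch_name}"


def build_payload(srcip):
    """Serialize the {"srcip": ...} body; reject anything that is not an IP address.

    The NSX Security Tag action resolves srcip to a VM, so a malformed value
    would produce a stitch run that tags nothing. Raises ValueError on bad input.
    """
    ipaddress.ip_address(srcip)
    return json.dumps({"srcip": srcip}).encode()


def parse_response(body):
    """Return True only if the FortiGate reports the stitch was triggered."""
    data = json.loads(body)
    return data.get("status") == "success" and data.get("http_status") == 200


def trigger_stitch(srcip, host=FORTIGATE_HOST, stitch=STITCH_NAME,
                   token=API_TOKEN, verify_tls=True, send=None):
    """POST the compromised host's IP to the stitch webhook and report success.

    `send` (hypothetical test hook) replaces the HTTPS transport; by default the
    request goes to the FortiGate over HTTPS with certificate verification on.
    """
    request = urllib.request.Request(
        webhook_url(host, stitch),
        data=build_payload(srcip),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    if send is None:
        context = ssl.create_default_context()
        if not verify_tls:
            # Equivalent of the documentation's `curl -k`: skips certificate
            # checks, appropriate only for a lab FortiGate with a self-signed cert.
            context.check_hostname = False
            context.verify_mode = ssl.CERT_NONE

        def send(req):
            with urllib.request.urlopen(req, context=context, timeout=10) as resp:
                return resp.read()

    return parse_response(send(request))


if __name__ == "__main__":
    # Offline run against the constructed response; drop `send=` to hit a real FortiGate.
    print(trigger_stitch("10.1.30.242", send=lambda req: SAMPLE_RESPONSE))
```

In production the token would come from a secrets store rather than a constant, and a playbook would log the FortiGate's `serial` and the trigger time alongside the srcip so the quarantine can be audited against the Security Fabric > Automation page.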