Administration Guide

VMware NSX security tag action

If an endpoint instance in a VMware NSX environment is compromised, this action assigns the configured NSX security tag to the compromised endpoint, so that whatever NSX policy is bound to that tag is applied to the instance.

This action is only available when the automation trigger is a Compromised Host trigger. Because the tag is applied automatically, choose the trigger's threat level threshold (ioc-level) deliberately: a lower threshold tags hosts on lower-confidence detections from FortiAnalyzer.

To set up the NSX quarantine action, you need to:

  1. Configure a VMware NSX SDN connector
  2. Configure an NSX security tag automation stitch
  3. Configure FortiAnalyzer logging on the FortiGate

Configure a VMware NSX SDN connector

The FortiGate retrieves security tags from the VMware NSX server through the connector.

To configure a VMware NSX SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors.
  2. Click Create New.
  3. Select VMware NSX.
  4. Configure the settings as needed.
  5. Click OK.

To configure a VMware NSX SDN connector in the CLI:
config system sdn-connector
    edit "nsx"
        set type nsx
        set server "172.18.64.32"
        set username "admin"
        set password xxxxxxxxxxxx
    next
end

Configure an NSX security tag automation stitch

The Security tag list offered in the action is populated with the tags that the NSX SDN connector retrieves from the VMware NSX server, so the connector must be configured (and able to reach the NSX server) before the action is created.

To configure an automation stitch with an NSX security tag in the GUI:
  1. Go to Security Fabric > Automation and click Create New.
  2. Enter the stitch name (pcui-test).
  3. Configure the trigger:
    1. Click Add Trigger.
    2. Click Create and select Compromised Host.
    3. Enter the following:
       - Name: pcui-test
       - Threat level threshold: High

    4. Click OK.
    5. Select the trigger in the list and click Apply.
  4. Configure the VMware NSX Security Tag action:
    1. Click Add Action.
    2. Click Create and select VMware NSX Security Tag.
    3. Enter the following:
       - Name: pcui-test_quarantine-nsx
       - Specify NSX server(s): enable, and select the SDN connector (nsx)
       - Security tag: select an existing tag (pcui-tag2 in this example), or create a new one

    4. Click OK.
    5. Select the action in the list and click Apply.
  5. Click OK.

To configure an automation stitch with an NSX security tag in the CLI:
  1. Create an automation trigger:
    config system automation-trigger
        edit "pcui-test"
            set ioc-level high
        next
    end
  2. Create an automation action:
    config system automation-action
        edit "pcui-test_quarantine-nsx"
            set action-type quarantine-nsx
            set security-tag "pcui-tag2"
            set sdn-connector "nsx"
        next
    end
  3. Create the automation stitch:
    config system automation-stitch
        edit "pcui-test"
            set trigger "pcui-test"
            config actions
                edit 1
                    set action "pcui-test_quarantine-nsx"
                    set required enable
                next
            end
        next
    end

Configure FortiAnalyzer logging on the FortiGate

The compromised host (IOC) notification that fires the trigger comes from FortiAnalyzer, so the FortiGate must be logging to a FortiAnalyzer; without this, the stitch never runs even if the connector and action are correct.

See Configuring FortiAnalyzer for more information.

To configure FortiAnalyzer logging in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the FortiAnalyzer Logging card.
  2. Ensure the Status is Enabled, and configure the settings as needed.
  3. Click Apply.

To configure FortiAnalyzer logging in the CLI:
config log fortianalyzer setting
    set status enable
    set server "172.18.64.234"
    set serial "FL-8HFT000000000"
    set upload-option realtime
    set reliable enable
end
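The three CLI procedures above only work together if the names they reference line up (the stitch names the trigger and the action, the action names the SDN connector, and FortiAnalyzer logging is on). As an added example that is not Fortinet's code, the Python script below parses a FortiOS-style CLI dump of the kind shown on this page and checks that wiring. SAMPLE_CONFIG is constructed by joining this page's own CLI fragments; BROKEN_CONFIG is a constructed variant with a dangling connector reference and FortiAnalyzer logging disabled. The parser, the check function and all messages are this example's own, not a FortiOS command.

```python
"""Added example (not Fortinet code): offline wiring check for an NSX quarantine stitch."""
import shlex
from typing import Any, Dict, List

# Constructed sample: this page's CLI fragments joined into one config dump.
SAMPLE_CONFIG = """\
config system sdn-connector
    edit "nsx"
        set type nsx
        set server "172.18.64.32"
    next
end
config system automation-trigger
    edit "pcui-test"
        set ioc-level high
    next
end
config system automation-action
    edit "pcui-test_quarantine-nsx"
        set action-type quarantine-nsx
        set security-tag "pcui-tag2"
        set sdn-connector "nsx"
    next
end
config system automation-stitch
    edit "pcui-test"
        set trigger "pcui-test"
        config actions
            edit 1
                set action "pcui-test_quarantine-nsx"
                set required enable
            next
        end
    next
end
config log fortianalyzer setting
    set status enable
    set server "172.18.64.234"
end
"""

# Constructed negative case: the action names a connector that does not exist
# and FortiAnalyzer logging is disabled, so no compromised-host event arrives.
BROKEN_CONFIG = (SAMPLE_CONFIG
                 .replace('set sdn-connector "nsx"', 'set sdn-connector "nsx-old"')
                 .replace("set status enable", "set status disable"))


def parse_fortios_config(text: str) -> Dict[str, Any]:
    """Nest a FortiOS CLI dump into dicts: 'config'/'edit' open a scope,
    'next'/'end' close it, 'set k v' stores a scalar (a list if multi-valued)."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the quoted names/addresses
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def check_nsx_quarantine_stitch(cfg: Dict[str, Any], stitch_name: str) -> List[str]:
    """Return wiring problems for the stitch; an empty list means it can fire."""
    problems: List[str] = []
    stitch = cfg.get("system automation-stitch", {}).get(stitch_name)
    if stitch is None:
        return [f"automation stitch {stitch_name!r} is not defined"]
    # 1. Trigger must exist and be a Compromised Host trigger (ioc-level set).
    trig = cfg.get("system automation-trigger", {}).get(stitch.get("trigger"))
    if trig is None:
        problems.append(f"trigger {stitch.get('trigger')!r} is not defined")
    elif "ioc-level" not in trig:
        problems.append("trigger has no ioc-level; a Compromised Host trigger is required")
    # 2. A quarantine-nsx action with a tag and an NSX-type connector must be attached.
    nsx_actions = []
    for entry in stitch.get("actions", {}).values():
        act = cfg.get("system automation-action", {}).get(entry.get("action"))
        if act is None:
            problems.append(f"action {entry.get('action')!r} is not defined")
        elif act.get("action-type") == "quarantine-nsx":
            nsx_actions.append((entry.get("action"), act))
    if not nsx_actions:
        problems.append("stitch has no quarantine-nsx action")
    for name, act in nsx_actions:
        if not act.get("security-tag"):
            problems.append(f"action {name!r} has no security-tag")
        conn = cfg.get("system sdn-connector", {}).get(act.get("sdn-connector"))
        if conn is None:
            problems.append(f"action {name!r} references undefined sdn-connector {act.get('sdn-connector')!r}")
        elif conn.get("type") != "nsx":
            problems.append(f"sdn-connector {act.get('sdn-connector')!r} is not of type nsx")
    # 3. The compromised-host event comes from FortiAnalyzer, so logging to it must be on.
    if cfg.get("log fortianalyzer setting", {}).get("status") != "enable":
        problems.append("FortiAnalyzer logging is disabled; no compromised-host event reaches the FortiGate")
    return problems


if __name__ == "__main__":
    for label, text in (("page config", SAMPLE_CONFIG), ("broken config", BROKEN_CONFIG)):
        issues = check_nsx_quarantine_stitch(parse_fortios_config(text), "pcui-test")
        print(f"{label}: {'OK' if not issues else issues}")
```

Run it against the output of `show system sdn-connector`, `show system automation-trigger`, `show system automation-action`, `show system automation-stitch` and `show log fortianalyzer setting` pasted into one file; the page's own configuration passes, while the constructed broken variant reports the dangling connector and the disabled FortiAnalyzer logging.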

When an endpoint instance is compromised

When FortiAnalyzer reports an endpoint instance in the VMware NSX environment, such as pcui-ubuntu2, as compromised at or above the configured threat level, the automation stitch is triggered. The FortiGate then assigns the configured security tag, pcui-tag2 in this example, to the compromised NSX endpoint instance through the NSX SDN connector.
