VMware NSX-T security tag action
A VMware NSX SDN connector, configured with the NSX Manager and vCenter server addresses and credentials, lets the FortiGate resolve the VMs on an NSX-T network. The VMware NSX Security Tag automation action can then assign an NSX security tag to one of those VMs from an automation stitch.
The FortiGate learns of a compromised host on the NSX-T network through an incoming webhook or another trigger source, such as a FortiGuard IOC event. An automation stitch processes that trigger and runs the action, which assigns the configured VMware NSX security tag to the VM instance; NSX-T policies keyed on that tag (for example, a quarantine group) then take effect without any further FortiGate involvement.
To configure an automation stitch to assign a security tag to NSX-T VMs in the GUI:
- Configure the NSX SDN connector:
    - Go to Security Fabric > External Connectors and click Create New.
    - Select VMware NSX.
    - Configure the connector settings (the NSX Manager address and credentials).
    - Enable vCenter Settings and configure the vCenter server address and credentials.
    - Click OK.
- Configure the automation stitch trigger:
    - Go to Security Fabric > Automation and click Create New.
    - Enter the stitch name (auto_webhook).
    - Click Add Trigger.
    - Click Create and select Incoming Webhook.
    - Enter a name (auto_webhook).
    - Click OK to close the Incoming Webhook URL prompt. This URL is the endpoint that the webhook caller posts to.
    - Select the trigger in the list and click Apply.
- Configure the automation stitch action:
    - Click Add Action.
    - Click Create and select VMware NSX Security Tag.
    - Enter the following:
        Name: auto_webhook_quarantine-nsx
        Specify NSX server(s): enable, and select the SDN connector created above
        Security tag: select an existing tag, or create a new one
    - Click OK.
    - Select the action in the list and click Apply.
- Click OK.
- From a host in the NSX-T environment that can reach the FortiGate management interface (pc56 in this example), send a cURL POST to the webhook URL to trigger the automation stitch. The Bearer token is a FortiGate REST API administrator token, and the srcip value in the JSON body is the address of the VM to be tagged. The -k option skips TLS certificate verification and should only be used while the FortiGate still presents a self-signed certificate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000000",
      "version":"v6.4.0",
      "build":1608
    }
The automation stitch is triggered and the configured tag is added to the NSX-T VM.
In FortiOS, the Security Fabric > Automation page shows the last trigger time.
To configure an automation stitch to assign a security tag to NSX-T VMs in the CLI:
- Configure the NSX SDN connector:
    config system sdn-connector
        edit "nsx_t25"
            set type nsx
            set server "172.18.64.205"
            set username "admin"
            set password xxxxxxxxxxxx
            set vcenter-server "172.18.64.201"
            set vcenter-username "administrator@vsphere.local"
            set vcenter-password xxxxxxxxxxxx
        next
    end
- Configure the automation stitch:
    config system automation-trigger
        edit "auto_webhook"
            set trigger-type event-based
            set event-type incoming-webhook
        next
    end
    config system automation-action
        edit "auto_webhook_quarantine-nsx"
            set action-type quarantine-nsx
            set security-tag "automation_tag"
            set sdn-connector "nsx_t25"
        next
    end
    config system automation-stitch
        edit "auto_webhook"
            set trigger "auto_webhook"
            config actions
                edit 1
                    set action "auto_webhook_quarantine-nsx"
                    set required enable
                next
            end
        next
    end
- From a host in the NSX-T environment (pc56 in this example), send the same cURL POST to the webhook URL to trigger the automation stitch:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000000",
      "version":"v6.4.0",
      "build":1608
    }
To verify that the automation stitch was triggered and the action executed, check the automation daemon's counters. The local hit count for the stitch increments once per accepted webhook call, and the action entry shows the security tag and SDN connector that were used:
    # diagnose test application autod 2
    csf: enabled root:yes version:1586883541
    sync time:Tue Apr 14 11:04:05 2020
    total stitches activated: 1
    stitch: auto_webhook destinations: all
        trigger: auto_webhook (id:15)service=auto_webhook
            local hit: 1 relayed to: 0 relayed from: 0
        actions:
            auto_webhook_quarantine-nsx type:quarantine-nsx interval:0
                security tag:automation_tag sdn connector: nsx_t25;
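The following script is an added example, not Fortinet code, that automates the two manual steps above for both the GUI and CLI procedures: it sends the same webhook POST the cURL command issues and checks the FortiGate's JSON reply, and it parses the diagnose output to confirm the stitch's hit counter. The FortiGate address, stitch name and source IP come from the page; the API token placeholder and the sample response and diagnose text embedded below are constructed for illustration. The request builder and parsers run offline; only trigger() contacts a FortiGate.

```python
"""Trigger a FortiGate automation stitch through its incoming-webhook API and
verify the result.  Added example (not Fortinet's code); the FortiGate address,
stitch name and srcip are the page's values, the token is a placeholder."""
import json
import ssl
import urllib.request
from typing import Optional


def build_webhook_request(fortigate: str, stitch: str, token: str,
                          payload: dict) -> urllib.request.Request:
    """Build the POST the page issues with curl: REST API admin token as a
    Bearer header, JSON body whose srcip names the VM to tag."""
    url = (f"https://{fortigate}/api/v2/monitor/system/automation-stitch"
           f"/webhook/{stitch}")
    body = json.dumps(payload).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def stitch_accepted(response_text: str) -> bool:
    """True when the FortiGate reply reports the webhook was accepted
    (status "success" and HTTP 200), as in the page's sample response."""
    try:
        reply = json.loads(response_text)
    except json.JSONDecodeError:
        return False
    return reply.get("status") == "success" and reply.get("http_status") == 200


def trigger(fortigate: str, stitch: str, token: str, srcip: str,
            verify_tls: bool = True) -> bool:
    """Send the webhook.  verify_tls=False is the equivalent of curl -k and is
    only acceptable against a lab FortiGate with a self-signed certificate."""
    req = build_webhook_request(fortigate, stitch, token, {"srcip": srcip})
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return stitch_accepted(resp.read().decode())


def stitch_hits(autod_output: str, stitch: str) -> Optional[int]:
    """Parse 'diagnose test application autod 2' output and return the
    'local hit' counter of the named stitch, or None if it is not listed."""
    current = None
    for line in autod_output.splitlines():
        line = line.strip()
        if line.startswith("stitch:"):
            current = line.split()[1]
        elif current == stitch and line.startswith("local hit:"):
            return int(line.split()[2])
    return None


# Constructed samples mirroring the page's webhook reply and diagnose output.
SAMPLE_RESPONSE = ('{"http_method":"POST","status":"success","http_status":200,'
                   '"serial":"FGVM08TM20000000","version":"v6.4.0","build":1608}')
SAMPLE_AUTOD = """\
csf: enabled root:yes version:1586883541
total stitches activated: 1
stitch: auto_webhook destinations: all
    trigger: auto_webhook (id:15)service=auto_webhook
        local hit: 1 relayed to: 0 relayed from: 0
    actions:
        auto_webhook_quarantine-nsx type:quarantine-nsx interval:0
            security tag:automation_tag sdn connector: nsx_t25;
"""

if __name__ == "__main__":
    req = build_webhook_request("172.16.116.230", "auto_webhook",
                                "<api-token>", {"srcip": "10.1.30.242"})
    print("POST", req.full_url)
    print("accepted:", stitch_accepted(SAMPLE_RESPONSE))
    print("auto_webhook hits:", stitch_hits(SAMPLE_AUTOD, "auto_webhook"))
    # Against a real FortiGate:
    # trigger("172.16.116.230", "auto_webhook", "<api-token>", "10.1.30.242",
    #         verify_tls=False)
```

Keep the API token out of the script itself (read it from an environment variable or a secrets store) and restrict the REST API administrator it belongs to with a trusted-host list, since anyone holding that token can tag, and therefore quarantine, any VM the connector can resolve.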