Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.6.0 Administration Guide
    7.6.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    VMware NSX security tag action

    VMware NSX security tag action

    If an endpoint instance in a VMware NSX environment is compromised, this action will assign the configured security tag to the compromised endpoint.

    This action is only available when the automation trigger is set to compromised host.

    To set up the NSX quarantine action, you need to:

    1. Configure a VMware NSX SDN connector

    2. Configure an NSX security tag automation stitch

    3. Configure FortiAnalyzer logging on the FortiGate

    Configure a VMware NSX SDN connector

    The FortiGate retrieves security tags from the VMware NSX server through the connector.

    To configure a VMware NSX SDN connector in the GUI:

    1. Go to Security Fabric > External Connectors.

    2. Click Create New.

    3. Select VMware NSX.

    4. Configure the settings as needed.

    5. Click OK.

    To configure a VMware NSX SDN connector in the CLI:
    config system sdn-connector
    edit "nsx"
        set type nsx
        set server "172.18.64.32"
        set username "admin"
        set password xxxxxxxxxxxx
    next
end

    Configure an NSX security tag automation stitch

    Security tags are retrieved from the VMware NSX server through the NSX SDN connector.

    To configure an automation stitch with an NSX security tag in the GUI:

    1. Go to Security Fabric > Automation and click Create New.

    2. Enter the stitch name (pcui-test).

    3. Configure the trigger:

      1. Click Add Trigger.

      2. Select Compromised Host.

      3. Click Apply.

    4. Configure the VMware NSX Security Tag action:

      1. Click Add Action.

      2. Click Create and select VMware NSX Security Tag.

      3. Enter the following:

        Name

        pcui-test_quarantine-nsx

        Specify NSX server(s)

        Enable and select the SDN connector

        Security tag

        Select an existing tag, or create a new one

      4. Click OK.

      5. Select the action in the list and click Apply.

    5. Click OK.

    To configure an automation stitch with an NSX security tag in the CLI:

    1. Create the automation trigger:

      config system automation-trigger
    edit "Compromised Host"
    next
end

    2. Create the automation action:

      config system automation-action
    edit "pcui-test_quarantine-nsx"
        set action-type quarantine-nsx
        set security-tag "pcui-tag2"
        set sdn-connector "nsx"
    next
end

    3. Create the automation stitch:

      config system automation-stitch
    edit "pcui-test"
        set trigger "Compromised Host"
        config actions
            edit 1
                set action "pcui-test_quarantine-nsx"
                set required enable
            next
        end
    next
end

    Configure FortiAnalyzer logging on the FortiGate

    The FortiAnalyzer is used to send endpoint compromise notification to the FortiGate.

    See Configuring FortiAnalyzer for more information.

    To configure FortiAnalyzer logging in the GUI:

    1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.

    2. In the FortiAnalyzer tab, ensure the Status is Enabled, and configure the settings as needed.

    3. Click OK.

    To configure FortiAnalyzer logging in the CLI:
    config log fortianalyzer setting
    set status enable
    set server "172.18.64.234"
    set serial "FL-8HFT000000000"
    set upload-option realtime
    set reliable enable
end

    When an endpoint instance is compromised

    When an endpoint instance, such as pcui-ubuntu2, in the VMware NSX environment is compromised, the automation stitch is triggered. The FortiGate then assigns the configured security tag, pcui-tag2 in this example, to the compromised NSX endpoint instance.

    Previous
    Next

    More Links

    VMware NSX-T Manager SDN connector using NSX-T Manager credentials

    VMware NSX security tag action

    VMware NSX security tag action

    If an endpoint instance in a VMware NSX environment is compromised, this action will assign the configured security tag to the compromised endpoint.

    This action is only available when the automation trigger is set to compromised host.

    To set up the NSX quarantine action, you need to:

    1. Configure a VMware NSX SDN connector

    2. Configure an NSX security tag automation stitch

    3. Configure FortiAnalyzer logging on the FortiGate

    Configure a VMware NSX SDN connector

    The FortiGate retrieves security tags from the VMware NSX server through the connector.

    To configure a VMware NSX SDN connector in the GUI:

    1. Go to Security Fabric > External Connectors.

    2. Click Create New.

    3. Select VMware NSX.

    4. Configure the settings as needed.

    5. Click OK.

    To configure a VMware NSX SDN connector in the CLI:
    config system sdn-connector
    edit "nsx"
        set type nsx
        set server "172.18.64.32"
        set username "admin"
        set password xxxxxxxxxxxx
    next
end

    Configure an NSX security tag automation stitch

    Security tags are retrieved from the VMware NSX server through the NSX SDN connector.

    To configure an automation stitch with an NSX security tag in the GUI:

    1. Go to Security Fabric > Automation and click Create New.

    2. Enter the stitch name (pcui-test).

    3. Configure the trigger:

      1. Click Add Trigger.

      2. Select Compromised Host.

      3. Click Apply.

    4. Configure the VMware NSX Security Tag action:

      1. Click Add Action.

      2. Click Create and select VMware NSX Security Tag.

      3. Enter the following:

        Name

        pcui-test_quarantine-nsx

        Specify NSX server(s)

        Enable and select the SDN connector

        Security tag

        Select an existing tag, or create a new one

      4. Click OK.

      5. Select the action in the list and click Apply.

    5. Click OK.

    To configure an automation stitch with an NSX security tag in the CLI:

    1. Create the automation trigger:

      config system automation-trigger
    edit "Compromised Host"
    next
end

    2. Create the automation action:

      config system automation-action
    edit "pcui-test_quarantine-nsx"
        set action-type quarantine-nsx
        set security-tag "pcui-tag2"
        set sdn-connector "nsx"
    next
end

    3. Create the automation stitch:

      config system automation-stitch
    edit "pcui-test"
        set trigger "Compromised Host"
        config actions
            edit 1
                set action "pcui-test_quarantine-nsx"
                set required enable
            next
        end
    next
end

    Configure FortiAnalyzer logging on the FortiGate

    The FortiAnalyzer is used to send endpoint compromise notification to the FortiGate.

    See Configuring FortiAnalyzer for more information.

    To configure FortiAnalyzer logging in the GUI:

    1. Go to Security Fabric > Fabric Connectors and double-click the Logging & Analytics card.

    2. In the FortiAnalyzer tab, ensure the Status is Enabled, and configure the settings as needed.

    3. Click OK.

    To configure FortiAnalyzer logging in the CLI:
    config log fortianalyzer setting
    set status enable
    set server "172.18.64.234"
    set serial "FL-8HFT000000000"
    set upload-option realtime
    set reliable enable
end

    When an endpoint instance is compromised

    When an endpoint instance, such as pcui-ubuntu2, in the VMware NSX environment is compromised, the automation stitch is triggered. The FortiGate then assigns the configured security tag, pcui-tag2 in this example, to the compromised NSX endpoint instance.

    Previous
    Next