NSX-T service template with VDOM support 7.0.1

FortiManager 7.0.1 includes an NSX-T Service Template with VDOM support.

This section includes the following topics:

Liveness detection

Liveness detection can be enabled and disabled for each VM. The configuration can be managed in Device Manager by selecting a FortiGate and going to CLI Configuration > nsxt > setting.

Service chain on FortiGate VMs

Service chain configuration on FortiGate VMs launched through NSX-T can be managed under the service.

To edit service chains for FortiGate VMs:
  1. Go to Policy & Objects > Object Configurations > Fabric Connectors > Endpoint/Identity.
  2. Select and edit the NSX-T connector, and then select and configure the service.
  3. Select and edit a device.

Manage devices using an NSX-T service template

NSX-T templates can be created, cloned, deleted, and assigned in Device Manager > Provisioning Templates > NSX-T Service Template.

To create a new NSX-T service template:
  1. Go to Device Manager > Provisioning Templates > NSX-T Service Template.
  2. Click Create New in the toolbar.
  3. In the Create New Template pane, type a name for the template.
  4. Click OK to create the new NSX-T service template.

To edit an NSX-T service template:
  1. Go to Device Manager > Provisioning Templates > NSX-T Service Template.
  2. Select an NSX-T service template and click Edit.
    The Edit NSX-T Service Template pane opens.
  3. Adjust the settings as required, and click OK to save your changes.

To create a new VDOM in an NSX-T service template:
  1. Click Create New under the VDOMs section. The Create New VDOM pane opens.
  2. Fill in the VDOM name, and select from the dropdown the policy package that will be applied to the template.
  3. The Virtual Wire Pair will be automatically filled based on the VDOM name.
    Note

    Dynamic interface mapping is mandatory to create the VDOM. Select the interface name and click Edit to configure the dynamic interface mapping for internal and external interfaces.

    Note

    The Dynamic Interface dropdown will only show normalized interfaces which have default mappings and where the default mapping name is the same as the name of the interface on the Edit Interface page. You can create a new interface using the add icon in the dropdown.

To assign an NSX-T service template to a device:
  1. Go to Device Manager > Provisioning Templates > NSX-T Service Template.
  2. Select a template to assign to managed devices.
  3. Right-click anywhere in the template list window and select Assign to Device from the menu, or click Assign to Device from the toolbar above.
    The Assign to Device dialog appears.
  4. Select the managed devices to which you want to assign the selected template from the Available Entries field, and move those entries to the Selected Entries field.
    Note

    For a device to show up in the list, it should meet the following conditions, which are also listed on the Edit Installation Target panel:

    • The VDOM feature should be enabled on the FortiGate.
    • The FortiGate platform type should match the one specified in the template.
    • The NSX-T service name should match that of the device.

CLI configuration

Service configured on the FortiGate:

config nsxt setting
    set liveness enable
    set service "hkalra-service"
end

Configuration pushed to the FortiGate:

FGVM04TM21007922 $ config vdom
FGVM04TM21007922 (vdom) $ edit vd1
current vf=vd1:3
FGVM04TM21007922 (vd1) $ end
FGVM04TM21007922 $ config global
FGVM04TM21007922 (global) $ config system interface
FGVM04TM21007922 (interface) $ edit "ssl.vd1"
FGVM04TM21007922 (ssl.vd1) $ set vdom "vd1"
FGVM04TM21007922 (ssl.vd1) $ set type tunnel
FGVM04TM21007922 (ssl.vd1) $ set alias "SSL VPN interface"
FGVM04TM21007922 (ssl.vd1) $ set snmp-index 110
FGVM04TM21007922 (ssl.vd1) $ next
FGVM04TM21007922 (interface) $ edit "vd1_int"
FGVM04TM21007922 (vd1_int) $ set vdom "vd1"
FGVM04TM21007922 (vd1_int) $ set type geneve
FGVM04TM21007922 (vd1_int) $ set snmp-index 111
FGVM04TM21007922 (vd1_int) $ set interface "port2"
FGVM04TM21007922 (vd1_int) $ next
FGVM04TM21007922 (interface) $ edit "vd1_ext"
FGVM04TM21007922 (vd1_ext) $ set vdom "vd1"
FGVM04TM21007922 (vd1_ext) $ set type geneve
FGVM04TM21007922 (vd1_ext) $ set snmp-index 112
FGVM04TM21007922 (vd1_ext) $ set interface "port2"
FGVM04TM21007922 (vd1_ext) $ next
FGVM04TM21007922 (interface) $ end
FGVM04TM21007922 (global) $ config nsxt service-chain
FGVM04TM21007922 (service-chain) $ edit 1
FGVM04TM21007922 (1) $ config service-index
FGVM04TM21007922 (service-index) $ edit 1
FGVM04TM21007922 (1) $ set reverse-index 2
FGVM04TM21007922 (1) $ set name "1"
FGVM04TM21007922 (1) $ set vd "vd1"
FGVM04TM21007922 (1) $ next
FGVM04TM21007922 (service-index) $ end
FGVM04TM21007922 (1) $ next
FGVM04TM21007922 (service-chain) $ end
FGVM04TM21007922 (global) $ end
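
A consistency check for the pushed configuration above, as an added example (not Fortinet's code): it parses FortiOS-style config/edit/set/next/end lines, with or without the CLI prompt, and reports every interface that a VDOM referenced by an nsxt service-chain entry is missing. The rule that each such VDOM needs geneve interfaces named <vdom>_int and <vdom>_ext is an assumption read off the page's vd1 sample; LINE, parse, audit and SAMPLE are names introduced here.

```python
import re

# Constructed sample: the page's pushed configuration, prompts removed and trimmed,
# with the "vd1_ext" interface left out on purpose so the audit has a finding.
SAMPLE = "\n".join([
    "config vdom", "edit vd1", "end",
    "config global", "config system interface",
    'edit "vd1_int"', 'set vdom "vd1"', "set type geneve", "next", "end",
    "config nsxt service-chain", "edit 1", "config service-index",
    "edit 1", "set reverse-index 2", 'set vd "vd1"', "next", "end",
    "next", "end", "end",
])

# Optional "HOST (context) $ " prompt, then one of the five CLI keywords.
LINE = re.compile(r'^(?:\S+ (?:\([^)]*\) )?\$ )?\s*(config|edit|set|next|end)\b\s*(.*?)\s*$')

def parse(text):
    """Parse config/edit/set/next/end lines (prompt optional) into nested dicts."""
    root = {}
    stack = [("config", root)]
    for m in filter(None, map(LINE.match, text.splitlines())):
        kw, rest = m.groups()
        if kw in ("config", "edit"):
            stack.append((kw, stack[-1][1].setdefault(rest.strip('"'), {})))
        elif kw == "set":
            key, _, val = rest.partition(" ")
            stack[-1][1][key] = val.strip().strip('"')
        else:
            if stack[-1][0] == "edit":   # "next", or "end" typed inside an edit
                stack.pop()
            if kw == "end" and len(stack) > 1:
                stack.pop()              # "end" closes the enclosing config table
    return root

def audit(text):
    """Return interface names a service-chain VDOM needs but lacks as geneve."""
    cfg = parse(text)
    cfg = cfg.get("global", cfg)         # multi-VDOM mode nests settings in "global"
    ifaces, missing = cfg.get("system interface", {}), []
    for chain in cfg.get("nsxt service-chain", {}).values():
        for entry in chain.get("service-index", {}).values():
            vd = entry.get("vd", "")
            for name in (vd + "_int", vd + "_ext"):
                i = ifaces.get(name, {})
                if i.get("vdom") != vd or i.get("type") != "geneve":
                    missing.append(name)
    return missing
```

Lines that are not commands, such as the "current vf=vd1:3" output in the session, are skipped, so a captured session can be passed to audit() as is.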
