
Administration Guide

Creating VMware NSX-T connector

FortiManager supports VMware NSX-T connectors. After configuration is complete, FortiManager can retrieve groups from VMware NSX-T manager and store them as dynamic firewall address objects, and a FortiGate that is deployed by the registered VMware NSX-T service can connect to FortiManager to receive dynamic objects for VMware NSX-T.

Enabling read-write JSON API access

A VMware NSX-T connector requires read-write access to the FortiManager JSON API.

The JSON API registers a service with VMware NSX-T manager and retrieves object updates from VMware NSX-T manager.

To enable read-write JSON API access:
  1. Go to System Settings > Admin > Administrators.
  2. Select your administrator account, and click Edit.
  3. Beside JSON API Access, select Read-Write, and click OK.
Creating a fabric connector for VMware NSX-T
To create a fabric connector for VMware NSX-T:
  1. Go to Fabric View > Fabric > Connectors, and click Create New. The Create New Fabric Connector wizard is displayed.
  2. Under Endpoint/Identity, select VMware NSX-T. The VMware NSX-T screen is displayed.

  3. Configure the following options, and click OK:

    Name: Type a name for the fabric connector object.
    Status: Toggle On to enable the fabric connector object. Toggle OFF to disable the fabric connector object.

    NSX-T Manager Configuration
    • Server: Type the IP address of the NSX-T server.
    • User Name: Type the user name for the NSX-T server.
    • Password: Type the password for the NSX-T server.

    FortiManager Configurations
    • IP Address: Type the IP address for FortiManager.
    • User Name: Type the user name for FortiManager.
    • Password: Type the password for FortiManager.

Configure registered services
To configure a registered service:
  1. Edit the previously configured NSX-T connector.
  2. Under Registered Service, click Add Service.
    You also have the option to Delete or Edit previously configured registered services.

    Name: Enter the service name to register to NSX-T's partner service catalog.
    Integration: Select the integration type as East-West.
    FortiGate Password: Enter your FortiGate administrator password.
    License URL Prefix: Enter the license URL prefix, for example: http://x.x.x.x/lics/.

    Image Location

    Configure the following:

    • Type: Select the VM type, for example VM02.
    • Location: Enter the image location, for example: http://x.x.x.x/FortiGate-VM64xCPU.nsxt.ovf
  3. Click OK, and save the NSX-T connector.
  4. In the NSX-T Manager, go to System > Service Deployment > CATALOG to confirm that the FortiGate-VM service was properly registered on NSX-T Manager.
Configure the NSX-T Manager
To configure NSX-T Manager:
  1. In the NSX-T Manager, go to Inventory > Groups, and click ADD GROUP.
  2. Enter a name, and click Set Members.
  3. Select the IP Addresses tab, and add the IP addresses that are to be members of this group.

  4. Save your changes, and repeat these steps until you have created all of the groups that you require.
    Note

    Group membership is what determines the dynamic NSX-T addresses in FortiManager. Multiple criteria can be defined on the NSX-T Manager to make a virtual machine part of a group.

  5. Go to Security > Network Introspection Settings > Service Profiles.
  6. Select the Registered Service from the Partner Service dropdown list, and click ADD SERVICE PROFILE.

  7. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Vendor Template: Select the template listed in the dropdown.
  8. Go to the Service Chains tab and click ADD CHAIN.
  9. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Service Segment: Service-Segment.
  10. Click Set Forward Path, and then click ADD PROFILE IN SEQUENCE.

  11. Select the profile you just created, and click ADD.
  12. Save your changes.
  13. Go to Service Chain Management > E-W Network Introspection, and click Add Policy.
  14. Click on the policy name, and you can change it if required.
To create the redirection rule in NSX-T:
  1. Select the policy you created in the previous step, and click ADD RULE.
  2. Configure the parameters as follows:
    1. Name: Redir-Rule.
    2. Source: Any (Groups must be selected).
    3. Destination: Any (Groups must be selected).
    4. Services: Any.
    5. Applied To: DFW.
    6. Action: Redirect.

    This rule will redirect all traffic to the FortiGate-EW-VM instance. You can be more granular by selecting any combination of Sources, Destinations, Services, or Applied To for specific groups. If specific groups are selected, only they will be associated with the Service Manager and show up on FortiManager.

  3. Click PUBLISH to apply the changes.
Use the groups in a FortiManager policy
To use groups in a policy:
  1. Go to Policy & Objects > Object Configurations > Fabric Connectors > Endpoint/Identity.
  2. Edit the NSXT-Manager object.
  3. Scroll down and check that the objects with addresses appear. If no objects are listed, select Apply & Refresh.
  4. Click Cancel.
    Note

    These groups and their members are automatically synchronized between FortiManager and NSX-T Manager. As soon as you add a VM/IP to a group that the Redir-Rule applies to on NSX-T Manager, it will be synchronized.

  5. You can have the FortiManager create Firewall Addresses or create your own. Go to Firewall Objects > Addresses, and click Create New > Address.
  6. Configure the parameters, and click OK.
    1. Address Name: Enter a name.
    2. Type: Dynamic.
    3. Sub Type: FSSO.
    4. FSSO Group: nsx_NSXT-Manager_Default/groups/<group name>
