New Features

FortiManager updated integration with NSX-T

FortiManager has updated integration with NSX-T. Using the new Service Manager APIs, FortiManager gets notifications for registration changes and dynamic address updates.

To configure NSX-T integration with FortiManager:
  1. Configure the NSX-T connector
  2. Configure the NSX-T Manager
  3. Use the groups in a FortiManager policy

Configure the NSX-T connector

To enable JSON API access for administrators:
  1. In FortiManager, go to System Settings > Admin > Administrators.
  2. Select your Administrator account, and click Edit.
  3. From the JSON API Access dropdown, select Read-Write, and click OK.
    The FortiManager will log you out to activate the settings.
To configure NSX-T API integration on FortiManager:
  1. Log into FortiManager.
  2. Go to Policy & Objects > Objects Configuration > Fabric Connectors > Endpoint/Identity.
  3. Click Create New > NSX-T Connector.
  4. Configure the parameters for the new NSX-T connector, and click OK.
    For example:
    1. Name: NSXT-Manager.
    2. Status: ON.
    3. NSX-T Manager Configurations:
      1. Server: NSX-T server.
      2. User Name: NSX-T user name.
      3. Password: NSX-T password.
    4. FortiManager Configurations:
      1. IP Address: FortiManager IP or FQDN.
      2. User Name: Your FortiManager administrator user name.
        Note

        The user name under FortiManager configurations can be any other FortiManager local user with JSON API access set to read-write. The NSX-T Manager uses this user to make API calls to FortiManager in order to dynamically update the VM group objects.

      3. Password: Your administrator password.
  5. Edit the configured NSX-T connector, and click Add Service under Registered Services.
  6. Configure the service details:
    1. Integration: Select your integration, for example East-West.
    2. FortiGate Password: Your FortiGate admin password.
    3. License URL Prefix: Enter the license URL prefix, for example: http://x.x.x.x/lics/.

  7. Click the plus icon to add a new image location, and click OK.
    1. Type: Select the VM type, for example VM01.
    2. Location: Enter the image location, for example: http://x.x.x.x/FortiGate-VM64xCPU.nsxt.ovf.
  8. In the NSX-T Manager GUI, go to System > Service Deployment > CATALOG to confirm that the FortiGate-VM service was properly registered on NSX-T Manager.
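
Before handing the FortiManager user name and password to the connector, it is worth confirming that the account can actually open a JSON API session. The following is an added example, not Fortinet's code: it uses FortiManager's `/jsonrpc` endpoint with the `/sys/login/user` and `/sys/logout` calls, while the host, account name, optional CA file, and the two sample responses are constructed assumptions.

```python
import json
import ssl
import urllib.request

def login_request(user, password, req_id=1):
    """JSON-RPC body for FortiManager's /sys/login/user exec call."""
    return {"id": req_id, "method": "exec",
            "params": [{"url": "/sys/login/user",
                        "data": {"user": user, "passwd": password}}]}

def logout_request(session, req_id=2):
    """JSON-RPC body that closes the session opened by the login call."""
    return {"id": req_id, "method": "exec", "session": session,
            "params": [{"url": "/sys/logout"}]}

def interpret_login(response):
    """Return (ok, session, detail) from a login response dict."""
    results = response.get("result") or [{}]
    status = results[0].get("status", {})
    code, message = status.get("code"), status.get("message", "")
    session = response.get("session")
    ok = code == 0 and bool(session)
    return ok, session if ok else None, f"code={code} message={message}"

def post(host, body, cafile=None):
    """POST one JSON-RPC request to https://<host>/jsonrpc, TLS verification on."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{host}/jsonrpc",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def verify_api_user(host, user, password, cafile=None):
    """Log in as the connector's API user, then log out so no session lingers."""
    ok, session, detail = interpret_login(
        post(host, login_request(user, password), cafile))
    if ok:
        post(host, logout_request(session), cafile)
    return ok, detail

# Constructed sample responses (not captured from a real FortiManager).
SAMPLE_OK = {"id": 1, "session": "constructed-session-token",
             "result": [{"status": {"code": 0, "message": "OK"},
                         "url": "/sys/login/user"}]}
SAMPLE_DENIED = {"id": 1,
                 "result": [{"status": {"code": -11,
                                        "message": "No permission for the resource"},
                             "url": "/sys/login/user"}]}
```

Call `verify_api_user("<FortiManager IP or FQDN>", "<user>", "<password>")` from a host that can reach FortiManager; a non-zero code means the account is not ready to be used by NSX-T Manager.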

Configure the NSX-T Manager

To configure NSX-T Manager:
  1. In the NSX-T Manager GUI, go to Inventory > Groups, and click ADD GROUP.
  2. Enter a name, and click Set Members.
  3. Select the IP Addresses tab, and add the IP addresses to add as members of this group.
  4. Save your changes, and repeat these steps until you have created all of the groups that you require.
    Note

    Group membership is what is used to determine dynamic NSX-T addresses in FortiManager. There are multiple criteria which can be defined on the NSX-T Manager to make a virtual machine part of that group.

  5. Go to Security > Network Introspection Settings > Service Profiles.
  6. Select the Registered Service from the Partner Service dropdown list, and click ADD SERVICE PROFILE.
  7. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Vendor Template: Select the template listed in the dropdown.
  8. Go to the Service Chains tab and click ADD CHAIN.
  9. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Service Segment: Service-Segment.
  10. Click Set Forward Path, and then click ADD PROFILE IN SEQUENCE.
  11. Select the profile you just created, and click ADD.
  12. Save your changes.
  13. Go to East West Security > Network Introspection (E-W), and click on Add Policy.
  14. Click the policy name to change it, if required.
To create the redirection rule in NSX-T:
  1. Select the policy you created in the previous step, and click ADD RULE.
  2. Configure the parameters as follows:
    1. Name: Redir-Rule.
    2. Source: Any (Groups need to be selected).
    3. Destination: Any (Groups need to be selected).
    4. Services: Any.
    5. Applied To: DFW.
    6. Action: Redirect.

    This rule will redirect all traffic to the FGT-EW-VM instance. You can be more granular by selecting any combination of Sources, Destinations, Services, or Applied To for specific groups. If specific groups are selected, only they will be associated with the Service Manager and show up on FortiManager.

  3. Click PUBLISH to apply the changes.

Use the groups in a FortiManager policy

To use groups in a policy:
  1. Go to Policy & Objects > Object Configurations > Fabric Connectors.
  2. Edit the NSXT-Manager object.
  3. Scroll down and check that the objects with addresses appear. If there aren't any objects, select Apply & Refresh.
  4. Click Cancel.
    Note

    These groups and their members are automatically synchronized between FortiManager and NSX-T Manager. As soon as you add a VM/IP to a group that the Redir-Rule applies to on NSX-T Manager, it will be synchronized.

  5. You can have the FortiManager create Firewall Addresses or create your own. Go to Firewall Objects > Addresses, and click Create New > Address.
  6. Configure the parameters, and click OK.
    1. Address Name: Enter a name.
    2. Type: Dynamic.
    3. Sub Type: FSSO.
    4. FSSO Group: nsx_NSXT-Manager_Default/groups/<group name>
