Fortinet black logo

Administration Guide

Creating VMware NSX-T connectors

Creating VMware NSX-T connectors

FortiManager supports VMware NSX-T connectors. After configuration is complete, FortiManager can retrieve groups from VMware NSX-T manager and store them as dynamic firewall address objects, and a FortiGate that is deployed by the registered VMware NSX-T service can connect to FortiManager to receive dynamic objects for VMware NSX-T.

Following is an overview of the steps required to set up a VMware NSX-T connector:

  1. Enabling read-write JSON API access
  2. Creating a fabric connector for VMware NSX-T
  3. Configure registered services
  4. Configure the NSX-T Manager
  5. Use the groups in a FortiManager policy
Enabling read-write JSON API access

A VMware NSX-T connector requires read-write access to the FortiManager JSON API.

The JSON API registers a service with VMware NSX-T manager and retrieves object updates from VMware NSX-T manager.

To enable read-write JSON API access:
  1. On FortiManager, go to System Settings > Administrators.
  2. Select your Administrator account, and click Edit.
  3. From the JSON API Access dropdown, select Read-Write, and click OK.
    The FortiManager will log you out to activate the settings.
Creating a fabric connector for VMware NSX-T

In FortiManager, create a fabric connector for VMware NSX-T.

To configure an NSX-T connector on FortiManager:
  1. Log into FortiManager.
  2. Go to Policy & Objects > Objects Configuration > External Connectors > Endpoint/Identity.
  3. Click Create New > NSX-T Connector.
    Note

    NSX-T connectors can also be created from Fabric View > Fabric > External Connectors in FortiManager.


  4. Configure the following parameters for the new NSX-T connector, and click OK.

    NameEnter a name for the connector.
    StatusToggle the status to ON or OFF.
    NSX-T Manager Configurations

    Server

    Configure the server address for NSX-T Manager.

    User Name

    Enter your NSX-T username.

    Password

    Enter your NSX-T password.

    FortiManager Configurations

    IP Address

    Enter the IP or FQDN for FortiManager.

    User Name

    Your FortiManager administrator password.

    Note

    The user name under FortiManager configurations can be any other FortiManager local user with JSON API access set to read-write. This user will be used by the NSX-T Manager to perform the API calls to the FortiManager in order to dynamically update the VM groups objects.

    Password

    Your FortiManager administrator password.

Configure registered services
To configure a registered service:
  1. Edit the previously configured NSX-T connector.
  2. Under Registered Service, click Add Service.
    You also have the option to Delete or Edit previously configured registered services.

  3. Name Enter the service name to register to NSX-T's partner service catalog.
    Integration Select the integration type as East-West or North-South.
    FortiGate Password Enter your FortiGate administrator password.
    License Type Select the license type as either License File or Flex-VM.

    License File

    When using a License File:

    1. Enter the license URL prefix in License URL Prefix, for example: http://x.x.x.x/lics/.
    2. Click the Add icon to add a new image location, and configure the following:
      • Type: Select the VM type, for example VM01.
      • Location: Enter the image location, for example: http://x.x.x.x/FortiGate-VM64xCPU.nsxt.ovf

    Flex-VM

    When using Flex-VM, select a previously configured Flex-VM Connector from which to obtain the license. See Creating Flex-VM connectors.

  4. Click OK, and save the NSX-T connector.
  5. In the NSX-T Manager, go to System > Service Deployment > CATALOG to confirm that the FortiGate-VM service was properly registered on NSX-T Manager.
To edit a registered service:
  1. Navigate to the NSX-T Connector in FortiManager.
  2. Select the registered service, and click Edit Service.
  3. Once Edit Service is selected, you can change the following information:
    • Password
    • License type
    • License URL (if license type is License File)
    • Image location of existing deployment specs
      When upgrading, make sure to mark the change as upgrade by enabling the Upgrade toggle. This marks the change on the NSX-T Manager. Once a deployment spec is set as Upgrade, users can upgrade a service deployment using the NSX-T Manager GUI.
Configure the NSX-T Manager
To configure NSX-T Manager:
  1. In the NSX-T Manager, go to Inventory > Groups, and click ADD GROUP.
  2. Enter a name, and click Set Members.
  3. Select the IP Addresses tab, and add the IP addresses to add as members of this group.

  4. Save your changes, and repeat these steps until you have created all of the groups that you require.
    Note

    Group membership is what is used to determine dynamic NSX-T addresses in FortiManager. There are multiple criteria which can be defined on the NSX-T Manager to make a virtual machine part of that group.

  5. Go to Security > Network Introspection Settings > Service Profiles.
  6. Select the Registered Service from the Partner Service dropdown list, and click ADD SERVICE PROFILE.

  7. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Vendor Template: Select the template listed in the dropdown.
  8. Go to the Service Chains tab and click ADD CHAIN.
  9. Configure the following parameters, and click Save.
    1. Name:Enter a name.
    2. Service Segment: Service-Segment.
  10. Click Set Forward Path, and then click ADD PROFILE IN SEQUENCE.

  11. Select the profile you just created, and click ADD.
  12. Save your changes.
  13. Go to Service Chain Management > E-W Network Introspection or N-S Network Introspection, and click on Add Policy.
  14. Click on the policy name, and you can change it if required.
To create the redirection rule in NSX-T:
  1. Select the policy you created in the previous step, and click ADD RULE.
  2. Configure the parameters as follows:
    1. Name: Redir-Rule.
    2. Source: Any (Groups needs to be selected).
    3. Destination: Any (Groups needs to be selected).
    4. Services: Any.
    5. Applied To: DFW.
    6. Action: Redirect.

    This rule will redirect all traffic to the FortiGate instance. You can be more granular by selecting any combination of Sources, Destinations, Services, or Applied To for specific groups. If specific groups are selected, only they will be associated with the Service Manager and show up on FortiManager.

  3. Click PUBLISH to apply the changes.
Note

NSX-T currently only supports North-South Introspection once the service is deployed.

To deploy a North-South service on NSX-T Manager:
  1. In the NSX-T Manager, go to System > Service Deployment > Deployment.
  2. From the dropdown, select the newly registered service and select Deploy.
  3. Fill in the details, and deploy the service.
  4. Associate groups with the North-South service:
    1. Go to Security > Service Chain Management > N-S Network Introspection.
    2. In the policy, add the desired groups.
    3. The same groups will appear on FortiManager and be available for use.
Use the groups in a FortiManager policy
To use groups in a policy:
  1. Go to Policy & Objects > Security Fabric > Endpoint/Identity.
  2. Edit the NSXT-Manager object.
  3. Scroll down and check that the objects with addresses appear. If there aren't any objects, select Apply & Refresh.
  4. Click Cancel.
    Note

    These groups and their members are automatically synchronized between FortiManager and NSX-T Manager. As soon as you add a VM/IP to a group that the Redir-Rule applies to on NSX-T Manager, it will be synchronized.

  5. You can have the FortiManager create Firewall Addresses or create your own. Go to Firewall Objects > Addresses, and click Create New > Address.
  6. Configure the parameters, and click OK.
    1. Address Name: Enter a name.
    2. Type: Dynamic.
    3. Sub Type: FSSO.
    4. FSSO Group: nsx_NSXT-Manager_Default/groups/<group name>

Creating VMware NSX-T connectors

FortiManager supports VMware NSX-T connectors. After configuration is complete, FortiManager can retrieve groups from VMware NSX-T manager and store them as dynamic firewall address objects, and a FortiGate that is deployed by the registered VMware NSX-T service can connect to FortiManager to receive dynamic objects for VMware NSX-T.

Following is an overview of the steps required to set up a VMware NSX-T connector:

  1. Enabling read-write JSON API access
  2. Creating a fabric connector for VMware NSX-T
  3. Configure registered services
  4. Configure the NSX-T Manager
  5. Use the groups in a FortiManager policy
Enabling read-write JSON API access

A VMware NSX-T connector requires read-write access to the FortiManager JSON API.

The JSON API registers a service with VMware NSX-T manager and retrieves object updates from VMware NSX-T manager.

To enable read-write JSON API access:
  1. On FortiManager, go to System Settings > Administrators.
  2. Select your Administrator account, and click Edit.
  3. From the JSON API Access dropdown, select Read-Write, and click OK.
    The FortiManager will log you out to activate the settings.
Creating a fabric connector for VMware NSX-T

In FortiManager, create a fabric connector for VMware NSX-T.

To configure an NSX-T connector on FortiManager:
  1. Log into FortiManager.
  2. Go to Policy & Objects > Objects Configuration > External Connectors > Endpoint/Identity.
  3. Click Create New > NSX-T Connector.
    Note

    NSX-T connectors can also be created from Fabric View > Fabric > External Connectors in FortiManager.


  4. Configure the following parameters for the new NSX-T connector, and click OK.

    NameEnter a name for the connector.
    StatusToggle the status to ON or OFF.
    NSX-T Manager Configurations

    Server

    Configure the server address for NSX-T Manager.

    User Name

    Enter your NSX-T username.

    Password

    Enter your NSX-T password.

    FortiManager Configurations

    IP Address

    Enter the IP or FQDN for FortiManager.

    User Name

    Your FortiManager administrator password.

    Note

    The user name under FortiManager configurations can be any other FortiManager local user with JSON API access set to read-write. This user will be used by the NSX-T Manager to perform the API calls to the FortiManager in order to dynamically update the VM groups objects.

    Password

    Your FortiManager administrator password.

Configure registered services
To configure a registered service:
  1. Edit the previously configured NSX-T connector.
  2. Under Registered Service, click Add Service.
    You also have the option to Delete or Edit previously configured registered services.

  3. Name Enter the service name to register to NSX-T's partner service catalog.
    Integration Select the integration type as East-West or North-South.
    FortiGate Password Enter your FortiGate administrator password.
    License Type Select the license type as either License File or Flex-VM.

    License File

    When using a License File:

    1. Enter the license URL prefix in License URL Prefix, for example: http://x.x.x.x/lics/.
    2. Click the Add icon to add a new image location, and configure the following:
      • Type: Select the VM type, for example VM01.
      • Location: Enter the image location, for example: http://x.x.x.x/FortiGate-VM64xCPU.nsxt.ovf

    Flex-VM

    When using Flex-VM, select a previously configured Flex-VM Connector from which to obtain the license. See Creating Flex-VM connectors.

  4. Click OK, and save the NSX-T connector.
  5. In the NSX-T Manager, go to System > Service Deployment > CATALOG to confirm that the FortiGate-VM service was properly registered on NSX-T Manager.
To edit a registered service:
  1. Navigate to the NSX-T Connector in FortiManager.
  2. Select the registered service, and click Edit Service.
  3. Once Edit Service is selected, you can change the following information:
    • Password
    • License type
    • License URL (if license type is License File)
    • Image location of existing deployment specs
      When upgrading, make sure to mark the change as upgrade by enabling the Upgrade toggle. This marks the change on the NSX-T Manager. Once a deployment spec is set as Upgrade, users can upgrade a service deployment using the NSX-T Manager GUI.
Configure the NSX-T Manager
To configure NSX-T Manager:
  1. In the NSX-T Manager, go to Inventory > Groups, and click ADD GROUP.
  2. Enter a name, and click Set Members.
  3. Select the IP Addresses tab, and add the IP addresses to add as members of this group.

  4. Save your changes, and repeat these steps until you have created all of the groups that you require.
    Note

    Group membership is what is used to determine dynamic NSX-T addresses in FortiManager. There are multiple criteria which can be defined on the NSX-T Manager to make a virtual machine part of that group.

  5. Go to Security > Network Introspection Settings > Service Profiles.
  6. Select the Registered Service from the Partner Service dropdown list, and click ADD SERVICE PROFILE.

  7. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Vendor Template: Select the template listed in the dropdown.
  8. Go to the Service Chains tab and click ADD CHAIN.
  9. Configure the following parameters, and click Save.
    1. Name:Enter a name.
    2. Service Segment: Service-Segment.
  10. Click Set Forward Path, and then click ADD PROFILE IN SEQUENCE.

  11. Select the profile you just created, and click ADD.
  12. Save your changes.
  13. Go to Service Chain Management > E-W Network Introspection or N-S Network Introspection, and click on Add Policy.
  14. Click on the policy name, and you can change it if required.
To create the redirection rule in NSX-T:
  1. Select the policy you created in the previous step, and click ADD RULE.
  2. Configure the parameters as follows:
    1. Name: Redir-Rule.
    2. Source: Any (Groups needs to be selected).
    3. Destination: Any (Groups needs to be selected).
    4. Services: Any.
    5. Applied To: DFW.
    6. Action: Redirect.

    This rule will redirect all traffic to the FortiGate instance. You can be more granular by selecting any combination of Sources, Destinations, Services, or Applied To for specific groups. If specific groups are selected, only they will be associated with the Service Manager and show up on FortiManager.

  3. Click PUBLISH to apply the changes.
Note

NSX-T currently only supports North-South Introspection once the service is deployed.

To deploy a North-South service on NSX-T Manager:
  1. In the NSX-T Manager, go to System > Service Deployment > Deployment.
  2. From the dropdown, select the newly registered service and select Deploy.
  3. Fill in the details, and deploy the service.
  4. Associate groups with the North-South service:
    1. Go to Security > Service Chain Management > N-S Network Introspection.
    2. In the policy, add the desired groups.
    3. The same groups will appear on FortiManager and be available for use.
Use the groups in a FortiManager policy
To use groups in a policy:
  1. Go to Policy & Objects > Security Fabric > Endpoint/Identity.
  2. Edit the NSXT-Manager object.
  3. Scroll down and check that the objects with addresses appear. If there aren't any objects, select Apply & Refresh.
  4. Click Cancel.
    Note

    These groups and their members are automatically synchronized between FortiManager and NSX-T Manager. As soon as you add a VM/IP to a group that the Redir-Rule applies to on NSX-T Manager, it will be synchronized.

  5. You can have the FortiManager create Firewall Addresses or create your own. Go to Firewall Objects > Addresses, and click Create New > Address.
  6. Configure the parameters, and click OK.
    1. Address Name: Enter a name.
    2. Type: Dynamic.
    3. Sub Type: FSSO.
    4. FSSO Group: nsx_NSXT-Manager_Default/groups/<group name>