Fortinet white logo
Fortinet white logo

Administration Guide

VMware NSX-T security tag action

VMware NSX-T security tag action

VMware NSX SDN connectors' vCenter server and credentials can be configured so the FortiProxy resolves NSX-T VMs. The FortiProxy uses the VMWare NSX Security Tag automation action to assign a tag to the VM through an automation stitch.

The FortiProxy is notified of a compromised host on the NSX-T network by an incoming webhook or other means, such as FortiGuard IOC. An automation stitch can be configured to process this trigger and action it by assigning a VMware NSX security tag on the VM instance.

To configure an automation stitch to assign a security tag to NSX-T VMs in the GUI:
  1. Configure the NSX SDN connector:

    1. Go to Security Fabric > External Connectors and click Create New.

    2. Select VMware NSX.

    3. Configure the connector settings.

    4. Enable vCenter Settings and configure as needed.

    5. Click OK.

  2. Configure the automation stitch trigger:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the stitch name (auto_webhook).

    3. Click Add Trigger.

    4. Click Create and select Incoming Webhook.

    5. Enter a name (auto_webhook).

    6. Click OK to close the Incoming Webhook URL prompt.

    7. Select the trigger in the list and click Apply.

  3. Configure the automation stitch action:

    1. Click Add Action.

    2. Click Create and select VMware NSX Security Tag.

    3. Enter the following:

      Name

      auto_webhook_quarantine-nsx

      Specify NSX server(s)

      Enable and select the SDN connector

      Security tag

      Select an existing tag, or create a new one

    4. Click OK.

    5. Select the action in the list and click Apply.

  4. Click OK.

  5. In NSX-T, create a cURL request to trigger the automation stitch on the FortiProxy:

    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000000",
      "version":"v6.4.0",
      "build":1608
    }

    The automation stitch is triggered and the configured tag is added to the NSX-T VM.

    On the FortiProxy, the Security Fabric > Automation page shows the last trigger time.

To configure an automation stitch to assign a security tag to NSX-T VMs in the CLI:
  1. Configure the NSX SDN connector:
    config system sdn-connector
        edit "nsx_t25"
            set type nsx
            set server "172.18.64.205"
            set username "admin"
            set password xxxxxxxxxxxx
            set vcenter-server "172.18.64.201"
            set vcenter-username "administrator@vsphere.local"
            set vcenter-password xxxxxxxxxxxx
        next
    end
  2. Configure the automation stitch:
    config system automation-trigger
        edit "auto_webhook"
            set trigger-type event-based
            set event-type incoming-webhook
        next
    end
    config system automation-action
        edit "auto_webhook_quarantine-nsx"
            set action-type quarantine-nsx
            set security-tag "automation_tag"
            set sdn-connector "nsx_t25"
        next
    end
    config system automation-stitch
        edit "auto_webhook"
            set trigger "auto_webhook"
            config actions
                edit 1
                    set action "auto_webhook_quarantine-nsx"
                    set required enable
                next
            end
        next
    end
  3. In NSX-T, create a cURL request to trigger the automation stitch on the FortiProxy:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000000",
      "version":"v6.4.0",
      "build":1608
    }
To verify the automation stitch is triggered and the action is executed:
# diagnose test application autod 2

csf: enabled root:yes
version:1586883541 sync time:Tue Apr 14 11:04:05 2022

total stitches activated: 1

stitch: auto_webhook
        destinations: all
        trigger: auto_webhook
                type:incoming webhook

                field ids:
                        (id:15)service=auto_webhook

        local hit: 2 relayed to: 0 relayed from: 0
        actions:
                auto_webhook_quarantine-nsx type:quarantine-nsx interval:0
                        delay:0 required:yes
                        security tag:automation_tag
                        sdn connector:
        nsx_t25;

VMware NSX-T security tag action

VMware NSX-T security tag action

VMware NSX SDN connectors' vCenter server and credentials can be configured so the FortiProxy resolves NSX-T VMs. The FortiProxy uses the VMWare NSX Security Tag automation action to assign a tag to the VM through an automation stitch.

The FortiProxy is notified of a compromised host on the NSX-T network by an incoming webhook or other means, such as FortiGuard IOC. An automation stitch can be configured to process this trigger and action it by assigning a VMware NSX security tag on the VM instance.

To configure an automation stitch to assign a security tag to NSX-T VMs in the GUI:
  1. Configure the NSX SDN connector:

    1. Go to Security Fabric > External Connectors and click Create New.

    2. Select VMware NSX.

    3. Configure the connector settings.

    4. Enable vCenter Settings and configure as needed.

    5. Click OK.

  2. Configure the automation stitch trigger:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the stitch name (auto_webhook).

    3. Click Add Trigger.

    4. Click Create and select Incoming Webhook.

    5. Enter a name (auto_webhook).

    6. Click OK to close the Incoming Webhook URL prompt.

    7. Select the trigger in the list and click Apply.

  3. Configure the automation stitch action:

    1. Click Add Action.

    2. Click Create and select VMware NSX Security Tag.

    3. Enter the following:

      Name

      auto_webhook_quarantine-nsx

      Specify NSX server(s)

      Enable and select the SDN connector

      Security tag

      Select an existing tag, or create a new one

    4. Click OK.

    5. Select the action in the list and click Apply.

  4. Click OK.

  5. In NSX-T, create a cURL request to trigger the automation stitch on the FortiProxy:

    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000000",
      "version":"v6.4.0",
      "build":1608
    }

    The automation stitch is triggered and the configured tag is added to the NSX-T VM.

    On the FortiProxy, the Security Fabric > Automation page shows the last trigger time.

To configure an automation stitch to assign a security tag to NSX-T VMs in the CLI:
  1. Configure the NSX SDN connector:
    config system sdn-connector
        edit "nsx_t25"
            set type nsx
            set server "172.18.64.205"
            set username "admin"
            set password xxxxxxxxxxxx
            set vcenter-server "172.18.64.201"
            set vcenter-username "administrator@vsphere.local"
            set vcenter-password xxxxxxxxxxxx
        next
    end
  2. Configure the automation stitch:
    config system automation-trigger
        edit "auto_webhook"
            set trigger-type event-based
            set event-type incoming-webhook
        next
    end
    config system automation-action
        edit "auto_webhook_quarantine-nsx"
            set action-type quarantine-nsx
            set security-tag "automation_tag"
            set sdn-connector "nsx_t25"
        next
    end
    config system automation-stitch
        edit "auto_webhook"
            set trigger "auto_webhook"
            config actions
                edit 1
                    set action "auto_webhook_quarantine-nsx"
                    set required enable
                next
            end
        next
    end
  3. In NSX-T, create a cURL request to trigger the automation stitch on the FortiProxy:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000000",
      "version":"v6.4.0",
      "build":1608
    }
To verify the automation stitch is triggered and the action is executed:
# diagnose test application autod 2

csf: enabled root:yes
version:1586883541 sync time:Tue Apr 14 11:04:05 2022

total stitches activated: 1

stitch: auto_webhook
        destinations: all
        trigger: auto_webhook
                type:incoming webhook

                field ids:
                        (id:15)service=auto_webhook

        local hit: 2 relayed to: 0 relayed from: 0
        actions:
                auto_webhook_quarantine-nsx type:quarantine-nsx interval:0
                        delay:0 required:yes
                        security tag:automation_tag
                        sdn connector:
        nsx_t25;