NSX Quarantine action
If an endpoint instance in a VMware NSX environment is compromised, this action will assign the configured security tag is to the compromised endpoint.
This action is only available when the automation trigger is set to compromised host.
To set up the NSX quarantine action, you need to:
- Configure a VMware NSX SDN connector
- Configure an NSX security tag automation stitch
- Configure FortiAnalyzer logging on the FortiGate
Configure a VMware NSX SDN connector
The FortiGate retrieves security tags from the VMware NSX server through the connector.
To configure a VMware NSX SDN connector in the GUI:
- Go to Security Fabric > Fabric Connectors
- Click Create New.
- Select VMware NSX
- Configure the settings.
- Click OK.
To configure a VMware NSX SDN connector in the CLI:
config system sdn-connector edit "nsx" set type nsx set server "172.18.64.32" set username "admin" set password xxxxxx next end
Configure an NSX security tag automation stitch
Security tags are retrieved from the VMware NSX server through the NSX SDN connector.
To configure an NSX security tag automation stitch in the GUI:
- Go to Security Fabric > Automation.
- Click Create New.
- In the Trigger section, select Compromised Host.
- In the Action section, select Assign VMware NSX Security Tag.
- Configure the settings.
- Click OK.
To configure an NSX security tag automation stitch in the CLI:
- Create an automation action:
config system automation-action edit "pcui-test_quarantine-nsx" set action-type quarantine-nsx set security-tag "pcui-tag2" set sdn-connector "nsx" next end
- Create an automation trigger:
config system automation-trigger edit "pcui-test" set ioc-level high next end
- Create the automation stitch:
config system automation-stitch edit "pcui-test" set trigger "pcui-test" set action "pcui-test_quarantine-nsx" next end
Configure FortiAnalyzer logging on the FortiGate
The FortiAnalyzer is used to send endpoint compromise notification to the FortiGate.
See FortiAnalyzer for more information.
To configure FortiAnalyzer logging in the GUI:
- Go to Security Fabric > Settings.
- Enable and configure FortiAnalyzer Logging.
- Click Apply.
To configure FortiAnalyzer logging in the CLI:
config log fortianalyzer setting set status enable set server "172.18.64.234" set serial "FL-8HFT718900132" set upload-option realtime set reliable enable end
When an endpoint instance is compromised
When an endpoint instance, such as pcui-ubuntu2, in the VMware NSX environment is compromised, the automation stitch is triggered. The FortiGate then assigns the configured security tag, pcui-tag2 in this example, to the compromised NSX endpoint instance.