
Administration Guide

Assign VMware NSX-T security tag action

A VMware NSX SDN connector can be configured with the vCenter server and its credentials so that the FortiGate can resolve NSX-T VMs, for example from the IP address reported in an event.

The FortiGate learns of a compromised host on the NSX-T network through an incoming webhook or another trigger, such as a FortiGuard IOC. An automation stitch can process that trigger and respond by assigning a VMware NSX security tag to the affected VM instance; NSX-T can then act on the tag, for example through a security group whose membership criteria match it.

To configure an automation stitch to assign a security tag to NSX-T VMs in the GUI:
  1. Configure the NSX SDN connector:
    config system sdn-connector
        edit "nsx_t25"
            set type nsx
            set server "172.18.64.205"
            set username "admin"
            set password xxxxxx
            set vcenter-server "172.18.64.201"
            set vcenter-username "administrator@vsphere.local"
            set vcenter-password xxxxxx
        next
    end
  2. Configure the automation stitch:
    1. Go to Security Fabric > Automation and click Create New.
    2. In the Trigger section, select Incoming Webhook.
    3. In the Action section, select Assign VMware NSX Security Tag.
    4. Enable Specify NSX server(s) and enter a server.
    5. Enter a Security tag.
    6. Click OK.

  3. From a host on the NSX-T network that can reach the FortiGate (pc56 in this example), send a cURL request to trigger the automation stitch on the FortiGate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000220",
      "version":"v6.4.0",
      "build":1608
    }

    The automation stitch is triggered and the configured tag is added to the NSX-T VM that owns the srcip address in the request body.

    Note that -k disables TLS certificate verification, and the bearer token is a REST API administrator token for the FortiGate: use -k only in a lab, and protect the token like an administrator password.

    In FortiOS, the Security Fabric > Automation page shows the last trigger time.

To configure an automation stitch to assign a security tag to NSX-T VMs in the CLI:
  1. Configure the NSX SDN connector:
    config system sdn-connector
        edit "nsx_t25"
            set type nsx
            set server "172.18.64.205"
            set username "admin"
            set password xxxxxx
            set vcenter-server "172.18.64.201"
            set vcenter-username "administrator@vsphere.local"
            set vcenter-password xxxxxx
        next
    end
  2. Configure the automation stitch:
    config system automation-action
        edit "auto_webhook_quarantine-nsx"
            set action-type quarantine-nsx
            set security-tag "automation_tag"
            set sdn-connector "nsx_t25"
        next
    end
    config system automation-trigger
        edit "auto_webhook"
            set trigger-type event-based
            set event-type incoming-webhook
        next
    end
    config system automation-stitch
        edit "auto_webhook"
            set status enable
            set trigger "auto_webhook"
            set action "auto_webhook_quarantine-nsx"
        next
    end
  3. From a host on the NSX-T network that can reach the FortiGate (pc56 in this example), send a cURL request to trigger the automation stitch on the FortiGate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000220",
      "version":"v6.4.0",
      "build":1608
    }
To verify that the automation stitch was triggered and the action executed:
    # diagnose test application autod 2

    csf: enabled root:yes
    version:1586883541 sync time:Tue Apr 14 11:04:05 2020

    total stitches activated: 1

    stitch: auto_webhook
    destinations: all
    trigger: auto_webhook

    (id:15)service=auto_webhook

    local hit: 1 relayed to: 0 relayed from: 0
    actions:
    auto_webhook_quarantine-nsx type:quarantine-nsx interval:0
    security tag:automation_tag
    sdn connector:
    nsx_t25;
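The cURL call in the GUI and CLI procedures above, written as a small Python client. This is an added example, not Fortinet code or part of the original page: it keeps the FortiGate address, stitch name, webhook path and sample response from the page, but the FORTIGATE_TOKEN environment variable, the ca_bundle argument and the function names are assumptions of the example. Unlike `curl -k`, it verifies the FortiGate certificate against a CA bundle, and it validates the srcip value before sending, because the stitch resolves the VM to tag from that field.

```python
"""Trigger a FortiGate automation stitch over its incoming-webhook API.

Added example (not Fortinet's code). Assumed: FORTIGATE_TOKEN holds a REST
API administrator token, and ca_bundle points at a PEM file that signs the
FortiGate's HTTPS certificate.
"""
import ipaddress
import json
import os
import ssl
import sys
import urllib.request

# Webhook endpoint from the page; the stitch name is appended.
WEBHOOK_PATH = "/api/v2/monitor/system/automation-stitch/webhook/"

# Reply the FortiGate returned in the page's cURL example (copied, not live).
SAMPLE_RESPONSE = (
    '{"http_method":"POST","status":"success","http_status":200,'
    '"serial":"FGVM08TM20000220","version":"v6.4.0","build":1608}'
)


def valid_srcip(value: str) -> bool:
    """True if value is an IPv4/IPv6 address; the stitch resolves the VM from it."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_webhook_request(fortigate: str, stitch: str, srcip: str,
                          token: str) -> urllib.request.Request:
    """Build the same POST the page sends with cURL, with srcip checked first."""
    if not valid_srcip(srcip):
        raise ValueError(f"srcip is not an IP address: {srcip!r}")
    body = json.dumps({"srcip": srcip}).encode()
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    url = f"https://{fortigate}{WEBHOOK_PATH}{stitch}"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def check_response(payload: str) -> dict:
    """Parse the FortiOS JSON reply and confirm the webhook was accepted."""
    resp = json.loads(payload)
    if resp.get("status") != "success" or resp.get("http_status") != 200:
        raise RuntimeError(f"webhook rejected by FortiGate: {resp}")
    return resp


def trigger(fortigate: str, stitch: str, srcip: str, token: str,
            ca_bundle: str) -> dict:
    """Send the webhook with certificate verification (no curl -k equivalent)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = build_webhook_request(fortigate, stitch, srcip, token)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as r:
        return check_response(r.read().decode())


if __name__ == "__main__":
    # Usage: python trigger_stitch.py <compromised-host-ip> <ca-bundle.pem>
    token = os.environ.get("FORTIGATE_TOKEN")
    if not token or len(sys.argv) != 3:
        sys.exit("set FORTIGATE_TOKEN and pass <srcip> <ca_bundle>")
    result = trigger("172.16.116.230", "auto_webhook", sys.argv[1], token, sys.argv[2])
    print(f"stitch accepted on {result['serial']} ({result['version']})")
```

The token is read from the environment rather than passed on the command line, so it does not end up in shell history or process listings on the host that sends the webhook.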
