Assign VMware NSX-T security tag action
The vCenter server and credentials of a VMware NSX SDN connector can be configured so that the FortiGate resolves NSX-T VMs.
The FortiGate is notified of a compromised host on the NSX-T network by an incoming webhook or by other means, such as a FortiGuard IOC. An automation stitch can be configured to process this trigger and respond by assigning a VMware NSX security tag to the VM instance.
To configure an automation stitch to assign a security tag to NSX-T VMs in the GUI:
- Configure the NSX SDN connector:
    config system sdn-connector
        edit "nsx_t25"
            set type nsx
            set server "172.18.64.205"
            set username "admin"
            set password xxxxxx
            set vcenter-server "172.18.64.201"
            set vcenter-username "administrator@vsphere.local"
            set vcenter-password xxxxxx
        next
    end
- Configure the automation stitch:
- Go to Security Fabric > Automation and click Create New.
- In the Trigger section, select Incoming Webhook.
- In the Action section, select Assign VMware NSX Security Tag.
- Enable Specify NSX server(s) and enter a server.
- Enter a Security tag.
- Click OK.
- In NSX-T, send a cURL request to trigger the automation stitch on the FortiGate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000220",
      "version":"v6.4.0",
      "build":1608
    }
The automation stitch is triggered and the configured tag is added to the NSX-T VM.
In FortiOS, the Security Fabric > Automation page shows the last trigger time.
To configure an automation stitch to assign a security tag to NSX-T VMs in the CLI:
- Configure the NSX SDN connector:
    config system sdn-connector
        edit "nsx_t25"
            set type nsx
            set server "172.18.64.205"
            set username "admin"
            set password xxxxxx
            set vcenter-server "172.18.64.201"
            set vcenter-username "administrator@vsphere.local"
            set vcenter-password xxxxxx
        next
    end
- Configure the automation stitch:
    config system automation-action
        edit "auto_webhook_quarantine-nsx"
            set action-type quarantine-nsx
            set security-tag "automation_tag"
            set sdn-connector "nsx_t25"
        next
    end
    config system automation-trigger
        edit "auto_webhook"
            set trigger-type event-based
            set event-type incoming-webhook
        next
    end
    config system automation-stitch
        edit "auto_webhook"
            set status enable
            set trigger "auto_webhook"
            set action "auto_webhook_quarantine-nsx"
        next
    end
- In NSX-T, send a cURL request to trigger the automation stitch on the FortiGate:
    root@pc56:/home# curl -k -X POST -H 'Authorization: Bearer 3fdxNG08mgNg0fh4NQ51g1NQ1QHcxx' --data '{ "srcip": "10.1.30.242"}' https://172.16.116.230/api/v2/monitor/system/automation-stitch/webhook/auto_webhook
    {
      "http_method":"POST",
      "status":"success",
      "http_status":200,
      "serial":"FGVM08TM20000220",
      "version":"v6.4.0",
      "build":1608
    }
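The cURL request above is what a SIEM or SOAR integration would send when it decides a VM is compromised. The following is an added example, not part of the FortiOS documentation: it builds the same webhook call for the auto_webhook stitch, refuses source addresses that are not inside an NSX-T VM segment (so a mistyped or external address cannot tag an unrelated VM), and checks the FortiGate's JSON reply. The FortiGate address is the one used on this page; the NSX-T segment range and the API token placeholder are assumptions.

```python
import ipaddress
import json
import urllib.request

FORTIGATE = "172.16.116.230"          # FortiGate address used in the cURL example above
STITCH = "auto_webhook"               # automation trigger/stitch name configured above
TOKEN = "REPLACE_WITH_API_TOKEN"      # placeholder for the REST API administrator token
# Assumed NSX-T VM address range (constructed for this example)
NSX_SEGMENTS = [ipaddress.ip_network("10.1.30.0/24")]


def build_webhook_request(srcip: str, stitch: str = STITCH,
                          fortigate: str = FORTIGATE, token: str = TOKEN):
    """Validate the source IP and return (url, headers, body) for the stitch webhook."""
    addr = ipaddress.ip_address(srcip)          # raises ValueError on malformed input
    if not any(addr in net for net in NSX_SEGMENTS):
        raise ValueError(f"{srcip} is not inside an NSX-T VM segment")
    url = f"https://{fortigate}/api/v2/monitor/system/automation-stitch/webhook/{stitch}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    # Same payload shape as the page's cURL example: {"srcip": "<address>"}
    body = json.dumps({"srcip": str(addr)}).encode()
    return url, headers, body


def stitch_accepted(response_text: str) -> bool:
    """Return True only if the FortiGate reports the webhook was processed."""
    try:
        resp = json.loads(response_text)
    except json.JSONDecodeError:
        return False
    return resp.get("status") == "success" and resp.get("http_status") == 200


def fire_webhook(srcip: str) -> bool:
    """POST the webhook. TLS is verified against the system CA store here,
    unlike the page's curl -k; install the FortiGate's CA or pin its certificate."""
    url, headers, body = build_webhook_request(srcip)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as r:
        return stitch_accepted(r.read().decode())


if __name__ == "__main__":
    print(fire_webhook("10.1.30.242"))
```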
To verify the automation stitch is triggered and the action is executed:
    # diagnose test application autod 2
    csf: enabled root:yes version:1586883541
    sync time:Tue Apr 14 11:04:05 2020
    total stitches activated: 1
        stitch: auto_webhook
            destinations: all
            trigger: auto_webhook (id:15)service=auto_webhook
                local hit: 1 relayed to: 0 relayed from: 0
            actions:
                auto_webhook_quarantine-nsx type:quarantine-nsx interval:0
                security tag:automation_tag sdn connector: nsx_t25;