The policies for the FortiGate-VMX Security Node are set up on the FortiGate-VMX Service Manager.
Go to Virtual Domains > nsx > Policy & Objects > IPv4 Virtual Wire Pair Policy.
FortiGate-VMX supports a limited number of VDOMs. Each VDOM will have a virtual internal and external port. These interfaces are the two ends of a port pairing. Traffic is intercepted between the given vNIC of a VM and its port on the dvSwitch. In effect, the internal port can be considered the VM itself and the external port as everything else. Policies using NSX Security Groups as based on source and destination.
The default VDOM is “nsx” and its two virtual interfaces are “internal” and “external”. For all other VDOMs, the port pairs are named as follows:
- <VDOM name>-int: the VM itself
- <VDOM name>-ext: everything else
When setting up a new policy, determine whether the traffic is inbound to the VM or outbound to everything else. All other parameters involved in a policy such as Service, Action, Schedule, Security profiles etc are just like a regular FortiGate. For instructions on the detailed operation and administration of a FortiGate firewall see the FortiOS manuals at https://docs.fortinet.com/product/fortigate
An example of synchronized NSX Security Group objects and FortiGate-VMX Security Policy are seen below.
The NSX Security Groups are synchronized with the FortiGate-VMX Service Manager, creating dynamic objects in the FortiGate-VMX Service Manager to allow advanced granular security policy. Any change to the NSX Security Group will alter the dynamic objects in the FortiGate-VMX Service Manager to reflect that change immediately.
This is an example of a FortiGate-VMX Security Policy that utilizes the NSX Security Groups to secure a multi-tier application while doing Anti-Virus scanning on incoming connections to the front-end web servers.
Creating and navigating Virtual Domains (VDOMs)
Virtual Domain creation is recommended prior to registering the FortiGate-VMX security service with the NSX Manager (complementary NSX Service Profiles will also be created during the registration process). This section shows the basic steps to create a Virtual Domain (VDOM) in the FortiGate-VMX Service Manager.
- Log in to FortiGate-VMX Service Manager.
- Navigate to Global -> System -> VDOM.
- Click on + Create New.
- Enter values in the Virtual Domain, Inspection Mode and optionally, Comments fields.
To navigate between Global and various VDOMs, use the pull down arrow in the upper left to show all available VDOMs.