Deploying FortiGate-VMX

Preparing for deployment

The deployment of FortiGate-VMX requires a properly licensed VMware vSphere of a supported version, as well as knowledge of how to configure and maintain the environment. Other VMware platforms such as Workstation, Fusion, Player or Server are not supported.

VM requirements

You can manually alter the specs before deployment.

  • FortiGate-VMX SVM requires 1 GB of RAM by default, preconfigured in OVF.
  • FortiGate-VMX security nodes require 2 GB of RAM by default, preconfigured in OVF.

VMware components

  • vCenter Server Standard
  • vSphere Enterprise Plus license level
  • NSX Manager

Verify that you are using supported versions of VMware products. To determine which VMware releases are supported, go to: https://www.vmware.com/resources/compatibility/search.php

Use the following search parameters:

Search option              | Value
What are you looking for   | Networking and Security Services for NSX-V
Partner Name               | Fortinet, Inc.
Solution Category          | Firewall (Host/Network)
Keyword                    | 6.0.1

Click the Update and View Results button, then click the FortiGate VMX link under Product Name next to the appropriate version number. The resulting page lists the supported platforms and releases.

Note: FortiGate-VMX v6.0.1 is supported in vSphere v5.5 & v6.5 and NSX 6.3 environments.

Web server

The web server hosts the deployment file used to install the VMX security nodes. No particular type or version of web server is required: it can be IIS, Apache, Nginx, etc., and it can be hardware-based or VM-based.

The web server must be:

  • able to serve up files designated by a URL
  • accessible by the NSX Manager
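
One way to confirm both requirements before starting the service deployment, as an added example that is not Fortinet's tooling: run from a host on the same network as the NSX Manager, it fetches the deployment file and every file that descriptor references, and records a SHA-256 digest for each. It assumes the deployment file is an OVF descriptor with its referenced disk files served beside it; the function names are illustrative.

```python
import hashlib
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"  # DMTF OVF 1.x envelope namespace
# Ignore proxy environment variables so the result reflects direct reachability.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url, timeout, keep_body=False):
    """Return (status, sha256 hex or None, body); status 0 means no HTTP answer."""
    if urlparse(url).scheme not in ("http", "https"):
        return 0, None, b""  # refuse file:// and other non-web schemes
    digest, body = hashlib.sha256(), b""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            for chunk in iter(lambda: resp.read(1 << 20), b""):  # stream large disks
                digest.update(chunk)
                if keep_body:
                    body += chunk
            return resp.status, digest.hexdigest(), body
    except urllib.error.HTTPError as exc:
        return exc.code, None, b""
    except OSError:  # URLError, refused connection, timeout
        return 0, None, b""


def check_ovf_hosting(ovf_url, timeout=10):
    """Fetch the OVF descriptor, then every file its References section names."""
    status, sha, body = fetch(ovf_url, timeout, keep_body=True)
    files = {ovf_url: {"status": status, "sha256": sha}}
    if status == 200:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return {"ok": False, "files": files}  # served, but not a valid descriptor
        for ref in root.iter(f"{{{OVF_NS}}}File"):
            href = ref.get(f"{{{OVF_NS}}}href")
            if href:
                url = urljoin(ovf_url, href)  # hrefs resolve relative to the OVF
                status, sha, _ = fetch(url, timeout)
                files[url] = {"status": status, "sha256": sha}
    ok = all(entry["status"] == 200 for entry in files.values())
    return {"ok": ok, "files": files}
```

Call `check_ovf_hosting()` with the same URL that will be given to the NSX Manager, and compare the reported digests with those of the files as originally downloaded, so that a truncated or altered copy on the web server is caught before any security node is installed from it.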

VMware technologies

  • ESXi host cluster enabled with DRS
  • DRS Cluster(s) - These clusters will contain the hosts. The clusters containing the hosts must be DRS enabled for the solution to work.
  • Distributed Switch (management traffic can traverse legacy vSwitch)
  • vSphere Web Client required for NSX Manager add-on
  • vDistributed switches (standard vSwitches aren't supported – this is a VMware requirement). Only traffic going through the vDistributed switches can be secured by the FortiGate-VMX security solution.

VMware configurations

Agent VM settings must be set on each ESXi host in the cluster. For larger environments, they can also be set during service deployment.

Certain ports are required for communication between the FortiGate-VMX SVM and FortiGate-VMX security nodes through the sync interface: 700, 703, and 720. These are for the cluster protocol, configuration synchronization, and traffic, such as license registration and log traffic.

Note: The SVM must be connected to the Internet for license validation with FortiGuard.

Configured networks

mgmt: management network for communication between the FortiGate-VMX Service Manager and VMware components as well as the FortiGuard Distribution Network (FDN).

sync: sync network for communication between the FortiGate-VMX Service Manager and all deployed FortiGate-VMX Security Nodes.
