7.0.0

Registering the service insertion definition to NSX-T

FortiManager supports VMware NSX-T connectors. After configuration is complete, FortiManager can retrieve groups from VMware NSX-T manager and store them as dynamic firewall address objects, and a FortiGate that is deployed by the registered VMware NSX-T service can connect to FortiManager to receive dynamic objects for VMware NSX-T.

Following is an overview of the steps required to set up a VMware NSX-T connector:

  1. Enabling read-write JSON API access
  2. Creating a fabric connector for VMware NSX-T
  3. Configuring the NSX-T Manager
  4. Registering the service insertion definition to NSX-T
Enabling read-write JSON API access

A VMware NSX-T connector requires read-write access to the FortiManager JSON API.

The JSON API registers a service with VMware NSX-T manager and retrieves object updates from VMware NSX-T manager.

To enable read-write JSON API access:
  1. On FortiManager, go to System Settings > Admin > Administrators.
  2. Select your Administrator account, and click Edit.
  3. From the JSON API Access dropdown, select Read-Write, and click OK.
    The FortiManager will log you out to activate the settings.
Creating a fabric connector for VMware NSX-T

In FortiManager, create a fabric connector for VMware NSX-T.

To configure an NSX-T connector on FortiManager:
  1. Log into FortiManager.
  2. Go to Policy & Objects > Objects Configuration > Fabric Connectors > Endpoint/Identity.
  3. Click Create New > NSX-T Connector.

  4. Configure the parameters for the new NSX-T connector, and click OK.

    For example:
    1. Name: NSXT-Manager.
    2. Status: ON.
    3. NSX-T Manager Configurations:
      1. Server: NSX-T server.
      2. User Name: NSX-T user name.
      3. Password: NSX-T password.
    4. FortiManager Configurations:
      1. IP Address: FortiManager IP or FQDN.
      2. User Name: Your FortiManager administrator user name.
        Note

        The user name under FortiManager configurations can be any other FortiManager local user with JSON API access set to read-write. NSX-T Manager uses this user to make the API calls to FortiManager that dynamically update the VM group objects.

      3. Password: Your administrator password.
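The JSON API access requirement above, and the Note on the connector user, both hinge on one setting being correct on the FortiManager side. The following is an added check (not Fortinet's code, and not part of this page): it uses the FortiManager JSON-RPC API to read the connector user's admin record and fails closed unless its JSON API access is read-write. It assumes the endpoint `https://<fmg>/jsonrpc`, login via `exec` on `/sys/login/user`, and that the GUI's "JSON API Access" setting is exposed as the CLI attribute `rpc-permit` under `/cli/global/system/admin/user/<name>`; confirm those names against the API reference for your release.

```python
import json
import sys
import urllib.request

def login_request(user: str, passwd: str) -> dict:
    """JSON-RPC body that opens a FortiManager session (assumed URL)."""
    return {"id": 1, "method": "exec",
            "params": [{"url": "/sys/login/user",
                        "data": {"user": user, "passwd": passwd}}]}

def admin_get_request(session: str, admin: str) -> dict:
    """JSON-RPC body that reads one local admin's CLI attributes."""
    return {"id": 2, "method": "get", "session": session,
            "params": [{"url": f"/cli/global/system/admin/user/{admin}"}]}

def rpc_permit_ok(response: dict) -> bool:
    """True only when the admin record reports rpc-permit == read-write.
    Any error status, missing record or other value returns False, so a
    mis-provisioned connector user is reported rather than silently passed."""
    results = response.get("result") or [{}]
    result = results[0]
    if result.get("status", {}).get("code", -1) != 0:
        return False
    permit = result.get("data", {}).get("rpc-permit")  # assumed attribute name
    if isinstance(permit, list):      # some releases wrap enum values in a list
        permit = permit[0] if permit else None
    return permit == "read-write"

def post(host: str, body: dict) -> dict:
    """Send one JSON-RPC call over HTTPS with normal certificate validation."""
    req = urllib.request.Request(
        f"https://{host}/jsonrpc", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # usage: script.py <fmg-host> <login-user> <login-password> <connector-admin>
    host, user, passwd, admin = sys.argv[1:5]
    session = post(host, login_request(user, passwd))["session"]
    ok = rpc_permit_ok(post(host, admin_get_request(session, admin)))
    print(f"{admin}: JSON API access {'is' if ok else 'is NOT'} read-write")
```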
To configure a registered service:
  1. On FortiManager, edit the configured NSX-T connector, and click Add Service under Registered Services.
  2. Configure the service details:
    1. Integration: Select the integration type, for example East-West.
    2. FortiGate Password: Your FortiGate admin password.
    3. License URL Prefix: Enter the license URL prefix, for example: http://x.x.x.x/lics/.
  3. Click the plus icon to add a new image location, and click OK.
    1. Type: Select the VM type, for example VM01.
    2. Location: Enter the image location, for example: http://x.x.x.x/FortiGate-VM64xCPU.nsxt.ovf.
  4. Click OK, and save the NSX-T connector.
  5. In the NSX-T Manager, go to System > Service Deployment > CATALOG to confirm that the FortiGate-VM service was properly registered on NSX-T Manager.
Configuring the NSX-T Manager
To configure NSX-T Manager:
  1. In the NSX-T Manager, go to Inventory > Groups, and click ADD GROUP.
  2. Enter a name, and click Set Members.
  3. Select the IP Addresses tab, and add the IP addresses that are to be members of this group.

  4. Save your changes, and repeat these steps until you have created all of the groups that you require.
    Note

    Group membership determines the dynamic NSX-T addresses in FortiOS. Multiple criteria can be defined on the NSX-T Manager to make a virtual machine a member of a group.

  5. Go to Settings > Network Introspection Settings > Service Profiles.
  6. Select the Registered Service from the Partner Service dropdown list, and click ADD SERVICE PROFILE.

  7. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Vendor Template: Select the template listed in the dropdown.
  8. Go to the Service Chains tab and click ADD CHAIN.
  9. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Service Segment: Service-Segment.
  10. Click Set Forward Path, and then click ADD PROFILE IN SEQUENCE.

  11. Select the profile you just created, and click ADD.
  12. Save your changes.
  13. Go to East West Security > Network Introspection (E-W), and click on Add Policy.
  14. Click on the policy name and you can change it if required.
To create the redirection rule in NSX-T:
  1. Select the policy you created in the previous step, and click ADD RULE.
  2. Configure the parameters as follows:
    1. Name: Redir-Rule.
    2. Source: Any (Groups must be selected).
    3. Destination: Any (Groups must be selected).
    4. Services: Any.
    5. Applied To: DFW.
    6. Action: Redirect.

    This rule redirects all traffic to the FGT-EW-VM instance. You can be more granular by selecting any combination of Sources, Destinations, Services, or Applied To for specific groups. If specific groups are selected, only those groups are associated with the Service Manager and appear in FortiManager.

  3. Click PUBLISH to apply the changes.
