Administration Guide

Creating VMware NSX-T connector example

FortiManager supports VMware NSX-T connectors.

After configuration is complete, FortiManager can retrieve groups from VMware NSX-T manager and store them as dynamic firewall address objects. A FortiGate that is deployed by the registered VMware NSX-T service can then connect to FortiManager to receive dynamic objects for VMware NSX-T.

Following is an overview of the steps required to set up a VMware NSX-T connector:

  1. Enabling read-write JSON API access
  2. Creating a fabric connector for VMware NSX-T
  3. Downloading the FortiGate VM deployment image
  4. Registering a service from FortiManager to VMware NSX-T
  5. Deploying a FortiGate VM from VMware NSX-T
  6. Creating and installing policy packages

Enabling read-write JSON API access

A VMware NSX-T connector requires read-write access to the FortiManager JSON API.

The JSON API registers a service with VMware NSX-T manager and retrieves object updates from VMware NSX-T manager.

To enable read-write JSON API access:
  1. On FortiManager, go to System Settings > Administrators.
  2. Double-click an administrator account to open it for editing.
  3. Beside JSON API Access, select Read-Write, and click OK.
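Because the connector depends on an account with Read-Write JSON API access, it is worth reviewing which accounts carry that setting. The following is an added example, not part of the Fortinet guide: it parses a configuration excerpt and lists accounts with read-write access that are not on an expected list. The excerpt uses the CLI form of the setting, `rpc-permit` under `config system admin user`; the excerpt itself and the account names are constructed.

```python
import re

# Constructed excerpt in FortiManager CLI style; account names are made up.
SAMPLE_CONFIG = """\
config system admin user
    edit "admin"
        set profileid "Super_User"
        set rpc-permit read-write
    next
    edit "nsxt-connector"
        set rpc-permit read-write
    next
    edit "auditor"
        set rpc-permit read
    next
    edit "helpdesk"
    next
end
"""

def parse_admins(config_text):
    """Return {account: {setting: value}} from the admin user table."""
    admins, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            # Track nesting so an inner "end" does not close the table early.
            if depth or line == "config system admin user":
                depth += 1
        elif line == "end" and depth:
            depth -= 1
        elif depth == 1 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = admins.setdefault(m.group(1), {})
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None:
            if m := re.fullmatch(r"set (\S+) (.+)", line):
                current[m.group(1)] = m.group(2).strip('"')
    return admins

def json_api_access(config_text):
    """Per-account JSON API access; a missing line is reported as "none" (assumption)."""
    return {name: cfg.get("rpc-permit", "none")
            for name, cfg in parse_admins(config_text).items()}

def unexpected_read_write(config_text, expected):
    """Accounts with read-write access that are not on the expected list."""
    return sorted(n for n, v in json_api_access(config_text).items()
                  if v == "read-write" and n not in expected)
```

Calling `unexpected_read_write(SAMPLE_CONFIG, expected={"nsxt-connector"})` on the constructed excerpt reports the `admin` account.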

Creating a fabric connector for VMware NSX-T

In FortiManager, create a fabric connector for VMware NSX-T. You can configure a fabric connector for East-West or North-South traffic.

To create a fabric connector for VMware NSX-T:
  1. On FortiManager, go to Policy & Objects > Object Configurations > Fabric Connectors > SSO/Identity.
  2. Click Create New and select NSX-T Connector.

  3. Complete the options, and click OK.

    A fabric connector for VMware NSX-T is created and a connection to VMware NSX-T manager is established.

  4. Double-click the VMware NSX-T connector to open it for editing.
  5. Toggle Status to On and click OK.

    FortiManager retrieves the groups from VMware NSX-T manager and stores them as dynamic firewall address objects.

Downloading the FortiGate VM deployment image

You must download a preconfigured deployment image for FortiGate VM and VMware NSX-T from the Fortinet Technical Support site, and then place the image on a server that VMware NSX-T manager can access.

To download the FortiGate VM deployment image:
  1. Go to the Fortinet Support site (https://support.fortinet.com), and download the following preconfigured FortiGate VM image to use for deployment:

    fortigate-vm64-nsxt.ovf

  2. Place the deployment image on a server that VMware NSX-T manager can access.
  3. Identify the URL for the image. You will need to add the URL to FortiManager.
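An OVF descriptor names its disk files by reference, so the image URL determines where those files are fetched from as well. The following is an added example, not part of the Fortinet guide: it resolves the references in a descriptor against the image URL and reports anything to resolve before the URL is added to FortiManager. The descriptor fragment, file names and host names are constructed placeholders.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"  # OVF 1.x envelope namespace

# Constructed descriptor fragment; file names and hosts are placeholders.
SAMPLE_OVF = f"""<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">
  <References>
    <File ovf:href="disk1.vmdk" ovf:id="file1"/>
    <File ovf:href="http://files.example.net/disk2.vmdk" ovf:id="file2"/>
  </References>
</Envelope>"""

def referenced_urls(image_url, ovf_xml):
    """Resolve each File href in the descriptor against the image URL."""
    root = ET.fromstring(ovf_xml)
    hrefs = (f.get(f"{{{OVF_NS}}}href") for f in root.iter(f"{{{OVF_NS}}}File"))
    return [urljoin(image_url, h) for h in hrefs if h]

def review_image_location(image_url, ovf_xml):
    """Return findings to resolve before the URL is used as the image location."""
    base = urlsplit(image_url)
    findings = []
    if base.scheme != "https":
        findings.append(f"image URL uses {base.scheme}, not https")
    if base.username or base.password:
        findings.append("image URL embeds credentials")
    base_dir = posixpath.dirname(base.path).rstrip("/") + "/"
    for url in referenced_urls(image_url, ovf_xml):
        ref = urlsplit(url)
        # A disk served from another origin or directory is not covered by
        # whatever access control protects the .ovf itself.
        if (ref.scheme, ref.netloc) != (base.scheme, base.netloc):
            findings.append(f"{url} is served from a different origin")
        elif not ref.path.startswith(base_dir):
            findings.append(f"{url} is outside the image directory")
    return findings
```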

Registering a service from FortiManager to VMware NSX-T

Before you can deploy a FortiGate VM from VMware NSX-T manager, you must register a service from FortiManager to the VMware NSX-T manager. The service includes the location of the preconfigured deployment image for the FortiGate VM.

The FortiManager JSON API registers the service with VMware NSX-T manager.

To register a service from FortiManager to VMware NSX-T:
  1. Ensure that you know the URL for the location of the preconfigured deployment image for FortiGate VM and VMware NSX-T.
  2. On FortiManager, go to Policy & Objects > Object Configurations > Fabric Connectors > SSO/Identity.
  3. Double-click the VMware NSX-T connector to open it for editing, and click Add Service.

  4. Complete the following options, and click OK:
    • In the Name box, type a name for the service.
    • Beside Integration, select East-West or North-South to identify the flow of traffic.
    • In the Image Location box, type the URL of the location where the preconfigured FortiGate VM deployment image is located.

    The service is added and registered with the VMware NSX-T manager.

    You can add multiple services.

Deploying a FortiGate VM from VMware NSX-T

You must deploy the preconfigured FortiGate VM image from the VMware NSX-T manager, and then authorize FortiManager to centrally manage the FortiGate VM.

To deploy a FortiGate VM from VMware NSX-T:
  1. On VMware NSX-T, ensure that the service is registered, and the Deploy option is available for FortiGate VMs via the image link.

  2. On VMware NSX-T, deploy a FortiGate VM.

    The FortiGate VM image is preconfigured to automatically enable central management by FortiManager.

  3. When prompted during deployment of the FortiGate VM, enter the IP address of the FortiManager used for central management.

    The FortiGate VM is deployed and displays in FortiManager on the Device Manager pane as an unauthorized device.

  4. On FortiManager, go to Device Manager, and authorize the FortiGate VM for management by FortiManager.

    FortiManager can now manage FortiGate.

Creating and installing policy packages

You must create an IPv4 virtual wire pair policy that contains the dynamic firewall address objects, and install the policy to FortiGate. Then FortiGate can use the dynamic address objects.

To create and install policy packages:
  1. In FortiManager, go to Policy & Objects > Object Configurations > Firewall Objects > Addresses, and double-click an address to view the dynamic firewall address objects in the FSSO Group.

  2. In the policy package in which you will be creating the new policy, create an IPv4 virtual wire pair policy and include the firewall address objects for VMware NSX-T.

  3. Install the policy package to FortiGate.

    FortiGate uses this information, together with FortiManager, to communicate with VMware NSX-T and dynamically populate the firewall address objects with IP addresses.
