Creating VMware NSX-T connector
With FortiManager, you can create a fabric connector for VMware NSX-T. You can create multiple VMware NSX-T connectors per ADOM.
Requirements:
- FortiManager with ADOM version 6.2 or later.
The method described in this topic for creating fabric connectors requires ADOM version 6.2 or later.
- FortiGate is managed by FortiManager.
To enable read-write JSON API access:
- Go to System Settings > Administrators.
- Double-click the admin account to open it for editing.
- Beside JSON API Access, select Read-Write, and click OK.
To create a fabric connector for VMware NSX-T:
- Go to Fabric View > Fabric Connectors.
- Click Create New. The Create New Fabric Connector wizard is displayed.
- Under Endpoint/Identity, select VMware NSX-T. The VMware NSX-T screen is displayed.
- Configure the following options, and then click OK:
  - Name: Type a name for the fabric connector object.
  - Status: Toggle On to enable the fabric connector object. Toggle OFF to disable the fabric connector object.
  - NSX-T Manager Configuration
    - Server: Type the IP address of the NSX-T server.
    - User Name: Type the user name for the NSX-T server.
    - Password: Type the password for the NSX-T server.
  - FortiManager Configurations
    - IP Address: Type the IP address for FortiManager.
    - User Name: Type the user name for FortiManager.
    - Password: Type the password for FortiManager.
A fabric connector for VMware NSX-T is created, and a connection to VMware NSX-T manager is established.
- Edit the connector to set Status to On.
FortiManager retrieves the groups from VMware NSX-T and stores them as dynamic firewall objects.
To download the FortiGate VM deployment image:
- Download the preconfigured deployment image for FortiGate VM for VMware NSX-T from the Fortinet Support Site (https://support.fortinet.com):
fortigate-vm64-nsxt.ovf
- Place the deployment image on a server that VMware NSX-T and FortiManager can access.
- Note the URL for the deployment image. You will need to add the URL to FortiManager.
To register a service from FortiManager to VMware NSX-T:
- Ensure that you know the URL for the location of the preconfigured deployment image for FortiGate VM and VMware NSX-T.
- On the Fabric View pane, edit the connector for VMware NSX-T, and click Add Service.
- In the Service Name box, type a name for the service.
- In the Integration box, select East-West or North-South to specify the direction of network traffic.
- In the Image Location box, type the URL for the location of the preconfigured deployment file for FortiGate VM.
- Click OK.
The service is added and registered with the VMware NSX-T manager.
To deploy a FortiGate VM from VMware NSX-T and enable central management:
- Go to VMware NSX-T manager, and deploy the FortiGate VM.
The deployment file is configured to automatically enable central management.
- When prompted by the deployment of FortiGate VM, enter the IP address of the FortiManager used for central management.
The FortiGate is displayed in FortiManager on the Device Manager pane as an unauthorized device.
- On FortiManager, go to Device Manager and authorize the FortiGate.
To add the service chain and configure a VMware NSX-T service with liveness detection:
- Go to Policy & Objects > Object Configurations > Fabric Connectors > Endpoint/Identity and select the added NSX-T service.
- Right-click on the selected service and click Configure. The Configure Devices of NSX-T Service dialog appears.
- Select the FortiGate device listed in the table and click Add. The Add Service Chain dialog appears.
- Toggle the Enable Liveness Detection setting to ON. It is set to ON by default.
- Select the appropriate options for the Service Profile and Service Chain fields as required from the drop-down lists.
- Click OK.
To complete the fabric connector setup:
- In the policy package in which you will be creating the new policy, create an IPv4 virtual wire pair policy and include the firewall address objects for VMware NSX-T. See IP policies.
- Install the policy package to FortiGate.
See Install a policy package.
FortiGate communicates with NSX-T via FortiManager to dynamically populate the firewall address objects with IP addresses.