Administration Guide

Creating VMware NSX-T connector

FortiManager supports VMware NSX-T connectors. After configuration is complete, FortiManager can retrieve groups from VMware NSX-T manager and store them as dynamic firewall address objects, and a FortiGate that is deployed by the registered VMware NSX-T service can connect to FortiManager to receive dynamic objects for VMware NSX-T.

Following is an overview of the steps required to set up a VMware NSX-T connector:

  1. Enabling read-write JSON API access
  2. Creating a fabric connector for VMware NSX-T
  3. Configure the NSX-T Manager
  4. Use the groups in a FortiManager policy

Enabling read-write JSON API access

A VMware NSX-T connector requires read-write access to the FortiManager JSON API.

The JSON API registers a service with VMware NSX-T manager and retrieves object updates from VMware NSX-T manager.

To enable read-write JSON API access:
  1. On FortiManager, go to System Settings > Admin > Administrators.
  2. Select your Administrator account, and click Edit.
  3. From the JSON API Access dropdown, select Read-Write, and click OK.
    The FortiManager will log you out to activate the settings.
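The connector, and later NSX-T Manager itself, talk to FortiManager over the JSON-RPC API that this setting unlocks. The following is an added example (not Fortinet's code) showing the shape of that exchange and how to confirm, from a script rather than the GUI, that the account you intend to give NSX-T Manager really has Read-Write JSON API access: log in, read the admin user's own record, check it, log out. The HTTP transport is passed in as a callable so the logic runs offline against the constructed FakeFortiManager at the bottom; in production the callable would POST each envelope to https://<fortimanager>/jsonrpc. Two things are assumptions not stated on the page: that the admin record is readable at /cli/global/system/admin/user/<name>, and that it carries the JSON API setting in an "rpc-permit" field with the values none, read and read-write.

```python
"""Confirm a FortiManager admin account has read-write JSON API access (added example)."""
from typing import Callable, Optional

# Assumed URL of the admin-user record (mirrors the CLI path); not from the page.
ADMIN_USER_URL = "/cli/global/system/admin/user/{name}"


def build_request(method: str, url: str, session: Optional[str] = None,
                  data: Optional[dict] = None, req_id: int = 1) -> dict:
    """Build one JSON-RPC envelope: method, params[0].url, optional data and session."""
    param = {"url": url}
    if data is not None:
        param["data"] = data
    req = {"id": req_id, "method": method, "params": [param]}
    if session is not None:
        req["session"] = session  # every call after login carries the session token
    return req


def result_status(response: dict) -> tuple:
    """Return (code, message) from result[0].status; code 0 means success."""
    status = response["result"][0]["status"]
    return status["code"], status.get("message", "")


def admin_has_rw_json_access(user_record: dict) -> bool:
    """True only when the account's JSON API access is Read-Write (assumed field name)."""
    return user_record.get("rpc-permit") == "read-write"


def verify_json_api_access(transport: Callable[[dict], dict], user: str, password: str) -> bool:
    """Login, fetch the user's own admin record, log out; report whether it is read-write."""
    login = transport(build_request("exec", "/sys/login/user",
                                    data={"user": user, "passwd": password}, req_id=1))
    code, msg = result_status(login)
    if code != 0:
        raise PermissionError(f"login failed: {code} {msg}")
    session = login["session"]
    try:
        resp = transport(build_request("get", ADMIN_USER_URL.format(name=user),
                                       session=session, req_id=2))
        code, _ = result_status(resp)
        if code != 0:
            return False  # a refused read is treated as "not read-write"
        return admin_has_rw_json_access(resp["result"][0]["data"])
    finally:
        transport(build_request("exec", "/sys/logout", session=session, req_id=3))


class FakeFortiManager:
    """Offline stand-in for the /jsonrpc endpoint; records and codes are constructed."""

    def __init__(self, users: dict):
        self.users = users      # name -> {"passwd": ..., "rpc-permit": ...}
        self.sessions = {}      # token -> user
        self.log = []           # every envelope received, for inspection

    def __call__(self, req: dict) -> dict:
        self.log.append(req)
        url = req["params"][0]["url"]
        if req["method"] == "exec" and url == "/sys/login/user":
            creds = req["params"][0]["data"]
            rec = self.users.get(creds["user"])
            if rec is None or rec["passwd"] != creds["passwd"]:
                return self._reply(req, url, -22, "Login fail")
            token = f"sess-{len(self.log)}"
            self.sessions[token] = creds["user"]
            return dict(self._reply(req, url, 0, "OK"), session=token)
        if req.get("session") not in self.sessions:
            return self._reply(req, url, -11, "No permission for the resource")
        if req["method"] == "exec" and url == "/sys/logout":
            del self.sessions[req["session"]]
            return self._reply(req, url, 0, "OK")
        if req["method"] == "get" and url.startswith("/cli/global/system/admin/user/"):
            name = url.rsplit("/", 1)[1]
            rec = self.users.get(name)
            if rec is None:
                return self._reply(req, url, -3, "Object does not exist")
            reply = self._reply(req, url, 0, "OK")
            reply["result"][0]["data"] = {"userid": name, "rpc-permit": rec["rpc-permit"]}
            return reply
        return self._reply(req, url, -3, "Object does not exist")

    @staticmethod
    def _reply(req: dict, url: str, code: int, message: str) -> dict:
        return {"id": req["id"],
                "result": [{"status": {"code": code, "message": message}, "url": url}]}


# Constructed sample accounts: a dedicated connector account and a read-only one.
SAMPLE_FMG = FakeFortiManager({
    "nsxt-api": {"passwd": "example-only", "rpc-permit": "read-write"},
    "helpdesk": {"passwd": "example-only", "rpc-permit": "read"},
})

if __name__ == "__main__":
    for name in ("nsxt-api", "helpdesk"):
        ok = verify_json_api_access(SAMPLE_FMG, name, "example-only")
        print(f"{name}: JSON API read-write = {ok}")
```

The check is worth running against the account you enter under FortiManager Configurations in the connector, since that is the one NSX-T Manager will use; a dedicated local account with only this permission keeps the integration's credentials separate from your interactive administrator login.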

Creating a fabric connector for VMware NSX-T

In FortiManager, create a fabric connector for VMware NSX-T.

To configure an NSX-T connector on FortiManager:
  1. Log into FortiManager.
  2. Go to Policy & Objects > Objects Configuration > Fabric Connectors > Endpoint/Identity.
  3. Click Create New > NSX-T Connector.

  4. Configure the parameters for the new NSX-T connector, and click OK.

    For example:
    1. Name: NSXT-Manager.
    2. Status: ON.
    3. NSX-T Manager Configurations:
      1. Server: NSX-T server.
      2. User Name: NSX-T user name.
      3. Password: NSX-T password.
    4. FortiManager Configurations:
      1. IP Address: FortiManager IP or FQDN.
      2. User Name: Your FortiManager administrator user name.
        Note

        The user name under FortiManager Configurations can be any other FortiManager local user with JSON API access set to read-write. NSX-T Manager uses this account to make the API calls to FortiManager that dynamically update the VM group objects.

      3. Password: Your administrator password.

To configure a registered service:
  1. Edit the previously configured NSX-T connector. Under Registered Service, click Add Service.
  2. In the Name field, enter the service name to register to NSX-T's partner service catalog.
  3. For Integration, select East-West or North-South as desired.
  4. For FortiGate Password, enter your FortiGate's administrator password.
  5. For License Type, select License File or Flex-VM.
    1. When using a License File:
      1. For License URL Prefix, enter the license URL prefix, for example: http://x.x.x.x/lics/.
      2. Click the add icon to add a new image location, and configure the following details:
        1. Type: Select the VM type, for example VM01.
        2. Location: Enter the image location, for example: http://x.x.x.x/FortiGate-VM64xCPU.nsxt.ovf.
    2. When using Flex-VM:
      1. Select a previously configured Flex-VM Connector from which to obtain the license. See Creating Flex-VM connectors.
  6. Click OK, and save the NSX-T connector.
  7. In the NSX-T Manager, go to System > Service Deployment > CATALOG to confirm that the FortiGate-VM service was properly registered on NSX-T Manager.

Configure the NSX-T Manager

To configure NSX-T Manager:
  1. In the NSX-T Manager, go to Inventory > Groups, and click ADD GROUP.
  2. Enter a name, and click Set Members.
  3. Select the IP Addresses tab, and add the IP addresses that are to be members of this group.

  4. Save your changes, and repeat these steps until you have created all of the groups that you require.
    Note

    Group membership is what determines the dynamic NSX-T addresses in FortiManager. NSX-T Manager supports multiple membership criteria for making a virtual machine part of a group.

  5. Go to Security > Network Introspection Settings > Service Profiles.
  6. Select the Registered Service from the Partner Service dropdown list, and click ADD SERVICE PROFILE.

  7. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Vendor Template: Select the template listed in the dropdown.
  8. Go to the Service Chains tab and click ADD CHAIN.
  9. Configure the following parameters, and click Save.
    1. Name: Enter a name.
    2. Service Segment: Service-Segment.
  10. Click Set Forward Path, and then click ADD PROFILE IN SEQUENCE.

  11. Select the profile you just created, and click ADD.
  12. Save your changes.
  13. Go to East West Security > Network Introspection (E-W), and click on Add Policy.
  14. Click the policy name to rename it if required.

To create the redirection rule in NSX-T:
  1. Select the policy you created in the previous step, and click ADD RULE.
  2. Configure the parameters as follows:
    1. Name: Redir-Rule.
    2. Source: Any (Groups need to be selected).
    3. Destination: Any (Groups need to be selected).
    4. Services: Any.
    5. Applied To: DFW.
    6. Action: Redirect.

    This rule redirects all traffic to the FGT-EW-VM instance. You can be more granular by selecting any combination of Sources, Destinations, Services, or Applied To for specific groups. If specific groups are selected, only those groups are associated with the Service Manager and show up on FortiManager.

  3. Click PUBLISH to apply the changes.

Use the groups in a FortiManager policy

To use groups in a policy:
  1. Go to Policy & Objects > Object Configurations > Fabric Connectors.
  2. Edit the NSXT-Manager object.
  3. Scroll down and check that the objects with addresses appear. If there aren't any objects, select Apply & Refresh.
  4. Click Cancel.
    Note

    These groups and their members are automatically synchronized between FortiManager and NSX-T Manager. As soon as you add a VM or IP address to a group that the Redir-Rule applies to on NSX-T Manager, the change is synchronized.

  5. You can let FortiManager create the firewall addresses, or create your own. Go to Firewall Objects > Addresses, and click Create New > Address.
  6. Configure the parameters, and click OK.
    1. Address Name: Enter a name.
    2. Type: Dynamic.
    3. Sub Type: FSSO.
    4. FSSO Group: nsx_NSXT-Manager_Default/groups/<group name>