Mapping the virtual NICs (vNICs) to physical NICs

Appropriate mappings of the FortiWeb-VM network adapter ports to the host computer’s physical ports depend on your existing virtual environment.

Often, the default bridging vNICs work, and don’t need to be changed.

If you are unsure of your network mappings, try bridging first before non-default vNIC modes such as NAT or host-only networks. The default bridging vNIC mappings are appropriate where each of the host’s guest virtual machines should have their own IP addresses on your network.

The most common exceptions to this rule are for VLANs and the transparent modes. See Configuring the vNetwork for the transparent modes.

When you deploy the FortiWeb-VM package, 4 bridging vNICs are created and automatically mapped to a port group on 1 virtual switch (vSwitch) within the hypervisor. Each of those vNICs can be used by one of the 4 network interfaces in FortiWeb-VM. (Alternatively, if you prefer, some or all of the network interfaces may be configured to use the same vNIC.) vSwitches are themselves mapped to physical ports on the server.

You can change the mapping, or map other vNICs, if either your VM environment requires it or the FortiWeb-VM will be operating in either true transparent proxy or Transparent Inspection mode. (For information on how to choose the operation mode, see the setup instructions in the FortiWeb Administration Guide.)

The following table provides an example of how vNICs could be mapped to the physical network ports on a server.

Example: Network mapping for Reverse Proxy mode

  Citrix XenServer                                                 | FortiWeb-VM
  Physical Network Adapter | Network Mapping (vSwitch Port Group)  | Virtual Network Adapter for FortiWeb-VM | Network Interface Name in Web UI/CLI
  eth0                     | Network 0                             | Management                              | port1
  eth1                     |                                       | External                                | port2
                           |                                       | Internal                                | port3
                           | Network 1                             | External                                | port4
To map network adapters

  1. On your management computer, start Citrix XenCenter.

  2. In the pane on the left side, double-click the name of the XenServer. This will open an authentication dialog.

  3. In Server, type the IP address or FQDN of the Citrix XenServer server.

     In User name, type the name of your account on that server.

     In Password, type the password for your account on that server.

     Click Connect.

  4. In the pane on the right side, click the Networking tab, then click Add Network. The hypervisor’s networking dialog appears.

  5. In the list of virtual hardware on the left side of the dialog, click the name of a virtual network adapter to see its current settings.

  6. From the Network Connection drop-down menu, select the virtual network mapping for the virtual network adapter.

     The correct mapping varies by your virtual environment’s network configuration. In the example illustration below, the vNIC is mapped to the virtual network (vNetwork) named Network 3.

  7. Click OK.

  8. Continue with Powering on and shutting down the virtual appliance.

Configuring the vNetwork for the transparent modes

The default vNetwork configuration does not function with FortiWeb bridges (V-zones). You use bridges when you deploy your FortiWeb-VM in either true transparent proxy or Transparent Inspection operation mode.

Use the following general configuration steps to support the transparent modes:

  • Add 2 vSwitches or distributed vSwitches (dvSwitch) for the bridge: one for the web server side, and one for the client side.

    Alternatively, add a single vSwitch that provides two different VLAN IDs. Use these IDs to create VLAN subinterfaces to add to a bridge.

  • Set both vSwitches to promiscuous mode.
  • Map each vSwitch you add to a network adapter (vNIC).

Similar to a deployment that does not use virtual machines, connections between clients and servers travel through the two vSwitches (or two VLANs) that comprise the bridge, with FortiWeb-VM in between them.

The following instructions assume your configuration uses 2 vSwitches.

To create a vSwitch

  1. On your management computer, start Citrix XenCenter.

  2. In the pane on the left side, double-click the name of the XenServer. This will open an authentication dialog.

  3. In Server, type the IP address or FQDN of the Citrix XenServer server.

     In User name, type the name of your account on that server.

     In Password, type the password for your account on that server.

     Click Connect.

  4. In the pane on the left side, select either the name of a XenServer pool, or (if your web servers are on the same XenServer as FortiWeb-VM) a single XenServer. vSwitches will allow communication between different XenServers in the same pool.

  5. On the Configuration tab, click Networking. A window appears where you can configure single server vSwitches or (if you selected a pool in the previous step) distributed vSwitches.

  6. Depending on whether FortiWeb-VM will run transparently between clients and web servers on the same XenServer, select either:

     • Cross-Server Private Network — Select this option if your web servers are not hosted on the same XenServer as your FortiWeb-VM, but are in the same resource pool.

       This option is greyed out and unavailable if you have not yet installed Citrix’s Distributed Virtual Switch Controller (Open vSwitch) or have software-defined networking (SDN) available. You must also add the XenServer to the dvSwitch; enter this command on the CLI of each XenServer, then reboot it:

       xe-switch-network-backend openvswitch

     • Single Server Private Network — If your web servers are on the same XenServer as your FortiWeb-VM, you can select this option.

  7. Click Next.

  8. Follow the wizard, providing a name such as Client-Side-vSwitch1 that identifies the port group.

  9. Click Finish.

  10. Repeat this procedure to create the other, server-side vSwitch.

  11. Continue with To configure promiscuous mode for the new vSwitches.

To configure promiscuous mode for the new vSwitches
  1. Connect to the CLI of the XenServer where you are deploying FortiWeb-VM.

  2. To show the UUID of the vNetwork, enter the command:

     xe pif-list network-name-label="Client-Side-vSwitch1"

     where Client-Side-vSwitch1 is the name of a network as it appears in XenCenter.

  3. Enter the command:

     xe pif-param-set uuid="0" other-config:promiscuous="true"

     where 0 is the UUID of the physical interface. If successful, the output of the following command will show that the physical interface is now in promiscuous mode:

     xe pif-param-list uuid="0"

  4. To show the UUID of the virtual network interface, enter the command:

     xe vif-list vm-name-label=FortiWeb-vm

     where FortiWeb-vm is the name of the virtual machine as it appears in XenCenter.

  5. Enter the command:

     xe vif-param-set uuid="0" other-config:promiscuous="true"

     where 0 is the UUID of the virtual interface. If successful, the output of the following command will show that the virtual interface is now in promiscuous mode:

     xe vif-param-list uuid="0"

  6. Unplug and re-connect the virtual network interface by entering these commands:

     xe vif-unplug uuid="0"
     xe vif-plug uuid="0"

  7. Repeat this procedure to configure the mode of the other, server-side vSwitch.

  8. Continue with To map a network adapter to the new vSwitches.
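Promiscuous mode lets the interface receive every frame on its vSwitch, so it belongs only on the two bridge vSwitches and not on the management network (Network 0 in the example table). The following shell script is an added audit helper, not code from the Fortinet guide or from Citrix: it parses the text printed by xe pif-param-list or xe vif-param-list and checks other-config:promiscuous against what this procedure expects, true for the bridge vSwitches and absent (or false) for anything else. The name Client-Side-vSwitch1 comes from the guide; Server-Side-vSwitch1 is an assumed name for the server-side vSwitch, and the sample outputs are constructed and only modelled on the xe param-list layout. On a XenServer host, audit_live_pif and audit_live_vif run the same check against a real interface UUID.

```shell
#!/bin/sh
# Promiscuous-mode audit for XenServer PIFs/VIFs (added example, not Fortinet's or Citrix's code).
# Parses the text printed by `xe pif-param-list uuid=...` / `xe vif-param-list uuid=...` and
# checks other-config:promiscuous against what the bridge procedure expects.

# Networks that must be promiscuous: the two bridge vSwitches. The guide names the first;
# "Server-Side-vSwitch1" is an assumed name for the server-side one.
BRIDGE_NETWORKS="Client-Side-vSwitch1 Server-Side-vSwitch1"

# Print the network-name-label field from param-list output.
network_label() {
    printf '%s\n' "$1" | sed -n 's/^ *network-name-label ( RO): *//p' | head -n 1
}

# Print the value of other-config:promiscuous ("true"/"false"), or "unset" if absent.
# other-config is a map printed as "key: value; key: value", so split on ';' first.
promisc_state() {
    printf '%s\n' "$1" \
    | sed -n 's/^ *other-config (MRW): *//p' \
    | tr ';' '\n' \
    | sed -n 's/^ *promiscuous: *\([a-z]*\).*/\1/p' \
    | grep . || echo unset
}

# Print "true" if the network is one of the bridge vSwitches, else "false".
expected_promisc() {
    for n in $BRIDGE_NETWORKS; do
        [ "$n" = "$1" ] && { echo true; return 0; }
    done
    echo false
}

# Compare actual against expected for one interface and print a report line.
# Returns 0 when they match, 1 otherwise.
audit_param_list() {
    label=$(network_label "$1")
    actual=$(promisc_state "$1")
    expected=$(expected_promisc "$label")
    effective=$actual
    # "unset" is the hypervisor default, i.e. not promiscuous.
    [ "$effective" = unset ] && effective=false
    if [ "$effective" = "$expected" ]; then
        printf 'OK       %-22s expected=%s actual=%s\n' "$label" "$expected" "$actual"
        return 0
    fi
    printf 'MISMATCH %-22s expected=%s actual=%s\n' "$label" "$expected" "$actual"
    return 1
}

# On a XenServer host: audit a real physical or virtual interface by UUID.
audit_live_pif() { audit_param_list "$(xe pif-param-list uuid="$1")"; }
audit_live_vif() { audit_param_list "$(xe vif-param-list uuid="$1")"; }

# Constructed sample outputs modelled on the xe param-list layout (not captured from a host).
SAMPLE_MGMT_PIF=$(cat <<'EOF'
uuid ( RO)                    : 00000000-0000-0000-0000-000000000001
                  device ( RO): eth0
      network-name-label ( RO): Network 0
            other-config (MRW): 
EOF
)
SAMPLE_CLIENT_PIF=$(cat <<'EOF'
uuid ( RO)                    : 00000000-0000-0000-0000-000000000002
                  device ( RO): eth1
      network-name-label ( RO): Client-Side-vSwitch1
            other-config (MRW): promiscuous: true
EOF
)
SAMPLE_SERVER_VIF=$(cat <<'EOF'
uuid ( RO)                    : 00000000-0000-0000-0000-000000000003
           vm-name-label ( RO): FortiWeb-vm
      network-name-label ( RO): Server-Side-vSwitch1
            other-config (MRW): promiscuous: false
EOF
)

# Audit the constructed samples; a non-zero status means at least one mismatch
# (here the server-side VIF, which was never set to promiscuous mode).
demo() {
    rc=0
    for s in "$SAMPLE_MGMT_PIF" "$SAMPLE_CLIENT_PIF" "$SAMPLE_SERVER_VIF"; do
        audit_param_list "$s" || rc=1
    done
    return $rc
}
demo || echo "one or more interfaces do not match the expected promiscuous setting"
```

The script treats a missing promiscuous key as the default, non-promiscuous state, so the management PIF reports OK while the server-side VIF, whose other-config still reads false, is flagged; after step 5 and the unplug/plug in step 6 the same check should report OK for both bridge interfaces.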
To map a network adapter to the new vSwitches

  1. In the pane on the left side, click the name of the virtual appliance, such as FortiWeb-VM.

  2. On the Networking tab, select a vNIC (Device), then click Properties. A properties window appears.

  3. Select the new vSwitch from the Network drop-down list.

  4. Click OK.

  5. Repeat this procedure with the other vSwitch for the bridge.

  6. Later, when configuring FortiWeb-VM, add port2 and port3, or whichever FortiWeb ports correspond to the vSwitches you created in this procedure, to the bridge (V-zone).