Fortinet Document Library
Deploying FortiGate-VMX

VMware-NSX Security Fabric integration

6.0.1
About FortiGate VMX

Fortinet's FortiGate-VMX is a next generation firewall virtual appliance for VMware environments that provides purpose-built integration for VMware's Software-Defined Data Center (SDDC) and interoperability with VMware vSphere and NSX. FortiGate-VMX provides visibility into virtualized network traffic in the vSphere hypervisor through direct API-level integration and management orchestration, securing workloads in dynamic software-defined networks and infrastructure without protection and compliance gaps. FortiGate-VMX provides integrated protection of East/West traffic flow inside VMware's NSX environment.

Through the close partnership VMware and Fortinet maintain, VMware-specific APIs were made available to enable the FortiGate-VMX integration. This allows for interception and policy enforcement at the hypervisor level.

There are two components comprising FortiGate-VMX:

FortiGate-VMX Service Manager (SVM)

  • Dedicated VM providing management/visibility across all VMX security nodes. The SVM communicates with NSX through an API.
  • A single SVM can handle an almost unlimited number of FortiGate-VMX security nodes, up to the licensed number of security nodes.
  • The SVM must be able to connect to the Internet to validate its license against FortiGuard.

FortiGate-VMX instances

  • A FortiGate-VM firewall to protect each segment on NSX. Usually multiple VMX nodes are deployed, depending on the segmentation complexity.
  • Only one FortiGate-VMX security node is required per ESXi host.
  • Licensing is simple: one security node requires one license.

Once properly configured and licensed, FortiGate-VMX Security Nodes will be automatically deployed to each ESXi host in the designated cluster(s). If a new ESXi host is introduced into a designated cluster, a FortiGate-VMX Security Node will auto-deploy to it and its policy will be synchronized.

The FortiGate-VMX Security Node is not in Transparent Mode, as might be assumed from the fact that no NAT occurs. The FortiGate-VMX Security Node only has internal interfaces. For FortiGate-VMX v1, they are conveniently named “internal” & “external”. For FortiGate-VMX (second generation), there is an internal port pair per VDOM, so the naming convention is <VDOM name>-int & <VDOM name>-ext. FortiGate-VMX security policies are configured and applied using these interfaces.

FortiGate-VMX 6.0.1 is certified for use with NSX 6.3.0+, 6.4.0, and 6.4.1, and vSphere ESXi 6.0, 6.5, and 6.7.

For information on additional supported software, see the VMware Compatibility Guide.

The integration/interaction process

After the software is properly installed, the deployment of FortiGate-VMX Security Nodes will be automatic. The deployment process is as follows:

  1. FortiGate-VMX Service Manager registers the Fortinet security service with NSX Manager (FortiGate-VMX): The registration process uses the NetX management plane API to enable bi-directional communication between the FortiGate-VMX Service Manager and the NSX Manager.
  2. Auto-deploy FortiGate-VMX to all hosts in designated cluster(s): The NSX Manager collects the FortiGate-VMX image from the URL specified during registration and installs an instance of FortiGate-VMX on each ESXi host in the designated cluster(s). The image update is instantaneous and beneficial for on-demand, software-defined data center requirements.
  3. FortiGate-VMX Security Node connects with FortiGate-VMX Service Manager: The FortiGate-VMX Security Node initiates a connection to the FortiGate-VMX Service Manager to register and obtain its license.
  4. License verification and configuration synchronization with FortiGate-VMX: FortiGate-VMX Service Manager verifies the serial number and synchronizes configuration and policy.
  5. Redirection policy rules updated for enablement of FortiGate-VMX security service: For all objects secured in the cluster, a policy redirecting all, or specific, traffic to FortiGate-VMX is ready.
  6. Real-time updates of object database: The NSX Manager sends real-time updates on the changes in the virtual environment to the FortiGate-VMX Service Manager.
  7. FortiGate-VMX Service Manager dynamically synchronizes the object database and policy to all FortiGate-VMX Security Nodes deployed in the cluster.
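The deployment model above (one licensed node per ESXi host, policy and object database pushed from the Service Manager, a per-VDOM -int/-ext interface pair) gives an operator a concrete list of things to verify after a cluster change. The following reconciliation check is an added example, not Fortinet code: it takes constructed inventory data in the shape a practitioner would pull from vCenter and the SVM and reports every host or node that deviates from that model. The serial numbers, host names and VDOM names are invented.

```python
"""Reconciliation check for a FortiGate-VMX cluster (added example, not Fortinet code).

Inputs are assumed to have been exported from vCenter (hosts in the designated
cluster) and from the Service Manager (per-node license and sync state).
All sample values below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityNode:
    host: str                 # ESXi host the node was auto-deployed to
    serial: str               # serial the SVM verifies against its license
    licensed: bool            # True once the SVM has verified the serial
    policy_version: int       # last policy/object-database version received
    interfaces: set = field(default_factory=set)


def expected_interfaces(vdoms):
    """Second-generation naming: one <VDOM>-int / <VDOM>-ext pair per VDOM."""
    return {f"{v}-{suffix}" for v in vdoms for suffix in ("int", "ext")}


def reconcile(cluster_hosts, nodes, svm_policy_version, vdoms):
    """Return a list of human-readable findings; an empty list means the cluster matches the model."""
    findings, by_host = [], {}
    for n in nodes:                               # exactly one node per host is expected
        if n.host in by_host:
            findings.append(f"{n.host}: more than one security node ({by_host[n.host].serial}, {n.serial})")
        by_host[n.host] = n
    for host in cluster_hosts:
        n = by_host.get(host)
        if n is None:                             # auto-deploy did not happen (or node was removed)
            findings.append(f"{host}: no FortiGate-VMX security node deployed")
            continue
        if not n.licensed:                        # step 4 of the process did not complete
            findings.append(f"{host}: node {n.serial} not licensed by SVM")
        if n.policy_version < svm_policy_version: # step 7 sync is lagging
            findings.append(f"{host}: policy version {n.policy_version} behind SVM {svm_policy_version}")
        missing = expected_interfaces(vdoms) - n.interfaces
        if missing:
            findings.append(f"{host}: missing interfaces {sorted(missing)}")
    for host in by_host.keys() - set(cluster_hosts):  # node outside the designated cluster(s)
        findings.append(f"{host}: node present but host not in designated cluster")
    return findings


HOSTS = ["esx-01", "esx-02", "esx-03"]             # constructed cluster inventory
VDOMS = ["root", "web"]
NODES = [                                          # constructed SVM export
    SecurityNode("esx-01", "NODE-SERIAL-0001", True, 12, expected_interfaces(VDOMS)),
    SecurityNode("esx-02", "NODE-SERIAL-0002", False, 11, {"root-int", "root-ext"}),
]

if __name__ == "__main__":
    for finding in reconcile(HOSTS, NODES, 12, VDOMS):
        print(finding)
```

With the constructed data the check reports that esx-02 is unlicensed, one policy version behind and missing the web VDOM interface pair, and that esx-03 has no node at all.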
