The aim of this session is to show how the FortiGate VMX solution integrates with VMware NSX infrastructure and what it can do to secure a virtual environment. In a few dozen minutes we will carry out a full installation of the solution, together with an example configuration, and bring it into operation in a production environment.
Slide 2: Agenda
VMware NSX
What is Fortinet VMX?
Why FortiGate VMX with NSX?
The Recipe
Deployment Options
How to Design a Cost Effective VMX Solution
FortiGate-VMX Logs to FortiAnalyzer
FortiGate-VMX License Model
Key Differentiators
Slide 8: Why FortiGate VMX with NSX?
Requirements / Solution (each requirement is listed with the matching solution):
Not just firewall, but advanced features
Micro-Segmentation and Zero Trust
Control of 'east-west' traffic, Inter Logical Security Zone (multi-tier)
Integration, Orchestration and Automation
Slide 10: The Recipe
ESXi servers – all of 'em ;)
NSX Manager – 1 piece
HTTP Server holding images for deployment – 1 piece
FortiGate-VMX Server Manager – 1 ovf file to deploy
VMware Distributed Firewall – 1 piece
FortiGate-VMX Security Nodes – 1 per each ESXi server
Distributed vSwitch – at least one :)
Slide 11: FortiGate VMX and its Components
[Diagram] VMware side: vCenter Server (v5.5 or v6.0); VMware vSphere (Enterprise Plus license, v5.5 or v6.0); ESXi Hosts. Fortinet solution (the "third party solution" in NSX terms): Service Manager = FortiGate-VMX Service Manager; Service Appliance = FortiGate-VMX Security Appliance. Diagram edge labels: "Manage", "REST API".
Slide 12: FortiGate-VMX and NSX Integration/Interactions
[Diagram: dvSwitch, FGT-VMX nodes on each host, FortiGate-VMX Service Manager]
1. Register Fortinet as security service with NSX Manager
2. Auto-deploy FortiGate-VMX to all hosts in security cluster
3. FortiGate-VMX connects with FortiGate-VMX Service Manager
4. License verification & configuration synchronization with FortiGate-VMX
5. NSX Security Policy: define network introspection rules to redirect traffic
6. Real-time updates of object database
7. Push policy synchronization to all FortiGate-VMX deployed in cluster
Slide 13: FGT-VMX and VMware NSX Filter Driver Interaction
[Diagram: VMware Kernel, dvSwitch, NetX NSX Filter Driver, FGT-VMX with "int" and "ext" interfaces, FortiGate-VMX Service Manager; callouts: 1 Define NGFW Firewall Policies; 2 (caption not recoverable)]
Packet Flow
1. From VM to NSX Filter Driver
2. NSX Filter Driver forwards to third-party solution (FGT-VMX)
3. FGT-VMX applies security and sends the packet back to the NSX Filter Driver
4. NSX Filter Driver can do service chaining or send the packet to its destination
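The packet flow on this slide, together with the introspection rules from slide 12 (step 5) and the micro-segmentation / zero-trust point from slide 8, can be modelled in a few dozen lines. The block below is an added illustration, not Fortinet or VMware code: the NSX filter driver is the function that consults redirect rules, FGT-VMX is one service in the chain that evaluates a zone-to-zone policy with an implicit deny, and the security-group membership, redirect rules and policy entries are constructed sample data.

```python
"""Model of the NetX packet path from slide 13: VM -> NSX filter driver ->
FGT-VMX -> back to the filter driver -> destination. Constructed example;
not Fortinet or VMware code. Security groups, redirect rules and the NGFW
policy below are invented sample data.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    dst_port: int
    proto: str = "tcp"


# Constructed inventory: VM -> NSX security group (one group per logical tier).
SECURITY_GROUPS = {
    "web-01": "sg-web", "web-02": "sg-web",
    "app-01": "sg-app",
    "db-01": "sg-db",
    "mon-01": "sg-mgmt",
}

# NSX Security Policy "network introspection" rules (slide 12, step 5):
# (source group, destination group) pairs whose traffic the filter driver
# redirects to the registered third-party service. "any" matches every group.
REDIRECT_RULES = [
    ("sg-web", "sg-app"),
    ("sg-app", "sg-db"),
    ("any", "sg-db"),
]

# FGT-VMX NGFW policy between logical security zones: explicit accepts only,
# everything else falls through to the implicit deny (zero-trust default).
NGFW_POLICY = [
    {"src": "sg-web", "dst": "sg-app", "port": 8080, "proto": "tcp", "action": "accept"},
    {"src": "sg-app", "dst": "sg-db", "port": 3306, "proto": "tcp", "action": "accept"},
]

Service = Tuple[str, Callable[[Packet], str]]


def group_of(vm: str) -> str:
    return SECURITY_GROUPS.get(vm, "sg-unknown")


def _matches(rule_group: str, group: str) -> bool:
    return rule_group == "any" or rule_group == group


def is_redirected(pkt: Packet) -> bool:
    """Step 2: does any introspection rule send this flow to the third-party service?"""
    src, dst = group_of(pkt.src_vm), group_of(pkt.dst_vm)
    return any(_matches(rs, src) and _matches(rd, dst) for rs, rd in REDIRECT_RULES)


def ngfw_verdict(pkt: Packet) -> str:
    """Step 3: FGT-VMX matches the flow against zone-to-zone policy; no match = deny."""
    src, dst = group_of(pkt.src_vm), group_of(pkt.dst_vm)
    for rule in NGFW_POLICY:
        if (rule["src"] == src and rule["dst"] == dst
                and rule["port"] == pkt.dst_port and rule["proto"] == pkt.proto):
            return rule["action"]
    return "deny"


def process_packet(pkt: Packet, chain: List[Service]) -> Tuple[str, List[str]]:
    """Walk the packet through the filter driver and the service chain (step 4).

    Returns the final verdict and a trace of the hops taken.
    """
    trace = [f"{pkt.src_vm} -> NSX filter driver"]
    if not is_redirected(pkt):
        trace.append("no introspection rule matched: forwarded without inspection")
        trace.append(f"delivered to {pkt.dst_vm}")
        return "accept", trace
    for name, service in chain:
        verdict = service(pkt)
        trace.append(f"redirected to {name}: {verdict}")
        if verdict != "accept":
            trace.append("dropped by service: never reaches destination")
            return "deny", trace
        trace.append(f"{name} -> NSX filter driver")
    trace.append(f"delivered to {pkt.dst_vm}")
    return "accept", trace


SERVICE_CHAIN: List[Service] = [("FGT-VMX", ngfw_verdict)]

if __name__ == "__main__":
    samples = [
        Packet("web-01", "app-01", 8080),   # allowed web -> app
        Packet("web-01", "db-01", 3306),    # web skipping the app tier: denied
        Packet("web-01", "web-02", 22),     # intra-tier: no redirect rule, never inspected
    ]
    for pkt in samples:
        verdict, trace = process_packet(pkt, SERVICE_CHAIN)
        print(f"{verdict:6} {' | '.join(trace)}")
```

The third sample is the case worth noticing in a design review: traffic between two VMs in the same security group never reaches FGT-VMX unless an introspection rule covers it, so the redirect rules on the NSX side must be at least as broad as the policy you expect the NGFW to enforce.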
Slide 15: Deployment Options
• Option 1: DFW + FortiGate VM or FortiOS
• More than just stateful Edge firewalling
• Option of stateful firewall at DFW and NGFW/UTM at Edge
Slide 20: How to Design a Cost Effective VMX Solution
• Categorize the workload
• Critical workload placed on VMX-enabled cluster
• Catalogue-based design – pay per feature for MSSPs
• Cost optimization – for enterprises
Slide 22: FortiGate-VMX Logs to FortiAnalyzer
Configuration is done on the FortiGate-VMX Service Manager
Logs are relayed from the FortiGate-VMX to the FortiGate-VMX Service Manager
Only the FortiGate-VMX Service Manager serial number is reported on FortiAnalyzer
Slide 24: FortiGate-VMX Licensing
Expandable license model
Two product SKUs
» FortiGate-VMX Service Manager - FG-VMX-MGMT: centralized management and license repository for FortiGate-VMX environments
» FortiGate-VMX Security Node - FG-VMX-1: one FortiGate-VMX Security Node instance for securing VMware environments
Multiple-length Service and Support SKUs
Lab SKUs available for development environments
Slide 25: FortiGate-VMX Licensing
No limits placed on resources (virtual or hardware), nor on the number of protected VM workloads.
Instance-based licensing.
» Example: 10 ESXi hosts in a cluster; 10 x FortiGate-VMX Security Node licenses are required.
FortiGate-VMX Service Manager is used as the license repository for FortiGate-VMX Security Nodes.
FortiGate-VMX Security Nodes automatically validate to the FortiGate-VMX Service Manager.
[Diagram] FortiCare / FortiGuard (service license registration and security database updates) <-> FortiGate-VMX Service Manager (license repository; centralized synchronization of configuration/policy) <-> FortiGate-VMX Security Nodes (registration/synchronization; security database updates)
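The licensing rule on this slide (one Security Node license per ESXi host in the cluster, with the Service Manager as the decrementing license repository) and the design rule from slide 20 (critical workloads belong on a VMX-enabled cluster) are simple enough to turn into a pre-deployment check. The block below is an added example, not Fortinet or VMware code: it takes a constructed host and workload inventory and reports how many FG-VMX-1 licenses are needed, which hosts in the security cluster still lack a node, which critical workloads sit on an unprotected cluster, and how a central license pool behaves as nodes register. All host, cluster, workload and serial names are invented.

```python
"""Design and licensing sanity check for a FortiGate-VMX security cluster.

Constructed example; not Fortinet or VMware code. It encodes the rules stated
on the slides: one FG-VMX-1 Security Node licence per ESXi host in the
VMX-enabled cluster, critical workloads belong on a VMX-enabled cluster, and
the Service Manager hands out node licences from a central pool that is
decremented as nodes register. Host, cluster, workload and serial names are
invented placeholders.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Host:
    name: str
    cluster: str
    vmx_node_deployed: bool  # True once NSX has auto-deployed an FGT-VMX node here


@dataclass(frozen=True)
class Workload:
    name: str
    host: str
    critical: bool


class LicenseRepository:
    """Service-Manager-style pool: each new node serial consumes one licence."""

    def __init__(self, node_licenses: int) -> None:
        self.remaining = node_licenses
        self.registered: Set[str] = set()

    def register_node(self, serial: str) -> bool:
        if serial in self.registered:   # periodic re-validation costs nothing
            return True
        if self.remaining == 0:         # pool exhausted: node stays unlicensed
            return False
        self.remaining -= 1
        self.registered.add(serial)
        return True


def vmx_hosts(hosts: List[Host], vmx_clusters: Set[str]) -> List[Host]:
    return [h for h in hosts if h.cluster in vmx_clusters]


def required_node_licenses(hosts: List[Host], vmx_clusters: Set[str]) -> int:
    """Instance-based licensing: one FG-VMX-1 per ESXi host in the security cluster."""
    return len(vmx_hosts(hosts, vmx_clusters))


def coverage_gaps(hosts: List[Host], vmx_clusters: Set[str]) -> List[str]:
    """Hosts that should carry a node (they are in a VMX cluster) but do not."""
    return [h.name for h in vmx_hosts(hosts, vmx_clusters) if not h.vmx_node_deployed]


def misplaced_critical_workloads(hosts: List[Host], workloads: List[Workload],
                                 vmx_clusters: Set[str]) -> List[str]:
    """Critical workloads running on a host outside any VMX-enabled cluster."""
    cluster_of = {h.name: h.cluster for h in hosts}
    return [w.name for w in workloads
            if w.critical and cluster_of.get(w.host) not in vmx_clusters]


def license_shortfall(hosts: List[Host], vmx_clusters: Set[str], owned: int) -> int:
    return max(0, required_node_licenses(hosts, vmx_clusters) - owned)


# Constructed inventory: four-host secure cluster (one host still missing its
# node) plus a two-host general cluster with no Fortinet service deployed.
VMX_CLUSTERS = {"prod-secure"}
HOSTS = [
    Host("esx-01", "prod-secure", True),
    Host("esx-02", "prod-secure", True),
    Host("esx-03", "prod-secure", False),
    Host("esx-04", "prod-secure", True),
    Host("esx-05", "prod-general", False),
    Host("esx-06", "prod-general", False),
]
WORKLOADS = [
    Workload("db-01", "esx-01", critical=True),
    Workload("crm-01", "esx-05", critical=True),   # critical but on an unprotected cluster
    Workload("test-01", "esx-06", critical=False),
]

if __name__ == "__main__":
    print("licences required:", required_node_licenses(HOSTS, VMX_CLUSTERS))
    print("hosts without a node:", coverage_gaps(HOSTS, VMX_CLUSTERS))
    print("critical workloads off VMX cluster:",
          misplaced_critical_workloads(HOSTS, WORKLOADS, VMX_CLUSTERS))
    print("shortfall with 3 licences:", license_shortfall(HOSTS, VMX_CLUSTERS, 3))
    repo = LicenseRepository(required_node_licenses(HOSTS, VMX_CLUSTERS))
    for h in HOSTS:
        if h.vmx_node_deployed:   # placeholder serials derived from host names
            print(h.name, "registered:", repo.register_node(f"node-{h.name}"))
    print("licences left in pool:", repo.remaining)
```

Running it against the sample inventory reports four required licenses, esx-03 as the uncovered host, crm-01 as the critical workload that needs to move, and one license left in the pool after the three deployed nodes register; re-running a registration for a known serial does not consume a second license.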
Slide 28: Key Differentiators
Real multi-tenancy (VDOM) support
Per Security Appliance instance resource monitor
Improved throughput for firewall and security functionality using TSO (TCP Segmentation Offload)
Service Manager to Security Appliance instant security policy update using HA Sync
Automatic creation of NSX Security Groups in FortiGate-VMX Service Manager
Central license server with auto decrement
OVF footprint < 40 MB
License independent from physical or virtual resources
NSX integrated upgrade process
Real-time FortiGuard updates