07 - VMUGIT - Lecce 2018 - Antonio Gentile, Fortinet

© Copyright Fortinet Inc. All rights reserved.
Le nuove sﬁde della cyber security su
infrastrutture software deﬁned.
Advanced Security in Vmware NSX with FortiGate-VMX
Antonio Gentile
agentile@fortinet.com
Systems Engineer, Italy

Agenda
➢ Fortinet Security Fabric
➢ Fortinet Cloud & SDN Vision
➢ FortiGate-VMX Integration with NSX
➢ Key Points and Licensing
➢ Q&A

‹N›
2018 Fortinet Security Fabric
A Security Architecture that provides:
BROAD Visibility & Protection of the
Digital Attack Surface
INTEGRATED Detection of Advanced
Threats
AUTOMATED Response & Continuous
Trust Assessment
Delivered as:
Appliance Virtual
Machine
Hosted Cloud Software

‹N›
2018 Fortinet Solutions
Network
Security
Multi-Cloud
Security
Endpoint
Security
Email
Security
Web Application
Security
Secure
Uniﬁed Access
Advanced
Threat Protection
Management
- Analytics
FortiGate
Enterprise Firewall
FortiGate
Cloud Firewall
Network Security
FortiClient
EPP
FortiWeb
Web Application
Firewall
FortiMail
Secure Email
Gateway
FortiSandbox
Advanced Threat
Protection
FortiAnalyzer
Central Logging /Reporting
FortiManager
Central Security Management
FortiSIEM
Security Information &
Event Management
FortiGate
Virtual Firewall
Network Security
FortiAP
Wireless
Infrastructure
FortiSwitch
Switching
InfrastructureSWG
SD-WAN
IPS

Agenda
➢ Key Points And Licensing
➢ Q&A

‹N›
Virtualization SDN Cloud (IaaS) Cloud (SaaS)
Fortinet Cloud & SDN Vision
Physical & Virtual Security Appliances
FortiGate FortiManagerFortiSandbox FortiAnalyzer FortiWeb FortiADC FortiDDoSFortiWiﬁFortiMail
vSpher
e
XenServe
r
Hyper-V NSX

‹N›
Fortinet Programmable Networking Partnership Ecosystem
Platform Extensibility
Orchestration Platforms
Programmable Switching
vCNS certiﬁed
NSX Partner program
NSX Manager
Full NSX
Centralized Policy & Analytics
ACI

‹N›
SDx
Physical/Virtual/SDN/Cloud
North
South
East
West
Hybrid Cloud
Public
Cloud
Private
Cloud
FortiAnalyzer FortiManager
FortiWeb
FortiGate
VirtualCloud VirtualCloud
CLOUD SECURITY
FortiCore FortiGate VMX
FortiOSFortiGuardFortiASIC
5.4
Security for the Cloud

‹N›
NSX Platform Network and Security Virtualization
Components
Cloud Consumption
(CMP)
NSX Manager
NSX Controller
Data Plane
• Self Service Portal
• VMware vRealize Automation, vCloud Director, OpenStack, Custom
CMS
• High-performance data plane
• Scale-out distributed forwarding model
• Single conﬁguration portal
• REST API entry-point
• Manages logical networks
• Run-time state
• Scale out, HA
• Separation of control and data plane
ESXi, KVM, Xen
Distributed Services
• Logical Switch
• Distributed Logical Router
• Firewall
• Load Balancer
HW VTEPNSX Edge

‹N›
VMWare-NSX Architecture
Physical Host
NSX vSwitch
VM
VM
VM
NSX vSwitch
VM
User Space
VM
VM
Hypervisor
User Space
Hypervisor
Virtual Network
Cluster Controller
Cloud Mgt Platform
Simplified IP Backplane No VLANs, No ACLs, No Firewall Rules
Existing Physical Network
SrcIP = Hypervisor-1
DstIP = Hypervisor-2
???????

‹N›
Added Value of Security integration in SDDC
Requirements Solution
Visibility on Guest to Guest traffic
Micro-Segmentation and Zero Trust
Control of ‘east-west’ traffic, Inter and Intra VM
security, Logical Security Zone (multi-tier)
Not just firewall, but advanced features

‹N›
Manage
Components for NSX Integration
Mandatory Components for NSX Integration
Third Party Solution
Service Manager
Service Appliance
ESXi Hosts
VMware
vCenter Server
V5.5 or v6.0
VMware vSphere
(Enterprise Plus license
v5.5 or v6.0)
REST API
Fortinet Solution
FortiGate-VMX
Service Manager
FortiGate-VMX
Security Appliance

‹N›
FortiGate-VMX and NSX Integration/Interactions
dvSwitch
FGT-VMX FGT-VMX
Push
polic
y
synch
roniz
ation
to all
Forti
Gate-
VMX
deplo
yed
in
cluste
r 7
Register Fortinet as security service with NSX Manager1
Auto-
deploy
FortiGat
e-VMX
to all
hosts in
security
cluster
2
FortiGat
e-VMX
connects
with
FortiGat
e-VMX
Service
Manager
3
License verification & configuration
synchronization with
FortiGate-VMX
4
NSX
Secur
ity
Polic
y
define
netwo
rk
intros
pectio
n
rules
to
redire
ct
traffic
5
Real-time updates of object database6
FortiGate-VMX
Service Manager

‹N›
FortiGate-VMX and NSX Manager Setup
Adding VMware NSX details on FortiGate Service Manager
FortiGate VMX Service on NSX Manager

‹N›
FGT-VMX imports NSX Security Groups
● On NSX create Security Groups and assign “Objects”
Security Groups deﬁned on NSX are automatically created on FGT-VMX

‹N›
FGT-VMX imports NSX Security Groups
● On NSX create Security Groups and assign “Objects”
● FortiGate VMX automatically imports the Security Groups as a dynamic ﬁrewall
addresses with the VMs IP address
Security Groups deﬁned on NSX are automatically created on FGT-VMX

‹N›
NSX Security Group deﬁnition and usage
Server SG
FortiGate-VMX NSX Manager
Service Groups created on NSX Manager
automatically get sent to the FortiGate-VMX and
are available for Policy Creation
Policy Created on FortiGate-
VMX using Exchanged
Security Group

‹N›
VMware Kernel
dvSwitch
FGT-VMX and VMWARE NSX Filter Driver Interaction
1 Deﬁne NGFW Firewall Policies
2
Sync conﬁg on FGT-VMX
FGT-VMX
NetX NSX Filter Driver
int
ext
Packet Flow
1. From VM to NSX Filter Driver
2. NSX Filter Driver Forward to Third
party Solution (FGT-VMX)
3. FGT-VMX applies Security and sends
packet back to NSX Filter Driver
4. NSX Filter Driver can do service
chaining or send packet to destination
FortiGate-VMX
Service Manager
A B

‹N›
Policy Creation
● Firewall Policy is now IP independent
Policy created based on Security Group
Internal External
Distributed
Virtual
Switch

‹N›
VMWare-NSX Architecture with FortiGate-VMX
Physical Host
NSX vSwitch
VM VM
VM
NSX vSwitch
VM
User Space
VM
VM
Hypervisor
User Space
Hypervisor
Virtual Network
Cluster Controller
Cloud Mgt Platform
Existing Physical Network
Anti-botnet
Intrusion
Prevention
Antivirus
Application
Control
Web Application
Firewall
Web Filtering
FortiAnalyzer
Logging & Reporting
FortiSandbox
ATP
FortiGate-VMX
Service Manager
FortiGate-VMX
Security Appliance
FortiGate-VMX
Security Appliance

Agenda
➢ License Model and Key Points
➢ Q&A

‹N›
FortiGate-VMX License Model
● One license for the FortiGate-VMX Service Manager
● Simple license based on number of FGT-VMX Security Appliance deployed
» One FortiGate-VMX license per ESXi host
» No limits placed on resources (virtual or hardware), nor number of protected VM workloads
Hypervisor with 2 sockets Hypervisor with 1 socket 2 FGT-VMX
Licenses
3 FGT-VMX
Licenses
Hypervisor with 2 sockets
Central license server with auto decrement

‹N›
● Utilizing Fortinet Virtual Domains
(VDOMs)
• Segment a single FortiGate-VMX Security
Node to service different flows completely
segregated from each other.
• Greater flexibility for both Enterprise and
Managed Service Providers as seen in the
sample Security Policy configurations
below.
FortiGate-VMX VDOMs

‹N›
Migration (vMotion) Support
● Migration
» Session handover done by VM is picked up by VMX
Hypervisor with 2 sockets Hypervisor with 2 sockets
Web-01 App-
01
SSH
SSH

‹N›
FortiGate-VMX Key Points
● Real Multi-tenancy (VDOM) support
● Per Security Appliance instance Resource monitor
● Improved throughput for ﬁrewall and security functionality using TSO (TCP Segment Ofﬂoad)
● Service Manager to Security Appliance instantaneous update of the security policies
● Automatic creation of NSX Security Groups in FortiGate-VMX Service Manager
● Central license server with auto decrement
● OVF footprint < 40 MB
● License independent from physical or virtual resources
● NSX integrated upgrade process
● Real-time FortiGuard updates

07 - VMUGIT - Lecce 2018 - Antonio Gentile, Fortinet

07 - VMUGIT - Lecce 2018 - Antonio Gentile, Fortinet

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 07 - VMUGIT - Lecce 2018 - Antonio Gentile, Fortinet

Similar to 07 - VMUGIT - Lecce 2018 - Antonio Gentile, Fortinet (20)

More from VMUG IT

More from VMUG IT (20)

Recently uploaded

Recently uploaded (20)

07 - VMUGIT - Lecce 2018 - Antonio Gentile, Fortinet