Installing Fortinet Fortigate VMX with VMware NSX-V

Recently I had to do an installation of Fortinet Fortigate VMX 6.* on a small cluster that was already running NSX. Since there is hardly any documentation on it besides an older PDF from Fortinet, I decided to document my own walkthrough following that document.

Since my lab’s still on 6.5, I decided to do everything within the Flash client of vCenter.

Disclaimer: I am not a Networking or Security professional so there’s a good chance I am not keeping to some standards in those worlds.

What you need

  • both Fortigate VMX OVF files with their VMDKs for version 6.*
  • a web server with anonymous access, from which NSX deploys the security VMs
  • NSX already installed

Setting up the VMX Manager

First you start with deploying the VMX Service Manager from vSphere. It’s important to note that there are two OVF files: one for the Service Manager and one for the Security VM. You need the FortiGate-VMX-Service-Manager.ovf first. During this deployment you need to select two networks: one for management and a sync network. The latter is only for communication with the security VMs, so it can be non-routed. It is possible to have a DHCP server running in this VLAN as long as it doesn’t provide a default gateway (servers don’t like multiple gateways, capiche?). The Service Manager is also able to act as a DHCP server for the security VMs. Since I use this VLAN for more things I have DHCP running on my domain controller, but will set a static IP on the Service Manager.

When the deployment has finished you can power the VM on, and you need to open the console for some commands. Please note that I added the extra ends to the commands compared to the manual.

Somehow they put the IP config in the OVF, but that doesn’t work, so you need to set it manually:

config global
config system interface
edit mgmt
set ip <IP address for the MGMT interface> <subnet mask>
set allowaccess ping https ssh http
end
end


Now we need to configure the default gateway:

config vdom
edit root
config router static
edit 0
set device mgmt
set gateway <IP address of gateway>
end
end


and configure DNS (I only have one DNS host):

config global
config system dns
set primary <IPv4 address of DNS server>
set secondary <IPv4 address of DNS server>
end
end


So the basic configuration has been done and we should have access to the web interface by now. Just regular HTTPS on port 443. The default login is admin without a password.

If you want, you can change the password now (recommended!!).

You’ll see a dashboard similar to this but with an evaluation license.

If you click on FGTVMX License you’ll get a button to install the license.

Click on upload and click ok to install the license, the VMX Service Manager will reboot after this.

With this done we need to set some default settings under Global > System > Settings.

Since I only have my domain controller for NTP, I need to do this from the CLI:

config global
config system ntp
set type custom
config ntpserver
edit 0
set server <IPv4 address of NTP server>
end
end
end

and the result
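As an added example (not from this post or from Fortinet): a small Python parser that flattens FortiOS CLI snippets like the ones above into a dictionary and then reports which interfaces still allow cleartext management, since the allowaccess line above includes http next to https and ssh. The sample config and its addresses are constructed placeholders.

```python
# Constructed sample from this post's commands; addresses are placeholders.
SAMPLE_CONFIG = """\
config global
config system interface
edit mgmt
set ip 192.0.2.10 255.255.255.0
set allowaccess ping https ssh http
end
end
config vdom
edit root
config router static
edit 0
set device mgmt
set gateway 192.0.2.1
end
end
"""

CLEARTEXT = {"http", "telnet"}  # unencrypted management protocols


def parse_fortios(text):
    """Flatten to {'global/system interface/mgmt': {'ip': [...]}, ...}.
    'end' closes the open edit row (implicit next) and the config table."""
    stack = []   # (name, is_edit_row) for each open config/edit level
    result = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append((" ".join(args), kw == "edit"))
        elif kw in ("next", "end"):
            if stack and stack[-1][1]:
                stack.pop()               # close the open edit row
            if kw == "end" and stack:
                stack.pop()               # end also closes the config table
        elif kw == "set" and args:
            path = "/".join(name for name, _ in stack)
            result.setdefault(path, {})[args[0]] = args[1:]
    return result


def find_cleartext_access(cfg):
    """(path, protocols) for interfaces whose allowaccess has http/telnet."""
    hits = [(p, sorted(CLEARTEXT & set(s.get("allowaccess", [])))) for p, s in cfg.items()]
    return [h for h in hits if h[1]]
```

Once http is dropped from the mgmt interface's allowaccess (keeping https, ssh and ping), the check returns an empty list.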

Connecting with NSX

Here we find one of the bigger changes compared to the manuals for the 5.* releases of Fortigate VMX.

The 6.* releases of Fortigate VMX already come with the NSX service installed, so the only thing we need to do is register the VMware NSX SDN connector. This can be done under Global > Dashboard > Security Fabric > Fabric Connectors.

Fill in all the fields; the image location has to be an anonymous 🙁 web server that hosts both the VMDK files and the OVF. Click OK when you are done.

Now we need to edit the connector again to register the service. Select the NSX connector and click Edit.

Hit the Add Service button and the service will be created for you (previously this had to be done from the CLI).

If you now go to the Service Definitions in NSX it will show an extra one called Fortigate_VMX, or whatever you named it.

Configuring NSX for Fortigate VMX

The next thing to do is to create a service deployment. Click Add on the Service Deployment tab under Networking & Security > Installation and Upgrade.

Select the Fortigate service name

Select the cluster where you want to deploy Fortigate VMX

Select the datastore where the service VMs need to be placed, the correct portgroup, and whether you want to use DHCP or an IP pool for the service VMs.

and finally click Finish.

NSX will now start deploying the service VMs. Usually it creates a new resource pool for these, but that somehow failed for me.

Next up is creating security groups for the VMs that we need to firewall. This is done in the service manager for NSX.

Click add

Choose a name

Choose the membership rule that decides when VMs are a member of this group

I didn’t use the next two

And hit Finish

The group now consists of several of my VDI Desktops

Last but not least we need to create a redirection policy.

Under service composer > security policies click add

Choose a name

Skip Guest Introspection and Firewall Rules. Under Network Introspection, click Add.

Choose a name and select the direction of the traffic that gets filtered within the group where this gets applied.

I created two services: one for all incoming traffic to my security groups and one for all outgoing traffic.

Click Next & Finish.

Now click on the newly created security policy

Click Apply.

Select the security group where you want to apply the policy, put it in Selected Objects and click Apply.

With this, traffic should be redirected to Fortigate VMX and the firewalling can be set up there.

My Experience with the NSX 6.2 ICM On-Demand training and the VCP-NV exam

For the people who are only interested in the result: today I passed the VCP-NV exam with 367 points, after following the NSX Install, Configure, Manage (hence the ICM) On-Demand course in May. This training was provided through the partner training funds that my employer TenICT/AnylinQ has been assigned by VMware.

About the NSX ICM On-Demand training.

For the people not familiar with the on-demand training possibilities from VMware: with these courses one has a month to follow a set of computer-narrated lectures covering the same subjects as the official classroom training. Besides this you have access to a digital book belonging to the training. You also have access to a lab environment during this month, where you have to complete all the lab tasks of the training.

Personally, I prefer classroom training since this allows the trainer to deviate from the official training when possible or required: think of explaining things in a slightly different manner or diving deeper into some of the material. Also, the computer-generated voice gets boring pretty fast, and the sound quality went sub-par during some of the chapters. Combine this with a price that is only a fraction lower than the official price and I wouldn’t really recommend it unless you have someone sponsoring it for you.

What the training did provide was a good base for the exam. After this it’s a question of reading blog posts, playing with it in the lab (or Hands-on Labs) and maybe reading a book.

About the exam

So I did the exam, as almost always, at @TheAcademy in Eindhoven, The Netherlands. They have had a new room setup for over a year that I hadn’t been in yet (doing SME jobs has its perks), equipped with what I believe to be 21″ full HD screens. While these don’t provide a better experience for VCP exams, they do for VCAPs, so that’s good to know. There are 77 multiple choice questions and I had two hours to spend on them. This time I didn’t need, and I left the building after 45 minutes; I can read English just as fast as, or sometimes faster than, my native Dutch. The questions were a bit easier than I expected, so maybe that score of 367 should have been a bit higher.

What you need to know

  • What permission level is needed for what (Enterprise Admin, NSX Admin, Auditor, Security Admin)
  • Order of installing things or setting them up
  • Be able to read drawings to follow the packets
  • Be able to create those drawings in your head and follow the packets
  • Some basic command line stuff for example for the controller cluster (only that what can be found in the courseware!)
  • Know your Distributed switches and what they can do
  • VPN Types
  • Best practices
  • What vm/function related to NSX does what
  • Networking basics
  • Numbers & maximums, i.e. how many of what can do what, what’s needed to do that, what number this needs to be, and what the default number for this is

Study Materials Used

  • NSX ICM On-Demand training
  • the links in vmiss’s blog post here
  • The Official Cert Guide. Be aware that the exam is for 6.2 and not the 6.1 of the book, but most still applies.

Do I know NSX inside out now?

No, and do you want to know why? This exam only hits the tip of the iceberg of NSX possibilities; for example, it hardly touches any real configuration, nor does it have a lot of load balancing or nerd-knob settings. For those things you really need a lot more experience and do the VCAP exam. I am not sure if I will be following that path, but this training and exam at least give me enough knowledge to break things in NSX.

And a Queen video for those still reading

The VMware Labs flings monthly for April 2018

It’s been a rather quiet month on the VMware flings front. No wonder, with the vSphere 6.7 and other releases this month. Did you already test them? I have to say I like vSphere 6.7, and I consider the numbering good as well; it wouldn’t have fit to be a 7.* release. One new fling with the PowerCLI for NSX-T Preview, two updated ones with the vSphere HTML5 Web Client and Cross vCenter VM Mobility – CLI. Another fling has gone GA in vSphere 6.7: VMFork for pyVmomi.

PowerCLI Preview for NSX-T

The one thing lacking for NSX-T was PowerCLI availability; this is solved with the release of the PowerCLI Preview for NSX-T fling. Please be aware that the fling still contains bugs and might even be considered an alpha release.

Cross vCenter VM Mobility – CLI

Cross vCenter VM Mobility – CLI is the go-to tool when you want to move VMs between vCenter servers and don’t want to use the GUI fling. The versioning is a bit weird since we already had 1.6 and now they released 1.6.0.

Version 1.6.0

  • Relocate is failing with validation error “cln is missing”.

vSphere HTML5 Web Client

Not sure what exact version of the HTML5 web client went into the vSphere 6.7 release, but here you can find an overview of the functionality; don’t mind the URL, because the text clearly states it’s for 6.7. If you want an even more updated version or want to get used to it in vSphere 6.*, then use the fling.

Fling 3.37 – Build 8313530

New Features

  • Add VM vApp option properties read-only view
  • SRIOV networking in clone wizard customize HW page

Improvements

  • Prevent the user from creating a GOSc spec with no specified timezone
  • Resize the migrate wizard to use the largest possible size based on VMware Clarity design standards

Bug Fixes

  • Drag and Drop VM to folder


NSX 6.2.3 release includes vShield license

Until now, if you wanted agentless anti-malware but did not own full-blown NSX, you needed vShield, which VMware had announced would go EOL in September. As expected, VMware announced NSX 6.2.3 today, which includes a vShield license. Sadly it still only supports anti-malware, so don’t expect a lot of ransomware protection to be done agentless.

The rest of the changes:


Changes introduced in NSX vSphere 6.2.3:

Logical Switching and Routing

NSX Hardware Layer 2 Gateway Integration: expands physical connectivity options by integrating 3rd-party hardware gateway switches into the NSX logical network

New VXLAN Port 4789 in NSX 6.2.3 and later: Before version 6.2.3, the default VXLAN UDP port number was 8472. See the NSX Upgrade Guide for details.

Networking and Edge Services

New Edge DHCP Options: DHCP Option 121 supports static route option, which is used for DHCP server to publish static routes to DHCP client; DHCP Options 66, 67, 150 supports DHCP options for PXE Boot; and DHCP Option 26 supports configuration of DHCP client network interface MTU by DHCP server.

Increase in DHCP Pool, static binding limits: The following are the new limit numbers for various form factors: Compact: 2048; Large: 4096; Quad large: 4096; and X-large: 8192.

Edge Firewall adds SYN flood protection: Avoid service disruptions by enabling SYN flood protection for transit traffic. Feature is disabled by default, use the NSX REST API to enable it.

NSX Edge — On Demand Failover: Enables users to initiate on-demand failover when needed.

NSX Edge — Resource Reservation: Reserves CPU/Memory for NSX Edge during creation. Admin user can modify the CPU/Memory settings after NSX Edge deployment using REST API to configure VM appliances.

Change in NSX Edge Upgrade Behavior: Replacement NSX Edge VMs are deployed before upgrade or redeploy. The host must have sufficient resources for four NSX Edge VMs during the upgrade or redeploy of an Edge HA pair. Default value for TCP connection timeout is changed to 21600 seconds from the previous value of 3600 seconds.

Cross VC NSX — Universal Distributed Logical Router (DLR) Upgrade: Auto upgrade of Universal DLR on secondary NSX Manager, once upgraded on primary NSX Manager

Flexible SNAT / DNAT rule creation: vnicId no longer needed as an input parameter; removed requirement that the DNAT address must be the address of an NSX Edge VNIC.

NSX Edge VM (ESG, DLR) now shows both Live Location and Desired Location. NSX Manager and NSX APIs including GET api/4.0/edges//appliances now return configuredResourcePool and configuredDataStore in addition to current location.

Security Services

Distributed Firewall — TFTP ALG: enables use cases such as network boot for VMs.

Firewall — Granular Rule Filtering: simplifies troubleshooting by providing granular rule filters in UI, based on Source, Destination, Action, Enabled/Disabled, Logging, Name, Comments, Rule ID, Tag, Service, Protocol.

Guest Introspection — Windows 10 support

SSL VPN Client — Mac OS El Capitan support

Service Composer — Performance Improvements: enables faster startup/reboot of NSX Manager by optimizing synchronization between security policy and firewall service, and disabling auto-save of firewall drafts by default.

Service Composer — Status Alarms: raises system alarm if security policy is out-of-sync, and takes specific actions based on alarm code to resolve issue.

Operations and Troubleshooting

NSX Dashboard: Simplifies troubleshooting by providing visibility into the overall health of NSX components in one central view.

Traceflow Enhancement — Network Introspection Services: Enhances ability to trace a packet from source to destination, by identifying whether packets were forwarded to 3rd-party network introspection services, and whether the packet comes back from the 3rd-party service VM or not.

SNMP Support: Configure SNMP traps for events from NSX Manager, NSX Controller, and Edge.

Logging is now enabled by default for SSL VPN and L2 VPN. The default log level is notice.

Firewall rules UI now displays configured IP protocols and TCP/UDP port numbers associated with services.

NSX Edge technical support logs have been enhanced to report memory consumption per process.

Central CLI Enhancements

Central CLI for Host Health: Shows host health status, with 30+ checks in one command (including network config, VXLAN config, resource utilization, etc.)

Central CLI for Packet Capture: Provides ability to capture packet on the host and transfer the capture file to user’s remote server. This eliminates the need to open up hypervisor access to network administrators, when troubleshooting logical network issues.

Technical support bundle per host: Gathers per-host logs and creates a bundle that can be saved and submitted to VMware technical support for assistance.

Licensing Enhancements

Change in default license & evaluation key distribution: default license upon install is “NSX for vShield Endpoint”, which enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only. Evaluation license keys can be requested through VMware sales.

License usage reporting: NSX license usage counts are displayed on NSX Manager’s Summary UI and also retrievable via API. NSX license usage counts will no longer be reported through vCenter licensing service.

Solution Interoperability

Customer Experience Improvement Program: NSX supports reporting system statistics via the VMware Customer Experience Improvement Program (CEIP). Participation is optional and is configured in the vSphere Web Client.

VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX, with monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis and alerts. This version accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2+.