© Copyright Fortinet Inc. All rights reserved. Security Automation with VMware NSX and Network Function Virtualization (NFV) [NET1047BES] VMworld 2017 Content: Not for publication or distribution

Jul 19, 2018

Transcript
Page 1

© Copyright Fortinet Inc. All rights reserved.

Security Automation with VMware NSX and Network Function Virtualization (NFV)

[NET1047BES]

Page 2

SESSION OBJECTIVES

• Fortinet in a Nutshell
• Fortinet’s SDDC Security Approach
• Fortinet and VMware’s SDDC Component Integration
• Fortinet’s FortiGate-VMX Licensing Model

Page 3

FORTINET: GLOBAL NETWORK SECURITY LEADER

• 4,700+ employees worldwide
• 100+ offices across the globe
• 395 patents issued, 316 in process
• 3.3m security devices shipped
• 320K customers
• Revenue in excess of $1bn
• $1.46bn in cash
• 30% year on year growth
• Founded in 2000
• Headquartered in Sunnyvale, California

Page 4

CONTINUED GROWTH – TAKING MARKET SHARE

[Chart: Network Security Appliance Shipments, 2009 to 2016, y-axis 0 to 700,000; series: Fortinet, Palo Alto Networks, Cisco, Check Point. Source: IDC WW, 2016]

Page 5

Advanced Security for VMware’s Software Defined Data Center

Page 6

ADDED VALUE OF SECURITY INTEGRATION IN SDDC

• Not just firewall, but advanced features
• Micro-Segmentation and Zero Trust
• Control of ‘east-west’ traffic, Inter and Intra VM security, Logical Security Zone (multi-tier)
• Integration, Orchestration and Automation

Page 7

COMPONENTS FOR NSX FOR VSPHERE INTEGRATION

[Diagram labels:]
Third Party Solution: Service Manager, Service Appliance
VMware: vCenter Server (v5.5 or v6.x), VMware vSphere (Advanced license v5.5 or v6.x), ESXi Hosts
Fortinet Solution: FortiGate-VMX Service Manager, FortiGate-VMX Security Appliance
Connections: Manage, REST API

Page 8

WHAT IS FORTIGATE-VMX?

• Purpose-built security solution with VMware NSX for SDDC which runs in between the VMs
• Full Next Generation security functionality solution in one platform
• Backed by FortiOS™ policy configuration and FortiGuard™ for real time intelligence updates
• Proven multi-tenant capable using virtual domains (VDOM)

[Diagram: Hypervisor hosting Group A, Group B, Group C and a FortiGate-VMX Security Node. Traffic will be redirected through the FortiGate-VMX based on applied policy.]

Page 9

FORTIGATE-VMX INTERACTION / WORKFLOW

[Diagram: NSX Manager, FortiGate-VMX Service Manager, two hosts (VMware Kernel) on a vDistributed Switch.]

1. Register Fortinet as security service with NSX Manager
2. Auto-deploy FortiGate-VMX to all hosts in security cluster
3. FortiGate-VMX connects with FortiGate-VMX Service Manager
4. License verification and configuration synchronization with FortiGate-VMX
5. Redirection policy rules updated for enablement of FortiGate-VMX security service
6. Real-time updates of object database
7. Policy synchronization to all FortiGate-VMX deployed in cluster

Page 10

FORTIGATE-VMX AND VMWARE NSX FILTER DRIVER INTERACTION

[Diagram labels: VMware Kernel, dvSwitch, NetX NSX Filter Driver, FGT-VMX with int and ext interfaces, FortiGate-VMX Service Manager; callout 1: Define NGFW Firewall Policies; callout 2.]

Packet Flow
1. From VM to NSX Filter Driver
2. NSX Filter Driver forwards to Third party Solution (FGT-VMX)
3. FGT-VMX applies Security and sends packet back to NSX Filter Driver
4. NSX Filter Driver can do service chaining or send packet to destination

Page 11

COMPETITIVE ADVANTAGES

Real Multi-tenancy (VDOM) support
- Virtual Domain (VDOM) dedicated per tenant or individual security feature
- Redirection Policy based on FortiGate VDOM ensures proper segmentation

Page 12

COMPETITIVE ADVANTAGES

Real Multi-tenancy (VDOM) support
- Virtual Domain (VDOM) dedicated per tenant or individual security feature
- Redirection Policy based on FortiGate VDOM to ensure proper segmentation
- VDOMs can be used for different use cases

Page 13

COMPETITIVE ADVANTAGES

- Real Multi-tenancy (VDOM) support
- OVF footprint < 40 MB
- Automatic import and update of objects from NSX

Page 14

FORTIMANAGER NSX OBJECTS AND SERVICE MANAGER INTEGRATION

[Diagram labels: FortiManager; NSX Objects (delivered to each device); FortiGate-VMX Service Manager with two FGT-VMX on a dvSwitch; four FortiGate appliances.]

▪ NSX Security Groups Objects imported in FortiManager using Dynamic Objects
▪ FortiManager sends to FortiGate reference to Dynamic Object
▪ Dynamic Objects automatically updated from NSX Manager
▪ NSX Security Groups available in hybrid environment for East-West and North-South security

Page 15

CONFIGURE FIREWALL POLICY FROM FORTIMANAGER

Page 16

NSX SECURITY GROUP DEFINITION AND USAGE

Service Groups created in NSX Manager automatically get sent to the FortiGate-VMX and are available for Policy Creation.

Policy created in FortiGate-VMX using Exchanged Security Group.

[Screenshots: the security group Web-SG in NSX Manager and the same Web-SG object in FortiGate-VMX.]
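The slides on VDOM-based redirection (pages 11 and 12) and on NSX security groups being mirrored into dynamic objects (pages 14 and 16) describe two mechanisms that are easiest to see together: a policy references a group by name rather than by address, NSX membership changes flow into the object database without any policy edit, and a redirection table keyed on the NSX group decides which tenant's VDOM evaluates a flow. The following Python model is an added illustration, not Fortinet or VMware code: the class names, the sync_from_nsx/evaluate API, the VM and group names and the membership data are all invented for the example.

```python
"""Toy model of two mechanisms from the FortiGate-VMX slides:
NSX security groups mirrored into dynamic address objects, and a
per-VDOM redirection table for tenant segmentation.

Added illustration only, not Fortinet or VMware code. Class names, the
sync/evaluate API and all VM/group names are invented; the group
membership below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DynamicObject:
    """Address object whose membership comes from NSX and is never hand-edited."""
    name: str
    members: Set[str] = field(default_factory=set)   # VM names (constructed)


@dataclass
class Policy:
    """One firewall rule inside a VDOM; src/dst name dynamic objects, not IPs."""
    vdom: str
    src: str
    dst: str
    service: str
    action: str   # "accept" or "deny"


class ObjectDatabase:
    """Local mirror of the NSX security groups (slide 9, step 6: real-time updates)."""

    def __init__(self) -> None:
        self.objects: Dict[str, DynamicObject] = {}

    def sync_from_nsx(self, groups: Dict[str, Set[str]]) -> None:
        # Full refresh: new groups appear, deleted groups vanish, membership is replaced.
        self.objects = {name: DynamicObject(name, set(vms)) for name, vms in groups.items()}

    def groups_of(self, vm: str) -> Set[str]:
        return {name for name, obj in self.objects.items() if vm in obj.members}


class SecurityNode:
    """One FortiGate-VMX with a redirection table mapping NSX groups to VDOMs."""

    def __init__(self, db: ObjectDatabase, redirection: Dict[str, str]) -> None:
        self.db = db
        self.redirection = redirection      # NSX security group -> VDOM (hypothetical)
        self.policies: List[Policy] = []

    def select_vdom(self, src_vm: str) -> Optional[str]:
        """Pick the VDOM whose redirection rule matches the source VM's groups."""
        vdoms = {self.redirection[g] for g in self.db.groups_of(src_vm) if g in self.redirection}
        if len(vdoms) > 1:
            # Ambiguous redirection could land one tenant's traffic in another tenant's VDOM.
            raise ValueError(f"{src_vm} matches redirection rules of several VDOMs: {sorted(vdoms)}")
        return next(iter(vdoms), None)

    def evaluate(self, src_vm: str, dst_vm: str, service: str) -> str:
        vdom = self.select_vdom(src_vm)
        if vdom is None:
            return "not-redirected"   # no rule matched: the filter driver never hands us the packet
        src_groups, dst_groups = self.db.groups_of(src_vm), self.db.groups_of(dst_vm)
        for p in self.policies:
            if p.vdom == vdom and p.src in src_groups and p.dst in dst_groups and p.service == service:
                return f"{vdom}:{p.action}"
        return f"{vdom}:deny"         # implicit deny at the end of each VDOM's policy table


def run_demo() -> Dict[str, str]:
    """Constructed scenario: two tenants, one allow rule, one NSX membership change."""
    db = ObjectDatabase()
    db.sync_from_nsx({
        "TenantA-Web-SG": {"a-web-1"},
        "TenantA-DB-SG": {"a-db-1"},
        "TenantB-Web-SG": {"b-web-1"},
    })
    node = SecurityNode(db, {
        "TenantA-Web-SG": "tenantA", "TenantA-DB-SG": "tenantA",
        "TenantB-Web-SG": "tenantB",
    })
    node.policies.append(Policy("tenantA", "TenantA-Web-SG", "TenantA-DB-SG", "MYSQL", "accept"))

    results = {
        "a_web_to_a_db": node.evaluate("a-web-1", "a-db-1", "MYSQL"),
        "b_web_to_a_db": node.evaluate("b-web-1", "a-db-1", "MYSQL"),   # evaluated in tenantB's VDOM
        "new_vm_before_sync": node.evaluate("a-web-2", "a-db-1", "MYSQL"),
    }
    # NSX adds a second web server to the group; no FortiGate policy is touched.
    db.sync_from_nsx({
        "TenantA-Web-SG": {"a-web-1", "a-web-2"},
        "TenantA-DB-SG": {"a-db-1"},
        "TenantB-Web-SG": {"b-web-1"},
    })
    results["new_vm_after_sync"] = node.evaluate("a-web-2", "a-db-1", "MYSQL")
    return results


if __name__ == "__main__":
    for key, verdict in run_demo().items():
        print(f"{key}: {verdict}")
```

The point to take from the run is in the last two entries: the new web server is unknown to the firewall until the object database refreshes, and after the refresh it is covered by the existing rule because the rule names the group, not the VM. The cross-tenant flow is decided in tenant B's VDOM, where tenant A's rule is not visible, so the tenant A allow rule cannot be reached from another tenant's traffic. A VM that matches redirection rules for two VDOMs is rejected rather than silently assigned, since that is exactly the situation that breaks the segmentation the slides claim.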

Page 17

FORTIGATE-VMX LOGS TO FORTIANALYZER

▪ Configuration is done on the FortiGate-VMX Service Manager
▪ Logs are relayed from the FortiGate-VMX to the FortiGate-VMX Service Manager

Page 18

FORTIGATE-VMX LOGS TO FORTIANALYZER

▪ Configuration is done on the FortiGate-VMX Service Manager
▪ Logs are relayed from the FortiGate-VMX to the FortiGate-VMX Service Manager
▪ Only the FortiGate-VMX Service Manager serial number is reported on FortiAnalyzer

Page 19

FORTIGATE-VMX LICENSE MODEL

[Diagram: example hypervisors labelled "Hypervisor with 2 sockets, 2 vCPU, 4 GB", "Hypervisor with 1 socket, 4 vCPU, 8 GB" and "Hypervisor with 2 sockets, 32 vCPU, 16 GB"; callouts "2 FGT-VMX Licenses" and "3 FGT-VMX Licenses".]

▪ One license for the FortiGate-VMX Service Manager
▪ Simple license based on number of FGT-VMX Security Appliances deployed
▪ One FortiGate-VMX license per ESXi host
▪ No limits placed on resources (virtual or hardware), nor number of protected VM workloads

Page 20

© Copyright Fortinet Inc. All rights reserved.

NextGen Firewall use case at KPN

Use case, proof of concept and the next steps. September 12th 2017, VMworld Barcelona

Page 21

Let me introduce myself …

Albert W. Alberts:
▪ Working at KPN since 1999:
▪ Started as Software Engineer
▪ KPN patents
▪ Currently Architect

https://www.linkedin.com/in/albertalberts/ @[email protected]

Page 22

KPN, the company

▪ KPN (Koninklijke PTT Nederland)
▪ Dutch landline and mobile telecommunications company
▪ 4G, 5G, LoRa
▪ Internet Services Provider
▪ TV
▪ ICT-services

Page 23

KPN, the company

▪ 15.000 employees
▪ 6.3 million fixed-line telephone customers
▪ 33 million subscribers in Netherlands, Germany, Belgium, France and Spain
▪ 2.1 million Internet access customers
▪ 1 of 15 worldwide VMware showcase partners

Page 24

KPN CloudNL VMware

Page 25

Page 26

CloudNL features:

• Services are delivered from KPN datacenters within the Netherlands;
• Operational maintenance from within the Netherlands under Dutch law and regulations;
• Assurance through the Cloud Compliance Framework (CCF).

Page 27

Cloud features:

• Self-service management
• Create own infrastructure
• Manage own infrastructure
• Scalable
• Pay-per-use

Page 28

CloudNL VMware, based on VMware technology

• vRealize Automation;
• vRealize Orchestration;
• NSX;
• vCenter & vSphere.

Page 29

How does a customer get it? Interfaces

[Diagram labels: CloudNL VMware; Portal; ReST API; client languages Ruby, Go, Python, C#; vRealize Automation; vRealize Orchestration; Compute resources, Networking resources, Storage resources.]

Page 30

What does a customer get? Default network setup: front-end & back-end

[Diagram labels, Datacenter 1 and Datacenter 2: Internet; Perimeter ESG (default GW); public network, without NAT(ting); NSX Edge pair; Tenant ESG / Tenant A ESG with public IP and private IP; private network, with sNAT(ting); Distributed Logical Router (default GW); VMs; transport network.]

Page 31

What does a customer get? Default network setup: front-end & back-end

[Diagram labels, Datacenter 1 and Datacenter 2: Internet; Perimeter ESG (default GW); public IP, private IP; Tenant ESG, Tenant A ESG, Tenant B ESG; Distributed Logical Router (default GW); VMs; transport network.]

Page 32

Next Gen Firewall Proof-of-concept at KPN CloudNL VMware

Page 33

Next Gen Firewall PoC

Platform requirements:
▪ Integration with NSX
▪ Multi-tenancy within NSX
▪ Multi-tenant self-service portal
▪ Multi-tenant API
▪ Integration with vRealize

Client requirement:
▪ Next Gen Firewall

Page 34

KPN CloudNL VMware, default tenant network

[Diagram labels, Datacenter 1 and Datacenter 2: internet; Core Router; Perimeter ESG (default GW); public network, without NAT(ting); NSX Edge pair; Tenant ESG with public IP and private IP; private network, with sNAT(ting); Distributed Logical Router (default GW); VMs; transport network; restriction of 10 connections; Management network with NSX Manager (config).]

Page 35

KPN CloudNL VMware, default tenant network

[Diagram labels, Datacenter 1 and Datacenter 2: internet; Core Router; Perimeter ESG (default GW); public network, without NAT(ting); NSX Edge pair; Tenant ESG with public IP and private IP; private network, with sNAT(ting); Distributed Logical Router (default GW); VMs; transport network; restriction of 10 connections; Management network with NSX Manager (config) and Fortigate SVM (config); Fortigate-VMX Security Node.]

Page 36

Fortinet SVM
vRealize expected user interface

[Diagram labels: Management plane (SVM per datacenter): vRealize Automation, vRealize Orchestration, Fortigate Service Manager, NSX Manager; Control plane (VMX per vSphere): Fortigate-VMX Security Node (two instances). Legend: = API, = GUI.]

• vRA portal as single “pane of glass”
• GUI only for KPN administrators
• API only via vRO
• Common configuration tasks
• Advanced multi-cloud configuration tasks
• No easy integration with vRealize Automation

Page 37

Fortinet SVM
vRealize actual user interface

[Diagram labels: Management plane (SVM per datacenter): vRealize Automation, vRealize Orchestration, Fortigate Service Manager, NSX Manager; Control plane (VMX per vSphere): Fortigate-VMX Security Node (two instances). Legend: = API, = GUI.]

• GUI only for KPN administrators
• API only via vRO
• A Fortigate Service Manager GUI for each datacenter
• Interface to Fortigate Service Manager in datacenter 1
• Interface to Fortigate Service Manager in datacenter 2
• Possible but not preferred

Page 38

Fortinet SVM
vRealize preferred user interface

[Diagram labels: Management plane (SVM per datacenter): vRealize Automation, vRealize Orchestration, FortiManager, Fortigate Service Manager, NSX Manager; Control plane (VMX per vSphere): Fortigate-VMX Security Node (two instances). Legend: = API, = GUI.]

• GUI only for KPN administrators
• API only via vRO
• vRA portal for simple tasks, FortiManager GUI for more advanced tasks
• Common configuration tasks
• Advanced multi-cloud configuration tasks
• FortiManager solves the dual interface problem but was not available during the PoC. Current status is beta.

Page 39

Next Gen Firewall PoC results

Platform requirements:
▪ Integration with NSX
▪ Multi-tenancy within NSX
▪ Multi-tenant self-service portal
▪ Multi-tenant API
▪ Integration with vRealize

Results:
✗ no, this requires developer effort
✓ but two self-service portals
✓ but two interfaces

Page 40

Next Gen Firewall expected PoC results with FortiManager

Platform requirements:
▪ Integration with NSX
▪ Multi-tenancy within NSX
▪ Multi-tenant self-service portal
▪ Multi-tenant API
▪ Integration with vRealize

Results:
✗ plans to build it for most used configs
✓

Page 41

Questions?

Page 42