I have been designing NSX solutions for customers for quite some time now, and I am sure you would agree NSX has all the capabilities to transform today's network and security framework. I am also a firm believer in NSX's native firewalling functionality, which strongly optimizes firewall policies and gives you programmatic functionality to play around with while meaning business.
But when it comes to L7 functionality such as IDS/IPS, the NSX Distributed Firewall does not provide it natively; that is what the partner service insertion framework is for. I have recently been involved in designing a solution for a customer looking for an IPS (Intrusion Prevention System) along with NSX. That is where things get a bit complex if you are a beginner in NSX, but hold on, there is a rescue plan as well.
Fortinet’s FortiGate-VMX solution overview:
Fortinet's FortiGate-VMX solution integrates programmatically with the NSX API to deliver firewall and UTM functionality as a service into SDDC deployments. NSX service insertion (guest introspection and network introspection) and service chaining are what make advanced layer 4-7 services such as IDS/IPS available to workloads; FortiGate-VMX is a network introspection service.
VMware NSX has a powerful traffic-steering capability: it intercepts traffic at the hypervisor level, at the vNIC before the packets ever reach the physical network, and redirects it to FortiGate-VMX for advanced security policy enforcement.
There are two required components and one optional component in the solution:
• FortiGate-VMX Service Manager registers the security service definition with NSX and centralizes license management and configuration synchronization for all FortiGate-VMX Security Node instances.
• FortiGate-VMX Security Nodes, one per ESXi host in the protected cluster, receive the redirected traffic and apply the protection policies to it.
• Fortinet FortiAnalyzer (optional) securely aggregates log data from the FortiGate-VMX security solution for network security logging, analysis, and reporting.
FortiGate-VMX Service Manager communicates directly with the NSX environment. The management plane communication is two-way: FortiGate-VMX Service Manager supplies service definitions to NSX Manager, while NSX Manager sends FortiGate-VMX Service Manager real-time updates about new or changed dynamic security groups and objects, on which the policy is based.
FortiGate-VMX uses the VMware NSX Service Composer to implement a new model for consuming network and security services. It allows IT administrators to provision and assign firewall policies and security services to application workloads in real time.
Here is the solution registration workflow:
1. FortiGate-VMX Service Manager registers the Fortinet security service with NSX Manager: the registration uses the NetX management plane API to enable bidirectional communication between FortiGate-VMX Service Manager and NSX Manager.
2. FortiGate-VMX is auto-deployed to all hosts in the security cluster: NSX Manager fetches the FortiGate-VMX image from the URL specified during registration and installs one instance of FortiGate-VMX on each VMware ESXi host in the designated clusters. The image is very small (tens of megabytes), so deployment to each host in the cluster is fast. NSX Manager must be able to reach that URL, and since the image runs as a privileged service VM on every host, it should be served from a trusted location you control.
3. FortiGate-VMX connects to FortiGate-VMX Service Manager: each FortiGate-VMX instance initiates a connection to the Service Manager to register and obtain its license.
4. License verification and configuration synchronization: FortiGate-VMX Service Manager verifies the serial number and synchronizes configuration and policy to the instance.
5. Redirection rules are created for the FortiGate-VMX security service: for all objects secured in the cluster, a rule redirecting the specified traffic to FortiGate-VMX is in place.
6. Real-time updates of the object database: NSX Manager sends FortiGate-VMX Service Manager real-time updates on changes in the virtual environment.
7. FortiGate-VMX Service Manager dynamically synchronizes the object database and policy to all FortiGate-VMX virtual appliance instances deployed in the cluster.
For those of you who have not had your hands dirty with NSX Service Composer yet: it is a built-in tool that defines a new model for consuming network and security services, letting you provision and assign firewall policies and security services to applications in real time in a virtual infrastructure. It lets you create Security Groups with static inclusions (objects specified explicitly, e.g. a VM name, IP address, IP range or logical switch) and dynamic inclusions (selection criteria, e.g. all VMs whose name matches Web-*, or all VMs carrying the security tag DMZ).
For real-time protection of applications and workloads with the FortiGate-VMX solution, a new security tag is created for infected systems. It is assigned dynamically to any system detected as infected; the idea is to block or restrict traffic as soon as an infection is detected, and security tag assignment is how that is achieved.
A security group with dynamic membership is created whose membership criterion is that security tag, so it automatically includes all infected systems: as soon as a VM receives the tag, it becomes a member of the group. On FortiGate-VMX Service Manager, a policy is created for that group which either allows infected systems access only to a restricted (remediation) domain or blocks their traffic entirely, and applies full protection to those flows.
Because this policy is pre-enforced on the security group, the chain is fully automatic: a VM is detected as infected, receives the security tag, becomes a member of the security group, and is immediately subject to the predefined block/restrict policy. This gives precise control over east-west traffic and prevents threats and infections from spreading laterally. One caveat: the quarantine is only as trustworthy as the tagging, so whoever can set or clear that tag through the NSX API effectively controls quarantine, and that API role should be tightly scoped and audited.
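To make the tag-driven quarantine above concrete, here is an added example (not code from the original post, nor Fortinet's or VMware's implementation) that drives the same workflow through the NSX Manager REST API: it builds the payloads for the infected-systems security tag and the dynamic security group keyed on that tag, and attaches or detaches the tag on a VM. Endpoint paths and payload shapes follow the NSX-v 6.x REST API (`/api/2.0/services/securitytags` and `/api/2.0/services/securitygroup`); check them against the API guide for your NSX version. The NSX Manager address, credentials, tag and group names, and the sample list response are assumptions constructed for the example.

```python
"""Added example: NSX-v quarantine mechanics over the NSX Manager REST API.

Assumed values: NSX_MANAGER, tag/group names, credentials. SAMPLE_TAG_LIST is a
constructed response, not captured from a real NSX Manager.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NSX_MANAGER = "https://nsxmgr.example.com"   # assumed NSX Manager address
INFECTED_TAG = "ST.Infected"                 # assumed name for the quarantine tag
QUARANTINE_GROUP = "SG-Quarantine"           # assumed security group name


def build_security_tag_xml(name: str, description: str) -> str:
    """Body for POST /api/2.0/services/securitytags/tag (create the infected-systems tag)."""
    tag = ET.Element("securityTag")
    ET.SubElement(tag, "objectTypeName").text = "SecurityTag"
    ET.SubElement(ET.SubElement(tag, "type"), "typeName").text = "SecurityTag"
    ET.SubElement(tag, "name").text = name
    ET.SubElement(tag, "description").text = description
    ET.SubElement(tag, "extendedAttributes")
    return ET.tostring(tag, encoding="unicode")


def build_quarantine_group_xml(group_name: str, tag_name: str) -> str:
    """Body for POST /api/2.0/services/securitygroup/bulk/globalroot-0.

    The group has no static members; its only rule is "VM carries security tag
    <tag_name>", so tagging a VM is all it takes to pull it into the group and
    under the policy pre-enforced on the group.
    """
    sg = ET.Element("securitygroup")
    ET.SubElement(sg, "objectId")
    ET.SubElement(ET.SubElement(sg, "type"), "typeName")
    ET.SubElement(sg, "description").text = "Dynamic quarantine group (tag-driven)"
    ET.SubElement(sg, "name").text = group_name
    ET.SubElement(sg, "revision").text = "0"
    ET.SubElement(sg, "objectTypeName")
    dset = ET.SubElement(ET.SubElement(sg, "dynamicMemberDefinition"), "dynamicSet")
    ET.SubElement(dset, "operator").text = "OR"
    crit = ET.SubElement(dset, "dynamicCriteria")
    ET.SubElement(crit, "operator").text = "OR"
    ET.SubElement(crit, "key").text = "VM.SECURITY_TAG"
    ET.SubElement(crit, "criteria").text = "contains"
    ET.SubElement(crit, "value").text = tag_name
    return ET.tostring(sg, encoding="unicode")


def membership_rule(group_xml: str) -> tuple:
    """(key, criteria, value) of the group's first dynamic criterion; sanity check before pushing."""
    crit = ET.fromstring(group_xml).find("./dynamicMemberDefinition/dynamicSet/dynamicCriteria")
    return (crit.findtext("key"), crit.findtext("criteria"), crit.findtext("value"))


def parse_object_id(list_xml: str, name: str):
    """objectId of the tag or group called `name` in an NSX list response, or None if absent."""
    for obj in ET.fromstring(list_xml):
        if obj.findtext("name") == name:
            return obj.findtext("objectId")
    return None


class NsxClient:
    """Minimal basic-auth client for NSX Manager. Use verify=False only for lab self-signed certs."""

    def __init__(self, base_url: str, user: str, password: str, verify: bool = True):
        self.base_url = base_url.rstrip("/")
        self.auth = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.ctx = ssl.create_default_context()
        if not verify:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def call(self, method: str, path: str, body: str = None):
        req = urllib.request.Request(self.base_url + path,
                                     data=body.encode() if body else None, method=method)
        req.add_header("Authorization", "Basic " + self.auth)
        req.add_header("Content-Type", "application/xml")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.status, resp.read().decode()

    def quarantine_vm(self, tag_id: str, vm_id: str):
        """Attach the tag (vm_id is the vCenter MoRef, e.g. vm-123); the group picks the VM up."""
        return self.call("PUT", f"/api/2.0/services/securitytags/tag/{tag_id}/vm/{vm_id}")

    def release_vm(self, tag_id: str, vm_id: str):
        """Detach the tag once remediated; the VM leaves the group and the policy no longer applies."""
        return self.call("DELETE", f"/api/2.0/services/securitytags/tag/{tag_id}/vm/{vm_id}")


# Constructed sample of a GET /api/2.0/services/securitytags/tag response (not real data).
SAMPLE_TAG_LIST = """<securityTags>
  <securityTag><objectId>securitytag-10</objectId><name>ST.Infected</name></securityTag>
  <securityTag><objectId>securitytag-11</objectId><name>ST.Web</name></securityTag>
</securityTags>"""


if __name__ == "__main__":
    print(build_security_tag_xml(INFECTED_TAG, "Set on VMs FortiGate-VMX has flagged as infected"))
    print(build_quarantine_group_xml(QUARANTINE_GROUP, INFECTED_TAG))
    print(parse_object_id(SAMPLE_TAG_LIST, INFECTED_TAG))
```

Run the script as-is to see the payloads offline; in a live environment, create the tag and group once, keep the returned `securitytag-N` id, and let your detection workflow call `quarantine_vm()` and, after remediation, `release_vm()`. The account used for these calls is the one that decides what gets quarantined, so give it only the security tag and security group privileges it needs.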
The NSX with FortiGate-VMX security solution combines the flexibility of VMware NSX with the security of Fortinet FortiOS and real-time intelligence updates from FortiGuard Labs. Together, these components provide threat visibility and protection for both east-west and north-south traffic.
This solution also suits scale-up and scale-out scenarios: NSX and FortiGate-VMX ensure that new workloads, and changes to existing workloads, are automatically covered by the FortiGate-VMX security service.
With the automation and orchestration capabilities provided by the NSX API and the single-pane-of-glass visibility and control of FortiGate, this solution provides highly effective security while making data center security management simpler and more efficient.