SlideShare a Scribd company logo

Fortinet & VMware integration

VMUG IT, profile picture
VMUG IT

Fortinet provides virtualized security solutions that can integrate with VMware NSX to enable micro-segmentation and east-west traffic control in software-defined data centers. The FortiGate-VMX integrates directly with the NSX manager to import network segments defined in NSX and apply firewall policies based on these segments. This allows fine-grained security policies to be applied across virtual machines and workloads in the hybrid cloud.

Technology
1 of 34
Downloaded 240 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
© Copyright Fortinet Inc. All rights reserved. Fortinet & VMware Integration VMUGIT Meeting Roma Antonio Gentile Systems Engineer, Italy agentile@fortinet.com 26/09/2016
Agenda • Fortinet Cloud & SDN Vision • Fortinet NSX Integration • Use Cases • Demonstration
3 End-to-End Global Cybersecurity Platform Coverage from Endpoint to Edge to Core to Data Center to Cloud Client Security Secure Access Network Segmentation Application Security Cloud Security Control & Visibility Security Services & Framework USERS NETWORK DATA CENTER FortiGate FortiManager FortiAnalyzer FortiGate for AWS FortiGate VMX FortiClient
4 Fortinet Cloud & SDN Vision Network Security as Agile and Elastic Underlying Infrastructure Virtualization SDN Cloud (IaaS) Cloud (SaaS) vSphere XenServer Hyper-V NSX Physical & Virtual Security Appliances FortiGate FortiManagerFortiSandbox FortiAnalyzer FortiWeb FortiADC FortiDDoSFortiWifiFortiMail
5 Security for the Cloud Virtualization Hypervisor Port Hypervisor Private Cloud SDDC - SDN - Orchestration Integration Public Cloud On-Demand IaaS Cloud Connector API East-West NGFW WAF Management Reporting APT SaaS Cloud Proxy CASI Broker API Hybrid
6 Security Across all of the Network - Global and Local App Control Antivirus Anti-spam IPS Web App Database Web Filtering Vulnerability Management Botnet Mobile Security Cloud Sandbox Deep App Control PartnerFortiWebFortiMailFortiClient FortiGate Threat Researchers Threat Intelligence Exchange FortiSandbox
7 Fortinet Virtualized (Guests) Security Solutions • FortiGate-VM • Unified Threat Management • FortiManager-VM • Centralized Management • FortiAnalyzer-VM • Logging and Reporting • FortiWeb-VM • Web Application Security • FortiMail-VM • Messaging Security • FortiAuthenticator-VM • User Identity Management • FortiADC-VM • Application Delivery • FortiCache-VM • Content Caching • FortiVoice-VM • Complete Business Phone Systems • FortiRecorder-VM • Video Security • FortiSanbox-VM • Advanced Threat Detection
8 Fortinet Virtualized (Guests) Security Solutions • FortiGate-VM • Unified Threat Management • FortiManager-VM • Centralized Management • FortiAnalyzer-VM • Logging and Reporting • FortiWeb-VM • Web Application Security • FortiMail-VM • Messaging Security • FortiAuthenticator-VM • User Identity Management • FortiADC-VM • Application Delivery • FortiCache-VM • Content Caching • FortiVoice-VM • Complete Business Phone Systems • FortiRecorder-VM • Video Security • FortiSanbox-VM • Advanced Threat Detection Guest-VMs
9 Virtual Appliance Platforms – Private and Public Cloud Virtual Appliance VMware Citrix Open Source Amazon Microsoft vSphere v4.0, 4.1 vSphere v5.0 vSphere v5.1, 5.5 vSphere v6.0 Xen Server v5.6 SP2 Xen Server v6.0 Xen KVM AWS Hyper-V 2008 R2 Hyper-V 2012 FortiGate-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiManager-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiAnalyzer-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiWeb-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiMail-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiAuthenticator-VM ✔ ✔ ✔ ✔ ✔ ✔ FortiADC-VM ✔ ✔ ✔ FortiCache-VM ✔ ✔ ✔ ✔ FortiVoice-VM ✔ ✔ ✔ ✔ ✔ ✔ FortiRecorder-VM ✔ ✔ ✔ ✔ ✔ ✔ FortiSandbox-VM ✔ ✔ FortiPrivateCloud ✔ ✔ * * Also available as pay-as-you-go licensing option *
10 Virtual Data Center Security Challenges § Difficult configuration to have security within the same vSwitch and/or forward domain § Perimeter-centric network security has proven insufficient § Use fine-grained network segmentation approach - wrap security control around much smaller groups of resources § Best practice approach from a security perspective, but difficult to apply in traditional environments § Two key operational barriers » throughput capacity » operations/change management East-West Micro-Segmentation Zero-Trust East-West Control Trust No One – Not Even Your End Users
FortiGate VMX with VMware NSX
12 Added Value of Security integration in SDDC Requirements Solution Not just firewall, but advanced features Micro-Segmentation and Zero Trust Control of ‘east-west’ traffic, Inter and Intra VM security, Logical Security Zone (multi-tier) Integration, Orchestration and Automation
13 Key Cloud Security Use Cases Segment End-to-End Traffic Within and Across the Hybrid Cloud or Intra-VM Mitigate increasing concentration of data and risk in consolidated data centers, and across private and public cloud Security Requirements Whitelist-based policy model Fine-grained honeycomb based on user, role, apps, devices Deployable into flat, open networks without disruption Monitor and restrict VPN and data connection between on-premise and public clouds Internet Cloud Internal Network (100 Gbps+) Private Cloud Edge Gateway Data Center ISFW ISFW ISFW ISFWISFW External Internal Hypervisor ISFW SG3 SG2 SG1 FortiGate-VMX Security Node
14 Manage Components for NSX Integration Mandatory Components for NSX Integration Third Party Solution Service Manager Service Appliance ESXi Hosts VMware vCenter Server V5.5 or v6.0 VMware vSphere (Enterprise Plus license v5.5 or v6.0) REST API Fortinet Solution FortiGate-VMX Service Manager FortiGate-VMX Security Appliance
15 FortiGate-VMX and NSX Integration/Interactions dvSwitch FGT-VMX FGT-VMX Pushpolicysynchronizationtoall FortiGate-VMXdeployedincluster 7 Register Fortinet as security service with NSX Manager1 Auto-deployFortiGate-VMX toallhostsinsecuritycluster 2 FortiGate-VMXconnects withFortiGate-VMX ServiceManager 3 License verification & configuration synchronization with FortiGate-VMX 4 NSXSecurityPolicydefinenetwork introspectionrulestoredirecttraffic 5 Real-time updates of object database6 FortiGate-VMX Service Manager
16 FortiGate-VMX and NSX Manager Setup Adding VMware NSX details on FortiGate Service Manager FortiGate VMX Service on NSX Manager
17 FGT-VMX imports NSX Security Groups § On NSX create Security Groups and assign “Objects” Security Groups defined on NSX are automatically created on FGT-VMX
18 FGT-VMX imports NSX Security Groups § On NSX create Security Groups and assign “Objects” § FortiGate VMX automatically imports the Security Groups as a dynamic firewall addresses with the VMs IP address Security Groups defined on NSX are automatically created on FGT-VMX
19 NSX Security Group definition and usage Server SG FortiGate-VMX NSX Manager Service Groups created on NSX Manager automatically get sent to the FortiGate- VMX and are available for Policy Creation Policy Created on FortiGate-VMX using Exchanged Security Group
20 VMware Kernel dvSwitch FGT-VMX and VMWARE NSX Filter Driver Interaction 1 Define NGFW Firewall Policies 2 FGT-VMX NetX NSX Filter Driver int ext Packet Flow 1. From VM to NSX Filter Driver 2. NSX Filter Driver Forward to Third party Solution (FGT-VMX) 3. FGT-VMX applies Security and sends packet back to NSX Filter Driver 4. NSX Filter Driver can do service chaining or send packet to destination FortiGate-VMX Service Manager
21 Policy Creation § Firewall Policy is now IP independent Policy created based on Security Group Internal External DistributedVirtual Switch
22 FortiGate-VMX License Model § One license for the FortiGate-VMX Service Manager § Simple license based on number of FGT-VMX Security Appliance deployed » One FortiGate-VMX license per ESXi host » No limits placed on resources (virtual or hardware), nor number of protected VM workloads Hypervisor with 2 sockets Hypervisor with 1 socket 2 FGT-VMX Licenses 3 FGT-VMX Licenses Hypervisor with 2 sockets Central license server with auto decrement
23 Multiple Services/Customers § Real Multi-tenancy (VDOM) support » Virtual Domain (VDOM) dedicated per tenant or individual security feature » Service Profile and Groups ensure proper segmentation
24 Resource Monitoring § Per Security Appliance instance Resource monitor
25 CLOUD SECURITY
Use Cases
27 TELCO – Use Case – Dedicated Customer Firewall (FortiGate-VM) Web Servers Application Servers Database Servers vSwitch APP Hypervisor vSwitch DBvSwitch WEB vSwitch External Internet •Customer Managed Firewall •Orchestrated Customer Creation •FortiGate-VM to control east-west application traffic • Traffic is required to flow through the FortiGate-VM (L2 or L3) to secure traffic • Intra-VM security requires L2 VDOMs and inter-VDOM link configuration • Physical FortiGate to control north-south traffic App Control Antivirus Anti-spam IPS Web App Web Filtering Botnet Cloud Sandbox
28 ENTERPRISE – NSX Integration Use Case: Function Segmentation with VDOMs Security Group D Security Group C Security Group B VDOM1: IPS VDOM 2: URL Filtering VDOM 3: App Control VDOM 5: Anti-Virus VDOM 6: Anti spam nsx VDOM (on by default): NGFW, IPS, URL Filtering, Anti-Virus etc.. Security Group A • Segmented groups can have unique feature set applied • Provides performance benefits as all groups don’t have identical security requirements • Each department eg.. Human Resources, Legal, Marketing etc. can have it’s own VDOM and it’s own security feature set • Fortinet Patented Virtual Domain Technology • Only Security Vendor to support Virtual Segmentation by Function for Security. VDOM 4: Web Application Firewall
29 ENTERPRISE – NSX Integration Use Case: Function Segmentation with VDOMs Security Group D Security Group C Security Group B VDOM1: IPS VDOM 2: URL Filtering VDOM 3: App Control VDOM 5: Anti-Virus VDOM 6: Anti spam nsx VDOM (on by default): NGFW, IPS, URL Filtering, Anti-Virus etc.. Security Group A VDOM 4: Web Application Firewall
Demo!!
31 Multi-Tier Application Diagram web-01 web-02 Web-01 10.0.1.0/24 .11 .12 External 192.168.195.0/23 App-01 .11 .1 .1 .1 .2 App-02 .12 App-01 10.0.2.0/24 DB-01 .11 .1 DB-01 10.0.3.0/24 Transit-01 172.16.1.0/24 .2 VIP-Web: 192.168.195.143:80 (Web-01:80+Web-02:80) VIP-App: 172.16.1.6:80 (App-01:80+App-02:80) Client to Web: HTTP (80)1 Web to App: HTTP (80)2 App to DB: mysql (3306)3
32 Demonstration - Use Cases 1 § Security Policies for Multi-Tier Application Segmentation » Web Tier allowed to receive request from outside and generate requests to App Tier only » App Tier allowed to receive requests from Web Tier and generate requests to BD Tier only » DB Tier allowed to receive requests from App Tier and not allowed to generate requests App-02 App-01 Web-02 Web-01 DB-01 IPS Web App App Control IPS Antivirus
Questions??
Fortinet & VMware integration

More Related Content

PDF
Stl meetup cloudera platform - january 2020
Adam Doyle
 
PDF
Microsoft Power BI Copilot
essindiaseo
 
PPTX
You Need a Data Catalog. Do You Know Why?
Precisely
 
PPTX
[DSC Europe 22] Overview of the Databricks Platform - Petar Zecevic
DataScienceConferenc1
 
PDF
Mlflow with databricks
Liangjun Jiang
 
PDF
Architect’s Open-Source Guide for a Data Mesh Architecture
Databricks
 
PDF
CDC patterns in Apache Kafka®
confluent
 
PDF
Power the SOC of the Future with scale, speed and choice - Splunk Public Sect...
Splunk EMEA
 
Stl meetup cloudera platform - january 2020
Adam Doyle
 
Microsoft Power BI Copilot
essindiaseo
 
You Need a Data Catalog. Do You Know Why?
Precisely
 
[DSC Europe 22] Overview of the Databricks Platform - Petar Zecevic
DataScienceConferenc1
 
Mlflow with databricks
Liangjun Jiang
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Databricks
 
CDC patterns in Apache Kafka®
confluent
 
Power the SOC of the Future with scale, speed and choice - Splunk Public Sect...
Splunk EMEA
 

What's hot (20)

PDF
Data Storage Formats in Hadoop
Botond Balázs
 
PPTX
Splunking HL7 Healthcare Data for Business Value
Splunk
 
PPTX
Data mesh
ManojKumarR41
 
PDF
The Parquet Format and Performance Optimization Opportunities
Databricks
 
PPTX
vmware_cloud_foundation_on_vxrail_technical_customer_presentation.pptx
VitNguyn252054
 
PPTX
Vce vxrail-customer-presentation new
Jennifer Graham
 
PDF
Modern Data Architecture
Mark Hewitt
 
PDF
Alphorm.com Formation Microsoft Azure (AZ-104) : Administration
Alphorm
 
PDF
Data Analytics Strategies & Solutions for SAP customers
Visual_BI
 
PDF
Cloud-native Semantic Layer on Data Lake
Databricks
 
PDF
Serverless Kafka on AWS as Part of a Cloud-native Data Lake Architecture
Kai Wähner
 
PPTX
Azure purview
Shafqat Turza
 
PDF
Essential Metadata Strategies
DATAVERSITY
 
PPTX
Data Lakehouse, Data Mesh, and Data Fabric (r2)
James Serra
 
PPT
Hadoop Security Architecture
Owen O'Malley
 
PDF
From Data Warehouse to Lakehouse
Modern Data Stack France
 
PDF
Dell Technologies - Company and Portfolio Introduction in 20 Minutes
Smarter.World
 
PDF
Data Governance — Aligning Technical and Business Approaches
DATAVERSITY
 
PPTX
Data platform modernization with Databricks.pptx
CalvinSim10
 
PPTX
Apache Atlas: Why Big Data Management Requires Hierarchical Taxonomies
DataWorks Summit/Hadoop Summit
 
Data Storage Formats in Hadoop
Botond Balázs
 
Splunking HL7 Healthcare Data for Business Value
Splunk
 
Data mesh
ManojKumarR41
 
The Parquet Format and Performance Optimization Opportunities
Databricks
 
vmware_cloud_foundation_on_vxrail_technical_customer_presentation.pptx
VitNguyn252054
 
Vce vxrail-customer-presentation new
Jennifer Graham
 
Modern Data Architecture
Mark Hewitt
 
Alphorm.com Formation Microsoft Azure (AZ-104) : Administration
Alphorm
 
Data Analytics Strategies & Solutions for SAP customers
Visual_BI
 
Cloud-native Semantic Layer on Data Lake
Databricks
 
Serverless Kafka on AWS as Part of a Cloud-native Data Lake Architecture
Kai Wähner
 
Azure purview
Shafqat Turza
 
Essential Metadata Strategies
DATAVERSITY
 
Data Lakehouse, Data Mesh, and Data Fabric (r2)
James Serra
 
Hadoop Security Architecture
Owen O'Malley
 
From Data Warehouse to Lakehouse
Modern Data Stack France
 
Dell Technologies - Company and Portfolio Introduction in 20 Minutes
Smarter.World
 
Data Governance — Aligning Technical and Business Approaches
DATAVERSITY
 
Data platform modernization with Databricks.pptx
CalvinSim10
 
Apache Atlas: Why Big Data Management Requires Hierarchical Taxonomies
DataWorks Summit/Hadoop Summit
 
Ad

Viewers also liked (20)

PDF
Nutanix - Inail User Case
VMUG IT
 
PPTX
Fortinet av
Lan & Wan Solutions
 
PDF
Advanced Threat Protection – ultimátní bezpečnostní řešení
MarketingArrowECS_CZ
 
PPTX
Fortinet
ABEP123
 
PPTX
Advanced Threat Protection
Lan & Wan Solutions
 
PDF
Fortinet security ecosystem
Mark Oakton
 
PPSX
CTAP
Lan & Wan Solutions
 
PDF
NSE7
Łukasz Korbasiewicz
 
PPTX
CTAP
Lan & Wan Solutions
 
PPTX
Devops journey chefpopup-2016.04.26-v2
Chef
 
PPTX
InterVision-Overview.January-2016
Arthur Sobczyk
 
PPTX
OpenStack Foundation 2H 2015 Marketing Plan
OpenStack Foundation
 
PPTX
Cloud Native Applications - DevOps, EMC and Cloud Foundry
Bob Sokol
 
PPT
Fortinet FortiOS 5 Presentation
NCS Computech Ltd.
 
PDF
Intro to Platform9: Private Clouds Made Easy
Platform9
 
PDF
Managing vSphere Across Multiple Regions and Multiple vCenters
Platform9
 
PDF
Patterns and Practices of a Successful DevOps Transformation
Chef
 
PPTX
Achieving DevOps Success with Chef Automate
Chef
 
PDF
Creating a fortigate vpn network & security blog
Kamlesh Mishra Sr. Executive - IT Infra "IT infra Lead"
 
PDF
Chef Automate Workflow Demo
Chef
 
Nutanix - Inail User Case
VMUG IT
 
Fortinet av
Lan & Wan Solutions
 
Advanced Threat Protection – ultimátní bezpečnostní řešení
MarketingArrowECS_CZ
 
Fortinet
ABEP123
 
Advanced Threat Protection
Lan & Wan Solutions
 
Fortinet security ecosystem
Mark Oakton
 
CTAP
Lan & Wan Solutions
 
NSE7
Łukasz Korbasiewicz
 
CTAP
Lan & Wan Solutions
 
Devops journey chefpopup-2016.04.26-v2
Chef
 
InterVision-Overview.January-2016
Arthur Sobczyk
 
OpenStack Foundation 2H 2015 Marketing Plan
OpenStack Foundation
 
Cloud Native Applications - DevOps, EMC and Cloud Foundry
Bob Sokol
 
Fortinet FortiOS 5 Presentation
NCS Computech Ltd.
 
Intro to Platform9: Private Clouds Made Easy
Platform9
 
Managing vSphere Across Multiple Regions and Multiple vCenters
Platform9
 
Patterns and Practices of a Successful DevOps Transformation
Chef
 
Achieving DevOps Success with Chef Automate
Chef
 
Creating a fortigate vpn network & security blog
Kamlesh Mishra Sr. Executive - IT Infra "IT infra Lead"
 
Chef Automate Workflow Demo
Chef
 
Ad

Similar to Fortinet & VMware integration (20)

PDF
PLNOG19 - Michał Taterka - FortiGate-VMX - integracja z VMware NSX
PROIDEA
 
PDF
07 - VMUGIT - Lecce 2018 - Antonio Gentile, Fortinet
VMUG IT
 
PPTX
Software defined security-framework_final
Lan & Wan Solutions
 
PPTX
PeeringOne - Raffcomm Migration Proposal v1.4 (1).pptx
SuriaRao2
 
PDF
VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - Segmentation
VMworld
 
PDF
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
NETSCOUT
 
PPTX
FortiProxy sales presentation-02022020_Vee.pptx
NuttapolMix
 
PDF
VMware NSX for vSphere - Intro and use cases
Angel Villar Garea
 
PPTX
VMWARE Professionals - Security, Multitenancy and Flexibility
Paulo Freitas
 
PPTX
Secure AWS with Fortinet Security Fabric.pptx
Yitao Cen
 
PDF
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Graeme Wood
 
PDF
Vss Security And Compliance For The Cloud
Graeme Wood
 
PPTX
VMware-vShield-Presentation-pp-en-Dec10.pptx
Abasse KPEGOUNI
 
PPTX
Self service it with v realizeautomation and nsx
solarisyougood
 
PDF
Business Agility and Security with VMware
Angel Villar Garea
 
PPT
04 vsx power-r65
Richard Cove
 
PDF
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Khash Nakhostin
 
PPTX
VMware vShield - Overview
Irsandi Hasan
 
PDF
GAMO VMware vCloud Air
GAMO a.s.
 
PDF
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
VMworld
 
PLNOG19 - Michał Taterka - FortiGate-VMX - integracja z VMware NSX
PROIDEA
 
07 - VMUGIT - Lecce 2018 - Antonio Gentile, Fortinet
VMUG IT
 
Software defined security-framework_final
Lan & Wan Solutions
 
PeeringOne - Raffcomm Migration Proposal v1.4 (1).pptx
SuriaRao2
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 1 - Segmentation
VMworld
 
End to End Application Visibility and Troubleshooting Across the Virtual Clou...
NETSCOUT
 
FortiProxy sales presentation-02022020_Vee.pptx
NuttapolMix
 
VMware NSX for vSphere - Intro and use cases
Angel Villar Garea
 
VMWARE Professionals - Security, Multitenancy and Flexibility
Paulo Freitas
 
Secure AWS with Fortinet Security Fabric.pptx
Yitao Cen
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Graeme Wood
 
Vss Security And Compliance For The Cloud
Graeme Wood
 
VMware-vShield-Presentation-pp-en-Dec10.pptx
Abasse KPEGOUNI
 
Self service it with v realizeautomation and nsx
solarisyougood
 
Business Agility and Security with VMware
Angel Villar Garea
 
04 vsx power-r65
Richard Cove
 
Securing Your AWS Global Transit Network: Are You Asking the Right Questions?
Khash Nakhostin
 
VMware vShield - Overview
Irsandi Hasan
 
GAMO VMware vCloud Air
GAMO a.s.
 
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S...
VMworld
 

More from VMUG IT (20)

PDF
04 vmugit aprile_2018_raff_poltronieri
VMUG IT
 
PDF
03 vmugit aprile_2018_veeam
VMUG IT
 
PDF
02 vmugit aprile_2018_il_restodelcarlino
VMUG IT
 
PDF
01 vmugit aprile_2018_bologna_benvenuto
VMUG IT
 
PDF
07 vmugit aprile_2018_massimiliano_moschini
VMUG IT
 
PDF
06 vmugit aprile_2018_alessandro_tinivelli
VMUG IT
 
PDF
05 vmugit aprile_2018_7_layers
VMUG IT
 
PDF
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
VMUG IT
 
PDF
05 - VMUGIT - Lecce 2018 - Raff Poltronieri, CloudItalia
VMUG IT
 
PDF
04 - VMUGIT - Lecce 2018 - Giampiero Petrosi, Rubrik
VMUG IT
 
PPTX
03 - VMUGIT - Lecce 2018 - Massimiliano Mortillaro, Tech Unplugged
VMUG IT
 
PDF
02 - VMUGIT - Lecce 2018 - Enrico Signoretti, OpenIO
VMUG IT
 
PPTX
01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware
VMUG IT
 
PPTX
00 - VMUGIT - Lecce 2018 - Intro
VMUG IT
 
PPTX
Luca dell'oca - italian vmug usercon 2017
VMUG IT
 
PPTX
Luc Dekens - Italian vmug usercon
VMUG IT
 
PPTX
Gianni Resti
VMUG IT
 
PDF
Frank Denneman keynote
VMUG IT
 
PPTX
Vmug 2017 Guido Frabotti
VMUG IT
 
PPTX
Claudio Panerai - Achab
VMUG IT
 
04 vmugit aprile_2018_raff_poltronieri
VMUG IT
 
03 vmugit aprile_2018_veeam
VMUG IT
 
02 vmugit aprile_2018_il_restodelcarlino
VMUG IT
 
01 vmugit aprile_2018_bologna_benvenuto
VMUG IT
 
07 vmugit aprile_2018_massimiliano_moschini
VMUG IT
 
06 vmugit aprile_2018_alessandro_tinivelli
VMUG IT
 
05 vmugit aprile_2018_7_layers
VMUG IT
 
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
VMUG IT
 
05 - VMUGIT - Lecce 2018 - Raff Poltronieri, CloudItalia
VMUG IT
 
04 - VMUGIT - Lecce 2018 - Giampiero Petrosi, Rubrik
VMUG IT
 
03 - VMUGIT - Lecce 2018 - Massimiliano Mortillaro, Tech Unplugged
VMUG IT
 
02 - VMUGIT - Lecce 2018 - Enrico Signoretti, OpenIO
VMUG IT
 
01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware
VMUG IT
 
00 - VMUGIT - Lecce 2018 - Intro
VMUG IT
 
Luca dell'oca - italian vmug usercon 2017
VMUG IT
 
Luc Dekens - Italian vmug usercon
VMUG IT
 
Gianni Resti
VMUG IT
 
Frank Denneman keynote
VMUG IT
 
Vmug 2017 Guido Frabotti
VMUG IT
 
Claudio Panerai - Achab
VMUG IT
 

Recently uploaded (20)

PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
KodekX | Application Modernization Development
KodekX
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Approach and Philosophy of On baking technology
30anthuong17
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Encapsulation theory and applications.pdf
gurumoop
 

Fortinet & VMware integration

  • 1. © Copyright Fortinet Inc. All rights reserved. Fortinet & VMware Integration VMUGIT Meeting Roma Antonio Gentile Systems Engineer, Italy agentile@fortinet.com 26/09/2016
  • 2. Agenda • Fortinet Cloud & SDN Vision • Fortinet NSX Integration • Use Cases • Demonstration
  • 3. 3 End-to-End Global Cybersecurity Platform Coverage from Endpoint to Edge to Core to Data Center to Cloud Client Security Secure Access Network Segmentation Application Security Cloud Security Control & Visibility Security Services & Framework USERS NETWORK DATA CENTER FortiGate FortiManager FortiAnalyzer FortiGate for AWS FortiGate VMX FortiClient
  • 4. 4 Fortinet Cloud & SDN Vision Network Security as Agile and Elastic Underlying Infrastructure Virtualization SDN Cloud (IaaS) Cloud (SaaS) vSphere XenServer Hyper-V NSX Physical & Virtual Security Appliances FortiGate FortiManagerFortiSandbox FortiAnalyzer FortiWeb FortiADC FortiDDoSFortiWifiFortiMail
  • 5. 5 Security for the Cloud Virtualization Hypervisor Port Hypervisor Private Cloud SDDC - SDN - Orchestration Integration Public Cloud On-Demand IaaS Cloud Connector API East-West NGFW WAF Management Reporting APT SaaS Cloud Proxy CASI Broker API Hybrid
  • 6. 6 Security Across all of the Network - Global and Local App Control Antivirus Anti-spam IPS Web App Database Web Filtering Vulnerability Management Botnet Mobile Security Cloud Sandbox Deep App Control PartnerFortiWebFortiMailFortiClient FortiGate Threat Researchers Threat Intelligence Exchange FortiSandbox
  • 7. 7 Fortinet Virtualized (Guests) Security Solutions • FortiGate-VM • Unified Threat Management • FortiManager-VM • Centralized Management • FortiAnalyzer-VM • Logging and Reporting • FortiWeb-VM • Web Application Security • FortiMail-VM • Messaging Security • FortiAuthenticator-VM • User Identity Management • FortiADC-VM • Application Delivery • FortiCache-VM • Content Caching • FortiVoice-VM • Complete Business Phone Systems • FortiRecorder-VM • Video Security • FortiSanbox-VM • Advanced Threat Detection
  • 8. 8 Fortinet Virtualized (Guests) Security Solutions • FortiGate-VM • Unified Threat Management • FortiManager-VM • Centralized Management • FortiAnalyzer-VM • Logging and Reporting • FortiWeb-VM • Web Application Security • FortiMail-VM • Messaging Security • FortiAuthenticator-VM • User Identity Management • FortiADC-VM • Application Delivery • FortiCache-VM • Content Caching • FortiVoice-VM • Complete Business Phone Systems • FortiRecorder-VM • Video Security • FortiSanbox-VM • Advanced Threat Detection Guest-VMs
  • 9. 9 Virtual Appliance Platforms – Private and Public Cloud Virtual Appliance VMware Citrix Open Source Amazon Microsoft vSphere v4.0, 4.1 vSphere v5.0 vSphere v5.1, 5.5 vSphere v6.0 Xen Server v5.6 SP2 Xen Server v6.0 Xen KVM AWS Hyper-V 2008 R2 Hyper-V 2012 FortiGate-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiManager-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiAnalyzer-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiWeb-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiMail-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ FortiAuthenticator-VM ✔ ✔ ✔ ✔ ✔ ✔ FortiADC-VM ✔ ✔ ✔ FortiCache-VM ✔ ✔ ✔ ✔ FortiVoice-VM ✔ ✔ ✔ ✔ ✔ ✔ FortiRecorder-VM ✔ ✔ ✔ ✔ ✔ ✔ FortiSandbox-VM ✔ ✔ FortiPrivateCloud ✔ ✔ * * Also available as pay-as-you-go licensing option *
  • 10. 10 Virtual Data Center Security Challenges § Difficult configuration to have security within the same vSwitch and/or forward domain § Perimeter-centric network security has proven insufficient § Use fine-grained network segmentation approach - wrap security control around much smaller groups of resources § Best practice approach from a security perspective, but difficult to apply in traditional environments § Two key operational barriers » throughput capacity » operations/change management East-West Micro-Segmentation Zero-Trust East-West Control Trust No One – Not Even Your End Users
  • 11. FortiGate VMX with VMware NSX
  • 12. 12 Added Value of Security integration in SDDC Requirements Solution Not just firewall, but advanced features Micro-Segmentation and Zero Trust Control of ‘east-west’ traffic, Inter and Intra VM security, Logical Security Zone (multi-tier) Integration, Orchestration and Automation
  • 13. 13 Key Cloud Security Use Cases Segment End-to-End Traffic Within and Across the Hybrid Cloud or Intra-VM Mitigate increasing concentration of data and risk in consolidated data centers, and across private and public cloud Security Requirements Whitelist-based policy model Fine-grained honeycomb based on user, role, apps, devices Deployable into flat, open networks without disruption Monitor and restrict VPN and data connection between on-premise and public clouds Internet Cloud Internal Network (100 Gbps+) Private Cloud Edge Gateway Data Center ISFW ISFW ISFW ISFWISFW External Internal Hypervisor ISFW SG3 SG2 SG1 FortiGate-VMX Security Node
  • 14. 14 Manage Components for NSX Integration Mandatory Components for NSX Integration Third Party Solution Service Manager Service Appliance ESXi Hosts VMware vCenter Server V5.5 or v6.0 VMware vSphere (Enterprise Plus license v5.5 or v6.0) REST API Fortinet Solution FortiGate-VMX Service Manager FortiGate-VMX Security Appliance
  • 15. 15 FortiGate-VMX and NSX Integration/Interactions dvSwitch FGT-VMX FGT-VMX Pushpolicysynchronizationtoall FortiGate-VMXdeployedincluster 7 Register Fortinet as security service with NSX Manager1 Auto-deployFortiGate-VMX toallhostsinsecuritycluster 2 FortiGate-VMXconnects withFortiGate-VMX ServiceManager 3 License verification & configuration synchronization with FortiGate-VMX 4 NSXSecurityPolicydefinenetwork introspectionrulestoredirecttraffic 5 Real-time updates of object database6 FortiGate-VMX Service Manager
  • 16. 16 FortiGate-VMX and NSX Manager Setup Adding VMware NSX details on FortiGate Service Manager FortiGate VMX Service on NSX Manager
  • 17. 17 FGT-VMX imports NSX Security Groups § On NSX create Security Groups and assign “Objects” Security Groups defined on NSX are automatically created on FGT-VMX
  • 18. 18 FGT-VMX imports NSX Security Groups § On NSX create Security Groups and assign “Objects” § FortiGate VMX automatically imports the Security Groups as a dynamic firewall addresses with the VMs IP address Security Groups defined on NSX are automatically created on FGT-VMX
  • 19. 19 NSX Security Group definition and usage Server SG FortiGate-VMX NSX Manager Service Groups created on NSX Manager automatically get sent to the FortiGate- VMX and are available for Policy Creation Policy Created on FortiGate-VMX using Exchanged Security Group
  • 20. 20 VMware Kernel dvSwitch FGT-VMX and VMWARE NSX Filter Driver Interaction 1 Define NGFW Firewall Policies 2 FGT-VMX NetX NSX Filter Driver int ext Packet Flow 1. From VM to NSX Filter Driver 2. NSX Filter Driver Forward to Third party Solution (FGT-VMX) 3. FGT-VMX applies Security and sends packet back to NSX Filter Driver 4. NSX Filter Driver can do service chaining or send packet to destination FortiGate-VMX Service Manager
  • 21. 21 Policy Creation § Firewall Policy is now IP independent Policy created based on Security Group Internal External DistributedVirtual Switch
  • 22. 22 FortiGate-VMX License Model § One license for the FortiGate-VMX Service Manager § Simple license based on number of FGT-VMX Security Appliance deployed » One FortiGate-VMX license per ESXi host » No limits placed on resources (virtual or hardware), nor number of protected VM workloads Hypervisor with 2 sockets Hypervisor with 1 socket 2 FGT-VMX Licenses 3 FGT-VMX Licenses Hypervisor with 2 sockets Central license server with auto decrement
  • 23. 23 Multiple Services/Customers § Real Multi-tenancy (VDOM) support » Virtual Domain (VDOM) dedicated per tenant or individual security feature » Service Profile and Groups ensure proper segmentation
  • 24. 24 Resource Monitoring § Per Security Appliance instance Resource monitor
  • 27. 27 TELCO – Use Case – Dedicated Customer Firewall (FortiGate-VM) Web Servers Application Servers Database Servers vSwitch APP Hypervisor vSwitch DBvSwitch WEB vSwitch External Internet •Customer Managed Firewall •Orchestrated Customer Creation •FortiGate-VM to control east-west application traffic • Traffic is required to flow through the FortiGate-VM (L2 or L3) to secure traffic • Intra-VM security requires L2 VDOMs and inter-VDOM link configuration • Physical FortiGate to control north-south traffic App Control Antivirus Anti-spam IPS Web App Web Filtering Botnet Cloud Sandbox
  • 28. 28 ENTERPRISE – NSX Integration Use Case: Function Segmentation with VDOMs Security Group D Security Group C Security Group B VDOM1: IPS VDOM 2: URL Filtering VDOM 3: App Control VDOM 5: Anti-Virus VDOM 6: Anti spam nsx VDOM (on by default): NGFW, IPS, URL Filtering, Anti-Virus etc.. Security Group A • Segmented groups can have unique feature set applied • Provides performance benefits as all groups don’t have identical security requirements • Each department eg.. Human Resources, Legal, Marketing etc. can have it’s own VDOM and it’s own security feature set • Fortinet Patented Virtual Domain Technology • Only Security Vendor to support Virtual Segmentation by Function for Security. VDOM 4: Web Application Firewall
  • 29. 29 ENTERPRISE – NSX Integration Use Case: Function Segmentation with VDOMs Security Group D Security Group C Security Group B VDOM1: IPS VDOM 2: URL Filtering VDOM 3: App Control VDOM 5: Anti-Virus VDOM 6: Anti spam nsx VDOM (on by default): NGFW, IPS, URL Filtering, Anti-Virus etc.. Security Group A VDOM 4: Web Application Firewall
  • 31. 31 Multi-Tier Application Diagram web-01 web-02 Web-01 10.0.1.0/24 .11 .12 External 192.168.195.0/23 App-01 .11 .1 .1 .1 .2 App-02 .12 App-01 10.0.2.0/24 DB-01 .11 .1 DB-01 10.0.3.0/24 Transit-01 172.16.1.0/24 .2 VIP-Web: 192.168.195.143:80 (Web-01:80+Web-02:80) VIP-App: 172.16.1.6:80 (App-01:80+App-02:80) Client to Web: HTTP (80)1 Web to App: HTTP (80)2 App to DB: mysql (3306)3
  • 32. 32 Demonstration - Use Cases 1 § Security Policies for Multi-Tier Application Segmentation » Web Tier allowed to receive request from outside and generate requests to App Tier only » App Tier allowed to receive requests from Web Tier and generate requests to BD Tier only » DB Tier allowed to receive requests from App Tier and not allowed to generate requests App-02 App-01 Web-02 Web-01 DB-01 IPS Web App App Control IPS Antivirus