
Vmware Fortinet Solution Brief PDF

Uploaded by

Andre Tambayong
SOLUTION BRIEF

Automating Advanced Security for the Software Defined Data Center

Benefits

- Automated deployment and orchestration of FortiGate-VMX for Software Defined Data Centers
- Operationally feasible NSX-based micro-segmentation with advanced threat protection of East-West traffic
- Secured VXLAN segments to enable tiered workload mobility
- Centralized visibility and proactive protection with FortiGuard across virtual and physical environments
- Security services provisioned in minutes

With the growing investment in virtualization, data centers are becoming home to increasing volumes of data and applications. Data center security is proving to be a foundational design aspect when it comes to building the data center of today. Most common data center security architectures today revolve around building a strong perimeter defense to prevent any threats from penetrating the data center. This, however, fails to account for threats that do manage to get through the perimeter: once in, they have unrestricted access to the whole data center. The solution is to protect the data center by controlling traffic as it flows east to west within it.

Another key pain point seen in the deployment phase is the need for manual intervention when deploying and managing an ever-expanding data center, resulting in costly mistakes and in the slowing of growth and expansion.

A Software Defined Data Center (SDDC) approach enables fundamentally better data
center security. Fortinet leverages VMware NSX, the network virtualization pillar of the
SDDC, to fully automate FortiGate-VMX 2.0 for advanced protection of server-server traffic
inside the data center.

NSX enables FortiGate-VMX security nodes to be automatically provisioned and deployed
to each ESXi and allows effective automated configuration of security policies per
workload for maximum consistency and visibility into threats while reducing error-prone
manual intervention.

SOLUTION BRIEF: DELIVERING SOFTWARE-DEFINED SECURITY WITH VMWARE NSX

FortiGate-VMX v2.0 further integrates with VMware NSX Service Composer to implement a new model for consuming network and security services. It allows IT administrators to provision and assign firewall policies and security services to application workloads in real time.

The solution is part of the VMware NSX partner ecosystem and extends the NSX distributed firewalling capability with Fortinet’s advanced firewall. FortiGate-VMX features can be updated in real time with FortiGuard advanced threat intelligence.

Automated Provisioning and Orchestration via VMware NSX

In VMware NSX-enabled datacenters, FortiGate-VMX deployments are fully automated to address elastic workloads and constantly changing (e.g., resizing) ESXi clusters. Policy is dynamically synchronized with all FortiGate-VMX instances in the complete security cluster. The solution supports re-balancing of workloads in the ever-changing environment (e.g., support for vMotion and full DRS clusters).

The NSX distributed firewall is a stateful firewall that runs in the kernel and does L2-L4 traffic filtering. NSX enables policy to be applied at the vNIC or virtual layer and intercepts traffic at the hypervisor level, not allowing any workload to bypass inspection. The NSX firewall steers traffic selectively to FortiGate-VMX based on policy for advanced traffic inspection.

Persistent Security Utilizing VMware NSX Micro-Segmentation

VMware NSX provides inherent network isolation and a “honeycomb” of trust zones to make micro-segmentation easier than ever before. IT administrators can describe the service functions and workload characteristics to designate proper security policies for app, web or data tiers by asking questions like “What will this workload be used for?” “Who can access the workload?” “What is the data sensitivity zoning for each workload?” Micro-segmentation merges these characteristics to define inherited policy attributes as they are added to the security cluster, without the need to configure firewall rules and complex access control policies.

This granular and layered approach to security policy filtering and mapping workload characteristics allows administrators to segment a single policy into sub-policies, and create a network segment to apply security rules. It also provides the East-West inter-VM traffic visibility in the SDDC.

Secure VXLAN Segments with Advanced Protection Across Tiers

To enable communication between Web, App, and Data tiers, VMware utilizes the logical routing function in NSX to create a single logical router instance across distributed switches. In the NSX enabled security cluster, the distributed firewall (DFW) module redirects traffic to a FortiGate-VMX firewall for threat inspection. Security policies defined in the FortiGate-VMX Service Manager are enforced based on workload segments.

Multi Tenancy using Virtual Domains

With Fortinet’s patented Virtual Domain (VDOM) Technology, FortiGate-Service Manager supports the use of multiple VDOMs to allow for effective segmentation between tenants while allowing each tenant complete administrative autonomy over their segment. Fortinet’s virtual portfolio is the only virtual security solution today to support this.

Tenant Function Segmentation with Virtual Domains

Using VDOMs, enterprises are able to apply more effective security policies by segmenting them across both separate departments and application types. This allows the administrator to apply targeted policies tailored to each domain while improving the overall performance of the system. This also provides for unmatched visibility across the network.


Security Orchestration and Automated Provisioning with VMware NSX

The VMware NSX network virtualization platform provides a distributed service framework to enable partner services like FortiGate-VMX to be dynamically inserted, deployed and orchestrated. NSX enables full automation of FortiGate-VMX inside the data center perimeter.

There are two main components in the solution:

- FortiGate-VMX Service Manager not only registers the security service definitions with NSX, but centralizes license management and configuration synchronization with all FortiGate-VMX Security Node instances
- Fortinet FortiGate-VMX Security Node processes runtime traffic and enforces policy

Fortinet FortiAnalyzer (optional) for network security logging, analysis, and reporting securely aggregates log data from the Fortinet FortiGate-VMX security solution

FortiGate-VMX Service Manager communicates directly with the NSX environment. It registers the FortiGate-VMX security service
to allow for enablement and auto-deployment of required FortiGate-VMX Security Nodes. The management plane flow is two-way
in that the FG-VMX Service Manager supplies service definitions to the NSX Manager, while NSX Manager sends updates to the
FortiGate-VMX Service Manager about new or updated dynamic security groups and objects, upon which policy is based in real
time.

FortiGate-VMX Service Manager obtains proactive security threat updates from FortiGuard and synchronizes those updates to all
FortiGate-VMX Security Nodes.

1. Register Fortinet as a security service with NSX Manager
2. Auto-deploy FortiGate-VMX to all hosts in security cluster
3. FortiGate-VMX connects with FortiGate-VMX Service Manager
4. License verification and configuration synchronization with FortiGate-VMX
5. Redirection policy rules updated for enablement of FortiGate-VMX security service
6. Real time updates of object database
7. Push policy synchronization to all FortiGate-VMX deployed in cluster

[Figure: workflow diagram for the numbered steps above; labels: vDistributed Switch, VMware Kernel]

Summary
FortiGate-VMX v2.0 integrated with VMware NSX solution extends the NSX firewall functionality with advanced security services and
allows IT to unlock all the benefits of the software defined data center with agility and efficiency. IT organizations can automatically
provision the delivery of best-in-class security services from Fortinet where management plane, control plane and data plane work
seamlessly in lockstep.

GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
www.fortinet.com/sales

EMEA SALES OFFICE
120 rue Albert Caquot
06560, Sophia Antipolis,
France
Tel: +33.4.8987.0510

APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730

LATIN AMERICA SALES OFFICE
Paseo de la Reforma 412 piso 16
Col. Juarez
C.P. 06600
México D.F.
Tel: 011-52-(55) 5524-8428

Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law
trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other
results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied,
except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in
such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal
lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable. Oct 8, 2015
