• Services
    • Managed Services
      • Managed Virtual Data Center
      • Managed Security Services
      • Managed Services Cloud
      • Managed Networks
    • Consulting
      • Consulting
      • Network Consulting
    • Custom Software
      • Custom Software
      • Consulting for custom software
      • Custom Software Development
      • Cloud Operation for Custom Software
  • Solutions
    • Big Data
      • Big Data
      • Elasticsearch
      • Kafka
      • Data Warehouse
      • Data Lakehouse
      • MLOps
    • Microsoft
      • Microsoft
      • Microsoft Azure
      • Azure VMware Solution
      • Azure Stack
    • AWS
      • AWS Consulting and Managed Cloud Services
      • AWS Managed Service Provider
      • AWS Managed Cloud Migrations
      • AWS Well-Architected
      • AWS Cost Optimization
      • AWS Cloud Services
    • VMware
      • VMware
      • VMware Tanzu
      • Network Virtualization
      • Hyper Converged Infrastructure (HCI)
      • VMware Security
    • Security
      • Security
      • VMware Carbon Black
      • SIEM
      • Cloud Security
      • Penetration Test
    • More
      • Dell
      • Dell VxRail
      • evoila cloud platform
  • References
  • Partners
  • Company
    • Company
    • Leadership
    • Locations
    • Blog
    • Podcasts
  • Careers
    • Working at evoila
    • Open positions
Contact
Language
    Deutsch Deutsch Polski Polski Deutsch (Schweiz) Deutsch (Schweiz) Italiano Italiano English English

NSX integration for Fortinet Fortigate Firewalls

Daniel Krieger
26. August 2024
Reading time: 4 min
NSX integration for Fortinet Fortigate Firewalls

Modern SDN solutions are flexible, fast and effective. The rules of the classic perimeter firewall should be exactly the same. To make life easier, Fortinet has an NSX integration that allows us to write our perimeter rules to dynamic NSX groups.

First things first

The Fortinet NSX integration works via a so-called external connector. For this purpose, the Fortigate contacts the NSX Manager at regular intervals and updates the previously imported groups. This allows us to use dynamic groups that were previously created in NSX using tags, for example.

First we need to configure our connector. To do this, go to the Fortigate at <Security Fabric> / <External Connectors> and click on <Create New>.

01 External Connector

Here we need to enter our NSX Manager, if we have an NSX Manager Cluster then of course the Cluster VIP or FQDN is needed. We can define an update interval, this determines how long it takes to update the groups on the Fortigate. In my lab I chose 30 seconds, depending on the environment lower or higher values may make sense. In a productive environment, the certificate should always be verified. In my homelab environment I deliberately turned this off.

02 External Connector Settings

Importing the dynamic NSX groups

The groups need to be imported via the Fortigate CLI. This is relatively easy to do for all groups and specifically for individual groups. Groups imported this way will be automatically updated in the future. If new groups are configured in NSX, they must be imported via the CLI if they play a role in the rules.

execute nsx group import <SDN Connector> <VDOM> <group>

If you want to import all NSX groups, you need to omit the group name in the CLI call. In the screenshot you can see me importing the dFG_AlpineLinux NSX group. This uses an NSX tag to combine all VMs of type Alpine Linux into one security group.

03 Group Import

In the Fortigate, you can now find the group under <Policy & Objects> / <Addresses> and use it like any other group in firewall policies. The NSX groups can be used not only for firewall rules, but also for policy-based routing via the SD-WAN feature.

04 Firewall Groups

In my example, I am prohibiting the Alpine Linux VMs from accessing the Internet. The current realised group assignment can be checked at any time via <Policy & Objects> / <Addresses> and a double click on the group.

05 Matched Addresses in Firewall Group

Delete groups

Groups need to be deleted manually. The easiest way to do this is via the Fortigate CLI. To do this, execute the following CLI command:

execute nsx group delete <VDOM> <filter>

If you want to delete all groups, you can simply leave the filter empty. If a group is used in a firewall policy, it cannot be deleted and you will receive a message that the group is in use.

Testing the solution

To do this, I log on to the Alpine2 VM and check the current IP. The VM has currently been assigned 172.31.2.10. We can also find this on the Fortigate in our dFG_AlpineLinux group. I am trying to send an ICMP to the Internet, which is blocked by the Fortigate firewall as expected.

06 Test 01

Next, I remove the Alpine Linux tag in the NSX, which ensures that the VM is no longer realised in the dFG_Alpine Linux group on the Fortigate after 30 seconds at the latest.

07 Test 02

Finally, I repeated my ping test. As expected, Internet access is now without any problems.

08 Test 03

Remarks

If the connection to NSX Manager is interrupted, group membership remains at the last synchronised state. This means that in highly dynamic environments, too much or too little traffic may be allowed or blocked. For this reason, the SDN connection should always be monitored. All group changes are saved in the Log SDN Connector Log of the Fortigate.

Use cases

One conceivable scenario would be to enable a dynamic firewall for VMs that are allowed to access the Internet. This can be done in NSX using a tag and a group. Every VM that does not have a tag and is therefore not in the group will be blocked at the Fortigate perimeter firewall.

09 Firewall Rule in FortiOS

The firewall rule allows everything that does not go into RFC1918 networks (private IP range). Of course, this is only a simple example and more complex setups are possible.

Additional information

Fortinet Documentation: Public and private SDN connectors

Get the newsletter

Get the most important tech news in your inbox each week.

Name
Datenschutz(Required)
This field is for validation purposes and should be left unchanged.

Relevant posts

NSX 4.X Certificate exchange of the NSX Manager
NSX 4.X Certificate exchange of the NSX Manager

NSX 4.X Certificate exchange of the NSX Manager Certificate creation First of all, we need a CSR request. This can...

Daniel Krieger

5. April 2024
vSphere with Tanzu – NSX-T + ALB integration
vSphere with Tanzu – NSX-T + ALB integration

In my past blog articles, I wrote about the integration of Antrea with NSX-T and how to implement NSX ALB...

Steven Schramm

12. February 2024
NSX: Sharing the overlay transport VLAN between ESXi TEPs and Edge TEPs
NSX: Sharing the overlay transport VLAN between ESXi TEPs and Edge TEPs

Since NSX-T version 3.1.0 and higher, it is possible under certain circumstances to use the Edge TEP and the Host...

Daniel Krieger

5. December 2023
NSX Identity Firewall – A Case Study With the Flavour VDI
NSX Identity Firewall – A Case Study With the Flavour VDI

DisclaimerThere are of course other ways of using the Identity Firewall. This is the way I have used it with...

Daniel Krieger

2. August 2024
evoila Achieves Fortinet “SD-WAN” and “Secure Connectivity LAN” Specializations
evoila Achieves Fortinet “SD-WAN” and “Secure Connectivity LAN” Specializations

We are pleased to announce that we have acquired two new Fortinet specializations: “SD-WAN” and “Secure Connectivity LAN“. As a...

Simon Köhler

18. December 2024
Scaling with NSX-T and ALB beyond vNIC limits
Scaling with NSX-T and ALB beyond vNIC limits

When using NSX-T for networking in combination with NSX ALB for load balancing in the vSphere IaaS Control Plane, the...

Maximilian Marschall

19. July 2024
Home » Blog » NSX integration for Fortinet Fortigate Firewalls

evoila GmbH
Robert-Bosch-Str. 36
55129 Mainz

+49 61 31 / 95 07 444
info@evoila.de
  • Imprint
  • Privacy Policy
  • Data Protection Applicants
  • Whistleblower
©2025 evoila GmbH