
Delivering Advanced Security Control and Visibility with VMware NSX
VMware NSX and Fortinet FortiGate-VMX
Fortinet: A Global Leader in Network Security Appliances

[Chart 1: Worldwide Network Security Appliance Shipments, 2011-2014 (scale 0-500,000 units).]

[Chart 2: Worldwide Data Center Firewall Unit Share, CY 2012, CY 2013 and 1H 2014 (scale 0-30%). Vendors labelled across the two charts: Cisco (including a “w/o Sourcefire” series), Check Point, Juniper, Palo Alto and McAfee.]
Fortinet Confidential 3
Advanced Threats – Perimeter Security Not Enough

• Nearly 50% open e-mails and click on phishing links within the first hour
• In 60% of cases, attackers are able to compromise an organization within minutes
• Typical duration from breach to cleanup: 6-7 months
From Detection to Containment: Micro-Segmentation

Mitigate advanced threats and the ever-increasing concentration of data and risk in consolidated, multi-tenant environments:
• Declarative, whitelist-based policy model
• Fine-grained honeycomb of control based on users, roles, and other metadata
• Deploy into flat, open networks without disrupting network and infrastructure
FortiGate-VMX with VMware NSX
Deterrents with Traditional Approaches

• Protection has been historically north-south
  » Firewalls at the edge
• Lack of east-west protection
  » No lateral control
• Manual configuration and deployment
  » Slows down growth and expansion
  » Opens up system to potential configuration errors
• Multi-tenancy is an operational challenge
  » Traditional security solutions don’t support multi-tenancy
• Segmenting by security function is a challenge
  » Legacy solutions don’t support security function segmentation
  » All security features need to be enabled for all flows

[Diagram: traditional deployments inside the data center. Traditional firewalls protect against external threats; if a threat or attack can compromise a VM, it can freely spread across or gain access to the rest of the VMs on the same hypervisor.]
A Software-Defined Approach to Security for SDDC

• Security service delivery, agility, and speed
• Centralized policy management with distributed enforcement
• Interoperability between best-of-breed security and infrastructure without requiring backend integration by customer

[Diagram: physical and virtual security appliances (FortiMail, FortiGate, FortiSandbox, FortiManager, FortiAnalyzer, FortiWeb, FortiADC) layered over server virtualization (vSphere), network virtualization (NSX), private cloud, and public/hybrid cloud.]
NSX Security

Distributed Firewall
• High throughput rates on a per-hypervisor basis with in-kernel DFW
• Every hypervisor adds additional east-west firewalling capacity
• Enforcement at virtual interface
• Policies follow workloads

Platform-based Security Operations
• Automated provisioning and workload adds/moves/changes
• Centralized management of single, logical distributed firewall

Extensibility
• Dynamic Fortinet service insertion, deployment, and orchestration
• Standard NSX tagging for context sharing across security controls

[Diagram: Cloud Management Platform over the NSX API with partner extensions; management plane with NSX Manager and Partner Service Manager; NSX Controller; NSX Gateway and NSX vSwitch.]
NSX Platform Extensibility

NSX is the platform for adding additional security services
• Add Fortinet advanced security services to your micro-segmentation deployment for greater security
• Apply the SDDC operational model to your advanced security products
• Adapt to changing security conditions in the data center by enabling security solutions to share intelligence

Traditional Data Center – Static Service Chain
In a traditional data center, security services must be configured when the network is architected, meaning the “chain” of services is locked in once deployed. This is an inefficient use of resources and cannot defend against changing threat conditions.

NSX Data Center – Dynamic Service Chain
In an NSX data center, third-party security solutions use NSX security tags to share intelligence, adapting to changing security conditions. NSX automatically applies the correct security function as needed.

[Diagram: static service chain (services 1, 2, 3 in a fixed order) versus dynamic service chain.]
Fortinet FortiGate-VMX

• Purpose-built security solution with VMware NSX for SDDC
  » VMware-validated for NSX interoperability
• Full next-generation, advanced-security functional solution in one platform
  » Intrusion prevention
  » Application control
  » Antivirus
  » URL filtering
  » Anti-malware
• Backed by FortiOS™ policy configuration and FortiGuard™ for real-time intelligence updates
• Proven multi-tenant capabilities using virtual domains (VDOM)
  » MSSP
  » Large enterprises
NSX Makes Micro-segmentation Operationally Feasible

FortiGate-VMX can be leveraged for workload isolation, segmentation, and advanced security services. Traffic will be redirected through the FortiGate-VMX based on applied policy.

• Transparent service insertion and chaining
• Automatic scale-out protection based on workload security profile
• Policy sync to all FortiGate-VMX Security Nodes deployed in the security cluster
• Policy segmentation and isolation across clustered resources

[Diagram: workload groups A, B and C on a hypervisor, with a FortiGate-VMX Security Node inserted in the traffic path.]
FortiGate-VMX – VMware Platform Prerequisites

• VMware Components:
  » vCenter Server Standard v5.5 Update 2 or later, v6.0
  » vSphere Enterprise Plus license level v5.5 Update 2 or later, v6.0
  » NSX Manager v6.1.3, v6.1.4
• Third-Party Component:
  » Web server
• VMware Technologies:
  » ESXi host cluster enabled with DRS
  » Distributed Switch (management traffic can traverse legacy vSwitch)
  » vSphere Web Client required for NSX Manager add-on
• VMware Configurations:
  » Agent VM Setting required to be set on each ESXi host in cluster (for larger environments; this can also be set during Service Deployment)
FortiGate-VMX Components

• Fortinet Components:
  » FortiGate-VMX Service Manager v5.4 – centralized manager and license repository
  » FortiGate-VMX Security Node v5.4 – enforcement virtual appliance deployed on each ESXi host in cluster
• Fortinet Configurations:
  » No “real” maximum for amount of FortiGate-VMX Security Nodes that can be deployed/managed by FortiGate-VMX Service Manager
  » QA’d to hundreds of FortiGate-VMX Security Nodes
FortiGate-VMX Solution Interaction/Workflow

1. Register Fortinet as security service with NSX Manager
2. Auto-deploy FortiGate-VMX to all hosts in security cluster
3. FortiGate-VMX connects with FortiGate-VMX Service Manager
4. License verification and configuration synchronization with FortiGate-VMX
5. Redirection policy rules updated for enablement of FortiGate-VMX security service
6. Real-time updates of object database
7. Policy synchronization to all FortiGate-VMX deployed in cluster

[Diagram: FortiGate-VMX Service Manager and NSX Manager above a security cluster of ESXi hosts (VMware Kernel) joined by a vDistributed Switch, with a FortiGate-VMX Security Node on each host.]
FortiGate-VMX and NSX Manager Setup

[Screenshot: FortiGate VMX Service on NSX Manager]

[Screenshot: Adding VMware NSX details on FortiGate Service Manager]
NSX Security Groups

• Configuring NSX Dynamic Security Groups
  » Log in to NSX Manager
  » Home -> Networking & Security -> Service Composer -> Security Groups
  » Security Group entities may consist of 14 options:
    - Security Groups
    - Clusters
    - Logical Switches
    - Legacy Port Groups
    - Networks
    - vApps
    - Datacenters
    - IP Sets
    - MAC Sets
    - Security Tags
    - vNICs
    - Virtual Machines
    - Resource Pools
    - Distributed Port Groups
NSX Security Group Definition and Usage

Security Groups created on NSX Manager automatically get sent to the FortiGate-VMX and are available for policy creation.

[Diagram: a “Server SG” security group exchanged between NSX Manager and FortiGate-VMX; policy created on FortiGate-VMX using the exchanged Security Group.]
Policy Creation

Created policy based on Security Group
• Firewall policy may be independent from vDS and DPG configuration

[Diagram: Distributed Virtual Switch with Internal and External sides of the FortiGate-VMX.]
Demo - Configuration & Deployment

Benefit: Auto-Scale Protection for Elastic Workloads

• Enable business units to deliver web/SaaS applications to connect with customers, partners, and users at speed of cloud
• Transparently ensure user confidentiality, data privacy, and compliance
• Orchestrate security through service insertion and chaining
• Auto-scale and provision security services to all affected regions
• Real-time protection for new application
• Distributed security rule sets across clusters and data centers

[Diagram: NSX Manager and FortiGate Service Manager controlling three FortiGate-VMX Security Nodes, one per vSphere host, in front of hosted web servers, databases, application servers, etc.]
Benefit: Internal Segmentation Firewall (ISFW)
Extend East-West Micro-Segmentation Across Data Center, Campus, and Cloud

Expand Internal Segmentation Firewall Functionality
1. Protect north-south traffic as always
2. Add protection between zones inside the network and within the data center
3. Protect within sensitive zones by protecting traffic between VMs in the same zone.

[Diagram: Internet, Edge Gateway and Data Center, with ISFWs placed between the external, internal and private cloud zones on an internal network (100 Gbps+); within the private cloud, NSX Manager, FortiGate Service Manager and a FortiGate-VMX Security Node on the hypervisor segment security groups SG1, SG2 and SG3.]
Advanced Use Cases
Patented Technology – Virtual Domains (VDOM)

• Fortinet-patented virtual domain (VDOM) technology enables versatile configuration and administration
• Each VDOM acts as an independent, logical FortiGate
• VDOMs can be defined across all FortiGate appliances—physical, virtual, and VMX editions
• All FortiOS security and networking capabilities are encapsulated
• Common in telco and service provider data centers for managed services

[Diagram: VDOM 1, VDOM 2 and VDOM 3 on one FortiGate, serving Customer A, Customer B and Customer C.]
Utilizing Fortinet Virtual Domains (VDOMs) with VMware NSX

• Fortinet Virtual Domains (VDOMs) allow network administrators to segment a single FortiGate-VMX Security Node to service different flows that are completely segregated from each other.
• Provides greater flexibility for both Enterprise and Managed Service Providers as seen in the sample Security Policy configurations below.


Use Case: Multi-Tenancy

• Fortinet Patented Virtual Domain Technology
• Only Security Vendor to support complete network segmentation including Administrative Segmentation
• Allows for Multi-Tenancy
• Tenants are segmented securely
• Tenants have complete autonomy over their Security Policy

[Diagram: NSX Manager and FortiGate Service Manager with a FortiGate-VMX Security Node on the hypervisor; web services A1, B1 and C1 for Tenant A, Tenant B and Tenant C are served by VDOM 1: Tenant A, VDOM 2: Tenant B and VDOM 3: Tenant C.]
Use Case: Tenant, Function Segmentation with VDOMs

• Fortinet Patented Virtual Domain Technology
• Only Security Vendor to support Virtual Segmentation by Function for Security.
• Segmented groups can have unique feature sets applied
• Provides performance benefits since groups do not have identical security requirements
• Each department (e.g. Human Resources, Legal, Marketing, etc.) can have its own VDOM and security features set

[Diagram: Security Groups A, B, C and D mapped to function-specific VDOMs. NSX VDOM (on by default): NGFW, IPS, URL Filtering, Antivirus, etc.; VDOM 1: NGFW; VDOM 2: URL Filtering; VDOM 3: App Control; VDOM 4: Antivirus; VDOM 5: Anti-spam.]
Demo – Advanced VDOM Use Case Configuration

Security Policies for Common-VDOM
  Source       Destination   Security Profiles
  Common-SG    Any           AV, WEB, SSL, IPS
  Any          Common-SG     AV, SSL, WEB, IPS

Security Policies for engg-VDOM
  Source       Destination   Security Profiles
  engg-SG      Any           APP
  Any          engg-SG       APP

Security Policies for sales-VDOM
  Source       Destination   Security Profiles
  sales-SG     Any           APP
  Any          sales-SG      APP, PRX
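The model below ties together two points from this deck: security groups defined on NSX Manager are exchanged to the FortiGate-VMX and referenced in its policies, and each VDOM carries its own policy table (the Common-VDOM, engg-VDOM and sales-VDOM tables above). It is an added illustration, not Fortinet or VMware code. The tag names, VM inventory, the REDIRECT map (which VDOM a security group's traffic is sent to) and the rule that source-side groups are consulted before destination-side groups are constructed assumptions; the three policy tables are copied from the demo slide.

```python
"""Illustrative model of NSX security-group exchange feeding per-VDOM FortiGate-VMX policy.

Added example, not Fortinet or VMware code.  NSX-side dynamic group membership is
derived from security tags; the FortiGate-VMX side holds one policy table per VDOM.
REDIRECT, the VM names and the tag names are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ANY = "Any"


@dataclass(frozen=True)
class VM:
    name: str
    tags: FrozenSet[str]          # NSX security tags attached to the VM


@dataclass(frozen=True)
class SecurityGroup:
    """NSX dynamic security group whose membership rule is 'VM carries this security tag'."""
    name: str
    required_tag: str

    def members(self, inventory: List[VM]) -> Set[str]:
        return {vm.name for vm in inventory if self.required_tag in vm.tags}


@dataclass(frozen=True)
class Policy:
    src: str                      # exchanged security-group name, or ANY
    dst: str
    profiles: Tuple[str, ...]     # security profiles applied to the matching flow


@dataclass
class Vdom:
    """One FortiGate-VMX virtual domain with its own policy table (first match wins)."""
    name: str
    policies: List[Policy] = field(default_factory=list)

    def match(self, src_groups: Set[str], dst_groups: Set[str]) -> Optional[Policy]:
        for p in self.policies:
            if (p.src == ANY or p.src in src_groups) and (p.dst == ANY or p.dst in dst_groups):
                return p
        return None


# Policy tables taken from the demo slide (Common-VDOM, engg-VDOM, sales-VDOM).
VDOMS = {
    "Common-VDOM": Vdom("Common-VDOM", [
        Policy("Common-SG", ANY, ("AV", "WEB", "SSL", "IPS")),
        Policy(ANY, "Common-SG", ("AV", "SSL", "WEB", "IPS")),
    ]),
    "engg-VDOM": Vdom("engg-VDOM", [
        Policy("engg-SG", ANY, ("APP",)),
        Policy(ANY, "engg-SG", ("APP",)),
    ]),
    "sales-VDOM": Vdom("sales-VDOM", [
        Policy("sales-SG", ANY, ("APP",)),
        Policy(ANY, "sales-SG", ("APP", "PRX")),
    ]),
}

# Constructed assumption: which VDOM each security group's traffic is redirected to.
REDIRECT = {"Common-SG": "Common-VDOM", "engg-SG": "engg-VDOM", "sales-SG": "sales-VDOM"}

# Constructed sample groups and inventory (tag names are made up for this example).
GROUPS = [SecurityGroup("Common-SG", "tag.common"),
          SecurityGroup("engg-SG", "tag.engg"),
          SecurityGroup("sales-SG", "tag.sales")]
INVENTORY = [VM("web-01", frozenset({"tag.common"})),
             VM("build-01", frozenset({"tag.engg"})),
             VM("crm-01", frozenset({"tag.sales"})),
             VM("scratch-01", frozenset())]          # untagged: member of no group


def group_memberships(groups: List[SecurityGroup], inventory: List[VM]) -> Dict[str, Set[str]]:
    """NSX Manager side: VM name -> set of dynamic groups it currently belongs to."""
    membership: Dict[str, Set[str]] = {vm.name: set() for vm in inventory}
    for g in groups:
        for vm_name in g.members(inventory):
            membership[vm_name].add(g.name)
    return membership


def evaluate_flow(membership: Dict[str, Set[str]], src_vm: str, dst_vm: str) -> Tuple[str, str, Tuple[str, ...]]:
    """FortiGate-VMX side: returns (vdom, verdict, profiles) for a src -> dst flow.

    Source-side groups are consulted for redirection before destination-side groups
    (an assumption of this model).  A redirected flow with no matching policy in its
    VDOM is denied, reflecting the whitelist policy model; a flow touching no security
    group is not redirected to the service at all.
    """
    src_groups = membership.get(src_vm, set())
    dst_groups = membership.get(dst_vm, set())
    for group in sorted(src_groups) + sorted(dst_groups):
        vdom_name = REDIRECT.get(group)
        if vdom_name is None:
            continue
        policy = VDOMS[vdom_name].match(src_groups, dst_groups)
        if policy is None:
            return vdom_name, "deny", ()
        return vdom_name, "accept", policy.profiles
    return "", "not-redirected", ()


def retag(inventory: List[VM], vm_name: str, tags: Set[str]) -> List[VM]:
    """Change a VM's security tags; group membership, and so policy, follow automatically."""
    return [VM(vm.name, frozenset(tags)) if vm.name == vm_name else vm for vm in inventory]


if __name__ == "__main__":
    members = group_memberships(GROUPS, INVENTORY)
    print(evaluate_flow(members, "web-01", "build-01"))       # Common-VDOM: AV, WEB, SSL, IPS
    print(evaluate_flow(members, "scratch-01", "crm-01"))     # sales-VDOM: APP, PRX
    moved = group_memberships(GROUPS, retag(INVENTORY, "scratch-01", {"tag.engg"}))
    print(evaluate_flow(moved, "scratch-01", "crm-01"))       # now engg-VDOM: APP
```

The retag call at the end is the "policies follow workloads" point from the NSX Security slide: no policy line changes when a VM is re-tagged, only its group membership, and the flow lands in a different VDOM with that VDOM's profile set.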

About Fortinet
FortiGate
Scalable Network Security Platform from Branch, to Data Center, to Cloud

[Chart: FortiGate product range plotted against throughput from 1 Gbps, 3 Gbps, 8 Gbps, 50 Gbps, 80 Gbps and 320 Gbps up to 1 Tbps, with hardware labels (SoC, NP, CP, CPU, multi-core CPU). Product lines shown: 30-90 Series (UTM), 100-200 Series, 300-900 Series (NGFW & NGIPS), 1000 Series, 3000 Series (DCFW/CCFW), 5000 Series (personality, performance & scalability) and VM Series (CFW & VMFW), with ISFW positioned among them. Product range: Entry Level, Mid-Range, High-End, Virtual Appliances.]

Software & Services: FortiGuard Security Services, FortiOS Operating System, FortiCare Support Services
NSS Labs Validated Performance and Protection
Fortinet Consistently “Recommended” for Performance, Security Effectiveness, TCO

X-axis = TCO per protected Mbps (“Value”); Y-axis = Security Effectiveness
Upper right quadrant = “Recommended”; lower left quadrant = “Caution”; other quadrants “Neutral”

[Charts: NSS Labs value maps for NGFW, Breach Detection and Next Generation IPS, plotting Fortinet against Competitor A, Competitor B and Competitor C.]
The Fortinet + VMware Advantage

FAST
• Improved performance sitting between hypervisor and workload
• Faster deployment through NSX automation

SECURE
• Best-in-class security effectiveness as recommended by NSS Labs, VB100, etc.
• Rich, consistent feature set from common OS across all FortiGate platforms
• Tenant Function Segmentation, Multi-tenancy using VDOMs

GLOBAL
• Real-time updates from FortiGuard Labs
Where to get started
The things you need to do…
• Visit the Resource Centers
• Test out NSX in the free hands-on Lab
• Chat with NSX experts

Where to start projects?
A tangible place to get the most bang per buck
• Intra-data center micro-segmentation
• IT automating IT

Thank you
