ssan239
New Contributor III

FortiManager to manage the Forti VNF

Hi Team,

Is it necessary to have a FortiManager to manage the Forti VNF that will be deployed on a VMware SD-WAN edge?

https://docs.vmware.com/en/VMware-SD-WAN/3.3/VMware-SD-WAN-by-VeloCloud-Administration-Guide/GUID-B6...

As per this document, it asks for it,

but is it necessary, or do we have any other way to manage the VNF on the VCE?

Regards,

Sanjay S

ashishrathee
Staff

FortiManager is not mandatory to manage Forti VNFs deployed on a VMware SD-WAN Edge. While the document you referenced may suggest using FortiManager for management, there are alternative methods available. You can manage Forti VNFs on VMware SD-WAN Edge using the VMware SD-WAN Orchestrator or other management tools provided by VMware. It is essential to ensure compatibility and functionality with the specific deployment environment and requirements.

ssan239
New Contributor III

@ashishrathee thank you.

Do you mind sharing any document which will give us more insights on compatibility between the Orchestrator and FortiGate? Also, is there any document on how to set it up?

Regards,

Sanjay S

ssan239
New Contributor III

Any update on this would be much appreciated please.

ffiene
New Contributor

After deploying the FortiGate VNF to the Velocloud Edge, you are able to connect to the FortiGate web interface on the configured IP.
To inspect traffic you must enable the so-called VNF insertion. After that, all traffic goes through a FortiGate in transparent mode.
The biggest issue: without asking your Broadcom SE you have only FortiOS versions up to 6.4.something for deployment. Everything else is "unsupported", but you can upgrade with the FortiOS upgrade functionality. I don't understand why an unsupported FortiOS version is the only supported version on this hardware; it is a simple KVM version.

ffiene
New Contributor

By the way, we have a setup of over 30 of these VNF FortiGates on the Velocloud Edges. So FortiManager is always a good idea if you do not want to play with Ansible, for instance.
HA relies on the Velocloud HA, so there are two independent FortiGate instances without FortiOS HA. That is one reason for me to use FortiManager: when an HA failover has taken place, you can automatically install your firewall policy to the now active one, because it is not accessible in standby.

Toshi_Esumi

That's another reason we didn't go to the FTNT-VNF solution with Broadband/VMware/Velocloud edges. HA operation is very cumbersome and hard to manage.

Toshi

ffiene

It is quite fine with FMG.

And our partner said, they are working on a dedicated HA interface on the VC Edges, because currently only Checkpoint is supported with true HA. FNT and PAN are not.

But they are still sticking to FOS.6.4, so …

ffiene
New Contributor

I even had to tell them why their deployment of a newer version was not possible; they pushed this as part of the config:

config system settings
 set opmode transparent
 set manageip "x.x.x.x/y.y.y.y"
 set inspection-mode "flow"
end


And set "inspection-mode" wasn't a valid option there; this was moved to policies a long time ago. It broke their whole deployment because the whole section was not applied.
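An added example (not from the post, nor Fortinet's or VMware's code): a small pre-push lint in Python that parses a FortiOS-style `config ... end` fragment and flags `set` keys that do not belong to their section, so a stale key like the one above is caught before the orchestrator pushes it and silently drops the whole section. The per-section allow-list is an assumption for illustration only, not the real FortiOS schema.

```python
"""Pre-push lint for a FortiOS-style CLI fragment.

Checks each `set` inside a top-level `config ... end` block against a
per-section allow-list, so a key that was moved elsewhere is reported
before the push instead of invalidating the whole section on the device.
"""
from typing import Dict, List, Set

# Illustrative allow-list (an assumption for this example, not the real
# FortiOS schema): keys accepted under each config section.
KNOWN_KEYS: Dict[str, Set[str]] = {
    "system settings": {"opmode", "manageip"},
    "firewall policy": {"inspection-mode", "srcintf", "dstintf", "action"},
}


def parse_blocks(text: str) -> Dict[str, List[str]]:
    """Return {section: [set keys in order]} for each config ... end block."""
    blocks: Dict[str, List[str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
            blocks.setdefault(section, [])
        elif line == "end":
            section = None
        elif section is not None and line.startswith("set "):
            blocks[section].append(line.split()[1])
    return blocks


def lint(text: str) -> List[str]:
    """List 'section: key' pairs that would make the whole section fail."""
    problems: List[str] = []
    for section, keys in parse_blocks(text).items():
        allowed = KNOWN_KEYS.get(section, set())
        problems.extend(f"{section}: {k}" for k in keys if k not in allowed)
    return problems


# Constructed input: the fragment quoted in the post above.
PUSHED = """
config system settings
 set opmode transparent
 set manageip "x.x.x.x/y.y.y.y"
 set inspection-mode "flow"
end
"""

if __name__ == "__main__":
    for p in lint(PUSHED):
        print("invalid key, section will not apply:", p)
```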

Toshi_Esumi

I wouldn't say "fine" if you have to stick to 6.4. That point itself is a showstopper. It wouldn't satisfy any security audits including PCI-DSS.

Toshi
