FortiManager to manage the Forti VNF
Hi Team,
Is it necessary to have a FortiManager to manage the Forti VNF that will be deployed on a VMware SD-WAN edge? As per this document it asks for it, but is it necessary, or do we have any other way to manage the VNF on the VCE?
Regards,
Sanjay S
FortiManager is not mandatory to manage Forti VNFs deployed on a VMware SD-WAN Edge. While the document you referenced may suggest using FortiManager for management, there are alternative methods available. You can manage Forti VNFs on VMware SD-WAN Edge using the VMware SD-WAN Orchestrator or other management tools provided by VMware. It is essential to ensure compatibility and functionality with the specific deployment environment and requirements.
@ashishrathee thank you.
Do you mind sharing any document which will give us more insights on compatibility between Orchestrator and FortiGate? Also, is there any document on how to set it up?
Regards,
Sanjay S
Any update on this would be much appreciated please.
After deploying the FortiGate VNF to the Velocloud Edge, you are able to connect to the FortiGate web interface on the configured IP.
To inspect traffic you must enable the so-called VNF insertion. After that, all traffic goes through a FortiGate in transparent mode.
The biggest issue: without asking your Broadcom SE you have only FortiOS versions up to 6.4.something for deployment. Everything else is "unsupported", but you can upgrade with the FortiOS upgrade functionality. I don't understand why an unsupported FortiOS version is the only supported version on this hardware; it is a simple KVM version.
By the way, we have a setup of over 30 of these VNF FortiGates on the Velocloud Edges. So FortiManager is always a good idea, if you do not want to play with Ansible for instance.
HA relies on the Velocloud HA, so there are two independent FortiGate instances without FortiOS HA. That is one reason for me to use FortiManager: when an HA failover takes place, you can automatically install your firewall policy to the now-active one, because it is not accessible in standby.
That's another reason we didn't go to the FTNT-VNF solution with Broadband/VMware/Velocloud edges. HA operation is very cumbersome and hard to manage.
Toshi
Created on 01-06-2025 12:32 PM Edited on 01-06-2025 12:33 PM
It is quite fine with FMG.
And our partner said, they are working on a dedicated HA interface on the VC Edges, because currently only Checkpoint is supported with true HA. FNT and PAN are not.
But they are still sticking to FOS.6.4, so …
Created on 01-06-2025 12:40 PM Edited on 01-06-2025 12:41 PM
I even had to tell them why their deployment of a newer version was not possible; they pushed this as part of the config:
config system settings
    set opmode transparent
    set manageip "x.x.x.x/y.y.y.y"
    set inspection-mode "flow"
end
And set "inspection-mode" wasn't a valid option there; this was moved to policies a long time ago. It broke their whole deployment because the whole section was not applied.
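As an added illustration of the pre-deployment check that would have caught this, here is a small lint script for FortiOS CLI snippets. It is my own example, not code from the thread, from Fortinet or from VMware. It walks the config / edit / next / end nesting, records every `set` inside a block, and flags keys listed as invalid for that context; because FortiOS drops the whole section when one line is rejected, the finding also lists the sibling settings that would be lost. The only rule in its table is the one this post describes (inspection-mode belongs to firewall policies, not to system settings); the two sample snippets are constructed, with the second one showing the setting moved into a policy.

```python
"""Pre-deployment lint for FortiOS CLI snippets (constructed example).

Walks the config / edit / next / end nesting, records every `set` inside a
block, and flags keys that are not valid in that context. Because FortiOS
rejects the whole block when one line is invalid, the finding also lists the
sibling settings that would silently be lost.
"""
from dataclasses import dataclass, field

# (innermost "config ..." name, set key) -> reason. Only the case from the
# thread is listed; extend the table with whatever your target release rejects.
INVALID_KEYS = {
    ("system settings", "inspection-mode"):
        "inspection-mode is configured per firewall policy, not under system settings",
}


@dataclass
class Finding:
    line_no: int
    context: str
    key: str
    reason: str
    lost_siblings: list = field(default_factory=list)


def _context(stack):
    """Name of the nearest enclosing `config` block, e.g. 'system settings'."""
    for kind, name in reversed(stack):
        if kind == "config":
            return name
    return ""


def lint_fortios(text):
    """Return a list of Finding objects for every invalid `set` in `text`."""
    stack = []     # [("config", name) | ("edit", id)], innermost last
    blocks = []    # one list of (line_no, key, value) per open block
    findings = []

    def close_block():
        if not stack:          # tolerate a stray `end` / `next`
            return
        ctx = _context(stack)
        stack.pop()
        settings = blocks.pop()
        for line_no, key, _value in settings:
            if (ctx, key) in INVALID_KEYS:
                siblings = [k for _, k, _ in settings if k != key]
                findings.append(Finding(line_no, ctx, key, INVALID_KEYS[(ctx, key)], siblings))

    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, _, rest = line.partition(" ")
        rest = rest.strip()
        if verb in ("config", "edit"):
            stack.append((verb, rest))
            blocks.append([])
        elif verb in ("next", "end"):
            close_block()
        elif verb == "set" and stack:
            key, _, value = rest.partition(" ")
            blocks[-1].append((line_no, key, value.strip()))

    while stack:               # unterminated blocks still get checked
        close_block()
    return findings


# Constructed snippets: the first mirrors what the post describes, the second
# moves inspection-mode into a firewall policy where FortiOS expects it.
SAMPLE_BROKEN = """\
config system settings
    set opmode transparent
    set manageip "x.x.x.x/y.y.y.y"
    set inspection-mode "flow"
end
"""

SAMPLE_FIXED = """\
config system settings
    set opmode transparent
    set manageip "x.x.x.x/y.y.y.y"
end
config firewall policy
    edit 1
        set inspection-mode flow
    next
end
"""


def format_findings(findings):
    """Human-readable report; an empty string means the snippet passed."""
    lines = []
    for f in findings:
        lines.append(f"line {f.line_no}: 'set {f.key}' is invalid under 'config {f.context}': {f.reason}")
        if f.lost_siblings:
            lines.append("    whole block would be rejected; also lost: " + ", ".join(f.lost_siblings))
    return "\n".join(lines)


if __name__ == "__main__":
    for name, snippet in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        report = format_findings(lint_fortios(snippet))
        print(f"[{name}] " + (report or "no findings"))
```

Run against the broken snippet it reports line 4 and points out that opmode and manageip would be lost with it, which is exactly the failure mode described in the post; the same table can be grown per target FortiOS release so that a pushed config is checked before the orchestrator applies it.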
I wouldn't say "fine" if you have to stick to 6.4. That point itself is a showstopper. It wouldn't satisfy any security audits including PCI-DSS.
Toshi