SD-WAN Fortinet Solution Deployment / Configuration Guide
About
This document describes the steps to deploy and configure the Fortinet SD-WAN solution.
Prerequisites
- An administrator-level account in SevOne NMS.
- SSH password for the root account.
- IP address of the PAS.
Installation Steps
SevOne NMS
The following steps perform a from-scratch installation of the Fortinet solution on SevOne NMS.
- Using ssh, log in to the SevOne NMS appliance as root.
$ ssh root@<SevOne NMS appliance IP address>
- Create a directory, for example, Fortinet, in the /root directory.
Example
$ cd /root
$ mkdir Fortinet
- Download the following (latest) files from IBM Passport Advantage (https://www.ibm.com/software/passportadvantage/pao_download_software.html) via Passport Advantage Online. If you are on a legacy / flexible SevOne contract and do not have access to IBM Passport Advantage but have an active Support contract, contact IBM SevOne Support for the latest files. Place the <tar/zip> files in the /root/Fortinet directory.
  - sdwan-fortinet-installation-v6.7.0-build.2.tgz
  - sdwan-fortinet-installation-v6.7.0-build.2.tgz.sha256.txt
  - signature-tools-latest-version-build.<###>.tgz. For example, signature-tools-2.0.1-build.1.tgz
  - signature-tools-latest-version-build.<###>.tgz.sha256.txt. For example, signature-tools-2.0.1-build.1.tgz.sha256.txt
- Execute the following commands to verify the checksum of the code signing tool before extracting it. Proceed with the extraction only when sha256sum reports OK for the tarball; if it reports FAILED, stop and download the files again. A checksum downloaded alongside the archive catches a corrupted or truncated download; the signature check in the next step is what confirms that the solution bundle is the one IBM SevOne published.
$ (cd /root/Fortinet && cat $(ls -Art signature-tools-*.tgz.sha256.txt | tail -n 1) | sha256sum --check)
$ sudo tar xvfz $(ls -Art /root/Fortinet/signature-tools-*.tgz | tail -n 1) -C /
- Verify the signature of the solution .tgz file with SevOne-validate-image, which the previous step extracted into /usr/local/sbin. Do not extract the solution bundle unless the tool reports it as valid.
$ /usr/local/sbin/SevOne-validate-image \
    -i $(ls -Art /root/Fortinet/sdwan-*.tgz | tail -n 1) \
    -s $(ls -Art /root/Fortinet/sdwan-*.tgz.sha256.txt | tail -n 1)
- Make a directory. For example, sdwan-fortinet-installation.
$ mkdir /root/Fortinet/sdwan-fortinet-installation
- Extract the latest build.
$ tar xvfz $(ls -Art /root/Fortinet/sdwan-*.tgz | tail -n 1) -C /root/Fortinet/sdwan-fortinet-installation
You will see the following files in the folder.
- Fortigate.MIBs.spk - It imports two Fortigate MIB files (FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib).
- Fortigate.Certification.spk - It creates one device type Fortinet Fortigate and 58 object types suffixed with (Fortinet Fortigate).
- Fortigate.Interface.SubType.Rules.spk - It imports the interface subtype rules to allow mapping the subtypes.
- Fortigate.Metadata.Schema.spk - It imports the metadata schema for Fortigate devices.
- Fortigate.DeviceGroups.spk - It creates 4 device groups.
- Fortigate.ObjectGroups.spk - It creates 1 object group class (Fortigate) and 6 Object Groups underneath it.
- SDWAN_Solution_Fortinet_Alerts_v1-1.spk - It imports 3 alert policies. All policies are imported as disabled by default.
- Fortigate.TopN.spk - It imports 17 Top N Report views.
- Fortigate.OOTB.Reports.tar - It imports one SevOne Data Insight report and 3 templates.
- Change directory to /root/Fortinet/sdwan-fortinet-installation.
$ cd /root/Fortinet/sdwan-fortinet-installation
- Before importing, check for existing Device Types and Object Types.
  - (If available) Delete the existing Device Type Fortigate under Generic.
  - (If available) Delete existing Object Types suffixed by (Fortigate) to prevent the creation of duplicate objects.
- Import the following spk files in sequence.
- Fortinet Fortigate MIBs
$ SevOne-import --allow-overwrite --file Fortigate.MIBs.spk
- Device Type and Object Types
$ SevOne-import --allow-overwrite --file Fortigate.Certification.spk
- Interface Subtype Rules
$ SevOne-import --allow-overwrite --file Fortigate.Interface.SubType.Rules.spk
- Metadata Schema
$ SevOne-import --allow-overwrite --file Fortigate.Metadata.Schema.spk
- Device Groups
$ SevOne-import --allow-overwrite --file Fortigate.DeviceGroups.spk
- Object Groups
$ SevOne-import --allow-overwrite --file Fortigate.ObjectGroups.spk
- Alert Policies
$ SevOne-import --allow-overwrite --file SDWAN_Solution_Fortinet_Alerts_v1-1.spk
The following alert policies are imported.
- Fortigate - Performance SLA - Latency - 3 Std Dev
- Fortigate - Performance SLA - Jitter - 6 Std Dev
- Fortigate - Performance SLA - Packet Loss - 10 Percent
Note: All alerts are disabled by default.
- TopN Report Views
$ SevOne-import --allow-overwrite --file Fortigate.TopN.spk
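The verification and import steps above are typed one command at a time, so a FAILED checksum does not by itself stop the extraction that follows it, and two separate "newest file" lookups can pair a tarball with a checksum file from a different build when several builds sit in /root/Fortinet. The bash script below is an added example, not SevOne's code and not part of the installation bundle. It chains the same steps so that nothing is extracted or imported unless the step before it succeeded: it derives the checksum file from the chosen tarball's name, extracts only after sha256sum passes, confirms every spk file is present, and imports them in the guide's order, stopping at the first failure. It checks the sha256 only (the SevOne-validate-image signature step is not modelled), and the importer command is a parameter so the script can be exercised with a stand-in instead of SevOne-import. The bundle name, directories and the RUN_INSTALL switch are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not SevOne's code: chain the verify -> extract -> import steps
# so that a failed checksum stops the extraction and a failed import stops the
# sequence. Bundle names, directories and the stand-in importer are assumptions.

# newest_matching DIR GLOB: print the most recently modified file matching GLOB,
# the same selection the guide makes with `ls -Art ... | tail -n 1`.
newest_matching() {
    local dir="$1" glob="$2" newest="" f
    for f in "$dir"/$glob; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest="$f"; fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# verify_bundle TARBALL: succeed only if TARBALL.sha256.txt exists and every
# line in it checks out. Deriving the checksum file from the tarball name keeps
# the pair together; two independent "newest file" lookups can disagree when
# more than one build sits in the download directory.
verify_bundle() {
    local tgz="$1" sums="$1.sha256.txt"
    [ -f "$tgz" ]  || { echo "missing bundle: $tgz" >&2; return 1; }
    [ -f "$sums" ] || { echo "missing checksum file: $sums" >&2; return 1; }
    # sha256sum --check reads "<hash>  <filename>", so run it where the file lives.
    (cd "$(dirname "$tgz")" && sha256sum --check --strict --quiet "$(basename "$sums")")
}

# extract_bundle TARBALL DESTDIR: extract only after the checksum passed.
extract_bundle() {
    local tgz="$1" dest="$2"
    verify_bundle "$tgz" || { echo "refusing to extract $tgz" >&2; return 1; }
    mkdir -p "$dest" && tar xzf "$tgz" -C "$dest"
}

# import_in_order IMPORTER DIR FILE...: run "IMPORTER --allow-overwrite --file
# DIR/FILE" for each file in the order given. All files are checked for
# existence first, and the loop stops at the first failed import because the
# later packages (device types, groups, alerts) build on the earlier ones.
import_in_order() {
    local importer="$1" dir="$2" f
    shift 2
    for f in "$@"; do
        [ -f "$dir/$f" ] || { echo "not found in $dir: $f" >&2; return 1; }
    done
    for f in "$@"; do
        echo "importing $f"
        "$importer" --allow-overwrite --file "$dir/$f" \
            || { echo "import of $f failed; stopping" >&2; return 1; }
    done
}

# The import order given in the guide.
FORTIGATE_IMPORT_ORDER="Fortigate.MIBs.spk Fortigate.Certification.spk
Fortigate.Interface.SubType.Rules.spk Fortigate.Metadata.Schema.spk
Fortigate.DeviceGroups.spk Fortigate.ObjectGroups.spk
SDWAN_Solution_Fortinet_Alerts_v1-1.spk Fortigate.TopN.spk"

# install_solution IMPORTER DOWNLOADS STAGING: the end-to-end, fail-fast run.
install_solution() {
    local importer="$1" downloads="$2" staging="$3" tgz
    tgz="$(newest_matching "$downloads" 'sdwan-*.tgz')" \
        || { echo "no sdwan-*.tgz in $downloads" >&2; return 1; }
    extract_bundle "$tgz" "$staging" || return 1
    # shellcheck disable=SC2086  # word splitting of the ordered list is intended
    import_in_order "$importer" "$staging" $FORTIGATE_IMPORT_ORDER
}

# Real run on the appliance (assumed paths; SevOne-import must be on PATH):
#   RUN_INSTALL=1 bash stage-fortinet.sh
if [ -n "${RUN_INSTALL:-}" ]; then
    install_solution SevOne-import /root/Fortinet /root/Fortinet/sdwan-fortinet-installation
fi
```

Without RUN_INSTALL the file only defines functions, so it can be sourced and the pieces used individually, for example `verify_bundle /root/Fortinet/sdwan-fortinet-installation-v6.7.0-build.2.tgz` before deciding to extract anything. The signature check with SevOne-validate-image still belongs between verify_bundle and extract_bundle on a real appliance.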
SevOne Data Insight
- OOTB Reports on SevOne Data Insight
Method #1 - Import via CLI
$ sevone-cli sdi reports load <REPORTS-TAR-FILE-PATH>
OR
Method #2 - Import via Data Insight
- Log in to your SevOne Data Insight machine by navigating to the appropriate URL in your browser.
- On the Report Manager screen, click the Import button.
- Click or drag a file to upload. For example, Fortigate.OOTB.Reports.tar.
- Select an appropriate datasource from the Datasource drop-down.
- Select the Assign each report to its original owner's username check box to assign the imported reports to their original owner's username.
- Click Upload.
Note:
- Reports can only be imported from a .tar file. Files with any other extension are ignored and no import takes place.
- Reports can be imported to the same or a newer version of SevOne Data Insight than the one they were exported from, by drag and drop into Reports.
- SevOne does not support importing reports from a newer to an older version.
The following is the list of reports imported.
- Fortigate Device Summary
- Fortigate Interface Summary
- Fortigate Performance SLA Tests
- Fortigate Tunnel Summary
- Fortinet Fortigate Dashboard
DNC / Flow Specific Changes
Denying 'Router-Generated' on Flow Rules
Fortinet forwards duplicate flow records for the same conversation, so flows from the Router Generated interface must be denied to avoid double counting. To create the rule, click the Administration menu, select Flow Configuration, and then select Flow Rules. For more details, refer to SevOne NMS System Administration Guide > section Flow Rules.
Supporting Long Flows on SevOne NMS
Flows are dropped when FortiGate devices send flow records with a longer duration than the configured limit. To allow long flows, from the navigation bar, click the Administration menu and select Cluster Manager > Cluster Settings (FlowFalcon), then clear the Drop Long Flows option.
To check the flows received on SevOne NMS, from the navigation bar, click the Administration menu, select Flow Configuration, and then select Flow Interface Manager.
Device Onboarding
To onboard Fortinet devices in SevOne NMS, follow these steps:
- Enter the URL for the SevOne NMS appliance into your web browser to display the Login page. Enter your credentials on the login page and click Login.
- From the navigation bar, click the Devices menu and select Device Manager.
- Click Add Device to display the New Device page.
- On the New Device page, add the following details.
  - In the Name field, enter the device name.
  - In the Alternate Name field, enter an alternate device name. You can search for a device by its alternate name.
  - In the Description field, enter the device description. You can use this to provide additional information about the function, location, or any other pertinent information about the device.
  - In the IP Address field, enter the device IP address.
  - Click the plugin drop-down. By default, it is set to SNMP. Select SDWAN.
  - Select the Enable SDWAN API Integration check box.
  - Click the Vendor drop-down and select the FortiManager option.
  - In the FortiManager URL field, enter the URL of the FortiManager instance.
  - In the Username field, enter the FortiManager username.
  - In the Password field, enter the FortiManager password. SevOne NMS stores this account and uses it to call the FortiManager API, so use a dedicated account for the integration rather than a shared administrator login.
  - Select the Auto-discover and monitor associated FortiGates - Use SNMP Plugin check box to automatically discover and monitor FortiGate devices.
- Click Save As New to save the current changes as a New Device.
- Once the SDWAN plugin is configured, from the plugin drop-down, select plugin SNMP.
- Ensure that the SNMP Capable check box is selected to enable the discovery of SNMP object types and to poll SNMP data on the device.
- Enter the SNMP credentials (Username and Password) for the FortiGate devices. The same credentials are used for every auto-discovered FortiGate, so all FortiGate devices must share the same SNMP credentials.
- Select other options and click Save As New to save the current changes as a New Device. This device is then queued for discovery.
- A new device has been added to the Device Manager screen.
- Click the Devices menu and select Discovery Manager. Here, you will see the device in the discovery queue.
- After the discovery process is completed, the FortiGate devices are visible on the Device Manager screen.
- To retrieve the metadata of a FortiGate device, follow these steps:
  - Choose a device from the list that you wish to view metadata for.
  - Click in the Actions column to open the Edit Metadata pop-up.
  - In the Edit Metadata pop-up, locate the section SDWAN_DEVICES to find the metadata fields.
- To retrieve the metadata of a Fortinet Fortigate object, follow these steps:
  - From the navigation bar, click the Devices menu and select Object Manager.
  - Select an object from the list with the type Virtual WAN Link/Virtual WAN Link (Fortinet Fortigate) or Interface/Interface (Fortinet Fortigate) for which you wish to view metadata.
  - Click in the Actions column to open the Edit Metadata pop-up.
Solution Verification and Customization
Perform the following steps to log on to your SevOne NMS appliance. For more details, refer to SevOne NMS System Administration Guide or SevOne NMS User Guide > section Login.
- Enter the URL for the SevOne NMS appliance into your web browser to display the Login page.
- Enter the credentials and click Login. For example, Username: admin and Password: SevOne
- To check the MIB files imported, click the Administration menu, select Monitoring Configuration, and then select MIB Manager. For more details on MIB Manager, refer to SevOne NMS System Administration Guide > section MIB Manager.
- To check the device groups imported, click the Devices menu and select Grouping, then Device Groups. For more details on Device Groups, refer to SevOne NMS User Guide > section Device Groups.
- To check the object groups imported, click the Devices menu, select Grouping, and then select Object Groups. For more details on Object Groups, refer to SevOne NMS System Administration Guide > section Object Groups. You can change the Object Group Membership Rules based on your network environment.
- Check the Fortinet OOTB reports imported on the SevOne Data Insight machine.
The following is the list of reports imported.
- Fortigate Device Summary
- Fortigate Interface Summary
- Fortigate Performance SLA Tests
- Fortigate Tunnel Summary
- Fortinet Fortigate Dashboard