SD-WAN Fortinet Solution Deployment / Configuration Guide
ABOUT
This document describes the steps to deploy and configure the Fortinet SD-WAN solution.
PREREQUISITES
- An administrator-level account in SevOne NMS.
- SSH password for the tmp account.
- IP address of the PAS.
INSTALLATION STEPS
➤ SevOne NMS
The following steps perform a from-scratch installation of the Fortinet solution on SevOne NMS.
- Using ssh, log in to the SevOne NMS appliance as root.
ssh root@<SevOne NMS appliance IP address>
- To install the SPK files, execute the following commands in the sequence shown below.
- To list all the podman containers along with their IDs:
podman ps
- To execute the commands in the container:
podman exec -it <nms_container_id_or_name> /bin/bash
- To create the path:
cd /tmp/
mkdir Fortinet
cd /tmp/Fortinet
- Download the following (latest) files from IBM Passport Advantage (https://www.ibm.com/software/passportadvantage/pao_download_software.html) via Passport Advantage Online. However, if you are on a legacy / flexible SevOne contract and do not have access to IBM Passport Advantage but have an active Support contract, please contact IBM SevOne Support for the latest files. You must place the <tar/zip> files in the /tmp/Fortinet directory.
- sdwan-fortinet-installation-v7.1.0-build.<###>.tgz
- sdwan-fortinet-installation-v7.1.0-build.<###>.tgz.sha256.txt
- signature-tools-<latest-version>-build.<latest>.tgz
- signature-tools-<latest-version>-build.<latest>.tgz.sha256.txt
- Execute the following commands to verify the checksum of the code signing tool before extracting it.
(cd /tmp/Fortinet && cat $(ls -Art signature-tools-*.tgz.sha256.txt | \
    tail -n 1) | sha256sum --check)
sudo tar xvfz $(ls -Art /tmp/Fortinet/signature-tools-*.tgz | \
    tail -n 1) -C /tmp/Fortinet
- Verify the signature of the Solutions .tgz files.
sh usr/local/sbin/SevOne-validate-image \
    -i $(ls -Art /tmp/Fortinet/sdwan-*.tgz | tail -n 1) \
    -s $(ls -Art /tmp/Fortinet/sdwan-*.tgz.sha256.txt | tail -n 1)
- Make a directory. For example, sdwan-fortinet-installation.
mkdir /tmp/Fortinet/sdwan-fortinet-installation
- Extract the latest build.
tar xvfz $(ls -Art /tmp/Fortinet/sdwan-*.tgz | \
    tail -n 1) -C /tmp/Fortinet/sdwan-fortinet-installation
You will see the following files in the folder.
- Fortigate.MIBs.spk - it imports two Fortigate MIB files (FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib).
- Fortigate.Certification.spk - it creates one device type Fortinet Fortigate and 58 object types suffixed with (Fortinet Fortigate).
- Fortigate.Interface.SubType.Rules.spk - it imports the interface subtype rules to allow mapping the subtypes.
- Fortigate.Metadata.Schema.spk - it imports the metadata schema for Fortigate devices.
- Fortigate.DeviceGroups.spk - it creates 4 device groups.
- Fortigate.ObjectGroups.spk - it creates 1 object group class (Fortigate) and 6 Object Groups underneath it.
- SDWAN_Solution_Fortinet_Alerts_v1-1.spk - it imports 3 alert policies. All policies are imported as disabled by default.
- Fortigate.TopN.spk - it imports 17 Top N Report views.
- Fortigate.OOTB.Reports.tar - it imports one SevOne Data Insight report and 3 templates.
- Change directory to /tmp/Fortinet/sdwan-fortinet-installation.
cd /tmp/Fortinet/sdwan-fortinet-installation
- Please check the following things for existing Device Types and Object Types.
- (If available) Delete existing Device Type Fortigate which is available under Generic.
- (If available) Delete existing Object Types suffixed by (Fortigate) to prevent the creation of duplicate objects.
- Import the following spk files in sequence.
- Fortinet Fortigate MIBs
SevOne-import --allow-overwrite --file Fortigate.MIBs.spk
- Device Type and Object Types
SevOne-import --allow-overwrite --file Fortigate.Certification.spk
- Interface Subtype Rules
SevOne-import --allow-overwrite --file Fortigate.Interface.SubType.Rules.spk
- Metadata Schema
SevOne-import --allow-overwrite --file Fortigate.Metadata.Schema.spk
- Device Groups
SevOne-import --allow-overwrite --file Fortigate.DeviceGroups.spk
- Object Groups
SevOne-import --allow-overwrite --file Fortigate.ObjectGroups.spk
- Alert Policies
SevOne-import --allow-overwrite --file SDWAN_Solution_Fortinet_Alerts_v1-1.spk
The following is the list of alerts imported.
- Fortigate - Performance SLA - Latency - 3 Std Dev
- Fortigate - Performance SLA - Jitter - 6 Std Dev
- Fortigate - Performance SLA - Packet Loss - 10 Percent
Important: All alerts are disabled by default.
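For the checksum step earlier in this section (verify the archive before extracting it), the following added example, which is not SevOne tooling or code from the original guide, makes extraction conditional on the check and goes one step further by refusing archives whose member paths are absolute or contain "..". The function names and return codes are hypothetical, and the script assumes the .sha256.txt file begins with the hex digest.

```shell
#!/bin/sh
# Added example (not SevOne tooling): fail-closed checksum gate before extraction.
# Assumption: the .sha256.txt file starts with the hex digest, as in the
# `sha256sum` output format that the guide's `sha256sum --check` call expects.

# Reads archive member names on stdin; succeeds if any is absolute or has "..".
unsafe_member_names() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# verify_and_extract <archive.tgz> <archive.tgz.sha256.txt> <dest_dir>
# Returns 0 on success, 1 on digest mismatch, 2 on bad input, 3 on unsafe paths.
verify_and_extract() {
    archive=$1; sumfile=$2; dest=$3
    if [ ! -f "$archive" ] || [ ! -f "$sumfile" ]; then
        echo "missing archive or checksum file" >&2; return 2
    fi
    # Take the digest from the first line and require exactly 64 hex characters.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$' || {
        echo "malformed checksum file: $sumfile" >&2; return 2; }
    # Hash the archive itself, so the digest is tied to this exact file.
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch, not extracting: $archive" >&2; return 1
    fi
    # List members first so nothing is written when a path looks unsafe.
    if tar tzf "$archive" | unsafe_member_names; then
        echo "unsafe member path, not extracting: $archive" >&2; return 3
    fi
    mkdir -p "$dest" && tar xzf "$archive" -C "$dest"
}
```

A matching digest only shows that the download is intact; the SevOne-validate-image signature step in this guide still applies before the SPK files are imported.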
➤ Device Onboarding
To onboard Fortinet devices in SevOne NMS, follow these steps:
- Enter the URL for the SevOne NMS appliance into your web browser to display the Login page.
Enter your credentials on the login page and click Login.
- From the navigation bar, click the Devices menu and select Device Manager.
- Click Add Device to display the New Device page.
- On the New Device page, please add the following details.
- In the Name field, enter the device name.
- In the Alternate Name field, enter an alternate device name. You can search for a device by its alternate name.
- In the Description field, enter the device description. You can use this to provide additional information about the function, location, or any other pertinent information about the device.
- In the IP Address field, enter the device IP address.
- Click the plugin drop-down. By default, it is set to SNMP. Select SDWAN.
- Select the Enable SDWAN API Integration checkbox.
- Click the Vendor drop-down and select the FortiManager option.
- In the FortiManager URL field, enter the URL for SDWAN vendor, FortiManager.
- In the Username field, enter the username for SDWAN vendor, FortiManager.
- In the Password field, enter the password for SDWAN vendor, FortiManager.
- Enable field Auto-discover and monitor associated FortiGates - Use SNMP Plugin to automatically discover and monitor FortiGate devices.
- Click Save As New to save the current changes as a New Device.
- Once the SDWAN plugin is configured, from the plugin drop-down, select the SNMP plugin.
- Ensure that the SNMP Capable check box is selected to enable the discovery of SNMP object types and to poll SNMP data on the device.
- Enter credentials (Username & Password) for FortiGate devices. (Make sure to have the same SNMP credentials for all FortiGate devices.)
- Select other options and click Save As New to save the current changes as a New Device. This device is then queued for discovery.
- A new device has been added to the Device Manager screen.
- Click the Devices menu and select Discovery Manager. Here, you will see the device is in the discovery queue.
- After the discovery process is completed, FortiGate devices will be visible on the Device Manager screen.
- To retrieve the metadata of a FortiGate device, follow these steps:
- Choose a device from the list that you wish to view metadata for.
- Click the icon in the Actions column to open the Edit Metadata pop-up.
- In the Edit Metadata pop-up, locate the section SDWAN_DEVICES to find the metadata fields.
- To retrieve the metadata of a Fortinet Fortigate object, follow these steps:
- From the navigation bar, click the Devices menu and select Object Manager.
- Select an object from the list with the type Virtual WAN Link/Virtual WAN Link (Fortinet Fortigate) or Interface/Interface (Fortinet Fortigate) for which you wish to view metadata.
- Click the icon in the Actions column to open the Edit Metadata pop-up.
TopN Report Views - Import on SevOne NMS
SevOne-import --allow-overwrite --file Fortigate.TopN.spk
The following is the list of TopN reports imported.
- Fortigate - Aggregate Links Utilization - In & Out
- Fortigate - CPU Utilization
- Fortigate - Device Reachability
- Fortigate - Disk Utilization
- Fortigate - Highest Interface Errors
- Fortigate - ICMP Response Time
- Fortigate - Memory Utiization
- Fortigate - Most Utilized Interface - In
- Fortigate - Most Utilized Interface - Out
- Fortigate - Most Utilized Interfaces - In & Out
- Fortigate - Packet Loss - ICMP from SevOne
- Fortigate - Performance SLA - Jitter
- Fortigate - Performance SLA - Latency
- Fortigate - Performance SLA - Packet Loss
- Fortigate - Performance SLA - State, Pkt Loss, Jitter, Latency
- Fortigate - Total Errors and Discards
- Fortigate - Tunnel Utilization - In & Out
SevOne Data Insight
- OOTB Reports on SevOne Data Insight
Method #1 - Import via CLI
$ sevone-cli sdi reports load <REPORTS-TAR-FILE-PATH>
OR
Method #2 - Import via Data Insight
- Log in to your SevOne Data Insight machine by navigating to the appropriate URL in your browser.
- On the Report Manager screen, click Import button.
- Click or drag file to upload. For example, Fortigate.OOTB.Reports.tar.
- Select an appropriate datasource from the Datasource drop-down.
- Select the Assign each report to its original owner's username check box to assign the imported reports to their original owner's username.
- Click Upload.
Note:
- Reports can only be imported from a .tar file. Other file extensions are not accepted. If the file does not have a .tar extension, the action is simply ignored.
- Reports can be imported to the same or newer version of SevOne Data Insight as the one they were exported from, by drag and drop into Reports.
- SevOne does not support the importing of reports from a newer to older version.
The following is the list of reports imported.
- Fortigate Device Summary
- Fortigate Interface Summary
- Fortigate Performance SLA Tests
- Fortigate Tunnel Summary
- Fortinet Fortigate Dashboard
➤ DNC / Flow Specific Changes
Denying 'Router-Generated' on Flow Rules
Fortinet forwards duplicate flow records for the same conversation. So, it is necessary to deny flow from the Router Generated interface to avoid double counting. To create a rule, click the Administration menu, select Flow Configuration, and then select Flow Rules. For more details, please refer to SevOne NMS System Administration Guide > section Flow Rules.

Supporting Long Flows on SevOne NMS

To check the flows received on SevOne NMS, from the navigation bar, click the Administration menu, select Flow Configuration, and then select Flow Interface Manager.

SOLUTION VERIFICATION & CUSTOMIZATION
Perform the following steps to log onto your SevOne NMS appliance. For more details, please refer to SevOne NMS System Administration Guide or SevOne NMS User Guide > section Login.
- Enter the URL for the SevOne NMS appliance into your web browser to display the Login page.
- Enter the credentials and click Login. For example, Username: admin and Password: SevOne
- To check the MIB files imported, click the Administration menu, select Monitoring Configuration, and then select MIB Manager. For more details on MIB Manager, please refer to SevOne NMS System Administration Guide > section MIB Manager.
- To check the device groups imported, click the Devices menu, select Grouping, and then select Device Groups. For more details on Device Groups, please refer to SevOne NMS User Guide > section Device Groups.
- To check the object groups imported, click the Devices menu, select Grouping, and then select Object Groups. For more details on Object Groups, please refer to SevOne NMS System Administration Guide > section Object Groups.
Important: You can change the Object Group Membership Rules based on your network environment.
- Check the Fortinet OOTB reports imported on the SevOne Data Insight machine.
The following is the list of reports imported.
- Fortigate Device Summary
- Fortigate Interface Summary
- Fortigate Performance SLA Tests
- Fortigate Tunnel Summary
- Fortinet Fortigate Dashboard