SD-WAN Fortinet Solution Deployment / Configuration Guide

ABOUT

This document describes the steps to deploy and configure the Fortinet SD-WAN solution.

PREREQUISITES

  • An administrator-level account in SevOne NMS.
  • SSH password for the tmp account.
  • IP address of the PAS.

➤   SevOne NMS

The following steps perform a from-scratch installation of the Fortinet solution on SevOne NMS.

  1. Using ssh, log in to the SevOne NMS appliance as root.
    ssh root@<SevOne NMS appliance IP address>
  2. To install the SPK files, execute the following commands in the sequence shown below.
    • To list all the podman containers along with their IDs:
      podman ps
    • To open a shell in the NMS container:
      podman exec -it <nms_container_id_or_name> /bin/bash
    • To create the working directory:
      cd /tmp/
      mkdir Fortinet
      cd /tmp/Fortinet
  3. Download the following (latest) files from IBM Passport Advantage (https://www.ibm.com/software/passportadvantage/pao_download_software.html) via Passport Advantage Online. If you are on a legacy / flexible SevOne contract and do not have access to IBM Passport Advantage but have an active Support contract, please contact IBM SevOne Support for the latest files. Place the downloaded <tar/zip> files in the /tmp/Fortinet directory.
    1. sdwan-fortinet-installation-v7.1.0-build.<###>.tgz
    2. sdwan-fortinet-installation-v7.1.0-build.<###>.tgz.sha256.txt
    3. signature-tools-<latest-version>-build.<latest>.tgz
    4. signature-tools-<latest-version>-build.<latest>.tgz.sha256.txt
  4. Execute the following commands to verify the checksum of the code signing tool before extracting it.
    
    (cd /tmp/Fortinet && cat $(ls -Art signature-tools-*.tgz.sha256.txt | \
    tail -n 1) | sha256sum --check)
    
    sudo tar xvfz $(ls -Art /tmp/Fortinet/signature-tools-*.tgz | \
    tail -n 1) -C /tmp/Fortinet
  5. Verify the signature of the solution .tgz file.
    sh usr/local/sbin/SevOne-validate-image \
    -i $(ls -Art /tmp/Fortinet/sdwan-*.tgz | tail -n 1) \
    -s $(ls -Art /tmp/Fortinet/sdwan-*.tgz.sha256.txt | tail -n 1)
  6. Make a directory. For example, sdwan-fortinet-installation.
    mkdir /tmp/Fortinet/sdwan-fortinet-installation
  7. Extract the latest build.
    tar xvfz $(ls -Art /tmp/Fortinet/sdwan-*.tgz | \
    tail -n 1) -C /tmp/Fortinet/sdwan-fortinet-installation

    You will see the following files in the folder.

    • Fortigate.MIBs.spk - it imports two Fortigate MIB files (FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib).
    • Fortigate.Certification.spk - it creates one device type Fortinet Fortigate and 58 object types suffixed with (Fortinet Fortigate).
    • Fortigate.Interface.SubType.Rules.spk - it imports the interface subtype rules to allow mapping the subtypes.
    • Fortigate.Metadata.Schema.spk - it imports the metadata schema for Fortigate devices.
    • Fortigate.DeviceGroups.spk - it creates 4 device groups.
    • Fortigate.ObjectGroups.spk - it creates 1 object group class (Fortigate) and 6 Object Groups underneath it.
    • SDWAN_Solution_Fortinet_Alerts_v1-1.spk - it imports 3 alert policies. All policies are imported as disabled by default.
    • Fortigate.TopN.spk - it imports 17 Top N Report views.
    • Fortigate.OOTB.Reports.tar - it imports one SevOne Data Insight report and 3 templates.
  8. Change directory to /tmp/Fortinet/sdwan-fortinet-installation.
    cd /tmp/Fortinet/sdwan-fortinet-installation
  9. Before importing, check for the following existing Device Types and Object Types.
    • (If present) Delete the existing Device Type Fortigate under Generic.
    • (If present) Delete existing Object Types suffixed with (Fortigate) to prevent the creation of duplicate objects.
  10. Import the following spk files in sequence.
    1. Fortinet Fortigate MIBs
      SevOne-import --allow-overwrite --file Fortigate.MIBs.spk
    2. Device Type and Object Types
      SevOne-import --allow-overwrite --file Fortigate.Certification.spk
    3. Interface Subtype Rules
      SevOne-import --allow-overwrite --file Fortigate.Interface.SubType.Rules.spk
    4. Metadata Schema
      SevOne-import --allow-overwrite --file Fortigate.Metadata.Schema.spk
    5. Device Groups
      SevOne-import --allow-overwrite --file Fortigate.DeviceGroups.spk
    6. Object Groups
      SevOne-import --allow-overwrite --file Fortigate.ObjectGroups.spk
    7. Alert Policies
      SevOne-import --allow-overwrite --file SDWAN_Solution_Fortinet_Alerts_v1-1.spk

      The following is the list of alerts imported.

      • Fortigate - Performance SLA - Latency - 3 Std Dev
      • Fortigate - Performance SLA - Jitter - 6 Std Dev
      • Fortigate - Performance SLA - Packet Loss - 10 Percent
      Important: All alerts are disabled by default.
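
The checksum check in step 4 (and the signature check in step 5) is the point at which a tampered or truncated download is caught before anything is extracted. The following shell function is an added example, not part of this guide or of the SevOne tooling: it selects the newest bundle matching a pattern (the same ls -Art | tail -n 1 idiom the guide uses), verifies it against its .sha256.txt sidecar with sha256sum --check, and only then extracts it, refusing on mismatch. The staging directory, bundle names and payload are constructed fixtures for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SevOne guide): verify a downloaded bundle
# against its .sha256.txt sidecar before extracting it, and refuse to
# extract on mismatch.

# verify_and_extract STAGE_DIR GLOB DEST
# Returns 0 and extracts when the checksum matches; 1 on mismatch;
# 2 when the bundle or its checksum file is missing.
verify_and_extract() {
    stage="$1"; pattern="$2"; dest="$3"
    # Newest matching tarball, as the guide does with ls -Art | tail -n 1
    tgz=$(cd "$stage" && ls -Art $pattern 2>/dev/null | tail -n 1)
    [ -n "$tgz" ] || { echo "no bundle matching $pattern in $stage" >&2; return 2; }
    sums="$tgz.sha256.txt"
    [ -f "$stage/$sums" ] || { echo "missing checksum file $sums" >&2; return 2; }
    # sha256sum --check reads "<hash>  <filename>" lines relative to cwd
    if ! (cd "$stage" && sha256sum --check --status "$sums"); then
        echo "checksum mismatch for $tgz; not extracting" >&2
        return 1
    fi
    mkdir -p "$dest"
    tar xzf "$stage/$tgz" -C "$dest"
}

# Constructed demo fixture: a tiny bundle with its genuine checksum under
# stage/good, and a copy corrupted after the checksum was recorded under stage/bad.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/stage/good" "$fx/stage/bad" "$fx/src"
    echo "payload" > "$fx/src/tool.txt"
    (cd "$fx/src" && tar czf "$fx/stage/good/signature-tools-1.0-build.1.tgz" tool.txt)
    (cd "$fx/stage/good" && sha256sum signature-tools-1.0-build.1.tgz \
        > signature-tools-1.0-build.1.tgz.sha256.txt)
    cp "$fx/stage/good/"* "$fx/stage/bad/"
    echo "x" >> "$fx/stage/bad/signature-tools-1.0-build.1.tgz"
    echo "$fx"
}

# Genuine bundle: verification passes and the payload is extracted.
demo_good() {
    fx=$(make_fixture)
    verify_and_extract "$fx/stage/good" 'signature-tools-*.tgz' "$fx/out" || return 1
    [ -f "$fx/out/tool.txt" ]
}

# Tampered bundle: verification fails and nothing is extracted.
demo_bad() {
    fx=$(make_fixture)
    if verify_and_extract "$fx/stage/bad" 'signature-tools-*.tgz' "$fx/out"; then
        return 1
    fi
    [ ! -e "$fx/out/tool.txt" ]
}

demo_good && demo_bad && echo "checksum gate behaves as expected"
```

The extraction only happens after the check succeeds, so a mismatch leaves the destination untouched; applying the same gate to the sdwan-*.tgz bundle before step 7 gives the same fail-closed behaviour for the solution files.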

➤   Device Onboarding

To onboard Fortinet devices in SevOne NMS, follow these steps:

  1. Enter the URL for the SevOne NMS appliance into your web browser to display the Login page. Enter your credentials on the login page and click Login. [Figures: Fortinet NMS Login Page; Fortinet NMS Home Page]
  2. From the navigation bar, click the Devices menu and select Device Manager. [Figure: Fortinet Device Manager]
  3. Click Add Device to display the New Device page. [Figure: Fortinet Add Device]
  4. On the New Device page, add the following details. [Figure: Fortinet New Device]
    1. In the Name field, enter the device name.
    2. In the Alternate Name field, enter an alternate device name. You can search for a device by its alternate name.
    3. In the Description field, enter the device description. You can use this to provide additional information about the function, location, or any other pertinent information about the device.
    4. In the IP Address field, enter the device IP address.
    5. Click the plugin drop-down. By default, it is set to SNMP. Select SDWAN.
      1. Select the Enable SDWAN API Integration checkbox. [Figure: Fortinet SDWAN Plugin]
      2. Click the Vendor drop-down and select the FortiManager option.
      3. In the FortiManager URL field, enter the URL of the SDWAN vendor, FortiManager.
      4. In the Username field, enter the username for the SDWAN vendor, FortiManager.
      5. In the Password field, enter the password for the SDWAN vendor, FortiManager.
      6. Enable the field Auto-discover and monitor associated FortiGates - Use SNMP Plugin to automatically discover and monitor FortiGate devices.
    6. Click Save As New to save the current changes as a New Device.
    7. Once the SDWAN plugin is configured, from the plugin drop-down, select the SNMP plugin. [Figure: Fortinet SNMP Plugin]
    8. Ensure that the SNMP Capable check box is selected to enable the discovery of SNMP object types and to poll SNMP data on the device.
    9. Enter credentials (Username & Password) for the FortiGate devices. (All FortiGate devices must use the same SNMP credentials.)
    10. Select other options and click Save As New to save the current changes as a New Device. This device is then queued for discovery.
    11. The new device now appears on the Device Manager screen.
    12. Click the Devices menu and select Discovery Manager. Here, you will see the device in the discovery queue.
    13. After the discovery process is completed, FortiGate devices will be visible on the Device Manager screen. [Figure: Fortinet Devices]
    14. To retrieve the metadata of a FortiGate device, follow these steps:
      1. Choose the device from the list for which you wish to view metadata.
      2. Click Edit metadata in the Actions column to open the Edit Metadata pop-up.
      3. In the Edit Metadata pop-up, locate the section SDWAN_DEVICES to find the metadata fields.
        [Figure: Fortinet Metadata]
    15. To retrieve the metadata of a Fortinet Fortigate object, follow these steps:
      1. From the navigation bar, click the Devices menu and select Object Manager.
      2. Select an object from the list with the type Virtual WAN Link/Virtual WAN Link (Fortinet Fortigate) or Interface/Interface (Fortinet Fortigate) for which you wish to view metadata.
      3. Click Edit metadata in the Actions column to open the Edit Metadata pop-up.
        [Figure: Fortinet Object Metadata]
Note: TopN Report Views - Import on SevOne NMS

SevOne-import --allow-overwrite --file Fortigate.TopN.spk

The following is the list of TopN reports imported.

  • Fortigate - Aggregate Links Utilization - In & Out
  • Fortigate - CPU Utilization
  • Fortigate - Device Reachability
  • Fortigate - Disk Utilization
  • Fortigate - Highest Interface Errors
  • Fortigate - ICMP Response Time
  • Fortigate - Memory Utilization
  • Fortigate - Most Utilized Interface - In
  • Fortigate - Most Utilized Interface - Out
  • Fortigate - Most Utilized Interfaces - In & Out
  • Fortigate - Packet Loss - ICMP from SevOne
  • Fortigate - Performance SLA - Jitter
  • Fortigate - Performance SLA - Latency
  • Fortigate - Performance SLA - Packet Loss
  • Fortigate - Performance SLA - State, Pkt Loss, Jitter, Latency
  • Fortigate - Total Errors and Discards
  • Fortigate - Tunnel Utilization - In & Out

SevOne Data Insight

  1. OOTB Reports on SevOne Data Insight

    Method #1 - Import via CLI

    $ sevone-cli sdi reports load <REPORTS-TAR-FILE-PATH>

    OR

    Method #2 - Import via Data Insight

    1. Log in to your SevOne Data Insight machine by navigating to the appropriate URL in your browser.
    2. On the Report Manager screen, click the Import button. [Figure: Import Button]
    3. Click or drag a file to upload. For example, Fortigate.OOTB.Reports.tar.
      1. Select the appropriate datasource from the Datasource drop-down.
      2. Select the Assign each report to its original owner's username check box to assign the imported reports to their original owners' usernames.
      3. Click Upload.
        [Figure: Import OOTB]
        Note:
        • Reports can only be imported from a .tar file. Files with any other extension are ignored and the import action is not performed.
        • Reports can be imported into the same or a newer version of SevOne Data Insight than the one they were exported from, by dragging and dropping them into Reports.
        • Importing reports from a newer version into an older version is not supported.

    The following is the list of reports imported.

    • Fortigate Device Summary
    • Fortigate Interface Summary
    • Fortigate Performance SLA Tests
    • Fortigate Tunnel Summary
    • Fortinet Fortigate Dashboard

➤   DNC / Flow Specific Changes

Denying 'Router-Generated' on Flow Rules

Fortinet forwards duplicate flow records for the same conversation. It is therefore necessary to deny flow from the Router Generated interface to avoid double counting. To create a rule, click the Administration menu, select Flow Configuration, and then select Flow Rules. For more details, please refer to SevOne NMS System Administration Guide > section Flow Rules.

[Figure: Flow Rules]

Supporting Long Flows on SevOne NMS

Warning: Flows may be dropped when FortiGate devices send flows with a longer duration than the configured limit. To allow long flows, from the navigation bar, click the Administration menu and select Cluster Manager > Cluster Settings (FlowFalcon), then uncheck the Drop Long Flows option. [Figure: Drop Long Flows]

To check the flows received on SevOne NMS, from the navigation bar, click the Administration menu, select Flow Configuration, and then select Flow Interface Manager.

[Figure: Flow Interface Manager]

SOLUTION VERIFICATION & CUSTOMIZATION

Perform the following steps to log on to your SevOne NMS appliance and verify the imported content. For more details, please refer to SevOne NMS System Administration Guide or SevOne NMS User Guide > section Login.

  1. Enter the URL for the SevOne NMS appliance into your web browser to display the Login page.
  2. Enter the credentials and click Login. For example, Username: admin and Password: SevOne
  3. To check the MIB files imported, click the Administration menu, select Monitoring Configuration, and then select MIB Manager. For more details on MIB Manager, please refer to SevOne NMS System Administration Guide > section MIB Manager. [Figure: MIBs Imported]
  4. To check the device groups imported, click the Devices menu and select Grouping, then Device Groups. For more details on Device Groups, please refer to SevOne NMS User Guide > section Device Groups. [Figure: Device Groups]
  5. To check the object groups imported, click the Devices menu, select Grouping, and then select Object Groups. For more details on Object Groups, please refer to SevOne NMS System Administration Guide > section Object Groups. [Figure: Object Groups]
    Important: You can change the Object Group Membership Rules based on your network environment.
  6. Check the Fortinet OOTB reports imported on the SevOne Data Insight machine. [Figure: OOTB SevOne Data Insight]

    The following is the list of reports imported.

    • Fortigate Device Summary
    • Fortigate Interface Summary
    • Fortigate Performance SLA Tests
    • Fortigate Tunnel Summary
    • Fortinet Fortigate Dashboard