SD-WAN Fortinet Solution Deployment / Configuration Guide
About
This document describes the steps to deploy and configure the Fortinet SD-WAN solution.
Prerequisites
- An administrator-level account in SevOne NMS.
- SSH password for the tmp account.
- IP address of the PAS.
Installation Steps
SevOne NMS
The following steps perform a from-scratch installation of the Fortinet solution on SevOne NMS.
- Using ssh, log in to the SevOne NMS appliance as support.
  ssh support@<SevOne NMS appliance IP address>
- To install the spk files, execute the following commands in the sequence shown below.
  - For a list of containers and their IDs, run the following command.
    podman ps
  - Go to the SevOne NMS container.
    podman exec -it <nms_container_id_or_name> /bin/bash
  - Make a directory Fortinet under the /tmp folder and change the directory to /tmp/Fortinet.
    cd /tmp/
    mkdir Fortinet
    cd /tmp/Fortinet
- Download the following (latest) files from IBM Passport Advantage (https://www.ibm.com/software/passportadvantage/pao_download_software.html) via Passport Advantage Online. However, if you are on a legacy / flexible SevOne contract and do not have access to IBM Passport Advantage but have an active Support contract, please contact IBM SevOne Support for the latest files. You must place the <tar/zip> files in the /tmp/Fortinet directory.
- sdwan-fortinet-installation-v7.2.0-build.<###>.tgz
- sdwan-fortinet-installation-v7.2.0-build.<###>.tgz.sha256.txt
- signature-tools-<latest-version>-build.<latest>.tgz
- signature-tools-<latest-version>-build.<latest>.tgz.sha256.txt
- Execute the following commands to verify the checksum of the code signing tool before extracting it.
  (cd /tmp/Fortinet && cat $(ls -Art signature-tools-*.tgz.sha256.txt | \
      tail -n 1) | sha256sum --check)
  sudo tar xvfz $(ls -Art /tmp/Fortinet/signature-tools-*.tgz | \
      tail -n 1) -C /tmp/Fortinet
- Verify the signature of Solutions .tgz files.
  sh usr/local/sbin/SevOne-validate-image \
      -i $(ls -Art /tmp/Fortinet/sdwan-*.tgz | tail -n 1) \
      -s $(ls -Art /tmp/Fortinet/sdwan-*.tgz.sha256.txt | tail -n 1)
- Make a directory. For example, sdwan-fortinet-installation.
  mkdir /tmp/Fortinet/sdwan-fortinet-installation
- Extract the latest build.
  tar xvfz $(ls -Art /tmp/Fortinet/sdwan-*.tgz | \
      tail -n 1) -C /tmp/Fortinet/sdwan-fortinet-installation
  You will see the following files in the directory.
- Fortigate.MIBs.spk - it imports two Fortigate MIB files (FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib).
- Fortigate.Certification.spk - it creates one device type Fortinet Fortigate and 58 object types suffixed with (Fortinet Fortigate).
- Fortigate.Interface.SubType.Rules.spk - it imports the interface subtype rules to allow mapping the subtypes.
- Fortigate.Metadata.Schema.spk - it imports the metadata schema for Fortigate devices.
- Fortigate.DeviceGroups.spk - it creates 4 device groups.
- Fortigate.ObjectGroups.spk - it creates 1 object group class (Fortigate) and 6 Object Groups underneath it.
- SDWAN_Solution_Fortinet_Alerts_v1-1.spk - it imports 3 alert policies. All policies are imported as disabled by default.
- Fortigate.TopN.spk - it imports 17 TopN Report views.
- Change the directory to /tmp/Fortinet/sdwan-fortinet-installation.
  cd /tmp/Fortinet/sdwan-fortinet-installation
- Please check the following for existing Device Types and Object Types.
- (if available) Delete existing Device Type Fortigate which is available under Generic.
- (if available) Delete existing Object Types suffixed by (Fortigate) to prevent the creation of duplicate objects.
- Import the following spk files by running the commands in the following sequence.
  - Fortinet Fortigate MIBs
    SevOne-import --allow-overwrite --file Fortigate.MIBs.spk
  - Device Type and Object Types
    SevOne-import --allow-overwrite --file Fortigate.Certification.spk
  - Interface Subtype Rules
    SevOne-import --allow-overwrite --file Fortigate.Interface.SubType.Rules.spk
  - Metadata Schema
    SevOne-import --allow-overwrite --file Fortigate.Metadata.Schema.spk
  - Device Groups
    SevOne-import --allow-overwrite --file Fortigate.DeviceGroups.spk
  - Object Groups
    SevOne-import --allow-overwrite --file Fortigate.ObjectGroups.spk
  - Alert Policies
    SevOne-import --allow-overwrite --file SDWAN_Solution_Fortinet_Alerts_v1-1.spk
    The following is the list of alerts imported.
- Fortigate - Performance SLA - Latency - 3 Std Dev
- Fortigate - Performance SLA - Jitter - 6 Std Dev
- Fortigate - Performance SLA - Packet Loss - 10 Percent
Important: All alerts are disabled by default.
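For the checksum-before-extract step in the installation procedure above, the following is an added example (not IBM or SevOne code) that makes the check fail closed: the archive is unpacked only if its digest matches its own .sha256.txt file and no member path escapes the destination. The function names are hypothetical, and it assumes each checksum file is in sha256sum format and named <tarball>.sha256.txt, as in the file list above; it does not replace the SevOne-validate-image signature check.

```shell
#!/usr/bin/env bash
# Added example, not part of the SevOne tooling. Function names are hypothetical.
# Assumes <name>.tgz ships with <name>.tgz.sha256.txt in sha256sum format.

# verify_then_extract <tarball> <destination-dir>
# Returns 0 only when the digest matches and all member paths are safe.
# 1 = checksum mismatch, 2 = missing file, 3 = unsafe member path.
# The body runs in a subshell so its variables do not leak to the caller.
verify_then_extract() (
    tarball=$1
    dest=$2
    sumfile="$tarball.sha256.txt"

    [ -f "$tarball" ] && [ -f "$sumfile" ] || {
        echo "missing $tarball or $sumfile" >&2
        return 2
    }

    # Pair the checksum file with its tarball by name, rather than picking
    # the newest .tgz and the newest .sha256.txt independently.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi

    # Reject absolute paths and ".." components before unpacking.
    if tar tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $tarball" >&2
        return 3
    fi

    mkdir -p "$dest" && tar xzf "$tarball" -C "$dest"
)

# newest_tarball <dir> <name-prefix>: newest matching .tgz by mtime,
# the same selection the guide makes with "ls -Art | tail -n 1".
newest_tarball() {
    ls -Art "$1"/"$2"-*.tgz 2>/dev/null | tail -n 1
}

# Usage with the guide's paths:
#   verify_then_extract "$(newest_tarball /tmp/Fortinet signature-tools)" /tmp/Fortinet
```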
Device Onboarding
To onboard Fortinet devices in SevOne NMS, execute the following steps.
- Using a web browser of your choice, enter the URL for the SevOne NMS appliance. Enter the
credentials and click Login.


- From the navigation bar, click the Devices menu and select Device Manager.

- Click Add Device to create a new device.

- On the New Device page, add the following details.

- In the Name field, enter the device name.
- In the Alternate Name field, enter an alternate device name. You can search for a device by its alternate name.
- In the Description field, enter the device description. You can use this to provide additional information about the function, location, or any other pertinent information about the device.
- In the IP Address field, enter the device IP address.
- Click the plugin drop-down. By default, it is set to SNMP. Select SDWAN.
- Select the Enable SDWAN API Integration check box.

- Click the Vendor drop-down and select the FortiManager option.
- In the FortiManager URL field, enter the URL for SDWAN vendor, FortiManager.
- In the Username field, enter the username for SDWAN vendor, FortiManager.
- In the Password field, enter the password for SDWAN vendor, FortiManager.
- Enable field Auto-discover and monitor associated FortiGates - Use SNMP Plugin to automatically discover and monitor FortiGate devices.
- Once the SD-WAN plugin details are entered, select the SNMP plugin from the plugin drop-down menu.

- Ensure that the field SNMP Capable check box is selected to enable the discovery of SNMP object types and to poll SNMP data on the device.
- In the Version field, select the version. For example, select 3 from the available options in the drop-down list.
- Enter the credentials (Username & Password) for the FortiGate devices. Make sure that all FortiGate devices have the same SNMP credentials.
- Select other options and click Save As New to save the current changes as a New Device. This device is then queued for discovery.
- A new device has been added to the Device Manager screen.
- Click the Devices menu and select Discovery Manager. Here, you will see that the device is in the discovery queue.
- After the discovery process is completed, FortiGate devices will be visible on the Device Manager screen.

- To retrieve the metadata of a FortiGate device, execute the steps below.
- Choose a device from the list that you wish to view the metadata for.
- Click in the Actions column to open the Edit Metadata pop-up.
- In the Edit Metadata pop-up, locate the section SDWAN_DEVICES to find the metadata fields.

- To retrieve the metadata of a Fortinet Fortigate object, follow these steps.
- From the navigation bar, click the Devices menu and select Object Manager.
- Select an object from the list with the type Virtual WAN Link/Virtual WAN Link (Fortinet Fortigate) or Interface/Interface (Fortinet Fortigate) for which you wish to view metadata.
- Click in the Actions column to open the Edit Metadata pop-up.

TopN Report Views - Import on SevOne NMS
SevOne-import --allow-overwrite --file Fortigate.TopN.spk
The following is the list of TopN reports imported.
- Fortigate - Aggregate Links Utilization - In & Out
- Fortigate - CPU Utilization
- Fortigate - Device Reachability
- Fortigate - Disk Utilization
- Fortigate - Highest Interface Errors
- Fortigate - ICMP Response Time
- Fortigate - Memory Utilization
- Fortigate - Most Utilized Interface - In
- Fortigate - Most Utilized Interface - Out
- Fortigate - Most Utilized Interfaces - In & Out
- Fortigate - Packet Loss - ICMP from SevOne
- Fortigate - Performance SLA - Jitter
- Fortigate - Performance SLA - Latency
- Fortigate - Performance SLA - Packet Loss
- Fortigate - Performance SLA - State, Pkt Loss, Jitter, Latency
- Fortigate - Total Errors and Discards
- Fortigate - Tunnel Utilization - In & Out
- Fortigate.OOTB.Reports.tar - it imports 1 SevOne Data Insight report and 3 templates.
Fortinet OOTB Reports
- Log in to your SevOne Data Insight by navigating to the appropriate URL in your web
browser. Enter your credentials on the login page and click Login.

- On the Report Manager screen, click Reports and then click on SevOne
Folders.

- Under SevOne Folders, select the Fortinet folder from the SD-WAN drop-down list.

- Select the Fortinet Report displayed. You can either click on the Run button as shown below or click on the report link directly to view detailed OOTB reports.
Note: The following reports get imported.
- Fortigate Device Summary
- Fortigate Interface Summary
- Fortigate Performance SLA Tests
- Fortigate Tunnel Summary
- Fortinet Fortigate Dashboard
DNC / Flow Specific Changes
Flow Interface Manager
To check the flows received on SevOne NMS, from the navigation bar, click the Administration menu, select Flow Configuration, and then select Flow Interface Manager.

Deny 'Router-Generated' on Flow Rules
Fortinet forwards duplicate flow records for the same conversation, so it is necessary to deny flows from the Router Generated interface to avoid double counting. To create a rule, click the Administration menu, select Flow Configuration, and then select Flow Rules. For more details, please refer to SevOne NMS System Administration Guide > section Flow Rules.

Support Long Flows on SevOne NMS

Solution Verification & Customization
Perform the following steps to log onto your SevOne NMS appliance. For more details, please refer to SevOne NMS System Administration Guide or SevOne NMS User Guide > section Login.
- Enter the URL for the SevOne NMS appliance into your web browser to display the Login page.
- Enter the credentials and click Login. For example, Username: admin and Password: SevOne
- To check MIB files imported, click the Administration menu, select Monitoring Configuration, and then select MIB Manager. For more details on MIB Manager, please refer to SevOne NMS System Administration Guide > section MIB Manager.

- To check device groups imported, click the Devices menu, select Grouping, and then select Device Groups. For more details on Device Groups, please refer to SevOne NMS User Guide > section Device Groups.

- To check object groups imported, click the Devices menu, select Grouping, and then select Object Groups. For more details on Object Groups, please refer to SevOne NMS System Administration Guide > section Object Groups.
Important: You can change the Object Group Membership Rules based on your network environment.
- To check object types, click the Administration menu, select Monitoring Configuration, and then select Object Types. For more details on Object Types, please refer to SevOne NMS System Administration Guide > section Object Types.
