
SOLUTION BRIEF

SDN SECURITY FOR VMWARE DATA CENTER ENVIRONMENTS

Purpose-built virtual security appliances will be increasingly used alongside hardware appliances to secure enterprise data centers, which are becoming increasingly dynamic due to rapid adoption of server virtualization and SDN

SDN Security for VMware Data Center Environments
Fortinet FortiGate-VMX with VMware Network Extensibility (NetX) API Controller

FortiGate-VMX is a Fortinet Virtual Appliance Solution for VMware that provides purpose-built integration for VMware-only environments, and interoperability with vSphere, vCNS (vCloud Networking and Security), or NSX. It provides visibility into Virtualized Network traffic on the vSphere hypervisor through direct API-level integration, and management orchestration to secure workloads in dynamic software-defined networks and infrastructure without protection and compliance gaps.

Integration Benefits
• Next-generation firewall and threat prevention for VMware
• Automatic inspection on inter-VM network traffic with hypervisor-level integration
• Real-time security policy orchestration for VM deployment
• Security rules and policies are provisioned on-demand as ESXi hosts and VMs are added
• Support VM migration to ensure security persistency

Fortinet “In-Guest” Virtual Machines for Perimeter Security


Fortinet offers a security solution for cloud and software-defined data centers and protects
virtualized applications while enhancing the elasticity and mobility benefits of virtualization.
It combines state-of-the-art network security and agentless monitoring to provide
application protection.


Today’s Security Hardening Trend of Virtualization

With virtualization and cloud computing technology, IT can provision Virtual Machines (VMs) to run a web application within minutes at a fraction of the cost of physical machines. Fortinet supports server virtualization platforms like VMware, Hyper-V, Xen, and KVM. There are a number of reasons why server virtualization has been so beneficial, including hardware cost savings and decreased data center footprint.

Fortinet Security VM Products

Simply replacing hardware appliances with software ports running on VMs helps to improve cost and introduce data center agility. For more information on the current VM-centric security solution, download the solution brief http://www.fortinet.com/resource_center/solution_briefs/fortinet_virtual_appliance_solutions.html.

[Figure: Current Fortinet Virtual Appliances. Locations shown: Service Provider/Cloud Provider, Remote Office/Branch Office, Headquarters, Cloud. Products shown: FortiGate-VM; FortiGate-VMX; FortiWeb-VM (Web Application Firewall); FortiADC-VM (Application Delivery Controllers); FortiCache-VM (High-Performance Caching); FortiMail-VM (Messaging Security); FortiAuthenticator-VM (User Identity Management); FortiVoice-VM (Phone Systems); FortiManager-VM (Centralized Management); FortiRecorder-VM (Video Security Surveillance); FortiAnalyzer-VM (Logging and Reporting); FortiClient; FortiGuard Services.]


Software-Defined Networking (SDN) Security

Data Center Networking is going through a major overhaul driven by virtualization (server compute and storage) and convergence (data, I/O, and control network). Current work on network virtualization is focused on the Layer 2/3 infrastructure level, leaving advanced application features, such as content firewall and network IPS/IDS, to either hardware hair-pinning or software appliances complementing hardware-based services in the network.

Rigid infrastructure will soon become the bottleneck as a new generation of applications demands a fully elastic platform in the cloud, public, hybrid, or private.

FortiGate-VMX is a virtual appliance solution for VMware environments that provides purpose-built integration for VMware’s Software-Defined Data Center (SDDC) and interoperability with vSphere and vCloud Networking and Security.

Purpose Built for vSphere and vCloud Networking and Security

FortiGate-VMX is based on the latest version of the Fortinet FortiOS, a security-hardened, purpose-built operating system, which delivers the advanced protection and performance that standalone products simply cannot match. It supports all the advanced NGFW/UTM features of FortiOS. IT administrators set IPS/IDS, AV, web filtering, etc., policies just as they would in any FortiOS deployment. Fortinet services work together as a system to provide better visibility and mitigation of the latest network and application threats, stopping attacks before damage can occur. This ensures the product is deployed from all ESXi hypervisors.

FortiGate-VMX Supported Security Features
Firewall | Intrusion Prevention | Web Filtering
WAN Optimization | Antivirus | Email Filter
Application Control | Data Loss Prevention | Explicit Proxy

How Does it Work?

1 Initiate communication with vCenter Server
2 Register Fortinet as security service with vCNS Manager
3 Auto-deploy FortiGate-VMX to all hosts in security cluster
4 FortiGate-VMX connects with FortiGate-VMX Service Manager
5 License verification and configuration synchronization with FortiGate-VMX
6 Kernel agent creation and default redirection rules for each host cluster
7 Real-time updates of object database
8 Push policy synchronization to all FortiGate-VMX deployed in cluster

[Figure: workflow diagram with steps 1-8; labelled components: vCenter Server, vDistributed Switch, VMware Kernel.]


Leveraging a shared object database with VMware vCenter for easy creation of security policies, FortiGate-VMX handles process-intensive deployment of security services and policy enforcement with greater agility. FortiGate-VMX also supports live migrations of applications within clustered environments.

With the VMware NSX compatibility integration, any host added will embrace the security zone policy, and these updates are real-time and dynamic for newly created services without normal time lag in the paper trail requests.

With NetX API providing backward compatibility to VMware NSX manager, FortiGate-VMX can provide network visibility and inspection on East-West network traffic among VMs instantly.

Secured by FortiGuard

Beyond the platform integration, FortiGuard can be implemented to provide a continuous protection model in the integration with real-time sandboxing detecting new malware variants. FortiGuard helps recognize suspect content exhibiting malicious attributes, and investigate accordingly.

FortiGate-VMX offers seamless Intrusion Prevention Service (IPS) for Enterprise, Cloud, and Private Cloud:

USE CASE
The solution provides protection against network-level threats, detects and blocks attacks in real time, packet logging and attacker quarantine, and automated updates from the proven Fortinet Global Threat Research Team.

Benefits
Antivirus / Anti-spyware (AV)
Protection against virus, spyware, worms, and other forms of malware
“Set and forget” functionality to reduce security management overhead
Automated content updates from FortiGuard virus, spyware, and heuristic detection engines

USE CASE
FortiGate-VMX inserts a virtual filter between vNIC of the protected VM and the virtual switch (i.e. hypervisor-based security) resulting in a fully automated deployment of security services and policies. It provides dynamic security policy updates to enforce policy on newly created VMs (services) without requiring notification of the security administrator.

Benefits
Data loss prevention
Identification and control over data in motion
RegEx-based matching engine
Common file format inspection
Content archiving
Firewall
WAN optimization
Web filtering
Application control
Email filter


The integrated solution provides full next-generation security functionality in one platform, accommodating different network and security functions. And the IT administrator does not need to guess how much network security is required. The joint integrated solution is the most cost-effective, simplified, and secure approach to apply security policies when any hypervisor is provisioned on-demand.

Virtual Appliance | VMware vSphere v4.0/4.1, v5.0, v5.1, v5.5 | Citrix Xen Server v5.6 SP2, v6.0 | Open Source Xen, KVM | Amazon AWS | Microsoft Hyper-V 2008 R2, 2012

FortiGate-VM ✔ ✔ ✔ ✔ * ✔ ✔ ✔ ✔ ✔ * ✔ ✔

FortiManager-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔

FortiAnalyzer-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔

FortiWeb-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ * ✔

FortiMail-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

FortiAuthenticator-VM ✔ ✔ ✔ ✔ ✔ ✔

FortiADC-VM ✔ ✔ ✔

FortiCache-VM ✔ ✔ ✔ ✔

FortiVoice-VM ✔ ✔ ✔ ✔ ✔ ✔

FortiRecorder-VM ✔ ✔ ✔ ✔ ✔ ✔

FortiSandbox-VM ✔ ✔

FortiGate-VMX ✔

* Also available as pay-as-you-go licensing option.

GLOBAL HEADQUARTERS: Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States. Tel: +1.408.235.7700. www.fortinet.com/sales
EMEA SALES OFFICE: 120 rue Albert Caquot, 06560, Sophia Antipolis, France. Tel: +33.4.8987.0510
APAC SALES OFFICE: 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6513.3730
LATIN AMERICA SALES OFFICE: Prol. Paseo de la Reforma 115 Int. 702, Col. Lomas de Santa Fe, C.P. 01219, Del. Alvaro Obregón, México D.F. Tel: 011-52-(55) 5524-8480

Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified
product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of
the publication shall be applicable.
