From bcf37fdb8872b5073aa8ad919daca93090a48e61 Mon Sep 17 00:00:00 2001 From: Martin Borg Date: Mon, 26 Aug 2019 15:02:02 +0200 Subject: Example Use-cases: Update Fortigate example - Replace bundles with VNF images and update onboarding instructions - Remove screenshots of uCPE manager GUI - Cleanup of unnecessary information Change-Id I36ec799b5843be80c44c7606e6e7b8bc6b5979e6 Signed-off-by: Martin Borg Change-Id: I6f1f81443ca6d1c6764228cf1097ede8129c7c22 --- .../doc/forti_vnf_examples.xml | 684 +++++++-------------- 1 file changed, 229 insertions(+), 455 deletions(-) diff --git a/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml b/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml index 48f2995..6205ced 100644 --- a/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml +++ b/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml @@ -7,23 +7,10 @@ appliances. The virtual appliances can be integrated in Firewall or SD-WAN solution development. - Enea provides a prepared VNF bundle for usage with Enea NFV Access. - The bundle includes the FortiGate VNF image as well as a VNF Descriptor and - other onboarding related configuration files. - - The VNF Descriptor represents one specific setup, suitable for usage - with the Firewall and SD-WAN VPN instructions in this guide. Alternative VNF - Descriptor configurations may be needed to support other setups desired by - the customer. - - Enea can offer assistance and provide alternative VNF Descriptor - configurations. -
Prerequisites - The following hardware and software resources are needed for this - example use case: + System requirements for the uCPE device: @@ -37,6 +24,15 @@ 1 GB of RAM memory + + + The following files are needed for this example use case: + + + + FortiGate VNF image. This file is provided by the local Fortinet + sales representatives in your region. + FortiGate VNF license file. This file is provided by the local @@ -44,8 +40,13 @@ - FortiGate specific documentation. These files are provided by - the local Fortinet sales representatives in your region. + FortiGate specific documentation. This is provided by the local + Fortinet sales representatives in your region. + + + + FortiGate configuration example files. These files are provided + with your Enea NFV Access release.
@@ -53,13 +54,6 @@
FortiGate VNF as a Firewall - FortiGate Next Generation Firewall utilizes purpose-built security - processors and threat intelligence security services to deliver top-rated - protection and high performance, including encrypted traffic. FortiGate - reduces complexity with automated visibility into applications, users and - networks, and provides security ratings to adopt security best - practices. - Enea provides an example of a simple base firewall configuration for the FortiGate VNF. @@ -67,7 +61,9 @@ FortiGate VNF Example Configuration - + + + @@ -110,11 +106,11 @@ 1FortiGate In-Band Management is a - feature for running FortiGate Management traffic over WAN. + feature used for running FortiGate Management traffic over WAN. - Instructions on how to alter the default configuration are provided, + Instructions on how to alter the default configuration are provided in section FortiGate VNF Management in FortiGate VNF Web Management in . @@ -123,8 +119,8 @@ Lab Setup Before starting the configuration of the FortiGate Firewall, a lab - setup of hardware and software configurations has to be built. The - following table illustrates the requirements. + setup concerning hardware and software components has to be created. The + following table illustrates the requirements for this setup. Lab Setup Prerequisites @@ -147,11 +143,11 @@ - DHCP enabled Lab Network + DHCP enabled Lab Network. - Internet Connectivity + Internet Connectivity. @@ -164,32 +160,32 @@ - Minimum 4 Physical Network Devices + Minimum 4 Physical Network Devices. - 4 GB RAM and 4 cores (C3000 or Xeon D) + 4 GB RAM and 4 cores (C3000 or Xeon D). - Enea NFV Access Installed + Enea NFV Access Installed. - WAN Connected to Lab Network + WAN Connected to the Lab Network. - LAN1 Connected to Test Machine + LAN1 Connected to the Test Machine. - LAN2 Unconnected + LAN2 Unconnected. ETH0 connected to the Lab Network (for Enea uCPE - Manager communications) + Manager communications). 
@@ -201,15 +197,15 @@ - Connected to Lab Network + Connected to the Lab Network. - Running either Windows or CentOS + Running either Windows or CentOS. - Enea uCPE Manager installed + The Enea uCPE Manager installed. @@ -221,45 +217,15 @@ - Connected to Whitebox LAN - - - - Internet Connectivity via LAN + Connected to Whitebox LAN. - Configured as DHCP client on LAN - - - - - - - FortiGate VNF - - - - - Copy the FortiGate VNF Bundle provided by Enea to - the Lab Machine file system. - - - - Copy the FortiGate configuration examples from Enea - to the Lab Machine file system. Unpack the configuration - examples onto the Lab Machine. - - - - Retrieve the FortiGate VNF license file from - Fortinet and store it on the Lab Machine file system. See - FortiGate VNF for details. + Internet Connectivity via LAN. - Optionally, retrieve FortiGate VNF documentation - from Fortinet. See FortiGate VNF for details. + Configured as the DHCP client on LAN. @@ -274,7 +240,7 @@ + contentwidth="600" /> @@ -283,93 +249,43 @@
Use-case Setup - Configuring Network Interfaces on uCPE - devices - - Before deploying the FortiGate Firewall, the Enea NFV Access - platform has to be configured to the specific networking setup. + Network Configuration: Since the firewall uses three External Network Interfaces, three bridges need to be configured. Each bridge provides the ability to connect a physical network interface to the virtual machines' virtual - network interface. Each physical to virtual network interface connection - is setup in two steps: - - - - Bind the physical network interfaces with a DPDK - driver. - - - - Create a named bridge for each physical network - interface. - - + network interface. - Start the setup by preparing each interface for attachment to - a bridge. Bind the physical network interfaces to the DPDK by - selecting the uCPE device, then accessing: - Configuration -> - OpenVSwitch -> Host Interfaces - -> Add. - - The result of binding these three physical network interfaces - should look like the following: - -
- Successful Binding - - - - - - -
-
- - - Create one Open vSwitch bridge for each firewall network - connection (WAN, LAN1 and LAN2), by selecting: - Configuration -> - OpenVSwitch -> Bridges - -> Add. + Select the uCPE device, access + Configuration and bind the three physical network + interfaces to DPDK. - Repeat this step for each type of connection until all are - bridges are configured. - -
- Configured Bridges per Connection Type - - - - - - -
+ Create three OVS bridges, one for each DPDK network interface + (WAN, LAN1 and LAN2).
Alternatively, the firewall can be setup to use bridges as - connection points for the Fortigate VNF, by replacing the OVS-DPDK + connection points for the FortiGate VNF, by replacing the OVS-DPDK bridges with SR-IOV connection points. - It was previously assumed that three physical interfaces are - available for VNF connection. In the case of a firewall setup only two - physical interfaces are needed for the data path (one for WAN and one - for LAN). Only two interfaces will be configured as DPDK, with two - bridges created, one for each type of connection. + Please note that while previously three physical interfaces were + presumed necessary for VNF connection, in the case of a firewall setup + only two physical interfaces are required for the data path + (one for WAN and one for LAN). + + Only two interfaces will be configured as DPDK, with two bridges + created, one for each type of connection. - Please note that at VNF instantiation instead of assigning - distinct bridges for each LAN interface, only one will be used for both - LAN1 and LAN2, with no changes in WAN interface configuration. Please - see the picture below for the final setup: + At VNF instantiation instead of assigning distinct bridges for + each LAN interface, only one will be used for both LAN1 and LAN2, + with no changes in WAN interface configuration. + + See the picture below for the final setup:
Two-Interface Configuration @@ -377,123 +293,138 @@ + contentwidth="600" />
- Onboarding the FortiGate - VNF: + Onboarding the VNF: - + Onboard the FortiGate VNF by filling the required fields with the + following values: + + - To onboard the Fortigate VNF select from the top toolbar - VNF -> Descriptors -> - On-board. + VM Image File: Provide the + path to the FortiGate VNF qcow2 image. - Click Browse to view selections, and choose - the Fortigate.zip file, before clicking - Send. + Memory in MB: 1024 - - Instantiating the FortiGate - VNF + + Num of CPUs: 1 + - - Fortigate VNF instantiation requires the following - settings: + Storage in GB: 20 + -
- Instantiation Requirements + + Interfaces: Add 3 + interfaces. + - - + + Cloud-init Datasource: + ConfigDrive + - + + Cloud-init Disk Type: + cdrom + - - - Component + + Cloud-init content file: Add + a license file entry. + + - Description - - + Instantiating the VNF: - - - Name + Instantiate the FortiGate VNF by filling the required fields with + the following values: - Name of the VM which will be created on - the uCPE device. - +
+ Instantiation Requirements - - VNF Type + + - Name of the onboarded VNF - bundle. - + - - VIM + + + Field - Name and IP address of the device where - the VNF will be instantiated. - + Description + + - - License file + + + Name - FortiGate license file provided by - Fortinet. - + Name of the VM which will be created on the + uCPE device. + - - Configuration file + + VNF Type - Firewall example configuration file - provided by Enea - (FGVM080000136187_20180828_0353_basic_fw.conf). - + Name of the onboarded VNF. + - - Port1 - WAN + + uCPE Device - Set the External Interface type to Dpdk - and connect it to the wanmgrbr ovs - bridge. - + Select the uCPE device where the VNF will be + instantiated. + - - Port2 - LAN1 + + License file - Set the Incoming Interface type to Dpdk - and connect it to the lan1 ovs - bridge. - + The FortiGate license file provided by + Fortinet. + - - Port3 - LAN2 + + Configuration file - Set the Outgoing Interface type to Dpdk - and connect it to the lan2 ovs - bridge. - - - -
- + The Firewall example configuration file provided + by Enea + (FGVM080000136187_20180828_0353_basic_fw.conf). +
- - Select the uCPE device, then from the top toolbar select - VNF -> Instances -> - Add. - - + + Port1 - WAN + + Set the External Interface type to + DPDK and connect it to the wanmgrbr ovs + bridge. + + + + Port2 - LAN1 + + Set the Incoming Interface type to + DPDK and connect it to the lan1 ovs + bridge. + + + + Port3 - LAN2 + + Set the Outgoing Interface type to + DPDK and connect it to the lan2 ovs + bridge. + + +
+
@@ -513,9 +444,9 @@ The FortiGate VNF management interface is accessible through the WAN interface. The WAN IP address can be used from a web browser on the - Lab Machine to access the Fortigate VNF Management Web UI. Please check + Lab Machine to access the FortiGate VNF Management Web UI. Please check Fortigate VNF web managementFortiGate VNF web management @@ -526,19 +457,12 @@
FortiGate VNF as an SD-WAN VPN - The Software-Defined Wide-Area Network (SD-WAN or SDWAN) is a - specific application of software-defined networking (SDN) technology - applied to WAN connections. It connects enterprise networks, including - branch offices and data centers, over large geographic distances. - SD-WAN decouples the network from the management plane, detaching traffic management and monitoring functions from hardware. Most forms of SD-WAN technology create a virtual overlay that is transport-agnostic, - i.e. it abstracts underlying private or public WAN connections. With an - overlay SD-WAN, a vendor provides an edge device to the customer that - contains the software necessary to run the SD-WAN technology. + i.e. it abstracts underlying private or public WAN connections. - For deployment, the customer plugs in WAN links into the device, + For deployment, the user plugs in WAN links into the device, which automatically configures itself with the network. Example SD-WAN configurations for the FortiGate VNF are provided by @@ -547,7 +471,7 @@
Prerequisites - The following table illustrates the use-case prerequisites of the + The following table illustrates the use-case prerequisites for the setup: @@ -599,21 +523,21 @@ - VNFMgr Connected to Lab Network for VNF management + VNFMgr connected to the Lab Network for VNF management access. - WAN interfaces directly connected through Ethernet + WAN interfaces directly connected through the Ethernet cable. - LAN Connected to Test Machine. + LAN connected to the Test Machine. - ETH0 connected to Lab Network (for Enea uCPE + ETH0 connected to the Lab Network (for Enea uCPE Manager communications). @@ -626,7 +550,7 @@ - Connected to Lab Network. + Connected to the Lab Network. @@ -634,7 +558,7 @@ - Enea uCPE Manager installed. + The Enea uCPE Manager installed. @@ -654,36 +578,7 @@ - Configured as DHCP client on LAN. - - - - - - - FortiGate VNF - - - - - FortiGate VNF Bundle copied from Enea to the Lab - Machine file system. - - - - FortiGate configuration examples from Enea, copied - to the Lab Machine file system. Unpack the configuration - examples specific for SD-WAN onto the Lab Machine. - - - - Retrieve the FortiGate VNF license from Fortinet - and store it on the Lab Machine file system. - - - - Optionally, retrieve FortiGate VNF documentation - from Fortinet. + Configured as the DHCP client on LAN. @@ -810,17 +705,13 @@
- Download locally the valid license files for the Fortigate VNF - from Fortinet and the configuration file provided by Enea as - examples. -
SD-WAN: VPN Configuration + fileref="images/sdwan_vpn_overview_1.png" contentwidth="600" />
@@ -829,130 +720,52 @@
Use-case Setup - Configuring Network Interfaces on uCPE - devices - - Before deploying the FortiGate SD-WAN, the Enea NFV Access - platform has to be configured to the specific networking setup. + Network Configuration: Since the SD-WAN VNF uses three External Network Interfaces, three bridges need to be configured. Each bridge provides the ability to connect a physical network interface to the VM's virtual network - interface. Each physical to virtual network interface connection is - setup in two steps: - - - - Bind the physical network interfaces with a DPDK - driver. - - - - Create a named bridge for each physical network - interface. - - - - Start the setup by preparing each physical interface for - attachment to a bridge. Each VNF instance will have a virtual interface - for VNF management, for the WAN network and for LAN - communication. + interface. + + Each VNF instance will have a virtual interface for VNF + management, for the WAN network and for LAN communication. - Bind a physical interface to the DPDK by selecting uCPE device - 1 first, then: Configuration -> - OpenVSwitch -> Host - Interfaces -> Add. - - Repeat this step for the other two interfaces. The result of a - successful binding should look like the following: - -
- Results of Binding - - - - - - -
+ Select uCPE Device 1, access Configuration + and bind the three physical network interfaces to the DPDK.
- Create an Open vSwitch bridge for each SD-WAN network - connection (VNF management, WAN and LAN) by selecting the uCPE - device then: Configuration -> - OpenvSwitch -> Bridges - -> Add. + Create three OVS bridges, one for each DPDK network interface + (VNF management, WAN and LAN). - Repeat this step for all network connections. Three bridges - will be created: - -
- OVS Bridges - - - - - - -
+ Repeat the steps above for uCPE device 2.
- Onboarding the FortiGate - VNF - - - - To onboard a VNF, select a uCPE device on the map and click - the VNF button in the top toolbar. Then, click - the Descriptors -> On-board - -> Browse options, and select the - Fortigate.zip file, before pressing - Send: - -
- Onboarding FortiGate VNF - - - - - - -
-
+ Onboarding the FortiGate VNF - - Wait for the Onboarding Status popup to - display the confirmation message and select - OK. - -
+ See the onboarding parameters detailed in the previous use-case above. - Instantiating the FortiGate - VNF + Instantiating the FortiGate VNF - FortiGate VNF instantiation requires the following - settings: + Instantiate the FortiGate VNF by filling the required fields with + the following values: - FortiGate VNF Instantiation Requirements + Instantiation Requirements - + - + - Component + Field Description @@ -960,57 +773,59 @@ - Name + Name - The name of the VM which will be created on the uCPE - device. + Name of the VM which will be created on the + uCPE device. - VNF Type + VNF Type - The name of the onboarded VNF bundle. + Name of the onboarded VNF. - VIM + uCPE Device - Name and IP address of the device where the VNF will be + Select the uCPE device where the VNF will be instantiated. - License file + License file - The FortiGate license file provided by Fortinet. + The FortiGate license file provided by + Fortinet. - Configuration file(s) + Configuration files - SD-WAN example configuration files provided by Enea: + The SD-WAN example configuration files provided + by Enea: FGVM080000136187_20180215_0708_sdwan1.conf FGVM080000136188_20180215_0708_sdwan2.conf - Port1 - VNFMgr + Port1 - VNFMgr - Set as Dpdk type and connect it to the + Set the type to DPDK and connect it to the vnfmgrbr bridge. - Port2 - WAN + Port2 - WAN - Set as Dpdk type and connect it to the + Set the type to DPDK and connect it to the wanbr bridge. - Port3 - LAN + Port3 - LAN - Set as Dpdk type and connect it to the + Set the type to DPDK and connect it to the lanbr bridge. @@ -1019,33 +834,15 @@ - Select a uCPE device on the map, then from the top toolbar - click VNF -> Instances - -> Add. + Instantiate the FortiGate VNF on uCPE device 1 using the + sdwan1 example configuration file. - Use the sdwan1 example configuration file - for uCPE device 1: - -
- Configuring uCPE device 1 - - - - - - -
-
- - - To complete the branch-to-branch setup, configure the peer - uCPE device in the same way as uCPE device 1. - Make sure to use the - FGVM080000136188_20180215_0708_sdwan2.conf - configuration file for the second VNF instantiation. + To complete the branch-to-branch setup, configure uCPE device + 2 in the same way as uCPE device 1. Make sure to + use the sdwan2 configuration file for the second VNF + instantiation.
@@ -1080,7 +877,7 @@ In this SD-WAN VPN setup example, bridges were used as - connection points for the Fortigate VNF. It is possible to replace + connection points for the FortiGate VNF. It is possible to replace OVS-DPDK bridges with SR-IOV connection points. @@ -1089,74 +886,51 @@
FortiGate VNF Web Management - In order to check the IP address assigned to the Fortigate VNF you - need to connect to the Fortigate CLI. - - Connecting to the Fortigate - CLI + In order to check the IP address assigned to the FortiGate VNF you + need to connect to the FortiGate CLI. - Connect to the Fortigate VNF by using: SSH - -> user (root) and attach to the VNF's console - using the virsh console command shown below: - -
- Attaching to the VNF Console + SSH to the uCPE Device (Username: root) and connect to the + FortiGate VNF console: - - - - - -
+ virsh list +virsh console <id of FortiGate VNF>
- To access Fortigate CLI, use admin as the + To access the FortiGate CLI, use admin as the user, leaving the password blank/empty, and press enter. Use the CLI command get system interface to get the dynamic interfaces configuration. - -
- Accessing and configuring Fortigate CLI - - - - - - -
Use the IP address assigned for the management interface in the web browser (https://<IP>), to access the - Fortinet VNF web management interface. Use the same credentials as + FortiGate VNF Web Management Interface. Use the same credentials as before to login. - You can browse through the configuration and perform changes + Browse through the configuration and perform changes according to your setup:
- The Fortinet Web Interface + The FortiGate VNF Web Management Interface + fileref="images/fortinet_interface.png" contentwidth="600" />
- Optionally, alter the default Fortinet example configuration + Optionally, alter the default FortiGate example configuration provided by Enea, through the following steps: @@ -1188,4 +962,4 @@
- \ No newline at end of file + -- cgit v1.2.3-54-g00ecf
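Review bot: The new "FortiGate VNF image" item in the Prerequisites hunk (@@ -37,6 +24,15 @@) says the qcow2 comes from a Fortinet sales representative but gives the reader no way to check that the file they received is the one Fortinet shipped, even though the image later becomes the VM's root disk. Suggest adding a line to that list item asking the reader to compare the image checksum against the value Fortinet supplies with the download before onboarding it.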
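Review bot: The rewritten lab-setup intro (@@ -123,8 +119,8 @@) reads awkwardly: "a lab setup concerning hardware and software components has to be created". The original "a lab setup of hardware and software components" was clearer; suggest keeping "of" and only adding the period changes.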
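Review bot: The Test Machine hunk (@@ -221,45 +217,15 @@) deletes the whole "FortiGate VNF" preparation list (copy the configuration examples and the license file to the Lab Machine file system) without replacing it, yet the instantiation table later still has "License file" and "Configuration file" fields that need those files reachable from the machine running the uCPE Manager. Either keep a one-line preparation step here or extend the new Prerequisites list with where the files must reside. Also "Configured as the DHCP client on LAN" should be "a DHCP client" (the same wording is introduced in the SD-WAN table, @@ -654,36 +578,7 @@).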
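Review bot: In the firewall Use-case Setup hunk (@@ -283,93 +249,43 @@) the bridge names disappear: "Create three OVS bridges, one for each DPDK network interface (WAN, LAN1 and LAN2)" no longer says what to call them, but the instantiation table requires the bridges to be named wanmgrbr, lan1 and lan2. With the screenshots removed the reader has no other source for the names, so spell them out: "Create three OVS bridges named wanmgrbr, lan1 and lan2". The same hunk drops the only textual navigation path (Configuration -> OpenVSwitch -> Host Interfaces -> Add and Bridges -> Add); consider keeping it since the GUI screenshots that used to show it are gone. Finally, the retained sentence "the firewall can be setup to use bridges as connection points ... by replacing the OVS-DPDK bridges with SR-IOV connection points" contradicts itself; it should say the firewall can be set up to use SR-IOV connection points instead of OVS-DPDK bridges.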
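Review bot: In the onboarding hunk (@@ -377,123 +293,138 @@) the "Cloud-init content file" step adds only a license file entry, but the instantiation table below expects both a "License file" and a "Configuration file". If the configuration file is also delivered through cloud-init, the onboarding step needs a second content-file entry; if it is delivered another way, say how it reaches the VNF, otherwise the reader cannot complete the instantiation form. The hunk also removes the navigation paths (VNF -> Descriptors -> On-board and VNF -> Instances -> Add) without replacing them, and "Interfaces: Add 3 interfaces" would be clearer if it stated that the three interfaces map to Port1 - WAN, Port2 - LAN1 and Port3 - LAN2 in that order, assuming that is how the uCPE Manager assigns them.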
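Review bot: The SD-WAN Use-case Setup hunk (@@ -829,130 +720,52 @@) has the same naming gap as the firewall section: the bridge step says "one for each DPDK network interface (VNF management, WAN and LAN)" but the instantiation table requires vnfmgrbr, wanbr and lanbr, so name them in the bridge step. "bind the three physical network interfaces to the DPDK" also differs from the firewall section's "to DPDK"; use one form.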
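Review bot: In the Web Management hunk (@@ -1089,74 +886,51 @@) the screenshot is replaced by "virsh list / virsh console <id of FortiGate VNF>", which is an improvement, but two practical points are missing. First, the reader is dropped into a virsh console with no hint how to detach (Ctrl+] is the virsh console escape), which matters because the next step returns to a browser on the Lab Machine. Second, the retained text logs in as admin with an empty password and then points the reader at the Web UI on the WAN address; add a step to set an admin password before management is reachable over WAN, and note that the SSH login to the uCPE device is as root. The figure caption was renamed to "The FortiGate VNF Web Management Interface" while the file stays images/fortinet_interface.png, which is fine but worth a glance for consistency with the other renamed figures.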