Posted on February 25, 2021 3:10 pm
 |  Asked by Roman Chubugin

Hi!

I tried to create a simple lab with MSS, a FortiGate FW and an IXIA traffic generator, and I have problems understanding how it should be configured. The schema and configuration are attached.

VXLAN works and the connection between CVX and FortiManager was successfully created, but I didn't receive the policy from FortiManager.

#show service mss status
Enabled: true
Running: true
Policy enforcement consistency: best-effort
Policy enforcement rules: group,verbatim

#show service mss dynamic
Total policies processed: 706
Policy Source          Device Set   Service Device   State
---------------------  -----------  ---------------  ------
fortinet-fortimanager  fnet         xxxx             active

#show service mss dynamic status
Service Device Policy Monitoring Status:

Device: xxxx
IP address: xxxx
Policy source type: FortinetFortiManager
Aggregation Manager: True
Device group member(s):
fg60e
Device set name: fnet
Device set state: Active
Last seen at time: 2021 Feb 25, 15:05:28

Device: fg60e
IP address: 0.0.0.0
Policy source type: FortinetFortiManager
Accessed via Aggregation Manager: 172.16.1.225
Device set name: fnet
Device set state: Active
Total policies processed: 666
Last seen at time: 2021 Feb 25, 15:05:23

#show service mss dynamic device-set fnet device fg60e policies
Policies for device: fg60e
Policy: host11-12 Tag: MSS1 Action: accept
——————————————————————————–
Source Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.1

Destination Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.2

Policy: host12-11 Tag: MSS1 Action: accept
——————————————————————————–
Source Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.2

Destination Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.1

#show service mss policy
Macro-Segmentation L3 Policy Table
-------------------------------------------------------------------------------
Source Device   Policy   Offload status   Redirect status   Unconverged IPs
-------------   ------   --------------   ---------------   ---------------

Could you please help me to understand how it should be configured?

Posted by Lalitha Prasuna
Answered on March 23, 2021 5:21 am

Hi Roman,

The command "show service mss dynamic status" shows active, indicating we are able to communicate with the Fortinet.

A few points we might want to check are whether DirectFlow is enabled and whether the policies are configured correctly on the Fortinet. Commands that might come in handy in checking this are:

  1. show directflow counters | nz
  2. show service policy status: presents a summary against each L3 policy fetched from the firewall. This command is useful in figuring out whether the necessary DirectFlow rules are configured on all VTEPs. Moreover, the output also shows the status of all intercepted hosts. In addition, as implicit redirect is enabled with MSS L3, each offload policy has an associated Redirect status.

Here's also another guide for your reference: https://eos.arista.com/eos-4-21-3f/arista-macro-segmentation-service-integration-with-fortinet-firewalls/

Hope this helps!

Regards

Lalitha Prasuna

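
To make the checks in the answer above mechanical, here is an added example (not code from any of the posters and not an Arista tool) that parses the pasted text of three EOS show commands from the question and reports the symptom being discussed: the FortiManager device set is Active and policies are processed, yet the Macro-Segmentation L3 Policy Table stays empty. The sample inputs are constructed from the question's paste; `fmg` stands in for the masked FortiManager name, and the five-minute freshness bound on "Last seen at time" is an assumption of the example, not a documented threshold.

```python
"""Triage the MSS/FortiManager symptom from this thread: device set Active, policies
processed, yet 'show service mss policy' empty. Added example, not code from any
poster or from Arista; it parses pasted EOS show output and needs no network access."""
import re
from collections import namedtuple
from datetime import datetime, timedelta
from typing import List

# Constructed samples abridged from the question; "fmg" stands in for the masked
# FortiManager name (the question shows only its 172.16.1.225 address).
DYNAMIC_STATUS = """\
Device: fmg
Device group member(s):
fg60e
Device set state: Active
Last seen at time: 2021 Feb 25, 15:05:28

Device: fg60e
Accessed via Aggregation Manager: 172.16.1.225
Device set state: Active
Total policies processed: 666
Last seen at time: 2021 Feb 25, 15:05:23
"""
POLICY_TABLE = """\
Macro-Segmentation L3 Policy Table
-------------------------------------------------------------------------------
Source Device   Policy   Offload status   Redirect status   Unconverged IPs
-------------   ------   --------------   ---------------   ---------------
"""
DEVICE_POLICIES = """\
Policies for device: fg60e
Policy: host11-12 Tag: MSS1 Action: accept
--------------------------------------------------------------------------------
Source Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.1

Destination Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.2
"""
SEPARATOR = re.compile(r"^[-\u2013\u2014\s]+$")  # dashed rule, even when pasted as en/em dashes
DeviceStatus = namedtuple("DeviceStatus", "name state policies_processed last_seen")

def parse_dynamic_status(text: str) -> List[DeviceStatus]:
    """One record per 'Device:' block of 'show service mss dynamic status'."""
    devices = []
    for block in re.split(r"(?m)^Device: ", text)[1:]:
        lines = block.splitlines()
        kv = {}
        for line in lines[1:]:
            key, sep, value = line.partition(":")  # lines without ':' (group members) are skipped
            if sep:
                kv[key.strip()] = value.strip()
        seen = kv.get("Last seen at time")
        devices.append(DeviceStatus(lines[0].strip(), kv.get("Device set state", "Unknown"),
                                    int(kv.get("Total policies processed", 0)),
                                    datetime.strptime(seen, "%Y %b %d, %H:%M:%S") if seen else None))
    return devices

def parse_policy_table(text: str) -> List[str]:
    """Data rows of 'show service mss policy': everything after the last dashed rule."""
    lines = text.splitlines()
    seps = [i for i, l in enumerate(lines) if l.strip() and SEPARATOR.match(l)]
    return [l for l in lines[seps[-1] + 1:] if l.strip()] if seps else []

def parse_device_policies(text: str) -> List[dict]:
    """Rules CVX pulled for one firewall, reduced to what MSS needs to redirect them."""
    rules = []
    for chunk in re.split(r"(?m)^Policy: ", text)[1:]:
        head, _, body = chunk.partition("\n")
        m = re.match(r"(\S+)\s+Tag:\s*(\S+)\s+Action:\s*(\S+)", head)
        if not m:
            continue
        ips = [re.split(r"[\s,]+", v.strip()) if v.strip() else []
               for v in re.findall(r"IP addresses:(.*)", body)]  # source block first, then destination
        classes = re.findall(r"Classification:\s*(\S+)", body)
        rules.append({"name": m.group(1), "tag": m.group(2), "action": m.group(3),
                      "src": ips[0] if ips else [], "dst": ips[1] if len(ips) > 1 else [],
                      "intercept": bool(classes) and all(c == "intercept" for c in classes)})
    return rules

def triage(status_text, table_text, rules_text, now, max_age=timedelta(minutes=5)):
    """Return findings as strings; empty list means nothing stands out. max_age is assumed."""
    findings = []
    devices = parse_dynamic_status(status_text)
    for d in devices:
        if d.state != "Active":
            findings.append(f"{d.name}: device set state {d.state}; CVX is not talking to the Fortinet side")
        elif d.last_seen and now - d.last_seen > max_age:
            findings.append(f"{d.name}: last seen {now - d.last_seen} ago; policy monitoring looks stale")
    rules = parse_device_policies(rules_text)
    for r in rules:
        if not (r["intercept"] and r["src"] and r["dst"]):
            findings.append(f"{r['name']}: not an intercept rule with IP hosts on both sides")
    fetched = sum(d.policies_processed for d in devices)
    if fetched and rules and not parse_policy_table(table_text):
        findings.append(f"{fetched} policies processed and {len(rules)} MSS-tagged rules parsed, but the "
                        "L3 policy table is empty: check DirectFlow and the intercepted hosts on the VTEPs")
    return findings
```

Paste the live output of the three commands into the three strings (or collect them over eAPI) and call `triage(..., now=datetime.now())`; on the question's output it returns exactly one finding, the empty L3 table, because reachability and the rule definitions themselves look fine.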
Posted by Gabor Luky
Answered on June 21, 2021 1:10 pm

Hello!

Can you please tell me which EOS and FortiOS versions are compatible? We also configured MSS with Fortinet, but it seems from the traceMonitor that some API calls from CVX are not working properly.

2021-06-21 09:27:11.425214 2838 MssPolicyMonitor 0 FGT101FTest FortiGate API url /api/v2/monitor/network/lldprx/neighbors?vdom=Arista_VDOM returned status {u'message': u'Invalid url', u'code': -6} target ['adom/root/device/FGT101FTest']

At the moment we are on:

EOS 4.24.6M – CVX cluster

EOS 4.24.2.2F – leaf switches

FOS 6.4.4 – FortiGate

FMG 6.4.5 – FortiMGR

From the outputs below it seems the communication between FortiMgr/Gate is working:

show service mss dynamic
Total policies processed: 40668
Policy Source Device Set Service Device State
--------------------- ---------- -------------- ----------
fortinet-fortimanager fnet x.x.x.x active

cvx-1#show service mss dynamic status
Service Device Policy Monitoring Status:

Device: x.x.x.x
IP address: x.x.x.x
Policy source type: FortinetFortiManager
Aggregation Manager: True
Device group member(s):
FGT101FTest
Device set name: fnet
Device set state: Active
Last seen at time: 2021 Jun 21, 09:13:38

Device: FGT101FTest
IP address: y.y.y.y
Policy source type: FortinetFortiManager
Accessed via Aggregation Manager: x.x.x.x
Device set name: fnet
Device set state: Active
Total policies processed: 25561
Last seen at time: 2021 Jun 21, 09:13:47

But all the other related show commands are not working:

show service mss dynamic device-set fnet device x.x.x.x group-members
! Accessing external device(s), this may take a few seconds...

% No reply from external device. Waited for 4 seconds. Use cli-timeout option to wait longer.

Posted by Anuraag
Answered on August 4, 2021 4:27 am

Gabor,

Can you try with FortiOS version 6.2.2 or lower for this lab?

Thanks,

Anuraag
