Posted on February 25, 2021 3:10 pm | Asked by Roman Chubugin

Hi!

I tried to create a simple laboratory with MSS, FortiGate FW and an IXIA traffic generator and have problems understanding how it should be configured. Schema and configuration were attached.

VXLAN works and the connection between CVX and FortiManager was successfully created, but I didn't receive policy from FortiManager.

#show service mss status
Enabled: true
Running: true
Policy enforcement consistency: best-effort
Policy enforcement rules: group,verbatim

#show service mss dynamic
Total policies processed: 706
Policy Source          Device Set   Service Device   State
---------------------  -----------  ---------------  ----------
fortinet-fortimanager  fnet         xxxx             active

#show service mss dynamic status
Service Device Policy Monitoring Status:

Device: xxxx
IP address: xxxx
Policy source type: FortinetFortiManager
Aggregation Manager: True
Device group member(s):
fg60e
Device set name: fnet
Device set state: Active
Last seen at time: 2021 Feb 25, 15:05:28

Device: fg60e
IP address: 0.0.0.0
Policy source type: FortinetFortiManager
Accessed via Aggregation Manager: 172.16.1.225
Device set name: fnet
Device set state: Active
Total policies processed: 666
Last seen at time: 2021 Feb 25, 15:05:23

#show service mss dynamic device-set fnet device fg60e policies
Policies for device: fg60e
Policy: host11-12 Tag: MSS1 Action: accept
--------------------------------------------------------------------------------
Source Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.1

Destination Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.2

Policy: host12-11 Tag: MSS1 Action: accept
--------------------------------------------------------------------------------
Source Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.2

Destination Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.1

show service mss policy
Macro-Segmentation L3 Policy Table
-------------------------------------------------------------------------------
Source Device  Policy        Offload       Redirect       Unconverged
                             status        status         IPs
-------------  ------------  ------------  -------------  --------------

Could you please help me to understand how it should be configured?

Posted by Lalitha Prasuna
Answered on March 23, 2021 5:21 am

Hi Roman,

The command "show service mss dynamic status" shows active, indicating we are able to communicate with the Fortinet.

A few points we might want to check are whether direct flow is enabled and whether the policies are configured correctly on the Fortinet. Commands that might come in handy in checking this are:

  1. Show direct flow counters|nz
  2. show service policy status >> presents a summary against each L3 policy fetched from the firewall. This command is useful in figuring out if necessary DirectFlow rules are configured on all VTEPs. Moreover, the output also shows the status for all intercepted hosts. In addition, as the implicit redirect is enabled with MSS L3, each offload policy has an associated Redirect status.

Here's also another guide for your reference: https://eos.arista.com/eos-4-21-3f/arista-macro-segmentation-service-integration-with-fortinet-firewalls/

Hope this helps!

Regards

Lalitha Prasuna
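As an added example (not part of the question or the answer), the following Python script parses the two CLI outputs quoted in the question and lists the policies that CVX fetched from FortiManager but that have no row in the Macro-Segmentation L3 policy table, which is exactly the symptom reported. The sample text is constructed from the question's output, and it assumes the second column of the L3 table is the policy name.

```python
import re

# Constructed sample: the two FortiManager policies from the question's
# "show service mss dynamic device-set fnet device fg60e policies" output.
DYNAMIC_POLICIES = """Policies for device: fg60e
Policy: host11-12 Tag: MSS1 Action: accept
Source Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.1
Destination Zone: any Classification: intercept
Interfaces:
IP addresses: 10.0.0.2
Policy: host12-11 Tag: MSS1 Action: accept
Source Zone: any Classification: intercept
IP addresses: 10.0.0.2
Destination Zone: any Classification: intercept
IP addresses: 10.0.0.1
"""
# Constructed sample: the empty "show service mss policy" table from the question.
L3_POLICY_TABLE = """Macro-Segmentation L3 Policy Table
Source Device Policy Offload Redirect Unconverged
status status IPs
------------ ------------ ------------ ------------- -------------- -----------
"""
POLICY_RE = re.compile(r"^Policy:\s+(\S+)\s+Tag:\s+(\S+)\s+Action:\s+(\S+)")
SIDE_RE = re.compile(r"^(Source|Destination) Zone:")
IPS_RE = re.compile(r"^IP addresses:\s*(.*)$")

def parse_dynamic_policies(text):
    """Policies fetched from the firewall: name, tag, action, src/dst IP lists."""
    policies, side = [], None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            policies.append({"name": m[1], "tag": m[2], "action": m[3], "src": [], "dst": []})
        elif m := SIDE_RE.match(line):
            side = "src" if m[1] == "Source" else "dst"
        elif (m := IPS_RE.match(line)) and policies and side:
            policies[-1][side] += m[1].split()
    return policies

def parse_l3_policy_names(text):
    """Policy names (assumed 2nd column) in the L3 table; rows follow the last dashed rule line."""
    lines = text.splitlines()
    rules = [i for i, l in enumerate(lines) if l.strip() and set(l.strip()) <= {"-", " "}]
    rows = lines[rules[-1] + 1:] if rules else lines
    return {cols[1] for cols in (r.split() for r in rows) if len(cols) >= 2}

def uninstalled_policies(dynamic_text, l3_text):
    """Names fetched from FortiManager that have no row in the L3 policy table."""
    installed = parse_l3_policy_names(l3_text)
    return [p["name"] for p in parse_dynamic_policies(dynamic_text) if p["name"] not in installed]
```

For the outputs in the question both policies come back as uninstalled, which is the state to investigate with the two commands listed in the answer.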