

SOLUTION BRIEF

ACCELERATED SOFTWARE-DEFINED SECURITY WITH CISCO APPLICATION CENTRIC INFRASTRUCTURE

Organizations are looking to deliver more agile private cloud infrastructure, from compute to storage to networking, so that applications can connect more easily and rapidly with end users, customers and partners. But networking and network security that are traditionally tied to rigid, dedicated hardware increase OPEX and management complexity. Networking and Layer 4 through Layer 7 application services usually require manual configuration and constant management updates to keep up with changes. To meet the agility requirements of the software-defined data center and private cloud, networking and application services also need automation based on predefined policies and on-demand orchestration.

Cisco® Application Centric Infrastructure (ACI) integrates Fortinet FortiGate appliances for the private cloud to deliver application-centric security automation in modern data centers.

The integration of the Cisco ACI architecture with FortiGate solutions provides automated, predefined policy-based security provisioning and security policy updates for NGFW, UTM and VPN services. The solution enables transparent insertion of security services anywhere in the network fabric through single-pane-of-glass management.

Cisco ACI also improves packet forwarding. The network’s application-aware policy model is the foundation of security within Application Centric Infrastructure: it essentially dictates what can talk to what on the network, and that policy is enforced at the edge of the fabric.
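As an added example (not code from this brief, nor from Cisco or Fortinet), the Python below expresses the "what can talk to what" model for the Web EPG and DB EPG of Figure 1 as an APIC tenant object: one contract, consumed by Web and provided by DB, carrying a single filter that permits TCP/3306, with everything else between the two EPGs implicitly denied. It then evaluates sample flows against that object locally. The class and attribute names (fvTenant, fvAp, fvAEPg, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvRsCons, fvRsProv, tnVzBrCPName, tnVzFilterName) are the APIC object model; the tenant, EPG and port values are constructed for the example. The local evaluator is a simplification of fabric enforcement and does not model the service graph that, in the integration this brief describes, steers the permitted flow through the FortiGate.

```python
"""Added example, not from the brief or from Cisco/Fortinet: the "what can talk
to what" policy of Figure 1 as an APIC tenant object plus a local check of it.

Between ACI endpoint groups (EPGs) traffic is dropped unless a contract that one
EPG consumes and the other provides carries a filter entry matching the flow.
Class/attribute names are the APIC object model; tenant, EPG and port values are
constructed. allowed() is a simplified local evaluation, not fabric enforcement,
and ignores the service graph that redirects permitted flows to the FortiGate."""
import json


def build_tenant(tenant, web_epg, db_epg, port):
    """Tenant with one filter (TCP/<port>), one contract carrying it, and an
    application profile in which web_epg consumes and db_epg provides it."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"vzFilter": {"attributes": {"name": "db-port"}, "children": [
            {"vzEntry": {"attributes": {
                "name": f"tcp{port}", "etherT": "ip", "prot": "tcp",
                "dFromPort": str(port), "dToPort": str(port)}}}]}},
        {"vzBrCP": {"attributes": {"name": "web-to-db", "scope": "context"},
                    "children": [
            {"vzSubj": {"attributes": {"name": "db-access"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "db-port"}}}]}}]}},
        {"fvAp": {"attributes": {"name": "three-tier"}, "children": [
            {"fvAEPg": {"attributes": {"name": web_epg}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": "web-to-db"}}}]}},
            {"fvAEPg": {"attributes": {"name": db_epg}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": "web-to-db"}}}]}}]}}]}}


def _mo(node):
    """Split a managed object {cls: {attributes, children}} into its parts."""
    (cls, body), = node.items()
    return cls, body.get("attributes", {}), body.get("children", [])


def index_policy(tenant_mo):
    """Collect filters, contract -> filter names, and per-EPG consumed/provided contracts."""
    filters, contracts, consumes, provides = {}, {}, {}, {}
    for child in _mo(tenant_mo)[2]:
        cls, attrs, children = _mo(child)
        if cls == "vzFilter":
            filters[attrs["name"]] = [_mo(e)[1] for e in children if "vzEntry" in e]
        elif cls == "vzBrCP":
            contracts[attrs["name"]] = [
                _mo(rel)[1]["tnVzFilterName"]
                for subj in children for rel in _mo(subj)[2] if "vzRsSubjFiltAtt" in rel]
        elif cls == "fvAp":
            for epg in children:
                epg_name, rels = _mo(epg)[1]["name"], _mo(epg)[2]
                for rel in rels:
                    rcls, rattrs, _ = _mo(rel)
                    if rcls == "fvRsCons":
                        consumes.setdefault(epg_name, set()).add(rattrs["tnVzBrCPName"])
                    elif rcls == "fvRsProv":
                        provides.setdefault(epg_name, set()).add(rattrs["tnVzBrCPName"])
    return filters, contracts, consumes, provides


def entry_matches(entry, proto, dport):
    """ACI uses the literal 'unspecified' as the wildcard for prot and port ranges."""
    if entry.get("prot", "unspecified") not in ("unspecified", proto):
        return False
    lo, hi = entry.get("dFromPort", "unspecified"), entry.get("dToPort", "unspecified")
    return "unspecified" in (lo, hi) or int(lo) <= dport <= int(hi)


def allowed(tenant_mo, src_epg, dst_epg, proto, dport):
    """A consumer-initiated flow src_epg -> dst_epg is permitted only by a contract
    consumed by src_epg and provided by dst_epg whose filters match the flow."""
    filters, contracts, consumes, provides = index_policy(tenant_mo)
    shared = consumes.get(src_epg, set()) & provides.get(dst_epg, set())
    return any(entry_matches(e, proto, dport)
               for c in shared for f in contracts.get(c, []) for e in filters.get(f, []))


if __name__ == "__main__":
    tenant = build_tenant("demo", "Web", "DB", 3306)
    print(json.dumps(tenant, indent=1))  # body for POST /api/mo/uni.json on the APIC
    for flow in (("Web", "DB", "tcp", 3306), ("Web", "DB", "tcp", 22), ("DB", "Web", "tcp", 3306)):
        print(flow, "permit" if allowed(tenant, *flow) else "deny")
```

The JSON produced is the body one would POST to the APIC's standard REST endpoint /api/mo/uni.json after authenticating (the endpoint is the APIC's own, not something stated in this brief). Note the asymmetry the evaluator shows: Web may open TCP/3306 to DB, but DB cannot open the same port towards Web and Web cannot reach any other port on DB, because nothing is permitted that a contract does not explicitly carry.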

SOLUTION HIGHLIGHTS

• Better visibility and security correlated with overlay/underlay networks

• Lower TCO from reduced administrative OPEX

• Accelerated application and L4-L7 security deployment

• Increased efficiency in service provisioning and network security segmentation

FIGURE 1: CISCO ACI AND FORTIGATE SOLUTION

[Figure: an ACI fabric in the data center (three spine nodes, four leaf nodes) managed by the APIC. A Web EPG and a DB EPG are connected through a FortiGate, shown both as a physical appliance attached via NIC and as a FortiGate VM alongside the Web VM. The numbered attachment points mark the four ACI domain types:
1. VMM Domain
2. Physical Domain
3. External Layer 2
4. External Layer 3]


Copyright © 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

GLOBAL HEADQUARTERS: Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States. Tel: +1.408.235.7700. www.fortinet.com/sales

EMEA SALES OFFICE: 905 rue Albert Einstein, 06560 Valbonne, France. Tel: +33.4.8987.0500

APAC SALES OFFICE: 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6513.3730

LATIN AMERICA HEADQUARTERS: Sawgrass Lakes Center, 13450 W. Sunrise Blvd., Suite 430, Sunrise, FL 33323. Tel: +1.954.368.9990

February 21, 2018 4:54 PM

The integration of Cisco ACI and the Fortinet FortiGate solution comes with the following benefits:

• Consistency and transparency across physical and virtual application workloads

• Single-pane-of-glass management from Cisco APIC, with full visibility into security policy enforcement

• Predefined security policies deployed rapidly throughout the complete application deployment lifecycle

HOW DOES IT WORK TOGETHER?

The Fortinet Software Defined Security (SDS) framework provides the integration path for software-defined networking (SDN), network function virtualization (NFV) and programmable switch platforms, and enables service policy automation through RESTful APIs and scripting with JSON and XML data formats.

The integration requires two components:

• A Fortinet FortiGate device package, uploaded to the APIC

• Cisco ACI-certified FortiGate appliances, physical or virtual

LAYER 4 AND LAYER 7 SERVICE INSERTION FLOW

IT administrators define service policies such as high availability, virtual IP and port forwarding for different applications in the APIC and create service graphs that identify the set of network or service functions the applications need. When a security policy is triggered during the application deployment lifecycle, the Cisco APIC steers the matching traffic through the Fortinet FortiGate for advanced firewall inspection, without manual configuration.

The Cisco APIC integrates with Fortinet FortiGate appliances for the private cloud to simplify network security deployment. To connect the FortiGate appliance to the Cisco ACI fabric, the virtualization administrator only needs to associate the predefined security policy with the virtual machine networks created by the Cisco APIC. The Cisco ACI fabric is designed to be independent of the overlay and can bridge frames to and from heterogeneous environments.

FIGURE 2: SERVICE GRAPH DESIGN IN APIC CONTROLLER SIMPLIFIES LOGICAL APPLICATION FLOW

FIGURE 3: DEVICE PACKAGE ARCHITECTURE

[Figure: the device package zip file bundles the Device Model XML, Device Scripts, Supporting Text Files and an Image File. On "Upload Device Package", the APIC hands the Device Model XML and Image File to its Policy Manager, while the Device Scripts run under a Scriptwrapper Process in a Linux namespace dedicated to the device package, which drives the REST/CLI Interface to the devices.]
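Figure 3 shows that the APIC unpacks the device package and executes its scripts on the controller, so the zip is executable content and deserves the same checks as any other software artifact before it is uploaded. As an added example (not part of the brief, nor Fortinet's or Cisco's code), the Python below performs those checks: that the component types the figure lists are present, that the device model XML parses, that no member path escapes the directory the archive is extracted into, and a SHA-256 digest to compare against the vendor-published checksum. The file layout is an assumption (model = the .xml member, device scripts = .py members, image = .png/.jpg/.gif, anything else a supporting text file), and the sample archive is constructed in memory with placeholder contents rather than being a real FortiGate device package.

```python
"""Added example (not from the brief, nor Cisco or Fortinet code): pre-upload
checks on a device package zip, based on the component list in Figure 3.
Assumed layout: device model = .xml member, device scripts = .py members,
image = .png/.jpg/.gif, any other member = supporting text file. The sample
archive is constructed here with placeholder contents and is not a real
FortiGate device package."""
import hashlib
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def build_sample_package(extra_members=()):
    """Constructed sample zip; extra_members lets a caller add hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("FortiGatePkg/device_specification.xml",  # placeholder model
                   "<devicePackage><name>FortiGate</name></devicePackage>")
        z.writestr("FortiGatePkg/device_script.py", "# placeholder device script\n")
        z.writestr("FortiGatePkg/README.txt", "placeholder supporting text\n")
        z.writestr("FortiGatePkg/logo.png", b"\x89PNG\r\n\x1a\n")  # PNG signature only
        for name, data in extra_members:
            z.writestr(name, data)
    return buf.getvalue()


def unsafe_member(name):
    """Zip-slip check: an absolute path or a '..' component would place a file
    outside the directory the controller unpacks the package into."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ".." in parts


def inspect_package(data):
    """Classify members, parse the model XML, flag unsafe paths, hash the archive."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "model_xml": [],
              "scripts": [], "images": [], "text": [], "unsafe_paths": [],
              "xml_errors": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if unsafe_member(name):
                report["unsafe_paths"].append(name)
            ext = posixpath.splitext(name)[1].lower()
            if ext == ".xml":
                try:
                    ET.fromstring(z.read(name))
                    report["model_xml"].append(name)
                except ET.ParseError as exc:
                    report["xml_errors"].append(f"{name}: {exc}")
            elif ext == ".py":
                report["scripts"].append(name)
            elif ext in IMAGE_EXT:
                report["images"].append(name)
            else:
                report["text"].append(name)
    # A package is acceptable only with a parsable model, at least one script,
    # and nothing that would write outside the extraction directory.
    report["ok"] = (bool(report["model_xml"]) and bool(report["scripts"])
                    and not report["unsafe_paths"] and not report["xml_errors"])
    return report


if __name__ == "__main__":
    hostile = [("../../etc/cron.d/pkg", b"* * * * * root id\n")]  # constructed zip-slip entry
    for label, pkg in (("clean", build_sample_package()),
                       ("zip-slip", build_sample_package(hostile))):
        r = inspect_package(pkg)
        print(label, "OK" if r["ok"] else "REJECT", r["sha256"][:16], r["unsafe_paths"])
```

Compare the printed digest with the checksum published alongside the package before uploading; a package that fails the path check should be rejected outright, since the controller, not the administrator's workstation, is where it would be extracted.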