FortiGuard Labs Threat Research

Results from the Third Annual “ETSI NFV Plugtest + OPNFV SFC/NSH” Event

By Nicolas Thomas | September 14, 2018

The European Telecommunications Standards Institute (ETSI) is an independent, not-for-profit, standardization organization headquartered in Sophia-Antipolis, France. For three years now, ETSI has conducted an NFV (Network Functions Virtualization) Plugtest event that provides an opportunity for vendors and open source communities to meet, collaborate, and assess the level of interoperability of their implementations and solutions, especially in multi-vendor environments.

This report reviews our recent participation in the third event and draws on the official report from the ETSI Test team.

Fortinet has been an active participant in the ETSI NFV plugtests since the initial event. Our expectation as a VNF participant is to be exposed to a wide combination of NFVI and MANO solutions in order to ensure compatibility with our virtual Next-Generation Firewalls without specific requirements on our end customer’s environments.

At this year’s event, we confirmed that our development team has made critical progress since the first plug-test on the NFVi (NFV infrastructure) and MANO (Management and Orchestration) environments in terms of overall integration—which is exactly why we participate in these industry-wide tests.

I regularly receive requests for the “results” of these events, meaning some sort of scorecard. This is the result of a misunderstanding of the objectives of this event. Because it is an interoperability event, there is no real score given. However, here is a summary of the results:

  • FortiGate worked seamlessly with every combination of solutions tested.
  • Most MANO teams could do on-boarding themselves, especially recurring participants.
  • We could analyze traffic and participate in chains with peer VNFs. 
  • We also showcased our advanced autoscaling and automation during the demo tracks sessions with partners.

The Use of Standards

There has been a lot of open criticism of the standards lately, but those (like me) who are familiar with the specifications have seen that only minor feedback on the specification documents has actually been necessary. Here is a quick overview of what this year’s plugtest highlighted in terms of those standards:

  • The ecosystem was not fully aligned and interoperable on the first round.
  • Interoperability then improved by aligning to the specifications.

This is the value that having a standard provides. Most of the criticism, IMO, is the result of simply not understanding either the specifications themselves or the reasons for creating those standards.

Interoperability alone, of course, is not "enough" proof that you should move to production. It is, however, a guarantee that a change likely makes sense. What you also need is evidence that a solution can perform and scale to meet your evolving needs. This year, we were delighted to be able to jointly demo advanced automation and scaling as part of the organized voluntary demo track. Fortinet was pleased to be an early supporter of those demo tracks, and this year’s demos allowed us to showcase the advanced usage of the full NFV stack in a multi-partner integrated solution.

Automation and Standards

Both the demos and regular tests showed that defining and using metrics in an automated orchestration environment is not a straightforward task. The best metrics are application and scenario dependent. However, this part of the integration process falls into the realm of the OSS/BSS (operations support system/business support system) ecosystem, so it was not fully specified by ETSI NFV on purpose. Regardless, the results were impressive. Advancements in zero-touch automation and multi-domain approaches are especially important to acknowledge because they were the ones with the most head-scratching moments between engineers. It also serves to validate that all the parts of the environment that the standards aimed to address have been realized, which is good news for organizations looking to adopt or expand an NFV environment.

Conclusion

Fortinet is committed to our continuing participation in events such as these. They help us validate and test our solutions in real world environments, provide our developers with specific issues to address or improve on, and help guarantee to our customers that they can confidently integrate Fortinet solutions into their complex production environments.

Fortinet also participated with SUSE and the OPNFV community in the first commercial NSH/SFC chain plug-test. Fortinet engineering created and provided a specific firewall image for this test, so the feature is not commercially available. Our goal was to test in advance with the ecosystem before reaching production.

The following image describes the test:

For us, it was an occasion to experiment with and test the OPNFV XCI project, which aims to ease VNF testing and development on a budget.

Fortinet has actually had a similar approach for more than 1 year with the Fortistacks project, which allows anyone to test Fortinet products seamlessly in real conditions.