FortiNAC Deployment Prerequisite Task List


Date: July 17, 2020
Rev: M
FORTINET DOCUMENT LIBRARY: http://docs.fortinet.com
FORTINET VIDEO GUIDE: http://video.fortinet.com
FORTINET KNOWLEDGE BASE: http://kb.fortinet.com
FORTINET BLOG: http://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: http://support.fortinet.com and http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTINET COOKBOOK: http://cookbook.fortinet.com
NSE INSTITUTE: http://training.fortinet.com
FORTIGUARD CENTER: http://fortiguard.com
FORTICAST: http://forticast.fortinet.com
END USER LICENSE AGREEMENT: http://www.fortinet.com/doc/legal/EULA.pdf
Contents
Overview
  FNAC Part Numbers
  License Keys
  FortiNAC Appliance Deployment Configurations
  License Distribution in Multiple Appliance Deployments
Prerequisite Task List
Open Ports
Appliance Password Requirements
SSL Certificates
Determine FortiNAC Service Configuration (Network Type)
FortiNAC Service Network VLANs
Prerequisite Checklist (Printable Version)

Overview
FNAC Part Numbers

Virtual Appliance (VM) Part Numbers
Part Number   Description
FNC-M-VM      Control Manager
FNC-CA-VM     Control and Application Server (CA)

Physical Part Numbers
Part Number   Description
FNC-M-550C    Control Manager
FNC-CA-500C   Control and Application Server (CA)
FNC-CA-600C   Control and Application Server (CA)
FNC-CA-700C   Control and Application Server (CA)

License Keys
Once all products are registered, license key(s) will be generated during the initial configuration. FortiNAC appliances will not start without a valid key installed. The type of license key generated and applied to the appliance(s) depends upon the deployment configuration and the appliance's role within it. There are two different types of license keys:
• Endpoint License Key
  o Defines the type of license (Base, Plus or Pro) and endpoint quantity
  o Defines the type of appliance (Manager or CA)
  o Installed on the appliance that is associated with license support (the "managing" server)
• Appliance (Base) License Key
  o Defines the type of appliance (Manager or CA)
  o All hardware appliances are shipped with the appliance key installed
  o Appliance key(s) are installed on all VMs that do not have an endpoint license key applied

FortiNAC Appliance Deployment Configurations
Below is a general listing of components involved in product registration and configuration. The number of license keys, licenses and support contracts is determined by the type of deployment and the number of appliances.

A license "pool" is defined by license type (Base, Plus or Pro) and the quantity of endpoint licenses shared among multiple appliances. See License Distribution in Multiple Appliance Deployments below for details on how licenses are shared.

• Standalone
  o 1 CA, 1 support contract and 1 license
  o 1 endpoint license key
• Standalone in High Availability
  o 2 CAs, 2 support contracts (1 per CA) and 1 license pool
  o 1 endpoint license key and 1 appliance license key
• Multiple Independent Standalones
  o Multiple CAs, multiple support contracts and multiple licenses (1 per CA)
  o Multiple endpoint license keys (1 per CA)
• Multiple Independent Standalones in High Availability
  o Multiple CAs, multiple support contracts (1 per CA) and multiple license pools (1 per High Availability pair)
  o Per High Availability pair: 1 endpoint license key and 1 appliance license key
• Distributed
  o 1 Manager, multiple CAs, multiple support contracts (1 per CA and Manager) and 1 license pool
  o 1 endpoint license key (for Manager) and multiple appliance license keys (1 per CA)
• Distributed in High Availability
  o Multiple CAs, 1 Manager, multiple support contracts (1 per CA and Manager) and 1 license pool
  o 1 endpoint license key (for Manager) and multiple appliance license keys (1 per CA and secondary Manager)

License Distribution in Multiple Appliance Deployments
This section describes how a license pool's license type and endpoint quantity are shared among appliances in a multiple appliance deployment.

Standalone in High Availability
The Endpoint License Key is installed on the Primary Server. When the High Availability configuration is performed, the Primary Server updates the Secondary Server.

Diagram, as text:
Primary Server (Endpoint License Key: Base, Plus or Pro License; X Concurrent Endpoint Licenses) --> Secondary Server (Appliance (Base) License Key)

Multiple Independent Standalones in High Availability
Same as above for each High Availability pair.

Distributed
• The Endpoint License Key is installed on the Manager. CAs are updated by the Manager as they are added to the Server List in the Dashboard panel.
• The Manager removes license and endpoint quantity from CAs as they are removed from the Server List.

Diagram, as text:
Manager (Endpoint License Key: Base, Plus or Pro License; X Concurrent Endpoint Licenses)
  --> CA (Appliance (Base) License Key)
  --> CA (Appliance (Base) License Key)
  --> CA (Appliance (Base) License Key)

Distributed in High Availability
• The Endpoint License Key is installed on the Manager. CAs not in an HA pair and Primary Servers are updated as they are added to the Server List in the Dashboard panel.
• The Manager updates Secondary Servers once a failover is executed after the corresponding Primary Server has been added.
• The Manager removes license and endpoint quantity from CAs not in an HA pair and Primary Servers as they are removed from the Server List.

Diagram, as text:
Primary Manager (Endpoint License Key: Base, Plus or Pro License; X Concurrent Endpoint Licenses) <--> Secondary Manager (Appliance (Base) License Key)
  --> HA pair: Primary Server (Appliance (Base) License Key) / Secondary Server (Appliance (Base) License Key)
  --> HA pair: Primary Server (Appliance (Base) License Key) / Secondary Server (Appliance (Base) License Key)
  --> CA (Appliance (Base) License Key)

Prerequisite Task List
A printable version of this checklist appears at the end of this document under Prerequisite Checklist (Printable Version).

Step: Appliance Installation and Configuration (Resource: Network Team)
Appliance Network Addressing - Define the following for each FortiNAC appliance:
• Hostname (Important: avoid using "nac" as the hostname, because that name is used for internal name resolution)
  o Example of correct usage: IT-NAC-HQ
  o Example of incorrect usage: NAC
• IP address and Network Mask for Eth0 (Management Interface)
• Default Gateway
• Domain name
• DNS server(s)
• NTP server(s)

Step: Appliance Configuration (Resource: Security Team)
Open Ports - Certain ports are required to remain open for FortiNAC integrations. See Open Ports below for more detail.

Step: Appliance Configuration (Resource: Network/Server Team)
Appliance Passwords - Define passwords for the following access:
• root CLI
• admin CLI
• Configuration Wizard
See Appliance Password Requirements below for more detail.

Step: Appliance Configuration (Resource: Network Team)
Determine FortiNAC Service Network Configuration
• Layer 2: FortiNAC Service Network(s) trunk back to the eth1 interface
• Layer 3: FortiNAC Service Network(s) trunk back to the eth1 interface
• IP address and Network Mask for Eth1 (FortiNAC Service Interface)
• At least one DHCP scope for the FortiNAC Service Network
See Determine FortiNAC Service Configuration (Network Type) below for more detail.

Step: Operating System and Software Updates (Resource: Network Team)
External Network Access - Each appliance must have outbound internet access:
• FTP access to downloads.bradfordnetworks.com from each appliance or virtual machine (if not feasible, then HTTP or HTTPS)
• HTTP access to centos.org from each appliance or virtual machine
• Software Updates: FTP, PFTP, HTTP or HTTPS access to update.bradfordnetworks.com

Step: System Settings (Resource: Server Team)
DNS Records: Add host name entries for the FortiNAC appliances into the production DNS system(s).

Step: System Settings (Resource: Server Team)
SSL certificates
Have a resource available that can issue internally signed certificates and/or request publicly signed certificates.
• Admin UI
  o Corporate Internal Certificate Authority (recommended): Individual, SAN
  o 3rd Party Public Certificate Authority: Individual, SAN, Wildcard
• Local RADIUS Server (EAP)
  o Corporate Internal Certificate Authority (recommended): Individual, SAN
  o 3rd Party Public Certificate Authority: Individual, SAN, Wildcard
• Agent
  o Corporate Internal Certificate Authority (recommended): Individual, SAN
  o 3rd Party Public Certificate Authority: Individual, SAN, Wildcard
• Portal
  o 3rd Party Public Certificate Authority: Individual, SAN, Wildcard
• RADIUS Endpoint Trust (EAP-TLS)
  o Corporate Internal Certificate Authority (recommended): Individual, SAN
  o 3rd Party Public Certificate Authority: Individual, SAN, Wildcard
See SSL Certificates below for more detail.

Step: System Settings (Resource: Server Team)
Authentication Directory Account and Details
Provide the following for Directory Authentication integration:
• Identify IP, MAC Address and Hostname of Directory server(s)
• LDAP/Active Directory service account (account must have read access to all requested search branches)
• Provide specific User search branch(es)
• Provide specific Group search branch(es) (if needed)
• Identify any non-standard directory attributes used

Step: System Settings (Resource: Server Team)
Email Account and Details
Provide the following to enable FortiNAC to send email notifications:
• Email Server
• Email address for FortiNAC (may want to configure an alias for this address to better identify the sender as FortiNAC)
• Username and password if authentication is desired
• Port used on email server
• Encryption used on email server for email communication (if any)

Step: System Settings (Resource: Server Team)
Remote Backup Server
Provide an FTP or SSH remote server for FortiNAC database and system configuration backup.

Step: Network Visibility (Resource: Network Team)
SNMP Credentials
Create if one does not already exist: SNMP community name (v1/v2) or account (v3) for all network infrastructure devices:
• Devices FortiNAC will control: Read/write privileges
• L3 devices from which FortiNAC will obtain ARP information but not control: Read privileges

Step: Network Visibility (Resource: Network Team)
CLI Credentials
Create if one does not already exist: CLI access account (SSH or Telnet) for all network infrastructure devices:
• Devices FortiNAC will control: Read/write privileges (Cisco must be a level 15 local user account)
• L3 devices from which FortiNAC will obtain ARP information but not control: Read access (level 7)

Important: When configuring the hardware device itself, use only letters, numbers and hyphens (-) in names for items within the device configuration and in SNMP and CLI credentials. Other characters may prevent FortiNAC from reading the device configuration. For example, in many cases the # sign is interpreted by FortiNAC as a prompt. Cisco restricts the use of @ and #.

Step: Network Visibility (Resource: Network Team)
Network Device IPs
Be able to provide the IPs of all specific network devices (routers, switches, firewalls, Access Points or controllers) that will be controlled or queried by FortiNAC.

Step: Endpoint Classification (Resource: Server Team)
Required for distributing Persistent Agents: Line up the resource responsible for deployment of software packages (i.e. SCCM administrator, Microsoft GPO).

Step: Endpoint Classification (Resource: Network Team)
DHCP Fingerprints (Optional)
FortiNAC can listen to DHCP exchanges and collect enhanced information about endpoints (hostname and operating system). Configure IP Helper addresses on L3 switches or routers for all production VLANs that use DHCP. Use the IP address of the FortiNAC eth0 interface.

Note:
• Fingerprint collection is not required in order to achieve visibility, but does provide additional information.
• FortiNAC updates or creates a Host record when it hears a DHCP packet (discover, request or inform) that provides OS and/or hostname. It does not matter if the host is offline or online.
• Not all DHCP fingerprints provide hostname, and FortiNAC is not always able to determine the OS for all DHCP packets. The device's DHCP fingerprint may be unknown or too similar to other devices to name an OS.

Step: Enforcement (Resource: Network/Security Team)
SNMP Traps
The following must be done on all wired network devices FortiNAC will control:
• Trap Receivers: Configure trap receivers for the eth0 interface of the FortiNAC Server.
• All devices: Enable Cold start and Warm start traps.
• Enable one of the following traps to notify FortiNAC of endpoints connecting and disconnecting from the network:
  o MAC Notification traps (recommended) on supported devices. For a list of devices supported for MAC Notification traps, refer to the SNMP Trap Support chart in the Fortinet Document Library. For general configuration details, see Configuring Traps for MAC Notification in the Fortinet Document Library.
  o All other vendors: Enable Linkup/Linkdown traps.

Step: Enforcement (Resource: Network/Security Team)
Define and configure isolation service VLANs:
• Registration
• Remediation
• Dead End
or alternatively
• Isolation (combining all 3 states above)

Note: Layer 3 deployments require a VLAN per state per location that is separated by an L3 device.

Ensure routing, ACLs, or Firewall rules configurations are set to support the required policy enforcement / isolation networks; this includes routing from the policy networks and access control within the policy networks.

See FortiNAC Service Network VLANs below for more detail.

Step: Enforcement (Resource: Network Team)
Production Network Access (available with Plus and Pro licensing)
Identify network segmentation for
• Who
• What
• Where
• When

Examples:
• Employees with corporate assets connecting to the network at either Site 1 or Site 2 require internal network access. They are assigned VLAN 10 (CorpData).
• Visitors connecting to the network at either Site 1 or Site 2 are allowed internet access only. They are assigned VLAN 20 (Guest).

Step: Enforcement (Resource: Network Team)
Wireless Integrations
For instructions on managing wireless networks using FortiNAC, review the applicable integration guide under the Reference Manual section of the Fortinet Document Library.
• Review FortiNAC Integration Guides
• Create a test wireless environment identical to the production environment
• Determine the authentication method for FortiNAC integrations
  o MAC Authentication
  o 802.1X
    - Provide RADIUS Server IP
    - Configure FortiNAC's eth0 IP as a RADIUS Client on the RADIUS Server

Open Ports
The number of open (listening) TCP/UDP ports configured by default on the FortiNAC
appliance is based on current best practices. These ports are kept to a minimum to provide
maximum security by explicitly restricting unnecessary access from the outside. The best
practice is to keep the number of open ports to a minimum, and block all other ports. If there is
a need to provide users access to network resources through a static port (e.g., from outside a
firewall), the best option is to allow users to connect by VPN.

Related Documents
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Validate Open Ports
The current listening port configuration can be viewed by running an nmap scan of the appliance. Another useful command is "netstat", which lists all listening and connected ports on the current appliance (e.g. netstat -ln lists just the listening ports).

In the FortiNAC CLI logged in as root, use the "netstat" command to verify that a TCP/UDP port is open:
netstat -ln | grep <port number>

For example, use netstat -ln | grep 4568 to verify that the port used for Agent communications to FortiNAC is open:
tcp 0 0 0.0.0.0:4568 0.0.0.0:* LISTEN
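To turn that one-port check into a repeatable audit of the whole appliance, here is an added example (not from the Fortinet document) that parses captured netstat -ln output and compares it with the inbound listeners from the Open Port List below; the netstat sample is constructed, and the expected set is an assumption that a deployment should adjust to the features it actually uses.

```python
# Added example, not from the FortiNAC document: parse "netstat -ln" output
# captured on a FortiNAC appliance and compare it with the listening ports
# the Open Port List says the appliance exposes on eth0/eth1.
import re

# Assumed expected listeners, taken from the inbound rows of the Open Port
# List. Outbound-only rows (NTP, SNMP polling, SSH to network devices) are
# not sockets in LISTEN state and cannot be verified with netstat -ln.
EXPECTED_LISTENERS = {
    ("tcp", 22),    # SSH: Manager and HA replication
    ("tcp", 80),    # HTTP captive portal
    ("tcp", 443),   # HTTPS captive portal
    ("tcp", 1050),  # CORBA server communication
    ("tcp", 4568),  # Persistent Agent (SSL)
    ("tcp", 8080),  # HTTP alternative Admin UI
    ("tcp", 8443),  # HTTPS Admin UI
    ("udp", 53),    # DNS for isolation networks
    ("udp", 67),    # DHCP fingerprinting / isolation scopes
    ("udp", 162),   # SNMP traps
    ("udp", 1812),  # RADIUS authentication
    ("udp", 1813),  # RADIUS accounting
}

# Constructed sample of "netstat -ln" output. TCP 8443 and UDP 162 are
# deliberately absent so the audit below has something to report.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1050            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4568            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:1813            0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional state
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def parse_listeners(netstat_output):
    """Return {(proto, port)} for externally reachable listening sockets.

    TCP entries count only in LISTEN state; UDP sockets have no state.
    Sockets bound to loopback are skipped because they are not reachable
    from the network and so are not part of the exposure being audited.
    """
    listeners = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        if addr.startswith("127.") or addr == "::1":
            continue
        listeners.add((proto, int(port)))
    return listeners


def audit_ports(netstat_output, expected=EXPECTED_LISTENERS):
    """Compare observed listeners with the expected set.

    Returns (missing, unexpected): expected ports with no listener, and
    listeners that are not in the documented list and deserve review.
    """
    observed = parse_listeners(netstat_output)
    missing = sorted(expected - observed)
    unexpected = sorted(observed - expected)
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit_ports(SAMPLE_NETSTAT)
    for proto, port in missing:
        print(f"MISSING  {proto.upper()} {port}: expected listener not found")
    for proto, port in unexpected:
        print(f"REVIEW   {proto.upper()} {port}: listener not in the documented list")
```

On a real appliance, feed the script the saved output of netstat -ln rather than the constructed sample.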

Open Port List
The table below lists ports that should be open to end users, and ports that need to be open for FortiNAC communications.

Port | Protocol | Description | Direction
All ports outbound | All | Used by Device Profiler to classify devices. Uses NMAP as one of the profiling choices. Can also use SNMP to profile. | eth0: Outbound; eth1: Outbound
UDP 21 | FTP | Product Updates | eth0: Outbound to internet
TCP 21 | FTP | Product Updates | eth0: Outbound to internet
TCP 22 | SSH | High Availability: MySQL replication from Primary Server to Secondary Server | Primary Server eth0: Outbound to Secondary Server eth0
TCP 22 | SSH | Control Manager (M): Manage FortiNAC Servers | Bi-directional between Managed Servers eth0 and Manager eth0
TCP 22 | SFTP | Product Updates | eth0: Outbound to internet
TCP 23 | Telnet | Network Device Management | eth0: Outbound
UDP 53 | DNS | Name Service | eth0: Outbound; eth1: Inbound
TCP 53 | DNS | Name Service | eth0: Outbound; eth1: Inbound
UDP 67 | DHCP | eth0: DHCP Fingerprinting; eth1: Serving IP Addresses for Isolation Scopes | eth0: Inbound; eth1: Inbound
UDP 68 | DHCP | eth0: DHCP Fingerprinting; eth1: Serving IP Addresses for Isolation Scopes | eth0: Inbound; eth1: Outbound
TCP 80 | HTTP | Web Server (Portal) | eth0: Inbound; eth1: Inbound
UDP 123 | NTP | Time Service | eth0: Outbound
UDP 161 | SNMP | Network Device Management | eth0: Outbound (Bi-directional if FortiNAC is configured to respond to SNMP queries. See section SNMP of the Administration Guide.)
UDP 162 | SNMP Traps | Device Changes Notification (mostly Host Access Notification) | eth0: Inbound
TCP 443 | HTTPS | Product Updates | eth0: Outbound to internet
TCP 443 | HTTPS | Web Server (Portal) Secure HTTP | eth1: Inbound
UDP 514 | Syslog | Device Change Notification and RTR (inbound); Logging of events to external server (outbound) | eth0: Bi-directional
TCP 514 | OFTP | Communication with FortiAnalyzer (Available in FortiNAC version 8.5 and higher) | eth0: Outbound
TCP 1050 | CORBA | Server Communication (see the CORBA note below); High Availability | Bi-directional between Primary and Secondary Server eth0; Bi-directional between Managed Servers and Manager eth0
UDP 1812 | RADIUS | Host/User Authentication | eth0: Bi-directional
UDP 1813 | RADIUS Accounting | Host/User Authentication Changes and RTR | eth0: Inbound
UDP 3799 | RADIUS COA | Host/User Authentication Action (Moving/Removing) | eth0: Outbound
UDP 4567 | Agent Server | Persistent Agent Communication (No longer used by agent 5.x and above with NAC 8.2 and above: TCP 4568 only) | eth0: Bi-directional; eth1: Bi-directional
TCP 4568 | Agent Server | Used to establish the Persistent Agent Communication (SSL) connection (Used by agent 3.x and above) | eth0: Bi-directional; eth1: Bi-directional
TCP 5555 | Fortinet Server | Internally used by FortiNAC High Availability | Bi-directional between Primary and Secondary Server eth0; Bi-directional between Managed Servers and Manager eth0
TCP 5986 (user modifiable) | WinRM | WMI profiling method (Available in FortiNAC version 8.5 and higher) | eth0 and eth1: Outbound
TCP 8000 | Private Protocol | Fortinet Security Fabric (FSSO) communications (Available in FortiNAC version 8.5 and higher) | eth0: Inbound
TCP 8443 | HTTPS | Web Server Secure HTTP (Admin UI) | eth0: Inbound
TCP 8080 | HTTP Alternative | Web Server (Admin UI) | eth0: Inbound
TCP 8180 | Analytics Server | Used to update/download the agent. | eth0: Inbound
TCP 8543 | Analytics Server | Used to transfer data to the Analytics Server and for queries from the web browser. | eth0: Bi-directional

Note: FortiNAC uses port 1050 for CORBA (Common Object Request Broker Architecture) Management for accessing server objects and for interprocess communication between FortiNAC subsystems and servers. When a requestor connects to this port, the appliance dynamically reassigns it to a port in the 30000-64000 range.

Appliance Password Requirements

Define passwords to be used to access the appliance(s):
• admin: CLI/SSH password the customer uses to log into the appliance.
• root: CLI/SSH password Support uses to log into the appliance.
• Configuration Wizard: Password used to log into the Configuration Wizard.
• Administration UI: User Name and password used to log into the Administration UI with full access.

Password Requirements
• Must be at least 8 characters and no more than 64 characters.
• Must contain a lowercase letter, an uppercase letter, a number, and one of the required symbols listed below.

Required Symbols (at least one):
! exclamation point, @ at, _ underscore, # pound, $ dollar, ~ tilde, % percent, ^ caret, - hyphen, * asterisk, ? question mark, ] close square bracket, + plus, ' single quote, , comma, = equal, < less than, . period, | pipe, > greater than, / forward slash, \ back slash

Prohibited Symbols:
( open parenthesis, space, { open curly bracket, ) close parenthesis, ; semicolon, } close curly bracket, ` back quote, : colon, [ open square bracket, & ampersand, " double quote
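The rules above are easy to get wrong by hand when several teams hand over passwords, so here is an added example (not from the Fortinet document) that checks a candidate password against exactly the documented length, character-class and symbol rules and reports every violation at once. The function name is an assumption made for illustration.

```python
# Added example, not from the FortiNAC document: validate a candidate
# appliance password against the requirements listed above.

# Symbol lists copied from the Required / Prohibited Symbols table.
REQUIRED_SYMBOLS = set("!@_#$~%^-*?]+',=<.|>/\\")
PROHIBITED_SYMBOLS = set("( {);}`:[&\"")


def check_password(password):
    """Return a list of rule violations; an empty list means the password passes.

    Only the rules stated in the document are enforced. Characters that are
    in neither symbol list (for example accented letters) are not judged
    here because the document does not say how the appliance treats them.
    """
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("length must be 8 to 64 characters")
    if not any(c.islower() for c in password):
        problems.append("missing lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("missing uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if not any(c in REQUIRED_SYMBOLS for c in password):
        problems.append("missing one of the required symbols")
    bad = sorted({c for c in password if c in PROHIBITED_SYMBOLS})
    if bad:
        problems.append("contains prohibited symbol(s): " + " ".join(repr(c) for c in bad))
    return problems


if __name__ == "__main__":
    # Constructed candidates: one acceptable, one with a prohibited character.
    for candidate in ("Fnac-Deploy2020", "Nac(Admin)2020!"):
        result = check_password(candidate)
        print(repr(candidate), "OK" if not result else "; ".join(result))
```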

SSL Certificates
Required for securing FortiNAC communications for the components listed below. For additional details regarding the certificate installation process, refer to the SSL Certificates How To in the Fortinet Document Library.

• Admin UI: Secures the Administration User Interface.
• Local RADIUS Server (EAP): Available for FortiNAC versions 8.8 and higher. For use when FortiNAC is acting as the 802.1x EAP termination point. For details about this feature see section Local RADIUS Server of the Administration Guide in the Fortinet Document Library.
• Persistent Agent: Secures the communications between FortiNAC and the Persistent Agent.
• Portal: Secures the captive portal and communications between FortiNAC and the Dissolvable Agent.
• RADIUS Endpoint Trust: Endpoint Trust Certificate used by FortiNAC to validate the client-side certificate when Local RADIUS Server is configured and EAP-TLS is used for authentication. For details about this feature see section Local RADIUS Server of the Administration Guide in the Fortinet Document Library.

Determine FortiNAC Service Configuration (Network Type)
The FortiNAC Service Interface (Eth1) can be configured for either a Layer 2 or Layer 3 implementation. This configuration is referred to as Network Type in the Configuration Wizard. See below for descriptions and logical diagrams for each implementation type. The most common Network Type used by customers is Layer 3.

Layer 3 Implementation
• The FortiNAC Service Interface is a standard interface
  o The interface exists on a single network
  o The interface is not within the same broadcast domain as a host assigned to an isolation network
  o The interface uses multiple IP addresses within the same subnet
  o DHCP relays must be configured on each isolation network pointing back to the isolation interface
  o The individual IP address is used by DNS

Logical diagram (Layer 3), as text:

VLAN 100 Isolation: Service IP 10.10.100.1/28 (gateway for the service subnet)
FortiNAC Service Interfaces (Eth1), GW 10.10.100.1:
• eth1 IP 10.10.100.2/28: Registration DHCP (S1 Scope 10.10.30.100-10.10.30.200, S2 Scope 10.20.30.100-10.20.30.200), Registration DNS, Registration Captive Portal
• eth1:1 IP 10.10.100.3/28: Remediation DHCP (S1 Scope 10.10.40.100-10.10.40.200, S2 Scope 10.20.40.100-10.20.40.200), Remediation DNS, Remediation Captive Portal
• eth1:2 IP 10.10.100.4/28: Dead End DHCP (S1 Scope 10.10.50.100-10.10.50.200, S2 Scope 10.20.50.100-10.20.50.200), DeadEnd DNS, DeadEnd Captive Portal

L3 Site 1 (connected to Site 2 over the WAN):
• RegistrationS1 VLAN 30, IP 10.10.30.1/24, IP helper 10.10.100.2
• RemediationS1 VLAN 40, IP 10.10.40.1/24, IP helper 10.10.100.2
• DeadEndS1 VLAN 50, IP 10.10.50.1/24, IP helper 10.10.100.2

L3 Site 2:
• RegistrationS2 VLAN 30, IP 10.20.30.1/24, IP helper 10.10.100.2
• RemediationS2 VLAN 40, IP 10.20.40.1/24, IP helper 10.10.100.2
• DeadEndS2 VLAN 50, IP 10.20.50.1/24, IP helper 10.10.100.2

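The Layer 3 rules above can be checked mechanically before any switch is configured. The following is an added example (not from the Fortinet document) that encodes the diagram's addresses and the Layer 3 requirements as a design validation; the function and variable names are assumptions made for illustration, and the diagram data is used as the passing case.

```python
# Added example, not from the FortiNAC document: sanity-check a Layer 3
# FortiNAC service network design such as the one diagrammed above.
# The addresses are taken from the diagram; the checks encode the Layer 3
# rules stated in the text: all service interface addresses share one
# subnet, isolation VLANs are separate broadcast domains, every isolation
# VLAN relays DHCP to eth1, and each DHCP scope lies inside its VLAN subnet.
import ipaddress

# FortiNAC service interface eth1 and its aliases (all in VLAN 100)
SERVICE_INTERFACES = {
    "eth1":   ipaddress.ip_interface("10.10.100.2/28"),
    "eth1:1": ipaddress.ip_interface("10.10.100.3/28"),
    "eth1:2": ipaddress.ip_interface("10.10.100.4/28"),
}
SERVICE_GATEWAY = ipaddress.ip_address("10.10.100.1")

# Isolation VLANs at each L3 site: (name, SVI address, ip helper, DHCP scope)
ISOLATION_VLANS = [
    ("RegistrationS1", "10.10.30.1/24", "10.10.100.2", ("10.10.30.100", "10.10.30.200")),
    ("RemediationS1",  "10.10.40.1/24", "10.10.100.2", ("10.10.40.100", "10.10.40.200")),
    ("DeadEndS1",      "10.10.50.1/24", "10.10.100.2", ("10.10.50.100", "10.10.50.200")),
    ("RegistrationS2", "10.20.30.1/24", "10.10.100.2", ("10.20.30.100", "10.20.30.200")),
    ("RemediationS2",  "10.20.40.1/24", "10.10.100.2", ("10.20.40.100", "10.20.40.200")),
    ("DeadEndS2",      "10.20.50.1/24", "10.10.100.2", ("10.20.50.100", "10.20.50.200")),
]


def validate_layer3_design(service_ifaces, gateway, isolation_vlans):
    """Return a list of design problems; an empty list means the design passes."""
    problems = []
    service_net = next(iter(service_ifaces.values())).network

    # Rule: eth1 and its aliases use multiple addresses within the same subnet.
    for name, iface in service_ifaces.items():
        if iface.network != service_net:
            problems.append(f"{name} {iface} is not in service subnet {service_net}")
    if gateway not in service_net:
        problems.append(f"gateway {gateway} is not in service subnet {service_net}")
    if gateway in {i.ip for i in service_ifaces.values()}:
        problems.append(f"gateway {gateway} collides with a service interface address")

    primary_ip = service_ifaces["eth1"].ip
    seen_subnets = set()
    for name, svi, helper, (scope_lo, scope_hi) in isolation_vlans:
        svi = ipaddress.ip_interface(svi)
        # Rule: an isolation VLAN must not share the service interface's broadcast domain.
        if svi.network.overlaps(service_net):
            problems.append(f"{name} subnet {svi.network} overlaps service subnet {service_net}")
        # Each state per location needs its own VLAN/subnet behind an L3 device.
        if svi.network in seen_subnets:
            problems.append(f"{name} reuses subnet {svi.network}")
        seen_subnets.add(svi.network)
        # Rule: each isolation network needs a DHCP relay pointing back at eth1.
        if ipaddress.ip_address(helper) != primary_ip:
            problems.append(f"{name} ip helper {helper} does not point at eth1 {primary_ip}")
        # The scope served for this VLAN must fall inside the VLAN's own subnet
        # and must not hand out the SVI (gateway) address.
        lo, hi = ipaddress.ip_address(scope_lo), ipaddress.ip_address(scope_hi)
        if lo > hi or lo not in svi.network or hi not in svi.network:
            problems.append(f"{name} DHCP scope {scope_lo}-{scope_hi} is outside {svi.network}")
        elif lo <= svi.ip <= hi:
            problems.append(f"{name} DHCP scope includes the SVI address {svi.ip}")
    return problems


if __name__ == "__main__":
    issues = validate_layer3_design(SERVICE_INTERFACES, SERVICE_GATEWAY, ISOLATION_VLANS)
    for line in issues or ["Layer 3 design OK"]:
        print(line)
```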
Layer 2 Implementation
• The FortiNAC Service Interface
  o 802.1q trunk
  o The interface accepts traffic tagged from any of the isolation VLANs
  o Same broadcast domain as hosts
  o IP address for each isolation subnet

Logical diagram (Layer 2), as text:

Building 1 and Building 2 (the Registration, Remediation and DeadEnd VLANs are tagged across the network to Eth1):
• Registration VLAN 30, IP Subnet 10.10.30.x
• Remediation VLAN 40, IP Subnet 10.10.40.x
• DeadEnd VLAN 50, IP Subnet 10.10.50.x

Data Center, FortiNAC Service Interfaces (Eth1):
• eth1 IP 10.10.30.2/24, VLAN 30 (Registration): Registration DHCP (Scope 10.10.30.100-10.10.30.200), Registration DNS, Registration Captive Portal
• eth1:1 IP 10.10.40.3/24, VLAN 40 (Remediation): Remediation DHCP (Scope 10.10.40.100-10.10.40.200), Remediation DNS, Remediation Captive Portal
• eth1:2 IP 10.10.50.4/24, VLAN 50 (DeadEnd): DeadEnd DHCP (Scope 10.10.50.100-10.10.50.200), DeadEnd DNS, DeadEnd Captive Portal

FortiNAC Service Network VLANs
In the switches to be controlled by FortiNAC, configure the appropriate Service Network VLANs.
• Registration (Containment for Rogue hosts)
• Remediation (Quarantine: Containment for "At-Risk" hosts)
• Dead End (Containment for disabled hosts)
or alternatively
• Isolation (combining all 3 states above)

Layer 3 deployments require a VLAN per state per location that is separated by an L3 device.

See the following logical network diagram examples.

Multiple FortiNAC Service Network Configuration
Individual VLANs per Isolation State

Logical diagram, as text:

Eth0 - Server Mgmt Interface: IP 10.10.50.2/24, GW 10.10.50.1 (Admin UI, Receives Traps, L2/L3 Communication, Agent Communication, DHCP Fingerprints)

L3 Site 1:
• VLAN 10 CorpDataS1, IP 10.10.10.1/24, IP helper <Prod DHCP>
• VLAN 20 GuestS1, IP 10.10.20.1/24, IP helper <Prod DHCP>
• VLAN 30 RegistrationS1, IP 10.10.30.1/24, IP helper 10.10.100.2
• VLAN 40 RemediationS1, IP 10.10.40.1/24, IP helper 10.10.100.2
• VLAN 50 DeadEndS1, IP 10.10.50.1/24, IP helper 10.10.100.2
• VLAN 50 Server Mgmt, IP 10.10.50.1/24, IP helper <Prod DHCP>
• VLAN 100 Isolation Service, IP 10.10.100.1/28

Eth1 - FortiNAC Service Interfaces: eth1 10.10.100.2/28, eth1:1 10.10.100.3, eth1:2 10.10.100.4, GW 10.10.100.1 (Registration DHCP and DNS, Remediation DHCP and DNS, Dead End DHCP and DNS, Captive Portal)

L3 Site 2 (over the WAN):
• VLAN 10 CorpDataS2, IP 10.20.10.1/24, IP helper <Prod DHCP>
• VLAN 20 GuestS2, IP 10.20.20.1, IP helper <Prod DHCP>
• VLAN 30 RegistrationS2, IP 10.20.30.1/24, IP helper 10.10.100.2
• VLAN 40 RemediationS2, IP 10.20.40.1/24, IP helper 10.10.100.2
• VLAN 50 DeadEndS2, IP 10.20.50.1/24, IP helper 10.10.100.2

Single FortiNAC Service Network Configuration
Shared VLAN for all Isolation States

Logical diagram, as text:

Eth0 - Server Mgmt Interface: IP 10.10.50.2/24, GW 10.10.50.1 (Admin UI, Receives Traps, L2/L3 Communication, Agent Communication, DHCP Fingerprints)

L3 Site 1:
• VLAN 10 CorpDataS1, IP 10.10.10.1/24, IP helper <Prod DHCP>
• VLAN 20 GuestS1, IP 10.10.20.1/24, IP helper <Prod DHCP>
• VLAN 30 IsolationS1, IP 10.10.30.1/24, IP helper 10.10.100.2
• VLAN 50 Server Mgmt, IP 10.10.50.1/24, IP helper <Prod DHCP>
• VLAN 100 Isolation Service, IP 10.10.100.1/28

Eth1 - FortiNAC Service Interfaces: eth1 10.10.100.2/28, eth1:1 10.10.100.3, eth1:2 10.10.100.4, GW 10.10.100.1 (Registration DHCP and DNS, Remediation DHCP and DNS, Dead End DHCP and DNS, Captive Portal)

L3 Site 2 (over the WAN):
• VLAN 10 CorpDataS2, IP 10.20.10.1/24, IP helper <Prod DHCP>
• VLAN 20 GuestS2, IP 10.20.20.1, IP helper <Prod DHCP>
• VLAN 30 IsolationS2, IP 10.20.30.1/24, IP helper 10.10.100.2

Prerequisite Checklist (Printable Version)

Step | Pre-requisite | Resource
Appliance Installation and Configuration | FNAC Hostname | Network Team
Appliance Installation and Configuration | IP address and Network Mask for FNAC Eth0 (Management Interface) | Network Team
Appliance Installation and Configuration | FNAC Default Gateway | Network Team
Appliance Installation and Configuration | Domain name | Network Team
Appliance Installation and Configuration | DNS server(s) | Network Team
Appliance Installation and Configuration | NTP server(s) | Network Team
Appliance Configuration | Apply firewall policies ensuring ports are open for FortiNAC integrations. | Security Team
Appliance Configuration | FNAC root CLI password | Network/Server Team
Appliance Configuration | FNAC admin CLI password | Network/Server Team
Appliance Configuration | FNAC Configuration Wizard | Network/Server Team
Appliance Configuration | Determine FortiNAC Service Network Configuration (L2 or L3 Network Type) | Network Team
Appliance Configuration | IP address and Network Mask for FNAC Eth1 (FortiNAC Service Interface) | Network Team
Appliance Configuration | At least one DHCP scope for FortiNAC Service Network. | Network Team

Operating System and Software Updates | External network access (FTP, HTTP or HTTPS) from each appliance to downloads.bradfordnetworks.com | Network Team
Operating System and Software Updates | External network access (HTTP) from each appliance to centos.org | Network Team
Operating System and Software Updates | External network access (FTP, PFTP, HTTP or HTTPS) from each appliance to update.bradfordnetworks.com | Network Team

System Settings | Add host name entries for the FortiNAC appliances into the production DNS system(s). | Server Team
System Settings | Have a resource available that can issue internally signed certificates and/or request publicly signed certificates. | Server Team
System Settings | LDAP/Active Directory Server(s) IP Address | Server Team
System Settings | LDAP/Active Directory Server(s) MAC Address | Server Team
System Settings | LDAP/Active Directory Server(s) Hostname | Server Team
System Settings | LDAP/Active Directory service account (account must have read access to all requested search branches) | Server Team
System Settings | LDAP/Active Directory User search branch(es) | Server Team
System Settings | LDAP/Active Directory Group search branch(es) (if needed) | Server Team
System Settings | Non-standard LDAP/Active Directory attributes used | Server Team
System Settings | Email Server (example: smtp.googlemail.com) | Server Team
System Settings | Email address for FortiNAC (may want to configure an alias for this address to better identify the sender as FortiNAC) | Server Team
System Settings | FNAC email account User Name (if authentication is desired). | Server Team
System Settings | FNAC email account Password (if authentication is desired). | Server Team
System Settings | Port used on email server. | Server Team
System Settings | Encryption used on email server for email communication (if any). | Server Team
System Settings | Remote Backup Server (Physical only): Provide an FTP or SSH remote server for FortiNAC database and system configuration backup. | Server Team

Network Visibility | SNMP community name (v1/v2) or account (v3) for all network infrastructure devices | Network Team
Network Visibility | CLI access account (SSH or Telnet) for all network infrastructure devices. | Network Team
Network Visibility | IPs of all specific network devices (routers, switches, firewalls, Access Points or controllers) that will be controlled or queried by FortiNAC. | Network Team

Endpoint Classification | Required for distributing Persistent Agents: Line up the resource responsible for deployment of software packages (i.e. SCCM administrator, Microsoft GPO). | Server Team
Endpoint Classification | DHCP Fingerprints: Configure IP Helper addresses on L3 switches or routers for all production VLANs that use DHCP. Use the FortiNAC eth0 IP Address. | Network Team

Enforcement | On all wired network devices FortiNAC will control, configure trap receivers for the FortiNAC eth0 IP Address | Network/Security Team
Enforcement | On all wired network devices FortiNAC will control, enable Cold start and Warm start traps. | Network/Security Team
Enforcement | On all wired network devices FortiNAC will control, enable either MAC Notification or Link State traps. | Network/Security Team
Enforcement | Define and configure isolation service VLANs | Network/Security Team
Enforcement | Ensure routing, ACLs, or Firewall rules configurations are set to support the required policy enforcement / isolation networks; this includes routing from the policy networks and access control within the policy networks. | Network/Security Team
Enforcement | Identify network segmentation for Who, What, Where and When | Network Team
Enforcement | (Wireless integrations) Review applicable FortiNAC Integration Guides | Network Team
Enforcement | (Wireless integrations) Create a test wireless environment identical to the production environment | Network Team
Enforcement | (Wireless integrations) Determine the authentication method for FortiNAC integrations (MAC Auth or 802.1x) | Network Team
Enforcement | (802.1X Wireless integrations) RADIUS Server IP Address | Network Team
Enforcement | (802.1X Wireless integrations) Configure FortiNAC's eth0 IP as a RADIUS Client on the RADIUS Server | Network Team
