FortiNAC FortiGate VPN Integration
FortiGate VPN
Integration
Version: 8.7, 8.8
Date: December 16, 2021
Rev: S
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET BLOG
http://blog.fortinet.com
FORTINET COOKBOOK
http://cookbook.fortinet.com
NSE INSTITUTE
http://training.fortinet.com
FORTIGUARD CENTER
http://fortiguard.com
FORTICAST
http://forticast.fortinet.com
Contents
Overview ............................................................................................................................................... 5
About this Document ......................................................................................................................... 5
What it Does ...................................................................................................................................... 5
How it Works ..................................................................................................................................... 6
Requirements .................................................................................................................................... 9
Considerations ................................................................................................................................. 10
Integration .......................................................................................................................................... 11
Configure FortiGate ........................................................................................................................ 11
System Administrator Account ................................................................................................... 11
REST API Administrator Account (Optional) ............................................................................. 11
REST API ..................................................................................................................................... 11
Address Objects............................................................................................................................ 12
RADIUS Server ............................................................................................................................ 14
Syslog Settings ............................................................................................................................. 15
SSL VPN ...................................................................................................................................... 17
IPSec VPN .................................................................................................................................... 20
Configure FortiNAC ........................................................................................................................ 22
Isolation Interfaces ...................................................................................................................... 22
Policy Based Routes ..................................................................................................................... 25
System Defined Uplink Count ..................................................................................................... 26
Authentication Server Settings ................................................................................................... 26
Add Device Model ........................................................................................................................ 26
FortiGate Device Model Configuration ....................................................................................... 28
Logical Networks ......................................................................................................................... 29
Security Fabric Communication .................................................................................................. 29
Captive Portal .............................................................................................................................. 30
Persistent Agent Configuration ................................................................................................... 31
Disable Captive Network Assistant ............................................................................................ 32
Default Endpoint Compliance Policy (Optional) ......................................................................... 33
Network Access Policies............................................................................................................... 36
Finalize Configuration .................................................................................................................... 37
Establish Security Fabric Connection with FortiGate................................................................ 37
Create User Group in FortiGate (Required for FortiOS versions prior to 6.2) .......................... 39
Create FortiGate Firewall Policies .............................................................................................. 40
Enable VPN Management for Existing FortiGate Models ......................................................... 43
Validate ............................................................................................................................................... 44
Troubleshooting .................................................................................................................................. 45
Related KB Articles ......................................................................................................................... 45
Debugging ........................................................................................................................................ 46
Appendix ............................................................................................................................................. 47
VPN Connection Process Details .................................................................................................... 47
SSL VPN Settings (UI) .................................................................................................................... 48
DNS File Entry Descriptions .......................................................................................................... 50
Policy Based Routing ....................................................................................................................... 52
Disable Persistent Agent Notifications ........................................................................................... 55
FSSO Groups on the SSL Interface (6.0.x Only) ............................................................................ 55
ARP Data Collection Prioritization ................................................................................................. 57
Disable Windows Browser Popups .................................................................................................. 57
Overview
About this Document
The information in this document provides guidance for configuring the Fortinet FortiGate to
support the management of VPN sessions by FortiNAC (FortiNAC). This document details the
items that must be configured.
The intent of this document is to build new VPN configurations in order to allow any existing
connections to continue working. Once the FortiNAC managed VPN has been tested, clients can be
moved to the new tunnel.
What it Does
FortiNAC controls access for the remote user's device connecting over the VPN. In order for the
device to gain access to the network, FortiNAC must know about the connecting device and
verify that the device is in good standing.
[Figure: integration overview. Components: Internet, FortiGate VPN tunnel, FortiNAC, RADIUS server, LDAP server. Communication between them: Syslog, FSSO, API, RADIUS, Authentication.]
4. FSSO tags are sent to the FortiGate so the correct policy is matched and the device is
unrestricted.
How it Works
FortiNAC controls network access by leveraging Fortinet Single Sign-On (FSSO) on the FortiGate.
Network access is restricted for VPN users by default when they connect. Access is only modified if
the user successfully authenticates through FortiNAC, runs an appropriate FortiNAC agent and
passes any required compliance checks. Once the user and host are identified and verified to be in
compliance with the organization's prescribed policies, network access restrictions can be lifted. FortiNAC
sends group and/or tag information to the FortiGate to adjust the user's network access according to the
rules established in both FortiNAC and the FortiGate by the administrator.
[Figure: information collected and communication channels.]
Information collected:
User ID (collected via RADIUS, syslog and API from the FortiGate)
Remote IP address for the remote user connection (collected via syslog and API from the FortiGate and from the FortiNAC agent)
Communication channels: RADIUS, Syslog, Agent communication, API communication, FSSO
The following occurs when a device connects to a FortiGate VPN managed by FortiNAC:
1. The remote user authenticates using either IPSec or SSL VPN client processes.
3. If authentication is successful, the FortiGate establishes a session and sends a syslog message
to FortiNAC containing user, IP, and other session information.
4. FortiGate firewall rules exist to restrict all network access from the VPN interface and the
remote IP address range configured for VPN connections. The rules only allow access to the
FortiNAC isolation interface. DNS rules exist on the FortiNAC to resolve all queries to its
isolation interface.
5. Devices without a FortiNAC agent: while restricted, all user HTTP requests are redirected
to a VPN captive portal on FortiNAC. The portal page indicates that the user is currently
restricted and, based upon administrator policy, can allow users to download and run a
FortiNAC agent.
Note: Until a FortiNAC agent executes, all VPN sessions that satisfy the FortiGate firewall
rules created for containment remain isolated. Devices that sense captive networks may
trigger browsers while restricted.
6. Once a FortiNAC agent executes and successfully communicates with the FortiGate,
FortiNAC correlates information from the agent with data from the FortiGate to determine
the host and adapter being used for the connection. It then updates the connection status of
the host/adapter and triggers policy lookup and FSSO updates.
7. If the host/adapter is compliant with all necessary policies, FortiNAC tag/group information is
sent to the FortiGate using FSSO which affects which FortiGate firewall rules control the
session.
9. The host connection is terminated in FortiNAC which triggers FSSO to update the FortiGate
to remove any tag/group information.
[Figure: Scan = Passed; Unrestricted (Production); Private Network.]
Requirements
FortiNAC
Supported Engine Version: 8.7.2 or greater
Recommended Engine Version: 8.8.8, 9.1.2 or greater
Remote device must have either the FortiNAC Dissolvable or Persistent Agent
o Supported FortiNAC Agent Version: 5.2.3 or greater
o Recommended FortiNAC Agent Version: 5.2.6
o Agent Supported Operating Systems:
Windows (not Windows CE)
MAC OS
Linux
Android
Note: FortiNAC doesn't have an app or agent for iOS. Therefore, iOS mobile devices
cannot connect through VPN.
o Dissolvable Agent can be downloaded as part of the VPN connection process from the
Captive Portal
o Persistent Agent can also be downloaded from the Captive Portal or pre-installed
o Operating systems that cannot run a FortiNAC agent will always remain isolated
when connecting to a VPN that is managed by FortiNAC
o Remote device firewall settings must allow TCP 4568 (bi-directional) for agent
communication with FortiNAC
FortiGate
Supported Firmware Version: 6.0.5 or greater
Recommended Firmware Version:
o 6.2: 6.2.8 or greater
o 7.0: (if using post-login banner) Requires FortiNAC 8.8.8, 9.1.2 or greater.
SNMP community or account
Administrator account
o Visibility only: System read access to all VDOMs
o Control: System read/write access to all VDOMs
VPN tunnel cannot be configured to use DHCP relay
Considerations
NOTE: When SSL VPN Settings are applied via the FortiGate UI, all existing SSL VPN
connections are disconnected. Applying settings should be done during a Maintenance
Window.
Automated Captive Portal Detection: Devices that sense captive networks may
trigger browsers during initial connection. To avoid this, automated captive portal
detection must be disabled for VPN connections in FortiNAC. Instructions provided in
section Disable Captive Network Assistant.
Split Tunnels: Whether or not split tunnel (certain traffic doesn't go over tunnel) or full
tunnel (all traffic goes over tunnel) is configured is dependent upon the customer
requirements.
o If the Dissolvable Agent (DA) will be used, it is recommended to disable split-tunneling
for the VPN configured on the FortiGate. This ensures the user's browser is
automatically redirected to the URL where they can download the run-once agent.
o FortiNAC validates the end station after the tunnel is established. In order to do that,
initial access is restricted. Once the end station is confirmed, the restriction is lifted. In full
tunnel implementations, applications that were running before the connection will be
interrupted.
Windows machines: Recommended to disable browser popups on managed machines.
See Disable Windows Browser Popups in the Appendix.
FortiGate can only support one FSSO agent sending tags for a specific endpoint
IP address. If there are multiple agents, the FortiGate entries will be overwritten when
other FSSO agents send information for the same endpoint IP. Therefore, the following
should be done prior to integration:
o Identify any other FSSO agents that provide logon information for the same
endpoints FortiNAC would be managing through the FortiGate. For additional
information, see section Agent-based FSSO in the FortiOS 6.0.0 Handbook (Tip:
Open in New Tab):
https://docs2.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso
o For those agents, logon events must be blocked. See related KB article Excluding
IP addresses from FSSO logon events (Tip: Open in New Tab):
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Excluding-IP-addresses-from-FSSO-logon-events/ta-p/196270
Integration
Configure FortiGate
System Administrator Account
A System Administrator account is used for SSH and REST API access on the FortiGate.
To create or view user accounts, navigate to System > Administrators.
[Administrator account fields shown in the UI: Username, Comments.]
REST API
REST API is required for communication with FortiNAC and must be configured. Verify the
appropriate port is configured:
1. In the FortiGate UI, navigate to System > Settings.
2. Under Administration Settings, modify the HTTPS port as necessary (another service
may already use 443).
3. Click Apply to save any modifications.
Address Objects
Via the UI or CLI, configure Address objects for the VPN IP addresses. Note: These addresses
will be configured in FortiNAC Configuration Wizard and VPN Network Access Policies in later
steps.
UI:
Examples:
VPN DHCP range (SSL): 10.200.80.10-10.200.80.99
VPN DHCP range (IPSec): 10.200.80.100-10.200.80.200
Interface: Any
Show in address list: enabled
SSL UI Example
SSL CLI Example
config firewall address
edit "FNAC_SSL_VPN_ADDR" << Address Object name
set uuid 67dd7c4c-3143-51ea-6b02-828a306a7e68
set type iprange << Type
set color 7
set start-ip 10.200.80.10 << Start of range
set end-ip 10.200.80.99 << End of range
next
end
IPSec UI Example
RADIUS Server
Configure FortiGate to point RADIUS to FortiNAC when VPN clients connect.
Multiple VDOM/Split-Task VDOM: RADIUS settings must be configured for each VDOM sending
RADIUS requests to FortiNAC.
UI:
1. Create a RADIUS server entry for FortiNAC. Navigate to User & Device > RADIUS
Servers
2. Select Create New
3. Configure based on the entries in the table below. Click OK to save
4. Create a User Group containing the FortiNAC RADIUS server entry. Navigate to User &
Device > User Groups
5. Select Create New
6. Configure based on the entries in the table below:
CLI Example
Syslog Settings
In the FortiGate CLI configure FortiNAC as a syslog server:
Enable send logs to syslog
Add the primary (Eth0) IP address of the FortiNAC control server.
Important: The source-ip setting must match the IP address used to model the FortiGate in
Topology.
Enable Event Logging and make sure that VPN activity event is selected.
Log messages with ids of 0101039947 and 0101039948 (SSL), or 0101037129 and
0101037134 (IPSec) must be sent to FortiNAC.
Note: Care should be taken to avoid having the FortiGate send too many unnecessary log
messages to FortiNAC. This can cause delays in message processing or even loss of messages.
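The log IDs above are the only ones FortiNAC needs for session tracking, and the note warns that everything else just loads its queue. The following Python script is an added example, not code from the Fortinet document or from FortiNAC: it parses FortiOS key=value syslog lines, keeps only messages carrying the four VPN log IDs the document lists, extracts the user and tunnel address FortiNAC correlates on, and reports what share of a feed is noise. The sample lines are constructed, and the field names (logid, action, user, tunnelip, remip, tunneltype) are assumed to match the FortiOS event format.

```python
"""Filter a FortiGate syslog feed down to the VPN session events FortiNAC uses.

Added example, not part of the Fortinet document or FortiNAC. The log IDs
are the ones the document lists; the sample lines and field names are
constructed and assumed to follow the FortiOS key=value event layout.
"""
import re
from typing import Dict, Iterable, List

# Log IDs the document says must be sent to FortiNAC.
SSL_VPN_LOGIDS = {"0101039947", "0101039948"}
IPSEC_VPN_LOGIDS = {"0101037129", "0101037134"}
VPN_SESSION_LOGIDS = SSL_VPN_LOGIDS | IPSEC_VPN_LOGIDS

# key=value pairs; values may be double-quoted and then may contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split one FortiOS syslog line into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def vpn_session_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only VPN session messages and return the fields worth correlating."""
    events = []
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("logid") not in VPN_SESSION_LOGIDS:
            continue  # any other event only occupies the FortiNAC syslog queue
        events.append({
            "logid": f["logid"],
            "vpn": "ssl" if f["logid"] in SSL_VPN_LOGIDS else "ipsec",
            "action": f.get("action", ""),   # assumed: tunnel-up / tunnel-down
            "user": f.get("user", ""),
            "tunnelip": f.get("tunnelip", ""),  # address from the VPN pool
            "remip": f.get("remip", ""),        # client's public address
        })
    return events


def noise_ratio(lines: Iterable[str]) -> float:
    """Fraction of the feed that is not a VPN session event (the document's 'too many logs' case)."""
    lines = list(lines)
    if not lines:
        return 0.0
    wanted = sum(1 for l in lines if parse_fortios_line(l).get("logid") in VPN_SESSION_LOGIDS)
    return 1.0 - wanted / len(lines)


# Constructed sample feed; addresses come from the document's example VPN ranges.
SAMPLE_LINES = [
    'date=2021-12-16 time=10:01:02 devname="FGT-LAB" logid="0101039947" type="event" subtype="vpn" '
    'level="information" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.7 user="jdoe" '
    'tunnelip=10.200.80.10 msg="SSL tunnel established"',
    'date=2021-12-16 time=10:01:03 devname="FGT-LAB" logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.200.80.10 dstip=10.200.5.22 action="accept"',
    'date=2021-12-16 time=10:05:00 devname="FGT-LAB" logid="0101037129" type="event" subtype="vpn" '
    'action="tunnel-up" tunneltype="ipsec" remip=198.51.100.9 user="asmith" tunnelip=10.200.80.100 '
    'msg="IPsec tunnel up"',
    'date=2021-12-16 time=10:30:00 devname="FGT-LAB" logid="0101039948" type="event" subtype="vpn" '
    'action="tunnel-down" tunneltype="ssl-tunnel" remip=203.0.113.7 user="jdoe" tunnelip=10.200.80.10 '
    'msg="SSL tunnel shutdown"',
]

if __name__ == "__main__":
    for event in vpn_session_events(SAMPLE_LINES):
        print(event)
    print(f"non-VPN share of feed: {noise_ratio(SAMPLE_LINES):.0%}")
```

Feeding a captured syslog file through noise_ratio is a quick way to see whether the event filter on the FortiGate is tight enough before the messages reach FortiNAC; a high ratio means traffic or other event categories are still being forwarded.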
CLI Settings:
SSL VPN
IPSec VPN
SSL VPN
Important: When SSL VPN Settings are applied, all existing SSL VPN connections are
disconnected, regardless of portal. Applying SSL VPN Settings should be done during a
Maintenance Window.
Domain Name for agent communication (required if agents are delivered through Captive
Portal):
o Must match the domain to be configured in the VPN scope of FortiNAC. FortiNAC
only answers SRV queries from connecting agents sourced from this domain. See
DNS File Entry Descriptions in the Appendix for details.
o If FortiNAC is managing multiple VPN scopes where agents are delivered through
the portal, they must all use the same domain.
o Avoid using the .local suffix; macOS and some Linux systems may have communication
issues with it.
VPN Portals
UI
3. Click OK to save
CLI Example
Applying SSL VPN Settings disconnects all existing SSL VPN connections on the FortiGate.
If there are VPN tunnels in production, this should be done during a Maintenance Window.
VPN settings should be configured via CLI in order to apply them to the specific portal (UI
configures all SSL portals).
IPSec VPN
UI: VPN > IPsec Wizard
For instructions, refer to the following document (Tip: Open in New Tab):
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/786021/configuring-the-ipsec-vpn
Note: CLI access may be required for additional tunnel customization as desired.
Login to the FortiGate CLI to complete configuration.
CLI:
Ensure the following is configured on the IPSec phase1 interface.
DNS server IPs (primary = production server, secondary = FortiNAC VPN interface)
Domain Name for agent communication. This must match the domain configured in the
VPN scope in FortiNAC. In order for the FortiNAC agent installed on the remote endpoint
to locate the FortiNAC server it should talk to, the FortiGate must be configured with the
domain the agent uses to look up FortiNAC. NOTE: If FortiNAC is managing multiple
VPN scopes, they must all use the same domain.
Configure FortiNAC
The following items must be configured on the FortiNAC appliance:
RADIUS/LDAP Authentication
FSSO settings
Isolation Interfaces
Configure the eth1 VPN isolation interface using Configuration Wizard.
Virtual Private Network Interface: eth1
Interface IPv4 Address: IPv4 address for the VPN interface on eth1.
Mask: VPN interface subnet mask (IPv4).
IPv4 Gateway: Gateway IP address used by the VPN interface.
Interface IPv6 Address (optional): IPv6 address for the VPN interface on eth1.
Interface IPv6 Mask in CIDR notation (optional): Subnet IPv6 mask for the VLAN interface in CIDR notation format (e.g., 64).
Interface IPv6 Gateway (optional): IPv6 Gateway for the VLAN interface for eth1 when clients connect through this VLAN.
NOTE:
11. Enter the IP Addresses for Start and End of the lease pool range for the VPN scope defined
in the FortiGate Address Object.
15. Click Summary when finished.
16. Review the data on the Summary View to confirm the configured settings.
17. Click Apply. The Configuration Wizard writes the data to the files on the appliances. This
process may take several minutes to complete. When completed, the Results page appears.
18. Review the Results. Errors are noted at the top of the Results page.
19. Scroll down through the results and note errors or warnings. Make changes and apply them
until a successful configuration is written.
Example values:
FortiNAC CA FQDN: Server01.Fortinet.com
Eth0 (Management interface): 10.200.20.20
Registration interface: 10.200.5.20
Remediation interface: 10.200.5.21
VPN interface: 10.200.5.22
Eth1 GW: 10.200.5.1
20. After committing the changes in Configuration Wizard, run the command ifconfig
in the FortiNAC CLI to identify the sub-interfaces assigned to the isolation
networks. If the Control and Application Servers are separate, access the CLI of the
Application Server.
> ifconfig
Policy Based Routes
Configure policy-based routing. Policy-based routing ensures traffic is transmitted out the same
interface on which it was received. This allows FortiNAC agents to communicate with FortiNAC through
either the management (eth0) interface or the VPN sub-interface, depending on whether the endpoint is isolated.
Important: If High Availability is configured, execute the steps outlined in sections Isolation
Interfaces and Policy Based Routes on the Secondary Server and make the same modifications.
Otherwise, VPN will not work should a failover occur.
1. Login to the CLI as root of the FortiNAC server (Application Server if separate Control
and Application Servers)
Important: The following instructions presume the script has not yet been run. If the script
has been run previously and you are modifying or adding an interface, see the Appendix for
instructions.
a. Type setupAdvancedRoute
b. Type I to install
c. Enter the gateway for each interface (eth0, eth1, etc) as prompted.
There should now be a rule listed for each interface and sub-interface configured:
0: from all lookup local
10: from <eth0 IP address> lookup eth0
20: from <eth1 IP address> lookup eth1
30: from <eth1:1 IP address> lookup eth1:1
40: from <eth1:2 IP address> lookup eth1:2
32766: from all main
32767: from all default
Example:
>ip rule show
0: from all lookup local
10: from 10.200.20.20 lookup eth0
20: from 10.200.5.20 lookup eth1
30: from 10.200.5.21 lookup eth1:1
40: from 10.200.5.22 lookup eth1:2
32766: from all main
32767: from all default
4. Reboot appliance.
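The rule listing above is what a correctly installed setupAdvancedRoute leaves behind: one "from <address> lookup <interface>" rule per interface and sub-interface. The Python script below is an added example, not code from the Fortinet document or from FortiNAC: it parses text in the format of the ip rule show output shown above and reports any interface in an interface-to-address map that has no matching rule, which is the check to run before rebooting (and again on the Secondary Server in a High Availability pair). The interface map and both output samples are constructed from the document's example addresses; the eth1:N sub-interface names are assumed to follow the pattern shown in the document.

```python
"""Verify that every FortiNAC interface has a policy-based routing rule.

Added example, not part of the Fortinet document or FortiNAC. Parses the
`ip rule show` format shown in the document and compares it with the
interface addresses the Configuration Wizard assigned (constructed map).
"""
import re
from typing import Dict, List, Tuple

# "<prio>: from <source> [lookup] <table>"; the document's own listing omits
# the word "lookup" on the main/default lines, so it is optional here.
_RULE_RE = re.compile(r"^\s*(\d+):\s+from\s+(\S+)\s+(?:lookup\s+)?(\S+)\s*$")


def parse_ip_rules(output: str) -> List[Tuple[int, str, str]]:
    """Return (priority, source, table) tuples from `ip rule show` text."""
    rules = []
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def missing_route_rules(output: str, interfaces: Dict[str, str]) -> List[str]:
    """Names of interfaces (name -> IPv4) lacking a 'from <ip> lookup <name>' rule."""
    present = {(src, table) for _, src, table in parse_ip_rules(output)}
    return sorted(name for name, ip in interfaces.items() if (ip, name) not in present)


# Constructed map using the Configuration Wizard example values from the document.
INTERFACES = {
    "eth0": "10.200.20.20",   # management interface
    "eth1": "10.200.5.20",    # registration interface
    "eth1:1": "10.200.5.21",  # remediation interface
    "eth1:2": "10.200.5.22",  # VPN isolation interface
}

# Constructed output of a correctly configured appliance.
GOOD_OUTPUT = """\
0: from all lookup local
10: from 10.200.20.20 lookup eth0
20: from 10.200.5.20 lookup eth1
30: from 10.200.5.21 lookup eth1:1
40: from 10.200.5.22 lookup eth1:2
32766: from all lookup main
32767: from all lookup default
"""

# Same appliance with the VPN sub-interface rule missing (constructed).
BAD_OUTPUT = GOOD_OUTPUT.replace("40: from 10.200.5.22 lookup eth1:2\n", "")

if __name__ == "__main__":
    # On the appliance itself, pass the real text instead:
    #   subprocess.run(["ip", "rule", "show"], capture_output=True, text=True).stdout
    print("good:", missing_route_rules(GOOD_OUTPUT, INTERFACES))  # []
    print("bad: ", missing_route_rules(BAD_OUTPUT, INTERFACES))   # ['eth1:2']
```

An empty list means every isolated and production path has its own rule; a listed sub-interface (here the VPN isolation interface) is exactly the condition under which agent traffic from isolated endpoints would be answered out of the wrong interface.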
System Defined Uplink Count
Ensure the System Defined Uplink Count value is larger than the maximum number of VPN
clients that could be online at the same time. Otherwise, the VPN virtual port in FortiNAC could
be changed to an uplink. All clients would then be marked as offline and the FSSO tags removed,
affecting network access. For details on setting this value, see System Defined Uplink Count in
section Network device of the Administration Guide.
SNMP Settings: SNMP v1 or v3 credentials used for device discovery and ARP
collection/L3 polling
Note: If a “?” appears as the icon, then support needs to be added for that device. See KB
article Options for Devices Unable to Be Modeled in Topology for instructions.
The FortiGate will display in Topology as a wireless device since it can act as a wireless
controller. Device Type will show the part number.
Since the FortiGate displays as a wireless device, the Network Device Summary panel under
Bookmarks > Dashboard lists FortiGate models as Wireless Access Points. Clicking on the
icon lists the devices.
3. Once added, right click on the model and select Resync Interfaces. The ports will be
listed under the Ports tab.
4. Enable L3 Polling. Right click on the model in the left panel and select Group
Membership.
5. Check the box next to L3 Polling (IPMAC) and click OK.
6. Click the Polling tab.
a. Check the box next to L2 Hosts Polling. If configuring Device Detection traps,
set the L2 (Hosts) Polling value for 15 minutes.
b. Check the box next to L3 (IPMAC) Polling.
c. Click Save.
Once the FortiGate is discovered, new VPN interfaces in the Ports view will appear. The new
interface is created for the FortiGate device model with the name format:
<VDOM name>_<IPSEC_VPN or SSL_VPN>
7. If utilizing the FortiGate REST API key (FortiNAC versions 8.8.3 and greater), login to
the FortiNAC CLI as root and enter the following:
Device -ip <FortiGate model IP> -SetAttr -name APIToken -value <API Key>
2. RADIUS: Enter a value for the RADIUS secret. This must match the one entered on the
FortiGate for the RADIUS server definition created for FortiNAC.
Logical Networks
For more details, refer to the below section in the Administration Guide (Tip: Open in New Tab):
Logical networks
1. Navigate to System > Settings > System Communication > Fortinet FSSO Settings.
2. Select Enable FSSO Communication.
3. Leave the port set to 8000 unless it has been changed on the FortiGate.
4. Enter the password that will be used in the fabric connector definition on the FortiGate.
Captive Portal
Develop Content
Configure the settings and behavior of the portal pages to be presented to users when connecting to
the VPN. The following Content Fields are listed under the VPN branch in Content Editor
(System > Portal Configuration)
Content: Description
Index (Redirect): Presented to the user while NAC evaluates the host to determine which page to display.
Download Page: The VPN Login page displayed to hosts that connect with user information available from the VPN device, but do not have an agent.
Profile Configuration Download: If the host matches a supplicant policy, this page will allow them to download the Supplicant Configuration. This is primarily used for Apple iOS devices as other devices will download the supplicant configuration via the Agent. Other devices that end up at this page will download the Agent.
Mobile Agent Download: A page presented to download the Agent from the relevant App store.
Instructions: Relates to the Download Page. Like other Login Forms, the optional instructions may be displayed inline in the download page or as a separate page opened from a link, depending on which "Instructions" option is selected in the Download Page or User Login (In-line only) content.
User Login (In-line only): Reached from VPN_Redirect when the user first hits the VPN context. If no user information can be found from the VPN device, then this login form is used.
Success: Host has successfully scanned and is released from isolation.
For more details, refer to the following section in the Administration Guide (Tip: Open in New
Tab): VPN Portal
Using Multiple Captive Portals with VPN
When Multiple Captive Portals are configured, Portal Policies are used to determine which portal
is presented upon isolation. FortiNAC cannot properly determine the portal for VPN connections
if the host does not have an Agent already installed. Therefore, the default portal should be used
for VPN connections.
For more details, refer to the following section in the Administration Guide (Tip: Open in New
Tab): Portal Policies
1. Navigate to System > Settings > Persistent Agent > Security Management.
5. Specify the network used for the VPN IP Pool then click OK. This allows FortiNAC to
communicate with agents from that network regardless of connection status.
Example:
IP Address: 10.200.80.0
CIDR/mask: 24
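The VPN pool network entered here has to agree with the FortiGate address objects created earlier and with the lease pool ranges entered in the Configuration Wizard; if an address object falls outside the Security Management network, agents on those addresses cannot be reached while isolated. The Python script below is an added example, not code from the Fortinet document or from FortiNAC: it checks that each VPN address range lies inside the agent network and that the SSL and IPSec ranges do not overlap. The address values are the document's examples; the IPSec object name FNAC_IPSEC_VPN_ADDR is assumed (the document only names the SSL object), and the checks themselves are an assumption about what a consistent configuration needs, not a FortiNAC feature.

```python
"""Cross-check VPN address ranges against the Persistent Agent Security Management network.

Added example, not part of the Fortinet document or FortiNAC. Address values
are the document's examples; the IPSec object name is assumed.
"""
import ipaddress
from typing import Dict, List, Tuple

IPRange = Tuple[str, str]  # (start-ip, end-ip) as in a FortiGate iprange address object


def check_vpn_scopes(ranges: Dict[str, IPRange], agent_network: str) -> List[str]:
    """Return a list of problems; an empty list means the ranges are consistent."""
    net = ipaddress.ip_network(agent_network, strict=True)
    problems: List[str] = []
    spans: Dict[str, Tuple[int, int]] = {}
    for name, (start, end) in ranges.items():
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            problems.append(f"{name}: start {lo} is after end {hi}")
            continue
        spans[name] = (int(lo), int(hi))
        # Every pool address must be inside the network the agent may talk from.
        if lo not in net or hi not in net:
            problems.append(f"{name}: {lo}-{hi} not inside agent network {net}")
    # Pools for different VPN types must not hand out the same address.
    names = sorted(spans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]:
                problems.append(f"{a} and {b} overlap")
    return problems


# Document example values: SSL object name from the CLI example, IPSec name assumed.
RANGES: Dict[str, IPRange] = {
    "FNAC_SSL_VPN_ADDR": ("10.200.80.10", "10.200.80.99"),
    "FNAC_IPSEC_VPN_ADDR": ("10.200.80.100", "10.200.80.200"),
}
AGENT_NETWORK = "10.200.80.0/24"  # IP Address 10.200.80.0, CIDR/mask 24

# Constructed misconfigurations for comparison.
OVERLAPPING: Dict[str, IPRange] = {
    "FNAC_SSL_VPN_ADDR": ("10.200.80.10", "10.200.80.120"),
    "FNAC_IPSEC_VPN_ADDR": ("10.200.80.100", "10.200.80.200"),
}
OUTSIDE: Dict[str, IPRange] = {"FNAC_SSL_VPN_ADDR": ("10.200.81.10", "10.200.81.99")}

if __name__ == "__main__":
    print("document example:", check_vpn_scopes(RANGES, AGENT_NETWORK))
    print("overlapping:     ", check_vpn_scopes(OVERLAPPING, AGENT_NETWORK))
    print("outside network: ", check_vpn_scopes(OUTSIDE, AGENT_NETWORK))
```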
For more details, refer to the following section in the Administration Guide (Tip: Open in New
Tab): Security Management
Notification Messages
By default, the agent will display messaging to the user informing them of their network status
when connecting over VPN.
When end stations first connect, access is restricted and the agent displays:
“Network restrictions have been applied for this device”
Once FortiNAC has evaluated the end station and moved the IP address to the unrestricted
network object group, the agent displays:
“Network restrictions have been lifted for this device”
These messages will display regardless of the ClientStateEnabled Persistent Agent setting. For
more information on this setting, see section Persistent Agent Settings in the Persistent Agent
Deployment Guide (Tip: Open in New Tab): Persistent Agent Deployment and Configuration
To disable the messaging see Disable Persistent Agent Notifications in the Appendix.
iOS/macOS/Samsung Android
FortiNAC must not have Captive Network Assistant configured. This feature is disabled by
default. If enabled, see section Disable CNA (iOS/macOS/Samsung Android) in the Captive
Networks Assistant reference manual.
Note: This function is disabled for all portals for these operating systems.
Windows
By default, Windows machines may automatically pop up the default browser. Refer
to the following article for more information:
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network
The following options are available for disabling Windows Captive Portal Detection.
Note: These options are not necessary if only managed Windows machines are connecting and the
Registry Key has been set as specified under Requirements.
Option 1: Prevent Captive Portal Detection (VPN Portal Only) for Windows
The zones.vpn file can be modified through the appliance CLI.
Add the following domains to the Allowed Domains List. For instructions on adding domains, see
Add a domain in section Allowed Domains of the Administration Guide.
msftconnecttest.com
msedge.net
c-msedge.net
Note: Since a device remains in an isolated state until the scan completes, the complexity
of the scan may introduce delays in the time it takes the remote user to complete the
connection process.
3. Click the Agent tab.
4. Select the agent type and version to provide to connecting computers that do not have an
agent installed. There are three agent types:
Persistent Agent (PA): Installed on the user's PC and remains there, communicating
with FortiNAC whenever the PC is on the network.
Dissolvable Agent (DA): Downloaded and installed every time the user connects to
the network. After scanning the user's PC and reporting results to FortiNAC, the agent
removes itself.
Note:
It is recommended users are sent to the download location through DNS and
URL redirection.
Mobile Agent: Installed on a handheld device running Android and remains there,
communicating with FortiNAC whenever the device is on the network.
Note: Due to unsupported features by the vendor, mobile devices running iOS cannot
connect through VPN.
For more details, refer to the following section in the Administration Guide (Tip: Open in New
Tab): Add or modify a configuration
Persistent Agent
Required: Host [VPN Client: Yes]
Optional: Add other criteria as desired, for example to avoid undesired scanning of
non-VPN offline hosts.
Dissolvable Agent
Required: Adapter [Connected: Offline]
Optional:
Host [Persistent Agent: No]
Adapter [IP Address: <VPN IP subnets. Can use wildcard (*)>]
Important: Do not include any other criteria when using the Dissolvable Agent. See
related KB article for details.
2. Click OK.
For more details, refer to the following section in the Administration Guide (Tip: Open in New
Tab): User/host profiles.
Network Access Policies
Configure Network Access Policies for the IP address ranges used for VPN access. If multiple IP
address ranges are used for different types of VPN access (SSL or IPSec), different policies can be
created or they can be combined into a single policy.
Configuration Steps
1. Create a User/Host Profile with the following for each level of access (such as Staff
and Executives):
IP scopes that correspond to the addresses used for the VPN types being
managed
(Adapter Tab) IP Address: <VPN IP subnets>
2. Choose an existing one for the desired VPN network to assign to VPN sessions.
3. Create a Network Access Configuration that references the Logical Network chosen for
VPN sessions
4. Create a Network Access Policy that uses both the new VPN User/Host Profile
and Network Access Configuration
For more details, refer to the following section in the Administration Guide (Tip: Open in New
Tab): Network Access Policies
Finalize Configuration
Establish Security Fabric Connection with FortiGate
Have both the FortiGate and FortiNAC UIs open for the following steps.
d. Click OK to save.
f. Define the IP address the Fabric Connector will use for communicating with
FortiNAC. If VPN is configured within the Management VDOM, enter the address
used to model the FortiGate in Topology.
If the FortiGate UI does not provide this option, configure it via the FortiGate CLI.
Commands
config user fsso
    edit "<FSSO Connector name>"
        set source-ip <FortiGate IP Address>
    next
end
d. Define the Source IP Address. This must match the source IP entered in the
previous step.
3. In the FortiGate UI
b. The FortiGate will read in all the FortiNAC Tags and user/host groups.
c. The FortiNAC Tags and user/host groups are now available for use within FortiGate
User groups.
FortiOS versions prior to 6.2: Proceed to Create User Group in FortiGate
FortiOS versions 6.2 and later: Proceed to Create FortiGate Firewall Policies
Create User Group in FortiGate (Required for FortiOS versions prior to 6.2)
Create FortiGate Firewall Policies
Create firewall policies to:
Allow network access to VPN clients authenticated by FortiNAC (authorized hosts).
Restrict network access to all other VPN clients. They are considered untrusted.
Workflow:
1. When a client initially connects to the VPN tunnel, network access is restricted.
2. While restricted, FortiNAC answers all DNS queries. Limited network access is granted.
The amount of network access allowed depends upon the organization’s policies. For
example, it may be necessary to allow clients to update antivirus programs, in which case
network access to the internet may be required. FortiNAC controls which domains are
resolved to the actual IP address.
3. Once authenticated, clients match a FortiNAC Network Access Policy and a Logical
Network is assigned. FortiNAC sends the group or tag associated with the Logical Network
to the FortiGate.
4. The matching FortiGate firewall policy applies the appropriate network access.
Note:
The following examples are for illustration purposes. It is up to the firewall administrator
to configure their policies as appropriate to achieve the above goals.
It is assumed the applicable components required for firewall policies have already been
configured (such as network interfaces).
Block DNS (at a minimum) or all traffic to/from the FortiNAC VPN Interface (this ensures DNS
requests are forwarded to production DNS).
Allow traffic to/from the desired network destinations.
Example
Legend:
FNAC_SSL_VPN_ADDR: VPN IP Address Object (SSL)
FNAC_IPsec_VPN_ADDR: VPN IP Address Object (IPsec)
VPN_AUTH: FSSO Group sent by FortiNAC
SERVER NET: FortiNAC VPN Isolation Network
FNAC_ETH1_VPN: VPN Isolation Interface Address
wan1: Interface to internet
MGMT NET: Internal
ID 10: Block VPN traffic from any network to FortiNAC VPN Interface
ID 11: Allow VPN traffic from any interface out to the internet
ID 13: Allow VPN traffic from any interface to the Management network
Allow traffic to/from FortiNAC VPN Interface (to ensure DNS requests are forwarded to
FortiNAC)
Example
Legend:
FNAC_SSL_VPN_ADDR: VPN IP Address Object (SSL)
FNAC_IPsec_VPN_ADDR: VPN IP Address Object (IPsec)
VPN_AUTH: FSSO Group sent by FortiNAC
SERVER NET: FortiNAC VPN Isolation Network
FNAC_ETH1_VPN: VPN Isolation Interface Address
wan1: Interface to internet
MGMT NET: Internal
ID 9 & 15: Allow SSL and IPsec VPN traffic to the FortiNAC VPN eth1 interface
ID 12 & 16: Block SSL and IPsec VPN traffic to all interfaces
If an endpoint does not match a policy that permits regular network access (IDs 10, 11, 13), the
endpoint is considered untrusted. Therefore, apply policies to restrict the endpoint’s network access
to the FortiNAC Service Network (IDs 9, 12, 15, 16).
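As an added example, not Fortinet's code or a FortiOS configuration, the following Python models how the FortiGate evaluates the policy set in the legend above top-down with the first match winning, and how the VPN_AUTH group that FortiNAC sends over FSSO moves a client from the untrusted set (IDs 9, 12, 15, 16) to the authorized set (IDs 10, 11, 13) without its IP address changing. The address ranges, the interfaces port2 and port3, the client address and the policy order are assumptions; the page does not state the order in which the policies are arranged.

```python
import ipaddress
from dataclasses import dataclass

# Address objects from the legend; the ranges themselves are constructed.
ADDR = {
    "FNAC_SSL_VPN_ADDR": ipaddress.ip_network("10.212.134.0/24"),
    "FNAC_IPsec_VPN_ADDR": ipaddress.ip_network("10.212.135.0/24"),
    "FNAC_ETH1_VPN": ipaddress.ip_network("172.16.99.6/32"),
    "MGMT NET": ipaddress.ip_network("10.10.0.0/16"),
    "all": ipaddress.ip_network("0.0.0.0/0"),
}
VPN_SRC = ("FNAC_SSL_VPN_ADDR", "FNAC_IPsec_VPN_ADDR")


@dataclass(frozen=True)
class Policy:
    pid: int
    srcaddr: tuple        # address object names
    dstintf: str          # egress interface, or "any"
    dstaddr: str          # address object name
    action: str           # "accept" or "deny"
    group: str = None     # FSSO group the source must hold, or None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dstintf: str


# Assumed ordering (the page does not state it): policies are evaluated
# top-down, first match wins, so the VPN_AUTH set (10, 11, 13) must sit
# above the untrusted set (9, 15, 12, 16); otherwise ID 9 shadows ID 10.
POLICIES = [
    Policy(10, VPN_SRC, "any", "FNAC_ETH1_VPN", "deny", "VPN_AUTH"),
    Policy(11, VPN_SRC, "wan1", "all", "accept", "VPN_AUTH"),
    Policy(13, VPN_SRC, "any", "MGMT NET", "accept", "VPN_AUTH"),
    Policy(9, ("FNAC_SSL_VPN_ADDR",), "any", "FNAC_ETH1_VPN", "accept"),
    Policy(15, ("FNAC_IPsec_VPN_ADDR",), "any", "FNAC_ETH1_VPN", "accept"),
    Policy(12, ("FNAC_SSL_VPN_ADDR",), "any", "all", "deny"),
    Policy(16, ("FNAC_IPsec_VPN_ADDR",), "any", "all", "deny"),
]


def matches(policy, pkt, fsso):
    """True if pkt matches policy; fsso maps client IP -> set of FSSO groups."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if not any(src in ADDR[n] for n in policy.srcaddr):
        return False
    if policy.dstintf not in ("any", pkt.dstintf):
        return False
    if dst not in ADDR[policy.dstaddr]:
        return False
    if policy.group and policy.group not in fsso.get(pkt.src, set()):
        return False
    return True


def first_match(pkt, fsso, policies=POLICIES):
    """Return (policy id, action); (None, 'deny') is the implicit deny."""
    for p in policies:
        if matches(p, pkt, fsso):
            return p.pid, p.action
    return None, "deny"


def fsso_login(fsso, client_ip, group):
    """Model FortiNAC sending the FSSO group for an authorized VPN client."""
    fsso.setdefault(client_ip, set()).add(group)


def session_walkthrough(client="10.212.134.50", policies=POLICIES):
    """Policy hit for DNS-to-FortiNAC, internet and management traffic,
    before and after FortiNAC sends VPN_AUTH for the client."""
    fsso = {}
    flows = (
        Packet(client, "172.16.99.6", "port2"),   # DNS query to FortiNAC eth1
        Packet(client, "203.0.113.10", "wan1"),   # internet
        Packet(client, "10.10.5.20", "port3"),    # management network
    )
    before = [first_match(f, fsso, policies) for f in flows]
    fsso_login(fsso, client, "VPN_AUTH")
    after = [first_match(f, fsso, policies) for f in flows]
    return before, after


if __name__ == "__main__":
    print(session_walkthrough())
```

Before the tag arrives, the client reaches only the FortiNAC isolation interface (ID 9) and everything else is denied (ID 12); after it, DNS to FortiNAC is blocked (ID 10) so queries go to production DNS, and internet and management traffic are accepted (IDs 11 and 13). Reordering POLICIES so that ID 9 precedes ID 10 makes session_walkthrough() report (9, 'accept') for the authorized client's DNS flow, which is the shadowing mistake to check for in the real policy list.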
Enable VPN Management for Existing FortiGate Models
Note: If the FortiGate was modeled during the Configure FortiNAC section of this document,
this step is not needed. Proceed to Validate.
Perform the following steps if the FortiGate was already modeled in Topology prior to the VPN
integration:
1. In the FortiNAC Administration UI, navigate to Network Devices > Topology.
2. Select the FortiGate device model in the tree.
3. Right click and select Network Access/VLANs.
4. Click Read VLANs.
FortiNAC reviews the list of DNS Servers in the FortiGate's VPN configuration. If one of the DNS
server IPs matches one of the FortiNAC interface IPs, the VPN tunnel is considered to be managed.
FortiNAC updates the FortiGate device model's VPNManagedNetworks attribute value.
Example:
Name = VPNManagedNetworks, Value = FNAC_SSL_VPN_ADDR (the FortiGate Address Object name
used by the VPN tunnel)
Proceed to Validate.
Validate
Using the VPN client, establish a connection and verify the following:
1. Host is assigned an IP address from the VPN address pools defined on the FortiGate and in
Configuration Wizard.
2. If an agent is not already installed on the connecting host, depending on the VPN Endpoint
Compliance Policy, the user may be prompted to download an agent. Without an agent, the
VPN session will not be authorized by FortiNAC.
3. If an agent is installed, the appropriate scan configured in the VPN Endpoint Compliance
Policy is run.
4. Once the scan completes and passes, FortiNAC sends the FSSO tag/group values to the
FortiGate which changes the firewall rules that match the VPN traffic from that point
forward, and the host is granted access to the appropriate networks.
Troubleshooting
If experiencing problems with the VPN device and users managed by FortiNAC, check the
following:
1. Proper route(s) are defined to send traffic to FortiNAC from the VPN device. This may
include running the setupAdvancedRoute tool to create policy-based routes.
2. The remote IP assigned to the VPN session comes from the correct VPN pool on the
FortiGate and the address scope is correctly defined for the VPN context on the FortiNAC
appliance.
3. SNMP and CLI credentials are configured correctly on both FortiNAC and the VPN device
to facilitate device discovery and FortiNAC/FortiGate communication.
4. The RADIUS secret is the same on the VPN device, the FortiNAC RADIUS server
configuration and the FortiNAC model configuration for the VPN device. Ensure FortiNAC
is authenticating the VPN sessions as they connect.
5. The FortiNAC Server or Control Server should always be able to communicate with the
FortiGate via FSSO to set and remove tags/groups as appropriate.
6. Firewall policies and routes are defined to allow users on both restricted and non-restricted
networks to access the FortiNAC VPN interface.
7. Endpoint compliance and Network access control policies are configured correctly on the
FortiGate to match the VPN sessions being managed.
8. Logical Network to tag/group mappings are configured correctly on the FortiGate model in
FortiNAC to cause the correct values to be sent to the FortiGate when the session is
authorized.
9. Syslog messages are configured to be sent to FortiNAC. Log messages with ids of
0101039947 and 0101039948 (SSL), or 0101037129 and 0101037134 (IPSec) must be sent to
FortiNAC.
Related KB Articles
Troubleshooting FortiGate VPN integrations
Unable to model FortiGate in High Availability mode
RADIUS timeout during 2 Factor Authentication
Debugging
RADIUS activity:
CampusMgrDebug -name RadiusManager true
Syslog activity:
CampusMgrDebug -name SyslogServer true
VPN activity:
CampusMgrDebug -name RemoteAccess true
Disable debugging:
CampusMgrDebug -name <debug name> false
SSO activity:
CampusMgrDebug -name SSOManager true
Note: Debugs disable automatically upon restart of FortiNAC control and management processes.
Appendix
VPN Connection Process Details
The following sequence describes the process for remote users that connect to the network
through a FortiGate VPN when network access is controlled by FortiNAC.
When SSL VPN Settings are applied, all existing SSL VPN connections are disconnected.
Applying settings should be done during a Maintenance Window.
DNS File Entry Descriptions
/var/named/chroot/etc/domain.zone.vpn is used for managing DNS SRV records for agent
communications over all VPN tunnels. This file is modified when the eth1 VPN isolation interface
is configured/modified using Configuration Wizard. There is a domain.zone.* file for each
FortiNAC Service interface (Isolation, Registration, Remediation, etc). For more details, see DNS
Server Configuration in the Administration Guide.
<…>
$ORIGIN example.com.
b._dns-sd._udp PTR @
lb._dns-sd._udp PTR @
*.example.com. IN A 172.16.99.6
;*.example.com. IN AAAA BN_VPN_6IP
*Portal SSL Fully-Qualified Host Name configured in the UI under System > Settings >
Security > Portal SSL
1. VPN isolation interface is configured and DHCP scope created with domain example.com.
3. Endpoint connects to VPN tunnel and obtains DHCP information from VPN SERVER
6. Upon receipt of query, FortiNAC searches the domain.zone.* files for a matching domain in
the $ORIGIN entry
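Added example, not FortiNAC code: a small parser for the domain.zone.* format shown above and the zone selection of step 6, resolving an A query first against an exact owner and then against the zone's wildcard record, which is what gives a restricted host the isolation interface address for any name under the DHCP domain. The first zone file mirrors the excerpt; the second file, its domain and its 172.16.98.6 address are constructed for the example.

```python
# Constructed domain.zone.* contents, modelled on the excerpt above.
ZONE_FILES = {
    "domain.zone.vpn": (
        "$ORIGIN example.com.\n"
        "b._dns-sd._udp PTR @\n"
        "lb._dns-sd._udp PTR @\n"
        "*.example.com. IN A 172.16.99.6\n"
        ";*.example.com. IN AAAA BN_VPN_6IP\n"
    ),
    # A second service interface with its own domain (constructed).
    "domain.zone.isol": (
        "$ORIGIN isol.example.com.\n"
        "*.isol.example.com. IN A 172.16.98.6\n"
    ),
}


def parse_zone(text):
    """Return (origin, records); records are (owner, type, rdata) with FQDN owners."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment (e.g. the AAAA line)
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1].rstrip(".").lower()
            continue
        owner = parts[0]
        # Absolute owners end with "."; relative owners are appended to $ORIGIN.
        if owner.endswith("."):
            owner = owner.rstrip(".").lower()
        else:
            owner = f"{owner.lower()}.{origin}"
        fields = parts[2:] if parts[1].upper() == "IN" else parts[1:]   # class is optional
        rtype, rdata = fields[0].upper(), fields[1]
        if rdata == "@":
            rdata = origin
        records.append((owner, rtype, rdata))
    return origin, records


ZONES = [parse_zone(t) for t in ZONE_FILES.values()]


def select_zone(zones, qname):
    """Step 6 above: pick the zone whose $ORIGIN encloses qname (longest match wins)."""
    qname = qname.rstrip(".").lower()
    best = None
    for origin, records in zones:
        enclosed = qname == origin or qname.endswith("." + origin)
        if enclosed and (best is None or len(origin) > len(best[0])):
            best = (origin, records)
    return best


def resolve_a(zones, qname):
    """Answer an A query: exact owner first, then the zone wildcard, else None."""
    zone = select_zone(zones, qname)
    if zone is None:
        return None   # no managed domain matches; not answered from these files
    origin, records = zone
    qname = qname.rstrip(".").lower()
    for owner, rtype, rdata in records:
        if rtype == "A" and owner == qname:
            return rdata
    for owner, rtype, rdata in records:
        if rtype == "A" and owner == "*." + origin:
            return rdata
    return None
```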
Policy Based Routing
Why it is Needed
Because VPN client IP addresses do not change when the network access changes, it is possible for
traffic between agent and FortiNAC to drop due to asymmetric routes. By default, CentOS 7 drops
asymmetrically routed packets before they leave the interface. If asymmetric traffic were to be
allowed to transmit, the packet would most likely be dropped within the network.
Example 1:
Default route = eth0
Resulting behavior:
Restricted (isolated) host communication over VPN would ingress eth1 and egress eth0,
resulting in an asymmetric route.
Non-restricted (production) host communication over VPN would ingress eth0 and egress
eth0.
Example 2:
Default route = eth0
Static route = eth1 for VPN network
Resulting behavior:
Restricted (isolated) host communication over VPN would ingress eth1 and egress eth1.
Non-restricted (production) host communication over VPN would ingress eth0 and egress
eth1, resulting in an asymmetric route.
Policy Based Routing is used to ensure FortiNAC responds to inbound traffic using the interface
from which it was received.
How it Does it
Using a script, individual route tables are built for each FortiNAC interface (eth0, eth1, eth1:1,
eth1:2, etc.). Each table contains routes for the various networks to be reached through that
interface. If a packet is received on an interface, FortiNAC first looks for a route containing the
source IP’s network in that interface's table. If no route for that network is found, FortiNAC
looks at the main route table. IP rules determine the order in which the tables are looked up.
Example:
Main Route Table
Destination    Gateway          Mask             Interface
0.0.0.0        10.10.200.1      0.0.0.0          eth0
10.10.18.0     10.10.201.129    255.255.255.0    eth1
10.10.19.0     10.10.201.129    255.255.255.0    eth1:1
10.10.19.0     10.10.200.1      255.255.255.0    eth0
The files containing the route tables and ip rules for each configured interface are written to
/etc/sysconfig/network-scripts/
Route files:
route-eth0
route-eth1
route-eth1:1
Example
> cat route-eth0
default via 10.10.200.1 dev eth0 src 10.10.200.147 table eth0
10.10.200.0/24 dev eth0 proto kernel scope link src 10.10.200.147 table eth0
Rule files:
rule-eth0
rule-eth1
rule-eth1:1
Example
> cat rule-eth0
from 10.10.200.147 lookup eth0 prio 10
Other Commands
Display IP rules in effect and the order in which route tables will be read
ip rule show
Display routing table for a specific interface (table name = interface name)
ip route show table <table name>
Example: ip route show table eth1
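The following Python, added here and not FortiNAC's script, reproduces the rule and table walk just described for the two cases in Example 1 (reply to a restricted host that arrived on eth1, reply to a production host that arrived on eth0) and renders the route-<interface> and rule-<interface> file contents in the format of the excerpts above. Interface addresses, gateways and the VPN client address are constructed.

```python
import ipaddress


class Route:
    """One route table entry: destination prefix, device and optional gateway."""
    def __init__(self, prefix, dev, via=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.dev = dev
        self.via = via


def lookup(table, dst):
    """Longest-prefix match inside a single table, or None."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(rules, tables, src, dst):
    """Walk ip rules by priority; the first table holding a route for dst decides the device."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, rule_from, table in sorted(rules):
        if rule_from is not None and src not in ipaddress.ip_network(rule_from):
            continue
        r = lookup(tables.get(table, []), dst)
        if r is not None:
            return r.dev
    return None


def iface_table(iface, cidr, gw):
    """Per-interface table: default via the interface's own gateway plus its connected net."""
    net = ipaddress.ip_interface(cidr).network
    return [Route("0.0.0.0/0", iface, gw), Route(str(net), iface)]


def render_files(iface, cidr, gw, prio):
    """route-<iface> and rule-<iface> contents in the format shown on this page."""
    ip = ipaddress.ip_interface(cidr)
    route_file = (f"default via {gw} dev {iface} src {ip.ip} table {iface}\n"
                  f"{ip.network} dev {iface} proto kernel scope link src {ip.ip} table {iface}\n")
    rule_file = f"from {ip.ip} lookup {iface} prio {prio}\n"
    return route_file, rule_file


# Constructed FortiNAC addressing; eth0 = production side, eth1 = VPN isolation.
IFACES = {"eth0": ("10.10.200.147/24", "10.10.200.1", 10),
          "eth1": ("10.10.201.147/24", "10.10.201.129", 20)}
VPN_CLIENT = "172.16.50.10"

# Example 1 on the page: the main table has only a default route, via eth0.
MAIN = [Route("0.0.0.0/0", "eth0", "10.10.200.1"),
        Route("10.10.200.0/24", "eth0"),
        Route("10.10.201.0/24", "eth1")]
BASE_RULES = [(0, None, "local"), (32766, None, "main"), (32767, None, "default")]


def reply_egress(ingress_iface, with_pbr):
    """Device FortiNAC's reply to VPN_CLIENT leaves on, sourced from the ingress interface IP."""
    tables = {"main": MAIN, "local": [], "default": []}
    rules = list(BASE_RULES)
    if with_pbr:   # what the script's route-* and rule-* files install
        for name, (cidr, gw, prio) in IFACES.items():
            tables[name] = iface_table(name, cidr, gw)
            rules.append((prio, f"{ipaddress.ip_interface(cidr).ip}/32", name))
    src = str(ipaddress.ip_interface(IFACES[ingress_iface][0]).ip)
    return egress(rules, tables, src, VPN_CLIENT)


def is_symmetric(ingress_iface, with_pbr):
    """True when the reply leaves on the interface the request arrived on."""
    return reply_egress(ingress_iface, with_pbr) == ingress_iface


if __name__ == "__main__":
    for iface in IFACES:
        print(iface, "without PBR:", reply_egress(iface, False), "with PBR:", reply_egress(iface, True))
    print(*render_files("eth0", *IFACES["eth0"]), sep="")
```

Without the per-interface rules, a reply sourced from the eth1 address follows the main table's default route out eth0, which is the asymmetric case of Example 1; with the rule "from <eth1 IP> lookup eth1" in place, the eth1 table's own default route keeps the reply on eth1.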
Modifying or Adding Interfaces After Script Has Run
2. Type U to uninstall
4. Type I to install
There should now be a rule listed for each interface and sub-interface configured:
0: from all lookup local
10: from <eth0 IP address> lookup eth0
20: from <eth1 IP address> lookup eth1
30: from <eth1:1 IP address> lookup eth1:1
40: from <eth1:2 IP address> lookup eth1:2
32766: from all main
32767: from all default
Example:
> ip rule show
0: from all lookup local
10: from 10.200.20.20 lookup eth0
20: from 10.200.5.20 lookup eth1
30: from 10.200.5.21 lookup eth1:1
40: from 10.200.5.22 lookup eth1:2
32766: from all main
32767: from all default
Disable Persistent Agent Notifications
Login to the CLI as root and configure attributes specific to the FortiGate device model. Contact
Support for assistance.
Example:
device -ip 192.168.1.1 -setAttr -name DisableClientTransitionMessages -value true
Note: There is a range there by default, but it's tied to the SSLVPN Interface and can’t be
used with interface “all”.
3. Create a new firewall Policy using:
c. Source is new SSLVPN IP Range and FortiNAC FSSO Group for Rogues
ARP Data Collection Prioritization
ARP collection can be done via CLI, API and SNMP. If FortiNAC receives ARP data using more
than one method, FortiNAC updates its tables based upon the following precedence:
1. CLI
2. API
3. SNMP
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other
jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except
to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-
identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such
warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto,
whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.