
FortiNAC

VMware Virtual Machine


Installation Guide
FortiNAC Firmware Version 7.0 and Greater
Date: September 16, 2021
Rev: P

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET KNOWLEDGE BASE
http://kb.fortinet.com

FORTINET BLOG
http://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
http://support.fortinet.com

FORTINET COOKBOOK
http://cookbook.fortinet.com

NSE INSTITUTE
http://training.fortinet.com

FORTIGUARD CENTER
http://fortiguard.com

FORTICAST
http://forticast.fortinet.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

Contents
Overview ............................................................................................................................................... 4
Keys ................................................................................................................................................... 4
FortiNAC Deployment Configurations ............................................................................................. 5
Installation Procedure Overview ...................................................................................................... 6
Requirements .................................................................................................................................... 6
VMware .......................................................................................................................................... 6
ESX Server Hardware ................................................................................................................... 6
Virtual Machine Specifications and Resource Sizing ................................................................... 7
Adapters ......................................................................................................................................... 8
Open Ports ..................................................................................................................................... 8
Register Products .................................................................................................................................. 9
Requirements Checklist .................................................................................................................... 9
Before You Begin ............................................................................................................................. 11
Register the Managing Server ........................................................................................................ 14
Register Support Contract for Appliance........................................................................................ 20
Register Licenses ............................................................................................................................. 25
Register Support Contract for License............................................................................................ 28
Register Remaining Appliances ...................................................................................................... 32
Build Virtual Machines ...................................................................................................................... 35
Download the Virtual Machine ....................................................................................................... 35
Import Virtual Machine .................................................................................................................. 37
Clone the Virtual Machines ............................................................................................................ 39
Edit Settings .................................................................................................................................... 40
Set the IP Address for eth0 ............................................................................................................. 41
Record UUID and eth0 MAC Address ............................................................................................ 42
Generate and Download License Keys ............................................................................................... 43
Appendix ............................................................................................................................................. 47
Control/Application VM Server Pair Resource Sizing .................................................................... 47
Appliance Operating System........................................................................................................... 47
Virtual Machine Backup Considerations ........................................................................................ 48
Increase the Hard Drive Size ......................................................................................... 49
Configure Time Settings for Host ................................................................................................... 63
License Distribution in Multiple Appliance Deployments ............................................................. 66
Change the MySQL UUID file of Cloned VMs ............................................................................... 68

Overview
This document provides the steps necessary for installing FortiNAC appliance(s). It is intended to
be used in conjunction with the FortiNAC Deployment Guide in the Fortinet Document Library.
This installation guide is the first step in the deployment.

Virtual Appliance (VM) Part Numbers

Part Number   Description
FNC-M-VM      Control Manager
FNC-CA-VM     Control and Application Server (CA)

Keys
Customers are required to register all products and licenses. Registration assigns
ownership and associates the maintenance contract with the appliance. Once all products are
registered, the license key(s) are generated during the initial configuration. FortiNAC
appliances will not start without a valid key installed. The type of license key generated
and applied to the appliance(s) depends on the deployment configuration and the
appliance role within it. There are two different types of license keys:

• Endpoint License Key
  o Defines the type of license (Base, Plus or Pro) and endpoint quantity
  o Defines the type of appliance (Manager or CA)
  o Installed on the appliance that is associated with license support (the “managing”
    server)

• Appliance (Base) License Key
  o Defines the type of appliance (Manager or CA)
  o Appliance key(s) are installed on all VMs that do not have an endpoint license key
    applied

FortiNAC Deployment Configurations
Below is a general listing of the components involved in product registration and configuration. The
number of license keys, licenses and support contracts is determined by the type of deployment and
the number of appliances.

A license “pool” is defined by license type (Base, Plus or Pro) and the quantity of endpoint licenses
shared among multiple appliances. See License Distribution in the Appendix for details on how
licenses are shared.

• Standalone
  o 1 CA, 1 support contract and 1 license
  o 1 endpoint license key

• Standalone in High Availability
  o 2 CAs, 2 support contracts (1 per CA) and 1 license pool
  o 1 endpoint license key and 1 appliance license key

• Multiple Independent Standalones
  o Multiple CAs, multiple support contracts and multiple licenses (1 per CA)
  o Multiple endpoint license keys (1 per CA)

• Multiple Independent Standalones in High Availability
  o Multiple CAs, multiple support contracts (1 per CA) and multiple license
    pools (1 per High Availability pair)
  o Per High Availability pair: 1 endpoint license key and 1 appliance license key

• Distributed
  o 1 Manager, multiple CAs, multiple support contracts (1 per CA and
    Manager) and 1 license pool
  o 1 endpoint license key (for the Manager) and multiple appliance license keys (1
    per CA)

• Distributed in High Availability
  o Multiple CAs, 1 Manager, multiple support contracts (1 per CA and
    Manager) and 1 license pool
  o 1 endpoint license key (for the Manager) and multiple appliance license keys (1
    per CA and the secondary Manager)

Installation Procedure Overview
1. Register Products
   Register all products and associate the applicable maintenance contract using the
   instructions provided in the email. This step generates a serial number for the VM,
   registers the maintenance contract and ties it to the appliance’s serial number.

2. Build Virtual Machines
   Build the VM(s) and record their UUID(s) and eth0 MAC address(es).

3. Generate and Download License Keys
   Log in to the FortiCare Customer Portal and generate the appliance and endpoint license
   keys using the UUID and MAC address information.

Requirements
FortiNAC versions 8.8 and higher: external FTP access is required so that the radius and
winbind packages can be installed. If that installation fails, the management processes will not
start. For details and a workaround when FTP access is not possible, see KB article FD49945.

VMware
The VM Guest is built with Virtual Hardware Version 7. This makes the guest compatible with
ESXi 4.x and above.

Deployment of the OVA has been tested and verified with vCenter 6.5 and above.

ESX Server Hardware


The requirements for the ESX server used to host your FortiNAC Virtual Machine vary greatly
depending on many factors, including:

• The number of other Virtual Machines running on the same server
• The load those VMs place on the server
• The number of devices, hosts and users on your network that are to be managed by
  FortiNAC

Note: vSphere Fault Tolerance is not supported as a High Availability solution. Refer to the
“Performance Best Practices for VMware vSphere” document on the VMware web site for
additional information.

Virtual Machine Specifications and Resource Sizing
Refer to the FortiNAC Data Sheet available online for the following details:

Specifications
Depending on the load, size of the database and whether or not agents are used, there may
be a need to increase the amount of memory or number of processors being used. It is
recommended the virtual environment be comparable to the physical environment of
hardware-based FortiNAC appliances. Refer to the Specifications table for details
regarding currently shipping hardware.

Resource Sizing
Virtual Machine settings will vary depending on the underlying hardware being used for
the hosting server and the type of FortiNAC server being run in the VM. The ideal result is
to yield a VM environment where the average load does not exceed the Total GHz Rating of
CPU Resources Allocated. Refer to the VM Server Resource Sizing table for suggested
memory and CPU requirements. For modification instructions, see section Edit Settings.

Note: The current OVA provided by Fortinet is built with Virtual Machine Hardware Version 7
so that it imports on ESXi 4.x and later. Hardware Version 7 limits a VM to 8 vCPUs. If the
host runs ESXi 5.x or later on robust hardware, the VM’s hardware version can be upgraded;
once upgraded, the number of vCPUs can be increased beyond 8.

Refer to the following VMware article for more information (the article is not controlled by
Fortinet and may have changed):
Upgrading a virtual machine to the latest hardware version (multiple versions) (1010675)
https://kb.vmware.com/s/article/1010675

Hard Drive (Disk) Size


The initial sizes of the hard drive/disk are provided in the following table. To increase the
drive size once the VM is deployed, see section Increase the Hard Drive Size in the
Appendix. If you need assistance, contact Fortinet Support.
Note: Some versions of VMware allow you to choose either a “Thick” or a “Thin” provisioned
drive. If this option is available, select one of the Thick options; Thick provides faster data
access than Thin, although either will work.

Adapters
The recommended adapter type is VMXNET 3 (default). Note the following:

• Older VMs used E1000 as the pre-set adapter type. The recommended type is VMXNET 3.
• All adapters on the VM should be set to the same adapter type (e.g. eth0 and eth1
  both set to VMXNET 3). Otherwise, unexpected behavior may occur.
• Important: The license key is generated from the eth0 MAC address and the VM UUID. If
  either value no longer matches the license key, the key is no longer valid and the
  management processes will not start. Therefore:
  o Ensure the MAC address is set statically.
  o If deleting and re-adding or modifying Network Adapter 1 (eth0) on an existing
    FortiNAC VM with a license key, configure the same MAC address the adapter used
    previously.
  o If a new key is needed, contact Fortinet Customer Service for assistance.
  o Network Adapter 2 (eth1) can be deleted and re-added without affecting the
    license key.

Open Ports
The set of TCP/UDP ports listening by default on the FortiNAC appliance is kept to the
minimum the product needs, so that unnecessary access from outside is explicitly denied. Keep
it that way: do not open additional ports on the appliance, and block all other ports at the
firewall. If users must reach network resources on a fixed port from outside a firewall, have
them connect over VPN rather than exposing that port. The full list is in section Open Port List
of the FortiNAC Deployment Guide in the Fortinet Document Library.

Register Products
Products must be registered in order for the appropriate keys to be generated for the appliances.
Without these keys, the appliances will not start.

Products include:

• Appliance(s)
• Maintenance contract covering each appliance
• Endpoint licenses
• Maintenance contract covering licenses (1 contract per 100 endpoints)

Requirements Checklist

• Email containing registration codes for all products

Open the email from [email protected] containing attached .zip files.

File name examples:

FNC-M-VM-XXX.zip            = Manager VM Server
FC-10-NCV0M-xxx.zip         = Support & Maintenance for Manager VM Server
FNC-CA-VM_XXX.zip           = Control & Application VM Server (CAVM)
FC-10-NCVCA-xxx.zip         = Support & Maintenance for Control & Application VM Server
LIC-FNAC-BASE-xxx.zip       = License, Base level
FC1-10-FNAC0-xxx.zip        = Support & Maintenance for Base Licenses
FCx-10-FNAC1-215-xx-xx.zip  = Support & Maintenance for Base Licenses (Subscription)
LIC-FNAC-PLUS-xxx.zip       = License, Plus level
FC2-10-FNAC0-xxx.zip        = Support & Maintenance for Plus Licenses
FCx-10-FNAC1-213-xx-xx.zip  = Support & Maintenance for Plus Licenses (Subscription)
LIC-FNAC-PRO-xxx.zip        = License, Pro level
FC3-10-FNAC0-xxx.zip        = Support & Maintenance for Pro Licenses
FCx-10-FNAC1-209-xx-xx.zip  = Support & Maintenance for Pro Licenses (Subscription)
FP-10-PS-801-01-01.zip      = Professional Service Days

Within the zip files are one or more PDFs which contain the Registration Code.

Example A: registration PDF for a CAVM. Example B: registration PDF for the CAVM support contract.

Before You Begin


Create Folders for Each Appliance
If registering more than two appliances, it may be beneficial to save the attached PDFs to separate
folders (one folder per appliance) in order to keep them organized. A Registration Code cannot be
used more than once.

Example: Registering 2 Control Managers (FNC-M-VM, to be configured for High Availability)
and 4 Control/Application Servers (CAVM).

Organize folders in the following manner:

Manager Primary
Manager Secondary
CAVM 1
CAVM 2
CAVM 3
CAVM 4

Determine the “Managing” Server
The Endpoint License Key is installed on the “managing” server. The remaining servers in
multiple appliance deployments are installed with an Appliance (Base) License Key. Use the chart
below to determine which product requires the Endpoint License Key.

For more information on how licenses are distributed for each system configuration, see section
License Distribution in the Appendix.

Endpoint License Key

Deployment Configuration                           Managing Server            Part Number
Standalone                                         CA Server                  FNC-CA-VM
Standalone with High Availability (HA)             Primary CA Server          FNC-CA-VM
Multiple Independent Standalones                   Each CA Server             FNC-CA-VM
Multiple Independent with High Availability (HA)   Each Primary CA Server     FNC-CA-VM
Distributed                                        Control Manager            FNC-M-VM
Distributed with High Availability (HA)            Primary Control Manager    FNC-M-VM

In this example, Manager Primary is the “Managing” server.

Organize PDF Files in Appliance Folders


Save the following PDFs to the Managing server’s folder (Manager Primary):

• 1 Appliance
• 1 Appliance Maintenance Contract
• 1 Endpoint License
• License Support Contracts (there may be more than one)

For the remaining folders, ensure one of each file is saved per folder:

• 1 Appliance
• 1 Appliance Maintenance Contract

Procedure Overview
Note: It is recommended that all PDF files to be used to register a product are opened at once.

Step 1: Register Managing Appliance


Step 2: Register appliance Support Contract and associate to appliance
Step 3: Register Licenses
Step 4: Register License Support Contract and associate to appliance that will have the Licenses
installed
Step 5: Register Remaining Appliances

Open all PDF files in the managing appliance folder and proceed to Register Managing Appliance.

Register the Managing Server
1. Log in to the Customer Portal at https://support.fortinet.com/

2. Click Register Product.

3. Enter the registration code from the PDF found in file FNC-CA-VM_xxx
   (or, if there is a Manager, FNC-M-VM-xxx).

4. Click Next.

This page may appear if there was a POC or active evaluation license.
If you are converting your POC to production, select Convert Evaluation.
If you are not converting your POC to production, select Register.

5. Enter “Managing Server” under Product Description (this can be edited later)

6. Select Fortinet Partner (ignore all other fields).

7. Click Next.

8. Read terms and conditions.

9. Click on radio button.

10. Click Next.

Note: “No Entitlement” will display. This is correct.

11. Click on radio button to accept.

12. Click Confirm.

CAVM product registration is now complete.

13. Note the Serial Number (will be used to register the appliance support contract).

14. Proceed to register the support contract for the appliance. Click Register More.

Register Support Contract for Appliance
1. Enter registration code found on pdf from file FC-10-NCVCA_xxx
(file for Manager VM support is FC-10-NCVM_xxx).

2. Click Next.

3. Associate the support contract with the appropriate CAVM Serial Number noted in the
   previous step.

   • If only one CAVM is registered, there will be only one choice; select that radio button.
   • If more than one CAVM is registered, select the appropriate CAVM.

   Selecting the radio button auto-completes the Serial Number field.

4. Click Next.

5. Click on radio button in the lower left corner.

6. Click Confirm.

Support contract registration is now complete and applied to the CAVM.

7. Next step: Register the License. Click Register More.

Register Licenses
1. Enter registration code from the pdf found in the appropriate License file:
 LIC-FNAC-BASE-100_xxx
 LIC-FNAC-PLUS-100_xxx
 LIC-FNAC-PRO-100_xxx

2. Click on Next.

3. Associate the License with the Primary or Control server CAVM.

   • If only one CAVM is registered, there will be only one choice; select that radio
     button.
   • If more than one CAVM is registered, select the appropriate CAVM (Primary/Control
     server).

Important: DO NOT license the secondary server. The secondary server (high availability)
will obtain its license from the Primary. This will occur during Professional Services Session
One.

4. Click Next.

License registration is complete.

5. Next step: Register the support contract for the License. Click Register More.

Register Support Contract for License
1. Enter the registration code from the PDF found in the appropriate License Support file:
   • FC1-10-FNAC0-240_xxx (support for Base license)
   • FC2-10-FNAC0-240_xxx (support for Plus license)
   • FC3-10-FNAC0-240_xxx (support for Pro license)

2. Click Next.

3. Associate the License Support contract to the same serial number as the License (in
previous step).

4. Click Next.

5. Click on radio button in lower left corner.

6. Click Confirm.

Registration of the License support contract is complete.

The page will display the products and support contracts registered.

7. Close the PDF files used in the previous steps.

8. If there are additional CAVMs to register (and its support contracts), click on Register
More. Otherwise, click Done.

Register Remaining Appliances


1. Open the folder for the next appliance to be registered.

2. Open the 2 PDF files

3. Register the appliance

a. Click Register Product.

b. Enter registration code from the pdf found in file FNC-CA-VM_xxx

(or if there is a Manager FNC-M-VM.xxx).

c. Click Next.

d. If there was a POC or active evaluation license, a special page may display. If you
are converting your POC to production, select Convert Evaluation. If you not
converting your POC to production, select Register.

e. Enter the hostname or some other identifiable description under Product Description
(this can be edited later)

f. Select Fortinet Partner (ignore all other fields).

g. Click Next.

h. Read terms and conditions.

i. Click on radio button.

j. Click Next.

Note: “No Entitlement” will display. This is correct.

k. Click on radio button to accept.

l. Click Confirm.

CAVM product registration is now complete.

m. Note the Serial Number (will be used to register the appliance support contract).

n. Proceed to register the support contract for the appliance. Click Register More.

4. Register Support Contract for Appliance

a. Enter registration code found on pdf from file FC-10-NCVCA_xxx

(file for Manager VM support is FC-10-NCVM_xxx).

b. Click Next.

c. Associate the support contract to the appropriate CAVM Serial Number noted in
previous step.

d. If only one CAVM is registered, there will be only one choice; select that radio button.

e. If more than one CAVM products are registered, select the appropriate CAVM.

f. Click Next.

g. Click on radio button in the lower left corner.

h. Click Confirm.

i. Support contract registration is now complete and applied to the CAVM.

j. Close the PDF files used in the previous steps.

5. If there are additional CAVMs to register (with their support contracts), click Register
More. Otherwise, click Done.

* DO NOT REGISTER THE PROFESSIONAL SERVICES CONTRACTS *

Important: If a file for Professional Services (FP-10-PS-801-01-01.zip) was included in the email,
do not attempt to register. These are ONLY to be registered one at a time and on the day of the
Professional Services session. One contract is like an “admission ticket” to the Professional
Services session.

End result:
Once product registrations are complete, the summary page lists every appliance, support
contract and license registered.

If assistance is needed with registering devices, contact Fortinet Customer Service.

Build Virtual Machines
Download the Virtual Machine
After registering the products, download the appropriate .ova image.

Note: Both FortiNAC CA and Manager use the same image. The product type is defined by the
license key installed.

1. In the Customer Portal, navigate to Support > Downloads

2. Click VM Images

3. From drop down list, click Other and then click on here.

4. From drop down list, select FortiNAC.

5. Select the Download Tab to reveal the available versions. Please select the version as
recommended by Fortinet or Program Manager.

Note: The suggested version may be the GA version and not the newest version.

Import Virtual Machine
Note: The Virtual Machine instructions were written for ESX Server 4.0 and vSphere
Client 4.0. On other versions, some steps may differ or may not be necessary.

1. Start vSphere Client and log into VCenter.


2. Select Hosts and Clusters.
3. In VCenter click File > Deploy OVF Template.
4. On the Deploy OVF Template window select Deploy from file.
5. Browse to the folder where you saved the VM file, select the file with the .ova
   extension and click Open.
6. Click Next. Some versions of VMware allow you to choose either a “Thick” or a
   “Thin” provisioned drive. If this option is available, select one of the Thick
   options; Thick provides faster data access than Thin, although either will work.
7. Click Next until you reach the Name and Location window.
8. Enter a unique name for this VM in the Name field.
9. Make sure that the appropriate Data Center is selected in the Inventory Location
section and click Next.
10. On the Host / Cluster window select the Cluster where this VM will reside and click
Next.
11. On the Specify a Specific Host window, choose a Host for this VM and click Next.
12. On the Datastore window, choose a datastore for this VM and click Next.
13. On the Network Mapping window, you must map the network contained within the
VM template to a network at your facility. Click Destination Networks to display a
drop-down list of possible networks. Click Next.
14. The Ready to Complete window is displayed with a summary of all of your selections.
Review the summary. If anything is incorrect, use the Back button to go back to the
appropriate screen and make changes. Click Finish.

Note: This process will take several minutes due to the size of the VM.

Note: Importing the .ova into a vCenter/ESX environment running version 5.5.0 or earlier can
trigger the following warning dialog in vCenter. This warning can be ignored.

Warning
The OVF package is valid but consider the following warnings.
Line XX: Unable to parse 'use3dRenderer' for attribute 'key' on element 'Config'
Line XX: Unable to parse 'slotInfo.pciSlotNumber' for attribute 'key' on element 'Config'
...
Line XX: Unable to parse 'nestedHVEnabled' for attribute 'key' on element 'Config'

Clone the Virtual Machines
Each appliance requires its own Virtual Machine and its own license. If multiple appliances
were purchased, follow the instructions below to clone as many VMs as required.

1. Start vSphere Client and log into VCenter.


2. Select Hosts and Clusters.
3. Open the Data Center and the appropriate Cluster. Select the Host where the
imported VM resides.
4. Right-click on the VM imported in the previous section and select Clone from the
menu.
5. The Clone Virtual Machine wizard displays.
6. On the Name and Location window click in the Name field and enter a
unique name for this VM.
You may want to include the server type in the name to assist Customer Support if
you should have a problem. For example, if this VM will be used as a FortiNAC
Control Server, include Control Server in the name (e.g.
Megatech Control Server 1).
7. Make sure that the appropriate Data Center is selected in the Inventory
Location section and click Next.
8. On the Host / Cluster window select the Cluster where this VM will reside and
click Next.
9. On the Specify a Specific Host window, choose a Host for this VM and click
Next.
10. On the Datastore window, choose a datastore for this VM and click Next.
11. On the Disk Format window select Same format as source and click Next.
12. Guest Customization is not required. Click Next.
13. The Ready to Complete window is displayed with a summary of all of your
selections. Review the summary. If anything is incorrect, use the Back button to go
back to the appropriate screen and make changes. Click Finish.
Note: This process will take several minutes due to the size of the VM.

Edit Settings
The following describes the procedures for editing Virtual Machine settings.

Note: Instructions for the Virtual Machine were written based on ESX Server V4.0 and vSphere
Client V4.0. If you are using a different version, some steps may not be necessary.

1. Start vSphere Client and log into VCenter.


2. Select View > Inventory > Hosts and Clusters.
3. Open the Data Center and the appropriate Cluster. Select the Host where the
FortiNAC VM resides.
4. Right-click on the VM and select Edit Settings from the menu.
5. Click on the Hardware tab to select it.

6. On the Hardware list, click Memory and modify the Memory Size field if
necessary. See the Requirements section to determine the setting required.
7. On the Hardware list, click CPUs and modify the Number of virtual processors
field. See the Requirements section to determine the setting required.
8. Click Network Adapter 1 and select a VLAN or Network from the Network label
drop-down. Network Adapter 1 represents eth0 or the management interface for the
FortiNAC configuration. Select the Network that contains the IP address you will use
for eth0. Important: Ensure MAC address is set to static.

9. Click Network Adapter 2 and select a VLAN or Network from the Network label
drop-down. Network Adapter 2 represents eth1 or the isolation interface for the
FortiNAC configuration. Select the Network that contains your DHCP IP addresses.
This network will be used for Isolation. Important: Ensure MAC address is set to
static.
Note: In a Layer 2 environment, isolation VLANs are tagged on the eth1 interface
(Network Adapter 2). To carry all tagged VLANs over a single interface you must create
a port group with VLAN ID 4095 in VMware ESX; in ESX this is known as Virtual
Guest Tagging (VGT).
10. If additional hard drive space is needed, follow the directions in section Increase
the Hard Drive Size. Refer to the table of hard drive default sizes in the
Requirements section.
11. Click OK to save the new VM settings.

Set the IP Address for eth0


FortiNAC is configured by accessing the Configuration Wizard using the IP address of eth0.
Eth0 is the management interface for FortiNAC. Follow the instructions below to set the IP
address for eth0.

1. Make sure the FortiNAC virtual machine is running and the console is displayed.

2. Log in to the FortiNAC CLI with the factory default credentials:

   User name = admin
   Password = admin

   Change this default password as soon as the appliance is reachable on the network; a
   VM left with the shipped credentials can be taken over by anyone who can reach it.

3. Select the IP address to use as the management IP for the FortiNAC VM.
   To set the IP address and default gateway, type:

   sudo configIP <ip addr> <mask> <default gateway>

   Example:

   sudo configIP 192.168.5.244 255.255.255.0 192.168.5.1

   The system pauses for several seconds while the interfaces are reset.

4. To confirm that the IP address for eth0 has been set correctly, type:

   ip addr show

Record UUID and eth0 MAC Address
Document the eth0 MAC address and UUID for keying purposes.

1. View the UUID by typing either

   sysinfo -v | grep -i uuid

   or

   sudo dmidecode | grep UUID

2. View the MAC address by typing

   ifconfig eth0

Once all the required Virtual Machines have been built, addressed, and the information (MAC and
UUID) collected, proceed to the next section (Generate and Download License Keys).
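The two steps above (set the management address with configIP, then record the eth0 MAC address and UUID that the license key is bound to, as the Adapters section warns) can be checked from the appliance shell. The following script is an added example and is not part of the Fortinet guide or of the FortiNAC software: it parses the `ip` output the steps tell you to inspect, reads the MAC address and UUID from standard Linux locations (sysfs, with `ip link` and `dmidecode` as fallbacks), and compares them with a pair recorded earlier so that a key mismatch is caught before the management processes refuse to start. The record format `mac=... uuid=...`, the script name and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Post-build check for a FortiNAC VM (added example, not Fortinet's code).
# 1. Confirm eth0 carries the address and default gateway set with configIP.
# 2. Collect the eth0 MAC address and system UUID the license key is generated from,
#    validate their format, and compare them with the pair recorded at keying time.
# Assumptions: standard Linux `ip` output and /sys paths; the one-line record format
# "mac=<mac> uuid=<uuid>" is this script's own convention, not a FortiNAC format.

# Lower-case a MAC and accept "-" as well as ":" separators, so a value copied from
# vSphere ("00-50-56-AB-CD-EF") compares equal to what the guest reports.
normalize_mac() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr '-' ':'
}

# Lower-case a UUID: dmidecode prints upper case, sysfs prints lower case.
normalize_uuid() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# --- parsers over `ip` output (text is passed in so they can be run on a capture) ---

# "inet 192.168.5.244/24 brd ..." -> 192.168.5.244/24 (first IPv4 address only)
ipv4_from_addr_output() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# "link/ether 00:50:56:ab:cd:ef brd ..." -> 00:50:56:ab:cd:ef
mac_from_link_output() {
    printf '%s\n' "$1" | awk '$1 == "link/ether" { print $2; exit }'
}

# "default via 192.168.5.1 dev eth0 ..." -> 192.168.5.1
gateway_from_route_output() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Verify the addressing configIP should have produced. Arguments: expected address in
# CIDR form, expected gateway, `ip -4 addr show eth0` text, `ip route show default` text.
check_eth0_addressing() {
    rc=0
    if [ "$(ipv4_from_addr_output "$3")" != "$1" ]; then
        echo "eth0 address is '$(ipv4_from_addr_output "$3")', expected '$1'" >&2; rc=1
    fi
    if [ "$(gateway_from_route_output "$4")" != "$2" ]; then
        echo "default gateway is '$(gateway_from_route_output "$4")', expected '$2'" >&2; rc=1
    fi
    return $rc
}

# --- live readers (root may be needed for the UUID; dmidecode is the guide's command) ---
read_eth0_mac() {
    if [ -r /sys/class/net/eth0/address ]; then cat /sys/class/net/eth0/address
    else mac_from_link_output "$(ip link show eth0)"; fi
}

read_system_uuid() {
    if [ -r /sys/class/dmi/id/product_uuid ]; then cat /sys/class/dmi/id/product_uuid
    else sudo dmidecode -s system-uuid; fi
}

# Format and parse the record written at keying time (assumed format, see above).
record_line() { printf 'mac=%s uuid=%s\n' "$(normalize_mac "$1")" "$(normalize_uuid "$2")"; }
field_from_record() { printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"; }

# Compare recorded and current values. Returns 0 only if both match: the key generated
# from the recorded pair stays valid only while both are unchanged.
check_binding() {
    rec_mac=$(normalize_mac "$1"); rec_uuid=$(normalize_uuid "$2")
    cur_mac=$(normalize_mac "$3"); cur_uuid=$(normalize_uuid "$4")
    rc=0
    valid_mac "$cur_mac"   || { echo "current MAC '$cur_mac' is malformed" >&2; rc=1; }
    valid_uuid "$cur_uuid" || { echo "current UUID '$cur_uuid' is malformed" >&2; rc=1; }
    [ "$rec_mac" = "$cur_mac" ]   || { echo "eth0 MAC changed: recorded $rec_mac, now $cur_mac" >&2; rc=1; }
    [ "$rec_uuid" = "$cur_uuid" ] || { echo "UUID changed: recorded $rec_uuid, now $cur_uuid" >&2; rc=1; }
    return $rc
}

# Usage on the appliance:  sh fnac-check.sh record > keying.txt
#                          sh fnac-check.sh check keying.txt 192.168.5.244/24 192.168.5.1
case "${1:-}" in
    record) record_line "$(read_eth0_mac)" "$(read_system_uuid)" ;;
    check)
        rec=$(cat "$2")
        check_eth0_addressing "$3" "$4" "$(ip -4 addr show eth0)" "$(ip route show default)"
        check_binding "$(field_from_record mac "$rec")" "$(field_from_record uuid "$rec")" \
                      "$(read_eth0_mac)" "$(read_system_uuid)"
        ;;
esac
```

Run the `record` form right after the IP is set and keep the output with the appliance's PDF folder next to the .lic file; after any change to Network Adapter 1, or on a clone, the `check` form reports exactly which of the two bound values moved. Read the UUID on the appliance, as the guide does, rather than copying it from the vSphere inventory: the two can present the first three groups of the UUID in a different byte order, and the value the key must match is the one the guest reports.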

Generate and Download License Keys
Update the product records with host name, UUID and eth0 MAC address information for each
appliance in order to generate key files to be applied to the VMs.

Managing Server

1. Log in to the Customer Portal.

2. Under products, click the serial number for the appliance with description “Managing
Server”.

3. Update the record with the appliance eth0 MAC Address and UUID. Click the pencil icon.

4. Enter the following:

 Description (Update with host name of server and other desired description content)

 Eth0 MAC Address

 UUID

Note: Once MAC address is entered and saved, it cannot be changed online. If assistance is
needed with registering devices or changing existing MAC address entries, contact Fortinet
Customer Service.

5. Click Save.

The summary page updates with the link "Get The License File".
Important: Customers with new appliances should select the FortiNAC License File.

6. Click Get the License File.

If a Control Manager is registered, this screen may appear.

7. Click the radio button for the serial number of the Control Manager that will be managing
this appliance (select Primary Control Manager if Managers are configured for High
Availability).

8. Click Download License Key File.

9. The .lic filename will reflect the appliance serial number.

10. Once the file is downloaded, click Close.

11. Save the .lic file to the appliance folder.

Remaining Servers
Repeat the previous steps to update each appliance record and download the key, saving each key
file to their appropriate folder.

Note: Once the MAC address and UUID are entered and saved, they cannot be changed online. If
assistance is needed with registering devices or changing existing MAC address entries, contact
Fortinet Customer Service.

Proceed to the FortiNAC Deployment Guide to complete deployment.

Appendix
Control/Application VM Server Pair Resource Sizing
Note: The Control/Application Server pair is no longer available for purchase. For a current list of
available products, visit https://www.fortinet.com/products/network-access-control.html#models-specs.

SKU                   Type                                            Memory   vCPU*   Default Drive Size
FNC-C-VM / FNC-A-VM   FortiNAC High Performance Control/Application   12GB     6       100 GB
                      Server pair
FNC-C-VM / FNC-A-VM   Ultra High Performance Control/Application      64GB     14      100 GB
                      Server pair

*The values in the vCPU column are only guidelines. Individual environments may vary.

Appliance Operating System


Virtual appliance licenses for operating system, database and other FortiNAC services
included in the virtual package (VMware/Hyper-V) are supported until the operating
system is end of life.
FortiNAC currently ships with the CentOS 7 Linux operating system. Fortinet relies on the
CentOS organization to publish periodic bug fixes and security updates for the CentOS
Distribution.
Effective June 30 2024, CentOS will no longer provide updates for CentOS 7. Any
vulnerabilities found with CentOS 7 after June 30th will not be addressed. Software
releases will continue to be supported on CentOS 7 through December 31 2026.

Virtual Machine Backup Considerations
FortiNAC has features that allow you to back up the database to a remote server. Using
FortiNAC's built-in backup features is recommended. Refer to the FortiNAC help for
information on Remote Backup.
Most servers that host virtual machines also have an option to create a copy or a snapshot
of an existing virtual machine. This is another good option for periodically backing up your
FortiNAC virtual machine. However, this may be a manual process.

Some customers choose to use automated backup software that backs up the entire virtual
machine. Because FortiNAC runs continuously, these types of automated backups can cause
problems with the FortiNAC virtual machine, including causing it to stop running. This
section outlines potential problems and possible solutions.
Automated backup software runs on the physical hardware that contains the virtual
machine, not inside the virtual machine. This type of backup software may attempt to force
the target virtual machine to flush everything being written to the disk drives to produce a
more reliable and consistent backup. However, this interference with the software
contained within the virtual machine can cause that software to stop running. Below are
some suggestions to assist in selecting and configuring backup software.
 FortiNAC runs on a CentOS platform, therefore backup software that supports
Linux and specifically CentOS is recommended. Refer to the backup software
documentation to determine how to configure backups for CentOS based virtual
machines.
 Verify with the manufacturer that your backup software has been installed and
configured correctly.
 Choose a time of day to run the backup when FortiNAC has the least amount of
traffic.
 Many backup software packages have an option to "quiesce the virtual machine's
hard drives". Set this parameter to false or disabled. When this parameter is
enabled, the backup is more reliable but could cause the virtual machine to shut
down. When this parameter is disabled, some amount of data may not make it into
the backup because it has not been written to the drive yet, but the virtual machine
should continue to run.

Increase the Hard Drive Size

Logical Volume Management provides a flexible method of allocating disk space. Logical
volumes combine partitions into physical volumes and volume groups that can be resized or moved
with minimal or no system interruption.
The following instructions describe how to:
 Verify available disk space, Physical Volumes, Partitions, Volume Groups, and
Logical Volumes.
 Create a Primary Partition for expanded space.
 Create a Physical Volume for the new partition.
 Add the Physical Volume to the Volume Group.
 Expand the size of the Logical Volume that contains the Volume Group.
 Verify that the size of the Logical Volume increased.

Logical Volume Manager Virtual Object Construction

FortiNAC firmware versions prior to 6.0.5 were configured with a default Disk Size of 50
GB and FortiNAC/Reporting/Analytics was configured with a default size of 300 GB. Refer
to Default Hard Drive Sizes.

The following steps show how to increase the virtual FortiNAC hard drive for VMware from
50 GB to 100 GB, but any size greater than the default can be used.
From the console of vSphere:
1. Power off the VM whose disk space is to be increased.
2. Remove all snapshots.
Note: You cannot have snapshots if you need to increase the hard drive size in vSphere.

3. Back up or make a copy of the guest OS.

4. In the Hardware tab of the VM Settings, change the size of the hard drive. In this
example, set the new hard drive size to 100 GB.
5. Reboot the virtual appliance.

Once the system has booted, log into the system as root via ssh or a console window.
1. Shut down the FortiNAC processes. For FortiNAC, type
shutdownCampusMgr

For FortiNAC/Reporting/Analytics, type
service bsc-wildfly stop

2. Using the following commands, check the disk space, physical volumes,
partitions, volume groups and logical volumes being used.

Check Disk Space

Type df -lh
In this example, /dev/mapper/centos-root is the file system that has the available disk space.

Check Physical Volumes

Type pvs
In this example, the Physical Volume /dev/sda2 is part of the centos Volume Group.

Check Partition

Type fdisk -l -u /dev/sda
In this example, there are two partitions: /dev/sda1 and /dev/sda2.

Check Volume Groups

Type vgdisplay
In this example, the VG Name is centos and the VG Size is 49.51 GiB.

Check Logical Volumes

Type lvdisplay
In this example, see that the LV Name is root and the LV size is 44.47 GiB.

3. Create a Primary Partition for the newly allocated space with a type 8e
(Logical Volume) and write the new partition table.
Type fdisk /dev/sda
In this example, the Partition will be /dev/sda3 of type 8e.
Please refer to the values that correspond with the comments in italics.

4. Reboot the VM.
Type reboot

5. Verify the new partition was added.

Type fdisk -l -u
In this example, /dev/sda3 was added with type 8e.

6. Create a new Physical Volume for the new space that was added.
Type pvcreate /dev/sda3
In this example, Physical Volume /dev/sda3 was created.

7. List the Volume Groups available.

Type vgdisplay
In this example, the VG Name is centos and the VG Size is still 49.51 GiB.

8. Extend the Volume Group by adding the Physical Volume that was created in
Step 6 (/dev/sda3) to the Volume Group (centos).
Type vgextend centos /dev/sda3

9. Display how much free space is available in the Volume Group now that the new
Physical Volume is added.
Type vgdisplay centos
In this example, 50.04 GiB is free, so use 50 in the next step.

10. Display and verify the name of the Logical Volume path we want to extend.
Type lvdisplay
In this example, see that /dev/centos/root is the Logical Volume path.

11. Extend the Logical Volume by adding the free space of the Volume Group.
Type lvextend -L+50G /dev/centos/root
In this example, the previous step determined that 50 GB is free, so use
-L+50G for /dev/centos/root.

12. Verify that the Logical Volume grew in size.

Type lvdisplay
In this example, see that the LV Name /dev/centos/root and LV Size is now
94.47 GiB (in Step 2, the LV size was 44.47).

13. Resize the CentOS 7 file system.

Type xfs_growfs /dev/centos/root
In this example, the extended Logical Volume is /dev/centos/root, the same device that df
lists as /dev/mapper/centos-root.

14. Verify that the operating system recognizes the additional space.
Type df -lh
In this example, /dev/mapper/centos-root now shows 95G.

Procedure is complete.
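The script below is an added example, not from the FortiNAC guide. It wraps steps 5 to 14 above with a preflight check on the partition type and a dry-run mode, and hands the Logical Volume all free extents with `-l +100%FREE` instead of retyping the GiB figure from vgdisplay. It assumes the new partition is /dev/sda3 with type 8e (steps 3 and 4 done and the VM rebooted), the Volume Group is centos, and the root Logical Volume /dev/centos/root is XFS.

```shell
#!/bin/sh
# Added example, not from the FortiNAC guide: drives steps 5 to 14 above as one
# script with a preflight check and a dry-run mode. Assumptions: the new
# partition is /dev/sda3 with type 8e (steps 3 and 4 done, VM rebooted), the
# Volume Group is "centos", the root Logical Volume /dev/centos/root is XFS.
# Run as root on the appliance; set APPLY=1 to execute, otherwise the
# commands that change the disk are only printed.

PART="${PART:-/dev/sda3}"
VG="${VG:-centos}"
LV="${LV:-/dev/centos/root}"

# Step 5: does "fdisk -l -u" output (stdin) list $1 with partition type id 8e?
part_is_lvm() {
    awk -v p="$1" '$1 == p { for (i = 2; i <= NF; i++) if ($i == "8e") ok = 1 }
                   END { exit ok ? 0 : 1 }'
}

# "LV Size 94.47 GiB" in lvdisplay output (stdin) -> 94.47
lv_size_gib() {
    awk '/LV Size/ && $NF == "GiB" { print $(NF - 1); exit }'
}

# "Free  PE / Size  12810 / 50.04 GiB" in vgdisplay output (stdin) -> 50.04
vg_free_gib() {
    awk '/Free.*PE.*Size/ && $NF == "GiB" { print $(NF - 1); exit }'
}

# Execute when APPLY=1, otherwise print the command with a "+" prefix.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "+ $*"; fi
}

# Steps 6 to 13. "-l +100%FREE" hands the LV all free extents, so the GiB
# figure from vgdisplay (step 9) does not have to be read off and retyped.
expand_root_lv() {
    run pvcreate "$PART"
    run vgextend "$VG" "$PART"
    run lvextend -l +100%FREE "$LV"
    run xfs_growfs "$LV"
}

main() {
    run shutdownCampusMgr                         # step 1
    fdisk -l -u | part_is_lvm "$PART" || { echo "$PART is not type 8e" >&2; exit 1; }
    before=$(lvdisplay "$LV" | lv_size_gib)
    expand_root_lv
    echo "LV size before: ${before} GiB, after: $(lvdisplay "$LV" | lv_size_gib) GiB"
    echo "free in $VG now: $(vgdisplay "$VG" | vg_free_gib) GiB"
    df -lh "$LV"                                  # step 14
}

if [ "${RUN_EXPANSION:-0}" = "1" ]; then main; fi
```

Run it once with RUN_EXPANSION=1 and APPLY unset to review the printed plan, then again with APPLY=1 to apply it.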

Configure Time Settings for Host
The server that hosts your VM should have a Time Configuration entered to ensure that it
synchronizes its internal clock and calendar with an NTP server. It is important that the time be
correct or you may experience problems with your certificates or with agent server
communications.

Note: If your FortiNAC VM is already up and running, make sure to stop and restart the VM after
you are done with the time configuration.

1. Log in to vCenter.
2. Select View > Inventory > Hosts and Clusters.
3. In the tree on the left select the Host or machine that is hosting your FortiNAC
VM. This may display simply as an IP address.
4. In the right-hand pane select the Configuration tab.

5. In the Software section click on Time Configuration. The current
configuration is displayed. If there is no NTP server displayed, you must
configure one.
6. At the top of the Time Configuration option, click Properties.

Time Configuration Properties

7. In the Time Configuration Properties window click the Options button.


8. On the Options window, select General. Start and Stop with host should be
selected by default.

Time Configuration Options - General

9. Click NTP Settings on the left.

Time Configuration Options - NTP Settings

10. On the NTP Settings window click the Add button. In the Add dialog enter the
address of the NTP server that should be used for time synchronization, such as
pool.ntp.org, and click OK.
11. Below the list of NTP servers check the Restart NTP service to apply
changes check box. Click OK to save your changes.
12. In the vCenter tree on the left, right-click on the FortiNAC VM and select
Edit Settings.
13. On the Properties window select the Options tab.
14. From the list of options select VMware Tools.
15. In the panel on the right under Advanced, enable the Synchronize guest
time with host option and click OK.

Virtual Machine Properties (Settings)

License Distribution in Multiple Appliance Deployments
This section describes how a license pool’s license type and endpoint quantity are shared among
appliances in a multiple appliance deployment.

Standalone in High Availability

The Endpoint License Key is installed on the Primary Server. When the High Availability
configuration is performed, the Primary Server updates the Secondary Server.

Diagram: Primary Server (Endpoint License Key) passes the Base, Plus or Pro License and the
X Concurrent Endpoint Licenses to the Secondary Server (Appliance (Base) License Key).

Multiple Independent Standalones in High Availability

Same as above for each High Availability pair.

Distributed
 Endpoint License Key is installed on the Manager. CA’s are updated by the Manager as
they are added to the Server List in the Dashboard panel.
 Manager removes license and endpoint quantity from CA’s as they are removed from the
Server List.

Diagram: Manager (Endpoint License Key) passes the Base, Plus or Pro License and the
X Concurrent Endpoint Licenses to each CA (Appliance (Base) License Key).

Distributed in High Availability
 Endpoint License Key is installed on the Manager. CA’s not in HA pair and Primary
Servers are updated as they are added to the Server List in the Dashboard panel.
 Manager updates Secondary Servers once a failover is executed after the
corresponding Primary Server has been added.
 Manager removes license and endpoint quantity from CA’s not in HA pair and Primary
Servers as they are removed from the Server List.

Diagram: Primary Manager (Endpoint License Key) with Secondary Manager (Appliance (Base)
License Key). The Manager passes the Base, Plus or Pro License and the X Concurrent endpoint
licenses to each CA not in an HA pair (Appliance (Base) License Key) and to each Primary Server
(Appliance (Base) License Key); each Primary Server is paired with a Secondary Server
(Appliance (Base) License Key).

Change the MySQL UUID file of Cloned VMs
If a VM was cloned for use as the secondary in a High Availability configuration, the cloned
UUID file used by MySQL can cause problems with MySQL replication between Primary
and Secondary servers.
1. Review contents of the cloned UUID file (auto.cnf) on both original and cloned VMs. Log
into the CLI using the root user and default password and type
cd /var/lib/mysql/
cat auto.cnf

2. Example
> cat auto.cnf
[auto]
server-uuid=ba26cab0-e9f8-11e9-988c-00505698d1c3

3. If UUID value of the cloned VM = value in original VM, remove the auto.cnf file of the
cloned VM. In the cloned VM CLI type
cd /var/lib/mysql/
rm auto.cnf

4. Restart MySQL in the cloned VM to create a new and unique auto.cnf file. Type
service mysqld restart

5. Review the new UUID value
sysinfo -v | grep -i UUID

6. Compare with the UUID used by the license key.
licensetool

7. If the UUID values are different, contact Customer Service to update the UUID for the
appliance and download a new key file. FortiNAC processes will not start if the UUID in
the license key does not match. For instructions, see section Change Existing MAC
Address and UUID Information of the License Upgrade Guide in the Documentation
Library.
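An added example, not from the FortiNAC guide, that checks for the clash described in steps 1 to 4 before High Availability is configured: it compares the MySQL server-uuid of the original VM with that of the clone and regenerates auto.cnf on the clone only when the two are identical. It assumes it is run on the original VM, that the clone is reachable over ssh as root at the address passed as the first argument, and that the CentOS 7 service command manages mysqld on the clone.

```shell
#!/bin/sh
# Added example, not from the FortiNAC guide: checks whether the cloned VM
# shares the original VM's MySQL server-uuid and, only in that case, carries
# out steps 3 and 4 above on the clone. Assumptions: run on the original VM,
# the clone is reachable over ssh as root at the address given in $1, and the
# CentOS 7 "service" command manages mysqld on the clone.

AUTO_CNF=/var/lib/mysql/auto.cnf

# server-uuid value from auto.cnf text on stdin (the "[auto]" line is ignored).
server_uuid() {
    awk -F= '$1 == "server-uuid" { print $2; exit }'
}

# True when both auto.cnf contents carry the same server-uuid, which is the
# condition that breaks replication between Primary and Secondary.
uuid_clash() {
    a=$(printf '%s\n' "$1" | server_uuid)
    b=$(printf '%s\n' "$2" | server_uuid)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Steps 3 and 4 on the clone: remove auto.cnf and restart MySQL so it creates
# a new, unique one; print the new server-uuid.
regenerate_clone_uuid() {
    ssh "root@$1" "rm $AUTO_CNF && service mysqld restart && cat $AUTO_CNF" | server_uuid
}

check_and_fix() {
    here=$(cat "$AUTO_CNF")
    there=$(ssh "root@$1" cat "$AUTO_CNF")
    if uuid_clash "$here" "$there"; then
        echo "clone $1 shares server-uuid $(printf '%s\n' "$here" | server_uuid), regenerating"
        echo "new clone server-uuid: $(regenerate_clone_uuid "$1")"
    else
        echo "server-uuids already differ, nothing to do"
    fi
}

# Usage: ./check_clone_uuid.sh <clone address>
case "${1:-}" in "") ;; *) check_and_fix "$1" ;; esac
```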

Once the above steps are completed, High Availability can be configured. For instructions, see
High Availability in the Documentation Library.

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other
jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except
to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-
identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such
warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto,
whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
