FortiNAC v9.2 Getting Started Guide Partner
POC
A Guide to POC Success

FortiNAC Proof Of Concept – Table of Contents

Before You Begin
• Success Criteria Template
• Important Notes
• More Notes
• Reference Guides & Videos

VM Appliance Installation
• v9.X Internet Access
• Azure Notes
• VM Download
• Import to Hypervisor
• VMware Notes
• Configure FortiNAC Management IP
• Initial Login
• Setup Wizard
• Register License
• Registration Of Your Appliance
• Get the License File
• Import License File
• Create Credentials
• Change CLI Credentials?
• Customer Tasks
• Test CLI root Access
• Basic Network Test
• Skip to Summary
• Reboot
• GUI Access
• LDAP 1, LDAP 2 & LDAP Test
• Add System Admins
• Email Settings
• Admin Time-out
• System Settings
• Update Firmware
• Backups

Visibility - Network Inventory
• Uplink Threshold
• Network Inventory & Containers
• Add NW Device Manually
• NW Discovery
• Results & Ports tab
• Other tabs
• Polling for IP
• Adapters view
• Visibility Tips
• Endpoint Fingerprints
• Service Connectors

Basic Device Profiling Rules
• Basics
• How to Start
• Example - TV
• Test it
• Run it
• Methods
• Tools
• Filters for Hosts/Adapters

SNMP
• SNMP Examples
• Cisco SNMPv3 Auth
• Cisco SNMPv3 AuthPriv
• Cisco SNMPv3 Example
• Cisco SNMP Traps
• Fortigate SNMPv3 Auth-Privacy
• Meraki Switch SNMPv3 Auth-Privacy
• Cisco ASA ASDM & CLI SNMPv3
• Cisco WLC SNMPv3
• Aruba IAP SNMPv3
• HP ProCurve CLI SNMPv3
• HP ProCurve CLI SNMPv3 Traps

EXTRAS
• Using your company's DHCP Server for Isolation Networks
• Social Media For Captive Portal
• Device Profiling Example – OT Environment
• RADIUS Server Initial Config
• RADIUS for FortiSwitch Ports
• FortiOS6 Syslog Parser
• Fortigate Security Fabric Integration
• L3 Isolation Reference Design
• FortiNAC VM/Appliance Isolation Reference Example
• Additional Reference Material
• Wireless Integrations
  • FortiAP w/Fortigate Controller (MAB)
  • Meraki iPSK Integration

Other Sections
• Fortigate Details
  • Interface Prep
  • SNMP
  • Add to Inventory
  • Results
  • Session Polling
  • Session Results
  • L2 & L3 Groups
  • Device Mappings
  • API Read-Only Access

New or Changed Links
CTRL-Click to Follow Links
Before You Begin Your FortiNAC POC
Let’s do some planning and discussion before we start!
FortiNAC Proof Of Concept – Success Criteria Template
Typical Success Criteria for a FortiNAC POC
Virtual Appliance: Installation and basic configuration
• Customer was able to install FortiNAC FNC-CA-VM on their platform of choice
• Customer was able to work through the start-up wizard and the “configWizard” with a little help from this guide and documentation links
• Customer was able to configure basic LDAP integration, email notification, review remote back-up options and begin the process of adding network devices in the Network Inventory
Visibility (for all locations in the scope of the POC.)
• Customer enabled NMAP and FortiGuard IoT as part of the start-up wizard and is sending copies of their DHCP requests to FortiNAC’s eth0 Management Address
• Customer was able to effectively add all of their network inventory into FortiNAC’s network inventory
• A host database was populated with MAC Address, IP and “location” (switch port, wireless interface)
• Endpoint Fingerprints show suggested device types
• MDM integration was performed where applicable, depending on customer’s applications (Intune, JAMF, GSuite etc.)
• Device profiling of at least 3 different device types (usually IP Phones, printers, cameras) and customer understands the process well enough to continue building device profiles on their own.
• Domain computers were registered with MDM, WMI, the FortiNAC Agent, or a combination of these, and the customer understands the difference between the three
• Created Filters in Adapters/Hosts views to look for specific device types and customer has the knowledge to build them on their own.
Control
• Created Host Profiles for device types we created in Visibility phase and customer understands how a host profile is used in policies and can build one on their own
• Created several NAC policies and customer understands how to build them on their own.
• Review Port Groups and Port Level Group Membership for Forced Registration, Forced Remediation, Forced Reset Default and Role Based Access.
• Created a POC Port Group and added one or more switch ports to this group.
• Discussed SNMP Traps vs RADIUS for switch ports and customer understands how a NAC policy is triggered.
• Customer understands the difference between manual Layer-2 polling and triggered MAC notification and why we might manually poll in a POC.
• Customer provided a device (laptop, printer, camera etc. ) we can use for testing on a switch port.
• NAC policies were successfully tested on the switch ports in the POC Port Group.
• Customer created a test SSID that uses RADIUS MAB and configured FortiNAC to manage network access and successfully tested one or more device types connecting to one SSID.
Other Discussion Topics
• Professional Services installation vs. POC installation
• Captive Portal and onboarding options for customer BYOD, Guest, Contractor etc.
• Discuss Certificates and where they are applied in an installation
• Answer any open questions
• Schedule reference call when POC didn’t cover every possible angle of installation
• Schedule executive summary if required by the customer
FortiNAC Proof Of Concept – Important Notes

Getting Prepared – Customer Requirements

Virtual Machine Config
• 4 vCPU – 12G of RAM – 100G disk space (thin/dynamic provisioning is fine for the POC, but not for production)
• Two Ethernet interfaces (included with the basic machine image)
• Use your password manager to save your FortiNAC password changes!!
• LDAP service account that has BIND access to the directory

Visibility for Wired Networks and Most Wireless LAN Controllers
• DHCP relayed to FortiNAC (IP helpers sent to the FortiNAC Mgmt IP). If you already forward DHCP requests to a DHCP server, add FortiNAC to the list.
• SNMP Read-Only access & SSH access for Layer 2/3 devices & WLC
• Optional: SNMP MAC traps sent to FortiNAC (can be configured after the first session)
• API keys for some products (Meraki, MIST etc.)

Control for Wired Networks
• SNMP R/W access & SSH access for Layer 2/3 devices (non-RADIUS control)
• SNMP MAC traps sent to the FortiNAC eth0 interface (Management IP)
• At least two VLANs on the switch for role-based changes, one for each role
• Create at least one new VLAN for a sample Isolation
• Prepare some wired devices connected to the switch for testing; find a test port or two

Control for Wireless Networks
• Test SSID that is exclusive to FortiNAC testing
• At least two interfaces (VLANs, roles) for role-based changes
• Wireless device able to see the test SSID

Email me with questions along the way. Screen shots are helpful.

Eth0 & Eth1 in a POC
Eth0 is the management address; eth1 is for applications (DHCP, DNS, Portal etc.). Start the POC with no eth1 networks configured.

Time Saving Tips
1. FortiNAC's eth0 IP address needs to have access to the network devices. Much time has been wasted on POC calls fixing ACLs and firewall policies to allow PING, SNMP, SSH and HTTPS access to various firewalls, routers, switches and wireless systems. Please be prepared!
2. FortiNAC needs management access to the network devices. Most of the time that is R/W SNMP and full SSH access (Cisco level 15). Without it we usually do not have a successful POC. Because this is full control of the switch, give FortiNAC its own account and SNMP user rather than sharing an administrator's, so its access can be audited and revoked on its own.
3. We need a service account for LDAP access. It does not have to be an administrator account. If you use your personal account and your password changes, LDAP look-up breaks on FortiNAC.
4. There are several credentials associated with FortiNAC access. DO NOT FORGET PASSWORDS!

Appliance Access to Updates
1. FortiNAC v9.2 uses CentOS yum repositories located at fnac-updates.fortinet.net (currently redirects to updates.bradfordnetworks.com).
2. The access could be blocked by a company proxy; be prepared to work with your CSE to allow access.
3. Default access is set to FTP, but that can be changed after the appliance CLI is available.
4. The proxy for yum updates can only be configured in the CLI, while proxy access for system updates can be managed in the GUI under System Settings.
FortiNAC Proof Of Concept – More Notes

Prior to First Online Session Customer Will:

Review this Guide with your Fortinet/Partner SE
• Finalize Success Criteria (the Success Criteria Template above)

VM Install
• Appliance import/install to hypervisor
• Configure the Linux VM via the hypervisor console
• Register the FortiNAC evaluation license
• License the FortiNAC appliance
• Run through this start-up guide as far as possible
• Test the CLI by SSH'ing to FortiNAC using the CLI root account

FortiNAC Basics
• Add Authentication – LDAP (Active Directory) integration
• Add Sys Admin users with AD credentials
• Configure email notifications

Prepare for Visibility Session
• Build your Network Inventory
• Add as many network devices as possible

Email me with questions along the way. Screen shots are helpful.

Many features that seem simple require ample discussion, planning and configuration that are normally completed by the FortiNAC installation engineers. In order to keep our POC focused and successful we try to stay on track with specific features and scope.

We have many reference accounts that will talk to you about their production usage of FortiNAC to make sure you understand how advanced features work in a similar environment.

POC FAQs

Q. After the POC, is my FortiNAC fully installed?
A. Absolutely not. The POC is aimed at showing specific features and we do not perform a full installation.

Q. Can I give you access to my network and let you work unattended?
A. Absolutely not. In addition to the testing of certain functions, this is also a knowledge transfer opportunity. I will not do the driving for a POC, just the navigating.

Q. If I check the box to POC every single feature, will you?
A. Probably not. The intent is to show you some great value, but it's not aimed at having a fully functional system. We have customer references that can show you a fully functional system.

Q. Can I use my POC for a full production test?
A. See Q #1, this is not a fully functional system. But sure, if you want to put a partially installed system with no support into production, that is an option.
FortiNAC Proof Of Concept Reference Guides & Videos
General FortiNAC Documentation
FortiNAC | Fortinet Documentation Library
FortiNAC POC
VM Appliance Installation

Greg Genta's video describes how to set up the FortiNAC OVA appliance for VMware. This video is now deprecated because it shows the start-up wizard prior to v9.2, but it is still worth watching. https://www.youtube.com/watch?v=aoyf6N05iIU

FortiNAC install guide for all appliance types (AWS, Azure, Hyper-V, KVM, VMware and HW):
https://docs.fortinet.com/document/fortinac/9.1.0/hardware-and-vm-install-guides
Appliance Installation: v9.X Internet Access
FortiNAC v9.x runs on CentOS 7.7 and uses YUM for some FortiNAC module installs/updates and all CentOS updates. The updates are stored on a Fortinet repository. The host name for the updates is fnac-updates.fortinet.net (currently redirects to updates.bradfordnetworks.com).

!! Default protocol to access the repositories is FTP

Without Internet access, a new install of FortiNAC will result in missing modules and is not something we should use in a POC.

To change the protocol for repository access, SSH to the FortiNAC CLI. Use an editor like vi or nano on the appliance, or WinSCP from your workstation.
• cd /etc/yum.repos.d
• Edit bradford.repo
• Change the 4 FTP instances to https (or http)
Check connectivity with yum repolist -v
Prefer https: FTP and plain http do not authenticate the repository server, so anything in the path to it can substitute packages; https at least ties the download to the Fortinet host name. Fall back to http only if your proxy cannot pass https.

If FortiNAC access is through your proxy, for YUM updates:
• Edit /etc/yum.conf
• Set (add) the variable
  proxy=http://<Proxy-Server-IP-Address>:<Proxy-Port>
• If proxy credentials are needed, add these lines:
  proxy_username={Proxy-User-Name}
  proxy_password={Proxy-Password}
/etc/yum.conf stores that password in clear text and is readable by every CLI user on the appliance, so use a proxy account that has no other privileges.

To configure proxy access for FortiNAC system updates (the GUI side, separate from yum): System->Settings->System Communication->Proxy Settings
Appliance Installation: Azure Notes
This example assumes you are deploying FNAC to an existing VNET with an existing Subnet. Also, the fixed-size disk image must be uploaded to your Azure Blob Storage Account and be available. If that is not the case, please create those objects before running this script. Update the parameters with your company's real-world values.

NOTE: the commands leverage the AZ module in lieu of the legacy AzureRM module.
https://azure.microsoft.com/en-us/blog/azure-powershell-cross-platform-az-module-replacing-azurerm/

You can download a standard Hyper-V FortiNAC image from the download directory and convert it to a fixed disk using QEMU as described here:
https://docs.fortinet.com/document/fortinac/hardware/azure-deployment-guide?model=all

Or download a prepared Azure fixed-disk image, fortinac-8.6.0.320-FIXED.vhd.zip, from this link:
https://fortinet.egnyte.com/dl/of7KcZSq4p/fortinac-8.6.0.320-FIXED.vhd.zip_
Password: FortiNAC-Fixed-Disk-Image
**Run OS and FortiNAC updates as soon as it is online** (this image is several releases behind v9.2)

Un-zip the download and load it into your Azure Blob. Follow the example script below.

Skip ahead to where you can access the FortiNAC GUI, since Azure will auto-assign an IP to your FortiNAC appliance.

Example script (PowerShell variables driving the az CLI; the subscription ID is a placeholder):

#SET PARAMETERS - MODIFY THESE VALUES TO MATCH YOUR ENVIRONMENT
$mySubscrip = "9acc4558-b556-5558-9a54-b46d555906ae4"
$myRG = "RG_FNAC"
$myLoc = "eastus"
$myVNET = "VNET_FNA"
$pathToFixedSizeDiskBlob = "https://fstorage.blob.core.windows.net/mydisks/fortinac-8.6.0.320_fixed.vhd"
$nacSubnet = "SUBNET_FNAC"
$nacVMName = "VM_FNAC"

az configure --defaults location=$myLoc group=$myRG
az account set --subscription $mySubscrip

#CREATE RESOURCE GROUP FOR FNAC
az group create --name $myRG

#CREATE DISK FOR FNAC (from the fixed-size VHD blob uploaded earlier)
az disk create --name DISK_FNAC-LAB-01-OS --source $pathToFixedSizeDiskBlob

#DEPLOY VM FOR FNAC (attach the disk as the OS disk; the original used a literal VM name here instead of $nacVMName)
az vm create --name $nacVMName --os-type linux --attach-os-disk DISK_FNAC-LAB-01-OS --vnet-name $myVNET --subnet $nacSubnet

#UNSET PARAMETERS
$mySubscrip = ""
$myRG = ""
$myLoc = ""
$myVNET = ""
$pathToFixedSizeDiskBlob = ""
$nacSubnet = ""
$nacVMName = ""
Appliance Installation: VM Download
FortiNAC VM Image Download
Please log into Fortinet Support and then open the download link to download the Virtual Appliance image:
https://support.fortinet.com/Download/FirmwareImages.aspx
- Select Product: FortiNAC from the drop-down list
- Select the Download tab
- Navigate to 9.2.3
- Download the proper image version (OVA, VHD, AWS etc.) for your hypervisor
Appliance Installation: Import to Hypervisor
Greg's video shows this process in great detail for VMware. https://www.youtube.com/watch?v=aoyf6N05iIU

**Production Sizing**
Network Size    Target Environment    vCPU    Memory    Disk
Up to 2,000     Small                 4       16G       100G
Up to 10,000    Medium                12      24G       100G
Up to 15,000    Large                 20      32G       100G
Up to 25,000    X-Large               36      96G       100G
Appliance Installation: VMware Notes
The FortiNAC OVA is built for virtual hardware version 7 to support customers with older ESX hosts. That version is limited to 8 vCPUs. Upgrade to your highest "VM Compatibility" so ESX can better support FortiNAC's requirements.
Appliance Installation: Configure FortiNAC Management IP via Hypervisor Console
• Start the guest VM and access FortiNAC's CLI through the hypervisor console
• Login to the FortiNAC CLI using the following credentials: user name = admin, password = admin
• Apply an IP address to eth0 to use as FortiNAC's management IP:
  sudo configIP <ip addr> <mask> <default gateway>
  Example: sudo configIP 192.168.5.244 255.255.255.0 192.168.5.1
• The system runs a script for several seconds to configure the new settings
• Reboot FortiNAC: sudo reboot
• Log back into the hypervisor console
• To confirm that the IP address for eth0 has been set correctly: ip addr show
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether 00:0c:29:21:2e:a5 brd ff:ff:ff:ff:ff:ff
      inet 192.168.5.244/24 brd 192.168.5.255 scope global eth0
• PING <default gateway> to verify connectivity
• Azure does not allow you to set the IP via a hypervisor console. See the Azure instructions.

FortiNAC CLI Basics
• FortiNAC programs are in the /bsc directories
• CampusManager = original product name
• YAMS = Yet Another Management System

Did You Know? Mike Gadoury lived in Bradford NH; he started Bradford Software Consulting (hence the /bsc).
Appliance Installation: Initial Login
After reboot wait 3-4 mins…
1.Navigate to your appliance https://<fortinac-ip>:8443/
2.Login with root/YAMS
Appliance Installation: Setup Wizard
1. Accept License Agreement
Appliance Installation: Server Register License
Appliance Installation: Registration Of Your Appliance
On Support Portal
• Continue your FortiNAC product registration
• Enter the UUID & MAC Address
• Select a partner and click Next
• Agree to all of the check-boxes along the way
Appliance Installation: Get the License File
When finished registering license, go back into your FortiNAC Product and “Get the
License File” – Select the FortiNAC License file (not the Bradford Sentry)
Appliance Installation: Import License File
Import the downloaded FortiNAC License File, click Next
Appliance Installation: Create Credentials
Enter a new User ID and Password to use when logging into the GUI, and create the CLI root password (set the same for the CLI admin account too). root/YAMS will be deleted after this step for GUI access.
a. Required in passwords:
   i. At least 8 characters
   ii. A lowercase letter
   iii. An uppercase letter
   iv. A number
   v. A symbol from ! @ # % ^ * ? _ ~ -
b. NOT permitted in passwords:
   i. ( ) ` $ & + | \ { } [ ] ; : " ' < > , . / =
   ii. NOTE: Spaces are NOT permitted in passwords.
Appliance Installation: Change CLI Credentials?
If you ever need to change the CLI passwords, it is under the Administrators menu option.
a. Required in passwords:
   i. At least 8 characters
   ii. A lowercase letter
   iii. An uppercase letter
   iv. A number
   v. A symbol from ! @ # % ^ * ? _ ~ -
b. NOT permitted in passwords:
   i. ( ) ` $ & + | \ { } [ ] ; : " ' < > , . / =
   ii. NOTE: Spaces are NOT permitted in passwords.
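Both the Create Credentials step and this one apply the same password rules. The added example below (not FortiNAC code) encodes those rules as a checker and a generator, because most password managers default to a symbol set that includes $, &, / and other characters FortiNAC rejects. The rule text is taken from this guide; the wording of the messages and the 20-character default length are assumptions.

```python
"""Check and generate FortiNAC GUI/CLI passwords against the rules in this guide.

Added example, not FortiNAC code. ALLOWED_SYMBOLS and FORBIDDEN are copied from
the guide; message wording and the default length are assumptions.
"""
import secrets
import string

ALLOWED_SYMBOLS = "!@#%^*?_~-"
FORBIDDEN = set("()`$&+|\\{}[];:\"'<>,./=") | {" "}      # includes "space not permitted"
KNOWN = set(string.ascii_letters + string.digits + ALLOWED_SYMBOLS)


def password_problems(pw: str) -> list:
    """Return every rule the password breaks; an empty list means it is accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in ALLOWED_SYMBOLS for c in pw):
        problems.append("no symbol from " + ALLOWED_SYMBOLS)
    bad = sorted({c for c in pw if c in FORBIDDEN})
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    # Anything the guide lists as neither allowed nor forbidden (accents, other
    # symbols) is flagged too, since the wizard's behaviour for it is undocumented.
    unknown = sorted({c for c in pw if c not in FORBIDDEN and c not in KNOWN})
    if unknown:
        problems.append("characters outside the documented set: " + "".join(unknown))
    return problems


def generate_password(length: int = 20) -> str:
    """Random password satisfying every rule, for pasting into the wizard and a password manager."""
    if length < 8:
        raise ValueError("FortiNAC requires at least 8 characters")
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, ALLOWED_SYMBOLS)
    alphabet = "".join(pools)
    while True:
        chars = [secrets.choice(pool) for pool in pools]               # one of each class
        chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
        secrets.SystemRandom().shuffle(chars)
        pw = "".join(chars)
        if not password_problems(pw):                                  # defensive re-check
            return pw


if __name__ == "__main__":
    print(generate_password())
    print(password_problems("Fortinac1!$"))   # a manager-generated value with a forbidden $
```

Use generate_password() to produce the value you type into the wizard, then store it; run password_problems() on a manager-generated password to see exactly which characters to exclude from the manager's symbol set. The check applies only the rules stated in this guide; it does not prove the wizard accepts every listed symbol in every position.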
Appliance Installation: Setup Wizard - Customer Tasks
For the POC, visibility is very important to the process, and DHCP fingerprinting, the FortiGuard IoT service and NMAP scanning are a big part of it. PING the FortiGuard IoT host names below from the FortiNAC CLI to confirm they are reachable before enabling the service.

The URL for the API to which FortiNAC must connect to query IoT data. The possible servers are:
Anycast: globaldevquery.fortinet.net, usdevquery.fortinet.net, eudevquery.fortinet.net
AWS: globaldevquery2.fortinet.net, usdevquery2.fortinet.net, eudevquery2.fortinet.net

The URL for the API to which FortiNAC must connect to send IoT data. The possible servers are:
Anycast: globaldevcollect.fortinet.net, usdevcollect.fortinet.net, eudevcollect.fortinet.net
AWS: globaldevcollect2.fortinet.net, usdevcollect2.fortinet.net, eudevcollect2.fortinet.net

**Please take the time to set up DHCP relay to FortiNAC.** This POC starts with no eth1 networks configured, so the relay target is FortiNAC's eth0 management IP, as the Important Notes and Success Criteria above state; an eth1 address only applies once eth1 has been configured. Keep the existing DHCP server as a helper address as well: FortiNAC only receives a copy of each request for fingerprinting, the customer's DHCP server still answers it.

Cisco examples
(config)# interface ethernet0/0
(config-if)# ip address 192.168.100.1 255.255.255.0
(config-if)# ip helper-address 10.55.11.3     -> Microsoft DHCP Server
(config-if)# ip helper-address 10.55.12.50    -> FortiNAC (eth0 management IP)

(config)# interface vlan5
(config-if)# ip address 192.168.5.1 255.255.255.0
(config-if)# ip helper-address 10.55.11.3     -> Microsoft DHCP Server
(config-if)# ip helper-address 10.55.12.50    -> FortiNAC (eth0 management IP)

HP/Aruba example
(config)# vlan 5
(vlan-5)# ip address 192.168.5.1 255.255.255.0
(vlan-5)# ip helper-address 10.55.11.3        -> Microsoft DHCP Server
(vlan-5)# ip helper-address 10.55.12.50       -> FortiNAC (eth0 management IP)

Fortigate example
(screenshot on the original slide; not reproduced here)
Appliance Installation: Stop and Test CLI root Access !!!
Don’t keep going if you cannot SSH to FortiNAC’s eth0 management interface using the CLI root credentials.
You just set the root CLI password – make sure it works properly or you will have to reinstall the VM.
Appliance Installation: Config Wizard Basic Network
Configure the Basic Network, * indicates required items. NTP is very important.
Appliance Installation: Config Wizard: Skip to Summary
Skip to Summary and hit the Apply button. Then hit OK at the pop-up and wait while the settings are applied (the browser tab spins while it is working).
Appliance Installation: Config Wizard: Reboot
Hit the Reboot button.
Appliance Installation: Initial Web Interface (GUI) Access
https://<fortinac-ip>:8443/gui
Appliance Installation: LDAP Integration Step 1
Add Directory
1. Network->Settings->Authentication->LDAP
2. Use the Add button at the bottom
3. Config settings for your closest AD Domain Controller
Appliance Installation: LDAP Integration Step 2
Add Directory
1. **MAC Address can be any 6 sets of digits like 01:02:03:04:05:06**
2. Add the service account in UPN format (ex. [email protected])
3. ALWAYS "Validate Credentials" – don't move forward if it fails
4. Accept the User Attributes and Group Attributes default settings
5. Search Branches: use your top-level DC=company,DC=com for now; we can filter down later
6. Select Groups: shows a list of groups and users. DO NOT SELECT ANY GROUPS YET. Click OK, then go to the next slide to test.
Appliance Installation: LDAP Integration – Test via Preview
1. Select your authentication server
2. Use the Preview button at the top
3. In the Filter To box, enter your AD user ID
4. Hit Search
5. Results should show first and last name and other details configured in AD.
6. Click cancel or OK to exit
Appliance Installation: Add LDAP System Admins
1. Users & Hosts->Administrators
2. Click Add at the bottom
3. Enter the User ID, click the OK button
4. It should say "This User ID was found in the directory"
5. Change Admin Profile to System Administrator
6. Make sure there is an email address
7. Repeat for all FortiNAC Sys Admins (give the System Administrator profile only to those who need full rights; FortiNAC ships narrower admin profiles for everyone else)
Appliance Installation: Configure Email Settings
1. System->Settings-> System Communications->Email Settings
2. Fill in fields appropriate to your organization
3. Test Email
4. Save Settings
Appliance Installation: Admin Time-out
Appliance Installation: Settings
By enabling Unified Settings…
Appliance Installation: Update Firmware
#1 Configure Product and Distribution Directories
• Product Distribution Directory: Version_9_2
• Agent Distribution Directory: Agent_5
#2 Save Settings
#3 Download the latest v9.2.X
#4 Install the version you just downloaded
Follow as the updates are applied. Wait 5 mins and log back in.
Appliance Installation: Backups *Please*
FortiNAC has a default backup, Database Backup and Database Archiving schedule. Review the remote backup options listed in the success criteria so that a copy of the backup leaves the appliance.
FortiNAC POC
Visibility: Network Inventory
Visibility: Network Discovery – Uplink Threshold
FortiNAC learns your network and will create uplinks to other network devices. Two main methods:
1. A MAC address for another managed switch is found on a switch port. We mark that as a "Learned Uplink".
2. More than XX devices on a port. By default the number is 20, but that is too low when we initially perform the network discovery: too many ports would be configured as "Threshold Uplinks".
Configure Network->Settings->Network Device->System Defined Uplink Count to 2000 to prevent any mis-labeled uplinks during the POC.
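Added example (not FortiNAC code) that replays the two detection methods above on a constructed MAC table, so you can see which ports flip between Access and Threshold Uplink at the default count of 20 versus the POC setting of 2000. The MAC tables, the managed-switch MAC list and the port names are made up.

```python
"""Replay FortiNAC's two uplink detection methods on a constructed MAC table.

Added example, not FortiNAC code. MAC_TABLE and MANAGED_SWITCHES are made up;
the thresholds (20 default, 2000 for the POC) are the ones the guide gives.
"""


def classify_ports(port_macs: dict, managed_switch_macs: set, uplink_count: int = 20) -> dict:
    """Return {port: 'Learned Uplink' | 'Threshold Uplink' | 'Access'}.

    A port is a Learned Uplink if any MAC seen on it belongs to another managed
    switch, a Threshold Uplink if it carries more than uplink_count MACs, and an
    Access port otherwise. The learned check runs first, as the guide lists it.
    """
    result = {}
    for port, macs in port_macs.items():
        if macs & managed_switch_macs:
            result[port] = "Learned Uplink"
        elif len(macs) > uplink_count:
            result[port] = "Threshold Uplink"
        else:
            result[port] = "Access"
    return result


def mislabeled_access_ports(port_macs: dict, managed_switch_macs: set, uplink_count: int) -> list:
    """Ports that are Access at the POC count (2000) but Threshold Uplinks at uplink_count,
    i.e. the ports a low threshold would take out of host tracking and control."""
    strict = classify_ports(port_macs, managed_switch_macs, uplink_count)
    loose = classify_ports(port_macs, managed_switch_macs, 2000)
    return sorted(p for p in strict if strict[p] == "Threshold Uplink" and loose[p] == "Access")


# Constructed MAC table: Gi1/0/1 carries the core switch plus two hosts behind it,
# Gi1/0/2 a hub/unmanaged switch with 25 stations, Gi1/0/3 a single workstation.
MANAGED_SWITCHES = {"00:aa:00:00:00:01", "00:aa:00:00:00:02"}
MAC_TABLE = {
    "Gi1/0/1": {"00:aa:00:00:00:02", "00:bb:00:00:00:10", "00:bb:00:00:00:11"},
    "Gi1/0/2": {f"00:cc:00:00:00:{i:02x}" for i in range(25)},
    "Gi1/0/3": {"00:dd:00:00:00:01"},
}

if __name__ == "__main__":
    print("default 20 :", classify_ports(MAC_TABLE, MANAGED_SWITCHES))
    print("POC 2000   :", classify_ports(MAC_TABLE, MANAGED_SWITCHES, 2000))
    print("would lose :", mislabeled_access_ports(MAC_TABLE, MANAGED_SWITCHES, 20))
```

Raising the count to 2000 keeps a hub or unmanaged switch behind an access port classified as Access, which is what the POC wants so the port stays in scope for visibility and control; the Learned Uplink method still catches real uplinks to managed switches because it keys on their MAC, not on a count. Revisit the value before production, since at 2000 a genuinely unmanaged switch hanging off a port is treated like any other host port.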
Visibility: Network Inventory & Containers
The Network Inventory view is the key to visibility of your network
• R-Click “Customer” and change to Appliance or Company Name
• R-Click appliance/company name “add container”
• Create as many containers as you want. These can be floors, buildings, cities, countries, regions etc.
• See next page to add devices
Visibility: Add Network Device Manually
• R-Click a container, "Add Device"
• IP address must be PING-able from FortiNAC
• Use SNMP v1, v2c, or v3; FortiNAC almost always needs Read-Write access
• Enter SSH credentials; FortiNAC needs root or level-15 type access
• "Enable Password:" only when you actually type enable while logging in
• ALWAYS USE "Validate Credentials" BEFORE HITTING OK! Do not proceed until you have success with both SNMP and CLI
• Read-Write SNMP and level-15 SSH are full control of the device: use a dedicated SNMP user/community and CLI account for FortiNAC, SNMPv3 authPriv where the device supports it, and restrict the device's SNMP and SSH access lists to FortiNAC's eth0 address

Add as many devices as you want. I perform this on full production networks all the time; no control is enabled by default. The more network devices we add, the better you'll understand visibility.

Misc Notes
• Watch out for ACLs and FW policies!! PING/SSH from the FortiNAC CLI to test
• Fortigates need PING, SNMP, HTTPS and SSH enabled on the Mgmt interface and FortiNAC added to System->SNMP users
• MIST Wireless, Meraki switches & MRs have special needs
• Most WLCs only need SNMP Read-Only and SSH access
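The Time Saving Tips earlier and the Misc Notes above come down to one check: can FortiNAC's eth0 reach each device on ICMP, UDP/161, TCP/22 and TCP/443 before you click Validate Credentials? The following added example (not FortiNAC's Validate Credentials and not code from this guide) runs that check with Python's standard library only; the SNMP probe hand-encodes an SNMPv2c GET for sysDescr.0, and the device addresses and community string in main are assumptions.

```python
"""Pre-flight reachability check from the FortiNAC CLI to a network device.

Added example, not FortiNAC code. Probes ICMP (system ping), SNMP (a hand-built
SNMPv2c GetRequest for sysDescr.0 over UDP/161), SSH (TCP/22) and HTTPS (TCP/443).
Device addresses and the community string below are assumptions.
"""
import socket
import subprocess

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)


def _ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV using the short or long definite length form."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + payload


def _oid(oid: tuple) -> bytes:
    """Encode an OBJECT IDENTIFIER: first two arcs combine, the rest are base-128."""
    body = bytes([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _ber(0x06, body)


def build_snmp_get(community: str, oid: tuple = SYS_DESCR_OID, request_id: int = 1) -> bytes:
    """SNMPv2c GetRequest message for one OID (request_id kept to one positive byte)."""
    varbind = _ber(0x30, _oid(oid) + b"\x05\x00")                     # OID + NULL value
    pdu = _ber(0xA0, _ber(0x02, bytes([request_id & 0x7F]))           # GetRequest-PDU
               + b"\x02\x01\x00" + b"\x02\x01\x00"                     # error-status, error-index
               + _ber(0x30, varbind))
    return _ber(0x30, b"\x02\x01\x01" + _ber(0x04, community.encode()) + pdu)  # version 1 = v2c


def snmp_get(host: str, community: str, timeout: float = 2.0) -> bool:
    """True if the device answers with any SNMP message (heuristic: GetResponse tag 0xA2 present)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_snmp_get(community), (host, 161))
        data, _ = sock.recvfrom(4096)
        return data[:1] == b"\x30" and b"\xa2" in data
    except (socket.timeout, OSError):
        return False
    finally:
        sock.close()


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes, i.e. the ACL/firewall permits the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def icmp_reachable(host: str) -> bool:
    """Single ICMP echo via the system ping (Linux flags), so no raw socket is needed."""
    res = subprocess.run(["ping", "-c", "1", "-W", "2", host],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def preflight(host: str, community: str) -> dict:
    """Run all four probes; any False must be fixed before Validate Credentials will pass."""
    return {
        "ping": icmp_reachable(host),
        "snmp": snmp_get(host, community),
        "ssh": tcp_port_open(host, 22),
        "https": tcp_port_open(host, 443),   # only needed for API-managed devices (FortiGate etc.)
    }


if __name__ == "__main__":
    # Assumed devices and community for illustration
    for device in ("192.168.5.1", "192.168.5.2"):
        print(device, preflight(device, "public"))
```

Run it on the appliance if python3 is present (otherwise from a host on the same management subnet, in which case the ACL test is only approximate). A False for snmp with True for ping usually means the community string, the SNMP access list on the device, or a firewall rule for UDP/161. The probe speaks v2c only; for an SNMPv3-only device use net-snmp from the CLI, for example snmpwalk -v3 -l authPriv -u <user> -a SHA -A <authkey> -x AES -X <privkey> <host> sysDescr, or simply FortiNAC's own Validate Credentials.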
Visibility: Add Network Device via Discovery
Practice using the manual device method, then move to Discovery for larger numbers of network devices.
(screenshot: Discovery Progress)
Visibility: Network Inventory Results & Ports tab
After adding devices to your containers, there is a lot of good information almost immediately.
Visibility: Network Inventory Results & Other tabs
The Element tab shows some of the information we discovered. Model Configuration will be covered more in the "Control" section.
Visibility: Polling for IP Addresses
To add IP Address info to your database, select your devices that have interesting
ARP like firewalls, switches with SVIs etc. and enable L3 polling.
Visibility: Adapters view of the dynamic database
In the Adapters view, you should see IP Address, Physical Address, Vendor Name, Location etc. By selecting the
column headers, you can add or remove columns. You can slide columns left or right to align them to a different view.
Any devices without an IP might not have the L3 device set up for polling.
Visibility: Tips for better visibility
Make sure the Active method and the FortiGuard method are enabled.
Visibility: Endpoint Fingerprints
FortiNAC's Fingerprints view is the result of the various tools running in the background. The tools are listed as "Source" on the far right. The results need to be validated and ranked, but it is a very nice view of your network in the beginning.
FortiNAC POC
Service Connectors
Service Connectors: Many Options
FortiNAC’s Service Connectors offer integrations with other services. MDM servers are a great way
to synchronize an existing database of your devices with FortiNAC.
EMS Integration:
https://docs.fortinet.com/document/fortinac/9.2.0/forticlient-ems-device-integration
FortiNAC POC
Basic Device Profiling Rules
(DPR)
DPR: Device Profiling Basics
FortiNAC’s Device Profiling Rules (DPR) are used to confirm a device type (Endpoint Fingerprints are suggestions). DPRs are mostly used
for IoT and OT devices. One good use case for WMI polling is for your corporate, domain-joined computers. The goal is to identify
hosts/adapters as a specific device type (shown in the Name column).** Changing a rogue device to a Device Type does nothing other
than provide clearer visibility into your database. It DOES NOT initiate any policy changes**
DPR: New DPR – How to Start
You can find a device type (by filtering device Type), select
all the lines, R-Click and select Create Device Profiling Rule
DPR: New DPR – Television Example
On the previous slide, we selected all the
Television examples and created a new DPR.
The General tab is mostly blank by default. On the Methods tab, FortiNAC added the vendor MAC address info (OUI) and the DHCP parameters.
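Added example (not FortiNAC code) that ties the DHCP relay configured in the Customer Tasks step to what the Methods tab holds for the Television rule above: it parses a relayed DHCPDISCOVER into the fields FortiNAC fingerprints on (OUI from chaddr, option 12 hostname, option 60 vendor class, option 55 parameter request list, plus giaddr from the relaying router) and matches them against a rule. The packet, OUIs, vendor class and rule table are constructed; requiring every method of a rule to match is an assumption about how to combine them.

```python
"""Parse a relayed DHCPDISCOVER into fingerprint fields and match a DPR-style rule.

Added example, not FortiNAC code. The packet builder, OUIs, vendor class strings
and RULES are constructed for illustration; ANDing a rule's methods is an assumption.
"""
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie at offset 236, after the fixed BOOTP header


def parse_dhcp(packet: bytes) -> dict:
    """Extract MAC/OUI, relay address (giaddr) and options 53, 12, 60 and 55."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = min(packet[2], 16)
    giaddr = ".".join(str(b) for b in packet[24:28])        # filled in by the ip helper-address router
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                                         # pad
            i += 1
            continue
        if code == 255:                                       # end
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "mac": mac,
        "oui": mac[:8].upper(),
        "giaddr": giaddr,
        "message_type": options.get(53, b"\x00")[0],        # 1 = DHCPDISCOVER
        "hostname": options.get(12, b"").decode("ascii", "replace"),
        "vendor_class": options.get(60, b"").decode("ascii", "replace"),
        "param_list": list(options.get(55, b"")),
    }


# Constructed rules in the shape of a DPR's Methods tab (OUI + DHCP); OUIs are made up.
RULES = [
    {"type": "Television", "oui": {"00:11:22"}, "param_list": [1, 3, 6, 12, 15, 28, 42]},
    {"type": "IP Phone", "oui": {"00:11:33"}, "vendor_class_prefix": "PhoneOS"},
]


def match_rule(fingerprint: dict, rules: list = RULES) -> str:
    """First rule whose every method matches wins; otherwise the host stays a rogue."""
    for rule in rules:
        if fingerprint["oui"] not in rule["oui"]:
            continue
        if "param_list" in rule and fingerprint["param_list"] != rule["param_list"]:
            continue
        if "vendor_class_prefix" in rule and not fingerprint["vendor_class"].startswith(rule["vendor_class_prefix"]):
            continue
        return rule["type"]
    return "Rogue"


def build_discover(mac: bytes, hostname: str, vendor_class: str, params: bytes, giaddr: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a relay forwards it (hops=1, giaddr set); test input only."""
    header = struct.pack("!BBBB4sHH4s4s4s4s", 1, 1, 6, 1, b"\x12\x34\x56\x78", 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), giaddr)
    body = header + mac.ljust(16, b"\0") + bytes(64) + bytes(128) + MAGIC
    opts = (b"\x35\x01\x01"                                               # 53: DHCPDISCOVER
            + bytes([12, len(hostname)]) + hostname.encode()
            + bytes([60, len(vendor_class)]) + vendor_class.encode()
            + bytes([55, len(params)]) + params)
    return body + opts + b"\xff"


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("001122aabbcc"), "smart-tv", "udhcp 1.30",
                         bytes([1, 3, 6, 12, 15, 28, 42]), bytes([192, 168, 5, 1]))
    fp = parse_dhcp(pkt)
    print(fp, "->", match_rule(fp))
```

Every option here is written by the client, so a device can claim any hostname, vendor class or parameter list; that is why Endpoint Fingerprints are suggestions, why a DPR that relies on the DHCP method alone is weak and is better paired with OUI, NMAP or an active method, and why (as the DPR basics slide says) changing a rogue to a device type triggers no policy by itself. giaddr tells FortiNAC which router relayed the request; if it is 0.0.0.0 the packet arrived on the local segment rather than through an ip helper-address.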
DPR: New DPR – Test it
Back to the filtered list on Endpoint Fingerprints, r-click one of the lines and select Test Device Profiling Rule. The rule should match.
DPR: New DPR – Run it
Back in Device Profiling Rules, you should see your new DPR in the list (usually at the bottom). Click the "Run" button and click Yes to evaluate rogues in the database. After hitting OK, check out the Rogue Evaluation Queue Size.
DPR: Methods are important
By combining methods, we can profile different types of devices based on the available information. A detailed description of each profiling method is in the administration guide:
https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/29753/adding-a-rule
We will spend time in the POC profiling many of your devices. Many will be easy, some will be a challenge. We will discuss why…
DPR: Tools to help Profile
In the adapter or host view, R-Click a device and use the Run NMAP Scan or Run FortiGuard
IoT Scan and see if there is any interesting information
NMAP sometimes will show open ports, device types that we can use
in the profiling process.
DPR: Filters for Hosts/Adapters
FortiNAC POC
SNMP Examples
Visibility: Network Devices Topology – Add Devices Cisco SNMPv3 Auth
snmp-server user FortiMD5 FortiNAC v3 auth md5 FortiNAC2021 priv aes 256 FortiNAC2021
snmp-server user FortiSHA FortiNAC v3 auth SHA FortiNAC2021 priv aes 256 FortiNAC2021
snmp-server group FortiNAC v3 auth read FortiNAC write FortiNAC notify FortiNAC
snmp-server group FortiNAC v3 auth context vlan- match prefix read FortiNAC notify FortiNAC
snmp-server view FortiNAC iso included
snmp-server view FortiNAC system included
snmp-server view FortiNAC interfaces included

Debug your SNMP session:
debug snmp requests
terminal monitor

Notes on the example: FortiNAC2021 is a placeholder; use two different, randomly generated keys for auth and priv, and enter the same user, protocols and keys in FortiNAC's Validate Credentials. Prefer the SHA/AES user over the MD5 one. The group is created with the "auth" security level, so an authenticated but unencrypted request is still accepted; create the group with "v3 priv" if every request must be encrypted. The "context vlan- match prefix" line is what lets FortiNAC read the per-VLAN bridge (MAC address) tables over SNMPv3 on Cisco switches.
Visibility: Network Devices Topology – Add Devices Cisco SNMPv3 AuthPriv
snmp-server user FortiSHA-DES FortiNAC v3 auth SHA FortiNAC2021 priv des FortiNAC2021
snmp-server group FortiNAC v3 auth read FortiNAC write FortiNAC notify FortiNAC
snmp-server group FortiNAC v3 auth context vlan- match prefix read FortiNAC notify FortiNAC
snmp-server view FortiNAC iso included
snmp-server view FortiNAC system included
snmp-server view FortiNAC interfaces included

Debug your SNMP session:
debug snmp requests
terminal monitor

DES is a 56-bit cipher; use it only where the switch firmware offers no AES option. As on the previous slide, "v3 priv" on the group is what actually forces encryption; "v3 auth" merely permits it.
Visibility: Network Devices Topology – Add Devices Cisco SNMPv3 Auth-Privacy Examples
1. snmp-server user FortiSHA FortiNAC v3 auth SHA FortiNAC2021 priv aes 128 FortiNAC2021
2. snmp-server user FortiSHA-3DES FortiNAC v3 auth SHA FortiNAC2021 priv 3des FortiNAC2021
3. snmp-server user FortiSHA-DES FortiNAC v3 auth SHA FortiNAC2021 priv des FortiNAC2021
The numbers refer to the three matching FortiNAC credential screenshots on the original slide. Two lines were corrected from the original: IOS requires a key size after "priv aes" (128, 192 or 256; FortiNAC must be set to the same size), and Triple DES is "priv 3des", not "priv DES", which line 2 originally had under the 3DES user.
Visibility: Network Devices Topology – Cisco SNMP Traps
FortiNAC can use SNMP traps to enhance visibility with real-time updates of switch information. This is especially useful for older Cisco switches that do not support RADIUS requests very well.
SNMP traps are configured independently of the SNMP version FortiNAC uses to poll the switch. So even if you modeled the switch with SNMPv3, you can send traps with SNMPv2c or v3. Keep in mind that a v2c trap carries its community string in the clear and is otherwise unauthenticated, so anyone on the management network can forge one; use v3 traps where the switch supports them.
Visibility: Network Devices Topology – Add Devices Meraki Switch SNMPv3 Auth-Privacy Examples
FortiNAC Network Devices Topology – Add Devices Cisco ASA ASDM & CLI SNMPv3 Examples
snmp-server group FortiNAC v3 priv
snmp-server user FortiNAC FortiNAC v3 auth sha <passwd> priv aes 128 <passwd>
snmp-server user-list FortiNAC-Grp username FortiNAC
snmp-server host NW-Mgmt 172.16.50.6 poll version 3 FortiNAC
snmp-server location UnderGroundBunker
snmp-server contact Jeff Reed

Notes: the original user line carried the "encrypted" keyword, which is what the ASA writes into the running config once it has hashed the keys; when you type the passwords in clear text, leave it out. NW-Mgmt is the ASA interface name facing FortiNAC and 172.16.50.6 is the SNMP manager (FortiNAC's eth0 address in this example); "poll" allows that host to poll the ASA without receiving traps. Use different values for the auth and priv passwords.
FortiNAC Network Devices Topology – Add Cisco WLC SNMPv3 Examples
FortiNAC Network Devices Topology – Add Aruba IAP SNMPv3 Examples
FortiNAC Network Devices Topology – Add HP ProCurve CLI SNMPv3 Examples
Step1 – Enable SNMPv3 and go through the wizard
HP2530(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ******
Privacy protocol is DES
Enter privacy password: ******
User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] n
User creation is done. SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only
access (you can set this later by the command 'snmpv3 restricted-access')? [y/n] n

Step2 – Disable the Initial User and create your privileged user
HP2530(config)# snmpv3 user FortiNAC auth md5 ******** priv des ********
HP2530(config)# snmpv3 group managerpriv user FortiNAC sec-model ver3
HP2530(config)# no snmpv3 user initial
HP2530(config)# sh snmpv3 user
Status and Counters - SNMP v3 Global Configuration Information
User Name                        Auth. Protocol   Privacy Protocol
-------------------------------- ---------------- ----------------
FortiNAC                         MD5              CBC DES
FortiNAC Network Devices Topology – Add HP ProCurve CLI SNMPv3 Traps
FortiNAC POC – Advanced Topics
Fortigate Initial Discovery, Tweaks and converting to Read-only API Access
Fortigate: Interface Prep
1. Choose your management interface
2. Ensure PING, SSH, HTTPS and SNMP are enabled
3. Make sure your firewall rules/policies allow access
Fortigate: SNMP
1. Under System->SNMP
1. Make sure your SNMP Agent is enabled
2. Create a v2 or v3 SNMP community
3. Add FortiNAC’s management IP as an IP host allowed to query SNMP
Fortigate: Add to Inventory
1. Right-click a container and click Add Device
2. Choose your preferred SNMP protocol and enter the SNMP Settings
3. Configure the CLI settings
4. Always Validate Credentials
Fortigate: Results
1. It may take a few minutes and a browser refresh to see the Virtualized Devices tab
2. If you are managing switches and APs, those should also come into view
Fortigate Session Polling
1. R-click the Fortigate, select Firewall Session Polling
2. Enable at 30min frequency and hit the Poll Now button
Fortigate: Session Results
1. Wait 5 minutes
2. Check Users & Hosts->Fortigate Sessions and make sure your firewall has session information
Fortigate: L2 & L3 Groups
1. R-click Fortigate and select Group Membership
2. Make sure L3 and all L2 groups are checked
Fortigate: Test Device Mappings
1. R-click Fortigate and select Test Device Mapping
2. Should show L2, L3 and VLAN information
Fortigate: API Read-Only Access
Add API Read-Only Access to Fortigate
API keys increase the accuracy of some transactions.
1. Create a REST API Admin administrator account on the Fortigate
2. Copy the API Key that is created by the process
3. SSH to the FortiNAC CLI, set the Fortigate’s attribute to use an APITOKEN
1. device -ip 203.0.2.126 -setAttr -name APIToken -value "r5kpQy5rt0pGywjb439ftmhp7Qm3rr"
FortiNAC POC – Advanced Topics
Using your company's DHCP Server for Isolation Networks
Using your company's DHCP Server for Isolation Networks Part 1
Using your company’s DHCP server may be an easier path to success, especially in a POC. This makes FortiNAC just the DNS server in remote isolation networks.
1. Enable each interface (Registration, Remediation, Dead End) you need in the design
2. Assign an IP/Mask/GW – the same rules apply here; it must be in a different subnet than Eth0.
3. Add Remote Isolation Subnets – These are the subnets where YOUR DHCP server provides the
Using your company's DHCP Server for Isolation Networks Part 2
The Config Wizard will create static routes eliminating any loops in the routing on eth0 and eth1.
1. Go to Summary, Apply
Using your company's DHCP Server for Isolation Networks Part 3
1. After the Apply, Reboot
**You will see errors before you reboot indicating that you did not create scopes. Ignore those errors.**
Using your company's DHCP Server for Isolation Networks Part 4
Create DHCP Scopes on your company DHCP server.
1. The Router for the scope is the L3 gateway for the devices/hosts in Isolation subnet
2. DNS server is FortiNAC’s Eth1 IP address.
3. Repeat for Remediation, Dead End, etc.
Using your company's DHCP Server for Isolation Networks Part 5
Send a copy of the DHCP Request to FortiNAC’s Eth0 Management IP. DHCP Fingerprinting in the Isolation network is an integral part of FortiNAC’s visibility.
See examples below
FortiNAC POC – Advanced Topics
Social Media For Captive Portal Using LinkedIn
FortiNAC Social Networking for Guest Portal
How It works:
• FortiNAC uses an API integration with the various Social Media sites
• Facebook, Google, LinkedIn, Outlook, Twitter and Yahoo are available options
• Usually, you log in to the social media site’s developer account and create an app.
• The app will provide an “App ID” or “Client ID” and a “Secret”
• These are configured in the FortiNAC Portal Configuration->Global->Settings
• One of the pages in the captive portal is configured for Social Networking authentication
• When a user selects the link for Social Networking in the captive portal, the Social Media Networks are displayed for them to choose.
• When the user has properly authenticated with their Social Media Account, normal processing of the captive portal occurs
FortiNAC Social Networking (LinkedIn) for Guest Portal
How It works:
• Log in to https://www.linkedin.com/developers
• Select My Apps and +Create App
FortiNAC Social Networking (LinkedIn) for Guest Portal
• Enter App Name
• LinkedIn Requires a Company Page
• Add your Company Logo
• Add the FQDN of the FortiNAC application appliance
• You will be presented your Client ID and Client Secret. (Also available later by clicking your app, go to the Auth tab.)
• Add the authorized redirect URL on the Auth tab.
FortiNAC Social Networking (LinkedIn) for Guest Portal
• Navigate to FortiNAC Portal Configuration
• Open Global->Settings
• Choose one of the 3 options (Standard, Custom, Game)
• Click the “Enable LinkedIn Auth” button
• Fill in Client ID and Client Secret.
• Apply to save
FortiNAC Social Networking (LinkedIn) for Guest Portal
• Navigate to FortiNAC Portal Configuration
• Under Registration->Login Menu
• Choose the page you selected for “Social” authentication, which was Custom in this example.
• Change any text for the customer situation
• Apply to save
FortiNAC Social Networking (LinkedIn) for Guest Portal
• Navigate to FortiNAC Portal Configuration
• Under Registration->Custom Login & Custom Login Form, change any text for the customer situation
• Apply to save
FortiNAC POC – Advanced Topics
FortiNAC Device Profiling – OT Example
FortiNAC Device Profiling – OT Example
When the Network Access policy is enforced, the PLC device is in VLAN 127 and receives an IP in that DHCP Scope (from the Fortigate in this design). FortiNAC is not the DHCP server for production networks.
FortiNAC RADIUS Server
FortiNAC has two RADIUS processes called “Proxy” and “Local Service”
• Proxy can be used for MAC Address Bypass (MAB) without any need to proxy requests, and it will proxy EAP requests to another RADIUS server (something like Microsoft NPS, FortiAuthenticator etc.)
• Local Service has all the components you need to manage RADIUS connections like MAB, EAP-TLS and PEAP (and more) all within FortiNAC
• Traditional RADIUS authentication ports 1812 or 1645 can be defined on either service, but you cannot assign the same port number to Proxy and Local Service at the same time.
https://docs.fortinet.com/document/fortinac/8.8.0/wifi-802-1x-based-network-using-fortinac-local-radius-server
https://docs.fortinet.com/document/fortinac/8.8.0/wireless-integration-overview
https://docs.fortinet.com/document/fortinac/8.8.0/aruba-and-alcatel-wireless-controllers-integration
https://docs.fortinet.com/document/fortinac/8.8.0/aruba-instant-ap-wireless-integration
https://docs.fortinet.com/document/fortinac/8.8.0/aerohive-wireless-access-points-integration
https://docs.fortinet.com/document/fortinac/8.8.0/cisco-wireless-controller-integration
https://docs.fortinet.com/document/fortinac/8.8.0/mist-wireless-device-integration
FortiNAC RADIUS Auth for FortiSwitch Ports
FortiNAC support for RADIUS switch authentication is straightforward on switches that make RADIUS support easy to configure. Two great examples are Meraki and FortiSwitch. Please reference the integration guides below for details on the specific integration instructions. In this guide, the switch is in FortiLink mode controlled by a Fortigate.
• https://docs.fortinet.com/document/fortinac/9.1.0/fortiswitch-integration
• Make sure you complete the prior section in this guide, RADIUS Server Initial Config
• Use tcpdump host <switch-ip> and port 3799 -vv to see CoA in action
FortiOS6 Syslog Parser
https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/353748/security-event-parsers
Parser values shown on the slide: delimiter comma; fields srcip, dstip, type, subtype, virusid, virus, level
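The fields listed above are keys in FortiOS key=value syslog records. The following Python is an added example, not part of this guide and not FortiNAC's own parser, that splits constructed FortiGate syslog lines (the comma-separated form FortiOS produces when CSV logging is enabled for the syslog destination, and the default space-separated form) and pulls out exactly the fields the slide lists. The device names, addresses and virus record are constructed sample data.

```python
import re
from typing import Dict, List

# Fields the slide's FortiOS6 parser example extracts (from the page).
PARSER_FIELDS = ["srcip", "dstip", "type", "subtype", "virusid", "virus", "level"]

# One key=value token: the value is either double-quoted (may contain spaces,
# commas or escaped quotes) or a bare run up to the next space or comma.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]*)')

# Constructed sample records (not captured from a real FortiGate). The first
# is comma-delimited (CSV logging on), the second is the default space form.
SAMPLE_LINES = [
    'date=2021-07-14,time=10:15:02,devname="FWF61E-LAB",devid="FWF61EXXXXXXXXXX",'
    'logid="0211008192",type="utm",subtype="virus",eventtype="infected",level="warning",'
    'vd="root",srcip=10.10.10.25,srcport=51234,dstip=203.0.113.20,dstport=80,proto=6,'
    'virus="EICAR_TEST_FILE",virusid=2172,action="blocked"',
    'date=2021-07-14 time=10:15:03 devname="FWF61E-LAB" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" srcip=10.10.10.25 dstip=203.0.113.20 '
    'action="accept" msg="allowed by policy 7, no UTM verdict"',
]


def parse_fortios_syslog(line: str) -> Dict[str, str]:
    """Split one FortiOS syslog record into a {key: value} map.

    Works for both delimiters because the regex consumes quoted values whole
    and stops bare values at the next space or comma.
    """
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def extract_event(line: str) -> Dict[str, str]:
    """Keep only the parser's fields; absent keys become empty strings."""
    parsed = parse_fortios_syslog(line)
    return {name: parsed.get(name, "") for name in PARSER_FIELDS}


def is_virus_event(event: Dict[str, str]) -> bool:
    """True for the utm/virus records this parser is meant to act on."""
    return event["type"] == "utm" and event["subtype"] == "virus" and event["virus"] != ""


def virus_events(lines: List[str]) -> List[Dict[str, str]]:
    """Run the parser over a batch of records and return the virus hits."""
    return [ev for ev in map(extract_event, lines) if is_virus_event(ev)]


if __name__ == "__main__":
    for hit in virus_events(SAMPLE_LINES):
        print(f"{hit['level']}: {hit['virus']} (id {hit['virusid']}) "
              f"{hit['srcip']} -> {hit['dstip']}")
```

A parser that stops bare values at commas but swallows quoted values whole is what keeps a free-text msg field containing a comma from shifting every later field by one; that is the failure mode to test for when you switch a FortiGate between CSV and default formatting.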
FortiAP – Fortigate Wireless Controller
MAB & Bridged Mode
FortiAP Access Control - MAC Authentication
This guide will focus on using FortiNAC for MAC-Based Access Control, see latest on the docs site.
https://docs.fortinet.com/document/fortinac/9.2.0/fortigate-endpoint-management-integration-guide
**Assumption is the Fortigate Wi-Fi controller is already in the FortiNAC Inventory**
MAC Authentication Bypass is an effective process for Wi-Fi access control for devices lacking a supplicant. This method works with both OPEN and PSK SSIDs. Pre-Shared Keys offer additional privacy but also extra administration in providing the PSK to users.
Testing for this guide was completed with a Fortigate 61E running v6.4.8 b1914 and a FortiAP Wall Jack running v6.2 B281
FortiAP Access Control - MAC Authentication
FortiNAC RADIUS Review – For my lab, I have the Local RADIUS listening on RADIUS Port 1645 and Proxy RADIUS listening on 1812. RADIUS Accounting is on port 1813. Both Local and Proxy will authenticate MAC-Auth without need for another RADIUS server. This lab example will be using the Local RADIUS process.
FortiAP Access Control - MAC Authentication
Fortigate RADIUS Review – Created a RADIUS server named “FortiNAC-1645” where FortiNAC’s management IP is the RADIUS server. Several settings need to be set via CLI, reference the document at the beginning of this guide for details.
FortiAP Access Control - MAC Authentication
Modify your Fortigate’s Model Configuration. On the Virtualized Devices Tab, double-click the VDOM you are configuring. In this example I have the standard “root” VDOM. A new tab will open, set the RADIUS settings, Secret, Source-IP of the Fortigate and select a Server Config and set the Default RADIUS Attribute Group to RFC_VLAN.
FortiAP Access Control - MAC Authentication
Back on the Fortigate, open the RADIUS server, a test will happen immediately. Or press the “Test Connectivity” button.
Don’t proceed until you have a successful test! This confirms your basic settings are complete.
FortiAP Access Control - MAC Authentication
Create a new SSID – But wait… what’s the difference between Tunnel Mode and Bridge Mode?
When using a Tunnel interface on an SSID, all traffic is CAPWAP tunneled to the Fortigate. The VLAN ID for FNAC Policy is added by default as you add interfaces.
FortiAP Access Control - MAC Authentication
Create a new SSID – Start simple and test!
FortiAP Access Control - MAC Authentication
Keep testing!
FortiAP Access Control - MAC Authentication
Change settings to use FortiNAC for Authentication
FortiAP Access Control - MAC Authentication
Configure the SSID Configuration in FortiNAC
FortiAP Access Control - MAC Authentication
Ready to test!!
Meraki iPSK Integration
Meraki iPSK Access Control Use Cases
This guide will focus on using FortiNAC v8.8 for MAC-Based Identity PSK Network Access Control.
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication
**Meraki access point software needs to be MR 26.5 or better to have access to iPSK**
** Assumes general knowledge of navigating around FortiNAC **
Business Case #1
IT director in manufacturing wants to control what devices can connect to an SSID on his Meraki Access Points. His RF experts recommend as few SSIDs as possible to keep the Wi-Fi environment as efficient as possible. None of the devices are capable of 802.1x. She needs encryption of data due to financial risk audit recommendations.
Solution:
Using FortiNAC v8.8, manage the list of approved devices, by MAC Address and utilize Meraki Group Policies to use just a single SSID encrypted with WPA2-PSK

Business Case #2
IT director in healthcare wants to control what devices can connect to an SSID on his Meraki Access Points. His RF experts recommend as few SSIDs as possible to keep the Wi-Fi environment as efficient as possible. None of the devices are capable of 802.1x however auditors said all traffic must be encrypted.
Solution:
Using FortiNAC v8.8, manage the list of approved devices, by MAC Address and utilize Meraki IPSK and Group Policies to use just a single SSID encrypted with WPA2-PSK
Configure Hosts Device Type
FortiNAC can identify a device type through various methods
• Manually Add host as a device using the hosts MAC Address (rarely used)
• Import devices from a Mobile Device Manager (Intune, AirWatch, FortiClient EMS, etc.)
• Use Device Profiling to determine device type (most popular)
Create Host Profiles for your device Types
Create Logical Networks
Create Manufacturing Network Access Policy
Create Healthcare Network Access Policy
Create Meraki iPSK SSID
Network->Wireless->SSIDs->Rename, Edit Settings
Edit SSID RADIUS Settings
Create Meraki Network Wide Group Policies
VLAN 127 & 126 need to be tagged/trunked on switch ports where Access Points connect to the network
Add Meraki AP to Topology
Add Meraki Group Policies and RADIUS Secret
Resync Interfaces and they show up in model view
Set “Local RADIUS Server” to Respond
Set Meraki AP Model Config
Validate with tcpdump from FortiNAC CLI (SSH w/root user)
When successfully connecting your Healthcare device to the Meraki iPSK SSID, you enter the PSK password that matches the Tunnel-Password attribute created in the Meraki AP Model Config.
Use packet capture to verify the Access-Accept includes the Filter-ID (Meraki Group Policy) and the Tunnel-Password (iPSK Password).
➢ tcpdump -i eth0 port 1812 -vv
➢ or
➢ tcpdump -i eth0 host 172.16.154.119 and port 1812 -vv
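tcpdump shows the attributes, but Tunnel-Password is never readable in the capture: RFC 2868 hides it under a salted MD5 chain keyed with the shared secret and the Request Authenticator of the matching Access-Request. The following Python is an added example, not part of this guide, FortiNAC or Meraki, that builds a constructed Access-Accept carrying the same attributes the check above looks for (Filter-Id, Tunnel-Password, the VLAN tunnel attributes), then decodes it the way a verifier would: it checks the Response Authenticator against the shared secret and recovers the iPSK. The secret, Request Authenticator, salt, group policy name and PSK are all constructed lab values.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# RADIUS code / attribute types used here (RFC 2865 and RFC 2868).
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PASSWORD = 69
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81

# Constructed lab values (not from the guide): shared secret, the Request
# Authenticator of the Access-Request being answered, and the salt.
SECRET = b"constructed-radius-secret"
REQUEST_AUTH = bytes(range(0x10, 0x20))
SALT = b"\x85\x21"  # RFC 2868: two bytes, high bit of the first set


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tunnel_password_encrypt(password: bytes, secret: bytes, request_auth: bytes,
                            salt: bytes, tag: int = 0) -> bytes:
    """RFC 2868 section 3.5: Tag | Salt | MD5-chained XOR of (len | password | pad)."""
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return bytes([tag]) + salt + out


def tunnel_password_decrypt(value: bytes, secret: bytes, request_auth: bytes) -> Tuple[int, bytes]:
    """Inverse of the above; returns (tag, password)."""
    tag, salt, cipher = value[0], value[1:3], value[3:]
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return tag, plain[1:1 + plain[0]]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a packet with a valid Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = bytes([ACCESS_ACCEPT, ident]) + struct.pack("!H", 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV attribute list, refusing lengths that run past the packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, i = [], 20
    while i + 2 <= length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[i + 2:i + l]))
        i += l
    return attrs


def summarize_accept(packet: bytes, secret: bytes, request_auth: bytes) -> Dict[str, object]:
    """What the tcpdump check is looking for, decoded from the bytes."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    authentic = hashlib.md5(header + request_auth + body + secret).digest() == resp_auth
    out: Dict[str, object] = {"code": packet[0], "authentic": authentic,
                              "filter_id": None, "tunnel_password": None, "vlan": None}
    for t, v in parse_attrs(packet):
        if t == ATTR_FILTER_ID:
            out["filter_id"] = v.decode("utf-8", errors="replace")
        elif t == ATTR_TUNNEL_PASSWORD:
            _tag, pw = tunnel_password_decrypt(v, secret, request_auth)
            out["tunnel_password"] = pw.decode("utf-8", errors="replace")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is an RFC 2868 tag, not part of the string.
            out["vlan"] = (v[1:] if v and v[0] <= 0x1F else v).decode("utf-8", errors="replace")
    return out


def build_sample_accept() -> bytes:
    """Constructed Access-Accept: Meraki Group Policy in Filter-Id, iPSK in Tunnel-Password."""
    attrs = [
        (ATTR_TUNNEL_TYPE, b"\x00\x00\x00\x0d"),         # 13 = VLAN
        (ATTR_TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),  # 6 = IEEE 802
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"126"),
        (ATTR_TUNNEL_PASSWORD, tunnel_password_encrypt(b"Healthcare-iPSK-1", SECRET, REQUEST_AUTH, SALT)),
        (ATTR_FILTER_ID, b"Healthcare-Devices"),
    ]
    return build_access_accept(0x2A, REQUEST_AUTH, SECRET, attrs)


if __name__ == "__main__":
    print(summarize_accept(build_sample_accept(), SECRET, REQUEST_AUTH))
```

Two consequences worth keeping in mind when reading a capture: a wrong shared secret on either side produces an Access-Accept whose Response Authenticator fails and whose Tunnel-Password decodes to garbage, which the AP will silently reject, and the secret plus the Access-Request's authenticator are needed to read the PSK, so a capture of the reply alone does not expose it.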
FortiNAC POC – Advanced Topics
Fortigate Security Fabric Integration
Fortigate Security Fabric Integration
https://docs.fortinet.com/document/fortinac/9.1.0/fortigate-endpoint-management-integration-guide
This section assumes the Fortigate is already added to the network inventory following the Fortigate Endpoint Integration Guide referenced above. In my example, we’ll use my Fortigate FWF61-E.
https://youtu.be/wOPElLP1-jg
FortiNAC VM/Appliance Isolation Reference Design
https://youtu.be/wOPElLP1-jg
Classic Networking
Office Locations Legend: 18 Carlisle PA, 19 Austin TX, 20 Phoenix AZ, 21 Anchorage AK, 22 Burnaby BC, 23 Ottawa ON, 24 Mexico City MX
Microsoft DHCP and DNS servers and FortiNAC Virtual Appliance located in the datacenter at an undisclosed location.
• Isolate Rogue Devices: Any device that is not a corporate asset shall be placed into an isolation network with appropriate controls to self-identify via captive portal or automatically profile if it matches an existing company device fingerprint. – Registration or Forced-Registration
• Isolate Devices At-Risk: All corporate computers shall have company approved AV installed, EDR services validated as running and company approved OS security and critical updates applied. Any computer not meeting those requirements will be isolated and the reason for isolation communicated to both the Service Desk and the user on the computer. – Remediation, Forced-Remediation or Quarantine
• Disable devices that have an indication of compromise: IoT devices that look to be MAC-Spoofed, devices that have failed a vulnerability scan or devices that access malicious sites on the internet shall be isolated into a separate VLAN that has no access to the rest of the organization. – Dead End
Another important change at each site, on the L3 interfaces, a DHCP relay will be added for the existing production subnets to send a copy of DHCP requests to FortiNAC’s Management interface (to facilitate DHCP Fingerprinting), and the isolation networks will have DHCP relayed to their respective FortiNAC isolation IP.
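The relayed copy of each DHCP request is what DHCP fingerprinting works from, both here and in the isolation-network DHCP section earlier (Part 5). The following Python is an added example, not part of this guide or of FortiNAC, that builds a constructed, relayed DHCPREQUEST the way a site router's L3 interface would forward it and then extracts the fields a fingerprint is built from: the client MAC, the Parameter Request List (option 55), the Vendor Class (option 60), the hostname (option 12), plus the relay agent address (giaddr) that tells you which site and subnet the request came from. The MAC, hostname, option list and relay address are constructed sample values.

```python
import socket
import struct
from typing import Dict

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_VENDOR_CLASS, OPT_END = 0, 12, 53, 55, 60, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp_request(mac: bytes, hostname: bytes, vendor_class: bytes,
                       param_list: bytes, relay_ip: str, xid: int = 0x3903F326) -> bytes:
    """Constructed relayed DHCPREQUEST: giaddr is the relaying L3 interface, hops is 1."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 1, xid, 0, 0x8000,        # BOOTREQUEST, Ethernet, hlen 6, 1 hop
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                         socket.inet_aton(relay_ip),
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, 3])
               + bytes([OPT_PARAM_REQ, len(param_list)]) + param_list
               + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area (RFC 2132), stopping at END and skipping PAD."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        if i + 2 + length > len(packet):
            raise ValueError("truncated option value")
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def dhcp_fingerprint(packet: bytes) -> Dict[str, str]:
    """Extract the fields a DHCP fingerprint is built from, plus who relayed it."""
    _op, _htype, hlen, hops = struct.unpack("!BBBB", packet[:4])
    mac = packet[28:28 + hlen]
    options = parse_dhcp_options(packet)
    msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "message_type": MSG_TYPES.get(msg_type, str(msg_type)),
        "relay_agent": socket.inet_ntoa(packet[24:28]),
        "hops": str(hops),
        "param_request_list": ",".join(str(b) for b in options.get(OPT_PARAM_REQ, b"")),
        "vendor_class": options.get(OPT_VENDOR_CLASS, b"").decode("ascii", errors="replace"),
        "hostname": options.get(OPT_HOSTNAME, b"").decode("ascii", errors="replace"),
    }


# Constructed sample: a Windows-style parameter request list and vendor class,
# relayed by the gateway of the Carlisle registration VLAN (18).
SAMPLE_PACKET = build_dhcp_request(
    mac=bytes.fromhex("001122334455"),
    hostname=b"LAPTOP-SAMPLE",
    vendor_class=b"MSFT 5.0",
    param_list=bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
    relay_ip="10.18.0.1",
)

if __name__ == "__main__":
    for key, value in dhcp_fingerprint(SAMPLE_PACKET).items():
        print(f"{key:20} {value}")
```

The ordered option 55 list and the vendor class are the two values that distinguish operating systems; the relay address is why the copy has to reach FortiNAC's management interface from every site's L3 gateway rather than only from the isolation VLANs.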
Using their vast Excel skills, Classic Networking engineers quickly built three CSV files appropriate for an import.
ScopeLabel,VLAN ID,Gateway,Mask,Domain,Lease Pool Start-End IP
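Before importing a file with that header, and before creating the matching scopes on the company DHCP server as described in Part 4 of the isolation-network section, it is worth checking the rows against the rules this guide states: each isolation subnet must differ from FortiNAC's eth0 subnet, the lease pool must sit inside the scope's subnet, and the scope's router (gateway) must not be handed out as a lease. The following Python is an added example, not part of this guide or of FortiNAC's importer; the three rows, the domain and the eth0 subnet are constructed, and two of the rows deliberately contain mistakes the checks should catch.

```python
import csv
import io
import ipaddress
from typing import Dict, List

# Header exactly as in the guide; the rows are constructed examples, two of
# which are deliberately wrong (pool outside subnet; gateway inside pool).
SCOPES_CSV = """\
ScopeLabel,VLAN ID,Gateway,Mask,Domain,Lease Pool Start-End IP
Carlisle-Registration,18,10.18.0.1,255.255.255.0,iso.example.com,10.18.0.50-10.18.0.250
Austin-Remediation,19,10.19.0.1,255.255.255.0,iso.example.com,10.19.0.50-10.19.1.250
Phoenix-DeadEnd,20,10.20.0.1,255.255.254.0,iso.example.com,10.20.0.1-10.20.0.100
"""

# Constructed FortiNAC eth0 (management) subnet; the guide requires each
# isolation interface to live in a different subnet than eth0.
MGMT_SUBNET = "172.16.50.0/24"


def parse_scopes(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def validate_scope(row: Dict[str, str], mgmt: ipaddress.IPv4Network) -> List[str]:
    """Return the problems found in one scope row (empty list = OK)."""
    problems: List[str] = []
    try:
        vlan = int(row["VLAN ID"])
    except ValueError:
        vlan = -1
    if not 1 <= vlan <= 4094:
        problems.append("VLAN ID out of range")
    try:
        gateway = ipaddress.ip_address(row["Gateway"])
        subnet = ipaddress.ip_network(f"{gateway}/{row['Mask']}", strict=False)
    except ValueError as exc:
        return problems + [f"bad gateway/mask: {exc}"]
    if subnet.overlaps(mgmt):
        problems.append("overlaps FortiNAC eth0 subnet")
    try:
        start_s, end_s = row["Lease Pool Start-End IP"].split("-")
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
    except ValueError:
        return problems + ["lease pool must be 'start-end'"]
    if start > end:
        problems.append("lease pool start is after end")
    if start not in subnet or end not in subnet:
        problems.append("lease pool outside subnet")
    if start <= gateway <= end:
        problems.append("gateway inside lease pool")
    return problems


def validate_scopes(text: str, mgmt_subnet: str = MGMT_SUBNET) -> Dict[str, List[str]]:
    """Validate every row, then flag scopes whose subnets overlap each other."""
    mgmt = ipaddress.ip_network(mgmt_subnet)
    rows = parse_scopes(text)
    results = {row["ScopeLabel"]: validate_scope(row, mgmt) for row in rows}
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for row in rows:
        try:
            nets[row["ScopeLabel"]] = ipaddress.ip_network(f"{row['Gateway']}/{row['Mask']}", strict=False)
        except ValueError:
            continue
    labels = list(nets)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                results[a].append(f"overlaps scope {b}")
                results[b].append(f"overlaps scope {a}")
    return results


if __name__ == "__main__":
    for label, problems in validate_scopes(SCOPES_CSV).items():
        print(f"{label:24} {'OK' if not problems else '; '.join(problems)}")
```

Run it over the real export before the import and again after any scope is edited; an overlapping or mis-masked isolation subnet is exactly the kind of error that shows up later as clients in Registration getting no lease.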
FortiNAC Demo License Expired… now what?
License expiration is on the License Information dashboard widget
https://kb.fortinet.com/kb/microsites/microsite.do
Example documents
• Sample Explanation of Services from FortiNAC Pro Services Team
• Sample Implementation Report
• https://docs.fortinet.com/document/fortinac/9.1.0/deployment-guide
• https://docs.fortinet.com/document/fortinac/9.1.0/hardware-and-vm-install-guides
• https://docs.fortinet.com/document/fortinac/9.1.0/open-ports
General Overview Videos from the NAC Team
• Greg’s FortiNAC General Overview (27+mins)
• Rob’s FortiNAC General Overview (23+mins)

Miscellaneous FortiNAC Videos
• Fortilink NAC without FortiNAC (6:46)
• FortiNAC Appliance Overview (2:36mins)
• FortiNAC Manager Overview (4:11mins)
• FortiNAC LDAP Integration (5:18mins)
• FortiNAC Captive Portal (9:19 mins)
• PRO License Automated Security Response (about 10mins)
• FortiNAC Guest-BYOD-Contractor Onboarding (26+mins)
• Catching Domain Machines in the Captive Portal (4+mins)
• Camera Profiling (1+min)
• Managing Device Firewall Policy using FSSO (6+mins)

Videos from Rick Leclerc, Fortinet Security Architect
• FortiNAC Least Privilege Access Matrix Video (9:34mins)
• FortiNAC Elevator Pitch Video (3:48 mins)
• FortiNAC FortiAnalyzer Integration Video (6:38mins)
• FortiNAC Discovery Video (10:38)
• FortiNAC Brute Force (7:24)
• FortiNAC MAC-Spoof-Attack (8:30)
• FortiNAC Endpoint Classification (16:50)