FortiNAC v9.2 Getting Started Guide Partner

The document provides guidance for successfully completing a proof of concept (POC) with FortiNAC. It outlines a template for defining success criteria, such as installing the virtual appliance, configuring basic settings, enabling network visibility features, and testing control capabilities. Notes emphasize the network access and credentials required from the customer to complete the POC, including DHCP relay configuration, SNMP/SSH access to network devices, and an LDAP service account. Tips are provided to save time, such as ensuring the FortiNAC management interface can access devices and using password managers for credential storage.


FortiNAC v9.2 POC
A Guide to POC Success

May 2022 Update
FortiNAC Proof Of Concept – Table of Contents

Before You Begin
• Success Criteria Template
• Important Notes
• More Notes
• Reference Guides & Videos

VM Appliance Installation
• v9.X Internet Access
• Azure Notes
• VM Download
• Import to Hypervisor
• VMware Notes
• Configure FortiNAC Management IP
• Initial Login
• Setup Wizard
• Register License
• Registration Of Your Appliance
• Get the License File
• Import License File
• Create Credentials
• Change CLI Credentials?
• Customer Tasks
• Test CLI root Access
• Basic Network
• Skip to Summary
• Reboot
• GUI Access
• LDAP 1, LDAP 2 & LDAP Test
• Add System Admins
• Email Settings
• Admin Time-out
• System Settings
• Update Firmware
• Backups

Visibility - Network Inventory
• Uplink Threshold
• Network Inventory & Containers
• Add NW Device Manually
• NW Discovery
• Results & Ports tab
• Other tabs
• Polling for IP
• Adapters view
• Visibility Tips
• Endpoint Fingerprints
• Service Connectors
• Basic Device Profiling Rules: Basics, How to Start, Example - TV, Test it, Run it, Methods, Tools
• Filters for Hosts/Adapters
• L2 & L3 Groups
• Device Mappings
• API Read-Only Access

SNMP EXTRAS
• SNMP Examples
• Cisco SNMPv3 Auth
• Cisco SNMPv3 AuthPriv
• Cisco SNMPv3 Example
• Cisco SNMP Traps
• Fortigate SNMPv3 Auth-Privacy
• Meraki Switch SNMPv3 Auth-Privacy
• Cisco ASA ASDM & CLI SNMPv3
• Cisco WLC SNMPv3
• Aruba IAP SNMPv3
• HP ProCurve CLI SNMPv3
• HP ProCurve CLI SNMPv3 Traps

Other Sections
• Using your company's DHCP Server for Isolation Networks
• Social Media For Captive Portal
• Device Profiling Example – OT Environment
• RADIUS Server Initial Config
• RADIUS for FortiSwitch Ports
• FortiOS6 Syslog Parser
• Fortigate Security Fabric Integration
• L3 Isolation Reference Design
• FortiNAC VM/Appliance Isolation Reference Example
• Additional Reference Material

Wireless Integrations
• FortiAP w/Fortigate Controller (MAB): Fortigate Details, Interface Prep, SNMP, Add to Inventory, Results, Session Polling, Session Results, Test
• Meraki iPSK Integration

Legend: New or Changed Links; CTRL-Click to Follow Links

Before You Begin Your FortiNAC POC
Let’s do some planning and discussion before we start!

FortiNAC Proof Of Concept – Success Criteria Template
Typical Success Criteria for a FortiNAC POC
Virtual Appliance: Installation and basic configuration
• Customer was able to install FortiNAC FNC-CA-VM on their platform of choice
• Customer was able to work through the start-up wizard and the “configWizard” with a little help from this guide and documentation links
• Customer was able to configure basic LDAP integration, email notification, review remote back-up options and begin the process of adding network devices in the Network Inventory
Visibility (for all locations in the scope of the POC)
• Customer enabled NMAP and FortiGuard IoT as part of the start-up wizard and is sending copies of their DHCP requests to FortiNAC’s eth0 Management Address
• Customer was able to effectively add all of their network inventory into FortiNAC’s network inventory
• A host database was populated with MAC Address, IP and “location” (switch port, wireless interface)
• Endpoint Fingerprints show suggested device types
• MDM integration was performed where applicable, depending on customer’s applications (Intune, JAMF, GSuite etc.)
• Device profiling of at least 3 different device types (usually IP Phones, printers, cameras) and customer understands the process well enough to continue building device profiles on their own.
• Domain computers were registered with MDM, WMI or the FortiNAC Agent (or a combination), and the customer understands the difference between the three
• Created Filters in Adapters/Hosts views to look for specific device types and customer has the knowledge to build them on their own.
Control
• Created Host Profiles for device types we created in Visibility phase and customer understands how a host profile is used in policies and can build one on their own
• Created several NAC policies and customer understands how to build them on their own.
• Review Port Groups and Port Level Group Membership for Forced Registration, Forced Remediation, Forced Reset Default and Role Based Access.
• Created a POC Port Group and added one or more switch ports to this group.
• Discussed SNMP Traps vs RADIUS for switch ports and customer understands how a NAC policy is triggered.
• Customer understands the difference between manual Layer-2 polling and triggered MAC notification and why we might manually poll in a POC.
• Customer provided a device (laptop, printer, camera etc.) we can use for testing on a switch port.
• NAC policies were successfully tested on the switch ports in the POC Port Group.
• Customer created a test SSID that uses RADIUS MAB and configured FortiNAC to manage network access and successfully tested one or more device types connecting to one SSID.
Other Discussion Topics
• Professional Services installation vs. POC installation
• Captive Portal and onboarding options for customer BYOD, Guest, Contractor etc.
• Discuss Certificates and where they are applied in an installation
• Answer any open questions
• Schedule reference call when POC didn’t cover every possible angle of installation
• Schedule executive summary if required by the customer

FortiNAC Proof Of Concept – Important Notes

Getting Prepared – Customer Requirements

Virtual Machine Config
• 4vCPU – 12G of RAM – 100G disk space (we can load thin/dynamic except Azure for POC, but not for production)
• Two Ethernet Interfaces (included with basic machine image)
• Use your Password Manager to save your FortiNAC password changes!!
• LDAP Service Account that has BIND access to the directory

Visibility for Wired Networks and Most Wireless LAN Controllers
• DHCP Relayed to FortiNAC (IP Helpers sent to FortiNAC Mgmt IP). If you already forward DHCP requests to a DHCP Server, add FortiNAC to the list.
• SNMP Read-Only access & SSH Access for Layer2/3 devices & WLC
• Optional: SNMP MAC Traps sent to FortiNAC (can configure after first session)
• API Keys for some products (Meraki, MIST etc)

Control For Wired Networks
• SNMP R/W Access & SSH Access for Layer2/3 devices (non-Radius control)
• SNMP MAC Traps sent to FortiNAC Eth0 interface (Management IP)
• At least two VLANs on the switch for Role Based changes, one for each role.
• Create at least one new VLAN for a sample Isolation
• Prepare some wired devices connected to switch for testing; find a test port or two

Control For Wireless Networks
• Test SSID that is exclusive to FortiNAC testing
• At least two Interfaces (VLANs, Roles) for Role Based changes
• Wireless Device able to see test SSID

Email me with questions along the way. Screen shots are helpful.

Eth0 & Eth1 in a POC
Eth0 is the Management address, Eth1 is for applications (DHCP, DNS, Portal etc.). Start the POC with no Eth1 networks configured.

Time Saving Tips
1. FortiNAC's eth0 IP Address needs to have access to the network devices. Much time has been wasted on POC calls fixing ACLs and Firewall policies to allow PING, SNMP, SSH, HTTPS access to various firewalls, routers, switches and wireless systems. Please be prepared!
2. FortiNAC needs management access to the network devices. Most of the time it's R/W SNMP and full SSH access (Cisco Level-15). Without it we usually do not have a successful POC.
3. We need a Service-Account for LDAP access. It does not have to be an administrator account. If you use your personal account and your password changes, LDAP look-up breaks on FortiNAC.
4. There are several credentials associated with FortiNAC access. DO NOT FORGET PASSWORDS!

Appliance Access to Updates
1. FortiNAC v9.2 uses CentOS yum repositories located at fnac-updates.fortinet.net (currently redirects to updates.bradfordnetworks.com)
2. The access could be blocked by a company Proxy; be prepared to work with your CSE to allow access.
3. Default access is set to FTP but that can be changed after the appliance CLI is available.
4. Proxy for yum updates is only completed in the CLI, while proxy access to system updates can be managed in the GUI in System Settings.
FortiNAC Proof Of Concept – More Notes

Prior to First Online Session Customer Will:

Review this Guide with your Fortinet/Partner SE
• Finalize Success Criteria (Slide 2 is template)

VM Install
• Appliance Import/Install to Hypervisor
• Configure Linux VM via Hypervisor Console
• Register FortiNAC Evaluation License
• License the FortiNAC Appliance
• Run through this start up guide as far as possible
• Test CLI by SSH'ing to FortiNAC using CLI root account.

FortiNAC Basics
• Add Authentication – LDAP (Active Directory) Integration
• Add Sys Admin Users with AD credentials
• Configure Email notifications

Prepare for Visibility Session
• Build your Network Inventory
• Add as many network devices as possible

Email me with questions along the way. Screen shots are helpful.

Many features that seem simple require ample discussion, planning and configuration that are normally completed by the FortiNAC installation engineers. In order to keep our POC focused and successful we try to stay on track with specific features and scope.

We have many reference accounts that will talk to you about their production usage of FortiNAC to make sure you understand how advanced features work in a similar environment.

POC FAQs

Q. After the POC, is my FortiNAC fully Installed?
A. Absolutely not. The POC is aimed at showing specific features and we do not perform a full installation.

Q. Can I give you access to my network and let you work unattended?
A. Absolutely not. In addition to the testing of certain functions, this is also a knowledge transfer opportunity. I will not do the driving for a POC, just the navigating.

Q. If I check the box to POC every single feature, will you?
A. Probably not. The intent is to show you some great value but it's not aimed at having a fully functional system. We have customer references that can show you a fully functional system.

Q. Can I use my POC for a full production test?
A. See Q #1, this is not a fully functional system. But sure, if you want to put a partially installed system with no support into production that is an option.

FortiNAC Proof Of Concept Reference Guides & Videos

General FortiNAC Documentation
• FortiNAC | Fortinet Documentation Library

Deployment and Install Guides
• https://docs.fortinet.com/document/fortinac/9.2.0/deployment-guide
• https://docs.fortinet.com/document/fortinac/9.1.0/hardware-and-vm-install-guides

V9.2 Release Notes
• Release Notes | FortiNAC 9.2.0 | Fortinet Documentation Library

Greg's FortiNAC Videos
• https://www.youtube.com/channel/UCjGRWVFUxNsY6Xfq4YN1GLw

Jeff's FortiNAC Videos
• https://www.youtube.com/channel/UCATKZBUODzUwduI1yJDF71w
FortiNAC POC
VM Appliance Installation

Greg Genta’s video describes how to set up the FortiNAC OVA Appliance for VMware. This
video is now deprecated because it shows the start up wizard prior to v9.2, but still worth
watching. https://www.youtube.com/watch?v=aoyf6N05iIU

FortiNAC install guide for all appliance types (AWS, Azure, Hyper-V, KVM, VMware and HW):
https://docs.fortinet.com/document/fortinac/9.1.0/hardware-and-vm-install-guides

Appliance Installation: v9.X Internet Access
FortiNAC v9.x runs on CentOS 7.7 and uses YUM for some FortiNAC module installs/updates and all CentOS updates. The updates are stored on a Fortinet repository. The host name for the updates is fnac-updates.fortinet.net (currently redirects to updates.bradfordnetworks.com).
!! Default protocol to access the repositories is FTP
Without Internet access, a new install of FortiNAC will result in missing modules and is not something we should use in a POC.

To change the protocol for repository access, SSH to the FortiNAC CLI. Use an editor like vi or nano, or WinSCP.
• cd /etc/yum.repos.d
• Edit bradford.repo
• Change the 4 FTP instances to https or http
Check connectivity with yum repolist -v

If FortiNAC reaches the Internet through your proxy, for YUM updates:
• Edit /etc/yum.conf
• Set (add) the proxy line:
  proxy=http://<Proxy-Server-IP-Address>:<Proxy-Port>
• If proxy credentials are needed, add these lines:
  proxy_username={Proxy-User-Name}
  proxy_password={Proxy-Password}

To configure proxy access for FortiNAC system updates, in the GUI: System->Settings->System Communication->Proxy Settings
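The two CLI edits above (FTP to https in bradford.repo, proxy lines in yum.conf) as a script with a verification step. This is an added example, not from the guide: the function names, the constructed sample file contents and the demo proxy values are mine, and it assumes POSIX sh, awk and sed.

```shell
#!/bin/sh
# Added example, not from the FortiNAC guide: apply the two yum changes the
# guide describes (ftp:// -> https:// in bradford.repo, proxy lines in yum.conf)
# to a given file and verify the result. Defaults point at the real files; the
# demo at the bottom works only on constructed copies in a temp directory.

# Rewrite every ftp:// URL in the repo file to the chosen scheme (https default),
# keeping a .bak copy so the FTP version can be restored.
fix_repo_protocol() {
  repo=${1:-/etc/yum.repos.d/bradford.repo}
  scheme=${2:-https}
  tmp=$(mktemp) || return 1
  cp -p "$repo" "$repo.bak" &&
    sed "s#[Ff][Tt][Pp]://#$scheme://#g" "$repo" > "$tmp" &&
    cat "$tmp" > "$repo"          # cat (not mv) keeps the file's owner and mode
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Number of lines still using ftp:// (0 means every instance was changed).
count_ftp_refs() {
  grep -c '[Ff][Tt][Pp]://' "$1" || true
}

# Put proxy= (and optional credentials) directly under [main], dropping any
# earlier proxy* lines so repeated runs do not pile up duplicates.
set_yum_proxy() {
  conf=${1:-/etc/yum.conf}; url=$2; user=$3; pass=$4
  [ -n "$url" ] || { echo "usage: set_yum_proxy <yum.conf> <proxy-url> [user] [password]" >&2; return 1; }
  tmp=$(mktemp) || return 1
  awk -v url="$url" -v user="$user" -v pass="$pass" '
    /^proxy(_username|_password)?=/ { next }
    { print }
    /^\[main\]/ {
      print "proxy=" url
      if (user != "") print "proxy_username=" user
      if (pass != "") print "proxy_password=" pass
    }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Current proxy URL from a yum.conf (empty if none is set).
get_yum_proxy() {
  sed -n 's/^proxy=//p' "$1" | head -n 1
}

# Demo on constructed copies; the real /etc files are never touched here.
demo() {
  d=$(mktemp -d) || return 1
  # Constructed sample repo file (paths are made up, not the real bradford.repo).
  printf '%s\n' '[bradford]' 'baseurl=ftp://fnac-updates.fortinet.net/repo/9.2' \
    '[bradford-agent]' 'baseurl=ftp://fnac-updates.fortinet.net/repo/agent' > "$d/bradford.repo"
  printf '%s\n' '[main]' 'cachedir=/var/cache/yum' 'proxy=http://old-proxy.example:8080' > "$d/yum.conf"
  fix_repo_protocol "$d/bradford.repo" https
  set_yum_proxy "$d/yum.conf" http://10.0.0.5:3128 svc_yum 'PLACEHOLDER-PASSWORD'
  echo "ftp refs left: $(count_ftp_refs "$d/bradford.repo")  proxy now: $(get_yum_proxy "$d/yum.conf")"
  cat "$d/yum.conf"
  rm -rf "$d"
}
demo
```

After running against the real files, yum repolist -v (as the guide says) is still the end-to-end check that the repository is reachable.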

Appliance Installation Azure Notes
This example assumes you are deploying FNAC to an existing VNET with an existing Subnet. Also, the fixed-size disk image must be uploaded to your Azure Blob Storage Account and be available. If that is not the case, please create those objects before running this script. Update parameters with your company's real world values.

NOTE: the commands leverage the AZ module in lieu of the legacy AzureRM module.
https://azure.microsoft.com/en-us/blog/azure-powershell-cross-platform-az-module-replacing-azurerm/

You can download a standard HyperV FortiNAC image from the download directory and convert to fixed disk using QEMU as described here:
https://docs.fortinet.com/document/fortinac/hardware/azure-deployment-guide?model=all

Or

Download a pre-pared Azure Fixed-Disk Image, use this link: fortinac-8.6.0.320-FIXED.vhd.zip
https://fortinet.egnyte.com/dl/of7KcZSq4p/fortinac-8.6.0.320-FIXED.vhd.zip_
Password: FortiNAC-Fixed-Disk-Image
**Run OS and FortiNAC updates as soon as it is online**
Un-Zip the download and load into your Azure Blob. Follow the example script below.

Skip ahead to where you can access the FortiNAC GUI since Azure will auto-assign an IP to your FortiNAC Appliance.

Example script (PowerShell session running the az CLI; the VM is created with the $nacVMName parameter so the name is set in one place):

#SET PARAMETERS - MODIFY THESE VALUES TO MATCH YOUR ENVIRONMENT
$mySubscrip = "9acc4558-b556-5558-9a54-b46d555906ae4"
$myRG = "RG_FNAC"
$myLoc = "eastus"
$myVNET = "VNET_FNA"
$pathToFixedSizeDiskBlob="https://fstorage.blob.core.windows.net/mydisks/fortinac-8.6.0.320_fixed.vhd"
$nacSubnet="SUBNET_FNAC"
$nacVMName="VM_FNAC"

az configure --defaults location=$myLoc group=$myRG
az account set --subscription $mySubscrip

#CREATE RESOURCE GROUP FOR FNAC
az group create --name $myRG

#CREATE DISK FOR FNAC (from the fixed-size VHD already in Blob Storage)
az disk create --name DISK_FNAC-LAB-01-OS --source $pathToFixedSizeDiskBlob

#DEPLOY VM FOR FNAC (attach the imported disk as the OS disk)
az vm create --name $nacVMName --os-type linux --attach-os-disk DISK_FNAC-LAB-01-OS --vnet-name $myVNET --subnet $nacSubnet

#UNSET PARAMETERS
$mySubscrip = ""
$myRG = ""
$myLoc = ""
$myVNET = ""
$pathToFixedSizeDiskBlob=""
$nacSubnet=""
$nacVMName=""
Appliance Installation: VM Download
FortiNAC VM Image Download
Please log into Fortinet Support and then hit the download link to download the Virtual Appliance image:
https://support.fortinet.com/Download/FirmwareImages.aspx
- Select Product: FortiNac from drop down list
- Select Download tab
- Navigate to 9.2,3
- Download proper image version (OVA, VHD, AWS etc) for your hypervisor

If you have an issue downloading from the Fortinet support site, download one of these images:
• VMware
• HyperV

If you don't have a Fortinet support account, work with your local SE to get registered.
https://support.fortinet.com/cred/#/sign-up
Appliance Installation: Import to Hypervisor
Greg's video shows this process in great detail for VMware. https://www.youtube.com/watch?v=aoyf6N05iIU

Resource requirements for POC:
• 4 vCPU
• 8G RAM
• 100G image (load thin or dynamic if needed for POC)
• Two Network Adapters
• Start with eth1 not connected

**Production Sizing**
Network Size    Target Environment   vCPU   Memory   Disk
Up to 2,000     Small                4      16G      100G
Up to 10,000    Medium               12     24G      100G
Up to 15,000    Large                20     32G      100G
Up to 25,000    X-Large              36     96G      100G
Appliance Installation: VMware Notes
FortiNAC OVA is compatible with VM Version 7 to support customers with older ESX Hosts. That version is limited to 8 vCPUs. Upgrade to your highest "VM Compatibility" so ESX can better support FortiNAC requirements.
Appliance Installation: Configure FortiNAC Management IP via Hypervisor Console
• Start Guest VM, access FortiNAC's CLI through hypervisor console
• Login to the FortiNAC CLI using the following credentials:
  • User name = admin  Password = admin
• Apply an IP address to eth0 to use as FortiNAC's management IP
  • sudo configIP <ip addr> <mask> <default gateway>
  • Example: sudo configIP 192.168.5.244 255.255.255.0 192.168.5.1
• The system runs a script for several seconds to configure the new settings
• Reboot FortiNAC: sudo reboot
• Log back into the hypervisor console
• To confirm that the IP address for eth0 has been set correctly:
  • ip addr show
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:0c:29:21:2e:a5 brd ff:ff:ff:ff:ff:ff
        inet 192.168.5.244/24 brd 192.168.5.255 scope global eth0
• PING <default gateway> to verify connectivity
• AZURE does not allow you to set the IP via a hypervisor console. See Azure instructions.

FortiNAC CLI Basics
• FortiNAC programs are in the /bsc directories
• CampusManager = original product name
• YAMS = Yet Another Management System

Did You Know? Mike Gadoury lived in Bradford NH; he started Bradford Software Consulting (hence the /bsc).
Appliance Installation: Initial Login
After reboot wait 3-4 mins…
1. Navigate to your appliance https://<fortinac-ip>:8443/
2. Login with root/YAMS

If you see a System Processes Down message instead of the login box after 10 minutes of trying, check here for troubleshooting:
cat /bsc/logs/output.processManager
This file will show why the process is not starting.
Appliance Installation: Setup Wizard
1. Accept License Agreement
2. Note your UUID and MAC Address; these will be required for product registration (next few slides)
Appliance Installation: Server Register License
Your Fortinet team has submitted an "ITF" request that goes through an internal approval process. When approved, you will receive an email from [email protected] that contains a PDF with instructions to register and download the FortiNAC VM.

In your support portal:
• Asset -> Register/Activate
• Enter registration code
Appliance Installation: Registration Of Your Appliance
On Support Portal
• Continue your FortiNAC product registration
• Enter the UUID & MAC Address
• Select a partner and click Next
• Agree to all of the check-boxes along the way

Appliance Installation: Get the License File
When finished registering license, go back into your FortiNAC Product and “Get the
License File” – Select the FortiNAC License file (not the Bradford Sentry)

Appliance Installation: Import License File
Import the downloaded FortiNAC License File, click Next

Appliance Installation: Create Credentials
Enter a new User ID and Password to use when logging root/YAMS will be deleted
into the GUI and create CLI root password (duplicate to after this step for GUI access
CLI admin too)

a. Required in Passwords
i. At least 8 characters
ii. A lowercase letter
iii. An uppercase letter
iv. A number
v. A symbol ! @ # % ^ * ? _ ~ -
b. NOT permitted in Passwords:
i. ( ) ` $ & + | \ { } [ ] ; : " ' < > , . / =
ii. NOTE: Spaces are NOT permitted in passwords.

Select the Guided Installation, it will create a


series of Tasks that will help us walk through
the set up of the product to gain visibility as
quickly as possible.
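Because a root CLI password that the wizard rejects (or that you mistype into the password manager) means reinstalling the VM, it is worth checking the candidate against the rules above first. The following is an added example, not from the guide; the function name and the candidate strings are constructed, and it assumes POSIX sh and grep.

```shell
#!/bin/sh
# Added example, not from the FortiNAC guide: check a candidate GUI/CLI
# password against the rules listed on the Create Credentials step before
# typing it into the wizard and saving it in your password manager.

# Allowed symbols per the guide: ! @ # % ^ * ? _ ~ -
# Letters, digits and those symbols are the only permitted characters, so the
# first test rejects everything on the guide's "NOT permitted" list and spaces.
check_fnac_password() {
  pw=$1
  [ "${#pw}" -ge 8 ] || { echo "too short: at least 8 characters"; return 1; }
  if printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9!@#%^*?_~-]'; then
    echo "contains a character that is not permitted (or a space)"; return 1
  fi
  printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]'        || { echo "needs a lowercase letter"; return 1; }
  printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'        || { echo "needs an uppercase letter"; return 1; }
  printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'        || { echo "needs a number"; return 1; }
  printf '%s' "$pw" | LC_ALL=C grep -q '[!@#%^*?_~-]' || { echo "needs a symbol from ! @ # % ^ * ? _ ~ -"; return 1; }
  echo "ok"
}

# Constructed candidates for the demo; none is a real credential.
for candidate in 'Fnac-Poc-2022' 'fnac-poc-2022' 'FnacPoc2022' 'Fnac Poc 2022!' 'Fnac$Poc2022' 'Fp1!'; do
  printf '%-16s %s\n' "$candidate" "$(check_fnac_password "$candidate")"
done
```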

Appliance Installation: Change CLI Credentials?
If you ever need to change the CLI Passwords, it will be in the Administrators menu option.

a. Required in Passwords
  i. At least 8 characters
  ii. A lowercase letter
  iii. An uppercase letter
  iv. A number
  v. A symbol ! @ # % ^ * ? _ ~ -
b. NOT permitted in Passwords:
  i. ( ) ` $ & + | \ { } [ ] ; : " ' < > , . / =
  ii. NOTE: Spaces are NOT permitted in passwords.
Appliance Installation: Setup Wizard - Customer Tasks
For the POC, visibility is very important to the process, and DHCP Fingerprinting, the FortiGuard IoT service and NMAP scanning are a big part of it. PING the hostnames listed below (highlighted in blue on the slide) from the FortiNAC CLI.

The URL for the API to which FortiNAC must connect to query IoT data. The possible servers are:
Anycast:
globaldevquery.fortinet.net
usdevquery.fortinet.net
eudevquery.fortinet.net
AWS:
globaldevquery2.fortinet.net
usdevquery2.fortinet.net
eudevquery2.fortinet.net

The URL for the API to which FortiNAC must connect to send IoT data. The possible servers are:
Anycast:
globaldevcollect.fortinet.net
usdevcollect.fortinet.net
eudevcollect.fortinet.net
AWS:
globaldevcollect2.fortinet.net
usdevcollect2.fortinet.net
eudevcollect2.fortinet.net

**Please take the time to set up DHCP Relay to FortiNAC's eth1 IP address**

Cisco examples
(config)# interface ethernet0/0
(config-if)# ip address 192.168.100.1 255.255.255.0
(config-if)# ip helper-address 10.55.11.3      -> Microsoft DHCP Server
(config-if)# ip helper-address 10.55.12.50     -> FortiNAC eth1

(config)# interface vlan5
(config-if)# ip address 192.168.5.1 255.255.255.0
(config-if)# ip helper-address 10.55.11.3      -> Microsoft DHCP Server
(config-if)# ip helper-address 10.55.12.50     -> FortiNAC eth1

HP/Aruba example
(config)# vlan 5
(vlan-5)# ip address 192.168.5.1 255.255.255.0
(vlan-5)# ip helper-address 10.55.11.3         -> Microsoft DHCP Server
(vlan-5)# ip helper-address 10.55.12.50        -> FortiNAC Eth1

Fortigate example (shown as a screenshot on the original slide)
Appliance Installation: Stop and Test CLI root Access !!!
Don’t keep going if you cannot SSH to FortiNAC’s eth0 management interface using the CLI root credentials.
You just set the root CLI password – make sure it works properly or you will have to reinstall the VM.

Appliance Installation: Config Wizard Basic Network
Configure the Basic Network, * indicates required items. NTP is very important.

Appliance Installation: Config Wizard: Skip to Summary
Skip to Summary, hit the Apply button. Then hit OK at the pop-up and wait for Applying Settings (the browser tab spins, indicating it's working).
Appliance Installation: Config Wizard: Reboot
Hit the Reboot button.

Appliance Installation: Initial Web Interface (GUI) Access
https://<fortinac-ip>:8443/gui

Use the Admin GUI credentials you just created

Appliance Installation: LDAP Integration Step 1
Add Directory
1. Network->Settings->Authentication->LDAP
2. Use the Add button at the bottom
3. Config settings for your closest AD Domain Controller

Appliance Installation: LDAP Integration Step 2
Add Directory
1. **MAC Address can be any 6 sets of digits like 01:02:03:04:05:06**
2. Add Service Account in UPN format (ex- [email protected])
3. ALWAYS “Validate Credentials” – Don’t move forward if it fails
4. Accept User Attributes and Group Attributes default settings.
5. Search Branches: use your top-level DC=company,DC=com for now; we
can filter down later.
6. Select Groups: shows list of groups and users. DO NOT SELECT ANY
GROUPS YET. Click OK, go to next slide to test.

Appliance Installation: LDAP Integration – Test via Preview
1. Select your authentication server
2. Use the Preview button at the top
3. In the Filter To box, enter your AD user ID
4. Hit Search
5. Results should show first and last name and other details configured in AD.
6. Click cancel or OK to exit

Appliance Installation: Add LDAP System Admins
1. User & Hosts->Administrators
2. Click Add at bottom
3. Enter User ID, click OK button
4. Should say "This User ID was found in the directory"
5. Change Admin Profile: to System Administrator
6. Make sure there is an email address
7. Repeat for all FortiNAC Sys Admins
Appliance Installation: Configure Email Settings
1. System->Settings-> System Communications->Email Settings
2. Fill in fields appropriate to your organization
3. Test Email
4. Save Settings

Appliance Installation: Admin Time-out
Default Admin time-out on the GUI is 5 mins. Adjust that to your preference by updating the System Administrator Profile.

**Note: takes effect at next login
Appliance Installation: Settings
By default, you can see appliance settings in System->Settings, Network->Settings and Users & Hosts->Settings.

By enabling Unified Settings… you can see all the settings in one location, System->Settings. (This is my preference)
Appliance Installation: Update Firmware
#1 - Configure Product and Distribution Directories
• Product Distribution Directory: Version_9_2
• Agent Distribution Directory: Agent_5
#2 Save Settings
#3 Download latest v9.2.X
#4 Install version you just downloaded
Follow as the updates are applied. Wait 5 mins and log back in.
Appliance Installation: Backups *Please*
FortiNAC has a default backup, Database Backup and Database Archiving schedule.

--FortiNAC does not have a default Remote Backup Configuration.

If you are not taking snap-shots, you may lose all data if the VM crashes and is not salvageable!!

Configure the Remote Backup settings if you are not using snap-shots please.
FortiNAC POC
Visibility: Network Inventory

Visibility: Network Discovery – Uplink Threshold
FortiNAC learns your network and will create uplinks to other network devices. Two main methods:
1. A MAC-Address for another managed switch is found on a switch port. We mark that as a "Learned Uplink".
2. More than XX number of devices on a port. By default, the number is 20 but that is too low when we initially perform the network discovery. Too many ports will be configured for "Threshold Uplinks".

Configure Network->Settings->Network Device->System Defined Uplink Count to 2000 to prevent any mis-labeled uplinks during the POC.
Visibility: Network Inventory & Containers
The Network Inventory view is the key to visibility of your network
• R-Click “Customer” and change to Appliance or Company Name
• R-Click appliance/company name “add container”
• Create as many containers as you want. These can be floors, buildings, cities, countries, regions etc.
• See next page to add devices

Visibility: Add Network Device Manually
• R-Click a container, “Add Device”
• IP Address must be PING-able from FortiNAC
• Use SNMP v1, v2c, or v3; FortiNAC almost always needs Read-Write access
• Enter SSH credentials; FortiNAC needs root or level-15 type access
• “Enable Password:” only when you actually type enable while logging in
• ALWAYS USE “Validate Credentials” BEFORE HITTING OK! Do not proceed
until you have success with both SNMP and CLI

Misc Notes
• Watch out for ACLs and FW Policies!! PING/SSH from FortiNAC CLI to test
• Fortigates need PING, SNMP, HTTPS and SSH enabled on Mgmt Interface and FortiNAC added to System->SNMP users
• MIST Wireless, Meraki Switches & MRs have special needs
• Most WLCs only need SNMP Read-Only and SSH access

Add as many devices as you want. I perform this on full production networks all the time; no control is enabled by default. The more network devices we add, the better you'll understand visibility.
Visibility: Add Network Device via Discovery
Practice using the manual device method, then move to Discovery for larger amounts of network devices.

Input your IP Range, SNMP (v1, v2c, v3), CLI credentials and confirm Discovery to start.

Discovery Progress
Visibility: Network Inventory Results & Ports tab
After adding devices to your containers, there is a lot of good information almost immediately.
Visibility: Network Inventory Results & Other tabs
Element tab is some of the information we discovered.

System tab is SNMP information.

Polling tab shows recurring timing of PING and L2, as well as last success and attempted polls.

Model Configuration to be covered more in "Control" section.
Visibility: Polling for IP Addresses
To add IP Address info to your database, select your devices that have interesting ARP like firewalls, switches with SVIs etc. and enable L3 polling.

You should now see a L3 section in your polling tab.
Visibility: Adapters view of the dynamic database
In the Adapters view, you should see IP Address, Physical Address, Vendor Name, Location etc. By selecting the
column headers, you can add or remove columns. You can slide columns left or right to align them to a different view.
Any devices without an IP might not have the L3 device set up for polling.

Visibility: Tips for better visibility
Make sure the Active method and FortiGuard method are enabled.

Send a copy of DHCP requests to FortiNAC's Management address (Eth0). Zoom in for details on various network devices.
Visibility: Endpoint Fingerprints
FortiNAC's Fingerprints view is the result of the various tools running in the background. The tools are listed as "Source" on the far right. The results need to be validated and ranked, but it is a very nice view of your network in the beginning.
FortiNAC POC
Service Connectors

Service Connectors: Many Options
FortiNAC's Service Connectors offer integrations with other services. MDM servers are a great way to synchronize an existing database of your devices with FortiNAC.

EMS Integration:
https://docs.fortinet.com/document/fortinac/9.2.0/forticlient-ems-device-integration

All Other MDMs:
https://docs.fortinet.com/document/fortinac/9.2.0/third-party-mdm-device-integration
FortiNAC POC
Basic Device Profiling Rules
(DPR)

DPR: Device Profiling Basics
FortiNAC’s Device Profiling Rules (DPR) are used to confirm a device type (Endpoint Fingerprints are suggestions). DPRs are mostly used
for IoT and OT devices. One good use case for WMI polling is for your corporate, domain-joined computers. The goal is to identify
hosts/adapters as a specific device type (shown in the Name column).** Changing a rogue device to a Device Type does nothing other
than provide clearer visibility into your database. It DOES NOT initiate any policy changes**

DPR: New DPR – How to Start

You can select and modify any number of the default DPRs that come with the initial setup.

You can find a device type (by filtering on Device Type), select all the lines, R-Click and select Create Device Profiling Rule.

DPR: New DPR – Television Example
On the previous slide, we selected all the Television examples and created a new DPR. The General tab is mostly blank by default: click Enabled, name it, check the box for Automatic and select a Type. On the Methods tab, FortiNAC added the vendor MAC Address info (OUI) and the DHCP parameters.

Hit the OK Button to save it.

DPR: New DPR – Test it

Back to the filtered list on Endpoint Fingerprints, R-Click one of the lines and select Test Device Profiling Rule. The rule should match.

DPR: New DPR – Run it
Back to Device Profiling Rules, you should see your new DPR in the list (usually at the bottom). Click the “Run” button, click Yes to evaluate rogues in the
database. After hitting OK, check out the Rogue Evaluation Queue Size.

DPR: Methods are important
By combining Methods, we can profile different types of devices based on available
information. A detailed description of each device type is listed below.

https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/29753/adding-a-rule

We will spend time in the POC profiling many of your devices. Many will be easy, some will be a challenge. We will discuss why…

DPR: Tools to help Profile
In the adapter or host view, R-Click a device and use Run NMAP Scan or Run FortiGuard IoT Scan and see if there is any interesting information.

NMAP will sometimes show open ports and device types that we can use in the profiling process.

DPR: Filters for Hosts/Adapters

After profiling a device, create a filter for use with Hosts/Adapters.
1. Click the Create button in the search list
2. Name the filter, usually click Shared
3. On the Host tab, set Device Type to match your device profiling rule
4. You can add the Registered Device option to see only registered devices. Otherwise you will also see devices that are still rogues but that Endpoint Fingerprints suggest are this device type.

FortiNAC POC
SNMP Examples

Visibility: Network Devices Topology – Add Devices Cisco SNMPv3 Auth
snmp-server user FortiMD5 FortiNAC v3 auth md5 FortiNAC2021 priv aes 256 FortiNAC2021
snmp-server user FortiSHA FortiNAC v3 auth SHA FortiNAC2021 priv aes 256 FortiNAC2021
snmp-server group FortiNAC v3 auth read FortiNAC write FortiNAC notify FortiNAC
snmp-server group FortiNAC v3 auth context vlan- match prefix read FortiNAC notify FortiNAC
snmp-server view FortiNAC iso included
snmp-server view FortiNAC system included
snmp-server view FortiNAC interfaces included

Debug your SNMP Session:
debug snmp requests
terminal monitor

Visibility: Network Devices Topology – Add Devices Cisco SNMPv3 AuthPriv
snmp-server user FortiSHA-DES FortiNAC v3 auth SHA FortiNAC2021 priv des FortiNAC2021
snmp-server group FortiNAC v3 auth read FortiNAC write FortiNAC notify FortiNAC
snmp-server group FortiNAC v3 auth context vlan- match prefix read FortiNAC notify FortiNAC
snmp-server view FortiNAC iso included
snmp-server view FortiNAC system included
snmp-server view FortiNAC interfaces included

Debug your SNMP Session:
debug snmp requests
terminal monitor

Visibility: Network Devices Topology – Add Devices Cisco SNMPv3 Auth-Privacy Examples
1. snmp-server user FortiSHA FortiNAC v3 auth SHA FortiNAC2021 priv AES FortiNAC2021
2. snmp-server user FortiSHA-3DES FortiNAC v3 auth SHA FortiNAC2021 priv DES FortiNAC2021
3. snmp-server user FortiSHA-DES FortiNAC v3 auth SHA FortiNAC2021 priv DES FortiNAC2021

Visibility: Network Devices Topology – Cisco SNMP Traps
FortiNAC can use SNMP Traps to enhance visibility with real-time updates of switch information. This is especially useful for older Cisco switches that do not support RADIUS requests very well.

SNMP Traps can be sent independently of the SNMP version used for discovery. So even if you modeled the switch with SNMP v3, you can send traps with SNMP v2c or v3.

On the Cisco switch, we like to see MAC-Notification traps on switch ports:

interface FastEthernet0/2
 switchport access vlan 199
 switchport mode access
 switchport voice vlan 200
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 spanning-tree portfast

Add these global commands:

mac address-table notification change
mac address-table notification mac-move
mac address-table notification threshold
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold

To send SNMP v1/2c traps:

snmp-server host <FortiNAC Mgmt IP> <Any Community String>
(FortiNAC ignores the community string; set it to anything you want)
Example:
snmp-server host 172.16.50.7 FortiNAC01
snmp-server host 172.17.50.9 FortiNAC02

To send SNMP v3 traps:

snmp-server host 172.16.50.7 traps version 3 auth FortiSHA mac-notification

Visibility: Network Devices Topology – Add Devices Fortigate SNMPv3 Auth-Privacy Examples

Visibility: Network Devices Topology – Add Devices Meraki Switch SNMPv3 Auth-Privacy Examples

FortiNAC Network Devices Topology – Add Devices Cisco ASA ASDM & CLI SNMPv3 Examples
snmp-server group FortiNAC v3 priv
snmp-server user FortiNAC FortiNAC v3 encrypted auth sha <passwd> priv aes 128 <passwd>
snmp-server user-list FortiNAC-Grp username FortiNAC
snmp-server host NW-Mgmt 172.16.50.6 poll version 3 FortiNAC
snmp-server location UnderGroundBunker
snmp-server contact Jeff Reed

FortiNAC Network Devices Topology – Add Cisco WLC SNMPv3 Examples

FortiNAC Network Devices Topology – Add Aruba IAP SNMPv3 Examples

FortiNAC Network Devices Topology – Add HP ProCurve CLI SNMPv3 Examples

Step 1 – Enable SNMPv3 and go through the wizard

HP2530(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ******
Privacy protocol is DES
Enter privacy password: ******
User 'initial' has been created
Would you like to create a user that uses SHA? [y/n] n
User creation is done. SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only
access (you can set this later by the command 'snmpv3 restricted-access')? [y/n] n

HP2530(config)# sh snmpv3 user

Status and Counters - SNMP v3 Global Configuration Information
User Name                        Auth. Protocol   Privacy Protocol
-------------------------------- ---------------- ----------------
initial                          MD5              CBC DES

Step 2 – Disable the Initial User and create your privileged user

HP2530(config)# snmpv3 user FortiNAC auth md5 ******** priv des ********
HP2530(config)# snmpv3 group managerpriv user FortiNAC sec-model ver3
HP2530(config)# no snmpv3 user initial
HP2530(config)# sh snmpv3 user

Status and Counters - SNMP v3 Global Configuration Information
User Name                        Auth. Protocol   Privacy Protocol
-------------------------------- ---------------- ----------------
FortiNAC                         MD5              CBC DES

FortiNAC Network Devices Topology – Add HP ProCurve CLI SNMPv3 Traps

FortiNAC POC – Advanced Topics
Fortigate Initial Discovery, Tweaks and converting to Read-only API Access

Fortigate: Interface Prep
1. Choose your management interface
2. Ensure PING, SSH, HTTPS and SNMP are enabled
3. Make sure your firewall rules/policies allow access

Fortigate: SNMP
1. Under System->SNMP
1. Make sure your SNMP Agent is enabled
2. Create a v2 or v3 SNMP community
3. Add FortiNAC’s management IP as an IP host allowed to query SNMP

Make sure you hit the Apply button!

Fortigate: Add to Inventory
1. R-Click a container and click Add Device
2. Choose your preferred SNMP protocol and enter the SNMP Settings
3. Configure the CLI settings
4. Always Validate Credentials

Fortigate: Results
1. It may take a few minutes and a browser refresh to see the Virtualized Devices tab
2. If you are managing switches and APs, those should also come into view

Fortigate Session Polling
1. R-click the Fortigate, select Firewall Session Polling
2. Enable at 30min frequency and hit the Poll Now button

Fortigate: Session Results
1. Wait 5 minutes
2. Check Users & Hosts->Fortigate Sessions and make sure your firewall has session information

Fortigate: L2 & L3 Groups
1. R-click Fortigate and select Group Membership
2. Make sure L3 and all L2 groups are checked

Fortigate: Test Device Mappings
1. R-click Fortigate and select Test Device Mapping
2. Should show L2, L3 and VLAN information

Fortigate: API Read-Only Access
Add API Read-Only Access to Fortigate
API keys increase the accuracy of some transactions.
1. Create a REST API Admin administrator account on the Fortigate
2. Copy the API Key that is created by the process
3. SSH to the FortiNAC CLI and set the Fortigate’s attribute to use an API token:
1. device -ip 203.0.2.126 -setAttr -name APIToken -value "r5kpQy5rt0pGywjb439ftmhp7Qm3rr"

FortiNAC POC – Advanced Topics
Using your company's DHCP Server for Isolation Networks

Using your company's DHCP Server for Isolation Networks Part 1
Using your company’s DHCP server may be an easier path to success, especially in a POC. This makes FortiNAC just the DNS server in remote isolation networks.
1. Enable each interface (Registration, Remediation, Dead End) you need in the design
2. Assign an IP/Mask/GW – the same rules apply here, it must be in a different subnet than Eth0.
3. Add Remote Isolation Subnets – These are the subnets where YOUR DHCP server provides the

Using your company's DHCP Server for Isolation Networks Part 2

The Config Wizard will create static routes eliminating any loops in the routing on eth0 and eth1.
1. Go to Summary, Apply

Using your company's DHCP Server for Isolation Networks Part 3

The Config Wizard will create static routes eliminating any loops in the routing on eth0 and eth1.
1. After the Apply, Reboot
**You will see errors before you reboot indicating that you did not create scopes. Ignore those errors.**

Using your company's DHCP Server for Isolation Networks Part 4
Create DHCP Scopes on your company DHCP server.
1. The Router for the scope is the L3 gateway for the devices/hosts in the Isolation subnet
2. The DNS server is FortiNAC’s Eth1 IP address.
3. Repeat for all Remediation, Dead End etc. scopes

Using your company's DHCP Server for Isolation Networks Part 5
Send a copy of the DHCP Request to FortiNAC’s Eth0 Management IP. DHCP Fingerprinting in the Isolation network is an integral part of FortiNAC’s visibility.
See examples below
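As an added example (this is not FortiNAC or Fortinet code; it stands in for what a fingerprinting collector does with the relayed copy), the Python below parses a client DHCP message and pulls out the fields used for fingerprinting: the client MAC, hostname (option 12), vendor class (option 60) and the ordered parameter request list (option 55). The sample packet, MAC and hostname are constructed; the parameter list is the one typically sent by Windows clients.

```python
"""Extract DHCP fingerprint fields from a relayed DHCP Discover (added example, not FortiNAC code)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area (RFC 2132)


@dataclass
class DhcpFingerprint:
    mac: str
    msg_type: Optional[int] = None        # option 53: 1 = DISCOVER, 3 = REQUEST
    hostname: Optional[str] = None        # option 12
    vendor_class: Optional[str] = None    # option 60, e.g. "MSFT 5.0"
    param_list: List[int] = field(default_factory=list)  # option 55, order preserved

    @property
    def signature(self) -> str:
        """The ordered parameter request list is the classic DHCP fingerprint."""
        return ",".join(str(p) for p in self.param_list)


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area; tolerate pad (0) and stop at end (255)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> DhcpFingerprint:
    """payload is the UDP payload (BOOTP header + options) of the relayed DHCP packet."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = struct.unpack("!BBB", payload[:3])
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("only Ethernet client requests carry a fingerprint")
    mac = ":".join("%02x" % b for b in payload[28:28 + hlen])   # chaddr field
    opts = parse_options(payload[240:])
    fp = DhcpFingerprint(mac=mac)
    if opts.get(53):
        fp.msg_type = opts[53][0]
    if 12 in opts:
        fp.hostname = opts[12].decode("ascii", "replace")
    if 60 in opts:
        fp.vendor_class = opts[60].decode("ascii", "replace")
    if 55 in opts:
        fp.param_list = list(opts[55])
    return fp


def build_discover(mac: str, hostname: str, vendor_class: str, params: List[int]) -> bytes:
    """Construct a minimal DHCP Discover so the example runs offline (sample data only)."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs=0, flags=broadcast, 4 zero addresses
    hdr = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0)
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128    # chaddr, sname, file
    opts = (bytes([53, 1, 1])
            + bytes([12, len(hostname)]) + hostname.encode()
            + bytes([60, len(vendor_class)]) + vendor_class.encode()
            + bytes([55, len(params)]) + bytes(params)
            + b"\xff")
    return hdr + MAGIC_COOKIE + opts


# Constructed sample: locally administered MAC, made-up hostname, Windows-style parameter list.
SAMPLE_DISCOVER = build_discover(
    "02:00:5e:10:00:01", "eng-ws-01", "MSFT 5.0",
    [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252])

if __name__ == "__main__":
    fp = parse_dhcp(SAMPLE_DISCOVER)
    print(fp.mac, fp.hostname, fp.vendor_class, fp.signature)
```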

FortiNAC POC – Advanced Topics
Social Media For Captive Portal Using LinkedIn

FortiNAC Social Networking for Guest Portal
How It works:
• FortiNAC uses an API integration with the various Social
Media sites
• Facebook, Google, LinkedIn, Outlook, Twitter and Yahoo
are available options
• Usually, you are logging into the social media sites
developer account and creating an app.
• The app will provide an “App ID” or “Client ID” and a
“Secret”
• These are configured in the FortiNAC Portal
Configuration->Global->Settings
• One of the pages in the captive portal is configured for
Social Networking authentication
• When a user selects the link for Social Networking in the
captive portal, the Social Media Networks are displayed
for them to choose.
• When the user has properly authenticated with their Social
Media Account, normal processing of the captive portal
occurs

FortiNAC Social Networking (LinkedIn) for Guest Portal
How It works:
• Log in to https://www.linkedin.com/developers
• Select My Apps and +Create App

FortiNAC Social Networking (LinkedIn) for Guest Portal
• Enter App Name
• LinkedIn Requires a Company
Page
• Add your Company Logo
• Add the FQDN of the
FortiNAC application
appliance
• You will be presented your
Client ID and Client Secret.
(Also available later by
clicking your app, go to the
Auth tab.)
• Add the authorized redirect
URL on the Auth tab.

FortiNAC Social Networking (LinkedIn) for Guest Portal
• Navigate to FortiNAC Portal
Configuration
• Open Global->Settings
• Choose one of the 3 options
(Standard, Custom, Game)
• Click the “Enable LinkedIn
Auth” button
• Fill in Client ID and Client
Secret.
• Apply to save

FortiNAC Social Networking (LinkedIn) for Guest Portal
• Navigate to FortiNAC Portal
Configuration
• Under Registration->Login
Menu
• Choose the page you selected
for “Social” authentication
which was Custom in this
example.
• Change any text for the
customer situation
• Apply to save

FortiNAC Social Networking (LinkedIn) for Guest Portal
• Navigate to FortiNAC Portal Configuration
• Under Registration->Custom Login & Custom Login Form, change any text for the customer situation
• Apply to save

FortiNAC Social Networking (LinkedIn) for Guest Portal

• Navigate to the FortiNAC Portal: https://<FortiNAC FQDN>/registration/index-registration.jsp
• Use another browser or a Private window to prevent getting disconnected from the Admin interface
• Verify the wording of the main login page
• Click your custom login option

FortiNAC Social Networking (LinkedIn) for Guest Portal

• All of the available Social options, based on what you selected under Global->Settings
• Click Sign in with LinkedIn

FortiNAC Social Networking (LinkedIn) for Guest Portal

• A new window will pop up with the LinkedIn logo and you are signing into the LinkedIn site
• This says Welcome Back because I was already through the process once.
• After successful authentication, the portal process will continue.

FortiNAC POC – Advanced Topics

Device Profiling Example – OT Environment

FortiNAC Device Profiling – OT Example

• In this example we will describe how to find the PLC device and ensure it is always in the correct L2 segment on a switch and managed by the OT Firewall policy.
• In the diagram, we see the ISFW – the Fortigate 30D, the SCADA Historian and several switches and PLC devices
• Note: The PLC device communicates to the SCADA Historian over TCP ports 502, 3060, 4124 & 7721

FortiNAC Device Profiling – OT Example

• Port 4 of this Cisco Switch is a Schneider Electric vendor OUI device.
• Through DHCP Fingerprinting we see the hostname and Operating System.
• Because this PLC is downstream from the Fortigate, the Fortigate also sees the hostname and operating system.

FortiNAC Device Profiling – OT Example

• A Device Profiling Rule is created to search for PLC devices in the FortiNAC database.
• In Registration Settings, a custom device icon was created.

FortiNAC Device Profiling – OT Example

• Four unique testing “Methods” were selected. Refer back to the OT diagram at the beginning of this section for the IP and ports of the SCADA Historian.
• Vendor OUI is Schneider Electric – This matches the hardware vendor of the PLC
• Fortigate method captures the host name and OS from session details.
• Network Traffic – as seen by the Fortigate, filters on TCP port 3060 between the PLC and the SCADA Historian in the data center
• TCP port probe validates TCP port 3060 is open on the PLC device as expected.

When all of these are TRUE, the device in the database is converted from a Rogue to a PLC Device
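The four-method rule above, as an added example that is not FortiNAC's own profiling engine: it ANDs the Vendor OUI, Fortigate session, Network Traffic and TCP port probe methods over a small constructed host table, and only a host that passes all four is converted from Rogue to PLC. The historian IP, host IPs, MACs and OS strings are placeholders (the slide's diagram holds the real ones), and the port probe is injected so the code runs offline.

```python
"""Evaluate the OT slide's four-method Device Profiling Rule (added example, not FortiNAC code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed values: the slide's diagram gives the real historian IP; this one is a placeholder.
HISTORIAN_IP = "10.10.50.20"
PLC_PORTS = {502, 3060, 4124, 7721}        # from the slide: PLC <-> SCADA Historian ports

PLC_RULE = {
    "device_type": "PLC",
    "vendor": "Schneider Electric",        # Vendor OUI method
    "peer_ip": HISTORIAN_IP,               # Network Traffic method: flow to the historian ...
    "port": 3060,                          # ... on TCP 3060, also used by the TCP port probe
}


@dataclass
class HostRecord:
    mac: str
    ip: str
    state: str = "Rogue"
    vendor: str = ""                       # vendor name resolved from the OUI
    fgt_hostname: str = ""                 # host name from FortiGate session details
    fgt_os: str = ""                       # OS from FortiGate session details
    flows: Set[Tuple[str, int]] = field(default_factory=set)  # (dst_ip, dst_port) seen by the FortiGate


Probe = Callable[[str, int], bool]        # injected so the example runs offline


def method_vendor_oui(host: HostRecord, rule: Dict) -> bool:
    return host.vendor.lower() == rule["vendor"].lower()


def method_fortigate(host: HostRecord, rule: Dict) -> bool:
    # The slide says this method "captures the host name and OS from session details";
    # here it passes when the FortiGate supplied both (assumed criterion).
    return bool(host.fgt_hostname) and bool(host.fgt_os)


def method_network_traffic(host: HostRecord, rule: Dict) -> bool:
    return (rule["peer_ip"], rule["port"]) in host.flows


def method_tcp_probe(host: HostRecord, rule: Dict, probe: Probe) -> bool:
    try:
        return probe(host.ip, rule["port"])
    except OSError:          # unreachable host: a failed probe is FALSE, never TRUE
        return False


def evaluate(host: HostRecord, rule: Dict, probe: Probe) -> Dict[str, bool]:
    """Return each method's verdict; the rule matches only when all are TRUE."""
    return {
        "vendor_oui": method_vendor_oui(host, rule),
        "fortigate": method_fortigate(host, rule),
        "network_traffic": method_network_traffic(host, rule),
        "tcp_probe": method_tcp_probe(host, rule, probe),
    }


def run_rule(hosts: List[HostRecord], rule: Dict, probe: Probe) -> List[str]:
    """Convert matching rogues to the rule's device type, like clicking Run on the DPR."""
    converted = []
    for host in hosts:
        if host.state == "Rogue" and all(evaluate(host, rule, probe).values()):
            host.state = rule["device_type"]
            converted.append(host.mac)
    return converted


# Constructed sample data standing in for FortiNAC's host database and a live port probe.
OPEN_PORTS = {"10.10.60.15": PLC_PORTS, "10.10.60.16": {80, 443}}


def sample_probe(ip: str, port: int) -> bool:
    if ip not in OPEN_PORTS:
        raise OSError("no route to host")
    return port in OPEN_PORTS[ip]


def sample_hosts() -> List[HostRecord]:
    return [
        HostRecord("02:00:5e:00:00:01", "10.10.60.15", vendor="Schneider Electric",
                   fgt_hostname="plc-line4", fgt_os="VxWorks",
                   flows={(HISTORIAN_IP, 3060), (HISTORIAN_IP, 502)}),
        # Same vendor, but an HMI panel that talks HTTPS only: must stay Rogue.
        HostRecord("02:00:5e:00:00:02", "10.10.60.16", vendor="Schneider Electric",
                   fgt_hostname="hmi-panel", fgt_os="Windows", flows={(HISTORIAN_IP, 443)}),
        # Unreachable device with the right vendor: the probe raises, so it stays Rogue.
        HostRecord("02:00:5e:00:00:03", "10.10.60.99", vendor="Schneider Electric",
                   fgt_hostname="spare-plc", fgt_os="VxWorks", flows={(HISTORIAN_IP, 3060)}),
    ]


if __name__ == "__main__":
    hosts = sample_hosts()
    print(run_rule(hosts, PLC_RULE, sample_probe))
    for h in hosts:
        print(h.mac, h.state, evaluate(h, PLC_RULE, sample_probe))
```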

FortiNAC Device Profiling – OT Example

• A Network Access policy was developed for PLC Devices
• The User/Host Profile is a filter looking into the FortiNAC database for a specific set of characteristics. In this case, Device = PLC
• The Network Access Config indicates the action. In this case the PLC device should be moved to the Manufacturing Logical Network.

**Logical Networks could indicate VLANs on a switch or a wireless interface.

FortiNAC Device Profiling – OT Example

• The Model Configuration of the Cisco switch was configured to use VLAN 127 for the Manufacturing Logical Network.

FortiNAC Device Profiling – OT Example

• All of the Cisco switch ports are in a Port Group called 2960Ports.
• That group is nested under Managed Ports
• That group is nested under Role Based Access

That means all of the Cisco switch ports will participate in Network Access policies

FortiNAC Device Profiling – OT Example
A very simple process is added to notify FortiNAC when a device connects to the switch (or is disconnected)
• Two mac-notification commands added to every port.
• The snmp-server is configured to send traps to both primary and secondary FortiNAC appliances.
• Three additional global commands at the bottom.

By adding these commands, FortiNAC is immediately updating the host database. But policy is not enforced until the ports are in Role Based Access and the Model Configuration is completed.

FortiNAC Device Profiling – OT Example

When the Network Access policy is enforced, the PLC device is in VLAN 127 and receives an IP in that DHCP Scope (from the Fortigate in this design). FortiNAC is not the DHCP server for production networks.

FortiNAC Device Profiling – OT Example

• With Security Fabric integration, FortiNAC updates the Firewall Users with the IP address of the PLC and sends two tags – Manufacturing and PLC

FortiNAC Device Profiling – OT Example
• A firewall policy can be created that only allows verified (By
FortiNAC) PLC devices access to the SCADA Historian using the
known protocols for that communication.

FortiNAC POC – RADIUS Server Initial Config

FortiNAC RADIUS Server
FortiNAC has two RADIUS processes called “Proxy” and “Local Service”
• Proxy can be used for MAC Address Bypass (MAB) without any need to proxy requests, and it will proxy EAP requests to another RADIUS server (something like Microsoft NPS, FortiAuthenticator etc.)
• Local Service has all the components you need to manage RADIUS connections like MAB, EAP-TLS and PEAP (and more) all within FortiNAC
• Traditional RADIUS authentication ports 1812 or 1645 can be defined on either service, but you cannot assign the same port number to Proxy and Local Service at the same time.

FortiNAC RADIUS Server
• For the POC, we can set up the Local Service for basic RADIUS policy. Create a new default configuration at the
bottom of the page.
• Choose your EAP Types required for EAP Authentication
• In the TLS Config, define your certificate for EAP-TLS and verify the other settings

FortiNAC RADIUS Server
You are now ready for basic testing of RADIUS-based policies. I strongly suggest starting out with basic
MAC Address Bypass (MAB) on a test SSID or switch port. Understand the combination of a NAC
Process along with RADIUS before you progress to EAP-Based RADIUS Authentication.

https://docs.fortinet.com/document/fortinac/8.8.0/wifi-802-1x-based-network-using-fortinac-local-radius-server

https://docs.fortinet.com/document/fortinac/8.8.0/wireless-integration-overview
https://docs.fortinet.com/document/fortinac/8.8.0/aruba-and-alcatel-wireless-controllers-integration
https://docs.fortinet.com/document/fortinac/8.8.0/aruba-instant-ap-wireless-integration
https://docs.fortinet.com/document/fortinac/8.8.0/aerohive-wireless-access-points-integration
https://docs.fortinet.com/document/fortinac/8.8.0/cisco-wireless-controller-integration
https://docs.fortinet.com/document/fortinac/8.8.0/mist-wireless-device-integration

FortiNAC RADIUS Server PEAP Authentication
Join FortiNAC to your domain for PEAP Authentication
https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/670285/local-winbind-configuration

FortiNAC RADIUS Server
Troubleshooting Tips
1. Go back and read the step by step guides
2. Retype your RADIUS secrets (use copy-paste from notepad to eliminate typos)
3. Check the RADIUS Service Log or Server Log for the red errors, fix those.
4. Show Flagged Errors Only

FortiNAC RADIUS Server
Troubleshooting with tcpdump
1. Make sure RADIUS requests are actually arriving at FortiNAC’s eth0 interface
2. See if FortiNAC is sending a response
3. Remember the RADIUS handshake can be good, but if FortiNAC’s policy does not allow access,
an Access-Denied might be sent.

tcpdump port 1645 and host 172.16.253.30 -vv

• Where 1645 is your authentication port (could be 1812)
• 172.16.253.30 is the NAS device we expect
RADIUS packets from
• -vv is a good level of detail
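To make the tcpdump output concrete, here is an added example (not FortiNAC's or Fortinet's code) that builds the MAB Access-Request a switch would send, decodes it the way you would read it off the wire, and applies the two checks these slides describe: the packet must come from the IP FortiNAC expects (the NAS-IP-Address attribute is ignored, as the FortiSwitch section later notes) and the shared secret must decrypt User-Password cleanly, otherwise it is time to retype the secret. Assumptions: the switch sends the MAC as both User-Name and PAP User-Password (common MAB behaviour, not stated on the page); the IPs, MAC and secret are constructed, and the "reject" strings model the checks rather than FortiNAC's actual decision logic.

```python
"""Build and check a RADIUS MAB Access-Request (added example, not FortiNAC code)."""
import hashlib
import ipaddress
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, each block XORed with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\0")


def build_mab_request(mac: str, nas_ip: str, secret: bytes, ident: int = 1,
                      authenticator: Optional[bytes] = None) -> bytes:
    """What a switch sends for MAB: User-Name and User-Password both carry the MAC (assumed format)."""
    ra = authenticator or os.urandom(16)           # Request Authenticator
    user = mac.encode()
    attrs = [
        (USER_NAME, user),
        (USER_PASSWORD, pap_encrypt(user, secret, ra)),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),   # ignored by FortiNAC per the slides
        (CALLING_STATION_ID, mac.upper().replace(":", "-").encode()),
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def parse_radius(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Decode header and TLV attributes, the same fields tcpdump -vv prints."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field %d does not match packet size %d" % (length, len(pkt)))
    attrs: Dict[int, bytes] = {}
    i = 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute %d" % atype)
        attrs[atype] = pkt[i + 2:i + alen]
        i += alen
    return code, ident, pkt[4:20], attrs


def check_request(src_ip: str, pkt: bytes, expected_ip: str, secret: bytes) -> str:
    """Model of the two things the slides say to verify; not FortiNAC's actual decision logic."""
    if src_ip != expected_ip:
        return "reject: request came from %s, Element tab expects %s" % (src_ip, expected_ip)
    code, ident, ra, attrs = parse_radius(pkt)
    if code != ACCESS_REQUEST:
        return "ignore: code %d is not an Access-Request" % code
    password = pap_decrypt(attrs[USER_PASSWORD], secret, ra)
    if password != attrs[USER_NAME]:
        return "reject: User-Password does not decrypt to the MAC; retype the shared secret"
    return "ok: MAB request for %s from %s" % (attrs[USER_NAME].decode(), src_ip)


if __name__ == "__main__":
    pkt = build_mab_request("02:00:5e:00:00:01", "192.0.2.1", b"constructed-secret")
    print(check_request("192.0.2.1", pkt, "192.0.2.1", b"constructed-secret"))
    print(check_request("192.0.2.1", pkt, "192.0.2.1", b"wrong-secret"))
```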

FortiNAC RADIUS Server
Troubleshooting with RadiusManager CLI debug
1. Enable by typing nacdebug -name RadiusManager true
2. Output goes to the master log file located in /bsc/logs. Tail output.master searching for RadiusManager debug
messages that might indicate a configuration problem
1. tail -f output.master | grep yams.RadiusManager

FortiNAC POC – Advanced Topics
RADIUS for FortiSwitch Ports
RADIUS authentication for FortiSwitch ports is a good alternative to
SNMP Link-Up and SYSLOG notification

FortiNAC RADIUS Auth for FortiSwitch Ports
FortiNAC support for RADIUS Switch Authentication is easy on switches that make RADIUS support easy to configure. Two great examples are Meraki and FortiSwitch. Please reference the integration guides below for details on the specific integration instructions. In this guide, the switch is in FortiLink mode controlled by a Fortigate.

• https://docs.fortinet.com/document/fortinac/9.1.0/fortiswitch-integration
• Make sure you complete the prior section in this guide, RADIUS Server Initial Config

FortiNAC RADIUS Auth for FortiSwitch Ports
In order to reduce complexity and ensure success, your FortiLink IP Range should be a route-able IP range in your
network. The default 169.*.*.* range does not successfully send RADIUS request packets to FortiNAC. If you can,
perform this configuration before discovery in Network Inventory. If you already discovered your FortiSwitch, change
the DHCP Scope, reboot the switches and make sure you Resync Interfaces on the Fortigate so FortiNAC can learn the
new FortiLink IP range.

**Don’t forget the Firewall policy to allow RADIUS to/from the FortiLink IPs to FortiNAC’s management address. This includes either RADIUS port 1812 or 1645, and CoA (port 3799) from FortiNAC to the FortiLink IPs.**

FortiNAC RADIUS Auth for FortiSwitch Ports
Verify FortiNAC has the correct IP addresses for the FortiSwitches in your design. The Element tab on each FortiSwitch shows the IP Address FortiNAC expects in the RADIUS Request. If the RADIUS request is sent from any other IP, FortiNAC will reject it.

FortiNAC RADIUS Auth for FortiSwitch Ports
• Modify the VDOM Model Config
• Set RADIUS Mode to Local
• Set RADIUS Secret
• Set Source IP of this VDOM
• Select Server Config and RFC_VLAN for the Attribute Group

FortiNAC RADIUS Auth for FortiSwitch Ports
Add FortiNAC as a RADIUS server in the Fortigate
• NAS IP ignored, but you can set it to the IP of the Fortigate management interface
• Use the same RADIUS secret set earlier in FortiNAC’s Model Config for this VDOM
• Using the Fortigate CLI, configure some additional parameters (in purple) (items in green came from the GUI config)
• The source-ip parameter is the interface of the Fortigate we are using in the FortiNAC Network Inventory

FWF61E # config user radius
    edit "FortiNAC01-1645"
        set server "172.16.50.9"
        set secret "your-secret here"
        set nas-ip 192.0.2.1
        set acct-interim-interval 60
        set radius-coa enable
        set radius-port 1645
        set source-ip "192.0.2.1"
        set password-renewal disable
        config accounting-server
            edit 1
                set status enable
                set server "172.16.50.9"
                set secret "your-secret here"
                set source-ip "192.0.2.1"
            next
        end
    next
end

FortiNAC RADIUS Auth for FortiSwitch Ports

Verify RADIUS Connectivity in the FortiGate
• Fortigate sends a test RADIUS authentication for a user “test01”
• That user usually does not exist, so FortiNAC sends an Access-Reject, which is the correct response
• Connection status should be “Successful”. If not, go back to the prior slides and verify the steps.
• Use FortiNAC CLI tcpdump host 192.0.2.1 and port 1645 -vv to see this process

FortiNAC RADIUS Auth for FortiSwitch Ports
Create a Firewall User Group using the FortiNAC RADIUS server as the Remote Server.

FortiNAC RADIUS Auth for FortiSwitch Ports
Add these switch-controller specific commands to the Fortigate

FWF61E # config switch-controller security-policy local-access

FWF61E (local-access) # edit default

FWF61E (default) # append mgmt-allowaccess radius-acct

FWF61E (default) # append internal-allowaccess radius-acct

FWF61E (default) # end

FWF61E #


FortiNAC RADIUS Auth for FortiSwitch Ports
WiFi-Switch Controller
• Create a FortiSwitch Security Policy using MAC Authentication bypass and the FortiNAC Firewall User Group from the last slide.
• Optionally set Auth Fail VLAN and EAP pass-through (EAP is an advanced topic, don’t enable it unless you have EAP configured on FortiNAC.)

Apply the new security policy to your test ports
• Make sure Allowed VLANs includes any VLANs you need for your VLAN assignments
• Native VLAN is not required here, I set it to Registration to look nice, but it is not required to be set to anything specific



FortiNAC RADIUS Auth for FortiSwitch Ports
For the VDOM we are testing, set your VLANs for all the various policies you will be using in Role Based Access

FortiNAC RADIUS Auth for FortiSwitch Ports
In the FortiNAC Network Inventory, set the Server Config and Shared Secret for each switch.

FortiNAC RADIUS Auth for FortiSwitch Ports
Create a Port-Group for your test ports. These ports need to be in the Role Based Access group membership and Forced Registration (for POC Testing). You can see I selected ports 13-22 on my FortiSwitch. In this view, I am selecting the ports from the Fortigate, not the actual switch (a little counterintuitive).

FortiNAC RADIUS Auth for FortiSwitch Ports
**I like to create a port group called Managed Ports and then nest the port groups I want to manage there.**

Nest Managed Ports under Forced Registration and Role Based Access.

Forced Registration ports will allow Rogue Device Isolation.

Role Based Access ports will allow NAC Policies like Printer, Camera associated with Logical Networks.

FortiNAC RADIUS Auth for FortiSwitch Ports
Testing methods and verifying what happens under the hood (RADIUS RESPONSE):
• Connect a device to the test ports
• Use tcpdump to validate your expectations
• Use tcpdump host 172.16.31.2 and port 1645 -vv

FortiNAC RADIUS Auth for FortiSwitch Ports
RADIUS Accounting and CoA are also happening in the background
• Use tcpdump host <switch-ip> and port 1813 -vv to see accounting data
• Use tcpdump host <switch-ip> and port 3799 -vv to see CoA in action

FortiNAC RADIUS Troubleshooting
Set the Service Log Level to “High”, FortiNAC Server Log Debug to “Enabled” and include the
NAC Debug.

FortiNAC RADIUS Troubleshooting
Service Status shows whether the service is up or not. Check here first if your service status is not “Running”.

FortiNAC RADIUS Troubleshooting
Service Log is the same data in /var/log/radius.log. A lot of great detail here. Check the box on
the upper right to just show the flagged errors.

FortiNAC RADIUS Troubleshooting
Server Log shows how FortiNAC’s policy engine processes the RADIUS requests and will show
the logical network and the details of what is sent as a result of the policy.

FortiNAC RADIUS Auth for FortiSwitch Ports
Something really important to understand… The switch configuration is NOT changed using the RADIUS method (it is changed with the SNMP and Syslog methods). Even though the Raspberry Pi is now sending traffic on VLAN 119, the Native VLAN was not changed.

FortiNAC RADIUS Auth for FortiSwitch Ports
A BONUS to this design is the ability to manage devices connected to an unsupported device downstream from a
FortiSwitch port. Even a small FortiSwitch can assign different VLANs for 20 devices on the dumb switch. Just a
reminder, everything on the dumb switch would be in the same broadcast domain. The VLAN Assignment for the
various devices happens at the packet level when they enter the FortiSwitch port.

FortiNAC RADIUS Auth for FortiSwitch Ports
Follow up Actions:
• Develop an IP-Phone policy to place the IP Phones in the Voice VLAN
• Create another FortiSwitch Security Policy similar to the MAB policy and also enable EAP.
• Create a duplicate FortiNAC RADIUS server but change the authentication port to 1645 and follow the integration
guide for 802.1X using the local RADIUS server

FortiNAC POC – Advanced Topics
Adding FortiOS6 Syslog Parser

142
FortiOS6 Syslog Parser
https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/353748/security-event-parsers

1. Add a Security Event Parser

FortiOS6 Syslog Parser
https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/353748/security-event-parsers

2. Set the Data Fields

Format: Tag/Value
CSV Delimiter: comma
Tag Delimiter: =
Source IP Column: srcip
Destination IP Column: dstip
Type Column: type
Subtype Column: subtype
Threat ID Column: virusid
Description Column: virus
Severity Column: level

FortiOS6 Syslog Parser
https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/353748/security-event-parsers

3. Set the Severity Mappings (FortiOS level → FortiNAC severity)

EMERGENCY = 10
NOTICE = 3
INFORMATION = 1
ERROR = 9
ALERT = 7
WARNING = 5
CRITICAL = 8

FortiOS6 Syslog Parser
https://docs.fortinet.com/document/fortinac/9.2.0/administration-guide/353748/security-event-parsers

4. On your Fortigate’s Element tab, set Incoming Events to Security Events.


Make sure the IP Address on the Element tab is the same as the source-ip of the syslog packets.
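To see what the parser configuration above actually does to an event, here is an added Python example (not FortiNAC or Fortinet code) that applies the same Tag/Value format, tag delimiter, column names and severity mapping to constructed FortiOS-style lines. The sample events, the IP addresses in them and the threat IDs are constructed for illustration; the CSV delimiter is a parameter because the FortiNAC parser has a CSV Delimiter field (comma on this page), and you can pass a space if your device sends space-separated pairs.

```python
"""Apply the FortiOS6 Security Event Parser settings from this guide to raw syslog lines.

Added example, not FortiNAC code. SAMPLE_EVENTS are constructed lines, not device output.
"""
import ipaddress

# "Set the Data Fields": parser column name -> tag used in the syslog message.
FIELD_MAP = {
    "source_ip": "srcip",
    "destination_ip": "dstip",
    "type": "type",
    "subtype": "subtype",
    "threat_id": "virusid",
    "description": "virus",
    "severity": "level",
}

# "Set the Severity Mappings": FortiOS level -> FortiNAC severity.
SEVERITY_MAP = {
    "emergency": 10, "alert": 7, "critical": 8, "error": 9,
    "warning": 5, "notice": 3, "information": 1,
}

SAMPLE_EVENTS = [  # constructed examples
    # warning-level AV hit: maps to severity 5
    'type=utm,subtype=virus,level=warning,srcip=10.20.30.40,dstip=203.0.113.10,'
    'virusid=2172,virus="EICAR_TEST_FILE",action=blocked',
    # critical-level hit whose quoted description contains the CSV delimiter
    'type=utm,subtype=virus,level=critical,srcip=10.20.30.41,dstip=198.51.100.7,'
    'virusid=1001,virus="Constructed.Name, with comma",action=blocked',
    # system event with no source/destination IP: nothing to correlate to a host
    'type=event,subtype=system,level=information,msg="Constructed admin login"',
    # malformed source IP: rejected rather than guessed
    'type=utm,subtype=virus,level=error,srcip=not-an-ip,dstip=203.0.113.10,virusid=7,virus="X"',
]


def split_fields(line, delim=","):
    """Split on the CSV delimiter, but never inside a double-quoted value."""
    fields, buf, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        if ch == delim and not in_quote:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    fields.append("".join(buf))
    return [f.strip() for f in fields if f.strip()]


def parse_tag_values(line, delim=",", tag_delim="="):
    """Turn 'k=v,k2="v 2"' into {'k': 'v', 'k2': 'v 2'}; fields without a tag delimiter are ignored."""
    pairs = {}
    for field in split_fields(line, delim):
        if tag_delim not in field:
            continue
        tag, value = field.split(tag_delim, 1)
        pairs[tag.strip()] = value.strip().strip('"')
    return pairs


def parse_event(line, delim=",", tag_delim="="):
    """Map one syslog line onto the parser's columns.

    Returns None when FortiNAC could not act on the event: a missing or invalid
    source/destination IP (no host to match), or a level with no severity mapping.
    """
    pairs = parse_tag_values(line, delim, tag_delim)
    event = {name: pairs.get(tag) for name, tag in FIELD_MAP.items()}
    for key in ("source_ip", "destination_ip"):
        try:
            event[key] = str(ipaddress.ip_address(event[key]))
        except (ValueError, TypeError):
            return None
    level = (event["severity"] or "").lower()
    if level not in SEVERITY_MAP:
        return None
    event["severity"] = SEVERITY_MAP[level]
    return event


def events_at_or_above(lines, min_severity, delim=","):
    """Usable events whose mapped severity reaches the threshold a security policy would trigger on."""
    parsed = (parse_event(line, delim) for line in lines)
    return [e for e in parsed if e is not None and e["severity"] >= min_severity]


if __name__ == "__main__":
    for event in events_at_or_above(SAMPLE_EVENTS, 1):
        print(event)
```

Run it as-is to see which of the four constructed lines survive; only the two with valid IPs and a mapped level do, and the second keeps its full description because the comma inside the quotes is not treated as a delimiter.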

FortiNAC POC – Wireless Integrations

147
FortiAP – Fortigate Wireless Controller
MAB & Bridged Mode

148
FortiAP Access Control - MAC Authentication
This guide will focus on using FortiNAC for MAC-Based Access Control; see the latest on the docs site.
https://docs.fortinet.com/document/fortinac/9.2.0/fortigate-endpoint-management-integration-guide
**Assumption is the Fortigate Wi-Fi controller is already in the FortiNAC Inventory**

MAC Authentication Bypass is an effective process for Wi-Fi access control for devices lacking a supplicant. This
method works with both OPEN and PSK SSIDs. Pre-Shared Keys offer additional privacy but also extra
administration in providing the PSK to users.

Testing for this guide was completed with a Fortigate 61E running v6.4.8 b1914 and a FortiAP Wall Jack running
v6.2 B281

149
FortiAP Access Control - MAC Authentication
FortiNAC RADIUS Review – For my lab, I have the Local RADIUS listening on RADIUS Port 1645 and Proxy RADIUS
listening on 1812. RADIUS Accounting is on port 1813. Both Local and Proxy will authenticate MAC-Auth without need
for another RADIUS server. This lab example will be using the Local RADIUS process.

150
FortiAP Access Control - MAC Authentication
Fortigate RADIUS Review – Created a RADIUS server named “FortiNAC-1645” where FortiNAC’s management IP is the
RADIUS server. Several settings need to be set via the CLI; reference the document at the beginning of this guide for details.

151
FortiAP Access Control - MAC Authentication
Modify your Fortigate’s Model Configuration. On the Virtualized Devices Tab, double-click the VDOM you are
configuring. In this example I have the standard “root” VDOM. A new tab will open, set the RADIUS settings, Secret,
Source-IP of the Fortigate and select a Server Config and set the Default RADIUS Attribute Group to RFC_VLAN.

152
FortiAP Access Control - MAC Authentication

Back on the Fortigate, open the RADIUS server; a test happens immediately, or press the “Test Connectivity” button.
Don’t proceed until you have a successful test! This confirms your basic settings are complete.

153
FortiAP Access Control - MAC Authentication
Create a new SSID – But wait… what’s the difference between Tunnel Mode and Bridge Mode?

When using a Tunnel interface on an SSID, all traffic is CAPWAP tunneled to the Fortigate. The VLAN ID for FNAC Policy is
added by default as you add interfaces.

When using a Bridge mode SSID, Wi-Fi client data is tagged into the L2 switch where the AP is connected. The L2
switch needs to have the VLAN created and trunked/tagged into the AP.

154
FortiAP Access Control - MAC Authentication
Create a new SSID – Start simple and test!

• Create a new SSID
• Assign to a test FortiAP
• KISS -> use an OPEN security mode and assign an optional VLAN ID (my example 198).
• **OPEN Security mode needs to be enabled in the Fortigate Feature Visibility**
• Connect Wi-Fi client: did you get an IP in VLAN 198? If not, fix all that network plumbing before you proceed.

** FortiNAC is not involved in the Auth process yet, stay focused on basic wireless and wired fundamentals**

155
FortiAP Access Control - MAC Authentication
Keep testing!

• Change Security Mode to WPA2 (or WPA3) and assign a simple passphrase
• Connect Wi-Fi client: did you get an IP in VLAN 198? If not, fix all that network plumbing before you proceed.
• Test all the VLANs you intend to use with FortiNAC

** FortiNAC is still not involved in the Auth process yet, stay focused on basic wireless and wired fundamentals**

156
FortiAP Access Control - MAC Authentication
Change settings to use FortiNAC for Authentication

• Enable Client MAC Address Filtering and choose your FortiNAC RADIUS server.
• Enable Dynamic VLAN assignment
• Set Optional VLAN back to 0 (zero).

157
FortiAP Access Control - MAC Authentication
Configure the SSID Configuration in FortiNAC

• Resync Interfaces on the Fortigate to see the new SSID and VLANs
• Edit the SSID config
• Use Custom Settings
• Set RADIUS Mode to Local
• Set to “Enforce” any policy you want to use on this SSID
• Set the “Access Value” to the appropriate VLAN for that policy.

In bridge mode, you normally won’t have the VLANs defined on the Fortigate unless you are using
FortiSwitches as your distribution layer. But with FortiNAC, you need to create VLANs on the Fortigate
as place-holders, so they show as options in the drop-down Access Value lists.

158
FortiAP Access Control - MAC Authentication

Ready to test!!

• From the FortiNAC CLI run this command: tcpdump host <fortigate ip> and port 1645
• Connect a wireless client to your test SSID.
• You should see an Access-Request and an Access-Accept.
• If not, troubleshoot FortiNAC Policies and RADIUS services.

• Test with Rogue devices and any other devices you have profiled. The VLAN ID should match your Access-Values

159
Meraki iPSK Integration

160
Meraki iPSK Access Control Use Cases
This guide will focus on using FortiNAC v8.8 for MAC-Based Identity PSK Network Access Control.
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication

**Meraki access point software needs to be MR 26.5 or better to have access to iPSK**
** Assumes general knowledge of navigating around FortiNAC **
Business Case #1
IT director in manufacturing wants to control what devices can connect to an SSID on his Meraki Access Points.
His RF experts recommend as few SSIDs as possible to keep the Wi-Fi environment as efficient as possible.
None of the devices are capable of 802.1x. She needs encryption of data due to financial risk audit
recommendations.
Solution:
Using FortiNAC v8.8, manage the list of approved devices, by MAC Address and utilize Meraki Group Policies
to use just a single SSID encrypted with WPA2-PSK

Business Case #2
IT director in healthcare wants to control what devices can connect to an SSID on his Meraki Access Points.
His RF experts recommend as few SSIDs as possible to keep the Wi-Fi environment as efficient as possible.
None of the devices are capable of 802.1x however auditors said all traffic must be encrypted.
Solution:
Using FortiNAC v8.8, manage the list of approved devices, by MAC Address and utilize Meraki IPSK and Group
Policies to use just a single SSID encrypted with WPA2-PSK

161
Configure Hosts Device Type
FortiNAC can identify a device type through various methods
• Manually add the host as a device using the host’s MAC Address (rarely used)
• Import devices from a Mobile Device Manager (InTune, Airwatch, FortiClient EMS etc)
• Use Device Profiling to determine device type (most popular)

Verify your devices match the device type for the managed access requirements

162
Create Host Profiles for your device Types

Policy->Policy Configuration-> User/Host Profiles.

163
Create Logical Networks

164
Create Manufacturing Network Access Policy

165
Create Healthcare Network Access Policy

166
Create Meraki iPSK SSID
Network->Wireless->SSIDs->Rename, Edit Settings

167
Edit SSID RADIUS Settings

168
Create Meraki Network Wide Group Policies
VLAN 127 & 126 need to be tagged/trunked on switch
ports where Access Points connect to network

169
Add Meraki AP to Topology

170
Add Meraki Group Policies and RADIUS Secret

171
Resync Interfaces and they show up in model view

172
Set “Local RADIUS Server” to Respond

Uncheck the box for the native RADIUS server so it does not respond to requests.

Then enable the Local RADIUS Server and input your RADIUS port (see other slides for initial
RADIUS setup).

173
Set Meraki AP Model Config

In the Meraki iPSK solution, the PSK used by the end user has to match the Tunnel-Password in order for the
user to authenticate to the SSID

Optionally, you can use the Access Value as the password

174
Validate with tcpdump from FortiNAC CLI (SSH w/root user)

When successfully connecting your Healthcare device to the Meraki iPSK SSID, you enter the PSK password that matches
the Tunnel-Password attribute created in the Meraki AP Model Config.
Use packet capture to verify the Access-Accept includes the Filter-ID (Meraki Group Policy) and the Tunnel-Password (iPSK
Password).
➢ tcpdump -i eth0 port 1812 -vv
➢ or
➢ tcpdump -i eth0 host 172.16.154.119 and port 1812 -vv
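Both the FortiAP test (watch for an Access-Request and Access-Accept on the RADIUS port) and this Meraki check (confirm the Access-Accept carries Filter-Id and Tunnel-Password) come down to reading RADIUS attributes out of a capture. The following is an added Python example, not FortiNAC, Fortinet or Meraki code, that decodes an Access-Accept, checks its Response Authenticator against the shared secret, and decrypts the Tunnel-Password with the RFC 2868 salt-encryption that RADIUS servers use for that attribute. The packet, the shared secret, the Request Authenticator, the Filter-Id name and the PSK are all constructed so it runs offline; only the wire formats (RFC 2865, RFC 2868 section 3.5) are real. The VLAN value 126 is one of the Meraki group-policy VLANs mentioned on the page.

```python
"""Decode a RADIUS Access-Accept: attributes, Response Authenticator, Tunnel-Password.

Added example for this guide, not vendor code. SECRET, REQUEST_AUTH and the built packet
are constructed; the formats follow RFC 2865 and RFC 2868 section 3.5.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_FILTER_ID, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE = 11, 64, 65
ATTR_TUNNEL_PASSWORD, ATTR_TUNNEL_PRIVATE_GROUP_ID = 69, 81

SECRET = b"constructed-shared-secret"   # constructed; the real one lives in the AP model config
REQUEST_AUTH = bytes(range(16))         # constructed Request Authenticator of the Access-Request


def encrypt_tunnel_password(password, secret, request_auth, salt):
    """RFC 2868 3.5: b1 = MD5(S+R+A), bn = MD5(S+c(n-1)); returns Salt + ciphertext (Tag not included)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first octet set")
    plain = bytes([len(password)]) + password          # length octet, then the PSK
    plain += b"\x00" * (-len(plain) % 16)              # pad to a multiple of 16 octets
    out, prev = b"", None
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + request_auth + salt).digest() if prev is None \
            else hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += prev
    return salt + out


def decrypt_tunnel_password(value, secret, request_auth):
    """Inverse of encrypt_tunnel_password; `value` is the attribute value after the Tag octet."""
    salt, cipher, plain, prev = value[:2], value[2:], b"", None
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        b = hashlib.md5(secret + request_auth + salt).digest() if prev is None \
            else hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, b))
        prev = block
    if not plain or plain[0] >= len(plain):
        raise ValueError("Tunnel-Password length octet is inconsistent with the ciphertext")
    return plain[1:1 + plain[0]]


def build_packet(code, identifier, authenticator, attrs):
    """attrs: list of (type, value) pairs; the per-attribute Length includes its 2-octet header."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    """Returns (code, identifier, authenticator, [(type, value), ...]) with length checks."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + ln]))
        pos += ln
    return code, identifier, packet[4:20], attrs


def response_authenticator(packet, request_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()


def build_access_accept(identifier, request_auth, secret, filter_id, psk, vlan):
    """Constructed reply carrying what the guide says to look for, plus the RFC 3580 VLAN triple."""
    salt = b"\x9a\x5c"                                                 # constructed; high bit set
    attrs = [
        (ATTR_FILTER_ID, filter_id.encode()),
        (ATTR_TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big")),         # Tag 0, 13 = VLAN
        (ATTR_TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big")),   # Tag 0, 6 = IEEE-802
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode()),
        (ATTR_TUNNEL_PASSWORD, b"\x00" + encrypt_tunnel_password(psk.encode(), secret, request_auth, salt)),
    ]
    unsigned = build_packet(CODE_ACCESS_ACCEPT, identifier, b"\x00" * 16, attrs)
    return unsigned[:4] + response_authenticator(unsigned, request_auth, secret) + unsigned[20:]


def summarize_access_accept(packet, request_auth, secret):
    """What to check in the capture: code, authenticator, Filter-Id, VLAN and the decrypted PSK."""
    code, _, auth, attrs = parse_packet(packet)
    if code != CODE_ACCESS_ACCEPT:
        return None
    if not hmac.compare_digest(response_authenticator(packet, request_auth, secret), auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or reply not from this server")
    summary = {}
    for t, v in attrs:
        if t == ATTR_FILTER_ID:
            summary["filter_id"] = v.decode()
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            summary["vlan"] = (v[1:] if v[0] <= 0x1F else v).decode()  # Tag > 0x1F is part of the string
        elif t == ATTR_TUNNEL_PASSWORD:
            summary["tunnel_password"] = decrypt_tunnel_password(v[1:], secret, request_auth).decode()
    return summary


if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTH, SECRET, "Healthcare-Devices", "constructed-psk", "126")
    print(summarize_access_accept(reply, REQUEST_AUTH, SECRET))
```

The authenticator check is the part tcpdump cannot do for you: a reply whose Response Authenticator does not verify under the configured secret is either a secret mismatch between FortiNAC and the AP (the usual POC mistake) or not from your RADIUS server at all, and the VLAN and PSK in it should not be trusted.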

175
FortiNAC POC – Advanced Topics
Fortigate Security Fabric Integration

176
Fortigate Security Fabric Integration
https://docs.fortinet.com/document/fortinac/9.1.0/fortigate-endpoint-management-integration-guide
This section assumes the Fortigate is already added to the network inventory following the Fortigate
Endpoint Integration Guide referenced above. In my example, we’ll use my Fortigate FWF61-E.

Fortigate Security Fabric Integration
Enable FSSO Communications and set the Password. This password is similar to the concept of a
RADIUS Secret and will be used in FortiNAC and Fortigate.

Fortigate Security Fabric Integration
Create a new fabric connector in the Fortigate. 6.2 versions offered a FortiNAC option; in newer
versions you can just use the FSSO Agent on Windows AD.

Fortigate Security Fabric Integration
Enter a name, FortiNAC’s management name or IP, and the same secret password configured in
FortiNAC.

Fortigate Security Fabric Integration
FortiNAC expects the FSSO packets to be sourced from the same IP we used to discover and add the
Fortigate to the Network Inventory. The source-ip setting is only available via the Fortigate CLI; set it to match
the IP of the Fortigate in FortiNAC. Check the Element tab to be sure.

Fortigate Security Fabric Integration
Press the Apply & Refresh button; it may take 2-3 attempts over 5-10 seconds until you see the
Users/Groups go from zero to fewer than 10 on the initial configuration.

Fortigate Security Fabric Integration
On FortiNAC, in System Communications, verify the internal subnets are referenced in the Addresses
list.

Fortigate Security Fabric Integration
On FortiNAC, in System Communications, verify the Address Group named SSOGRP:<Your Fortigate-Name>
shows the addresses from the previous slide.

Fortigate Security Fabric Integration
On FortiNAC Network Inventory for your Fortigate, edit the VDOM Model Configuration

1. Make sure the SSO Addresses field is using the SSOGRP for your Fortigate IP Addresses
2. Set the VDOM Source IP, usually the same as the one we set with source-ip on the Fortigate.
Fortigate Security Fabric Integration
As you build Logical Networks for NAC Policies, Add those as Firewall tags and click the Send Groups button. Go
Back to the Firewall and press the Apply & Refresh button again, and these new User Groups – Tags – Should
show up in the Users/Groups list. Other FortiNAC Host groups will show up in the Users/Groups lists.

Fortigate Security Fabric Integration
When you start applying NAC Policies, FortiNAC will send FSSO Users/Groups to the Fortigate. You can see
devices connected to my Cisco switch that were managed by FortiNAC Policies. Those devices show up in the
Firewall User Monitor (Show All FSSO Logins) along with users (Tom Edison and Jeff Reed in this example).

Fortigate Security Fabric Integration

You can use the FortiNAC Users/Groups in Firewall Policies. In this example, the DoorAlarm Policy
shows where any IP address can access the DoorAlarmServers & DoorAlarmSvc, but only if FortiNAC
confirms that it’s a real door alarm. Reference Device Profiling, where FortiNAC uses multiple processes to
validate something is a door alarm.

FortiNAC v9.2 POC
L3 Isolation Reference Design

Greg Genta’s video describes how to set up the FortiNAC Isolation networks. Well worth the 15mins!

https://youtu.be/wOPElLP1-jg

189
FortiNAC VM/Appliance Isolation Reference Design

Greg Genta’s video describes how to set up the FortiNAC Isolation networks. Well worth the 15mins!

https://youtu.be/wOPElLP1-jg

FortiNAC VM/Appliance Isolation Example
This example utilizes my fictitious company, Classic Networking, and shows the tasks related to Isolation
interface configuration.

Classic Networking Office Locations
18 Carlisle PA
19 Austin TX
20 Phoenix AZ
21 Anchorage AK
22 Burnaby BC
23 Ottawa ON
24 Mexico City MX

Legend: Microsoft DHCP and DNS servers and the FortiNAC Virtual Appliance are located in the datacenter at an
undisclosed location.

FortiNAC VM/Appliance Isolation Example

The network team maintains a master spreadsheet of the VLANs and IP Schemes for each location. Classic
Networking has standardized on several VLANs and IP Ranges for all their sites with some room for expansion.

FortiNAC VM/Appliance Isolation Example

Classic Networking uses Microsoft DHCP servers and has Super Scopes for each location with the defined
scopes for each location

FortiNAC VM/Appliance Isolation Example
Classic Networking installed FortiNAC in their Datacenter on a VMware ESX server. The
management interface is 172.16.50.4 and sits in the ETH0 vSwitch (VLAN 50) and the Isolation
networks will be in a different subnet, 172.16.51.X in the ETH1 vSwitch (VLAN51).

FortiNAC VM/Appliance Isolation Example
Classic Networking CISO has asked the security and networking teams to develop a
process to reduce cybersecurity risk by adding these tasks to their NAC
implementation (the matching FortiNAC Isolation Term follows each task):

• Isolate Rogue Devices: Any device that is not a corporate asset shall be placed
into an isolation network with appropriate controls to self-identify via captive
portal or automatically profile if it matches an existing company device
fingerprint. FortiNAC Isolation Term: Registration or Forced-Registration
• Isolate Devices At-Risk: All corporate computers shall have company approved
AV installed, EDR services validated as running and company approved OS
security and critical updates applied. Any computer not meeting those
requirements will be isolated and the reason for isolation communicated to both
the Service Desk and the user on the computer. FortiNAC Isolation Term: Remediation, Forced-Remediation or
Quarantine
• Disable devices that have an indication of compromise: IoT devices that look to
be MAC-Spoofed, devices that have failed a vulnerability scan or devices that
access malicious sites on the internet shall be isolated into a separate VLAN that
has no access to the rest of the organization. FortiNAC Isolation Term: Dead End

FortiNAC VM/Appliance Isolation Example
FortiNAC’s eth1 interface is configured for the isolation networks. The eth1 subnet is
172.16.51.X in the data center. Three IP Addresses are configured for Registration
(172.16.51.41), Remediation (172.16.51.42) and Dead End (172.16.51.43).

These address assignments do not need to be contiguous IPs

FortiNAC VM/Appliance Isolation Example
Each company location requires a dedicated VLAN for
Registration, Quarantine and Dead End isolation networks.
Using their IP Planning spreadsheet, Classic Networking
selected three of the planned expansion VLANs/Subnets for
this purpose.

Another important change at each site, on the L3 interfaces, a DHCP relay will be
added for the existing production subnets to send a copy of DHCP requests to
FortiNAC’s Management interface (to facilitate DHCP Fingerprinting), and the
isolation networks will have DHCP relayed to their respective FortiNAC isolation IP.

FortiNAC VM/Appliance Isolation Example
Next Step is to add the DHCP Scopes for the isolation
networks via the FortiNAC Config Wizard. Classic
Networking has seven sites with three new scopes per
site. Someone on the team can go through and add
them manually or import (see next slide)

FortiNAC VM/Appliance Isolation Example

Using their vast Excel skills, Classic Networking engineers quickly built three CSV files appropriate for an import.
ScopeLabel,VLAN ID,Gateway,Mask,Domain,Lease Pool Start-End IP
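For teams without vast Excel skills, here is an added Python example (not FortiNAC code and not Classic Networking’s actual spreadsheet) that builds the three import files, one per isolation interface, in the column order shown above, for the seven offices listed earlier and the three isolation roles. The per-site VLAN numbers, subnets and domain name are constructed placeholders standing in for the IP planning spreadsheet; the useful part is the validation, which catches the rows an import would choke on: a lease pool outside the gateway’s subnet, a reversed pool, a gateway inside the pool, or two scopes that overlap.

```python
"""Generate and sanity-check FortiNAC isolation DHCP scope CSVs.

Added example, not FortiNAC code. The allocation rule in planned_subnet() and DOMAIN are
constructed placeholders for Classic Networking's real IP plan.
"""
import csv
import io
import ipaddress

HEADER = ["ScopeLabel", "VLAN ID", "Gateway", "Mask", "Domain", "Lease Pool Start-End IP"]
ROLES = ["Registration", "Remediation", "DeadEnd"]   # one isolation interface / CSV each
OFFICES = {18: "Carlisle", 19: "Austin", 20: "Phoenix", 21: "Anchorage",
           22: "Burnaby", 23: "Ottawa", 24: "MexicoCity"}
DOMAIN = "iso.classicnetworking.example"              # constructed


def planned_subnet(site_id, role_index):
    """Constructed stand-in for the spreadsheet: VLAN <site>5+role, subnet 10.<site>.<210+role>.0/24."""
    vlan = site_id * 10 + 5 + role_index
    return vlan, ipaddress.ip_network(f"10.{site_id}.{210 + role_index}.0/24")


def scope_row(site_id, role_index):
    """One CSV row: gateway is the site's L3 interface that relays DHCP to the isolation IP."""
    vlan, net = planned_subnet(site_id, role_index)
    hosts = list(net.hosts())
    gateway, pool_start, pool_end = hosts[0], hosts[9], hosts[-1]   # .2-.9 left for infrastructure
    return {
        "ScopeLabel": f"{OFFICES[site_id]}-{ROLES[role_index]}",
        "VLAN ID": str(vlan),
        "Gateway": str(gateway),
        "Mask": str(net.netmask),
        "Domain": DOMAIN,
        "Lease Pool Start-End IP": f"{pool_start}-{pool_end}",
    }


def validate_row(row):
    """True when the row is internally consistent: valid VLAN, pool inside the gateway's subnet,
    pool start <= end, and the gateway itself not handed out as a lease."""
    try:
        gateway = ipaddress.ip_address(row["Gateway"])
        net = ipaddress.ip_network(f"{gateway}/{row['Mask']}", strict=False)
        start_s, end_s = row["Lease Pool Start-End IP"].split("-")
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        vlan = int(row["VLAN ID"])
    except ValueError:
        return False
    return (1 <= vlan <= 4094 and start in net and end in net
            and start <= end and not (start <= gateway <= end))


def scopes_do_not_overlap(rows):
    """Every isolation subnet must be distinct; FortiNAC adds a route per scope out eth1."""
    nets = [ipaddress.ip_network(f"{r['Gateway']}/{r['Mask']}", strict=False) for r in rows]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def build_rows():
    return [scope_row(site, role) for site in OFFICES for role in range(len(ROLES))]


def build_csv(role):
    """The import file for one isolation interface (the guide imports one CSV per interface)."""
    rows = [r for r in build_rows() if r["ScopeLabel"].endswith("-" + role)]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    all_rows = build_rows()
    bad = [r["ScopeLabel"] for r in all_rows if not validate_row(r)]
    if bad or not scopes_do_not_overlap(all_rows):
        raise SystemExit(f"fix the plan before importing: {bad or 'overlapping subnets'}")
    for role in ROLES:
        with open(f"isolation-{role}.csv", "w", newline="") as fh:
            fh.write(build_csv(role))
```

Replace planned_subnet() with a lookup into the real spreadsheet export and keep the validation as-is; it runs in well under a second for any realistic number of sites and is far cheaper than discovering a bad pool after the reboot.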

FortiNAC VM/Appliance Isolation Example
Import your CSVs for each Isolation interface

FortiNAC VM/Appliance Isolation Example
Results!

FortiNAC VM/Appliance Isolation Example
For each office location and each remote network, FortiNAC will automatically add a static route statement to
ensure packets coming from isolation networks are coming in eth1 and going back out eth1.

FortiNAC VM/Appliance Isolation Example
After hitting the Apply button on the summary page, the config files will be updated and the system is ready for
reboot.
THIS COMPLETES THE ISOLATION INTERFACE SET UP!

FortiNAC v9.2 POC
Additional Material

204
FortiNAC Demo License Expired… now what?
License expiration is on the License Information dashboard widget

When the license expires and there is still value to be shown with a POC, work with the sales team or your SE to
request another demo license.
1. Register the new license – see the beginning of this guide for details
2. Log into FortiNAC and go to System->Config Wizard and use the Obtain a license key URL to get your MAC
Address and UUID
3. Download the new license file and upload it in Config Wizard.
4. Confirm Basic Network as before-> Summary->Apply-> Reboot.
FortiNAC KB Articles

https://kb.fortinet.com/kb/microsites/microsite.do

Change IP address for FortiNAC management interfaces
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD44137

macOS agents are not natively compatible with M1 processor
https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD52992

Application Server Operating System updates fail
https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD53149

Appendix A Documentation
FortiNAC Engineering has developed extensive documentation over the years. Start here for all process documents:
https://docs.fortinet.com/product/fortinac

FortiNAC Professional Services
Professional Services is not required, but it’s highly recommended to have an
experienced deployment engineer assist with your installation. FortiNAC Pro
Services from Fortinet or services from your partner are available options.

Example documents
• Sample Explanation of Services from FortiNAC Pro Services Team
• Sample Implementation Report
• https://docs.fortinet.com/document/fortinac/9.1.0/deployment-guide
• https://docs.fortinet.com/document/fortinac/9.1.0/hardware-and-vm-install-guides
• https://docs.fortinet.com/document/fortinac/9.1.0/open-ports

Kate and John run the FortiNAC Professional Services Team

Appendix B Sample Professional Services 5-session Engagement

FortiNAC Configuration and Visibility – Working Session One (Remote/Onsite X days)
• Appliance configuration Primary and Secondary
• Integration with AD servers
• Apply certificates for appliances
• System communication for notification (email servers)
• HA configuration and validation – Primary/Secondary
• Network discovery
• Agent package preparation

Endpoint Classification Working Session Two (Remote/Onsite X days)
• Device profiling
• Re-profiling of devices on connect
• Agent policies for device and user tracking

Policy Development and Enforcement Working Session Three (Remote/Onsite X days)
• Policy Development
• Network Access
• Endpoint Compliance - audit only with notification
• Scan on connect for devices with agent
• Portal development for unknown Guest device onboarding
• Events for notification
• Syslog of Events to SIEM
• Validation of enforcement at designated pilot location(s)

Automated Response Working Session Four (Remote/Onsite X days) - Pro
• Security device integrations
• Security policy development
• Validation of security policies

Go Live Working Session Five (Remote/Onsite X days)
• Go Live support for enforcement at designated regional locations:
• Wrap Up
• Review Plan and Status
• Transition and Next Steps

FortiNAC Professional Services is NOT required to fully deploy FortiNAC, however, an experienced installer is
highly recommended! A pre-sales POC engagement skips steps, cuts corners and keeps a limited scope.

Normally we can upgrade your POC appliance to a production appliance as part of their services.

FortiNAC Professional Services DOES NOT MAKE CHANGES TO THE CUSTOMER NETWORK. CUSTOMER
SHOULD ADD TIME TO MAKE THOSE CHANGES THEMSELVES OR WITH A PARTNER.
FortiNAC Video Library
Below are some of the videos we put together to demonstrate various aspects of FortiNAC. You can view these independently or
continue reading through this presentation where there are more video links regarding specific features.

General Overview Videos from the NAC Team
• Greg’s FortiNAC General Overview (27+mins)
• Rob’s FortiNAC General Overview (23+mins)

Miscellaneous FortiNAC Videos
• FortiNAC Appliance Overview (2:36mins)
• FortiNAC Manager Overview (4:11mins)
• FortiNAC LDAP Integration (5:18mins)
• FortiNAC Captive Portal (9:19 mins)
• PRO License Automated Security Response (about 10mins)
• FortiNAC Guest-BYOD-Contractor Onboarding (26+mins)
• Catching Domain Machines in the Captive Portal (4+mins)
• Camera Profiling (1+min)
• Managing Device Firewall Policy using FSSO (6+mins)

Videos from Rick Leclerc, Fortinet Security Architect
• FortiNAC Least Privilege Access Matrix Video (9:34mins)
• FortiNAC Elevator Pitch Video (3:48 mins)
• FortiNAC FortiAnalyzer Integration Video (6:38mins)
• FortiNAC Discovery Video (10:38)
• FortiNAC Brute Force (7:24)
• FortiNAC MAC-Spoof-Attack (8:30)
• FortiNAC Endpoint Classification (16:50)
• Fortilink NAC without FortiNAC (6:46)
