FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 390113
Description

This article describes an example of how to set up VPN session management for a FortiGate in FortiNAC using the Dissolvable Agent on the end host, along with key troubleshooting steps.

Scope

FortiNAC, Dissolvable Agent and FortiGate.

Solution

  1. Network design and IP planning.

This is an example of a network diagram of a FortiNAC deployment (L3 routed), the FortiGate, and the VPN IP of the end host:

[Image: FNAC - L3 simple setup - VPN.png]

FortiNAC can apply these network configurations by following the steps in the ConfigWizard. The example below shows the configuration for the isolation interface 'Layer 3 Virtual Private Network'.

[Image: l3vpn.PNG]

Note:

The domain is important in this step because the agent on the end host uses it to discover the FortiNAC server on its isolation port through DNS SRV records. 'VPN IP Subnets' can also be used instead of the standard scope, since no DHCP service is actually used in this case: the end hosts receive their IPs from FortiGate. This setting only enables FortiNAC to respond to DNS requests coming from this subnet. A Gateway IP must be configured for the pool to complete the ConfigWizard, but the address itself is not relevant for this type of configuration.

The IP pool configuration [10.5.254.11-10.5.254.99] must match the SSL-VPN Address Range configured in FortiGate, as shown in step 2.

The services that need to be allowed on both ports in the interface-level configuration are shown below (FortiNAC CLI):

config system interface
    edit port1
        set mode static
        set ip 10.1.2.71/24
        set allowaccess https-adminui nac-agent ping radius-acct radius-auth ssh syslog
    next
    edit port2
        set mode static
        set ip 0.0.0.0/0
        set allowaccess dhcp dns http https nac-agent ping
    next
end

The flow of actions is summarized in the following diagram:

[Image: VPN - DA agent flow.png]

  2. SSL VPN configuration in the FortiGate.

This article assumes that the FortiGate is already added to FortiNAC and fully managed by it (SNMP, SSH, API, syslog).

While configuring the standard SSL VPN parameters, the DNS server configuration is very important: the first server should be the production DNS server, and the second DNS server should be the isolation IP of FortiNAC. These settings can currently only be added from the CLI; once set, they are visible in the UI:

[Image: SSL VPN settings.PNG]

In the SSL VPN portal configuration (FNAC_SSL in this example), configure the same DNS servers as above and also add the DNS suffix:

config vpn ssl web portal
    edit "FNAC_SSL"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set dns-server1 10.1.1.10
        set dns-server2 10.1.3.73
        set dns-suffix "eb.eu"
    next
end

The 'Tunnel Mode' configuration should have 'Split tunneling' set to Disabled. More details are covered in the corresponding section of the FortiGate VPN Integration guide.

If the environment does not have another RADIUS server, FortiNAC can also be used for VPN user authentication, but this is not a requirement.
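
As an added example (not FortiNAC or FortiGate code), the following Python script checks that the step 1 FortiNAC settings and the step 2 FortiGate SSL VPN settings agree before the first test: the isolation port must allow dns, http, https and nac-agent; the portal must have split tunneling disabled, dns-server2 set to the FortiNAC isolation IP and a dns-suffix; and the address object referenced by ip-pools must cover exactly the FortiNAC pool. The CLI samples are constructed from the article's values; the `config firewall address` object and the isolation IP 10.1.3.73 (taken from the dns-server2 value above) are assumptions, since the article does not show them.

```python
"""Consistency check between the FortiNAC isolation setup (step 1) and the
FortiGate SSL VPN portal (step 2). Added example; not FortiNAC/FortiGate code."""
import ipaddress
import re

# Constructed samples using the article's values.
FNAC_INTERFACES = """\
config system interface
    edit port2
        set mode static
        set ip 0.0.0.0/0
        set allowaccess dhcp dns http https nac-agent ping
    next
end
"""

FGT_PORTAL = """\
config vpn ssl web portal
    edit "FNAC_SSL"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set dns-server1 10.1.1.10
        set dns-server2 10.1.3.73
        set dns-suffix "eb.eu"
    next
end
"""

# Assumed address object behind ip-pools; the article only states that its
# range must equal the FortiNAC pool.
FGT_ADDRESS = """\
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.5.254.11
        set end-ip 10.5.254.99
    next
end
"""

FNAC_POOL = "10.5.254.11-10.5.254.99"  # 'Layer 3 Virtual Private Network' pool
FNAC_ISOLATION_IP = "10.1.3.73"         # assumed: the article's dns-server2 value
REQUIRED_ISOLATION_SERVICES = {"dns", "http", "https", "nac-agent"}


def parse_fortios_edits(text):
    """Parse one flat 'config / edit <name> / set <key> <values> / next / end'
    block into {name: {key: [tokens]}}. Quoted values give one token each."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?(.+?)"?$', line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, {})
            continue
        if line in ("next", "end"):
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            key, value = m.groups()
            blocks[current][key] = re.findall(r'"([^"]*)"', value) or value.split()
    return blocks


def check_isolation_interface(fnac_cfg, port="port2"):
    """Services the isolation port still needs in its allowaccess list."""
    iface = parse_fortios_edits(fnac_cfg).get(port, {})
    return sorted(REQUIRED_ISOLATION_SERVICES - set(iface.get("allowaccess", [])))


def check_vpn_config(fnac_pool, fnac_isolation_ip, portal_cfg, address_cfg,
                     portal_name="FNAC_SSL"):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    portal = parse_fortios_edits(portal_cfg).get(portal_name)
    if portal is None:
        return [f"SSL VPN portal '{portal_name}' not found"]
    if portal.get("split-tunneling") != ["disable"]:
        findings.append("split-tunneling must be disabled so DNS and portal traffic use the tunnel")
    if portal.get("dns-server2") != [fnac_isolation_ip]:
        findings.append(f"dns-server2 should be the FortiNAC isolation IP {fnac_isolation_ip}")
    if not portal.get("dns-suffix"):
        findings.append("dns-suffix is missing; the agent needs it for DNS SRV discovery")
    start, end = (ipaddress.ip_address(p.strip()) for p in fnac_pool.split("-"))
    addresses = parse_fortios_edits(address_cfg)
    pools = portal.get("ip-pools", [])
    if not pools:
        findings.append("no ip-pools configured on the portal")
    for name in pools:
        addr = addresses.get(name, {})
        if addr.get("type") != ["iprange"] or not {"start-ip", "end-ip"}.issubset(addr):
            findings.append(f"ip-pool '{name}' is not an iprange address with start-ip/end-ip")
            continue
        fgt_range = (ipaddress.ip_address(addr["start-ip"][0]),
                     ipaddress.ip_address(addr["end-ip"][0]))
        if fgt_range != (start, end):
            findings.append(f"range {fgt_range[0]}-{fgt_range[1]} of '{name}' "
                            f"does not match FortiNAC pool {fnac_pool}")
    return findings


if __name__ == "__main__":
    print("isolation port missing:", check_isolation_interface(FNAC_INTERFACES))
    print("findings:", check_vpn_config(FNAC_POOL, FNAC_ISOLATION_IP, FGT_PORTAL, FGT_ADDRESS))
```

Paste the real `show` output of the portal and of the address object, plus the FortiNAC interface configuration, into the three strings; an empty findings list means the values agree. The parser only understands the flat 'edit / set / next' layout shown here, which is enough for these objects.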

 

  3. Firewall policies.

In this simple example, only three firewall policies are used, in this order:

[Image: fw-policies2.PNG]

If the VPN host does not have a tag attached to it, only access to the FortiNAC isolation port is allowed (ID: 32). When the tag is present, the host gets access to internal resources (ID: 33) and to the internet (ID: 35).

Note:

During the initial configuration the tags may not yet exist in FortiGate. The policies can be created first, and the tags added to them after the first user has registered.

  4. Endpoint compliance configuration in FortiNAC.

A User/Host profile that matches only the VPN hosts (using attributes specific to this type of host) is required; it is then used in the Endpoint Compliance Policy:

[Image: EPC.PNG]

A Scan needs to be included in this policy. In this example, the Scan checks the OS, the Antivirus (from a list), and a custom scan that checks for a running process (notepad.exe). Custom scans are covered in more detail in this article: Technical Tip: Monitor Custom scans to ensure a quicker response to host compliance.

[Image: Scan.png]

Note:

It is better to change the order of operations to 'Register, Then Scan' to have more visibility into the status of the end host.

After the host is registered, a Network Access policy is used to match the host and send the tag:

[Image: NAP.png]

  5. Steps and actions followed on the end host and in FortiNAC.

After the VPN client is connected, the end host is only able to reach FortiNAC (DNS, HTTP/S and the agent port, TCP 4568). The browser will detect the presence of the portal. If it is not detected, this action can be triggered by manually entering a URL in the browser.

[Image: redirecti.png]

In the FortiNAC logs:

diagnose tail -f output.nessus

yams INFO :: 2025-05-05 14:55:45:093 :: #108 :: Remote IP = 10.5.254.11
ProbeObject = Probe
IP Address = 10.5.254.11
MAC Address = null
Device Id = 55
Interface Id = 57
User Name = gimi
Session Id = -1987295801
Time Captured = Mon May 05 14:43:08 CEST 2025
InetAddress = null

yams INFO :: 2025-05-05 14:55:45:093 :: #108 :: In VPN_Redirect.jsp
yams INFO :: 2025-05-05 14:55:45:093 :: #108 :: https://fnac74.eb.eu/  

yams INFO :: 2025-05-05 14:55:45:100 :: #108 :: MAC = null
yams INFO :: 2025-05-05 14:55:45:100 :: #108 :: User Name in ProbeObject = gimi
yams INFO :: 2025-05-05 14:55:45:100 :: #108 :: No MAC address, so need to download agent
yams INFO :: 2025-05-05 14:55:45:100 :: #108 :: Redirecting to Agent Download page, index2.html (or VpnLogin.jsp if isNewJspPortal switch is true)

Agent is downloaded:

[Image: download DA.PNG]

yams INFO :: 2025-05-05 15:02:56:962 :: #109 :: Remote User name = gimi
yams INFO :: 2025-05-05 15:02:56:962 :: #109 :: CampusMECBean.getPolicyForUser(): userId = gimi, device ID = 55, port ID = 57, webContext = vpn, nameEncoded = false
yams INFO :: 2025-05-05 15:02:56:962 :: #109 :: CampusMECBean.getPolicyForUser(): Creating Dummy HostRecord.
yams INFO :: 2025-05-05 15:02:56:979 :: #109 :: Policy Name = null
yams INFO :: 2025-05-05 15:02:56:980 :: #109 :: Policy Name = null
yams INFO :: 2025-05-05 15:02:56:980 :: #109 :: VPN user, policyName = SSL_VPN
yams INFO :: 2025-05-05 15:02:56:983 :: #109 :: agenTID = null
yams INFO :: 2025-05-05 15:02:56:986 :: #109 :: PushPersistentAgent.doGet() VPN Client so ignoring MAC address if given, and NOT doing IP->MAC
yams INFO :: 2025-05-05 15:02:56:986 :: #109 :: PushPersistentAgent.doGet() -- No HostRecord found. Creating dummy rogue HostRecord
yams INFO :: 2025-05-05 15:02:56:986 :: #109 :: Using dummy IP: 10.5.254.11
yams INFO :: 2025-05-05 15:02:57:025 :: #109 :: Found AgentUUID: b8a94e0a-91b9-4f83-9fba-601b04d8fe20 for host: null
yams INFO :: 2025-05-05 15:02:57:033 :: #109 :: Resolved Request for Meta AgentID: b8a94e0a-91b9-4f83-9fba-601b04d8fe20 for Platform: Windows to AgentID: 29bc181b-97a4-4d45-82c2-b2fc45e61248
yams INFO :: 2025-05-05 15:02:57:036 :: #109 :: agentUUID = 29bc181b-97a4-4d45-82c2-b2fc45e61248
yams INFO :: 2025-05-05 15:02:57:036 :: #109 :: Required agent = AgentDescriptor [agentID=29bc181b-97a4-4d45-82c2-b2fc45e61248, appStoreURL=null, configEncrypted=true, filename=7.6.1.0016-NetworkSentry-WINDOWS-DISSOLVABLE.exe, minServerVersion=null, name=FortiNAC Dissolvable Agent, offset=0, outputFileName=FortiNAC Dissolvable Agent.exe, platform=Windows, typeStr=DISSOLVABLE, vendor=[NetworkSentry], version=7.6.1.0016, fileSize=6187576]
yams INFO :: 2025-05-05 15:02:57:036 :: #109 :: PushPersistentAgent -- Agent Cache Hit. 29bc181b-97a4-4d45-82c2-b2fc45e61248

Agent runs and performs the Scan of the end host:

yams INFO :: 2025-05-05 15:06:17:131 :: #112 :: Looking up hr DissolvableAgentResponse
UserName:[]
Agent Version:[7.6.1.0016]
OS:[Windows 10 Pro 6.3 22H2 10.0.19045.5737]
Platform:[WINDOWS]
HostName:[Win10-HyperV]
UUID:[9B7C93F0-B6EE-41DD-8278-6B8EB4B168D0]
Domain:[]
NovellUser:[]
Interfaces:

MacDescription:
  ID = -1
  MAC = 00:14:38:00:01:23 <-- Physical MAC address that is used to register the host

...

yams INFO :: 2025-05-05 15:09:00:353 :: #106 :: SMAReport setting AgentStatus to SCAN_SUCCESS

[Image: finished.png]

Now the host appears as registered and matches the Network Access Policy that is used to send the tag:

[Image: host is registred.PNG]

The tag, populated with the host's IP, is sent to the FortiGate:

[Image: finished.png]
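
To see where a VPN session stalls in the sequence shown by these log excerpts, the following Python script (an added example, not FortiNAC code) extracts the milestones from the 'yams' log lines: the portal hit (Remote IP), the redirect, the agent download, the DissolvableAgentResponse with the physical MAC, and the final AgentStatus. The sample lines are constructed (and abridged) from the excerpts above; the milestone strings are taken from those excerpts and are not guaranteed to be identical in other FortiNAC versions.

```python
"""Trace the Dissolvable Agent VPN flow in FortiNAC 'yams' log lines.
Added example, not FortiNAC code; sample lines constructed from the article."""
import re

LINE_RE = re.compile(r"^yams\s+\w+\s+::\s+(\S+\s+\S+)\s+::\s+#\d+\s+::\s+(.*)$")
MAC_RE = re.compile(r"^\s*MAC\s*=\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")

# Milestones in the order a healthy session reaches them. group(1) of each
# pattern is the value kept; host_mac comes from the response dump instead.
MILESTONES = [
    ("remote_ip", re.compile(r"Remote IP = (\S+)")),
    ("portal_redirect", re.compile(r"(In VPN_Redirect\.jsp)")),
    ("agent_download_needed", re.compile(r"(No MAC address, so need to download agent)")),
    ("agent_offered", re.compile(r"Required agent = AgentDescriptor \[.*?version=([\d.]+)")),
    ("agent_response", re.compile(r"(Looking up hr DissolvableAgentResponse)")),
    ("host_mac", None),
    ("scan_status", re.compile(r"SMAReport setting AgentStatus to (\w+)")),
]

# Constructed sample, abridged from the article's excerpts.
SAMPLE_LOG = """\
yams INFO :: 2025-05-05 14:55:45:093 :: #108 :: Remote IP = 10.5.254.11
ProbeObject = Probe
IP Address = 10.5.254.11
MAC Address = null
User Name = gimi
yams INFO :: 2025-05-05 14:55:45:093 :: #108 :: In VPN_Redirect.jsp
yams INFO :: 2025-05-05 14:55:45:100 :: #108 :: MAC = null
yams INFO :: 2025-05-05 14:55:45:100 :: #108 :: No MAC address, so need to download agent
yams INFO :: 2025-05-05 15:02:57:036 :: #109 :: Required agent = AgentDescriptor [agentID=29bc181b-97a4-4d45-82c2-b2fc45e61248, filename=7.6.1.0016-NetworkSentry-WINDOWS-DISSOLVABLE.exe, minServerVersion=null, name=FortiNAC Dissolvable Agent, typeStr=DISSOLVABLE, version=7.6.1.0016, fileSize=6187576]
yams INFO :: 2025-05-05 15:06:17:131 :: #112 :: Looking up hr DissolvableAgentResponse
UserName:[]
Agent Version:[7.6.1.0016]
Interfaces:
MacDescription:
  ID = -1
  MAC = 00:14:38:00:01:23 <-- Physical MAC address that is used to register the host
yams INFO :: 2025-05-05 15:09:00:353 :: #106 :: SMAReport setting AgentStatus to SCAN_SUCCESS
""".splitlines()


def trace_vpn_flow(lines):
    """Return {milestone: (timestamp, value)} for the first occurrence of each."""
    found, in_response, last_ts = {}, False, None
    for raw in lines:
        m = LINE_RE.match(raw)
        if m:
            last_ts, msg = m.groups()
            for name, pat in MILESTONES:
                if pat is not None and name not in found:
                    hit = pat.search(msg)
                    if hit:
                        found[name] = (last_ts, hit.group(1))
            # the agent response is dumped as plain lines after this message
            in_response = "DissolvableAgentResponse" in msg
        elif in_response and "host_mac" not in found:
            hit = MAC_RE.match(raw)
            if hit:
                found["host_mac"] = (last_ts, hit.group(1).lower())
    return found


def first_missing_milestone(found):
    """First milestone the session never reached, or None when it completed."""
    for name, _ in MILESTONES:
        if name not in found:
            return name
    return None


if __name__ == "__main__":
    flow = trace_vpn_flow(SAMPLE_LOG)
    for name, (ts, value) in flow.items():
        print(f"{ts}  {name:22} {value}")
    print("stalled at:", first_missing_milestone(flow))
```

Feed it the lines from diagnose tail -f output.nessus (for example, saved to a file) and the first missing milestone points at the troubleshooting item to start with: no Remote IP means the browser never reached the portal (DNS or firewall policy), no agent response means the agent was not run or could not discover FortiNAC, and an AgentStatus other than SCAN_SUCCESS means the scan failed.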

 

  6. Troubleshooting.

Detailed troubleshooting methods and logs are also shown in this article: Troubleshooting Tip: Troubleshooting FortiGate VPN integrations managed by FortiNAC

    1. The portal is not showing, so the agent cannot be downloaded.

Verify that the VPN adapter on the end host is using the private DNS servers configured in the SSL-VPN settings. Make sure that no firewall policy allows communication to the production DNS server (yet), but only to the FortiNAC isolation interface.

Verify that the portal is using a valid SSL certificate that covers the configured FQDN and is trusted by the end host. In the FortiNAC UI: Portal -> Portal SSL:

[Image: cert-port.PNG]

    2. The agent is not able to discover FortiNAC.

The agent sends a DNS SRV query (using the DNS suffix) to find the IP of FortiNAC. Since FortiNAC is the only valid DNS server in the network at this point, it responds with the isolation IP, as shown below (filter dns.qry.type == 33):

[Image: SRV DA.png]

    3. The agent is asking for credentials to register the host.

When the VPN is connected with a username (for example, one local to FortiGate) that is not found in FortiNAC or in the remote directories, the Agent prompts the user to enter their credentials:

[Image: DA requiring credentials .png]

    4. The end host is failing the Scan.

In this example, the host does not have the required process running (notepad.exe) and as a result is not considered compliant:

[Image: failing scan.PNG]

The host appears as registered but is shown in the 'At-Risk' state. As a result, the host does not match the Network Access policy and the tag is not sent to FortiGate. The host still has only limited access to the network.

[Image: notag.PNG]

[Image: no tag-fgt.png]

After the user opens Notepad and rescans the host, the host status changes to normal, the Network Access policy matches, and the tag is sent to the FortiGate.

    5. The tag is not being sent.

Verify that the SSL VPN subnet is configured in the Model Configuration and that the logical network points to the tag:

[Image: vpn range.PNG]

Related articles: