Help
FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ndumaj
Staff
Staff

Created on ‎11-02-2023 05:14 AM Edited on ‎11-02-2023 05:16 AM By Community Manager

Article Id 281627

Technical Tip: Configuring and troubleshooting Firewall TAGs between FortiGate and FortiNAC-F or legacy FortiNAC

Description This article describes how to configure and troubleshoot Firewall TAGs between FortiGate and FortiNAC-F, or legacy FortiNAC.
Scope

FortiGate and FortiNAC-F/FortiNACOS or legacy FortiNAC.
Solution
  1. Log in to the FortiNAC GUI and go to System -> Settings -> System Communication Fortinet FSSO Settings.
  2. Ensure that the 'Enable FSSO Communication' box is checked and fill in the 'Password' field (see the example below):


FNACOS FSSO.png

 

  1. Create 'Firewall Tags':

 

Friewall Tags.png

 

  1. Go to the 'Topology' view, select the FortiGate, select the 'Virtualized Devices' tab, and select the VDOM to enable 'Firewall Tags'. Then, enter the tag that was created in the previous step and select 'Submit Query':


Friewall Tags2.png

 

  1. Add a FortiNAC Fabric Connector on the FortiGate:


FGT.1png.png

 

  1. Select 'Refresh' and select 'View':


FGT2.png

 

If the tag that was created on FortiNAC is visible, use these tags in the firewall policies.

 

Note:

Starting from FortiOS 7.2.4 GA, no option will be visible to add FortiNAC from the FortiGate GUI under Security Fabric -> Fabric Connectors.

However, it is still possible to configure the FSSO tags via CLI:

 

  • It is necessary to define via the CLI and set the type FortiNAC.
  • Set the FSSO setting 'group-poll-interval' > 0.
  • This will trigger the tagging exchange and they appear in the Users section of Firewall policies.


config user fsso

edit FNACLatest

set type fortinac

set server <FNAC-IP>

set password <fsso-password>

set group-poll-interval 1

end

After configuring FSSO via the CLI, enable the following debugs to make it possible to see the TAGs being exchanged between FortiGate and FortiNAC: 

 

diag debug app authd -1
diag debug console timestamp enable
diag debug enable


The following output will appear, showing that FortiNAC has exchanged the tags with FortiGate (only a bunch of the Tags that have been exchanged are shown).


debug1.png

 

Under Policy & Objects -> Firewall Policy, create a new policy.


FGT3.png

 

  1. Enable the FSSO on FortiNACOS/FortiNAC-F via CLI:

 

config system interface

edit  port1

set allowaccess dns ssh snmp syslog https-adminui radius radius-acct radius-local netflow radius-local-radsec fsso http http-adminui https nac-agent nac-ipc ping

end

 

If the service is not enabled on the FortiNACOS/FortiNAC-F interface in the FortiGate debugging, the following log message will appear, where 'FNACTAGS' is the name of the FSSO connector on FortiGate:

 

2023-10-04 14:31:43 disconnect_server_only[FNACTAGS]: disconnecting
 

Troubleshooting:

 

  1. To verify whether a TAG has been applied to a host and sent to FortiGate, use the following commands on FortiGate:

 

diagnose debug authd fsso list
diag fire auth list | grep -A 7 x.x.x.x <- Replace x.x.x.x with the IP address from the host.
diag debug auth fsso list | grep x.x.x.x <- Replace x.x.x.x with the IP address from the host.

 

  1. Force the FSSO Tag to be sent from FortiNAC to FortiGate to work around cases where the VLAN is terminating on a Layer 3 device other than the FortiGate:

     For legacy FortiNAC environments, run the following:


device -ip <IPaddress> -setAttr -name ForceSSO -value true

 

For FortiNAC-F environments, run the following:

 

execute enter-shell
device -ip <IPaddress> -setAttr -name ForceSSO -value true

 

  1. Enable the following debug options and send the Putty session output to TAC support.

For legacy FortiNAC environments, run the following commands:

 

nacdebug -name DeviceInterface true
nacdebug -name SSOManager true
Device -ip <IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"

For FortiNAC-F environments, run the following commands:

 

execute enter-shell
nacdebug -name DeviceInterface true
nacdebug -name SSOManager true
Device -ip <IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"

 

  1. Reproduce the issue. Update the ticket with the timestamps and Username.

  2. After reproducing the issue, run the following command:


grab-log-snapshot

The script will collect and zip a large number of files.
This will take several minutes.
The resulting zip file (log-snapshot-<hostname>-<timestamp>.tar.gz) is located in /tmp directory.
See article 190755  How to get a debug log report from FortiNAC.

 

*Note: To export FortiNAC-F grab-snapshot-logs, generate and download them from the GUI by referring to Technical Tip: How to get a debug log report from FortiNAC.

 

  1. Disable debugging:

For legacy FortiNAC environments, run the following:

 

nacdebug -name DeviceInterface false
nacdebug -name SSOManager false
Device -ip <FGT IPaddress> -delAttr -name DEBUG -value "ForwardingInterface TelnetServer"

 

For FortiNAC-F environments, run the following:

 

execute enter-shell
nacdebug -name DeviceInterface false
nacdebug -name SSOManager false
Device -ip <FGT IPaddress> -delAttr -name DEBUG -value "ForwardingInterface TelnetServer"

 

Related documents:

Endpoint connector - FortiNAC.

FortiNAC Device Model and Configuration.
FortiGate Endpoint Management Integration.
951
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.