Help
FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
khoffman
Staff
Staff

Created on ‎05-20-2024 10:56 AM Edited on ‎04-14-2025 02:17 AM By Moderator

Article Id 316108

Technical Tip: Connector based FSSO vs Fabric Based with FortiNAC

Description This article describes the technical differences between Connector Based FSSO (Legacy) and Fabric Based Dynamic Address Tags. 

FortiNAC supports provisioning access to endpoints using two different methods: connector-based and fabric-based.
Scope FortiNAC-F v7.2, v7,4 & FortiNAC v9.4.
Solution

Connector based FSSO and the Security Fabric Based SSO cannot be used together on the same firewall. This will cause instability when sending firewall tags.  

Connector-Based FSSO: Establish Security Fabric Connection (All Other Versions).
Technical Tip: Configure FortiNAC Tags with FortiOS 7.2.4 GA

 

  • FSSO.
  • Port 8000.
  • Tags include Username (If available), IP address, and Tag/Group information.
  • FortiNAC Debug: SSOManager.


FortiNAC logs (output.master) will show the following when sending an FSSO Tag.  
 

yams.SSOManager INFO :: 2023-12-15 07:45:23:734 :: #808 :: SSOManager.sendMessage sending message to 172.22.1.234 for client 7C:57:58:8A:1D:65, MSG=UserIDMessage[logon, mac=7C:57:58:8A:1D:65, ip=10.1.250.9, user=Pete, tags=[Registered Hosts, VPN Access, VPN_Auth]] 
 

FortiNAC logs (output.master) will show the following when removing an FSSO Tag. 

 

yams.SSOManager INFO :: 2023-12-15 07:45:24:509 :: #808 :: SSOManager.sendMessage sending message to 172.22.1.234 for client 7C:57:58:8A:1D:65, MSG=UserIDMessage[logoff, mac=7C:57:58:8A:1D:65, ip=10.1.250.9, user=Pete, tags=[Registered Hosts, VPN Access, VPN_Auth]] 

 

Fabric-Based (Dynamic Address Tags): Establish Security Fabric Connection (FortiNAC v9.2.2/FortiOS v7).
Technical Tip: How to quickly configure the security fabric with FortiNAC and FortiGate

 

  • Supported on FortiNAC version 9.2.2 and later and FOS v7 and later.
  • API Based.
  • Port 8013.
  • FortiNAC dynamically adds and removes IP addresses from Dynamic Address Tag Objects on the firewall.
  • FortiNAC Debug: SSOManager & SecurityFabricManager.

 

FortiNAC logs (output.master) will show the following when sending a Dynamic Address Tag.


yams.SSOManager INFO :: 2023-11-21 11:12:30:087 :: #606348 :: sendDynamicAddressUpdate(192.68.1.15) json = {"command_version":2,"commands":[{"command":"update","vdom":"root","addresses":[{"uuid":"VPN_AUTH","type":"ip","values":["10.40.14.1"]}]}],"serial":"FNVXCATM23000555","device_type":"fortinac"}

FortiNAC logs (output.master) will show the following when removing a Dynamic Address Tag.


yams.SSOManager INFO :: 2023-11-21 13:23:50:253 :: #606348 :: sendDynamicAddressUpdate(192.68.1.15) json = {"command_version":2,"commands":[{"command":"update","vdom":"root","addresses":[]}],"serial":"FNVXCATM23000555","device_type":"fortinac"}
837
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.