FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
dodsonj
Staff
Article Id 332301
Description

This article explains how to enable Network Flow on the FortiGate to forward session information to the FortiNAC for use in a Device Profiling Rule.

 

FortiGate supports both Network Flow (NetFlow) and Session Polling as sources of session information for FortiNAC. In some instances it is more beneficial to enable NetFlow instead of Session Polling, because NetFlow can be limited to the FortiGate interfaces and traffic directions of interest, which reduces the volume of session information the FortiGate forwards to the FortiNAC.

 

This article uses an Xbox Series X that communicates with Microsoft servers over UDP port 3544 as the example. The same methodology applies to other endpoint devices that talk to specific servers over distinctive ports, for example mobile phones managed by an MDM that FortiNAC does not support, or OT equipment under ICS control that FortiGuard does not detect.

 

It is not necessary to enable FortiGate Session Polling.

Scope
FortiGate, FortiNAC-F.
Solution

FortiGate:

 

To configure NetFlow on the FortiGate:

 

In the CLI of the FortiGate, for firmware versions 7.2.8 or 7.4.2 and later, NetFlow collectors are configured as a table. Enter the following commands, where <fortinac-port1-ip-address> is the port1 address of the FortiNAC and <fortigate-modelled-ip-address> is the FortiGate address with which the FortiGate is modelled in FortiNAC, so that FortiNAC can associate the exported records with the modelled device:

config system netflow
    config collectors
        edit <number>
            set collector-ip <fortinac-port1-ip-address>
            set source-ip <fortigate-modelled-ip-address>
        next
    end
end

The collector port is left at its default of 2055, which is the port checked on the FortiNAC side later in this article. Then enable the sampler only on the interfaces and directions of interest: both exports ingress and egress flows, while rx or tx limits the export to one direction.

config system interface
    edit <name>
        set netflow-sampler <both | rx | tx>
    next
end

 

For other firmware versions, the collector is a single global setting. Enter the following commands:

config system netflow
    set collector-ip <fortinac-port1-ip-address>
    set source-ip <fortigate-modelled-ip-address>
end

 

FGT1.PNG

 

config system interface
    edit <name>
        set netflow-sampler <both | rx | tx>
    next
end

 

FGT2.PNG

 

FortiNAC:

 

On the CLI of the FortiNAC, allow NetFlow on the interface that the FortiGate exports to (port1 in this example). The allowaccess setting replaces the whole list of permitted protocols, so repeat every protocol that is already enabled on the interface and add netflow to it:

config system interface
    edit port1
        set allowaccess <protocol x> netflow <protocol y>
    next
end

 

INTERFACE.PNG

 

To verify that NetFlow traffic from the FortiGate is arriving on the FortiNAC interface, capture on the collector port (2055 is the FortiGate default; adjust the filter if a different collector port was configured on the FortiGate):

execute tcpdump -vi port1 port 2055

Packets should be seen with the FortiGate source-ip as their source address. If nothing arrives, check the collector configuration and the interface sampler setting on the FortiGate, and any firewall policy or routing between the FortiGate source-ip and the FortiNAC.

 

On the FortiNAC GUI, navigate to Users & Hosts -> Network Sessions and identify the session of interest:

 

RECORD1.PNG

 

RECORD2.PNG

 

Right-click the session of interest and select Create Device Profiling Rule. Enter the necessary information under the General tab and verify the information under the Methods tab:

 

DPR1.PNG

 

DPR2.PNG
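To show what the FortiNAC is working with when it matches a session against a Device Profiling Rule, the following Python program parses a NetFlow v9 export packet as laid out in RFC 3954 (header, template flowset, data flowset), decodes the source and destination addresses, ports and protocol, and applies a rule equivalent to the Xbox case above: UDP (protocol 17) to destination port 3544. It is an added example written for this article, not FortiNAC or FortiOS code. The packet is constructed inline with documentation addresses (203.0.113.10 and 198.51.100.5 stand in for a Microsoft server and a generic HTTPS server; they are not real service addresses), the field set is an assumption rather than the FortiGate's actual export template, and the FlowRule class is a hypothetical stand-in for the General and Methods criteria of a real Device Profiling Rule. It also handles the v9 failure mode where a data flowset arrives before its template and cannot be decoded until the template is received.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# NetFlow v9 field type IDs from RFC 3954 used by this example.
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
FIELD_NAMES = {IN_BYTES: "in_bytes", IN_PKTS: "in_pkts", PROTOCOL: "protocol",
               L4_SRC_PORT: "src_port", IPV4_SRC_ADDR: "src_ip",
               L4_DST_PORT: "dst_port", IPV4_DST_ADDR: "dst_ip"}
IP_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR}


def decode_field(ftype, raw):
    """IPv4 fields become dotted strings; everything else is a big-endian int."""
    return str(IPv4Address(raw)) if ftype in IP_FIELDS else int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates):
    """Parse one NetFlow v9 export packet into a list of flow dicts.
    `templates` (template_id -> [(type, length), ...]) must persist across
    packets, because v9 exporters send templates only periodically."""
    version, _count, _uptime, _secs, _seq, _src_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("truncated or malformed flowset")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                      # template flowset, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:                  # data flowset, keyed by template id
            fields = templates.get(fs_id)
            if fields:                      # data seen before its template cannot be decoded: drop it
                rec_len, pos = sum(ln for _, ln in fields), 0
                while rec_len and pos + rec_len <= len(body):   # trailing bytes < rec_len are padding
                    rec = {}
                    for ftype, ln in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + ln])
                        pos += ln
                    flows.append(rec)
        offset += fs_len                    # fs_len already includes any padding
    return flows


@dataclass(frozen=True)
class FlowRule:
    """Hypothetical stand-in for the match criteria of a Device Profiling Rule (assumption)."""
    name: str
    protocol: int
    dst_port: int


def profile_flows(flows, rules):
    """Map each source IP to the name of the first rule its traffic satisfies."""
    profiled = {}
    for flow in flows:
        for rule in rules:
            if flow.get("protocol") == rule.protocol and flow.get("dst_port") == rule.dst_port:
                profiled.setdefault(flow["src_ip"], rule.name)
    return profiled


XBOX_RULE = FlowRule("Xbox Series X (UDP/3544 to Microsoft)", protocol=17, dst_port=3544)


def build_sample_packet():
    """Constructed export packet: one template (id 256) plus two flow records.
    Addresses are documentation ranges, not real endpoints or servers."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
              (PROTOCOL, 1), (IN_BYTES, 4), (IN_PKTS, 4)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    def record(src, dst, sport, dport, proto, nbytes, npkts):
        return struct.pack("!4s4sHHBII", IPv4Address(src).packed, IPv4Address(dst).packed,
                           sport, dport, proto, nbytes, npkts)

    records = (record("192.168.10.25", "203.0.113.10", 49152, 3544, 17, 1200, 8) +   # Xbox-like flow
               record("192.168.10.31", "198.51.100.5", 51000, 443, 6, 9800, 14))    # ordinary HTTPS
    pad = (-len(records)) % 4
    data_fs = struct.pack("!HH", 256, 4 + len(records) + pad) + records + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 3, 123456, 1700000000, 1, 0)   # version 9, 3 records in packet
    return header + template_fs + data_fs


if __name__ == "__main__":
    templates = {}
    flows = parse_netflow_v9(build_sample_packet(), templates)
    for flow in flows:
        print(flow)
    print(profile_flows(flows, [XBOX_RULE]))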

 

Navigate to Users & Hosts -> Endpoint Fingerprints and identify the endpoint fingerprint(s) of interest:

 

FINGER1.PNG

 

Right-click the fingerprint of interest, select Test Device Profiling Rule, select the name of the Device Profiling Rule, and select OK:

 

TEST1.PNG

 

TEST2.PNG

 

Navigate to Users & Hosts -> Device Profiling Rules and select Run:

 

DPR3.PNG

 

Navigate to Users & Hosts -> Endpoint Fingerprints and verify that the endpoint device is profiled:

 

FINGER3.PNG

 

Continue to configure a User/Host Profile, Network Access Policy, and Model Configurations as appropriate for the profiled endpoint device.