FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 360090
Description

This article describes best practices and recommendations for FortiNAC hardening.

Scope

FortiNAC-F v7.4.0 and greater.
Solution

FortiNAC is a Network Access Control (NAC) server, available both as a hardware appliance and as a Virtual Machine (VM). Its main function is to detect who and what is connecting to the network and then enforce control based on the selected criteria.

As with any server, it is exposed to risk from unnecessary listening services, newly published vulnerabilities, poor administration, and a lack of continuous monitoring of its operation.

 

The following points provide recommendations and insights to improve the security posture of FortiNAC.

 

  1. Disable services that are not in use.

FortiNAC can enforce control in multiple ways, and more than one solution or design can be used to reach the same goal.

Administrators should therefore first identify which ports, protocols, and services the chosen design actually needs, and then disable the rest.

 

Services can be enabled/disabled for port1 and port2 through CLI:

 

naclab1 # show system interface
config system interface
    edit port1
        set ip 10.10.10.6/24
        set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh
    next
    edit port2
        set allowaccess dhcp dns http https nac-agent ping
    next
end


Note: It is not recommended to configure the IP address of port2 via CLI. The configuration of port2 is tied to the isolation networks and must be performed through the FortiNAC GUI (configWizard).

In the above example, there is a large number of services enabled.

Some of them are important and required for Management purposes and network discovery. However, other services might not be required.

 

Example: endpoints are registered with the Persistent Agent, and FortiNAC enforces control by pushing CLI commands to the network devices. There is no RADIUS configuration anywhere in the network infrastructure.

In this case, the NAC-agent service (TCP port 4568) is required, but there is no reason to leave any of the RADIUS-related services enabled:

 

  • radius
  • radius-acct
  • radius-local
  • radius-local-radsec

 

Any service left listening is a potential entry point if a vulnerability is found in it. In this step, identify the services FortiNAC needs to do its job and disable everything else; the attack surface shrinks accordingly.
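To make the "identify what is needed, disable the rest" step repeatable, the following Python script (an added example, not part of the article or of FortiNAC itself) parses a saved "show system interface" dump, compares each port's allowaccess list against the services the design actually requires, and prints the "set allowaccess" line to paste back into the CLI. The allow-list is a hypothetical one for the Persistent Agent design above; the script assumes, as in FortiOS, that "set allowaccess" replaces the whole list, so the generated line carries every service that is still required:

```python
"""Audit a FortiNAC-F 'show system interface' dump against the services a design needs.

Added example, not from the Fortinet article or the product. It reports every
allowaccess service that is enabled but not on the per-port allow-list (and any
required service that is missing) and emits the CLI to apply.
Assumption: as in FortiOS, 'set allowaccess' replaces the whole list.
"""
import re

# Constructed sample: the dump shown in the article.
SAMPLE_DUMP = """\
config system interface
    edit port1
        set ip 10.10.10.6/24
        set allowaccess http https-adminui nac-agent nac-ipc netflow ping radius radius-acct radius-local radius-local-radsec snmp ssh
    next
    edit port2
        set allowaccess dhcp dns http https nac-agent ping
    next
end
"""

# Hypothetical allow-list for the example design (Persistent Agent, CLI enforcement,
# no RADIUS). Adjust it to the services the real deployment depends on.
REQUIRED = {
    "port1": {"http", "https-adminui", "nac-agent", "nac-ipc", "netflow", "ping", "snmp", "ssh"},
    "port2": {"dhcp", "dns", "http", "https", "nac-agent", "ping"},
}


def parse_allowaccess(dump: str) -> dict[str, set[str]]:
    """Return {port: set(services)} from a 'show system interface' dump."""
    ports: dict[str, set[str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\S+)$", line)
        if m:
            current = m.group(1)
            ports[current] = set()
        elif current and line.startswith("set allowaccess "):
            ports[current] = set(line.split()[2:])
        elif line == "next":
            current = None
    return ports


def audit(dump: str, required: dict[str, set[str]]) -> dict[str, dict[str, set[str]]]:
    """Per port: services to remove (enabled, not required) and to add (required, missing)."""
    enabled = parse_allowaccess(dump)
    result = {}
    for port in sorted(set(enabled) | set(required)):
        have = enabled.get(port, set())
        need = required.get(port, set())
        result[port] = {"remove": have - need, "add": need - have}
    return result


def remediation_cli(dump: str, required: dict[str, set[str]]) -> str:
    """Emit 'config system interface' commands for every port whose list deviates.

    Ports with an empty requirement are skipped: clearing a list entirely is a
    design decision that should be made by hand, not by this script.
    """
    lines = ["config system interface"]
    for port, diff in audit(dump, required).items():
        need = required.get(port, set())
        if not need or (not diff["remove"] and not diff["add"]):
            continue
        lines.append(f"    edit {port}")
        lines.append("        set allowaccess " + " ".join(sorted(need)))
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines) if len(lines) > 2 else ""


if __name__ == "__main__":
    for port, diff in audit(SAMPLE_DUMP, REQUIRED).items():
        print(port, "remove:", sorted(diff["remove"]), "add:", sorted(diff["add"]))
    print(remediation_cli(SAMPLE_DUMP, REQUIRED))
```

Save the real CLI output to a file and feed it in place of SAMPLE_DUMP. Review the "remove" and "add" sets before applying the generated commands: a service left off the allow-list by mistake (nac-agent, for instance) would lock the agents out rather than harden the server.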

 

Firewall policies should also deny traffic to the unused services on the management port, rather than relying on the allowaccess list alone.

Firewall logs then provide detailed information about traffic towards FortiNAC-specific services, which can be analysed to detect malicious activity.

 

In FortiNAC, it is also possible to check port statistics and transmission error counters. These are not a direct indication of exploit attempts, but the network team should review them whenever errors appear on the relevant interface counters.

 

diagnose hardware deviceinfo nic port1

Name: port1
Driver: hv_netvsc
Version: N/A
Bus: b3dXXX-ZZZZ-YYYYYYY
Hwaddr: 00:15:5d:XX:XX:XX
State: up
Link: up
Mtu: 1500
Speed: 10000full
Rx packets: 5864
Rx bytes: 966861
Rx dropped: 0
Rx compressed: 0
Rx errors: 0
  Rx Length err: 0
  Rx Buf overflow: 0
  Rx Crc err: 0
  Rx Frame err: 0
  Rx Fifo overrun: 0
  Rx Missed packets: 0
Tx packets: 6568
Tx bytes: 12865145
Tx dropped: 0
Tx compressed: 0
Tx errors: 0
  Tx Aborted err: 0
  Tx Carrier err: 0
  Tx Fifo overrun: 0
  Tx Heartbeat err: 0
  Tx Window err: 0
Multicasts: 619
Collisions: 0

 

Check the following documentation for more details on services and ports.

 

 

  2. Update FortiNAC software to the latest version.

Each new FortiNAC release also carries the latest security patches for NACOS and its applications. Before upgrading, read the release notes and check the 'Known Issues' section in case an engineering report (ID) affects the environment.

Other important sections are: Upgrade path, Compatibility, Upgrade considerations, Pre-upgrade procedures, and hardware support for appliance versions.

 

Many companies restrict outbound communication, including the downloads of OS updates and auto-definition updates. In an environment with a FortiNAC Manager, proxy settings can be configured so that the Manager sends this web traffic through a proxy server to download OS updates and auto-definition updates.

 

Administrators should check regularly for advisories concerning FortiNAC and other Fortinet products. These advisories are published by the Fortinet Product Security Incident Response Team (PSIRT) and state which versions fix the vulnerabilities.

PSIRT Advisories

 

  3. Backups and VM snapshots.

Having a backup plan is crucial for severe cases where FortiNAC services cannot be repaired or restored in place.

 

  • Backups should be securely stored in a remote location: Remote Backups. Ideally, use two different locations so that a copy remains available if one of them is compromised or down (for example, a remote site plus a cloud location).
  • Use a secure transfer method, such as the Remote backup configuration.
  • Keep VM snapshots to restore services quickly after issues caused by upgrades or configuration changes.
  • Keep a document with the specific steps and procedures for restoring FortiNAC when the system is corrupted and unresponsive, which might require a factory reset of the server. The following article can be used as an example when building the system restore procedure: Technical Tip: FortiNAC-F system restore procedure.
  • Test the recovery procedure during a maintenance window, and update the documented steps after each change, so that the correct steps are in place when a real incident occurs.
  • Using Scheduling Backups, define how often backups are executed and when local backups are purged.
  • Validate backup file integrity with a hashing algorithm: record the digest of each file when the backup is taken and compare it with the digest of the file about to be restored.
  • Encrypt backups, and use firewall policies to limit access to the administrators who need it.
  • Manually uploaded files or images must also be backed up manually, through a TFTP or SSH server. Examples are custom web pages stored in /bsc/Registration/registration/site that are used to redirect hosts that fail Custom scans.
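As a worked example of the integrity bullet above (added here; not code from the article or from FortiNAC), the following Python script hashes every backup file pulled from remote storage into a SHA-256 manifest and later re-checks it, so a modified or missing archive is detected before a restore is attempted. Directory and file names are constructed for the demonstration:

```python
"""SHA-256 manifest for off-box FortiNAC backup files.

Added example, not part of the Fortinet article or the product. It assumes the
backup archives have already been copied off the appliance into a directory.
write_manifest() runs right after the copy; verify_manifest() runs before a
restore (or on a schedule) and reports ok / modified / missing files.
"""
import hashlib
import json
import os
import tempfile

MANIFEST = "MANIFEST.sha256.json"


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(backup_dir: str) -> dict[str, str]:
    """Hash every regular file in backup_dir (except the manifest itself) and save the manifest."""
    manifest = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if name == MANIFEST or not os.path.isfile(path):
            continue
        manifest[name] = sha256_file(path)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_manifest(backup_dir: str) -> dict[str, list[str]]:
    """Compare the files on disk with the recorded digests."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for name, expected in sorted(manifest.items()):
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif sha256_file(path) != expected:   # corrupted in transit or tampered with
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three backup files, then one is altered and one deleted."""
    files = {
        "db-backup-1.tgz": b"database backup bytes",         # constructed placeholder content
        "system-backup-1.tgz": b"system backup bytes",
        "custom-pages.tar": b"custom registration pages",
    }
    with tempfile.TemporaryDirectory() as backup_dir:
        for name, content in files.items():
            with open(os.path.join(backup_dir, name), "wb") as f:
                f.write(content)
        write_manifest(backup_dir)
        # Simulate silent corruption (or tampering) of one archive and loss of another.
        with open(os.path.join(backup_dir, "db-backup-1.tgz"), "ab") as f:
            f.write(b"\x00")
        os.remove(os.path.join(backup_dir, "system-backup-1.tgz"))
        return verify_manifest(backup_dir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep a copy of the manifest somewhere the backup host cannot write to, or sign it: an attacker who can alter the archives in place can also rewrite a manifest stored beside them. The same verification should run against the second backup location, since the point of two copies is lost if only one of them is ever checked.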

 

Check this document: Backup and Restore (FortiNAC-OS) for more details.

 

  4. Log Monitoring Servers.

  • Configure external logging to capture system events, or to be alerted on specific events that could indicate a compromise.
  • Sending logs to an external collector also frees FortiNAC resources for its control functions instead of internal logging.
  • FortiSIEM, FortiAnalyzer, or any other syslog server can be integrated with FortiNAC for log monitoring.

FortiAnalyzer Device Integration

Troubleshooting Tip: Syslog messages not being sent to syslog server

 

  • Use a centralized logging solution that can correlate logs from multiple sources and alert or act based on any supported device: FortiSIEM integration guide.
  • Check the Audit logs regularly for changes applied by administrators, and the Event logs to identify performance or system issues.
  • Create alerts in FortiNAC for important functions that are not working.

 

An example is an alert on the Automatic backup feature failing, which draws the administrator's attention to the remote backup failure so it can be investigated and fixed.

Related Event names:

 

Database Backup Failure

Systems Backup Failure

 

List of event and alarms

 

  5. TLS Certificates for secure communication.

Where possible, use TLS certificates to secure communication between clients and servers.

This can be applied to multiple services, such as:

 

Use current, strong signature algorithms (SHA-256 or stronger) for the root and intermediate Certificate Authorities that issue the client and server certificates.

 

Example: the RADIUS service fails when the certificates are issued using weak hash algorithms such as MD5 or SHA-1. The error names the certificate file, but 'ca md too weak' refers to the digest the issuing CA used to sign it, so a SHA-256 server certificate issued by a SHA-1 CA fails in the same way:

 

Error: tls: (TLS) Failed reading certificate file "radius/raddb/certs/certificatetest.pem": error:XXX:SSL routines:SSL_CTX_use_certificate:ca md too weak
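Because this check only happens when the RADIUS service loads the files, it is cheaper to inspect the chain before uploading it. The following Python script (an added example, not code from the article or the product) decodes each certificate in a PEM bundle and reports its signature hash algorithm, flagging MD5 and SHA-1 as the values FortiNAC rejects. It reads only the outer signatureAlgorithm field of the X.509 structure, so it needs no third-party library; the sample bundle at the end is constructed from minimal DER skeletons that carry just that field, not real certificates:

```python
"""Report the signature hash of every certificate in a PEM bundle.

Added example, not part of the Fortinet article or the product. An X.509
certificate is DER: SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
the hash used by the issuer is the OID inside signatureAlgorithm.
"""
import base64
import re

# OID -> (algorithm name, hash) for signature algorithms commonly seen on RADIUS chains.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
}
WEAK_HASHES = {"md5", "sha1"}   # the digests behind 'ca md too weak'


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw: bytes) -> str:
    first = raw[0]
    parts = [str(first // 40), str(first % 40)]
    value = 0
    for b in raw[1:]:                      # base-128 arcs, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_oid(der: bytes) -> str:
    """Return the dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, start, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, start)       # skip tbsCertificate
    tag, alg_start, _ = _tlv(der, tbs_end)  # signatureAlgorithm ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID")
    return _decode_oid(der[oid_start:oid_end])


def pem_certs(pem: str) -> list[bytes]:
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def check_bundle(pem: str) -> list[dict]:
    """One entry per certificate, in file order: algorithm, hash, and whether FortiNAC would reject it."""
    report = []
    for i, der in enumerate(pem_certs(pem)):
        oid = signature_oid(der)
        name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
        report.append({"index": i, "algorithm": name, "hash": digest, "too_weak": digest in WEAK_HASHES})
    return report


def _fake_cert(alg_oid_der: bytes) -> bytes:
    """Constructed skeleton: empty tbsCertificate, the given AlgorithmIdentifier, empty signature."""
    alg = b"\x30" + bytes([len(alg_oid_der) + 2]) + alg_oid_der + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body


def _pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


# Constructed bundle: a SHA-256 signed server certificate followed by a SHA-1 signed CA.
SAMPLE_BUNDLE = (_pem(_fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
                 + _pem(_fake_cert(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")))

if __name__ == "__main__":
    for entry in check_bundle(SAMPLE_BUNDLE):
        print(entry)
```

Run it over the CA bundle as well as the server certificate file: in the constructed sample the server certificate passes while the CA is flagged, which is exactly the case the error message above hides behind the server certificate's file name. A 'too_weak' entry on a real bundle means that certificate has to be reissued by a CA signing with SHA-256 or stronger.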

 

The following SSL/TLS versions are considered vulnerable and should not be used:

 

  • SSL v2
  • SSL v3
  • TLS 1.0
  • TLS 1.1

 

This article explains the usage and core concepts of certificates: Technical Tip: SSL/TLS and the use of Digital Certificates

The following external guides from Microsoft and DigiCert provide requirements and best practices for certificates.

 

  6. Performance issues due to a lack of administration.

If FortiNAC is left unchecked and not properly monitored, the result can be performance issues or, worse, a system that becomes unresponsive: a self-inflicted Denial of Service.

 

Examples include repeated SSH, SNMP, or REST API failures against network devices or service connectors; each retry consumes FortiNAC CPU time and memory, which delays features such as polling or VLAN changes.

In large deployments, network administrators in branch offices might remove devices or change the network without informing the FortiNAC administrators.

FortiNAC keeps polling and requesting information from those devices for as long as they remain in the Network Inventory database.

 

The following article provides the steps to identify such issues and resolve performance issues:

Technical Tip: Performance issue and some general recommendations

 

  7. Restrictions on administrative users.

When provisioning administrator accounts, apply the principle of least privilege.

Administrative profiles limit each account to the tasks its job role requires and nothing more.

Apply the same concept to all other types of accounts.

 

Additional recommendations include:

 

  8. Auditing/Checking the FortiNAC configuration.

The following documentation provides a list of configuration steps that Administrators can leverage to audit the FortiNAC settings and features.

 

 

Related documents: