FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Staff
Article Id 288186
Description

 

This article provides some useful commands introduced in the new version of FortiNAC running NAC-OS.

These are new commands that are used frequently and were not present in the previous versions of FortiNAC running CentOS.

 

Scope

 

FortiNAC.

 

Solution

 

CLI timeout:

The new version of FortiNAC will have a default console idle timeout of 45 minutes. This is more than enough for normal procedures but during troubleshooting sessions when the logs/captures need to be checked in the background or saved to a file, this can cause problems:

 

config system global
    set admin-idle-timeout 99 <----- A value in minutes between 1-480, that will log the admin out after this time.

end

 

Allowing services on the port level:

The services need to be added in port configuration, as FortiNAC services will otherwise not listen to or respond to the requests. The list contains:

 

dhcp                DHCP (UDP ports 67, 68, 546, 547) [Portal and Management]

dns                 DNS (TCP/UDP port 53) [Portal]

fsso                FSSO (TCP port 8000) [Management]

http                HTTP (TCP port 80) [Portal]

http-adminui        Admin UI HTTP (TCP port 8080) [Management]

https               HTTPS (TCP port 443) [Portal]

https-adminui       Admin UI HTTPS (TCP port 8443) [Management]

nac-agent           FortiNAC Agent (TCP port 4568) [Portal]

nac-ipc             NAC IPC (TCP ports 1050, 5555, 30000-64000) [Management]

netflow             NetFlow (UDP port 2055) [Management]

ping                Ping (ICMP) [Management]

radius              RADIUS (TCP/UDP port 1812) [Management]

radius-acct         RADIUS Accounting (TCP/UDP port 1813) [Management]

radius-local        Local RADIUS (TCP/UDP port 1645) [Management]

radius-local-radsec Local RADIUS RadSec (TCP/UDP port 2083) [Management]

snmp                SNMP (UDP ports 161 and 162) [Management]

ssh                 SSH (TCP port 22) [Management]

syslog              Syslog (UDP port 53) [Management]

 

Usually, these are some of the services that have to be enabled on the Management (port1) and Portal (port2) interface, for example:

 

config system interface
    edit port1
        set allowaccess ping ssh snmp dhcp syslog https-adminui nac-agent radius-local
    next
    edit port2

        set allowaccess https ping http dns dhcp nac-agent
    next

end

 

Changing credentials or creating another test account for CLI access (only):

 

config system admin

  edit admin2

  set password s0mesecurepasswörd

end

 

Checking master logs without entering the shell:

 

diagnose tail output.master -F
total processed = 0
#######################################################################
yams.Yams INFO :: 2023-12-07 15:23:32:370 :: #478 :: MasterLoader Max Memory (KBytes) 1,962,496 Free Memory (KBytes) 1,751,766 Threads: 509 Up Time: 24 Days 4 Hours 10 Minutes 39 Seconds Time Zone: CET (UTC+0100)
yams.SSOManager INFO :: 2023-12-07 15:23:48:068 :: #389 :: SSOManager.syncMessagesWithAdapters checking 0 SSO devices
yams.Yams INFO :: 2023-12-07 15:24:02:369 :: #478 :: MasterLoader Max Memory (KBytes) 1,962,496 Free Memory (KBytes) 1,731,350 Threads: 509 Up Time: 24 Days 4 Hours 11 Minutes 9 Seconds Time Zone: CET (UTC+0100)

 

Enabling/disabling debugs:

 

diagnose debug plugin enable SnmpV1
diagnose debug plugin list-debug-enabled
Loader | Name | Debug
__________________________|______________________________|_____________________
44 MasterLoader |SnmpV1 |true
__________________________|______________________________|_____________________

diagnose debug plugin disable SnmpV1

 

Running a packet capture:

 

execute tcpdump -i port2 host 10.1.3.11 and port 53
dropped privs to admin
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on port2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:37:41.646717 IP win10-ffm.eb.eu.56052 > fortinac.eb.eu.domain: 1+ PTR? 50.2.1.10.in-addr.arpa. (40)
15:37:41.657806 IP win10-ffm.eb.eu.56053 > fortinac.eb.eu.domain: 2+ A? fortinet.com.eb.eu. (36)
15:37:41.678251 IP win10-ffm.eb.eu.56054 > fortinac.eb.eu.domain: 3+ AAAA? fortinet.com.eb.eu. (36)

If more information is needed, add the '-v' for RADIUS attributes. For example:

 

execute tcpdump -i port1 host 10.1.2.1 and port 1812 -v
dropped privs to admin
tcpdump: listening on port1, link-type EN10MB (Ethernet), snapshot length 262144 bytes


15:33:17.803174 IP (tos 0x0, ttl 64, id 48689, offset 0, flags [none], proto UDP (17), length 82)
_gateway.20493 > fortinac.eb.eu.radius: RADIUS, length: 54
Access-Request (1), id: 0x04, Authenticator: 3a5d0aa86a9a3da8b8d4142e59186ee9
NAS-Identifier Attribute (32), length: 4, Value: FW
User-Name Attribute (1), length: 12, Value: gimi@eb.eu
User-Password Attribute (2), length: 18, Value:
15:33:17.856751 IP (tos 0x0, ttl 64, id 44117, offset 0, flags [none], proto UDP (17), length 48)
fortinac.eb.eu.radius > _gateway.20493: RADIUS, length: 20
Access-Accept (2), id: 0x04, Authenticator: 96375d501bcdb07542ccb14d32fd5c0c

 

If the output needs to be saved in a file:

 

execute tcpdump -i port1 host 10.0.0.2 and port 514 -v -w /home/admin/log.pcap
dropped privs to admin
tcpdump: listening on port1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Got 0
Got 1
Got 2

 

Exporting/Importing files:

There are three available tools to be used for this function: TFTP, FTP, and SCP. The easiest way to set up a new file transfer server, similar to any network device is the use of an external TFTP server.

For common file transfers like backup and restore there are dedicated commands that can be used without entering the shell like:

 

fnacf # execute backup config tftp backup-04 eb.eu

fnacf # execute restore ...

 

For another type of files like certificates, log files or packet captures it is needed to first enter the shell, the directory where the administrator has full rights is: /home/admin

Importing a file into FortiNAC (a root CA certificate in this case):

 

fnacf # execute enter-shell
fnacf:~$ pwd
/home/admin
fnacf:~$ tftp -gr ca.eb.eu.crt eb.eu
fnacf:~$ ll
4 -rwxr-xr-x 1 admin admin 1667 Feb 4 10:24 ca.eb.eu.crt*

4 -rw-r--r-- 1 admin admin 352 Dec 7 15:58 log.pcap

 

in case when a SCP server is used the command is:

 

fortinac:~$ scp admin@eb.eu:/ca.eb.eu.crt .

admin@www.eb.eu's password:

ca.eb.eu.crt       100% 1667   137.6KB/s   00:00

 

Exporting files from FortiNAC (different examples):

 

fortinac:~$ tftp -pr log.pcap eb.eu

--

fnacf:~$ cd /bsc/backups/database/

fnacf:/bsc/backups/database$ tftp -pr FortiNAC_DataBase_BackUp_2024_02_04_00_01_46_fnacf.gz eb.eu

--

fortinac:~$ scp text.txt admin@www.eb.eu:/

admin@www.eb.eu's password:

text.txt              100%    7     1.0KB/s   00:00

 

Advanced commands that are available after entering shell:

 

execute enter-shell
fortinac:~$ device -ip 10.1.2.1 <- In the shell mode, some usual/old FortiNAC commands can be run.
************************* FW [10.1.2.1] *************************
Landscape = 92023029761 00:15:6D:00:00:01
Pollable = true, Poll interval = 10 Minutes
Type = 1.3.6.1.4.1.12356.101.1.80005
Group = 1.3.6.1.4.1.12356
MAC = null
Protocol = SnmpV1
Description = The FW
IP = 10.1.2.1

 

Useful information for FortiNAC-VM and licensing:

 

get system status
Version: FortiNAC-HyperV v7.2.4,build0094,231026 (GA)
Serial-Number: FNVM....
License Status: Valid

 

get hardware status
Model Name: FortiNAC-HyperV
UUID: 78c.....
MAC: 00:15:6D:00:00:01
CPU: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz
Number of CPU Cores: 4
RAM: 16384 MB
Hard Disk: 1929 MB /data, 100204 MB /storage


get system license
EFFECTIVE:
serial = FNVM....
type = NetworkControlApplicationServer
level = PRO
count = 100000
expiration = 365 days
expired = false
mac = 00:15:6D:00:00:01
uuid = 78c.... <----- Should match the same information as the output of hardware status to be valid.

 

Related articles:

Technical Tip: Run tcpdump in FNAC-F and save capture as a file.

Technical Tip: FileTransfer with TFTP for FortiNAC-F.