FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Sx11
Staff
Article Id 228916

Description

 

This article describes how FortiNAC-M manages server nodes (FortiNAC-CA) and explains the concept of Global Objects.

 

Scope

 

FortiNAC-M, FortiNAC-CA

 

Solution

 

Individual FortiNAC servers are added to the FortiNAC Control Manager to provide scaling in large environments and centralized management.

 

The FortiNAC Control Manager ensures the following:

  • All Servers (Pods) are on the same version. (Different versions are not supported.)
  • Upgrades are performed from the Manager and pushed to all servers.
  • Licenses are pushed dynamically from the Manager to all servers.
  • Administration is simplified even in large environments.
  • Servers can be accessed in Local View and synchronized or deleted. Adding or removing servers will not impact their operation. Both instances of a High Availability (HA) server can be automatically added in the FortiNAC Control Manager by adding only the Shared IP.

 

The FortiNAC Control Manager does not have a network inventory view. This is because there are no port objects in its database.

 

The FortiNAC Control Manager holds a repository of:

  • Accounts 
  • Hosts
  • Adapters

These records are propagated to other FortiNAC servers through varying methods. See documentation for more information: https://docs.fortinet.com/document/fortinac/8.5.0/control-manager/674974/server-synchronization

 

Global Objects

 

Global objects are elements configured in the FortiNAC Control Manager.

 

These include:

  • Device profiling rules
  • Policies (NAC, EPC, etc.)
  • Guest/Contractor Templates
  • Groups

Anything configured on a specific FortiNAC CA server is considered a Local Object and is controlled only on that server.

Each FortiNAC CA server that is added to a FortiNAC Control Manager inherits the Global Objects configured on the manager. These objects are tagged as "Global" on each server so that the user can differentiate between them and Local Objects.

 

Notes:

 

- Device Profiling Rules can be ranked in the FortiNAC Control Manager.

- NAC policies can only be ranked on each FortiNAC CA server.

- Policies in each FortiNAC CA server can leverage Global Objects such as groups and user/host profiles.

 

Related documentation:

https://docs.fortinet.com/document/fortinac/8.5.0/control-manager/379834/fortinac-control-manager

Upgrade in Control Manager environments:

https://docs.fortinet.com/document/fortinac/9.1.0/upgrade-instructions-and-considerations/365276/net...

Upgrade guide:

https://docs.fortinet.com/document/fortinac/9.1.0/os-and-software-upgrade

 

Other related KBs:

https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Unable-to-add-servers-to-the-Control-...

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Control-Manager-license-file-prevents-licen...

https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Network-Control-Manager-Server-List-panel-t...

https://community.fortinet.com/t5/FortiNAC/Technical-Note-NCM-communication-issues-with-systems-acro...
