Description
This article describes how to redirect the admin UI port 8080 (HTTP) to port 8443 (HTTPS), or disable port 8080 entirely.
This issue is addressed in version 8.2.0.
Scope
FortiNAC versions prior to 8.2.0.
Solution
Workaround: To redirect Admin UI port 8080 to secure port 8443, access the Network Sentry Server or Network Sentry Control Server and modify the /bsc/campusMgr/ui/ROOT/WEB-INF/web.xml file.
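Change the 'NONE' value in the transport-guarantee section at the very bottom of the file to 'CONFIDENTIAL'. With 'CONFIDENTIAL', Tomcat redirects requests that arrive over HTTP on port 8080 to the connector's redirectPort, 8443.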
Before:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ALL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>
      NONE
    </transport-guarantee>
  </user-data-constraint>
</security-constraint>
After:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ALL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>
      CONFIDENTIAL
    </transport-guarantee>
  </user-data-constraint>
</security-constraint>
Save the changes to the web.xml file.
Restart the tomcat-admin service:
service tomcat-admin restart
Note: This change must be done after every upgrade. Document the change in a file called README in the /bsc/campusMgrUpdates/ directory. If no file is currently present with that name, create a new file.
To disable the admin UI port 8080 entirely, access the Network Sentry Server or Network Sentry Control Server and modify the /bsc/services/tomcat-admin/conf/server.xml file.
Comment out the following Connector section:
Before:
<Connector port="8080" redirectPort="8443"
           server="Apache"
           address="nac" />
After:
<!-- <Connector port="8080" redirectPort="8443"
           server="Apache"
           address="nac" />
-->
Save the changes to the server.xml file.
Restart the tomcat-admin service:
service tomcat-admin restart
Note: This change must be done after every upgrade. Document the change in a file called README in the /bsc/campusMgrUpdates/ directory. If no file is currently present with that name, create a new file.
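Because both workarounds are lost on upgrade, a post-upgrade check of the two files is useful. The following is an added example, not Fortinet code: it classifies port 8080 as 'plaintext', 'redirect' or 'disabled' from the contents of web.xml and server.xml. The function names and the sample XML (including the 8443 connector attributes and the namespace) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not copied from a real appliance).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ALL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>
        {guarantee}
      </transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
SERVER_XML_OPEN = """<Server><Service name="Catalina">
  <Connector port="8080" redirectPort="8443" server="Apache" address="nac" />
  <Connector port="8443" scheme="https" secure="true" />
</Service></Server>"""
# Same file with the 8080 Connector commented out, as in the second workaround.
SERVER_XML_CLOSED = SERVER_XML_OPEN.replace(
    '<Connector port="8080"', '<!-- <Connector port="8080"').replace(
    'address="nac" />', 'address="nac" /> -->')

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a "{namespace}" prefix if present

def guarantee_for(web_xml, pattern="/*"):
    """transport-guarantee of the constraint covering `pattern` (NONE if unset)."""
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        kids = {}
        for e in sc.iter():
            kids.setdefault(local(e.tag), []).append((e.text or "").strip())
        if pattern in kids.get("url-pattern", []):
            return (kids.get("transport-guarantee") or ["NONE"])[0].upper()
    return "NONE"

def http_8080_state(web_xml, server_xml):
    """Return 'disabled', 'redirect' or 'plaintext' for the admin UI on 8080."""
    # ElementTree drops XML comments, so a commented-out Connector is not seen.
    ports = {c.get("port") for c in ET.fromstring(server_xml).iter("Connector")}
    if "8080" not in ports:
        return "disabled"
    confidential = guarantee_for(web_xml) == "CONFIDENTIAL"
    return "redirect" if confidential else "plaintext"
```

To audit an appliance, pass the contents of /bsc/campusMgr/ui/ROOT/WEB-INF/web.xml and /bsc/services/tomcat-admin/conf/server.xml to http_8080_state; a result of 'plaintext' means the workaround needs to be reapplied.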
This issue has been addressed in version 8.2.0.
In FortiNAC 9.4.X and FortiNAC-F, the tomcat service has been merged with the NAC service. To disable the admin UI port 8080 entirely on these versions, follow the steps below:
- Execute the 'adminguitool show' command and check the current configuration.

- Disable the insecure connection for the Admin UI entirely by executing the 'adminguitool config 1 -insecure false' command.

- Execute 'restartNAC' to apply the change.
Note: Since the 'restartNAC' command will restart all NAC processes, perform it during a maintenance window.