FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1 (Staff)
Article Id 205638
Description This article shows the steps to retrieve FortiGate address ranges with FortiNAC.
Scope Prerequisites:
1) FortiGate version 6.4 and above.
2) FortiAnalyzer.
3) FortiNAC running version 9.2.x and above.
Solution

Note that addresses are only read from FortiGates that have Fabric Connectors configured for FortiNAC. If no such Fabric Connectors exist, no addresses will be read and created.

This is only done once for each FortiGate: once the addresses have been created for a FortiGate, later changes on that FortiGate do not propagate to the existing address objects. All changes to the address objects after they are initialized must be made manually.

To keep FortiNAC aware of the SSO and VPN addresses removed and created on FortiGate, it is necessary to configure the Fabric connector between FortiGate and FortiNAC.

Add FortiNAC to the Security Fabric:

1) In the FortiNAC Administration UI, navigate to Network > Service Connectors.

2) Select 'Create New'.

3) Select 'Security Fabric Connection'.

4) Enter the following values and save:
IP: Root FortiGate IP address
Port: 8013

Refer to the FortiOS Administration Guide to complete configuration: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/264311/fortinac


1) Authorize FortiNAC on the root FortiGate.

2) Verify connection status.

3) Log in to the FortiNAC Administration UI from the FortiGate.


To authorize FortiNAC on the root FortiGate GUI:

1) Enable 'Security Fabric Connection' under the FortiGate interface that will participate in the Fabric configuration.

2) Go to Security Fabric -> Fabric Connectors.

3) FortiNAC will be highlighted in the topology list in the right panel with the status Waiting for Authorization.

4) Select the highlighted FortiNAC and select Authorize.



After authorization, the FortiGate adds FortiNAC by its hostname.

On FortiNAC the Fabric Connection should show Connected (the status is visible when the Service Connector is opened for editing).



Important:
The first time each FortiGate is accessed by FortiNAC, as the system starts, FortiNAC will automatically populate the address and address group tables using the same process as in previous versions of FortiNAC. To expand the scope of FortiGates to which SSO messages are sent over these direct connections, an option can be configured.

This can be done with the following command (run from the FNAC command shell):

> globaloptiontool -name sso.expand.scope -set true



Now on FortiNAC go to Addresses:

1) Select System -> Settings.

2) Expand the System Communication folder.

3) Select Addresses from the tree.

The SSL-VPN address scope used in the SSL-VPN portals as Source IP Pools is now populated in FortiNAC.


Image for illustration from FortiGate:



Image for illustration from FortiNAC:



Important note:

If the address ranges retrieved by FortiNAC after the initial Fabric Connector configuration are deleted, FortiNAC will not retrieve those addresses again; the only way to add them back is to enter them manually.
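Because the import happens only once and deleted entries are only recovered by hand, it is worth periodically listing the SSL-VPN source IP pool ranges still defined on the FortiGate and comparing them with FortiNAC's Addresses list. The example below is added here and is not from the article or from Fortinet; it parses the JSON shape returned by the FortiOS REST API for SSL-VPN portals and firewall address objects (the endpoint paths and field names are assumptions based on FortiOS 6.4, and the sample data is constructed).

```python
import ipaddress
import json

# Constructed sample, shaped like the FortiOS REST API responses for
# /api/v2/cmdb/vpn.ssl.web/portal and /api/v2/cmdb/firewall/address
# (endpoint paths and field names are assumptions, not from the article).
PORTALS_JSON = json.dumps({"results": [
    {"name": "full-access", "ip-pools": [{"name": "SSLVPN_TUNNEL_ADDR1"}]},
    {"name": "web-access", "ip-pools": []},
]})
ADDRESSES_JSON = json.dumps({"results": [
    {"name": "SSLVPN_TUNNEL_ADDR1", "type": "iprange",
     "start-ip": "10.212.134.200", "end-ip": "10.212.134.210"},
    {"name": "LAN_NET", "type": "ipmask", "subnet": "192.168.1.0 255.255.255.0"},
]})


def address_to_range(addr):
    """Return (first_ip, last_ip) for an iprange or ipmask address object."""
    if addr.get("type") == "iprange":
        return addr["start-ip"], addr["end-ip"]
    if addr.get("type") == "ipmask":
        ip, mask = addr["subnet"].split()
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        return str(net.network_address), str(net.broadcast_address)
    return None  # fqdn, geography and other types are not IP ranges


def sslvpn_pool_ranges(portals_json, addresses_json):
    """Map each SSL-VPN portal source IP pool name to the range it covers."""
    addrs = {a["name"]: a for a in json.loads(addresses_json)["results"]}
    ranges = {}
    for portal in json.loads(portals_json)["results"]:
        for pool in portal.get("ip-pools", []):
            rng = address_to_range(addrs.get(pool["name"], {}))
            if rng:
                ranges[pool["name"]] = rng
    return ranges


def missing_in_fortinac(fortigate_ranges, fortinac_names):
    """Pool names still defined on FortiGate but absent from FortiNAC Addresses."""
    return sorted(set(fortigate_ranges) - set(fortinac_names))


if __name__ == "__main__":
    pools = sslvpn_pool_ranges(PORTALS_JSON, ADDRESSES_JSON)
    # fortinac_names would be the names copied from System > Settings > Addresses
    print(pools, missing_in_fortinac(pools, []))
```

Any name reported by missing_in_fortinac must be re-entered manually in FortiNAC's Addresses view, since the Fabric Connector will not import it a second time.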