FortiNAC
FortiNAC is a s a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Staff
Description This article describes how to configure Automation Stitches to Quarantine illegitimate devices
Scope FortiNAC v8.7.x-8.8.0, FortiOS v6.4.0 and above
Solution

Requirements:

  • FortiNAC appliances to be installed with licenses that include additional certificates. This type of license was introduced on January 1st 2020.
  • FortiNAC version 8.7.x - 8.8.0: FortiGate devices must be running FortiOS 6.4.0 or higher.
  • FortiNAC version 8.8.1 and higher: FortiGate devices must be running FortiOS 6.4.2 or higher.

Add FortiNAC to the Security Fabric:

  1. In the FortNAC Administration UI, navigate to Network > Service Connectors.
  2. Click Create New.
  3. Click Security Fabric Connection.
  4. Enter the following values and save: IP: Root FortiGate IP address Port: 8013
    Refer to the FortiOS Administration Guide to complete configuration: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/264311/fortinac
  5. Authorize FortiNAC on the root FortiGate.
  6. Verify connection status.
  7. Login to FortiNAC Administration UI from the FortiGate.

To authorize the FortiNAC on the root FortiGate in the GUI:

  1. Go to Security Fabric > Fabric Connectors.
  2. The FortiNAC device will be highlighted in the topology list in the right panel with the status Waiting for Authorization.
  3. Click on the highlighted FortiNAC and select Authorize.
Hawada1_0-1640294554557.png

Configure the Fortigate till step 4 and the FortiNAC is added to the security Fabric:
https://docs.fortinet.com/document/fortigate/7.0.3/administration-guide/264311

https://docs.fortinet.com/document/fortigate/7.0.3/administration-guide/188426/fortinac-quarantine-a...



Test the Fortigate rest API if it is working as expected open a new browser tab and enter the below link, it should show the below result successful result:

https://<fgt-ip>/api/v2/cmdb/system/automation-stitch/<automation-stitch-name>?access_token=<enter-t...

example:
{

  "http_method":"GET",

  "revision":"xxxxxxxxxxxxx",

  "results":[

    {

      "name":"FNACHost",    ß--------my stitch name

      "q_origin_key":"FNACHost",

      "description":"",

      "status":"enable",

      "trigger":"FNACHost",

      "actions":[

        {

          "id":1,

          "q_origin_key":1,

          "action":"FNAC Compromised Host_quarantine-fortinac",

          "delay":0,

          "required":"disable"

        },

        {

          "id":2,

          "q_origin_key":2,

          "action":"FNAC Compromised Host_email",

          "delay":0,

          "required":"disable"

        }

      ],

      "destination":[

      ]

    }

  ],

  "vdom":"root",

  "path":"system",

  "name":"automation-stitch",

  "mkey":"FNACHost",

  "status":"success",

  "http_status":200,

  "serial":"xxxxxxxxxxxxx",

  "version":"v7.0.3",

  "build":237

}


Make sure the switch is a member of the Physical Address Filtering group under System > Groups.
Hawada1_1-1640294619273.png

 

The switch must belong to the Physical Address Filtering group. It doesn't need to be part of the U/H Profile policy.
Important: If the switch is not part of the Physical Address Filtering group FNAC ignore disabled host/adapters.


On a Linux PC accessible by the FortiGate, create a curl request to trigger the automation stitch:

hawada@Kali:~# curl -k -X POST -H 'Authorization: Bearer <fgt-api-token>' --data '{ "srcip": "<ip-address-of-the-pc-you-need-to-disable>", "mac":"<mac-address-of-the-pc-you-need-to-disable>" }'

https://<fgt-ip>:<port>/api/v2/monitor/system/automation-stitch/webhook/<stitch-name>

Hawada1_2-1640294664803.png

In FortiNAC, the Host View shows the status of the client PC. It is quarantined and its MAC address is disabled.

Hawada1_3-1640294695994.png


Note:
  The switch port will remain UP, but the devices will be moved to Deadend VLAN, so make sure the “Deadend” VLAN is configured in the switch Model Configuration.


Hawada1_4-1640294730585.png

 

 

Contributors