FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 201807
Description: This article describes how to configure Automation Stitches to quarantine illegitimate devices.
Scope: FortiNAC v8.7.x-8.8.0, FortiOS v6.4.0 and above.
Solution

Requirements:

  • FortiNAC appliances to be installed with licenses that include additional certificates. This type of license was introduced on January 1st 2020.
  • FortiNAC version 8.7.x - 8.8.0: FortiGate devices must be running FortiOS 6.4.0 or higher.
  • FortiNAC version 8.8.1 and higher: FortiGate devices must be running FortiOS 6.4.2 or higher.

Add FortiNAC to the Security Fabric:

  1. In the FortiNAC Administration UI, navigate to Network > Service Connectors.
  2. Click Create New.
  3. Click Security Fabric Connection.
  4. Enter the following values and save: IP: Root FortiGate IP address; Port: 8013.
    Refer to the FortiOS Administration Guide to complete the configuration: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/264311/fortinac
  5. Authorize FortiNAC on the root FortiGate.
  6. Verify connection status.
  7. Login to FortiNAC Administration UI from the FortiGate.

To authorize the FortiNAC on the root FortiGate in the GUI:

  1. Go to Security Fabric > Fabric Connectors.
  2. The FortiNAC device will be highlighted in the topology list in the right panel with the status Waiting for Authorization.
  3. Click on the highlighted FortiNAC and select Authorize.

Configure the FortiGate up to step 4 of the following guide, at which point FortiNAC is added to the Security Fabric:
https://docs.fortinet.com/document/fortigate/7.0.3/administration-guide/264311

https://docs.fortinet.com/document/fortigate/7.0.3/administration-guide/188426/fortinac-quarantine-a...
To test that the FortiGate REST API is working as expected, open a new browser tab and enter the link below. It should return a successful result like the example that follows:

https://<fgt-ip>/api/v2/cmdb/system/automation-stitch/<automation-stitch-name>?access_token=<enter-t...

example:
{
  "http_method":"GET",
  "revision":"xxxxxxxxxxxxx",
  "results":[
    {
      "name":"FNACHost",    <-- my stitch name
      "q_origin_key":"FNACHost",
      "description":"",
      "status":"enable",
      "trigger":"FNACHost",
      "actions":[
        {
          "id":1,
          "q_origin_key":1,
          "action":"FNAC Compromised Host_quarantine-fortinac",
          "delay":0,
          "required":"disable"
        },
        {
          "id":2,
          "q_origin_key":2,
          "action":"FNAC Compromised Host_email",
          "delay":0,
          "required":"disable"
        }
      ],
      "destination":[
      ]
    }
  ],
  "vdom":"root",
  "path":"system",
  "name":"automation-stitch",
  "mkey":"FNACHost",
  "status":"success",
  "http_status":200,
  "serial":"xxxxxxxxxxxxx",
  "version":"v7.0.3",
  "build":237
}


Make sure the switch is a member of the Physical Address Filtering group under System > Groups. The switch must belong to this group, but it does not need to be part of the U/H Profile policy.
Important: If the switch is not part of the Physical Address Filtering group, FortiNAC ignores disabled hosts/adapters.


On a Linux PC with network access to the FortiGate, send a curl request to trigger the automation stitch:

hawada@Kali:~# curl -k -X POST -H 'Authorization: Bearer <fgt-api-token>' --data '{ "srcip": "<ip-address-of-the-pc-you-need-to-disable>", "mac":"<mac-address-of-the-pc-you-need-to-disable>" }' https://<fgt-ip>:<port>/api/v2/monitor/system/automation-stitch/webhook/<stitch-name>
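As an added example (not from this article or from Fortinet), the Python helper below checks a stitch reply of the shape shown above for the conditions this procedure depends on (stitch present, enabled, quarantine-fortinac action attached) and builds the same webhook call the curl command sends, validating the IP and MAC first. The sample reply, host and port values are constructed, and nothing is sent.

```python
import ipaddress
import json
import re
from typing import Any, Dict, List

# Constructed sample, shaped like the GET .../cmdb/system/automation-stitch/<name> reply above.
SAMPLE_STITCH_REPLY: Dict[str, Any] = {
    "status": "success",
    "http_status": 200,
    "results": [{
        "name": "FNACHost",
        "status": "enable",
        "trigger": "FNACHost",
        "actions": [
            {"id": 1, "action": "FNAC Compromised Host_quarantine-fortinac", "delay": 0},
            {"id": 2, "action": "FNAC Compromised Host_email", "delay": 0},
        ],
    }],
}


def check_stitch(reply: Dict[str, Any], stitch_name: str) -> List[str]:
    """Return the problems found in a stitch reply; an empty list means the stitch is usable."""
    if reply.get("status") != "success" or reply.get("http_status") != 200:
        return ["API call did not succeed"]
    stitch = next((r for r in reply.get("results", []) if r.get("name") == stitch_name), None)
    if stitch is None:
        return [f"stitch {stitch_name!r} not found"]
    problems = []
    if stitch.get("status") != "enable":
        problems.append("stitch is disabled")
    actions = [a.get("action", "") for a in stitch.get("actions", [])]
    if not any(a.endswith("quarantine-fortinac") for a in actions):
        problems.append("no quarantine-fortinac action attached")
    return problems


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-aa-bb-cc, 0011.22aa.bbcc or 001122aabbcc; return colon-separated lowercase."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def webhook_request(fgt_host: str, port: int, stitch_name: str, srcip: str, mac: str) -> Dict[str, str]:
    """Build (without sending) the same webhook call as the curl command above."""
    ipaddress.ip_address(srcip)  # raises ValueError on a malformed address
    url = f"https://{fgt_host}:{port}/api/v2/monitor/system/automation-stitch/webhook/{stitch_name}"
    body = json.dumps({"srcip": srcip, "mac": normalize_mac(mac)})
    return {"url": url, "body": body}
```

Run check_stitch on the JSON returned by the GET call before triggering the webhook; an empty list confirms the stitch will actually quarantine the host rather than silently do nothing.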


In FortiNAC, the Host View shows the status of the client PC. It is quarantined and its MAC address is disabled.



Note:
  The switch port will remain UP, but the devices will be moved to Deadend VLAN, so make sure the “Deadend” VLAN is configured in the switch Model Configuration.

