FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 190017

Description


This article describes the integration with FortiGate. In this integration, API access is used for the following functions:

  • Reading MAC Address Tables (L2 Poll).
  • Reading IP Tables (L3 Poll).
  • Reading VLANs.
  • Switching VLANs.
  • Populating the Network inventory with the FortiSwitch and FortiAP it manages.

 

If the API communication is not working properly, these functions will fail.

 

Scope

 

FortiNAC.

Solution

 

From the CLI, run the below command to verify that the FortiGate can be accessed via API:
 
curl -ki -H "Content-Type: application/json" -X POST "https://<FortiGate IP>/logincheck?username=<userid>&secretkey=<password>"
 
The response should look similar to the following:


HTTP/1.1 200 OK
Date: Fri, 04 Oct 2019 12:50:02 GMT
Server:
Set-Cookie: APSCOOKIE_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: VDOM_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: CENTRAL_MGMT_OVERRIDE_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: EDIT_HISTORY_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: FILE_DOWNLOADING_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: csrftoken_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: ccsrftoken_1504669070="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Set-Cookie: ccsrftoken="0%260"; path=/; expires=Thu, 16-Oct-1969 12:50:02 GMT; secure; SameSite=Strict
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=15552000
X-UA-Compatible: IE=Edge

 
If there is no response from FortiGate:
 
  1. Verify the API port used in the FortiGate model (443 by default) matches the value in the FortiGate configuration. 
  • In the FortiGate UI, navigate to System -> Settings. The HTTPS port is listed under Administration Settings.
  • In FortiNAC, the port can be verified by running the following command from CLI:

 

device -ip <FortiGate IP> | grep -i "API_Port"
 
In FortiNAC-OS:
 
execute enter-shell
device -ip <FortiGate IP> | grep -i "API_Port"

 

FortiNAC accesses the FortiGate via CLI (SSH) to determine the API port in use and then updates the model dynamically. If the ports do not match, ensure the account used in the FortiGate model has both SSH access and REST API access. The API port discovery process can be seen in the output.master logs, as in the example below:
 
yams INFO :: 2025-01-01 01:01:01:111 :: #15468 :: https-jsse-nio-0.0.0.0-8443-exec-103 Fortigate.getAPIPort result =
get system global | grep admin-sport
admin-sport : 443
management-port-use-admin-sport: disable
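As an added example (not part of this article), the following POSIX shell helpers work offline on the two outputs shown above: they check a captured logincheck response for a 200 status carrying the ccsrftoken cookie, pull the discovered admin-sport value out of output.master lines, and build the logincheck URL with the credentials percent-encoded so that a password containing '&' or '@' is not split by the shell or the server. The sample response, sample log lines, and the host/user/password arguments are constructed placeholders, and check_fortigate_api is a hypothetical wrapper around the article's curl command.

```shell
# Added example, not from the Fortinet article: offline helpers for the
# logincheck test and the API-port discovery log shown above.
# Constructed sample: header block returned by the `curl -ki ... logincheck` call.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Fri, 04 Oct 2019 12:50:02 GMT
Set-Cookie: ccsrftoken="0%260"; path=/; secure; SameSite=Strict
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=15552000'

# Constructed sample: output.master lines written by Fortigate.getAPIPort.
SAMPLE_LOG='yams INFO :: 2025-01-01 01:01:01:111 :: #15468 :: Fortigate.getAPIPort result =
get system global | grep admin-sport
admin-sport : 4443
management-port-use-admin-sport: disable'

# Print the three-digit status code from the first line of a response.
http_status() {
  printf '%s\n' "$1" | sed -n '1s#^HTTP/[0-9.]* \([0-9]\{3\}\).*#\1#p'
}
# Exit 0 only when the FortiGate answered 200 and set the ccsrftoken cookie,
# which is what a healthy API login looks like in the article's sample.
logincheck_ok() {
  [ "$(http_status "$1")" = "200" ] &&
    printf '%s\n' "$1" | grep -qi '^Set-Cookie: ccsrftoken='
}
# Extract the admin-sport value FortiNAC discovered (the REST API port).
discovered_api_port() {
  printf '%s\n' "$1" | sed -n 's/^admin-sport *: *\([0-9][0-9]*\).*/\1/p'
}
# Percent-encode every byte (RFC 3986 allows encoding unreserved characters),
# so '&', '@' or '%' in a password cannot break the query string.
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../%&/g'
}
# Build the logincheck URL; pass it to curl in double quotes, as one argument.
logincheck_url() {
  printf 'https://%s/logincheck?username=%s&secretkey=%s\n' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")"
}
# Live check (hypothetical wrapper): run against a real FortiGate as
#   sh check.sh <FortiGate IP> <userid> <password>
check_fortigate_api() {
  resp=$(curl -ksi -H "Content-Type: application/json" -X POST "$(logincheck_url "$1" "$2" "$3")")
  logincheck_ok "$resp" && echo "API login OK" || { echo "API login failed"; return 1; }
}
[ $# -eq 3 ] && check_fortigate_api "$@"
```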
 
Note:
In older FortiNAC versions (v8.x), if the FortiGate uses a different port for API access, the port may not be discovered automatically. Change the port in the model to match by running the following command from the CLI:
 
device -ip <FortiGate IP> -setAttr -name API_Port -value <Port value>
 
If the port needs to be set manually in FortiNAC-OS, run the following command:
 

execute enter-shell
device -ip 10.20.30.1 -SetAttr -name API_Port -value 4443


Note:
The admin user account must have read/write access to all VDOMs. To create or view user accounts, navigate to System -> Administrators in the FortiGate UI.
 
  2. If the API ports match, verify the port is not being blocked somewhere in the network.
To validate the communication, follow these steps:
  • Verify credentials are correct. In the Administration UI, navigate to Network Devices -> Topology.
  • Select the Credentials tab for the FortiGate model.
  • Select Validate Credentials.

 

If this results in the message 'SNMP connect succeeded. However device failed to connect using CLI credentials', the credentials may be wrong, or the communication through the API is not successful.
 
Using a REST API token is recommended for this integration. The steps are shown in this article: Technical Tip: How to configure & use API token to communicate with FortiGate.
The API token can also be added through CLI:

 

device -ip <FortiGate IP> -SetAttr -name APIToken -value <API Key>

On FortiNAC-OS, run the following command:


execute enter-shell

device -ip <FortiGate IP> -SetAttr -name APIToken -value <API Key>

 

  3. If the API call is still failing, check whether HTTPS is enabled on the specific FortiGate interface to which the API call is being made.

 

FortiGate# show system interface port<>
    edit "port<>"   <----- The specific port to which API calls are to be made.
        set ip <FortiGate-IP> 
        set allowaccess ping https ssh fgfm <--- Should have https enabled, else API calls fail to this FortiGate-IP.

        ...
    next
end


Related documents:

FortiGate endpoint management integration guide

FortiGate Endpoint Management Integration
Technical Tip: How to configure & use API token to communicate with FortiGate