Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tagayev
New Contributor II

Created on ‎08-12-2024 05:36 AM

Best Practices for Integrating FortiNAC Cluster with AD, Security Fabric, and Other Systems

 

Hello Fortinet Community,

I’m seeking advice on configuring the network setup shown in the attached image.

 

NAC.jpg

 

Here’s the scenario:

 

  • Two large sites (HQ1 and HQ2) and several small sites, all with FortiGate firewalls, connected in a Security Fabric. HQ1’s FortiGate is the fabric root.
  • FortiNAC Setup: A FortiNAC Manager with two control units located in HQ1 and HQ2. No HA.
  • HQ1 hosts the primary domain controller, and HQ2 hosts the secondary.

Given this setup, I have several questions:

  1. Should only the FortiNAC Manager integrate with Active Directory, or should the control units also be integrated?
  2. For the Security Fabric, is integrating the FortiNAC Manager with the Fabric Root sufficient, or should the control units also be integrated?
  3. How should the Email server, EMS, and FortiAnalyzer be integrated? Is it sufficient to connect only the FortiNAC Manager, or should all control units be included?

Unfortunately, I haven’t found clear documentation on these integrations. I’d appreciate any guidance or best practices the community can share.

 

Thanks in advance for your help!

FortiNAC 

Labels:
506
0 Kudos
2 Solutions
ebilcari
Staff
Staff

Created on ‎08-13-2024 07:18 AM Edited on ‎08-13-2024 07:25 AM

In simple words, the manager has more like an 'orchestrator' role and is not directly related to the communications of the CAs. Every CA should be configured to directly communicate with the other nodes. For security fabric integration, each CA need to connect to the root FGT, other articles related to EMS and FAZ .

You can read more about in the Manager guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

420
ebilcari
Staff
Staff
In response to tagayev

Created on ‎08-14-2024 12:45 AM

I'm not quite sure if any thing changes if Global Object Synchronization is enabled but the three of these integration should be handled by each CA. Even though they can also be configured in the manager they have different functions, like shown here for LDAP (for admin user only). The event and logs are specific to the manager so the CA events are needed to be sent directly to FAZ. EMS integration is a bit different, the deployment options are shown here.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

372
3 REPLIES 3
ebilcari
Staff
Staff

Created on ‎08-13-2024 07:18 AM Edited on ‎08-13-2024 07:25 AM

In simple words, the manager has more like an 'orchestrator' role and is not directly related to the communications of the CAs. Every CA should be configured to directly communicate with the other nodes. For security fabric integration, each CA need to connect to the root FGT, other articles related to EMS and FAZ .

You can read more about in the Manager guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
421
tagayev
New Contributor II

Created on ‎08-13-2024 07:59 AM

Thank you very much @ebilcari for the clarification!

I now understand that each CA needs to connect to the Fabric Root, moreover as I see only the CAs have this setting enabled.

Regarding AD, EMS, and FAZ, I see that both the Manager and CAs have configuration options. What I'm trying to understand is whether only the CAs need to be integrated with AD, EMS, and FAZ. If that's the case, why are these settings available on the Manager?

Additionally, what happens if both the Manager and CAs are integrated with these services?

 

I appreciate your insights!

407
0 Kudos
ebilcari
Staff
Staff
In response to tagayev

Created on ‎08-14-2024 12:45 AM

I'm not quite sure if any thing changes if Global Object Synchronization is enabled but the three of these integration should be handled by each CA. Even though they can also be configured in the manager they have different functions, like shown here for LDAP (for admin user only). The event and logs are specific to the manager so the CA events are needed to be sent directly to FAZ. EMS integration is a bit different, the deployment options are shown here.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
373
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.