jnascimento
New Contributor

Can't ping from "Registration IP" to "Management Interface IP" of FortiNAC

Hello guys!
I'm deploying FortiNAC and facing a problem, and I want to know whether this is expected or not. The Registration Interface is providing IPs by DHCP to new PCs correctly, but when I try a simple ping from a new PC with a Registration IP to the Management IP of FortiNAC, it does not reply. But if I ping from the FortiNAC to the same PC with the Registration IP, it gets replies. Is this normal behavior natively on FortiNAC? Or do I need to set up something to permit these ping replies?

1 Solution
ebilcari

Firstly, this communication is not needed in the first place. Isolated hosts need to communicate only with the isolation interface of FNAC. Why does the isolated host need to reach the management IP of FNAC in this case?

Even if there is no firewall preventing this communication, this may be a routing issue: FNAC has a route inserted to reach the isolated subnet through the isolation interface.

[Screenshot: add routes.PNG]

If this setup is running on a new version of FNAC-F, by default all services are blocked and need to be allowed at interface level via CLI, more details here.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.


AEK
SuperUser

Hi @jnascimento

I guess this is due to the firewall policies that you have set up, not to some FortiNAC behavior. And I think they are set up properly this way.

In fact, when a PC is in the registration VLAN it is isolated and shouldn't be able to ping anything outside, like the FortiNAC mgmt IP, except for some AV repo or Windows Update, for example.

However, FortiNAC management can still access any VLAN in your network, including the isolation networks, in order to collect information for profiling, etc.

Hope this helps.

AEK
jnascimento

Hi @AEK

Thanks for your rapid reply. But the firewall is permitting all access from one network to the other for this case, and I made it this way exactly to avoid mistakes in troubleshooting. But the PC with an IP from the Registration VLAN can't ping the FortiNAC Management Interface IP. I want to know if this is the default, and, in case I want to make this ping work, whether it will need extra config in FortiNAC, like some check box to permit ping, etc.

AEK

I don't know about this default behavior of FNAC. But I do know that hosts in isolation should not be able to access anything (including FNAC mgmt) except some necessary repos (like AV, Windows Update and so on). And I know that this should be denied at firewall level.

AEK
jnascimento

Thanks, that's the point.
