Hello guys!
I'm deploying FortiNAC and facing a problem, and I want to know whether this is expected or not. The Registration Interface is providing IPs by DHCP to new PCs correctly, but when I try a simple ping from a new PC with a Registration IP to the Management IP of FortiNAC, it does not reply. But if I ping from the FortiNAC to the same PC with the Registration IP, it gets replies. Is this natively normal behavior on FortiNAC? Or do I need to set up something to permit these ping replies?
Hi @jnascimento
I guess this is due to the firewall policies that you have set up, not to some FortiNAC behavior. And I think, like this, they are set up properly.
In fact when a PC is in registration VLAN it is isolated and shouldn't be able to ping something outside like FortiNAC mgmt IP, except some AV repo or Windows update for example.
However FortiNAC management can still access any VLAN in your network, including the isolation networks, in order to collect information for profiling, etc...
Hope this helps.
Hi @AEK
Thanks for your rapid reply. But the firewall is permitting all access from one network to the other for this case, and I made it exactly like this to avoid mistakes in troubleshooting. But the PC with an IP from the Registration VLAN can't ping the FortiNAC Management Interface IP. I want to know if this is the default, and, in case I want to make this ping work, whether it will need extra config in FortiNAC, like some check box to mark to permit ping, etc.
I don't know about this default behavior of FNAC. But I do know that hosts in isolation should not be able to access anything (including FNAC mgmt) except some necessary repos (like AV, Windows update and so on). And I know that this should be denied at the firewall level.
Firstly, this communication is not needed in the first place. Isolated hosts need to communicate only with the isolation interface of FNAC. Why does the isolated host need to reach the management IP of FNAC in this case?
Even if there is no firewall preventing this communication, this may be a routing issue: FNAC has a route inserted to reach the isolated subnet through the isolation interface.
If this setup is running on a new version of FNAC-F, by default all services are blocked and need to be allowed at the interface level via CLI; more details here.
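To illustrate the policy that AEK's reply and the accepted answer describe (isolated hosts reach only the FNAC isolation interface plus the remediation repos, everything else including FNAC management is denied), here is an added first-match policy evaluator. It is not code from this thread or from Fortinet, and every address, subnet and service value in it is constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not values from the thread).
REGISTRATION_NET = ip_network("10.20.0.0/24")   # registration / isolation VLAN
FNAC_ISOLATION_IF = ip_address("10.20.0.1")     # FNAC isolation interface (VLAN gateway)
FNAC_MGMT_IP = ip_address("10.0.0.50")          # FNAC management interface
AV_REPO = ip_network("10.0.5.0/24")             # permitted remediation repo (AV / OS updates)
ANY_NET = ip_network("0.0.0.0/0")

# First-match policy for traffic sourced in the registration VLAN.
# Each rule: (src_net, dst_net, service or "any", action). Order matters.
ISOLATION_POLICY = [
    (REGISTRATION_NET, ip_network(f"{FNAC_ISOLATION_IF}/32"), "any", "allow"),
    (REGISTRATION_NET, AV_REPO, "tcp/443", "allow"),
    (REGISTRATION_NET, ANY_NET, "any", "deny"),   # the implicit deny, made explicit
]

# The "permit everything between networks" setup the original poster used for troubleshooting.
PERMIT_ALL_POLICY = [(REGISTRATION_NET, ANY_NET, "any", "allow")]

def evaluate(policy, src, dst, service):
    """Return the action of the first rule matching (src, dst, service); default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net, svc, action in policy:
        if src in src_net and dst in dst_net and svc in ("any", service):
            return action
    return "deny"

def audit_isolation(policy, expected_flows):
    """Return the flows whose outcome differs from what isolation requires."""
    return [(src, dst, svc, want) for src, dst, svc, want in expected_flows
            if evaluate(policy, src, dst, svc) != want]

# Flows from the thread's scenario, with the outcome the replies say is expected.
EXPECTED_FLOWS = [
    ("10.20.0.25", str(FNAC_ISOLATION_IF), "icmp", "allow"),   # captive portal / gateway
    ("10.20.0.25", str(FNAC_MGMT_IP), "icmp", "deny"),          # the ping the poster tried
    ("10.20.0.25", "10.0.5.10", "tcp/443", "allow"),            # remediation repo
    ("10.20.0.25", "10.0.5.10", "tcp/445", "deny"),             # anything else, even to the repo net
]

if __name__ == "__main__":
    print("isolation policy violations:", audit_isolation(ISOLATION_POLICY, EXPECTED_FLOWS))
    print("permit-all policy violations:", audit_isolation(PERMIT_ALL_POLICY, EXPECTED_FLOWS))
```

Running the audit against the permit-all policy flags the ping to the management IP, which is the flow the replies say a correctly isolated host should never complete.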
Thanks, that's the point.
Copyright 2024 Fortinet, Inc. All Rights Reserved.