FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 298396
Description

 

This article describes the recommended reporting platform for FortiNAC-F now that the FortiNAC Analytics Reporting product has been discontinued: FortiAnalyzer. The steps below are also covered in the Administration Guide.

 

Scope

 

FortiNAC, FortiAnalyzer.

 

Solution

 

  1. Enable ADOMs in FortiAnalyzer and create an ADOM dedicated to FortiNAC.

 

adom.PNG

  2. Add FortiAnalyzer in FortiNAC as a Log Receiver:

 

add faz.PNG

 

  3. Add FortiNAC in FortiAnalyzer as a device in the previously created ADOM:

 

add fnac.PNG

 

 

The FortiNAC status as shown in the FortiAnalyzer GUI:

 

status.PNG

 

 

The logs are sent over TCP port 514 and the content is encrypted. In the packet capture below, the TCP payload of each data segment begins with the bytes 17 03 03, the header of a TLS application-data record, so the log content itself is not readable in the capture. The "shell" label that tcpdump prints for the destination port is only its /etc/services name for port 514/tcp and does not mean rsh is in use. Output of the packet capture for one event:

 

execute tcpdump -i port1 host 10.5.21.115 and port 514 -vX
dropped privs to admin
tcpdump: listening on port1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:33:21.958977 IP (tos 0x0, ttl 64, id 25797, offset 0, flags [DF], proto TCP (6), length 74)
fnacf.eb.eu.50852 > faz.eb.eu.shell: Flags [P.], cksum 0x2be7 (incorrect -> 0x6be7), seq 2478534257:2478534291, ack 1671594507, win 852, length 34
0x0000: 4500 004a 64c5 4000 4006 aa3e 0a01 0232 E..Jd.@.@..>...2
0x0010: 0a05 1573 c6a4 0202 93bb 6e71 63a2 820b ...s......nqc...
0x0020: 5018 0354 2be7 0000 1703 0300 1d8e 563b P..T+.........V;
0x0030: 372c a04c 8a1a 0c77 5b8e 86a5 9ae5 f72e 7,.L...w[.......
0x0040: e893 358a 37b4 f49a a9b6 ..5.7.....
12:33:21.991130 IP (tos 0x0, ttl 60, id 9994, offset 0, flags [DF], proto TCP (6), length 129)
faz.eb.eu.shell > fnacf.eb.eu.50852: Flags [P.], cksum 0xbed4 (correct), seq 1:90, ack 34, win 25067, length 89
0x0000: 4500 0081 270a 4000 3c06 ebc2 0a05 1573 E...'.@.<......s
0x0010: 0a01 0232 0202 c6a4 63a2 820b 93bb 6e93 ...2....c.....n.
0x0020: 5018 61eb bed4 0000 1703 0300 5462 ce3d P.a.........Tb.=
0x0030: d679 a6fc c12c 3555 618b 3534 9d46 07c0 .y...,5Ua.54.F..
0x0040: dff1 40fe 0e6e 632c 796e c454 275d 0484 ..@..nc,yn.T']..
0x0050: f47f 0540 5695 4f4a cc07 2521 5638 5641 ...@V.OJ..%!V8VA
0x0060: 4fb1 84ed d226 fce3 fdff ad5f 4f1d 6155 O....&....._O.aU
0x0070: 3371 422e da79 46bd 2983 0019 72c2 1de1 3qB..yF.)...r...
0x0080: 3c <
12:33:21.991179 IP (tos 0x0, ttl 64, id 25798, offset 0, flags [DF], proto TCP (6), length 40)
fnacf.eb.eu.50852 > faz.eb.eu.shell: Flags [.], cksum 0x2bc5 (incorrect -> 0xcfd9), ack 90, win 852, length 0
0x0000: 4500 0028 64c6 4000 4006 aa5f 0a01 0232 E..(d.@.@.._...2
0x0010: 0a05 1573 c6a4 0202 93bb 6e93 63a2 8264 ...s......n.c..d
0x0020: 5010 0354 2bc5 0000 P..T+...
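A quick way to confirm the "encrypted" claim from a capture like the one above is to rebuild the packet from the tcpdump -X hex columns and look at the first TCP payload bytes. The following Python script is an added example written for this article (it is not Fortinet code); the SAMPLE_DUMP constant is the first data segment from the capture above, copied as constructed input, and the classification rules (TLS record header versus a plaintext "<PRI>" syslog line) are the author's own.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the first data segment of the capture above, as tcpdump -X prints it.
SAMPLE_DUMP = """\
0x0000: 4500 004a 64c5 4000 4006 aa3e 0a01 0232 E..Jd.@.@..>...2
0x0010: 0a05 1573 c6a4 0202 93bb 6e71 63a2 820b ...s......nqc...
0x0020: 5018 0354 2be7 0000 1703 0300 1d8e 563b P..T+.........V;
0x0030: 372c a04c 8a1a 0c77 5b8e 86a5 9ae5 f72e 7,.L...w[.......
0x0040: e893 358a 37b4 f49a a9b6 ..5.7.....
"""

# TLS record-layer content types (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild the raw IPv4 packet from 'tcpdump -X' lines.

    Each line is '0xOFFSET: <up to 8 groups of 4 hex digits> <ascii column>'.
    At most 8 groups are read per line so the ASCII column is never consumed,
    and the result is trimmed to the IP total length as a second guard.
    """
    raw = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*)$", line)
        if not m:
            continue
        if int(m.group(1), 16) != len(raw):
            raise ValueError(f"offset gap at 0x{m.group(1)}, have {len(raw)} bytes")
        groups = 0
        for tok in m.group(2).split():
            if groups == 8 or not re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                break
            raw += bytes.fromhex(tok)
            groups += 1
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_len = int.from_bytes(raw[2:4], "big")
    return bytes(raw[:total_len])


def tcp_payload(pkt: bytes) -> Tuple[int, int, bytes]:
    """Return (src port, dst port, payload) of a TCP-over-IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    data_off = (tcp[12] >> 4) * 4      # TCP header length from the data-offset nibble
    return sport, dport, tcp[data_off:]


def classify_payload(payload: bytes) -> Dict:
    """Classify the first payload bytes: TLS record, plaintext syslog, or unknown.

    A TLS record starts with a 1-byte content type, a 2-byte record version
    (0x0301..0x0304) and a 2-byte length. A plaintext RFC 3164/5424 syslog
    message starts with '<PRI>'. These rules are the author's own heuristic.
    """
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 3 and payload[2] <= 4):
        rec_len = int.from_bytes(payload[3:5], "big")
        return {"kind": "tls", "content_type": TLS_CONTENT_TYPES[payload[0]],
                "version": f"3.{payload[2]}", "record_len": rec_len,
                "complete": len(payload) == 5 + rec_len}
    if payload[:1] == b"<" and b">" in payload[:6]:
        return {"kind": "plaintext-syslog"}
    return {"kind": "unknown"}


def inspect_dump(dump: str) -> Dict:
    """Parse one tcpdump -X packet and report what its TCP payload looks like."""
    pkt = parse_tcpdump_hex(dump)
    sport, dport, payload = tcp_payload(pkt)
    info = classify_payload(payload)
    info.update(sport=sport, dport=dport, payload_len=len(payload))
    return info


if __name__ == "__main__":
    print(inspect_dump(SAMPLE_DUMP))
```

For the segment above this reports destination port 514, a 34-byte payload, and a TLS application-data record (version 3.3) whose declared length of 29 bytes plus the 5-byte header fills the segment exactly; a plaintext syslog forwarder would show "<PRI>" and readable text in the ASCII column instead.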

 

Event created in FortiNAC:

FNAC event.PNG

 

The same event triggers several syslog messages sent to FortiAnalyzer, containing the extended information that is later used in the reports:

 

faz logs.PNG

 

On later FortiAnalyzer versions a built-in report template for FortiNAC is included and can be run out of the box:

 

run report.PNG

This generates a formatted report with tables and charts that can be viewed as HTML or downloaded as a PDF.

It includes information about endpoints and network devices and can serve as a snapshot of the network at a given time: the connection status, location and inventory details of the endpoints, and the status of every port on each managed network device.

 

The report can be scheduled to run more frequently, for example every 4 hours:

 

schedule.PNG

 

Troubleshooting communication:

 

The communication is handled by OFTP, a Fortinet proprietary protocol. To check the content of the messages FortiNAC sends to FortiAnalyzer, enable the OFTPPlugin debug and follow the output.master log:

 

diagnose debug plugin enable OFTPPlugin

 

diagnose tail -F output.master

 

yams.OFTPPlugin FINER :: 2024-03-14 16:31:27:796 :: #12947 :: sendLogMessage() Message [entries=[devid=FNVXCATM00000000 type=asset subtype=adapter action=update assetid=2 landscape=92023029761 connected=true enabled=true endpointid=2 mac=00:E0:4C:68:28:20 location="SAlone-240 port1 { port1 } " vendorname="REALTEK SEMICONDUCTOR CORP." accessval="512" containerid=74 portid=77 createtime="2024-03-14 16:31:27" date=2024-03-14 time=16:31:27 tz=UTC+01:00]]

yams.OFTPPlugin FINER :: 2024-03-14 16:31:27:799 :: #4585 :: sendLogMessage() Message [entries=[devid=FNVXCATM00000000 type=asset subtype=endpoint action=update assetid=2 landscape=92023029761 endpointtype="Rogue" connected=true enabled=true atrisk=false mdmmanaged=false createtime="2024-03-14 16:31:27" validfortime="2024-04-13 17:31:27" lastsuccessfulpoll="2024-03-14 16:31:27" offlinetime=1209600000 date=2024-03-14 time=16:31:27 tz=UTC+01:00]]

yams.OFTPPlugin FINER :: 2024-03-14 16:31:28:470 :: #452 :: sendLogMessage() Message [entries=[devid=FNVXCATM00000000 type=asset subtype=port action=update assetid=77 landscape=92023029761 name="SAlone-240" ip=10.5.32.51 mac=E0:23:FF:37:D3:0B deviceid=75 porttype=6 label="port1(primary)" curvlan=512 defvlan=511 regvlan=512 connstate="Rogue Host" adminstatus=1 operstatus=1 date=2024-03-14 time=16:31:28 tz=UTC+01:00]]
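When the FortiAnalyzer report comes out empty or incomplete, the first question is whether the asset records FortiNAC sends carry the fields the report needs and whether they all carry the same devid (the serial FortiAnalyzer matches against the registered device). The following Python script is an added example written for this article, not Fortinet code: it parses sendLogMessage() lines of the kind shown above into key/value records, checks them, and joins the three subtypes into one row per adapter. The three SAMPLE_LOG lines are the debug output above, used as constructed input; the REQUIRED field sets and the join keys (adapter.endpointid to endpoint.assetid, adapter.portid to port.assetid) are inferred from the values in that sample and are assumptions, not a documented schema.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the three OFTPPlugin debug lines from the output.master excerpt above.
SAMPLE_LOG = r"""
yams.OFTPPlugin FINER :: 2024-03-14 16:31:27:796 :: #12947 :: sendLogMessage() Message [entries=[devid=FNVXCATM00000000 type=asset subtype=adapter action=update assetid=2 landscape=92023029761 connected=true enabled=true endpointid=2 mac=00:E0:4C:68:28:20 location="SAlone-240 port1 { port1 } " vendorname="REALTEK SEMICONDUCTOR CORP." accessval="512" containerid=74 portid=77 createtime="2024-03-14 16:31:27" date=2024-03-14 time=16:31:27 tz=UTC+01:00]]
yams.OFTPPlugin FINER :: 2024-03-14 16:31:27:799 :: #4585 :: sendLogMessage() Message [entries=[devid=FNVXCATM00000000 type=asset subtype=endpoint action=update assetid=2 landscape=92023029761 endpointtype="Rogue" connected=true enabled=true atrisk=false mdmmanaged=false createtime="2024-03-14 16:31:27" validfortime="2024-04-13 17:31:27" lastsuccessfulpoll="2024-03-14 16:31:27" offlinetime=1209600000 date=2024-03-14 time=16:31:27 tz=UTC+01:00]]
yams.OFTPPlugin FINER :: 2024-03-14 16:31:28:470 :: #452 :: sendLogMessage() Message [entries=[devid=FNVXCATM00000000 type=asset subtype=port action=update assetid=77 landscape=92023029761 name="SAlone-240" ip=10.5.32.51 mac=E0:23:FF:37:D3:0B deviceid=75 porttype=6 label="port1(primary)" curvlan=512 defvlan=511 regvlan=512 connstate="Rogue Host" adminstatus=1 operstatus=1 date=2024-03-14 time=16:31:28 tz=UTC+01:00]]
"""

# Line layout: logger, level, timestamp, '#counter', then the entries=[...] body (counter meaning assumed).
LINE_RE = re.compile(
    r"^yams\.OFTPPlugin\s+(?P<level>\w+)\s+::\s+(?P<ts>\S+ \S+)\s+::\s+#(?P<seq>\d+)\s+::\s+"
    r"sendLogMessage\(\) Message \[entries=\[(?P<body>.*)\]\]\s*$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Minimum fields per asset subtype for a usable report row (assumed from the sample, not a Fortinet spec).
REQUIRED = {
    "adapter": {"assetid", "endpointid", "mac", "portid", "location"},
    "endpoint": {"assetid", "endpointtype", "connected", "atrisk"},
    "port": {"assetid", "name", "ip", "label", "curvlan", "connstate"},
}


def parse_debug_line(line: str) -> Dict:
    """Parse one sendLogMessage() debug line into metadata plus a field dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an OFTPPlugin sendLogMessage() line")
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(m.group("body"))}
    return {"level": m.group("level"), "ts": m.group("ts"), "seq": int(m.group("seq")), "fields": fields}


def parse_debug_log(text: str) -> List[Dict]:
    """Parse every sendLogMessage() line in an output.master excerpt; other lines are skipped."""
    return [parse_debug_line(l) for l in text.splitlines() if "sendLogMessage()" in l]


def check_records(records: List[Dict]) -> List[str]:
    """Return human-readable problems: mixed devid values or asset records missing required fields."""
    problems = []
    devids = {r["fields"].get("devid") for r in records}
    if len(devids) != 1:
        problems.append(f"mixed devid values: {sorted(str(d) for d in devids)}")
    for r in records:
        f = r["fields"]
        if f.get("type") != "asset":
            continue
        missing = REQUIRED.get(f.get("subtype"), set()) - f.keys()
        if missing:
            problems.append(f"{f.get('subtype')} assetid={f.get('assetid')} missing {sorted(missing)}")
    return problems


def correlate(records: List[Dict]) -> List[Dict]:
    """Join adapter -> endpoint (endpointid == assetid) and adapter -> port (portid == assetid).

    The join keys are inferred from the sample values and are an assumption.
    """
    by_subtype = defaultdict(dict)
    for r in records:
        f = r["fields"]
        if f.get("type") == "asset":
            by_subtype[f["subtype"]][f["assetid"]] = f
    rows = []
    for a in by_subtype["adapter"].values():
        ep = by_subtype["endpoint"].get(a.get("endpointid"), {})
        port = by_subtype["port"].get(a.get("portid"), {})
        rows.append({
            "mac": a.get("mac"), "vendor": a.get("vendorname"),
            "endpointtype": ep.get("endpointtype"), "connected": a.get("connected") == "true",
            "switch": port.get("name"), "switch_ip": port.get("ip"), "port": port.get("label"),
            "vlan": port.get("curvlan"), "connstate": port.get("connstate"),
        })
    return rows


if __name__ == "__main__":
    recs = parse_debug_log(SAMPLE_LOG)
    print(check_records(recs) or "no problems")
    for row in correlate(recs):
        print(row)
```

On the sample this reports no problems and one row: the Realtek adapter 00:E0:4C:68:28:20, classified as a Rogue endpoint, on port1(primary) of switch SAlone-240 (10.5.32.51) in VLAN 512 with connection state "Rogue Host", which is the same picture the FortiAnalyzer Log View and the endpoint report should show. If a record arrives with a different devid, or the adapter's portid does not resolve to a port record, the check or the empty switch column points at the gap before the report is blamed.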

 

Similar content is shown under Log View in FortiAnalyzer:

 

asset events.png

 

Related documents: