Description
This article describes how to make Cisco ASA ports visible in the FortiNAC GUI when the integration itself is successful but the ASA interfaces do not appear in Port View.
Scope
FortiNAC Cisco ASA integration.
Solution
To retrieve the port information that FortiNAC holds for the ASA appliance, run the following command from the FortiNAC CLI:
dumpports -ip x.x.x.x <---- Replace x.x.x.x with the ASA IP address.
An snmpwalk can also be performed from the FortiNAC CLI to retrieve the interface table directly from the ASA and compare it with what FortiNAC has stored:
snmpwalk -c <communityString> -v1 <ipaddress> 1.3.6.1.2.1.2 ( 1.3.6.1.2.1.2 is the standard MIB-II interfaces subtree; ifTable itself is 1.3.6.1.2.1.2.2, so this walk returns the ifIndex, ifDescr, ifType and ifPhysAddress values that the dumpports output below is built from)
Use the SNMP version and credentials that FortiNAC is configured to use for the ASA; for SNMPv3, snmpwalk takes -v3 with -u/-a/-A/-x/-X instead of -c, and the community string passed with -v1/-v2c travels in cleartext.
- In FortiNAC, every interface carries an attribute named PortID.
- For Ethernet interfaces (Port Type = 6, i.e. ifType ethernetCsmacd) its value should equal the port's suffix for this device. Both values can be verified in the output of dumpports -ip x.x.x.x.
- If PortID is set to -1 on an interface, that interface is not rendered in the GUI.
Example:
port[8] suffix = 2 Descrip = wgwregr.local.test asa_mgmt_plane attribute count = 16
DBID = 78351 Port Type = 6
Name = wgwregr.local.test
Label = IF#2
Phys Address = YY:YY:YY:YY:YY:YY
IP Address = X.X.X.X
Community Strings: ---------------
Name = 1.3.6.1.2.1.2.2.1.1 value = 2
Name = 1.3.6.1.2.1.2.2.1.3 value = 6
Name = 1.3.6.1.2.1.2.2.1.6 value = YY:YY:YY:YY:YY:YY
Name = 1.3.6.1.2.1.2.2.1.7 value = 1
Name = 1.3.6.1.2.1.2.2.1.8 value = 1
Name = 1.3.6.1.2.1.2.2.1.2 value = Adaptive Security Appliance 'asa_mgmt_plane' interface
Name = 1.3.6.1.2.1.2.2.1.22 value = 0.0
Name = 1.3.6.1.2.1.31.1.1.1.1 value = asa_mgmt_plane
Name = 1.3.6.1.2.1.31.1.1.1.18 value =
Name = ConnectionState value = 0
Name = DefaultVlanID value = -1
Name = CurrentVlanID value = -1
Name = UnRegVlanID value = -1
Name = PortID value = -1
Name = 1.3.6.1.2.1.4.20.1.1 value = null
Name = 1.3.6.1.2.1.4.20.1.3 value = null
In this example:
DBID = 78351
suffix = 2
Name = PortID value = -1
The database ID for this interface in FortiNAC is 78351, and its suffix is 2.
Edit the PortID attribute for this DBID from the CLI so that it matches the suffix.
In the FortiNAC CLI enter:
device -dbid 78351 -setAttr -name PortID -value "2"
Then refresh the GUI. The expected result is that interface 2 (label IF#2) now appears in Port View. Repeat the same check and correction for every other interface whose dumpports output shows PortID value = -1.
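When an ASA has many interfaces with PortID = -1, checking each dumpports block by hand is error-prone. The following script is an added example, not part of the original article or of FortiNAC itself: it parses saved dumpports output, plans one device -setAttr command per Ethernet port whose PortID is -1, and leaves non-Ethernet ports (Port Type other than 6) for manual review. It assumes that multi-port dumpports output repeats the block format shown above for each port (the article shows only one block), that the script is run on a host where Python 3 is available, and, for --apply only, that the device command is on the PATH as it is in the FortiNAC CLI. The sample output embedded below is constructed for the example and mirrors the article's single block.

```python
"""Plan (and optionally apply) PortID fixes from FortiNAC 'dumpports' output.

Added example; assumes the per-port block format shown in the article repeats
for every port. Run without --apply to print the commands, with --apply to
execute them via the FortiNAC 'device' CLI command.
"""
import re
import shlex
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ifType 6 = ethernetCsmacd. The PortID == suffix rule applies to Ethernet ports.
ETHERNET_IFTYPE = 6

PORT_RE = re.compile(r"^port\[(\d+)\]\s+suffix\s*=\s*(-?\d+)")
DBID_RE = re.compile(r"^DBID\s*=\s*(\d+)\s+Port Type\s*=\s*(\d+)")
PORTID_RE = re.compile(r"^Name\s*=\s*PortID\s+value\s*=\s*(-?\d+)")


@dataclass
class Port:
    index: int
    suffix: int
    dbid: Optional[int] = None
    port_type: Optional[int] = None
    port_id: Optional[int] = None


def parse_dumpports(text: str) -> List[Port]:
    """Split dumpports output into Port records, one per 'port[N] suffix = S' block."""
    ports: List[Port] = []
    cur: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            cur = Port(index=int(m.group(1)), suffix=int(m.group(2)))
            ports.append(cur)
            continue
        if cur is None:
            continue  # header noise before the first port block
        m = DBID_RE.match(line)
        if m:
            cur.dbid, cur.port_type = int(m.group(1)), int(m.group(2))
            continue
        m = PORTID_RE.match(line)
        if m:
            cur.port_id = int(m.group(1))
    return ports


def plan_fixes(ports: List[Port]) -> Tuple[List[str], List[Port]]:
    """Return (commands to run, ports skipped for manual review).

    Only Ethernet ports with PortID == -1 and a known DBID get a command;
    other ports with PortID == -1 are reported rather than silently changed.
    """
    commands: List[str] = []
    skipped: List[Port] = []
    for p in ports:
        if p.port_id != -1:
            continue  # PortID already populated, port is visible
        if p.dbid is None or p.port_type != ETHERNET_IFTYPE:
            skipped.append(p)
            continue
        commands.append(
            f'device -dbid {p.dbid} -setAttr -name PortID -value "{p.suffix}"'
        )
    return commands, skipped


# Constructed sample: the article's block plus three invented neighbours.
SAMPLE_DUMPPORTS = """\
port[8] suffix = 2 Descrip = wgwregr.local.test asa_mgmt_plane attribute count = 16
DBID = 78351 Port Type = 6
Label = IF#2
Name = 1.3.6.1.2.1.2.2.1.1 value = 2
Name = PortID value = -1
port[9] suffix = 3 Descrip = wgwregr.local.test outside attribute count = 16
DBID = 78352 Port Type = 6
Label = IF#3
Name = PortID value = 3
port[10] suffix = 4 Descrip = wgwregr.local.test inside attribute count = 16
DBID = 78353 Port Type = 6
Label = IF#4
Name = PortID value = -1
port[11] suffix = 5 Descrip = wgwregr.local.test loopback attribute count = 16
DBID = 78354 Port Type = 24
Label = IF#5
Name = PortID value = -1
"""


def main(argv: List[str]) -> int:
    apply = "--apply" in argv
    files = [a for a in argv[1:] if a != "--apply"]
    text = open(files[0]).read() if files else SAMPLE_DUMPPORTS
    commands, skipped = plan_fixes(parse_dumpports(text))
    for p in skipped:
        print(f"# review manually: port[{p.index}] DBID={p.dbid} Port Type={p.port_type}")
    for cmd in commands:
        print(cmd)
        if apply:
            subprocess.run(shlex.split(cmd), check=True)  # assumes 'device' on PATH
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: save the output of dumpports -ip x.x.x.x to a file, run the script against it to review the planned commands, then rerun with --apply and refresh the GUI. Against the constructed sample it plans fixes for DBID 78351 (value "2") and 78353 (value "4"), leaves port[9] alone because its PortID is already 3, and flags port[11] because its Port Type is not Ethernet.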
Other related documentation:
https://docs.fortinet.com/document/fortinac/9.2.0/cisco-asa-vpn-integration
Copyright 2024 Fortinet, Inc. All Rights Reserved.