FortiNAC
FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Sx11
Staff

Description

This article describes how to make Cisco ASA ports visible in the GUI when the integration succeeds but the interfaces are not available in Port View.

Scope

FortiNAC Cisco ASA integration.

Solution

To retrieve port information from the ASA appliance, run the following command from the FortiNAC CLI:

dumpports -ip x.x.x.x      <---- Replace x.x.x.x with the ASA IP address.

An snmpwalk can also be performed from the FortiNAC CLI to retrieve ifTable information from the ASA:

snmpwalk -c <communityString> -v1 <ipaddress> 1.3.6.1.2.1.2      (1.3.6.1.2.1.2 is the OID for the Cisco ASA ifTable)

- In FortiNAC there is an attribute named PortID that exists for each interface.

- Its value for Ethernet interfaces should equal the port's suffix for this device. This can be verified from the output of dumpports -ip x.x.x.x.

- If PortID is set to -1 on an interface, that interface is rendered invisible in the GUI.

Example:

port[8] suffix = 2 Descrip = wgwregr.local.test asa_mgmt_plane attribute count = 16
DBID = 78351 Port Type = 6
Name = wgwregr.local.test
Label = IF#2
Phys Address = YY:YY:YY:YY:YY:YY
IP Address = X.X.X.X
Community Strings: ---------------
Name = 1.3.6.1.2.1.2.2.1.1 value = 2
Name = 1.3.6.1.2.1.2.2.1.3 value = 6
Name = 1.3.6.1.2.1.2.2.1.6 value = YY:YY:YY:YY:YY:YY
Name = 1.3.6.1.2.1.2.2.1.7 value = 1
Name = 1.3.6.1.2.1.2.2.1.8 value = 1
Name = 1.3.6.1.2.1.2.2.1.2 value = Adaptive Security Appliance 'asa_mgmt_plane' interface
Name = 1.3.6.1.2.1.2.2.1.22 value = 0.0
Name = 1.3.6.1.2.1.31.1.1.1.1 value = asa_mgmt_plane
Name = 1.3.6.1.2.1.31.1.1.1.18 value =
Name = ConnectionState value = 0
Name = DefaultVlanID value = -1
Name = CurrentVlanID value = -1
Name = UnRegVlanID value = -1
Name = PortID value = -1
Name = 1.3.6.1.2.1.4.20.1.1 value = null
Name = 1.3.6.1.2.1.4.20.1.3 value = null

In this example:

DBID = 78351

suffix = 2

Name = PortID value = -1

The database ID for this interface in FortiNAC is 78351.

Edit the PortID attribute for this DBID from the CLI so that it matches the suffix.

In the FortiNAC CLI enter:

device -dbid 78351 -setAttr -name PortID -value "2"

Then refresh the GUI. The expected result is that Interface2 appears in the GUI.
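
As an added illustration (not part of the original article and not FortiNAC's own tooling), the following Python script parses dumpports output in the format shown above and generates the device -setAttr command for every interface whose PortID does not match its suffix, which includes the -1 case this article describes. The sample output is constructed; the hostname and DBIDs in it are placeholders.

```python
import re

# Constructed sample of dumpports output (not captured from a real appliance):
# port 7 already has PortID == suffix, port 8 has PortID = -1 and is invisible.
SAMPLE_DUMPPORTS = """\
port[7] suffix = 1 Descrip = asa.example.test outside attribute count = 3
DBID = 78350 Port Type = 6
Name = 1.3.6.1.2.1.2.2.1.1 value = 1
Name = PortID value = 1
port[8] suffix = 2 Descrip = asa.example.test asa_mgmt_plane attribute count = 3
DBID = 78351 Port Type = 6
Name = 1.3.6.1.2.1.2.2.1.1 value = 2
Name = PortID value = -1
"""

# One port block starts at a "port[n] suffix = ..." line; DBID and PortID follow it.
PORT_RE = re.compile(r"^port\[\d+\] suffix = (\d+) ")
DBID_RE = re.compile(r"^DBID = (\d+)\b")
PORTID_RE = re.compile(r"^Name = PortID value = (-?\d+)")


def parse_dumpports(text):
    """Return one dict {suffix, dbid, portid} per port block in dumpports output."""
    ports = []
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            ports.append({"suffix": int(m.group(1)), "dbid": None, "portid": None})
        elif ports and (m := DBID_RE.match(line)):
            ports[-1]["dbid"] = int(m.group(1))
        elif ports and (m := PORTID_RE.match(line)):
            ports[-1]["portid"] = int(m.group(1))
    return ports


def fix_commands(ports):
    """FortiNAC CLI commands that set PortID to the suffix wherever they differ."""
    return [
        'device -dbid %d -setAttr -name PortID -value "%d"' % (p["dbid"], p["suffix"])
        for p in ports
        if p["dbid"] is not None and p["portid"] != p["suffix"]
    ]


if __name__ == "__main__":
    # Review the generated commands before pasting them into the FortiNAC CLI.
    for cmd in fix_commands(parse_dumpports(SAMPLE_DUMPPORTS)):
        print(cmd)
```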


Other related documentation:

https://docs.fortinet.com/document/fortinac/9.2.0/cisco-asa-vpn-integration