FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Sx11
Article Id 299208
Description

 

This article describes how to resolve the synchronization failure that appears after enabling the FortiNAC Control Manager proxy configuration with 'Use HTTP Proxy settings for all protocols'.

 

Scope

 

FortiNAC-M, FortiNAC, SQUID.

 

Solution

 

The Control Manager proxy configuration restricts the FortiNAC servers under management to downloading package, system and signature updates only through the Manager. FortiNAC-M acts as that proxy using 'squid', an open-source caching proxy server.

This is useful in environments where the customer does not want to allow the managed FortiNAC servers direct internet access.

 

Steps to apply the configuration are provided in the guide below:

Control Manager Proxy - FortiNAC document.

 

In some scenarios, it may be necessary to enable 'Use HTTP Proxy settings for all protocols'.

When enabled, the HTTP proxy settings are also used for HTTPS and FTP proxy communication, so HTTPS requests from the managed servers reach squid as CONNECT tunnels to the destination port.

 

Figure 1. Proxy Configuration on FortiNAC CA (server)

 

However, enabling this function impacts FortiNAC synchronization, because the squid configuration file /etc/squid/squid.conf only permits requests to the ports listed in its Safe_ports ACL and CONNECT tunnels to the ports listed in its SSL_ports ACL (squid's stock 'http_access deny !Safe_ports' and 'http_access deny CONNECT !SSL_ports' rules). The ports used for Manager-to-server synchronization are not in those lists by default, so squid rejects the connections.

The following errors are presented when synchronization is attempted:

 

Figure 2. Synchronization Failure

 

To fix the issue, add the synchronization ports to the SSL_ports and Safe_ports ACLs in /etc/squid/squid.conf using nano (or any other editor of choice).

The entries to add are the three that are not part of squid's stock configuration: 8443 (SSL_ports), 1050 and 5555 (Safe_ports). The remaining lines are squid defaults and should already be present; after editing, the ACL block should contain all of the following entries:

 

nano /etc/squid/squid.conf

 

acl SSL_ports port 8443
acl SSL_ports port 443
acl Safe_ports port 1050
acl Safe_ports port 5555
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

 

After editing the file in nano:

 

Press 'Ctrl+O' to write the changes, then 'Enter' to confirm the file name.

Press 'Ctrl+X' to exit the editor.

Squid only reads its configuration at start-up, so reload the running proxy afterwards (for example 'squid -k parse' to validate the file, then 'squid -k reconfigure', or restart the squid service) and retry the synchronization.
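The procedure above, scripted as an added example (not part of this article or of FortiNAC): the script adds the three synchronization entries to the SSL_ports and Safe_ports ACLs only if they are missing, inserts each one directly after the last existing line of the same ACL so it precedes the http_access rules that reference it, reports anything still absent, and then validates and reloads squid with the standard 'squid -k parse' and 'squid -k reconfigure' calls. The port numbers are taken from the article; the sample configuration in write_sample_conf is a constructed stand-in for squid's stock ACL block used only for the offline demo, and the 'FortiNAC synchronization' comment on the inserted lines is this example's own marker.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article or of FortiNAC itself:
# idempotently add the FortiNAC synchronization ports to squid's Safe_ports /
# SSL_ports ACLs, verify they are present, validate the file and reload squid.
# Port numbers come from the article; the sample configuration below is a
# constructed stand-in for squid's stock defaults, used for offline testing.

SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"

# SSL_ports governs CONNECT tunnels (HTTPS once "Use HTTP Proxy settings for
# all protocols" is on); Safe_ports governs every other request.
SSL_PORTS="8443 443"
SAFE_PORTS="1050 5555"

# has_acl CONF NAME PORT: true if "acl NAME port PORT" already exists
# (leading whitespace and a trailing comment are tolerated).
has_acl() {
    grep -Eq "^[[:space:]]*acl[[:space:]]+$2[[:space:]]+port[[:space:]]+$3([[:space:]]|#|\$)" "$1"
}

# ensure_acl CONF NAME PORT: add the line after the last existing
# "acl NAME port ..." line so it sits before the http_access rules that use
# it (appended at the end if the ACL has no line yet). Returns 0 if a line
# was added, 1 if it was already present. File mode is preserved via cp -p.
ensure_acl() {
    conf=$1; name=$2; port=$3
    has_acl "$conf" "$name" "$port" && return 1
    new="acl $name port $port # FortiNAC synchronization"
    last=$(grep -En "^[[:space:]]*acl[[:space:]]+${name}[[:space:]]+port" "$conf" | tail -n 1 | cut -d: -f1)
    if [ -n "$last" ]; then
        cp -p "$conf" "$conf.tmp" &&
        awk -v n="$last" -v new="$new" 'NR == n { print; print new; next } { print }' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "$new" >> "$conf"
    fi
}

# apply_ports CONF: add every missing entry; prints how many lines were added.
apply_ports() {
    conf=${1:-$SQUID_CONF}; added=0
    for p in $SSL_PORTS; do
        if ensure_acl "$conf" SSL_ports "$p"; then added=$((added + 1)); fi
    done
    for p in $SAFE_PORTS; do
        if ensure_acl "$conf" Safe_ports "$p"; then added=$((added + 1)); fi
    done
    echo "$added"
}

# missing_ports CONF: list required entries that are still absent.
# Returns 0 when nothing is missing, 1 otherwise (the post-edit check).
missing_ports() {
    conf=${1:-$SQUID_CONF}; rc=0
    for p in $SSL_PORTS; do has_acl "$conf" SSL_ports "$p" || { echo "SSL_ports $p"; rc=1; }; done
    for p in $SAFE_PORTS; do has_acl "$conf" Safe_ports "$p" || { echo "Safe_ports $p"; rc=1; }; done
    return $rc
}

# reload_squid: syntax-check the file, then make the running squid re-read it.
# Both are standard squid options; skipped when squid is not installed.
reload_squid() {
    command -v squid >/dev/null 2>&1 || { echo "squid not installed; skipping reload" >&2; return 0; }
    squid -k parse -f "$SQUID_CONF" && squid -k reconfigure -f "$SQUID_CONF"
}

# write_sample_conf PATH: constructed stand-in for squid's stock ACL block,
# for the offline demo only; it is not the real FortiNAC-M file.
write_sample_conf() {
    cat > "$1" <<'EOF'
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
EOF
}

# Usage: "sh fix_squid_ports.sh demo" edits a temporary copy of the sample
# config; "sh fix_squid_ports.sh apply" backs up and edits $SQUID_CONF.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); write_sample_conf "$tmp"
    echo "added $(apply_ports "$tmp") line(s)"
    missing_ports "$tmp" && echo "all synchronization ports present"
    cat "$tmp"; rm -f "$tmp"
elif [ "${1:-}" = "apply" ]; then
    cp -p "$SQUID_CONF" "$SQUID_CONF.bak.$(date +%s)"
    echo "added $(apply_ports) line(s)"
    missing_ports && reload_squid
fi
```

Running it a second time adds nothing, so it is safe to keep in a post-upgrade checklist; missing_ports doubles as the check to run before retrying synchronization.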

 

An explanation of all open ports in FortiNAC is provided in this section of the administration guide.

 

Related articles:

Troubleshooting Tip: Unable to add servers to the FortiNAC Manager.

Technical Tip: FortiNAC Control Manager function and Global objects.

FortiNAC Manager - FortiNAC documentation.