Introduction
This document is a guide to ordering and deploying FortiNAC, Fortinet's network access control solution. FortiNAC extends the Fortinet Security Fabric with visibility, control, and automated response for every device connecting to the network. The guide walks through the key stages of a FortiNAC deployment, from sizing the network environment and choosing a license to configuring remediation and enforcement policies.
FortiNAC Overview
FortiNAC is Fortinet’s network access control solution that enhances the Security Fabric with visibility, control, and automated response for all devices connecting to the network. It provides protection against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events. FortiNAC allows you to implement microsegmentation policies and change configurations on switches and wireless products from 95 vendors.
Support Services
This ordering guide is a quick reference to the most commonly selected support services for enterprise customers. Premium: dedicated 24x7x365 support for each product and service. Elite: Premium plus a higher SLA and extended end of engineering support (E-EoES); includes automated monitoring under the FortiCare Elite Monitoring Portal.
FortiNAC Deployment Stages
FortiNAC deployment can be seen as a configuration in six stages: (1) define the network environment size and choose the correct licensing; (2) define network requirements with the Configuration Wizard; (3) establish visibility; (4) define registration methods; (5) define remediation and enforcement; (6) monitoring and reporting.
Stage 1: Define Network Environment Size and License Type
License Types
FortiNAC supports two license types: PLUS and PRO. The customer should know which features are desired and which license level supports them; page 10 of the FortiNAC datasheet provides the feature-by-license breakdown.
License Verification
The license level can be checked from the CLI. In FortiNAC running CentOS: show license. In FortiNAC-F, the license level and license status are shown by: show system license. Checking this after installation confirms that the license level that was ordered is the one the appliance is actually running.
Endpoint License Consumption
Administrators must also understand how endpoint licenses are consumed: once licenses run out, new hosts (rogues) connecting to the network will not be able to register and gain access. Track license usage as part of routine monitoring so that a license shortfall is not discovered only when users lose access.
Network Environment Size
FortiNAC sizes the environment by the total port count, not by the total number of devices: ports in the network = total number of switch ports + maximum number of concurrent wireless connections. VM resources (CPU, memory, storage) must be increased according to that port count. Under-sizing shows up as performance problems: slow enforcement of control (VLAN changes), a sluggish GUI, or a GUI that cannot be reached at all.
VM Server Resource Sizing
The VM Server Resource Sizing section on page 14 of the FortiNAC datasheet provides the resource figures. In FortiNAC running CentOS, sizing information can also be collected from the CLI; the Technical Tip "Performance issue and some general recommendations" provides further details and recommendations related to performance.
Stage 2: Define Network Requirements/Configuration Wizard
Configuration Wizard
The Configuration Wizard applies the full configuration of the FortiNAC appliance, including the network type and isolation subnets, and is the primary tool for configuring FortiNAC. Any further routing or system configuration changes should also be made through the Configuration Wizard: do not change routing or interface IP addresses from the CLI or shell, because the wizard owns and regenerates that configuration each time it is reapplied. Reapply the Configuration Wizard whenever a change is required.
Isolation Network
As isolation network DHCP scopes are configured, static routes are automatically created for those networks, pointing at the gateway of the corresponding port2 interface or sub-interface. It is recommended to choose the Layer 3 network type (Routed Network) with multiple scopes for each isolation network, so that branch office networks can be added as the network expands. FortiNAC is not an inline solution; it can sit at the edge and manage all sites.
Network Configuration Example
The Layer 3 isolation network is a shared network that carries all of the separate isolation states (registration, remediation, and so on). For a simple deployment, a single isolation network with defined scopes is therefore sufficient; FortiNAC provides DHCP, DNS, and captive portal services on it according to the host's state. This is known as state-based control. See the diagram on page 73 of the deployment guide for an example of the necessary configuration.
Stage 3: Establish Visibility
In the visibility stage FortiNAC collects information about every endpoint on the network: connected switch port, SSID, AP, VLAN, and so on. To establish visibility, the customer should initially work through the following: adding network devices, endpoint learning methods, FortiGate integration, polling network devices, and directory integration.
Adding Network Devices
To add network devices, the customer needs an SNMP account with read/write privileges and CLI credentials for each device. FortiNAC uses SNMP, the CLI, and (on supported models) a REST API to model devices and read from them which endpoints are connected. Because these are read/write credentials on the network infrastructure, use SNMPv3 with authentication and privacy where the device supports it, and restrict the account to FortiNAC's address where the platform allows it. Example with the FortiGate integration: right-click the container and select Add Device.
Endpoint Learning Methods
FortiNAC can learn endpoints in the following ways: link up/link down traps sent by the switch. In FortiGate-FortiSwitch (FortiLink mode) deployments, link traps must appear to be sourced from the managing FortiGate, not from the FortiSwitch directly, because it is the FortiGate that FortiNAC has modeled. This is accomplished by enabling NAT in the applicable firewall policy on the FortiGate. See pages 25-27 of the FortiSwitch integration guide for details.
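The following is an added example, not FortiNAC's own code: a small trap checker that processes link up/down traps the way a NAC has to (tie the trap to a modeled device and port, then poll that port), and shows what goes wrong when a FortiSwitch trap arrives with the switch's own address instead of the managing FortiGate's. All addresses, device names and trap lines are constructed for the example.

```python
"""
Added example, not FortiNAC code: attribute link traps to modeled devices and
flag traps from sources the NAC does not know, which is what FortiLink traps
look like when NAT is not enabled on the FortiGate.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modeled network devices, keyed by the source address traps are expected from.
# The FortiSwitches behind FGT-CORE are not modeled individually (hypothetical IPs).
MODELED_DEVICES = {
    "10.0.0.1": "FGT-CORE (FortiLink, manages the FortiSwitches)",
    "10.0.0.20": "SW-ACCESS-01 (standalone switch)",
}

# Constructed trap records in an snmptrapd-style one-line format: source, trap type, ifIndex.
TRAP_LINES = [
    "2024-01-01T10:00:00 src=10.0.0.1 trap=linkUp ifIndex=12",
    "2024-01-01T10:00:01 src=10.0.0.20 trap=linkDown ifIndex=3",
    # A FortiSwitch's own FortiLink address: what FortiNAC sees when NAT is not enabled
    "2024-01-01T10:00:02 src=10.255.1.2 trap=linkUp ifIndex=7",
    "2024-01-01T10:00:03 src=10.0.0.1 trap=coldStart",
]

TRAP_RE = re.compile(r"src=(?P<src>\S+)\s+trap=(?P<trap>\S+)(?:\s+ifIndex=(?P<ifx>\d+))?")


@dataclass
class LinkEvent:
    source: str
    device: Optional[str]   # None when the source is not a modeled device
    link: str               # "up" or "down"
    if_index: int


def parse_trap(line: str) -> Optional[LinkEvent]:
    """Return a LinkEvent for linkUp/linkDown traps with an ifIndex, None for anything else."""
    m = TRAP_RE.search(line)
    if not m or m.group("trap") not in ("linkUp", "linkDown") or m.group("ifx") is None:
        return None
    src = m.group("src")
    link = "up" if m.group("trap") == "linkUp" else "down"
    return LinkEvent(src, MODELED_DEVICES.get(src), link, int(m.group("ifx")))


def process_traps(lines: List[str]) -> Tuple[List[LinkEvent], List[str]]:
    """Split link traps into those attributable to a modeled device (the NAC can
    then poll that device and port to learn the endpoint) and the source
    addresses it cannot attribute. An unattributable trap is what a FortiSwitch
    trap becomes when it reaches FortiNAC without the FortiGate's address."""
    attributed, unattributed = [], []
    for line in lines:
        ev = parse_trap(line)
        if ev is None:
            continue
        if ev.device is None:
            unattributed.append(ev.source)
        else:
            attributed.append(ev)
    return attributed, unattributed


if __name__ == "__main__":
    ok, bad = process_traps(TRAP_LINES)
    for ev in ok:
        print(f"{ev.device}: ifIndex {ev.if_index} link {ev.link} -> poll that port")
    for src in bad:
        print(f"trap from unmodeled source {src}: check FortiLink NAT / device model")
```

In a real deployment the unattributed list is the thing to watch: a steady stream of link traps from an address that is not in Network -> Inventory usually means the FortiLink NAT policy is missing, and endpoints on those switches will only be learned by the slower polling path.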
FortiGate Integration
FortiGate-FortiNAC integration can improve and optimize polling by using the FortiGate REST API. An API key lets FortiNAC skip interactive authentication on every connection, which improves performance. To set this up, create a REST API admin on the FortiGate and enter its API key in the corresponding device model in FortiNAC. Treat the key as a credential: give the API admin only the profile it needs and, where available, limit it to FortiNAC's address as a trusted host.
Polling Network Devices
Manual or scheduled polling can be checked for each network device under Network -> Inventory -> select the device -> Polling.
Directory Integration
Integration with a directory can be used to authenticate users against an existing identity store. See the following documents for the steps: FortiManager 6.4.4 Administrator Guide, Active Directory Integration, LDAP Integration, RADIUS Integration, TACACS Integration.
Stage 4: Define Registration Methods
Once a host is learned by FortiNAC, it is marked with the Rogue (?) host state. This means FortiNAC has not yet categorized or profiled the device as a known device type, so it keeps the host in the isolation subnet/registration VLAN; no access is granted until FortiNAC knows what kind of device it is dealing with. There are multiple methods to register devices, depending on the scenario and the customer's requirements.
Registration Methods
The most commonly used methods are described below. Registering the host directly as a device is useful in OT environments and for headless IoT devices that have no user associated with them. FortiNAC then uses the MAC address as the primary identifier for the device; during registration the administrator specifies the device type and its associated policy.
Device Registration via DHCP
DHCP option 43 can be used to register endpoints. When a device requests an IP address via DHCP, FortiNAC can use the option 43 data to trigger registration; the host is then registered and moved from the Rogue state into the defined state. This requires option 43 to be configured on the DHCP server and the target state to be defined in FortiNAC.
Device Registration via MAC Address
This method is used for devices whose MAC address is known in advance. The administrator defines the MAC address in FortiNAC together with the state it should be moved to. When a device with a matching MAC address connects, FortiNAC identifies it and moves it from the Rogue state into the defined state. Note that a MAC address is trivially spoofable, so this method identifies rather than authenticates a device; reserve it for devices that cannot do better (headless IoT/OT) and pair it with a restrictive policy.
Device Registration via Certificate
This method is used for devices that present a digital certificate. FortiNAC verifies the certificate presented by the device and moves it to the appropriate state based on the outcome. It is a stronger method than MAC-based registration because it relies on a signature chain to a trusted Certificate Authority, which a device cannot produce without the corresponding private key.
Device Registration via User Authentication
This method requires users to authenticate before gaining network access. FortiNAC checks the user's credentials against the configured directory service (see Directory Integration above); on success, the device is moved to its assigned state and network access is enabled. It is particularly useful for BYOD scenarios and in environments where strong user authentication is required.
Device Registration via FortiToken
FortiToken adds a second factor to user authentication: users enter a one-time code generated by their FortiToken (hardware token or FortiToken Mobile) along with their username and password. This ensures that a stolen or guessed password alone is not enough to register a device on the network.
Stage 5: Define Remediation and Enforcement
Remediation and Enforcement Methods
FortiNAC offers a range of remediation and enforcement methods for addressing security risks and vulnerabilities. These include policy-based actions such as VLAN changes, firewall rules, and access control lists, and quarantine zones that isolate compromised devices so a threat cannot spread across the network.
FortiNAC Remediation Policies
Remediation policies define the actions FortiNAC takes against non-compliant or risky devices. They can be configured to remediate automatically, for example by changing the VLAN, blocking access, or quarantining the device, so that a host that fails a check is contained without waiting for an administrator.
FortiNAC Enforcement Actions
Enforcement actions are the automated responses triggered by remediation policies. They range from a simple VLAN change to quarantining a device or blocking its network access entirely. Because they are applied consistently by policy rather than by hand, they shorten the window in which an unauthorized or compromised host has access to the network.
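The following is an added example, not FortiNAC's own code: a toy state-based control engine that models the Stage 4 registration flow (a learned host starts as Rogue in the isolation VLAN and is moved out by MAC-based or manual registration), the endpoint-license exhaustion warned about in Stage 1, and the Stage 5 remediation policies and enforcement actions (a failed check moves a host to an at-risk state and its port to a remediation VLAN). The state names, VLAN numbers, MAC addresses, device types and license count are all constructed; FortiNAC's real state model, policy engine and license accounting are richer than this.

```python
"""
Added example, not FortiNAC code: a minimal state-based control engine.
The VLAN a port is placed in follows the host's state, not the port itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Isolation VLANs served by the NAC's scopes (captive portal / DHCP / DNS), per host state.
ISOLATION_VLAN = {"Rogue": 100, "AtRisk": 101, "Disabled": 102}
# Production VLAN per device type, assigned once a host is Registered (hypothetical plan).
PRODUCTION_VLAN = {"Workstation": 10, "Printer": 20, "Camera": 30}
# Pre-registered MAC addresses (registration via MAC address). Hypothetical values.
KNOWN_MACS = {"00:11:22:33:44:55": "Printer", "aa:bb:cc:dd:ee:01": "Camera"}


@dataclass
class Host:
    mac: str
    port: str
    state: str = "Rogue"
    device_type: Optional[str] = None


@dataclass
class Action:
    """An enforcement action pushed to the switch: put this port in this VLAN."""
    port: str
    vlan: int
    reason: str


class NacEngine:
    def __init__(self, endpoint_licenses: int):
        self.endpoint_licenses = endpoint_licenses
        self.hosts: Dict[str, Host] = {}
        self.actions: List[Action] = []

    def registered_count(self) -> int:
        """Simplified license accounting: every non-Rogue host consumes one endpoint license."""
        return sum(1 for h in self.hosts.values() if h.state != "Rogue")

    def _enforce(self, host: Host, reason: str) -> int:
        vlan = PRODUCTION_VLAN[host.device_type] if host.state == "Registered" else ISOLATION_VLAN[host.state]
        self.actions.append(Action(host.port, vlan, reason))
        return vlan

    def connect(self, mac: str, port: str) -> int:
        """Link-up of a MAC on a port. New hosts start as Rogue in the isolation VLAN;
        a pre-registered MAC is registered immediately if a license is available."""
        mac = mac.lower()
        host = self.hosts.setdefault(mac, Host(mac, port))
        host.port = port
        if host.state == "Rogue" and mac in KNOWN_MACS:
            vlan = self.register(mac, KNOWN_MACS[mac])
            if vlan is not None:
                return vlan
        return self._enforce(host, "connect")

    def register(self, mac: str, device_type: str) -> Optional[int]:
        """Manual/portal registration. Fails (host stays Rogue and isolated) when endpoint
        licenses are exhausted, which is the symptom the License Verification section warns about."""
        host = self.hosts[mac.lower()]
        if host.state != "Rogue" or device_type not in PRODUCTION_VLAN:
            return None
        if self.registered_count() >= self.endpoint_licenses:
            return None
        host.state, host.device_type = "Registered", device_type
        return self._enforce(host, f"registered as {device_type}")

    def mark_at_risk(self, mac: str, finding: str) -> Optional[int]:
        """Remediation policy outcome: a Registered host that fails a check moves to AtRisk
        and its port to the remediation VLAN."""
        host = self.hosts[mac.lower()]
        if host.state != "Registered":
            return None
        host.state = "AtRisk"
        return self._enforce(host, f"at risk: {finding}")

    def remediated(self, mac: str) -> Optional[int]:
        """Host passed its re-check: back to Registered and its production VLAN."""
        host = self.hosts[mac.lower()]
        if host.state != "AtRisk":
            return None
        host.state = "Registered"
        return self._enforce(host, "remediated")

    def disable(self, mac: str) -> int:
        """Administrative block: the host goes to a dead-end VLAN regardless of its state."""
        host = self.hosts[mac.lower()]
        host.state = "Disabled"
        return self._enforce(host, "disabled by administrator")
```

The `actions` list is the audit trail a NAC would hand to its switch integration (and to the reporting in Stage 6): every VLAN change is tied to a port, a resulting VLAN and the reason the policy fired. Running the engine with `endpoint_licenses` set lower than the number of hosts that connect reproduces the license-exhaustion failure mode: the extra host is learned, sits in the Rogue VLAN, and every registration attempt returns nothing.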
FortiNAC Quarantine Zones
Quarantine zones are isolated network segments where compromised or suspicious devices are placed so they cannot spread malware or reach critical resources. They are configurable: administrators define the network access permitted to quarantined devices according to their risk level and security posture.
Stage 6: Monitoring and Reporting
FortiNAC's monitoring and reporting give administrators insight into the network's security posture. Real-time dashboards and customizable reports track endpoint compliance, surface potential threats, show security trends, and provide audit trails, which supports both operational decisions and compliance evidence.
FortiNAC Monitoring Features
FortiNAC provides real-time visibility into network activity, so administrators can monitor endpoint compliance, detect anomalies, and track user behaviour. Monitoring features include device health checks, security posture assessments, and detailed activity logs.
FortiNAC Reporting Capabilities
Reports cover endpoint compliance, vulnerability assessments, user activity, and security events. Administrators use them to identify trends, assess risk levels, and base decisions about network security and compliance on data.
FortiNAC Dashboards
Interactive dashboards offer real-time visibility into network security status, presenting key performance indicators (KPIs) and visualizations that let administrators quickly spot potential threats, assess endpoint compliance, and monitor network activity. The dashboards are customizable to an organization's own priorities.
FortiNAC Alerts
FortiNAC's alerting system notifies administrators of critical security events and network anomalies. Alerts are configured on specific conditions, such as endpoint non-compliance, unauthorized device access, or suspicious traffic patterns, and are delivered through channels including email, SMS, and system logs so that a condition is seen and acted on promptly.