Fortinet Document Library

Version:


Table of Contents

Cookbook

6.2.0
Download PDF
Copy Link

Endpoint connector - FortiNAC

Dynamic address definitions originating from FortiNAC can be imported to FortiGate as FSSO objects and used in firewall policies. Changes on the FortiNAC are dynamically reflected on the FortiGate.

This example assumes that the FortiGate and FortiNAC are in the same network segment. If layer 3 routers or firewalls are in between them, ensure that traffic on port 8000 is not blocked.

Configuring the FortiNAC

On FortiNAC, local groups and users can be created, and they can be imported from remote servers, such as AD LDAP and RADIUS servers. Local firewall tags, used in FortiNAC policies, are also supported.

Before creating the FortiNAC connector on the FortiGate, FSSO must be enabled:

Groups and firewall tags that will be monitored and accessed by the FortiGate must be added to a network access policy on the FortiNAC:

Configuring the FortiGate

To configure the FortiNAC connector in the GUI:
  1. Go to Security Fabric > Fabric Connectors and click Create New.
  2. In the SSO/Identity section, click FortiNAC.

  3. Enter a name for the connector in the Name field, such as Fortinac-connector-1.
  4. Enter the FortiNAC device's IP address and password in the Primary Server IP fields.
  5. Click Apply & Refresh.

    All host groups, firewall tags, and some default system groups will be pushed to the FortiGate from the FortiNAC.

  6. Click View.

    The Collector Agent Group Filters pane opens, showing the information pushed from FortiNAC. These objects can be used to create FSSO user groups.

  7. Click OK.
To configure the FortiNAC connector in the CLI:
config user fsso
    edit "Fortinac-connector-1"
        set server "172.18.60.204"
        set password XXXXXXXXXXXXXXXX
        set type fortinac
    next
end
To create an FSSO user group using imported FortiNAC groups and tags as members in the GUI:
  1. Go to User & Device > User Groups.
  2. Click Create New.
  3. In the Name field, enter a name for the group, such as Fortinac-fsso-group.
  4. For Type, select Fortinet Single Sign-On (FSSO).
  5. In the Members field, click +. The Select Entries pane appears. The groups and tags pulled from the FortiNAC are shown.
  6. Select the desired groups.

  7. Click OK.

    The group can now be used in identity based firewall policies.

To create an FSSO user group using imported FortiNAC groups and tags as members in the CLI:
config user group
    edit "Fortinac-fsso-group"
        set group-type fsso-service
        set authtimeout 0
        set http-digest-realm ''
        set member "GROUP1" "GROUP2" "TEST-TAG1"
    next
end​​​​​​​​​​​​​​
To use the user/group creation wizard to create a new SSO group with the FortiNAC groups and firewall tags:
  1. Go to User & Device > User Definition and click Create New.

  2. For the User Type, select FortiNAC User, then click Next.
  3. For the Fabric Device, select the FortiNAC connector , then select the Tags.

  4. Click Next.
  5. Either add the selected groups/tags to an existing SSO group, or create a new group:
    • To add to an existing SSO group, click Choose Existing, and then select a group.

    • To create a new group, click Create New, and then enter a name for the group.

  6. Click Next.
  7. Go to User & Device > User Groups and verify that the created groups are listed with the correct members.

Endpoint connector - FortiNAC

Dynamic address definitions originating from FortiNAC can be imported to FortiGate as FSSO objects and used in firewall policies. Changes on the FortiNAC are dynamically reflected on the FortiGate.

This example assumes that the FortiGate and FortiNAC are in the same network segment. If layer 3 routers or firewalls are in between them, ensure that traffic on port 8000 is not blocked.

Configuring the FortiNAC

On FortiNAC, local groups and users can be created, and they can be imported from remote servers, such as AD LDAP and RADIUS servers. Local firewall tags, used in FortiNAC policies, are also supported.

Before creating the FortiNAC connector on the FortiGate, FSSO must be enabled:

Groups and firewall tags that will be monitored and accessed by the FortiGate must be added to a network access policy on the FortiNAC:

Configuring the FortiGate

To configure the FortiNAC connector in the GUI:
  1. Go to Security Fabric > Fabric Connectors and click Create New.
  2. In the SSO/Identity section, click FortiNAC.

  3. Enter a name for the connector in the Name field, such as Fortinac-connector-1.
  4. Enter the FortiNAC device's IP address and password in the Primary Server IP fields.
  5. Click Apply & Refresh.

    All host groups, firewall tags, and some default system groups will be pushed to the FortiGate from the FortiNAC.

  6. Click View.

    The Collector Agent Group Filters pane opens, showing the information pushed from FortiNAC. These objects can be used to create FSSO user groups.

  7. Click OK.
To configure the FortiNAC connector in the CLI:
config user fsso
    edit "Fortinac-connector-1"
        set server "172.18.60.204"
        set password XXXXXXXXXXXXXXXX
        set type fortinac
    next
end
To create an FSSO user group using imported FortiNAC groups and tags as members in the GUI:
  1. Go to User & Device > User Groups.
  2. Click Create New.
  3. In the Name field, enter a name for the group, such as Fortinac-fsso-group.
  4. For Type, select Fortinet Single Sign-On (FSSO).
  5. In the Members field, click +. The Select Entries pane appears. The groups and tags pulled from the FortiNAC are shown.
  6. Select the desired groups.

  7. Click OK.

    The group can now be used in identity based firewall policies.

To create an FSSO user group using imported FortiNAC groups and tags as members in the CLI:
config user group
    edit "Fortinac-fsso-group"
        set group-type fsso-service
        set authtimeout 0
        set http-digest-realm ''
        set member "GROUP1" "GROUP2" "TEST-TAG1"
    next
end​​​​​​​​​​​​​​
To use the user/group creation wizard to create a new SSO group with the FortiNAC groups and firewall tags:
  1. Go to User & Device > User Definition and click Create New.

  2. For the User Type, select FortiNAC User, then click Next.
  3. For the Fabric Device, select the FortiNAC connector , then select the Tags.

  4. Click Next.
  5. Either add the selected groups/tags to an existing SSO group, or create a new group:
    • To add to an existing SSO group, click Choose Existing, and then select a group.

    • To create a new group, click Create New, and then enter a name for the group.

  6. Click Next.
  7. Go to User & Device > User Groups and verify that the created groups are listed with the correct members.