Cookbook

ClearPass integration for dynamic address objects

ClearPass Policy Manager (CPPM) can gather information about the status of network hosts, for example, whether the latest patches are installed or a virus infection has been detected. Based on this information, CPPM sends the IP addresses and their current states, such as Healthy or Infected, to the FortiGate.

On the FortiGate, the IP addresses received from CPPM are added to a dynamic firewall address with the clearpass-spt subtype. This address can be used in any policy that supports dynamic addresses, such as Firewall or SSL-VPN policies.

In this example, you create two dynamic IP addresses that are used in two firewall policies (deny and allow). One policy allows traffic (host state = Healthy), and the other denies traffic (host state = Infected). When CPPM sends the information, the IP addresses are assigned according to their host state: Healthy or Infected.

You can then verify that traffic from the Infected host is denied access by the deny policy, and traffic from the Healthy host is allowed access by the allow policy.

Create a REST API administrator

A REST API administrator is required to generate an authorization token for REST API messages, and to limit the hosts that can send REST API messages to the FortiGate.

To create a REST API administrator in the GUI:
  1. Go to System > Administrators.
  2. Click Create New > REST API Admin.
  3. Configure the Username and other information as needed.
  4. Disable PKI Group.
  5. In the Trusted Hosts field, enter 10.1.100.0/24.

    For this example, an administrator profile called clearpass was created with full read/write access. See Administrator profiles for details.

  6. Click OK.

    The New API key pane opens.

    The API key is the REST API authorization token that is used in REST API messages sent by CPPM to the FortiGate.

  7. Copy the API key to a secure location. A new key can be generated if this one is lost or compromised.
  8. Click Close.

To create a REST API administrator in the CLI:
config system api-user
    edit "cp-api"
        set accprofile "clearpass"
        config trusthost
            edit 1
                set ipv4-trusthost 10.1.100.0 255.255.255.0
            next
        end
    next
end
execute api-user generate-key cp-api
    New API key: 0f1HxGHh9r9p74k7qgfHNH40p51bjs
    NOTE: The bearer of this API key will be granted all access privileges assigned to the api-user cp-api.

Create dynamic IP addresses with the clearpass subtype

Two dynamic IP addresses are required, one for the allow policy, and the other for the deny policy.

To create the dynamic IP addresses:
config firewall address
    edit "cppm"
        set uuid 62a180c0-cb36-51e9-6e70-4a2034d82179
        set type dynamic
        set sub-type clearpass-spt
        set clearpass-spt healthy
        set comment ''
        set visibility enable
        set associated-interface ''
        set color 0
    next
    edit "cppm-deny"
        set uuid b318e962-cb36-51e9-7a34-74a34cf3bf0b
        set type dynamic
        set sub-type clearpass-spt
        set clearpass-spt infected
        set comment ''
        set visibility enable
        set associated-interface ''
        set color 0
    next
end

Create firewall policies

Two firewall policies are required, one to accept traffic (cppm-allow), and the other to deny traffic (cppm-deny).

To create the firewall policies in the GUI:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Configure the allow policy:
    1. Click Create New.
    2. Enter a name for the policy.
    3. Set Source to cppm.
    4. Set Action to ACCEPT.
    5. Configure the remaining settings as needed.
    6. Click OK.
  3. Configure the deny policy:
    1. Click Create New.
    2. Enter a name for the policy.
    3. Set Source to cppm-deny.
    4. Set Action to DENY.
    5. Configure the remaining settings as needed.
    6. Click OK.
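Equivalent CLI for the two policies, added here as an example rather than taken from the page; the interface names port1 and port2, the policy IDs, and the deny-first ordering are assumptions:

```text
config firewall policy
    edit 1
        set name "cppm-deny"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "cppm-deny"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "cppm-allow"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "cppm"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Policies are matched top down, so placing the deny policy above the allow policy means a host that is still listed in both dynamic addresses (for example, a stale entry) is denied rather than allowed.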

Verification

Go to Log & Report > Forward Traffic to review traffic logs and ensure that traffic is allowed or denied as expected.

To verify that FortiGate addresses are assigned correctly, enter the following CLI command:

# diagnose firewall dynamic list
List all dynamic addresses:
cppm-deny: ID(141)
        ADDR(10.1.100.188)

cppm: ID(176)
        ADDR(10.1.100.185)
        ADDR(10.1.100.186)
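To check the assignment without reading the output by eye, here is an added Python example (not part of the page or of FortiOS) that parses the diagnose output above, compares it to the expected membership, and flags any IP listed in more than one dynamic address; the sample output is constructed from the page's format.

```python
"""Parse `diagnose firewall dynamic list` output and check ClearPass address membership."""
import re
from collections import defaultdict

# Constructed sample of the command output, modelled on the page's format.
SAMPLE_OUTPUT = """\
List all dynamic addresses:
cppm-deny: ID(141)
        ADDR(10.1.100.188)

cppm: ID(176)
        ADDR(10.1.100.185)
        ADDR(10.1.100.186)
"""

NAME_RE = re.compile(r"^(?P<name>\S+): ID\((?P<id>\d+)\)\s*$")
ADDR_RE = re.compile(r"^\s+ADDR\((?P<ip>[0-9.]+)\)\s*$")


def parse_dynamic_list(text):
    """Return {dynamic_address_name: set_of_ips} from the command output."""
    members = {}
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:  # "name: ID(n)" starts a new dynamic address
            current = m.group("name")
            members.setdefault(current, set())
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:  # indented ADDR(ip) belongs to current
            members[current].add(m.group("ip"))
    return members


def check_assignment(members, expected):
    """Compare parsed membership with expected {name: set_of_ips}.

    Returns (missing, unexpected, overlapping): IPs expected but absent,
    IPs present but not expected, and IPs that appear in more than one
    dynamic address (which makes the allow/deny result depend on policy order).
    """
    missing = {n: expected[n] - members.get(n, set()) for n in expected}
    unexpected = {n: members.get(n, set()) - expected[n] for n in expected}
    seen = defaultdict(set)
    for name, ips in members.items():
        for ip in ips:
            seen[ip].add(name)
    overlapping = {ip: names for ip, names in seen.items() if len(names) > 1}
    return missing, unexpected, overlapping
```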