A new REST API in both FortiNAC and FortiOS is used by FortiNAC to send user logon and logoff information to the FortiGate. The new FortiNAC tag dynamic firewall address type is used to store the device IP, FortiNAC firewall tags, and FortiNAC group information sent from FortiNAC by the REST API when user logon and logoff events are registered.
The FortiNAC tags connector under Security Fabric > Fabric Connectors is deprecated. For upgrade support, the FSSO FortiNAC user type can still be configured in the CLI.
In the following example, the user connecting to the network will be required to first log on to the FortiNAC. When the login succeeds, the logon information is synchronized to the FortiGate using the REST API. The FortiGate updates the dynamic firewall address object with the user and IP information of the user device. This firewall address is used in firewall policies to dynamically allow network access for authenticated users, thereby allowing SSO for the end user.
This example assumes the following:
- The FortiGate is the Security Fabric root device (refer to Configuring the root FortiGate and downstream FortiGates for more information).
- The FortiNAC is running version 9.2.2 (or later), and it is connected to the Security Fabric (refer to FortiNAC for more information).
- Firewall tags and groups have been assigned in FortiNAC to the registered FortiGate (refer to Virtualized Devices for more information). Unlike firewall tags, which are simple labels that can be configured on FortiNAC, firewall groups can be local, built-in, user-defined, or remote user groups imported from a remote server used for user authentication. Only groups that the user of the current logon event belongs to are sent to the FortiGate. Firewall tags are sent for all user authentication.
1. Trigger two user logon events on the FortiNAC.
2. In FortiOS, go to Policy & Objects > Addresses, and expand the FortiNAC Tag (IP Address) section to view the newly created dynamic firewall address objects. The dynamic firewall addresses matching the current user logon status on FortiNAC have the current IP address of the user devices. The addresses without matching user logons are marked with a red exclamation mark (!).
3. Go to Policy & Objects > Firewall Policy and click Create New or edit an existing policy. FortiNAC tag dynamic firewall addresses can be used as source or destination addresses.
4. Configure the settings as needed, then click OK. In this policy, traffic can only pass if it originates from one of the mapped IP addresses (10.1.100.184 and 10.1.100.185); all other traffic is blocked.
5. Hover over the address in the policy, then in the tooltip, click View Matched Addresses.
6. Have one of the users log off from the FortiNAC.
7. In FortiOS, go to Policy & Objects > Addresses and verify the FortiNAC Tag addresses. A user logged off from 10.1.100.184, so now only 10.1.100.185 is mapped to the dynamic firewall objects. All firewall policies using those objects are automatically updated.
8. Go to Policy & Objects > Firewall Policy. Hover over the address in the policy, then in the tooltip, click View Matched Addresses. The firewall policy was automatically updated so that traffic from 10.1.100.184 can no longer pass, and only traffic from 10.1.100.185 can pass.
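The following Python model, added here as an illustration and not code from FortiOS or FortiNAC, replays the behaviour described above: every logon carries the device IP and all firewall tags but only the groups that user belongs to, a logoff drops the user's mapping, and a policy referencing the dynamic address passes traffic only from IPs that currently resolve. The tag names, user names, group names, and the event dictionary shape are constructed stand-ins, not the real REST API schema.

```python
from dataclasses import dataclass

# Firewall tags assigned to this FortiGate in FortiNAC (constructed sample values).
FIREWALL_TAGS = {"NAC-Registered", "NAC-Compliant"}


@dataclass
class Session:
    user: str
    ip: str
    groups: frozenset  # only the groups this user belongs to are sent


class DynamicAddressTable:
    """Models how the FortiGate resolves FortiNAC tag addresses from logon and
    logoff events: each logon matches all firewall tags, carries only the
    user's own groups, and a logoff removes that user's mapping."""

    def __init__(self):
        self.sessions = {}  # user -> Session; a newer logon replaces an older one

    def handle(self, event):
        """`event` is a constructed dict standing in for one REST API call."""
        if event["action"] == "logon":
            self.sessions[event["user"]] = Session(
                event["user"], event["ip"], frozenset(event.get("groups", ())))
        elif event["action"] == "logoff":
            self.sessions.pop(event["user"], None)  # unknown user: nothing to remove
        else:
            raise ValueError(f"unexpected action {event['action']!r}")

    def members(self, name):
        """IPs currently mapped to the dynamic address object `name`."""
        return {s.ip for s in self.sessions.values()
                if name in FIREWALL_TAGS or name in s.groups}

    def unmapped(self, names):
        """Objects with no matching logon (shown with the red '!' in the GUI)."""
        return {n for n in names if not self.members(n)}

    def policy_allows(self, src_ip, src_addresses):
        """A policy using these objects as source passes src_ip only if some
        referenced object currently resolves to it."""
        return any(src_ip in self.members(a) for a in src_addresses)


def run_page_scenario():
    """Replays the two logons and one logoff from the example above."""
    t = DynamicAddressTable()
    t.handle({"action": "logon", "user": "alice", "ip": "10.1.100.184", "groups": ["Staff"]})
    t.handle({"action": "logon", "user": "bob", "ip": "10.1.100.185", "groups": ["Contractors"]})
    before = t.policy_allows("10.1.100.184", ["NAC-Registered"])
    t.handle({"action": "logoff", "user": "alice", "ip": "10.1.100.184"})
    after = t.policy_allows("10.1.100.184", ["NAC-Registered"])
    return before, after, t.members("NAC-Registered")
```

The model also shows that a second logon from a different IP replaces the user's earlier mapping, so the address object never keeps a stale IP for a user who has moved.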