ClearPass integration for dynamic address objects
ClearPass Policy Manager (CPPM) can gather information about the status of network hosts, for example, the latest patches or virus infections. Based on this information, CPPM sends the IP addresses and their current states, such as Healthy or Infected, to the FortiGate.
On the FortiGate, the IP addresses received from CPPM are added to a dynamic firewall address with the clearpass-spt subtype. This address can be used in any policy that supports dynamic addresses, such as Firewall or SSL-VPN policies.
In this example, you create two dynamic IP addresses that are used in two firewall policies (deny and allow). One policy allows traffic (host state = Healthy), and the other denies traffic (host state = Infected). When CPPM sends the information, the IP addresses are assigned according to their host state: Healthy or Infected.
You can then verify that traffic from the Infected host is denied access by the deny policy, and traffic from the Healthy host is allowed access by the allow policy.
Create a REST API administrator
A REST API administrator is required to generate an authorization token for REST API messages, and to limit hosts that can send REST API messages to the FortiGate.
To create a REST API administrator in the GUI:
- Go to System > Administrators.
- Click Create New > REST API Admin.
- Configure the Username and other information as needed.
- Disable PKI Group.
- In the Trusted Hosts field, enter 10.1.100.0/24.
  For this example, an administrator profile called clearpass was created with full read/write access. See Administrator profiles for details.
- Click OK.
  The New API key pane opens.
  The API key is the REST API authorization token that is used in REST API messages sent by CPPM to the FortiGate.
- Copy the API key to a secure location. A new key can be generated if this one is lost or compromised.
- Click Close.
To create a REST API administrator in the CLI:
```
config system api-user
    edit "cp-api"
        set accprofile "clearpass"
        config trusthost
            edit 1
                set ipv4-trusthost 10.1.100.0 255.255.255.0
            next
        end
    next
end
```

```
execute api-user generate-key cp-api
New API key: 0f1HxGHh9r9p74k7qgfHNH40p51bjs
NOTE: The bearer of this API key will be granted all access privileges assigned to the api-user cp-api.
```
Create dynamic IP addresses with the clearpass subtype
Two dynamic IP addresses are required, one for the allow policy, and the other for the deny policy.
To create the dynamic IP addresses:
```
config firewall address
    edit "cppm"
        set type dynamic
        set sub-type clearpass-spt
        set clearpass-spt healthy
        set comment ''
        set visibility enable
        set associated-interface ''
        set color 0
    next
    edit "cppm-deny"
        set type dynamic
        set sub-type clearpass-spt
        set clearpass-spt infected
        set comment ''
        set visibility enable
        set associated-interface ''
        set color 0
    next
end
```
Create firewall policies
Two firewall policies are required, one to accept traffic (cppm-allow), and the other to deny traffic (cppm-deny).
To create the firewall policies in the GUI:
- Go to Policy & Objects > Firewall Policy.
- Configure the allow policy:
  - Click Create New.
  - Enter a name for the policy.
  - Set Source to cppm.
  - Set Action to ACCEPT.
  - Configure the remaining settings as needed.
  - Click OK.
- Configure the deny policy:
  - Click Create New.
  - Enter a name for the policy.
  - Set Source to cppm-deny.
  - Set Action to DENY.
  - Configure the remaining settings as needed.
  - Click OK.
Verification
Go to Log & Report > Forward Traffic to review traffic logs and ensure that traffic is allowed or denied as expected.
To verify that the FortiGate addresses are assigned correctly, enter the following:

```
# diagnose firewall dynamic list
List all dynamic addresses:
cppm-deny: ID(141)
        ADDR(10.1.100.188)
cppm: ID(176)
        ADDR(10.1.100.185)
        ADDR(10.1.100.186)
```
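As an added check for the verification step (example code, not part of the Fortinet documentation), the script below parses `diagnose firewall dynamic list` output, reports which dynamic address object a host currently falls into, and flags any host that CPPM has placed in both the Healthy and Infected objects. The sample output is constructed from the addresses shown above.

```python
import re
from typing import Dict, Set

# Constructed sample modelled on the page's `diagnose firewall dynamic list` output,
# one ADDR() entry per line as the CLI prints it.
SAMPLE_OUTPUT = """List all dynamic addresses:
cppm-deny: ID(141)
        ADDR(10.1.100.188)
cppm: ID(176)
        ADDR(10.1.100.185)
        ADDR(10.1.100.186)
"""

# Two token kinds: an object header "<name>: ID(<n>)" and an address entry "ADDR(<ip>)".
# Tokenising (instead of line-matching) also copes with output that got re-wrapped.
TOKEN = re.compile(r"(?P<name>[\w.-]+):\s+ID\((?P<id>\d+)\)|ADDR\((?P<ip>[^)]+)\)")


def parse_dynamic_list(text: str) -> Dict[str, Set[str]]:
    """Map each dynamic address object to the set of IPs the FortiGate currently holds for it.
    Objects that CPPM has not populated yet appear with an empty set."""
    table: Dict[str, Set[str]] = {}
    current = None
    for m in TOKEN.finditer(text):
        if m.group("name"):
            current = m.group("name")
            table.setdefault(current, set())
        elif current is not None:
            table[current].add(m.group("ip"))
    return table


def objects_for_host(table: Dict[str, Set[str]], ip: str) -> Set[str]:
    """Which dynamic address objects (and therefore which policies) currently match this host."""
    return {name for name, ips in table.items() if ip in ips}


def overlapping_hosts(table: Dict[str, Set[str]], allow_name: str = "cppm",
                      deny_name: str = "cppm-deny") -> Set[str]:
    """Hosts present in both the Healthy and the Infected object. A host should never be in both;
    if it is, the first matching policy wins, so the assignment must be investigated, not trusted."""
    return table.get(allow_name, set()) & table.get(deny_name, set())


if __name__ == "__main__":
    parsed = parse_dynamic_list(SAMPLE_OUTPUT)
    for host in sorted({ip for ips in parsed.values() for ip in ips}):
        print(host, "->", ", ".join(sorted(objects_for_host(parsed, host))))
    print("hosts in both objects:", sorted(overlapping_hosts(parsed)) or "none")
```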