Requirements

FortiNAC

- Supported Engine Version: 8.7.2 or greater
- Recommended Engine Version: 8.8.8, 9.1.2 or greater
- FOS 7.2/7.3 support: All 7.2 Versions
- FOS 7.4 support: Version 7.2.4 or greater
- Remote device must have either the FortiNAC Dissolvable or Persistent Agent
- Supported FortiNAC Agent Version: 5.2.3 or greater
- Recommended FortiNAC Agent Version: 5.2.6
- Agent Supported Operating Systems:
  - Windows (not Windows CE)
  - macOS
  - Linux
  - Android
  Note: FortiNAC doesn't have an app or agent for iOS. Therefore, iOS mobile devices cannot connect through VPN.
- Dissolvable Agent can be downloaded as part of the VPN connection process from the Captive Portal
- Persistent Agent can also be downloaded from the Captive Portal or pre-installed
- Operating systems that cannot run a FortiNAC agent will always remain isolated when connecting to a VPN that is managed by FortiNAC
- Remote device firewall settings must allow TCP 4568 (bi-directional) for agent communication with FortiNAC (eth0 for visibility, eth0 & eth1 for control).
FortiGate

- Supported Firmware Version: 6.0.5 or greater
- Recommended Firmware Version: 6.4.9 or greater
- SNMP community or account
- Administrator account
  - Visibility only: System read access to all VDOMs
  - Control: System read/write access to all VDOMs
- Syslog must be sourced from the IP address of the FortiGate device model in FortiNAC Inventory
- IP address in the FortiGate device model must be in the root VDOM or a VDOM that has full management access
- VPN tunnel cannot be configured to use DHCP relay
- Do not block port 8000 or 8013 between the FortiNAC eth0/port1 and the FortiGate
- Build and Validate Test Configuration: Before integrating a device with FortiNAC, set the device up to ensure that it is working correctly.
  - Create a new VPN environment identical to the production environment.
  - Confirm that hosts can connect to the device and access the network.
- Includes Multiple VDOM/Split-Task VDOM support.
- Important: When SSL VPN Settings are applied via the FortiGate UI, all existing SSL VPN connections are disconnected, regardless of portal. Apply settings during a maintenance window.
- REST API users are disabled in FIPS-CC mode. They must be enabled; however, this function is not available in all FortiOS versions.
- Create a Fabric Connector for each VDOM to which FSSO should be sent.
- Automated Captive Portal Detection: Devices that detect captive networks may launch a browser during the initial connection. To avoid this, automated captive portal detection must be disabled for VPN connections in FortiNAC. Instructions are provided in the section Disable Captive Network Assistant.
- Split Tunnels: Whether split tunnel (certain traffic doesn't go over the tunnel) or full tunnel (all traffic goes over the tunnel) is configured depends on the customer requirements.
  - Full tunnel: Browser automatically redirects to the VPN portal.
  - Split tunnel:
    - Browser does not automatically redirect to the VPN portal.
    - If using the Dissolvable Agent (DA), it is recommended to disable split-tunneling. This ensures the automatic browser redirect needed to download the agent.
- FortiNAC validates the end station after the tunnel is established. To do that, initial access is restricted; once the end station is confirmed, the restriction is lifted. In full tunnel implementations, applications that were running before the connection will be interrupted.
- Windows machines: It is recommended to disable browser popups on managed machines. See Disable Windows Browser Popups in the Appendix.
- Remote clients connecting to the network through a FortiNAC-managed VPN cannot be connected to a local network that is also being managed by FortiNAC within the same management domain.
- FortiGate can only support one FSSO agent sending tags for a specific endpoint IP address. If there are multiple agents, the FortiGate entries will be overwritten when other FSSO agents send information for the same endpoint IP. Therefore, the following should be done prior to integration:
  - Identify any other FSSO agents that provide logon information for the same endpoints FortiNAC would be managing through the FortiGate. For additional information, see section Agent-based FSSO in the FortiOS 6.0.0 Handbook:
    https://docs2.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso
  - For those agents, logon events must be blocked. See related KB article Excluding IP addresses from FSSO logon events (Tip: Open in New Tab):
  - Develop a plan to make appropriate modifications to existing firewall policies to accommodate FortiNAC as the FSSO agent for the managed endpoint IP address scope.
- L3 High Availability Consideration (Primary and Secondary server's VPN interfaces reside on different subnets): As of this writing, the FortiGate Firewall only supports two entries for DNS. Consequently, VPN clients are unable to access the captive portal pages after an appliance failover.
  The workaround is to update the DNS server entry in the Firewall configuration from the Primary Server VPN interface IP address to the Secondary Server VPN interface IP address. This change must be reverted after control returns to the Primary Server.
  For information on the DNS configuration, refer to FortiGate documentation.
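The FortiNAC and FortiGate requirements above, turned into a pre-integration checklist as an added example (not Fortinet's code): the version floors, admin access level per mode, syslog source, DHCP relay, the TCP 4568 / 8000 / 8013 port rules and the agent OS list are checked against a constructed inventory dict whose field names are assumptions.

```python
# Added example, not Fortinet's code; every inventory field name is an assumption.
from typing import Dict, List, Tuple

AGENT_OS = {"windows", "macos", "linux", "android"}  # iOS has no FortiNAC agent

def parse_version(text: str) -> Tuple[int, ...]:
    """'8.7.2' -> (8, 7, 2); tuples compare field by field like versions."""
    return tuple(int(p) for p in text.strip().split("."))

def check_requirements(inv: Dict) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []
    engine = parse_version(inv["fortinac_engine"])
    fos = parse_version(inv["fortigate_firmware"])
    agent = parse_version(inv["agent_version"])
    # Engine: 8.7.2+, or a 7.2.x release (the line the page names for FOS 7.2-7.4)
    if not (engine >= (8, 7, 2) or engine[:2] == (7, 2)):
        findings.append(f"engine {inv['fortinac_engine']} below supported 8.7.2")
    if fos[:2] == (7, 4) and engine[:2] == (7, 2) and engine < (7, 2, 4):
        findings.append("FortiOS 7.4 requires FortiNAC 7.2.4 or greater")
    if fos < (6, 0, 5):
        findings.append(f"firmware {inv['fortigate_firmware']} below supported 6.0.5")
    if agent < (5, 2, 3):
        findings.append(f"agent {inv['agent_version']} below supported 5.2.3")
    # Admin rights: system read for visibility only, read/write for control
    need = "read/write" if inv["mode"] == "control" else "read"
    if inv["admin_access"] != need:
        findings.append(f"{inv['mode']} mode needs system {need} access on all VDOMs")
    # Syslog must originate from the IP stored in the FortiNAC device model
    if inv["syslog_source_ip"] != inv["device_model_ip"]:
        findings.append("syslog source IP differs from device model IP")
    if inv["vpn_dhcp_relay"]:
        findings.append("VPN tunnel must not use DHCP relay")
    # TCP 4568 client<->FortiNAC; TCP 8000/8013 FortiNAC eth0/port1<->FortiGate
    if 4568 not in inv["client_allowed_tcp"]:
        findings.append("client firewall must allow TCP 4568 bi-directionally")
    for port in (8000, 8013):
        if port in inv["blocked_ports_fnac_fgt"]:
            findings.append(f"TCP {port} blocked between FortiNAC and FortiGate")
    for os_name in inv["client_os"]:  # OSes without an agent stay isolated on the VPN
        if os_name.lower() not in AGENT_OS:
            findings.append(f"{os_name} cannot run the agent and will remain isolated")
    return findings

SAMPLE_INVENTORY = {  # constructed sample, not from a real deployment
    "fortinac_engine": "9.1.2", "fortigate_firmware": "6.4.9", "agent_version": "5.2.6",
    "mode": "control", "admin_access": "read/write", "vpn_dhcp_relay": False,
    "syslog_source_ip": "10.0.0.1", "device_model_ip": "10.0.0.1", "client_os": ["Windows", "iOS"],
    "client_allowed_tcp": {4568}, "blocked_ports_fnac_fgt": set(),
}
```

For the sample inventory, check_requirements(SAMPLE_INVENTORY) returns a single finding: the iOS endpoints will remain isolated.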