7.2.0

Overview

The information contained in this document provides the steps necessary for deploying a new FortiNAC appliance in a network. It applies to the products listed in the chart below.

For a general overview of FortiNAC and its functionality, refer to the Concept Guide.

Product: FortiNAC-Manager-eXtended-VM (SKU: FNC-MX-VM)
Description: FortiNAC Manager next-gen Virtual Server

Product: FortiNAC-Control-and-Application-eXtended-VM (SKU: FNC-CAX-VM)
Description: FortiNAC Control and Application next-gen Virtual Server

This guide references other documents located in the Fortinet Document Library as necessary for more detailed information or instruction.

Important: Steps are cumulative and should be executed in the specified order.

Deployment Procedure Overview

  1. Appliance Installation - Build virtual appliances.

  2. SSL Certificates - Generate and install SSL certificates on all appliances.

  3. High Availability - Optional. Configure FortiNAC appliances to operate in Active/Passive mode.

  4. FortiNAC Manager - Optional. Configure FortiNAC Manager to manage multiple appliances at various sites.

  5. Software Upgrade - Upgrade appliance(s) to the latest FortiNAC software version.

  6. System Settings - Configure system level settings in the Administration UI.

  7. Network Visibility - Configure FortiNAC to communicate with the wired infrastructure devices in order to gather basic information about connecting endpoints.

  8. Endpoint Visibility - Establish trust with connecting endpoints.

  9. Endpoint Compliance - Ensure that connecting computers comply with endpoint posture assessment requirements.

  10. Control - Configure FortiNAC to automatically provision the appropriate network access to connecting endpoints.

Terminology

Term

Definition

FortiNAC Management Interface

Configured on the port1 interface of the appliance.

Functions:

  • Access to the Administration UI (interface where FortiNAC components and configurations are viewed/modified)

  • Network infrastructure communication for network visibility and control

  • SNMP trap receiver

  • DHCP traffic receiver from production network for fingerprinting

  • FortiCloud communication (software updates/License entitlements/IoT data collection)

  • Server communication (environments using High Availability and/or FortiNAC Manager)

  • Fortinet Dissolvable and Persistent Agent communication for production network

“Isolation” VLAN

Used for network segmentation of unknown and untrusted endpoints. Provides limited network access.

Available "isolation" VLANs include:

  • Isolation

  • Registration

  • Remediation

  • Dead End

  • Virtual Private Network (VPN)

  • Authentication

  • Access Point Management

FortiNAC Service Network Interface

Configured on the port2 interface of the appliance. Serves DHCP, DNS and the Captive Portal to the “isolation” VLANs.

FortiNAC Service Network VLAN

VLAN where the FortiNAC Service Network Interface resides in L3 Network Configurations. For more information, see Determine FortiNAC Service Configuration (Network Type) in the Appendix.

Requirements

The Requirements Task List in the Appendix outlines the requirements that must be in place before each deployment step can be completed. The length of time it takes to complete deployment depends on each customer, their requirements and time constraints. Customers can complete all requirements prior to deployment, or during the deployment as time permits for those requirements not needed until later steps.

Open Ports

FNC-CAX and FNC-MX products: The FortiNAC software runs on top of the FortiNAC-OS operating system. For security purposes, FortiNAC-OS does not have any open (listening) TCP/UDP ports configured by default. Access must be configured using the "set allowaccess" command via the appliance CLI. The ports that must be enabled depend upon the features required.

For a complete listing of required open ports, see Open ports in the Administration Guide.
