Unknown Location Endpoint Management
(Available in version 9.1.2)
FortiNAC now extends its Zero Trust Network Access (ZTNA) capabilities to provide need-to-know application access based on the connection from the FortiNAC Persistent Agent. With this feature the endpoint can be connected to a network that is not managed by the FortiNAC server. Access is enforced by a FortiGate placed in line to the application servers; FortiNAC sends single sign-on (SSO) tag information for the endpoint to that FortiGate.
Use Cases
The following are a few use cases that this feature can manage. In each case policy assignment is still based on Who, What, Where and When.
- Remote office: The customer has outsourced the management of its remote offices but wants ZTNA across those offices. FortiNAC does not manage the network infrastructure at the remote offices. The customer has placed a FortiGate (FGT) in line to the application servers, and FortiNAC manages access across the FGT based on communication from the Persistent Agent (PA).
- VPN connections: Employees working from home access the corporate network via a VPN. The VPN can be from any vendor. The customer has an FGT in line to the application servers, and FortiNAC manages access across the FGT based on communication from the PA.
- Virtual environments: The customer has a virtual environment, and the virtual hosts run the FortiNAC PA. The customer has an FGT in line to the application servers, and FortiNAC manages access across the FGT based on communication from the PA.
Requirements
- FortiNAC Software Engine version 9.1.2 or greater
- Persistent Agent version 5.2.6 or greater installed on the endpoint
- Persistent Agent communicates with FortiNAC over TCP only (secure communication); UDP transport is disabled
- Endpoint is in the appropriate group: a new setting lets the administrator assign a host group that is populated with the endpoints allowed to participate in this feature
- Network infrastructure is not managed by FortiNAC: the network to which the endpoint connects is not managed by FortiNAC. If the network (VPN, wired or wireless) is managed by FortiNAC, the normal ZTNA network policies are applied instead.
Considerations
- Endpoint moving from a FortiNAC managed network to a non-managed VPN connection:
  - The VPN needs to support a full tunnel
  - Traffic cannot be passed via the FortiNAC managed network infrastructure
- The endpoints have to be registered and in the group before the agent connects. If the endpoint is unregistered and goes through registration, it must be added to the group and then disconnect and reconnect to the network.
Configuration
- In the FortiNAC UI, navigate to System > Groups. Create or choose a Host Group that will contain the hosts for which FSSO messages will be sent.
- Navigate to Security Configuration > Agent Settings > Security Management. In the drop-down menu next to Connect Hosts in Group when Agent Connects, select the host group that will contain the endpoints participating in this feature.
- Navigate to Transport Configuration. Ensure UDP is disabled and TCP is enabled.
- Navigate to Policy & Objects > User/Host Profiles and click Add.
- Create a new User/Host Profile and add the new host group to the Who/What by Group setting. Add other criteria as desired. Click OK.
- Click Network Access and click Add.
- Create a Network Access Configuration and Logical Network, and select them along with the new User/Host Profile to create a Network Access Policy. Click OK.
- Navigate to Network > Inventory. Select the FortiGate device to which SSO messaging will be sent and select the Virtualized Devices tab.
- Choose the VDOM to configure and either double-click it or right-click and select Model Configuration.
- Create or choose the tags to send to the FortiGate for the Logical Network used by the Network Access Policy.
- In FortiGate, ensure a FortiNAC Fabric connector is created.
- Import the tags into FortiGate. Either create or edit the FortiNAC Tags object and click Refresh.
  Note: It may take several Refresh attempts, but the result should be that all the host group and tag information created within FortiNAC is imported. Use the View button to confirm the values.
- Enable a setting on each FortiGate model within FortiNAC to force SSO messaging to be sent to that FortiGate. Log in to the FortiNAC CLI as root and run the following command for each FortiGate that will receive SSO messaging for these endpoints:
  device -ip <FortiGate IP address in Topology> -setAttr -name ForceSSO -value true
  This sets the "ForceSSO" attribute to "true" on the FortiGate model.
Example:
> device -ip 10.12.234.101
************************* FG80EPTK19001624 *************************
Landscape = 345050232673 00:50:56:98:B7:61
Pollable = true, Poll interval = 10 Minutes
Type = 1.3.6.1.4.1.12356.101.1.841
Group = 1.3.6.1.4.1.12356
MAC = null
Protocol = SnmpV1
Description = VPN FGT
IP = 10.12.234.101
State = Active
Status = Established
DBID = 656
Attribute Count = 28
Name = SnmpVersion value = 1 length = 1
Name = FirmwareVersion value = Fortigate36000 length = 14
Name = SupportsVirtualization value = true length = 4
Name = RemoteAccessDevice value = 1 length = 1
<…>
Name = MgmtVDOM value = 673 length = 3
Name = ForceSSO value = true length = 4    << Attribute enabled
Community Strings: ********
*****************************************************************
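The attribute dump above is the only evidence that ForceSSO actually took effect, so it is worth checking it rather than assuming the -setAttr call succeeded. The following is an added example, not part of the FortiNAC documentation or product: a small POSIX shell helper for the FortiNAC CLI that parses the output of `device -ip <ip>` for the ForceSSO attribute, and an assumed wrapper (ensure_forcesso, a name chosen here) that sets the attribute only when it is missing or false and then re-reads the model to confirm. The sample output embedded in the script is constructed from the page's example so the parser can be exercised without an appliance; `device` with its `-ip`, `-setAttr`, `-name` and `-value` options is the command shown on this page.

```shell
#!/bin/sh
# Added example, not part of the FortiNAC documentation: confirm the ForceSSO
# attribute on each FortiGate model after running the `device ... -setAttr`
# command above, instead of assuming the CLI call took effect.

# forcesso_state: reads the output of `device -ip <ip>` on stdin and prints the
# value of the ForceSSO attribute ("true" / "false"), or "unset" if the model
# has no such attribute. grep -o picks out the "Name = ForceSSO value = <v>"
# fragment whether the attributes are printed one per line or run together.
forcesso_state() {
    v=$(grep -o 'Name = ForceSSO value = [A-Za-z]*' | sed 's/.*value = //' | head -n 1)
    if [ -z "$v" ]; then
        echo unset
    else
        echo "$v"
    fi
}

# ensure_forcesso <ip>: assumed wrapper for use on the FortiNAC CLI as root.
# It reads the model, sets ForceSSO only when it is not already true, and
# re-reads the model to verify. Returns 0 only if ForceSSO is confirmed true.
ensure_forcesso() {
    ip=$1
    state=$(device -ip "$ip" | forcesso_state)
    if [ "$state" != "true" ]; then
        device -ip "$ip" -setAttr -name ForceSSO -value true
        state=$(device -ip "$ip" | forcesso_state)
    fi
    [ "$state" = "true" ]
}

# Constructed samples (abridged from the page's example output) so the parser
# can be exercised offline, without a FortiNAC appliance.
SAMPLE_ENABLED='Name = MgmtVDOM value = 673 length = 3
Name = ForceSSO value = true length = 4 << Attribute enabled
Community Strings: ********'
SAMPLE_UNSET='Name = MgmtVDOM value = 673 length = 3
Community Strings: ********'

printf '%s\n' "$SAMPLE_ENABLED" | forcesso_state   # prints: true
printf '%s\n' "$SAMPLE_UNSET" | forcesso_state     # prints: unset
```

On a FortiNAC appliance, `for ip in 10.12.234.101 10.12.234.102; do ensure_forcesso "$ip" || echo "ForceSSO not confirmed on $ip"; done` applies the setting to each FortiGate in Topology and reports any model where the attribute did not read back as true.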