7.2.0

Appendix

VPN Integration - How it Works

FortiNAC controls network access by leveraging Dynamic Address Groups on the Palo Alto. Network access is restricted for VPN users by default when users connect. Access is only modified if the user successfully authenticates, runs an appropriate FortiNAC agent and passes any required compliance checks. Once the user and host are identified and verified to be in compliance with the organization's prescribed policies, network access restrictions can be lifted. FortiNAC sends group and/or tag information to the Palo Alto to adjust the user's network access according to the rules established in both FortiNAC and the Palo Alto by the administrator.

Session Data Components

  • User ID (collected via syslog and API from the Palo Alto)

  • Remote IP address for the remote user connection (collected via syslog and API from the Palo Alto and from the FortiNAC agent)

  • Device IP and MAC address (collected via FortiNAC agent)

FortiNAC Modeling of the Palo Alto

In order for the Palo Alto VPN sessions to be managed by FortiNAC, the Palo Alto must be modeled in Inventory. This enables the following to operate properly:

  • Syslog

  • Agent communication

  • XML API communication

  • Identification of the VPN tunnels to be managed by FortiNAC

The following occurs when a device connects to a Palo Alto VPN managed by FortiNAC:

  1. The remote user authenticates using the Palo Alto Global Protect client.

  2. If authentication is successful, Palo Alto establishes a session and sends a syslog message to FortiNAC containing user, IP, and other session information.

  3. Palo Alto firewall rules exist to restrict all network access from the VPN interface and the remote IP address range configured for VPN connections. The rules only allow access to the FortiNAC isolation interface. DNS rules exist on the FortiNAC to resolve all queries to its isolation interface.

  4. Devices without a FortiNAC agent: while restricted, all user HTTP requests are redirected to a VPN captive portal on FortiNAC. The portal page indicates that the user is currently restricted and, based upon administrator policy, can allow users to download and run a FortiNAC agent.

    Note: Until a FortiNAC agent executes, all VPN sessions that satisfy the Palo Alto firewall rules created for containment remain isolated. Devices that sense captive networks may trigger browsers while restricted.

  5. Once a FortiNAC agent executes and successfully communicates with the Palo Alto, FortiNAC correlates information from the agent with data from the Palo Alto to determine the host and adapter being used for the connection. It then updates the connection status of the host/adapter and triggers a policy lookup, and firewall tags are applied.

  6. If the host/adapter is compliant with all necessary policies, FortiNAC tag information is sent to the Palo Alto, which determines which Palo Alto firewall rules control the session.

  7. On disconnect, the Palo Alto sends syslog to notify FortiNAC of session termination.

  8. The host connection is terminated in FortiNAC, which triggers firewall tag updates to the Palo Alto to remove any tag/group information.

  9. Default VPN firewall rules once again become effective.
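As an added illustration (not FortiNAC or Palo Alto code), the following Python models the fail-closed lifecycle in steps 2 through 9: a session stays restricted until a syslog connect event, an agent report on the same remote IP and a compliance pass all agree, and the tag is withdrawn again on disconnect. The syslog line format, the agent report shape and the tag name are assumptions; the VPN address pool is the one listed on this page.

```python
# Added toy model (not FortiNAC or Palo Alto code) of the fail-closed VPN session
# lifecycle: restricted by default, tagged only after syslog + agent + compliance
# agree on the same remote IP, tag withdrawn on disconnect.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Callable, Optional
# VPN address pool from this page; the tag name is an assumption.
POOL_START, POOL_END = IPv4Address("10.200.80.100"), IPv4Address("10.200.80.200")
COMPLIANT_TAG = "fortinac-compliant"

@dataclass
class Session:
    user: str
    remote_ip: str
    mac: Optional[str] = None  # learned from the agent report (step 5)
    tagged: bool = False       # True only after a compliance pass (step 6)

@dataclass
class Tracker:
    is_compliant: Callable[[str], bool]          # compliance check keyed on MAC
    sessions: dict = field(default_factory=dict)  # remote_ip -> Session
    actions: list = field(default_factory=list)   # ("register"|"unregister", ip, tag)

    def on_syslog(self, line: str) -> None:
        """Consume a constructed 'key=value' syslog line (not the real PAN-OS format)."""
        f = dict(kv.split("=", 1) for kv in line.split())
        ip = f["ip"]
        if not POOL_START <= IPv4Address(ip) <= POOL_END:
            return  # outside the managed VPN pool: not ours to tag
        if f["event"] == "connect":
            self.sessions[ip] = Session(f["user"], ip)  # step 2: restricted by default
        elif f["event"] == "disconnect" and ip in self.sessions:
            if self.sessions.pop(ip).tagged:
                self.actions.append(("unregister", ip, COMPLIANT_TAG))  # step 8

    def on_agent_report(self, remote_ip: str, mac: str) -> bool:
        """Correlate an agent report with the firewall session on the same remote IP."""
        s = self.sessions.get(remote_ip)
        if s is None:
            return False  # no session from the firewall yet: stay restricted
        s.mac = mac
        if not s.tagged and self.is_compliant(mac):
            s.tagged = True
            self.actions.append(("register", remote_ip, COMPLIANT_TAG))  # step 6
        return s.tagged

    def access_granted(self, remote_ip: str) -> bool:
        s = self.sessions.get(remote_ip)
        return s is not None and s.tagged
```

An agent report that arrives before the firewall's syslog event, or for an address outside the pool, never produces a tag, which is the property the default-deny rules in step 3 rely on.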

  • IP Address Range = 10.200.80.100-10.200.80.200

  • DNS Servers:

    • Primary = Production DNS IP

    • Secondary = FortiNAC eth1 VPN IP
