Considerations
- As of versions 8.7.6 and 8.8.2, the use of Syslog is no longer recommended due to performance and scalability issues. Configure Device Detection traps instead. Syslog configuration information has been moved to the Appendix for reference.
- FortiGate versions 6.2.1 and below: FortiGate does not respond to RADIUS CoA unless the root VDOM is used (Bug ID 562861).
- FortiGate can only support one FSSO agent sending tags for a specific endpoint IP address. If there are multiple agents, the FortiGate entries will be overwritten when other FSSO agents send information for the same endpoint IP. Therefore, the following should be done prior to integration:
  - Identify any other FSSO agents that provide logon information for the same endpoints FortiNAC would be managing through the FortiGate. For additional information, see the section Agent-based FSSO in the FortiOS 6.0.0 Handbook:
    https://docs2.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso
  - For those agents, logon events must be blocked. See the related KB article "Excluding IP addresses from FSSO logon events":
    https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD45566
  - Develop a plan to make the appropriate modifications to existing firewall policies to accommodate FortiNAC as the FSSO agent for the managed endpoint IP address scope.
- FortiGate High Availability (HA): A number of deployment scenarios exist for FortiGate HA.
  - FortiNAC supports FortiGate HA configurations using a Virtual/Shared IP (VIP). The VIP is used to model the FortiGate in FortiNAC's Inventory.
  - FortiNAC currently does not support FortiGate HA configurations using a standalone IP (where FortiGate-A and FortiGate-B are modeled separately).
    For details on FortiGate HA, see
    https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/666376/high-availability
- FortiNAC versions F7.2.5 and lower: When a FortiGate High Availability (HA) failover occurs, FortiNAC can no longer connect via SSH and credential validation fails. This is because the SSH fingerprint has changed for the modeled device.
  Workaround:
  - Navigate to Network > Inventory and select the FortiGate's Device Model.
  - Click the Clear Known Hosts button under the Credentials tab.
  - Click Validate Credentials to confirm FortiNAC can SSH to the FortiGate.
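To make the failover failure mode concrete, the following is an added example (not FortiNAC or FortiOS code) that models what the SSH client side sees: a known_hosts entry pinned to the VIP, a different host key presented after failover, and the effect of clearing the stale entry so the next validation learns the new key. The VIP 192.0.2.10, the key bytes and the known_hosts content are all constructed for the example; the blob and fingerprint encoding follow the OpenSSH public-key format.

```python
"""Host-key mismatch after an HA failover, modelled on the SSH client side.

Added example, not FortiNAC or FortiOS code. The VIP, key bytes and
known_hosts content below are constructed; no real device keys are used.
"""
import base64
import hashlib


def make_blob(key_type: str, raw_key: bytes) -> str:
    """Build a base64 OpenSSH public-key blob: length-prefixed type, then key bytes."""
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(field(key_type.encode()) + field(raw_key)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each host (or comma-separated alias) to its (key_type, blob) entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than trust it
        hosts, key_type, blob = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            entries[host] = (key_type, blob)
    return entries


def check_host_key(known_hosts_text: str, host: str, key_type: str, blob: str) -> str:
    """Return 'match', 'mismatch' or 'unknown' for the key a host presents.

    'mismatch' is the state that makes strict host-key checking refuse the
    connection, which is what FortiNAC's credential validation runs into.
    """
    entries = parse_known_hosts(known_hosts_text)
    if host not in entries:
        return "unknown"
    stored_type, stored_blob = entries[host]
    if stored_type == key_type and stored_blob == blob:
        return "match"
    return "mismatch"


def clear_known_host(known_hosts_text: str, host: str) -> str:
    """Drop every entry for `host`, the equivalent of the Clear Known Hosts button."""
    kept = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and host in parts[0].split(","):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if known_hosts_text.endswith("\n") else "")


# Constructed data: one VIP modelled in Inventory, and one host key per HA unit.
VIP = "192.0.2.10"
KEY_A = make_blob("ssh-ed25519", b"\x01" * 32)  # stands in for unit A's host key
KEY_B = make_blob("ssh-ed25519", b"\x02" * 32)  # stands in for unit B's host key
KNOWN_HOSTS = f"{VIP} ssh-ed25519 {KEY_A}\n"


def failover_scenario() -> tuple:
    """Walk through: pinned key matches, failover key mismatches, cleared entry is unknown."""
    before = check_host_key(KNOWN_HOSTS, VIP, "ssh-ed25519", KEY_A)
    after = check_host_key(KNOWN_HOSTS, VIP, "ssh-ed25519", KEY_B)
    cleared = clear_known_host(KNOWN_HOSTS, VIP)
    after_clear = check_host_key(cleared, VIP, "ssh-ed25519", KEY_B)
    return before, after, after_clear


if __name__ == "__main__":
    print("unit A fingerprint:", fingerprint(KEY_A))
    print("unit B fingerprint:", fingerprint(KEY_B))
    print("before / after failover / after clearing:", failover_scenario())
```

The "unknown" state after clearing is what lets the next Validate Credentials run accept and pin the currently active unit's key. Because a mismatch is also exactly the signal that protects against a man-in-the-middle on the management path, an operator should confirm that the fingerprint change lines up with an actual HA failover event before clearing the entry.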