Fortinet black logo

VMware Deployment Guide

Home FortiNAC-F 7.2.0 VMware Deployment Guide

Overview

7.2.0
7.4.0
7.2.0
Copy Link
Copy Doc ID 293115c2-549a-11ed-9d74-fa163e15d75b:598623
Download PDF

Overview

This document provides the steps necessary for installing FortiNAC appliance(s). It is intended to be used in conjunction with the FortiNAC Deployment Guide in the Fortinet Document Library. This installation guide is the first step in the deployment.

Virtual Appliance (VM) Part Numbers

Part Number

Description

FNC-MX-VM

Control Manager

FNC-CAX-VM

Control and Application Server (CA)

Requirements

  • VMware

    • The VM Guest is built with Virtual Hardware Version 7. This makes the guest compatible with ESXi 4.x and above.

    • Deployment of the OVA has been tested and verified with vCenter 6.5 and above.

  • ESX Server Hardware

    • The requirements for the ESX server used to host the FortiNAC Virtual Machine will vary greatly depending on many different factors. Factors include:

      • The number of other Virtual Machines that are running on the same server

      • The load those VMs place on the server

      • The number of devices, hosts and users on your network that are to be managed by FortiNAC

    • Note: vSphere Fault Tolerance is not supported as a High Availability solution. Refer to the “Performance Best Practices for VMware vSphere” document on the VMware web site for additional information.

  • Virtual appliance settings will vary depending on the underlying hardware being used for the hosting server. The ideal result is to yield a virtual environment where the average load does not exceed the Total GHz Rating of CPU Resources Allocated.

    Determine the appropriate parameters for the virtual environment. It is recommended they be comparable to those of hardware-based FortiNAC appliances. Refer to the following tables in the FortiNAC Data Sheet:

    • Hardware Server Sizing - Hardware server part number most appropriate for the target environment

    • Specifications - Details regarding the applicable part number

    • VM Server Resource Sizing - Suggested values for memory and CPU to allocate for the virtual appliance

    • The current OVA provided by Fortinet is built using VM Virtual Machine Hardware Version 7 for OVA compatibility with ESXi4.x and later. VM Virtual Machine Hardware Version 7 restricts the number of vCPU to 8.

      If host machine is running ESXi5.x or later on robust hardware, then the VM Virtual Machine Hardware Version can be upgraded. Once upgraded, the number of vCPU can be increased. Refer to the following article for more information (note that the article is not controlled by Fortinet and may have changed):

      Upgrading a virtual machine to the latest hardware version (multiple versions) (1010675)

      https://kb.vmware.com/s/article/1010675

  • Adapters

    • Version 7.2.5 and greater: The recommended adapter type is VMXNET 3 (default). Note the following:

      • Older VMs used E1000 as the pre-set adapter type. The recommended type is VMXNET 3 for better network performance. To change the adapter type on existing VM deployments, see vendor documentation.

      • All adapters on the VM should be set to the same adapter type (e.g port1 and port2 both set to VMXNET 3). Otherwise, unexpected behavior may occur.

      • Important: License key is created based upon port1 MAC address and UUID. If either component no longer matches the license key, the key will no longer be valid and management processes will not start. Therefore:

        • Ensure MAC address is set statically.

        • If deleting and re-adding or modifying Network Adapter 1 (port1), configure the same MAC address used by the adapter previously.

        • If the same MAC address cannot be configured, a new key must be installed. For instructions, see Update Keys Due to UUID/MAC Change in the License Upgrade Guide.

        • Network Adapter 2 (port2) can be deleted and re-added without affecting the license key.

Considerations

In versions 7.x and greater, FortiNAC doesn't have any ports open by default. In previous versions, this was not the case. As features are configured, ports must also be added to the allowaccess list in order for the feature to work.

Operating System and Open Ports

FortiNAC-F series appliances use the FortiNAC-OS operating system. Limited TCP/UDP ports are open by default for security purposes. This was not the case for FortiNAC appliances using the CentOS operating system.

Virtual appliances do not have any TCP/UDP ports listening by default. Opening additional ports requires the use of the "set allowaccess" command in the appliance CLI.

The configuration steps provided include opening ports for the applicable features and functions covered in this guide. As more features are configured, additional access must be enabled using the "set allowaccess" command via the appliance CLI. For details, see Open Ports in the FortiNAC Administration Guide.

The best practice is to keep the number of open ports to a minimum, and block all other ports. If there is a need to provide users access to network resources through a static port (e.g., from outside a firewall), the best option is to allow users to connect by VPN.

Previous
Next

Overview

This document provides the steps necessary for installing FortiNAC appliance(s). It is intended to be used in conjunction with the FortiNAC Deployment Guide in the Fortinet Document Library. This installation guide is the first step in the deployment.

Virtual Appliance (VM) Part Numbers

Part Number

Description

FNC-MX-VM

Control Manager

FNC-CAX-VM

Control and Application Server (CA)

Requirements

  • VMware

    • The VM Guest is built with Virtual Hardware Version 7. This makes the guest compatible with ESXi 4.x and above.

    • Deployment of the OVA has been tested and verified with vCenter 6.5 and above.

  • ESX Server Hardware

    • The requirements for the ESX server used to host the FortiNAC Virtual Machine will vary greatly depending on many different factors. Factors include:

      • The number of other Virtual Machines that are running on the same server

      • The load those VMs place on the server

      • The number of devices, hosts and users on your network that are to be managed by FortiNAC

    • Note: vSphere Fault Tolerance is not supported as a High Availability solution. Refer to the “Performance Best Practices for VMware vSphere” document on the VMware web site for additional information.

  • Virtual appliance settings will vary depending on the underlying hardware being used for the hosting server. The ideal result is to yield a virtual environment where the average load does not exceed the Total GHz Rating of CPU Resources Allocated.

    Determine the appropriate parameters for the virtual environment. It is recommended they be comparable to those of hardware-based FortiNAC appliances. Refer to the following tables in the FortiNAC Data Sheet:

    • Hardware Server Sizing - Hardware server part number most appropriate for the target environment

    • Specifications - Details regarding the applicable part number

    • VM Server Resource Sizing - Suggested values for memory and CPU to allocate for the virtual appliance

    • The current OVA provided by Fortinet is built using VM Virtual Machine Hardware Version 7 for OVA compatibility with ESXi4.x and later. VM Virtual Machine Hardware Version 7 restricts the number of vCPU to 8.

      If host machine is running ESXi5.x or later on robust hardware, then the VM Virtual Machine Hardware Version can be upgraded. Once upgraded, the number of vCPU can be increased. Refer to the following article for more information (note that the article is not controlled by Fortinet and may have changed):

      Upgrading a virtual machine to the latest hardware version (multiple versions) (1010675)

      https://kb.vmware.com/s/article/1010675

  • Adapters

    • Version 7.2.5 and greater: The recommended adapter type is VMXNET 3 (default). Note the following:

      • Older VMs used E1000 as the pre-set adapter type. The recommended type is VMXNET 3 for better network performance. To change the adapter type on existing VM deployments, see vendor documentation.

      • All adapters on the VM should be set to the same adapter type (e.g port1 and port2 both set to VMXNET 3). Otherwise, unexpected behavior may occur.

      • Important: License key is created based upon port1 MAC address and UUID. If either component no longer matches the license key, the key will no longer be valid and management processes will not start. Therefore:

        • Ensure MAC address is set statically.

        • If deleting and re-adding or modifying Network Adapter 1 (port1), configure the same MAC address used by the adapter previously.

        • If the same MAC address cannot be configured, a new key must be installed. For instructions, see Update Keys Due to UUID/MAC Change in the License Upgrade Guide.

        • Network Adapter 2 (port2) can be deleted and re-added without affecting the license key.

Considerations

In versions 7.x and greater, FortiNAC doesn't have any ports open by default. In previous versions, this was not the case. As features are configured, ports must also be added to the allowaccess list in order for the feature to work.

Operating System and Open Ports

FortiNAC-F series appliances use the FortiNAC-OS operating system. Limited TCP/UDP ports are open by default for security purposes. This was not the case for FortiNAC appliances using the CentOS operating system.

Virtual appliances do not have any TCP/UDP ports listening by default. Opening additional ports requires the use of the "set allowaccess" command in the appliance CLI.

The configuration steps provided include opening ports for the applicable features and functions covered in this guide. As more features are configured, additional access must be enabled using the "set allowaccess" command via the appliance CLI. For details, see Open Ports in the FortiNAC Administration Guide.

The best practice is to keep the number of open ports to a minimum, and block all other ports. If there is a need to provide users access to network resources through a static port (e.g., from outside a firewall), the best option is to allow users to connect by VPN.

Previous
Next