Administration Guide

Settings

The Settings View provides access to global system configuration options, such as Aging properties to remove hosts and users from the database or email settings for emailing users and administrators.

The Settings View is navigated using the tree control on the left side. The top level of the hierarchy represents a general configuration area, such as Authentication or System Communication, which groups related functions. When a top level area such as Authentication is selected, the panel on the right lists links to the options that can be configured in that area. For example, if Authentication is selected, the links provided are Google, LDAP, RADIUS, and Roaming Guests. The same options are also displayed below Authentication in the tree.

Use the Flat View button above the tree to list all of the options in alphabetical order instead of grouped in folders. Use the + Expand All and - Collapse All buttons at the top of the tree to open and close all of the folders. Click on the + symbol next to a folder to open it. Click on the - symbol to close the folder. Click on an option to display the corresponding configuration panel on the right.

Options

Option

Description

Authentication

Google

Use Google to configure the connection to authenticate using a Google account.

See Google authentication.

LDAP

Configure the connection with one or more LDAP directories for user authentication.

See Directories and Configuration.

RADIUS

Set up RADIUS servers for authentication.

See RADIUS.

Roaming Guests

Set up a list of local domains. Users with login credentials that contain domains outside the list are treated as Roaming Guests.

See Roaming guests.

Control

Access Point Management

Manage hosts connected to hubs, using DHCP as the means to control or restrict host access.

See Access point management.

Allowed Domains

Specify the domains and Production DNS Server that isolated hosts use to gain access to network locations.

See Allowed domains.

Quarantine

When Quarantine VLAN Switching is set to Enable and the ports are in the Forced Remediation Group, FortiNAC switches unregistered hosts that are being scanned to the Quarantine VLAN until the scan process is completed.

See Quarantine.

Identification

NAT Detection

Enter the IP ranges in which FortiNAC permits NAT'd hosts. A host whose IP address falls outside these ranges may be NAT'd; FortiNAC can generate an event and an alarm for it to notify the network administrator.

See NAT detection.

Rogue DHCP Server Detection

Monitors the operation of approved DHCP servers and detects rogue DHCP servers on the network using a dedicated interface on the FortiNAC appliance. A scheduled task searches specific VLANs and discovers all active entities serving IP addresses, compares the discovered DHCP servers against the list of authorized DHCP servers, and triggers the corresponding events when there is no match.

See Rogue DHCP server detection.
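The comparison step described above, as an added example that is not FortiNAC's own code: one scan result (every entity that answered on the scanned VLANs) is checked against an authorized list, and an event is produced both for a server that is not on the list and for an approved server that did not answer. The event names, the server addresses and the VLAN numbers are all constructed for the example.

```python
# Added example, not FortiNAC code: evaluate one rogue DHCP scan against an
# authorized-server list. Event names and the sample data are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpServer:
    """A DHCP server observed (or authorized) on a given VLAN."""
    vlan: int
    ip: str
    mac: str  # lowercase, colon-separated, so set membership is exact


# Authorized DHCP servers maintained by the administrator (constructed).
AUTHORIZED = frozenset({
    DhcpServer(vlan=10, ip="10.10.0.5", mac="00:50:56:aa:bb:01"),
    DhcpServer(vlan=20, ip="10.20.0.5", mac="00:50:56:aa:bb:02"),
})

# Result of one scheduled scan: every entity that answered a DHCP DISCOVER
# with an OFFER on the scanned VLANs (constructed sample data). VLAN 20
# produced no answer at all in this run.
DISCOVERED = [
    DhcpServer(vlan=10, ip="10.10.0.5", mac="00:50:56:aa:bb:01"),
    DhcpServer(vlan=10, ip="10.10.0.99", mac="3c:97:0e:12:34:56"),
]


def evaluate_scan(discovered, authorized, scanned_vlans):
    """Return a list of (event_name, vlan, ip, mac) tuples.

    A discovered server is rogue unless VLAN, IP and MAC all match an
    authorized entry, so an authorized IP answering from a different MAC
    is also reported. An authorized server that did not answer on a
    scanned VLAN is reported separately, which covers the "monitor
    approved servers" half of the feature.
    """
    events = []
    seen = set(discovered)
    for server in discovered:
        if server not in authorized:
            events.append(("ROGUE_DHCP_SERVER", server.vlan, server.ip, server.mac))
    for server in authorized:
        if server.vlan in scanned_vlans and server not in seen:
            events.append(("AUTHORIZED_DHCP_SERVER_NOT_RESPONDING",
                           server.vlan, server.ip, server.mac))
    return events


if __name__ == "__main__":
    for event in evaluate_scan(DISCOVERED, AUTHORIZED, scanned_vlans={10, 20}):
        print(*event)
```

Matching on the full (VLAN, IP, MAC) tuple rather than on IP alone is deliberate: a rogue that borrows the authorized server's IP address still shows up because its MAC differs.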

Vendor OUIs

Allows you to modify the Vendor OUI database, which FortiNAC uses to determine whether a MAC address is valid and which Device Profiler uses to profile devices by OUI. The database is updated periodically through the Auto Definition update process.

See Vendor OUIs.

Network Device

Network Device

Set global properties that are specific to network devices and VLANs.

See Network device.

Persistent Agent

Agent Update

Enable Persistent Agent updates by Operating System, schedule agent updates and add hosts to the list of Update Exceptions. You can update agents on both platforms simultaneously or separately.

See Global updates.

Credential Configuration

Configure how credentials are verified for hosts who use the Persistent Agent.

See Credential configuration.

Security Management

Configure the name of the FortiNAC server used for Persistent Agent communication, enable or disable the display of notifications on the host, and configure the header and footer text for the Persistent Agent Authentication page and the status messages shown in the message box on the user's desktop.

See Security management.

Status Notifications

Configure how users are notified of their host status when the Persistent Agent contacts the FortiNAC server.

See Status notifications.

Reports

Local Reporting

Set record limits for reports to prevent the server from being overloaded.

See Reports.

Analytics

Configure the connection between the FortiNAC server and the cloud reporting Analytics server. This connection allows an agent on the FortiNAC server to push data for reporting to an external server based on a user-defined schedule.

See Reports.

Security

Portal SSL

Enable or disable the use of SSL Certificates in the Portal or for Agent server communications.

See Portal SSL.

System Communication

Email Settings

Enter settings for your email server. This allows FortiNAC to send email to Administrators and network users.

See Email settings.

Log Receivers

Configure a list of servers to receive event and alarm messages from FortiNAC.

See Log receivers.

MDM Services

Configure one or more Mobile Device Management (MDM) servers that integrate with FortiNAC.

See MDM services.

Mobile Providers

Displays the default set of Mobile Providers included in the database. FortiNAC uses the Mobile Providers list to send SMS messages to guests and administrators. The list can be modified as needed.

See Mobile providers.

Patch Management

The Patch Management feature allows integration with Patch servers such as BigFix or PatchLink.

See Patch management.

Proxy Settings

Configure FortiNAC to direct web traffic to a proxy server in order to download OS updates and auto-definition updates.

SNMP

Set the SNMP protocol used by devices that query FortiNAC for information, and the SNMP protocol used to accept SNMPv3 traps that register hosts and users.

See SNMP.

Syslog Files

Syslog files that you create and store define how FortiNAC parses the syslog messages received from external devices and generates an event from them. The event can contain any or all of the fields present in the syslog output, and it can be mapped to an alarm and an alarm action.

See Syslog management and Map events to alarms.
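The parse-then-map pipeline described above, as an added example that is not FortiNAC's own code: syslog lines from an external device are split into fields, a subset of those fields is copied into an event, and the event is matched against rules that name an alarm and an alarm action. The sample lines, the field names, the rule set and the alarm and action names are all constructed for the example.

```python
# Added example, not FortiNAC code: parse syslog lines from an external
# device into events containing selected fields, then map events to an
# alarm and an alarm action. Sample lines, rules and names are constructed.
import re

# Constructed syslog lines in RFC 3164 style carrying a key=value body,
# as a hypothetical IDS/firewall might send them. The last line is noise.
SAMPLE_LINES = [
    '<134>Mar 12 10:15:02 fw01 ids: action=drop severity=high '
    'src=10.1.5.23 dst=203.0.113.9 msg="port scan detected"',
    '<134>Mar 12 10:15:07 fw01 ids: action=allow severity=low '
    'src=10.1.5.40 dst=10.1.9.2 msg="dns query"',
    'not a syslog line',
]

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$'
)
# key=value pairs; a quoted value may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields copied from the parsed message into the event (any subset of
# what the syslog output contains).
EVENT_FIELDS = ("host", "action", "severity", "src", "dst", "msg")

# Event-to-alarm mapping: the first rule whose match conditions all hold
# wins. Alarm names and actions are hypothetical.
ALARM_RULES = [
    {"match": {"severity": "high"}, "alarm": "IDS Critical", "action": "mark-at-risk"},
    {"match": {"action": "drop"}, "alarm": "IDS Drop", "action": "notify-admin"},
]


def parse_line(line):
    """Split one syslog line into a dict of fields, or None if malformed."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    fields = {
        "host": m.group("host"),
        "tag": m.group("tag"),
        "timestamp": m.group("ts"),
        "facility": pri >> 3,       # PRI = facility * 8 + severity
        "syslog_severity": pri & 7,
    }
    for key, quoted, bare in KV_RE.findall(m.group("body")):
        fields[key] = quoted if quoted else bare
    return fields


def build_event(fields):
    """Keep only the configured EVENT_FIELDS, skipping any that are absent."""
    return {k: fields[k] for k in EVENT_FIELDS if k in fields}


def map_to_alarm(event, rules=ALARM_RULES):
    """Return (alarm_name, action) for the first matching rule, else None."""
    for rule in rules:
        if all(event.get(k) == v for k, v in rule["match"].items()):
            return rule["alarm"], rule["action"]
    return None


def process_lines(lines):
    """Parse each line; return [(event, alarm_or_None)] for the parseable ones."""
    results = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable input is dropped, not turned into an event
        event = build_event(fields)
        results.append((event, map_to_alarm(event)))
    return results


if __name__ == "__main__":
    for event, alarm in process_lines(SAMPLE_LINES):
        print(event, "->", alarm)
```

Rules are evaluated in order and the first match wins, so put the most specific (or most severe) mapping first; a line that the header pattern does not recognise is discarded rather than turned into a half-populated event.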

Trap MIB Files

Enter configurations to interpret SNMP trap MIB information sent from a device and associate it with events and alarms in FortiNAC.

See Trap MIB files and Map events to alarms.

System Management

Database Archive

Set the age time for archived data files and configure the schedule for the Archive and Purge task.

See Database archive.

Database Backup/Restore

Schedule database backups, configure how many days to store local backups, and restore a database backup. Note that this restores backups on the FortiNAC server, not backups on a remote server.

See Backup/restore a database.

High Availability

Configuration for Primary and Secondary appliances for High Availability. Saving changes to these settings restarts both the Primary and Secondary servers.

See High availability.

License Management

View or modify the license key for this server or an associated Application server.

See License management.

NTP And Time Zone

Change the time zone and NTP server for your FortiNAC appliances. Typically the time zone and NTP server are configured using the Configuration Wizard during the initial appliance set up. Changes require a server restart to take effect.

See NTP and time zone.

Power Management

Reboot or power off the FortiNAC server. In the case of a FortiNAC Control Server / Application Server pair, reboot or power off each server individually.

See Power management.

Remote Backup Configuration

Configure Scheduled Backups to use a remote server via FTP and/or SSH.

See Backup to a remote server.

System Backups

Create a backup of all system files that are used to configure FortiNAC.

See System backups.

Updates

Agent Packages

Displays a list of the Dissolvable, Persistent and Passive Agent versions available on your FortiNAC appliance. Download new agents and add them to FortiNAC as they become available from Fortinet using the Download button. Download an Administrative template for GPO configuration to your PC from the FortiNAC appliance using the links at the top of the view.

See Agent packages.

Operating System

Use Operating System Updates to download and install updates to the operating system on FortiNAC servers.

See Updating CentOS.

System

Use System Updates to configure download settings, download updates from Fortinet, install updates and view the updates log.

See System update.

User/Host Management

Aging

Configure default settings to age users and hosts out of the database.

See Aging.

Allowed Hosts

Configure the default number of hosts that can be registered to a user.

See Allowed hosts.

Device Profiler

Enable or disable the creation of rogues from DHCP packets heard on the network.

See Device profiler.

MAC Address Exclusion

Lists the MAC addresses that FortiNAC ignores when they connect to the network. These addresses are not treated as rogues and are allowed on the production network.

See MAC address exclusion.