OT Security
OT Service Connector allows you to configure the connection or integration between FortiNAC and an Operational Technology (OT) security system. FortiNAC and the OT security system work together sharing data via an API to secure the network. FortiNAC leverages the data in the OT security system’s database and registers hosts using that data as they connect to the network.
The OT Service Connector is configurable on the FortiNAC Manager or the individual managed FortiNAC servers. Choose the appropriate option based upon which FortiNAC servers require the OT host record information.
Option 1
Requirement: All servers managed by FortiNAC Manager require OT host record information.
Configuration: Configure the OT Service Connector on the FortiNAC Manager. No other configuration is required.
Behavior: The Manager copies all OT host record information to the servers after each OT poll.
Benefit: Provides a single point of contact for the OT security system. Reduces the overall number of queries the OT security system has to process.
Option 2
Requirement: Only certain FortiNAC servers require OT host record information.
Configuration: Configure the OT Service Connector on the FortiNAC servers requiring the data.
Behavior: The OT security server is polled by each FortiNAC server configured with the OT Service Connector.
Proxy communication is not supported.
Supported vendors
• Nozomi
• Claroty
For more information about supported vendors, refer to the Third Party OT Security Device Integration reference manual in the Fortinet Documentation Library.
Settings

Field | Definition
---|---
Name | Name of the connection configuration for the connection between an OT security system and FortiNAC.
Request URL | The URL for the API to which FortiNAC must connect to request data. This will be a unique URL based on your OT security system.
User ID | User name of the account used by FortiNAC to log into the OT security system when requesting data.
Password | Password for the account used by FortiNAC to log into the OT security system when requesting data. This field displays only when adding a new service connection configuration. It is not displayed in the table of OT security systems.
Enable Automatic Registration Polling | If enabled, FortiNAC automatically polls the OT security system for information.
Automatic Registration Polling Interval | Indicates how often FortiNAC should poll the system for information when Automatic Registration Polling is enabled. The interval can be set in Days, Hours or Minutes.
Remove Hosts Deleted | If enabled, when FortiNAC polls the OT security system, it deletes hosts from the FortiNAC database if they have been removed from the OT security system.
Poll OT Assets Only | Only poll Claroty assets with a class type of OT. FortiNAC host records for other class types, such as IT, are not created.
Poll Approved Assets Only | Only poll Claroty assets that have an approved value of "true". FortiNAC host records are not created for Claroty assets with a "false" or missing approved value.
Enable On Demand Registration | If enabled, when an unknown host reaches the captive portal, FortiNAC queries the OT security system for information about that host. If the host exists in the OT security system, it is registered in FortiNAC using the data from the OT security system.
Revalidate Health Status On Connect | If enabled, when the host connects to the network FortiNAC queries the OT security system to determine whether the host is compliant with OT security system policies. This setting is disabled by default. When enabled, the OT security system may not be able to manage the rate of queries from FortiNAC, causing performance issues. Instead of enabling Revalidate Health Status On Connect, you can set automatic registration polling to run once a day, which also retrieves Health Status, but less frequently.
Compliance Level | None: Claroty assets are not evaluated for OT compliance in FortiNAC.<br>Medium, High or Critical: Claroty assets with a Medium risk_level (1), High risk_level (2) or Critical risk_level (3) are marked as not MDM compliant in FortiNAC.<br>High or Critical: Claroty assets with a High risk_level (2) or Critical risk_level (3) are marked as not MDM compliant in FortiNAC.<br>Critical Only: Claroty assets with a Critical risk_level (3) are marked as not MDM compliant in FortiNAC.
Disable Hostname Verification | If enabled, SSL hostname verification is disabled: FortiNAC no longer checks that the certificate presented by the OT security system matches the host in the Request URL, so an attacker on the path could impersonate the OT security system and feed FortiNAC false host data. Leave this disabled and install a certificate whose name matches the Request URL; enable it only temporarily for troubleshooting.
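The following is an added example, not FortiNAC or Claroty code, that models how the Poll OT Assets Only, Poll Approved Assets Only, Remove Hosts Deleted and Compliance Level settings above turn one poll of a Claroty asset list into FortiNAC host records. The asset field names (`mac`, `class_type`, `approved`, `risk_level`) and the numeric risk_level values are taken from the Settings table; the record shape, the treatment of a missing `risk_level`, and the rule that Remove Hosts Deleted only drops MACs absent from the OT system entirely are assumptions of this example.

```python
# Added example (not FortiNAC or Claroty code): a model of the OT Service
# Connector filtering and compliance settings applied to one poll.
from dataclasses import dataclass

# risk_level values as listed under Compliance Level: Medium 1, High 2, Critical 3
RISK_MEDIUM, RISK_HIGH, RISK_CRITICAL = 1, 2, 3

# Compliance Level choice -> lowest risk_level that marks an asset not compliant
COMPLIANCE_THRESHOLD = {
    "None": None,
    "Medium, High or Critical": RISK_MEDIUM,
    "High or Critical": RISK_HIGH,
    "Critical Only": RISK_CRITICAL,
}


@dataclass
class ConnectorSettings:
    poll_ot_assets_only: bool = False
    poll_approved_assets_only: bool = False
    remove_hosts_deleted: bool = False
    compliance_level: str = "None"


@dataclass
class HostRecord:
    mac: str
    compliant: bool  # the "MDM compliant" flag FortiNAC derives from OT risk


def asset_selected(asset: dict, s: ConnectorSettings) -> bool:
    """Apply the Poll OT Assets Only / Poll Approved Assets Only filters."""
    if s.poll_ot_assets_only and asset.get("class_type") != "OT":
        return False
    # approved must be exactly true; false or a missing key excludes the asset
    if s.poll_approved_assets_only and asset.get("approved") is not True:
        return False
    return True


def asset_compliant(asset: dict, s: ConnectorSettings) -> bool:
    """Evaluate the Compliance Level threshold against the asset's risk_level."""
    threshold = COMPLIANCE_THRESHOLD[s.compliance_level]
    if threshold is None:
        return True  # "None": OT risk is not evaluated at all
    # assumption: an asset with no risk_level field is treated as lowest risk
    return asset.get("risk_level", 0) < threshold


def poll(assets: list, existing: dict, s: ConnectorSettings) -> dict:
    """One automatic registration poll.

    `existing` holds the host records this connector created on earlier polls,
    keyed by lower-case MAC. Returns the updated records.
    Assumption: Remove Hosts Deleted drops only records whose MAC no longer
    appears in the OT system at all; an asset that still exists but is now
    filtered out (for example re-classified as IT) is left in place.
    """
    records = dict(existing)
    still_in_ot = set()
    for asset in assets:
        mac = asset["mac"].lower()
        still_in_ot.add(mac)
        if not asset_selected(asset, s):
            continue
        records[mac] = HostRecord(mac=mac, compliant=asset_compliant(asset, s))
    if s.remove_hosts_deleted:
        for mac in list(records):
            if mac not in still_in_ot:
                del records[mac]
    return records


# Constructed sample asset list, shaped after the fields the settings refer to.
SAMPLE_ASSETS = [
    {"mac": "00:11:22:33:44:01", "class_type": "OT", "approved": True, "risk_level": RISK_MEDIUM},
    {"mac": "00:11:22:33:44:02", "class_type": "OT", "approved": True, "risk_level": RISK_CRITICAL},
    {"mac": "00:11:22:33:44:03", "class_type": "IT", "approved": True, "risk_level": RISK_HIGH},
    {"mac": "00:11:22:33:44:04", "class_type": "OT", "approved": False, "risk_level": 0},
    {"mac": "00:11:22:33:44:05", "class_type": "OT", "risk_level": RISK_HIGH},  # no approved key
]


def demo() -> dict:
    """Poll with all filters on and Compliance Level 'High or Critical'."""
    settings = ConnectorSettings(
        poll_ot_assets_only=True,
        poll_approved_assets_only=True,
        remove_hosts_deleted=True,
        compliance_level="High or Critical",
    )
    # a record from an earlier poll whose asset has since disappeared from Claroty
    previous = {"00:11:22:33:44:99": HostRecord("00:11:22:33:44:99", True)}
    return poll(SAMPLE_ASSETS, previous, settings)


if __name__ == "__main__":
    for mac, rec in sorted(demo().items()):
        print(mac, "compliant" if rec.compliant else "NOT compliant")
```

With all three filters on, only the two approved OT assets survive: the Medium-risk one is compliant under "High or Critical", the Critical one is not, and the stale record from the earlier poll is removed because its MAC no longer appears in the asset list.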
Right click options

Option | Definition
---|---
Delete | Deletes the OT Service.
Edit | Opens the Modify OT Service dialog.

Buttons

Button | Definition
---|---
Create New | Opens the Add OT Service dialog.
Edit | Opens the Modify OT Service dialog.
Delete | Deletes the OT Service.
Add or modify OT service
1. Go to Network > Service Connectors.
2. Select Create New and select a vendor, or select an existing OT security system and click Edit.
3. Use the settings described above to enter the OT Service information.
4. Click OK to save.
The Revalidate Health Status On Connect setting is disabled by default. When enabled, the OT security system may not be able to manage the rate of queries from FortiNAC, causing performance issues.
Instead of enabling Revalidate Health Status On Connect, you can set automatic registration polling to run once a day, which also retrieves Health Status, but less frequently.
Delete OT service
1. Go to Network > Service Connectors.
2. Select an OT Service record from the table.
3. Click Delete at the top of the view.
4. Click Yes on the confirmation message.