Administration Guide

Transport configurations

Packet Transport Configurations define the methods of communication available between FortiNAC and the Persistent Agent. Each Packet Transport Configuration is defined with a unique Name and a unique combination of Bind Address, Port, and Transport Type. If no Bind Address is specified, all addresses are bound for the supplied Port. The supplied port must be in the range of 1024 to 49151 and not already in use by another service within the operating system. If the Transport Type is TCP, a TLS Service Configuration must be defined to secure the communication. Changes made to Packet Transport Configurations do not take effect immediately. The enabled configurations will begin listening when the Persistent Agent services are reloaded or FortiNAC is restarted.

TLS Service Configurations define the certificate, TLS Protocols, and Ciphers used for secure communication. The certificate can be uploaded using the Certificate Management view. By checking "Automatically Update Ciphers and Protocols on Upgrade," the settings for both Ciphers and TLS Protocols become managed by FortiNAC. Upon upgrade, the system will automatically configure the TLS Service Configuration to the latest recommended Ciphers and Protocols.

Packet transport settings

Field

Definition

Enabled

If true, a listener will be created for this configuration on the next load of the Persistent Agent services.

Name

Unique name used to identify the configuration.

Bind Address

An optional IPv4 or IPv6 address to use when listening for packets. If no address is provided, all addresses are used.

Port

The port on which this configuration opens its socket. System and Dynamic ports may not be used. Valid values are in the range of 1024 to 49151.

TLS Configuration

The selected configuration for securing communication with the Persistent Agent. Only TCP transports use a TLS configuration.

Transport Type

The communication protocol, either TCP or UDP, to use when communicating with the Persistent Agent.

Maximum Incoming Packets to Queue

The maximum number of unprocessed packets from the Persistent Agent to retain. Any packets received while the queue is full will be discarded.

Read Idle Timeout

The maximum amount of time, in seconds, without receiving from the agent before closing the connection.

Write Idle Timeout

The maximum amount of time, in seconds, before the server will send a packet to the agent to ensure the connection is still open.

Use Native Transport (Experimental)

Use native libraries for Sockets and TLS when possible. Enable this experimental feature only if recommended.

Last Modified By

User name of the last user to modify the configuration.

Last Modified Date

Date and time of the last modification to this configuration.

Right click options

Modify

Modify the selected Packet Transport Configuration.

Delete

Deletes the selected Packet Transport Configuration.

Reload Services

Closes any existing sockets in the Persistent Agent server and creates a new series of sockets using the enabled Packet Transport Configurations. All unprocessed packets in the existing queues are dropped, allowing the Persistent Agent server to resume communication from a clean state.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Admin auditing.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

TLS service settings

Field

Definition

Automatically Update Ciphers and Protocols on Upgrade

If true, the settings for both Ciphers and TLS Protocols will become managed by FortiNAC. Upon upgrade, the system will automatically configure the TLS Service Configuration to the latest recommended Ciphers and Protocols.

Name

Unique name used to identify the configuration.

Ciphers

The Cipher Suite to use when encoding messages using TLS. At least one Cipher must be selected. Ciphers must be supported by both client and server, so disabling Ciphers may prevent some Persistent Agents from communicating.

TLS Protocol

The list of TLS Protocols to allow by the server. At least one TLS Protocol must be selected. TLS Protocols must be supported by both client and server, so disabling Protocols may prevent some Persistent Agents from communicating.

Certificate Alias

Select the certificate to use when securing communication. Certificates may be uploaded using the certificate management view.

See Certificate management.

Last Modified By

User name of the last user to modify the configuration.

Last Modified Date

Date and time of the last modification to this configuration.

Right click options

Modify

Modify the selected TLS Service Configuration.

Delete

Deletes the selected TLS Service Configuration.

In Use

Provides a list of Packet Transport Configurations that currently reference the selected TLS Service Configuration.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Admin auditing.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Add or modify packet transport configuration

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Transport Configuration from the tree.
  4. To modify a record: Select a Packet Transport Configuration record from the table and click Modify.
  5. To add a new record: Click Add at the bottom of the upper panel.
  6. Use the Settings for the Persistent Agent Transport Configuration topic to enter the Packet Transport Configuration information.
  7. Click OK to save.

After adding or modifying a Packet Transport Configuration, the services will continue to use the previous configuration until a reload is requested or FortiNAC is restarted.

Delete packet transport configuration

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Transport Configuration from the tree.
  4. Select a Packet Transport Configuration record from the table.
  5. Click Delete at the bottom of the panel.
  6. Click Yes on the confirmation message.

Add or modify TLS service configuration

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Transport Configuration from the tree.
  4. To modify a record: Select a TLS Service Configuration record from the table and click Modify.
  5. To add a new record: Click Add at the bottom of the lower panel.
  6. Use the Settings for the Persistent Agent Transport Configuration topic to enter the TLS Service Configuration information.
  7. Click OK to save.

After adding or modifying a TLS Service Configuration, the Packet Transport Configuration services will continue to use the previous configuration until a reload is requested or FortiNAC is restarted.

Delete TLS service configuration

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Transport Configuration from the tree.
  4. Select a TLS Service Configuration record from the table.
  5. Click Delete at the bottom of the panel.
  6. If one or more Packet Transport Configurations are associated with the TLS Service Configuration, you will not be able to delete it.
  7. Click Yes on the confirmation message.
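The constraints this page states for Packet Transport and TLS Service Configurations (port range 1024 to 49151, port not already in use, a unique Name and a unique Bind Address/Port/Transport Type combination, TCP transports needing a TLS Service Configuration, at least one Cipher and one TLS Protocol, and a TLS Service Configuration that is "In Use" not being deletable) can be checked before touching the UI. The following is an added example written for this page, not FortiNAC code; the class and function names, the sample port numbers, cipher, protocol and alias values are all constructed.

```python
"""Constructed pre-change check for FortiNAC-style transport settings.
Not FortiNAC code: names, ports, cipher/protocol strings are made up."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class TlsServiceConfig:
    name: str
    ciphers: list            # at least one required
    protocols: list          # at least one required
    certificate_alias: str

@dataclass
class PacketTransportConfig:
    name: str
    port: int
    transport_type: str                  # "TCP" or "UDP"
    bind_address: Optional[str] = None   # None = bind all addresses
    tls_config: Optional[str] = None     # TlsServiceConfig.name, TCP only
    enabled: bool = True

def validate(transports, tls_configs, ports_in_use=()):
    """Return the list of rule violations; an empty list means consistent."""
    problems = []
    tls_names = {t.name for t in tls_configs}
    for t in tls_configs:
        if not t.ciphers:
            problems.append(f"TLS '{t.name}': at least one cipher must be selected")
        if not t.protocols:
            problems.append(f"TLS '{t.name}': at least one TLS protocol must be selected")
    seen_names, seen_keys = set(), set()
    for p in transports:
        if p.name in seen_names:
            problems.append(f"Transport '{p.name}': duplicate name")
        seen_names.add(p.name)
        key = (p.bind_address, p.port, p.transport_type)   # must be unique
        if key in seen_keys:
            problems.append(f"Transport '{p.name}': duplicate bind/port/type {key}")
        seen_keys.add(key)
        if not 1024 <= p.port <= 49151:       # no System or Dynamic ports
            problems.append(f"Transport '{p.name}': port {p.port} outside 1024-49151")
        if p.port in ports_in_use:
            problems.append(f"Transport '{p.name}': port {p.port} already in use")
        if p.transport_type == "TCP" and p.tls_config not in tls_names:
            problems.append(f"Transport '{p.name}': TCP requires an existing TLS configuration")
    return problems

def tls_in_use(tls_name, transports):
    """Mirror the 'In Use' option: a non-empty result blocks deletion."""
    return [p.name for p in transports if p.tls_config == tls_name]

# Constructed sample set (values are illustrative, not FortiNAC defaults).
SAMPLE_TLS = [TlsServiceConfig("agent-tls", ["TLS_AES_256_GCM_SHA384"], ["TLSv1.3"], "agent-cert")]
SAMPLE_TRANSPORTS = [PacketTransportConfig("agent-tcp", 4568, "TCP", tls_config="agent-tls"),
                     PacketTransportConfig("agent-udp", 4567, "UDP")]
```

Running `validate(SAMPLE_TRANSPORTS, SAMPLE_TLS)` on the sample returns no problems, while a TCP transport on port 80 with no TLS configuration reports both the port-range and the missing-TLS violation.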
