
Administration Guide


Settings

The settings view provides access to global system configuration options, such as Aging properties to remove hosts and users from the database or email settings for emailing users and administrators.

The settings view is navigated using the tree control on the left side. The top level of the hierarchy represents a general configuration area, such as Authentication or System Communication. These areas group similar functions. When a top-level option such as Authentication is selected, the panel on the right contains a list of links to the options that can be configured. For example, if Authentication is selected, the links provided include Google, LDAP and RADIUS, and Roaming Guests. These options are also displayed below Authentication in the tree.

Use Flat View to list all of the options in alphabetical order instead of grouped in folders. Use + Expand All and - Collapse All at the top of the tree to open and close all of the folders. Click on the + symbol next to a folder to open it. Click on the - symbol to close the folder. Click on an option to display the corresponding configuration panel on the right.

Settings can be found in 4 different categories of the menu:

  • Users & Hosts

  • Network

  • Security Configuration

  • System

All settings can also be unified under System by enabling Unified Settings under System > Feature Visibility.

Users & Hosts Setting

Description

User/Host Management

Aging

Configure default settings to age users and hosts out of the database.

See Aging.

Allowed Hosts

Configure the default number of hosts that can be registered to a user.

See Allowed hosts.

Device Profiler

Enable or Disable creating rogues from DHCP packets heard on the network.

See Device profiler.

MAC Address Exclusion

Lists the MAC addresses that can be ignored by FortiNAC when they connect to the network. These addresses will not be treated as rogues and will be allowed on the production network.

See MAC address exclusion.

Network Setting

Description

Authentication

LDAP

Directories

RADIUS

RADIUS

Local RADIUS Server

Local RADIUS Server

Roaming Guests

Roaming guests

Control

Access Point Management

Provides the ability to manage hosts connected to hubs using DHCP as a means to control or restrict host access.

See Access point management.

Allowed Domains

Specify the domains and production DNS server that isolated hosts use to gain access to network locations.

See Allowed domains.

Quarantine

When quarantine VLAN Switching is set to Enable and the ports are in the Forced Remediation Group, FortiNAC switches unregistered hosts that are being scanned to the quarantine VLAN until the scan process is completed.

See Quarantine.

Identification

Device Types

Displays icons representing each device type in the system, and allows you to add, modify, and delete custom type icons.

NAT Detection

Enter the IP ranges where FortiNAC will allow NAT'd hosts. IP addresses outside this range could be NAT'd hosts and can generate an event and an alarm to notify the network administrator.

See NAT detection.

Rogue DHCP Server Detection

Monitors the operation of approved DHCP servers and detects rogue DHCP servers on the network using a dedicated interface on the FortiNAC appliance. It defines a scheduled task that searches specific VLANs and discovers all active entities serving IP addresses. This task compares the discovered DHCP servers against a list of authorized DHCP servers and triggers corresponding events when there is no match.

See Rogue DHCP server detection.

Vendor OUIs

Allows you to modify the vendor OUI database, which is used to determine whether a MAC address is valid and is used by Device Profiler to profile devices by OUI. The database is updated periodically through the Auto Definition update process.

See Vendor OUIs.

Network Device

Network Device

Set global properties that are specific to network devices and VLANs.

See Network device.

Security

Portal SSL

Enable or disable the use of SSL certificates in the Portal or for Agent server communications.

See Portal SSL.

Security Configuration > Agent Settings

Description

Persistent Agent

Agent Update

Enable Persistent Agent updates by operating system, schedule agent updates and add hosts to the list of Update Exceptions. You can update agents on both platforms simultaneously or separately.

See Global updates.

Credential Configuration

Configure how credentials are verified for hosts who use the Persistent Agent.

See Credential configuration.

Security Management

Configure the name of the FortiNAC server for Persistent Agent communication, enable or disable display notifications to the host, and configure header and footer text for the Persistent Agent authentication page and status messages in the message box on the user's desktop.

See Security management.

Status Notifications

Configure how users are notified of their host status when the Persistent Agent contacts the FortiNAC server.

See Status notifications.

Transport Configuration

Configure TCP and UDP communication between the FortiNAC server and the Persistent Agent.

See Transport configurations.

USB Detection

The USB Detection view allows you to configure FortiNAC to be notified in the event that a USB device was plugged into a host on the network.

See USB detection.

System Setting

Description

Reports

Analytics

Configure the connection between the FortiNAC server and the cloud reporting Analytics server. This connection allows an agent on the FortiNAC server to push data for reporting to an external server based on a user-defined schedule.

See Reports.

System Communication

System Communication

Email Settings

Enter settings for your email server. This allows FortiNAC to send email to Administrators and network users.

See Email settings.

Firewall Tags

Configure Logical Network Firewall Tags

Fortinet FSSO Settings

Enable FortiNAC as a Fortinet Fabric Connector

Log Receivers

Configure a list of servers to receive event and alarm messages from FortiNAC.

See Log receivers.

Email/SMS Message Templates

Customization of SMS and E-Mail messages for Self-Registered and Pre-Registered Guests

Mobile Providers

Displays the default set of Mobile Providers included in the database. FortiNAC uses the Mobile Providers list to send SMS messages to guests and administrators. The list can be modified as needed.

See Mobile providers.

Patch Management

The Patch Management feature allows integration with Patch servers such as BigFix or PatchLink.

See Patch management.

Proxy Settings

Configure FortiNAC to direct web traffic to a proxy server in order to download OS updates and auto-definition updates.

SNMP

Set the SNMP protocol for devices that query FortiNAC for information. It is also used to set the SNMP protocol to accept SNMPv3 traps that register hosts and users.

See SNMP.

Syslog Files

Syslog files that you create and store are used by FortiNAC to parse the information received from external devices and generate an event. The event can contain any or all of the fields contained in the syslog output and can be mapped to an Alarm and an Alarm action.

See Syslog management and Map events to alarms.

Trap MIB Files

Enter configurations to interpret SNMP trap MIB information sent from a device and associate it with events and alarms in FortiNAC.

See Trap MIB files and Map events to alarms.

Vulnerability Scanners

Configure and manage the connection to a Vulnerability Scanner, allowing FortiNAC to request and process scan results.

System Management

System Management

Database Archive

Set the age time for archived data files and configure the schedule for the Archive and Purge task.

See Database archive.

Database Backup/Restore

Schedule database backups, configure how many days to store local backups, and restore a database backup. Note that this restores backups on the FortiNAC server, not backups on a remote server.

See Backup or restore a database.

High Availability

Configuration for Primary and Secondary appliances for high availability. Saving changes to these settings restarts both the Primary and Secondary servers.

See High availability.

License Management

View or modify the license key for this server or an associated Application server.

See License management.

NTP And Time Zone

Reset the time zone and NTP server for your FortiNAC appliances. Typically the time zone and NTP server are configured using the Configuration Wizard during the initial FortiNAC set up. Requires a server restart to take effect.

See NTP and time zone.

Power Management

Reboot or power off the FortiNAC server. In the case of a FortiNAC Control Server / Application Server pair, reboot or power off each server individually.

See Power management.

Remote Backup Configuration

Configure Scheduled Backups to use a remote server via FTP and/or SSH.

See Backup to a remote server.

System Backups

Create a backup of all system files that are used to configure FortiNAC.

See System backups.

Updates

Updates

Agent Packages

Displays a list of the Dissolvable Agent, Persistent Agent, and Passive Agent versions available on your FortiNAC appliance. Download new agents and add them to FortiNAC as they become available from Fortinet using Download. Download an Administrative template for GPO configuration to your PC from the FortiNAC appliance using the links at the top of the view.

See Agent packages.

Operating System

Use operating system updates to download and install updates to the operating system on FortiNAC servers.

See Updating CentOS.

System

Use System Updates to configure download settings, download updates from Fortinet, install updates and view the updates log.

See System update.
