Administration Guide

Virtualized Devices

The Virtualized Devices tab in the right pane displays all the virtual domains (VDOMs). Virtualized Devices is accessible from the top level of Inventory and from each container.

From this view, customers can select multiple VDOMs at once for editing. Right-clicking a device provides the options Model Configuration, Add Virtualized Devices to Groups, and Set Model Configuration. To learn more about these options, see Model configuration.

Modify Multiple Virtualized Devices

  1. Click Network > Inventory.
  2. In the Virtualized Devices tab, Ctrl-click or Shift-click to select the devices you wish to modify.
  3. Right-click the selected devices and select Set Model Configurations.

    The number of devices you selected to be modified will show next to Add Configuration Category.

  4. Select the Configuration Categories to modify from the drop-down menu of Add Configuration Category. See Model configuration for more details.

Group Virtualized Devices

  1. Navigate to Network > Inventory.
  2. In the Virtualized Devices tab, Ctrl-click or Shift-click to select the devices you wish to group.
  3. Right-click the selected devices and select Add Virtualized Devices to Groups.
  4. Select or create a group to add the devices to. Click OK.

Send SSO Tag/Group Data to a FGT

FNAC can send SSO tag/group data to one or more FortiGates in a variety of scenarios, including:

  1. Hosts that appear as detected devices on a FortiGate wired interface.
  2. Hosts that have a wired connection to a FortiLink FSW managed by a FortiGate.
  3. Hosts that have wireless connections to a FortiGate through a FortiAP.
  4. Hosts that have a VPN connection to a FortiGate.
  5. Hosts that are connected anywhere in the network to a network device managed by FNAC.
  6. Hosts that are running a FortiNAC Persistent Agent which is communicating to FNAC but are otherwise not seen by FNAC as connected to any managed network device.

    Note: For scenario 6, the host must belong to a group that is selected in the "Connect Hosts in Group when Agent Connects" option. The group is not used by the other scenarios.

Setting up the SSO tag/group data
  • Hosts for which you want to send SSO must belong to a group, and the group must be selected to enable the new capability.

  1. Navigate to System > Groups.
  2. Create or modify a group and add to it the hosts for which you wish to send SSO.

  3. Navigate to System > Settings > Persistent Agent > Properties.
  4. Select the group that was populated with your hosts under Connect Hosts in Group when Agent Connects.

    Note: This step is for hosts that are running a FortiNAC Persistent Agent which is communicating to FNAC but are otherwise not seen by FNAC as connected to any managed network device.

  5. Navigate to Policy & Objects > User/Host Profiles and create a new User/Host profile and add your group to the Who/What by Group setting. You may add other criteria as desired to filter the hosts you wish to include.

  6. Navigate to Policy & Objects > Network Access > Logical Networks or Network > Logical Networks. Create a new Logical Network.
  7. Navigate to Policy & Objects > Network Access > Configurations. Create a new Network Access Configuration using the new Logical Network.

  8. Create a new Network Access Policy using the new Network Access Configuration and new User/Host Profile.
  9. Navigate to Network > Inventory. Select the FortiGate device to which you want to send SSO. Click the Virtualized Devices tab for the FortiGate device.

  10. Choose the VDOM value you want to configure. Double-click, or click Model Configuration, to open a new window with settings to create or choose the tags to send to the FGT for the Logical Network created for your Network Access Policy.

Importing tag/groups into FortiGate
  • FNAC must exist as a fabric connector on each FGT that you want to integrate with SSO.

  1. Navigate to Security Fabric > Fabric Connectors.

  2. Either create or edit the FortiNAC Tags object and click the Refresh button. It may take several Refresh attempts, but this should import all the host group and tag information created within FNAC. You can verify the imported values with the View button.

  3. Enable a setting on each FGT model within FNAC to force SSO data to be sent to that FGT. The setting must be configured from a command shell on the FNAC appliance. The device command can be used to show or set values. Use the following command to set the “ForceSSO” attribute to “true” on each FGT model:

    device -ip 10.12.234.101 -setAttr -name ForceSSO -value true

    Note: This configuration is deprecated. See Addresses for creating network address objects and group objects for preferred configurations.

    The FortiNAC tags connector under Security Fabric > Fabric Connectors is deprecated in FortiOS 7.0.4 and later. For upgrade support, the FSSO FortiNAC user type can still be configured in the CLI.

    CLI example

    config user fsso
        edit "NACKY-NAC"
            set type fortinac
            set server "192.168.20.8"
            set password ENC r6Iz+hGTDzZMVYL95QX8lO/97skiXNZwPGoA0MrPWyi7iNRWlKLGQtTena9IPprqRks2LWarkQzDXuAgLncdhVLut3tf2NYgIB9gFxnmn0xALL5qNjN120kLBSazg3n4XWXzsaKFcJD1FbE5a5djZMFaGjKcy+NPwLqTliEE8OfAFJWb1P7sf4pvaBZ15j7nJATBsw==
        next
    end

    FortiOS 7.0.4 and later can communicate with FortiNAC over the REST API once FortiNAC is authorized into the Security Fabric.

    See FortiNAC security fabric authorization for more details about authorization.

    See Replace FSSO-based FortiNAC tag connector with REST API for more information about FortiGate dynamic firewall addresses for FortiNAC tags.
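Step 3 of the import procedure above sets the ForceSSO attribute with one device command per FortiGate model. The script below is an added example, not part of the FortiNAC guide or the FortiNAC product, for applying that command to several models from the FNAC appliance shell. It assumes only the device command and the -ip, -setAttr, -name and -value flags exactly as shown in step 3; the list of FortiGate model addresses is constructed (the first one is the address used in the guide). DRY_RUN defaults to 1 so the commands are printed rather than executed until you set DRY_RUN=0, and any address that is not a valid dotted-quad IPv4 address is rejected instead of being passed to the device command.

```shell
#!/bin/sh
# Added example (not from the FortiNAC guide): apply ForceSSO=true to several
# FortiGate models from the FortiNAC appliance shell.
# Assumption: the FortiNAC "device" command accepts exactly the flags shown
# in the guide:  device -ip <ip> -setAttr -name ForceSSO -value true
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them.

DRY_RUN="${DRY_RUN:-1}"

# Return 0 only for a dotted-quad IPv4 address with every octet <= 255,
# so a typo never reaches the device command.
is_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Check each octet in a subshell so the IFS change does not leak out.
    (
        IFS=.
        set -- $addr
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Build the exact command line from the guide for one FortiGate model.
force_sso_cmd() {
    printf 'device -ip %s -setAttr -name ForceSSO -value true' "$1"
}

# Apply ForceSSO to every address given as an argument.
# Returns 1 if any address was rejected, 0 otherwise.
apply_force_sso() {
    rc=0
    for ip in "$@"; do
        if ! is_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            rc=1
            continue
        fi
        cmd=$(force_sso_cmd "$ip")
        if [ "$DRY_RUN" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            $cmd
        fi
    done
    return $rc
}

# Constructed sample list of FortiGate model addresses known to FortiNAC.
FGT_MODELS="10.12.234.101 10.12.234.102"
# Usage (prints the commands while DRY_RUN=1):
# apply_force_sso $FGT_MODELS
```

Run it once with the default dry run, compare the printed commands with the one in step 3, and then run `DRY_RUN=0 apply_force_sso $FGT_MODELS` from the appliance shell. Keep the address list to the FortiGate models that actually exist in Inventory, since the attribute is stored on the FNAC model, not on the FortiGate itself.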