Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiNAC 9.2.0 Administration Guide
    9.2.0
    9.4.0
    9.2.0
    9.1.0
    8.8.0
    8.7.0
    8.6.0
    8.5.2
    8.3.0

    Addresses

    Addresses

    1. Click System > Settings.

    2. Expand the System Communication folder.

    3. Select Addresses from the tree.

    Introduced in version 9.2, address objects and address group objects are used in the following firewall integrations:

    • FortiGate (SSO or VPN)

    These objects are used to determine which firewall should receive SSO messages for hosts connecting to the network. Group objects allow for control over the network ranges and scopes used to filter SSO messages to each firewall.

    Address objects can be created by subnet or by IP Range, then combined into address groups. The address groups can then be used within the Model Configuration view of the applicable device to define the scope to be managed. Groups are selected within the model using the SSO Addresses and VPN Addresses drop-down menus. See Model configuration.

    Object Auto-Population

    By default, the Addresses tables are empty. It is up to the administrator to define the IP address scopes desired for SSO functionality.

    Address and group objects will only auto-populate if SSO was configured prior to upgrading to version 9.2 or greater. This is to ensure previous SSO functionality is maintained:

    • Prior to version 9.2, FortiNAC created internal address lists for SSO functionality. The objects are created using the same rules upon upgrade.

    • These rules include reading the FortiGate interface IP scopes and VPN configurations to determine what addresses need to be created.

    • All changes to the objects after they are created must be made manually.

    • Changes take effect during the next endpoint evaluation. This occurs after the L2 poll of the device to which the affected endpoints are connected.

    Add or Modify Address Object

    Configure using the table below then click OK.

    Field

    Description

    Name

    Name of Address object

    Message Type

    Subnet or IP Range

    IP/Netmask

    Displays when Message Type Subnet is selected.

    Enter desired subnet and mask.

    Required Format: <IP address>/xx (CIDR)

    Example: 10.25.24.1/24

    IP Range

    Displays when Message Type IP Range is selected.

    Enter IP range

    <Starting IP address> – <Ending IP address>

    Example: 10.25.24.1 – 10.25.24.30

    Add or Modify Address Group

    Configure using the table below then click OK.

    Field Description
    Name Name of Address Group
    Members Select the drill down menu for existing Address objects or select to create a new address object. Multiple objects can be selected.

    Identify the Address Group Using a Specific Address Object

    Select the Address Object then select In Use above the Address table.

    Example Result:

    Address In Use

    The Address 'FGT-IT:root:VLAN-BYOD' is in use by the following:

    - Network Address Groups

    - SSOGRP:FGT-IT:root

    Identify the Device Model or VDOM Using a Specific Address Group

    Select the Address Object then select In Use above the Address table.

    Sending Tags for Non-local FortiGate Connections

    By default, FortiNAC does not send tags to subnets that do not terminate at that FortiGate.

    Example:

    • Address group: 192.168.10.x

    • Endpoint with IP address 192.168.10.85 connecting to a switch downstream of the FortiGate.

    • Endpoint with IP address 192.168.10.90 connecting to a port on the FortiGate.

    • Both endpoints send their traffic through the same FortiGate.

    Result: FortiNAC will send a tag to the FortiGate for 192.168.10.90 but not 192.168.10.85.

    To allow FortiNAC to send tags for endpoints not directly connected to the FortiGate, a CLI change is required. Use the global option tool to expand the scope.

    1. Login to the FortiNAC CLI as root.

    2. Type

      globaloptiontool -name sso.expand.scope -set true

      logout

    3. In the FortiNAC UI, navigate to Network > Inventory.

    4. Right-click on the FortiGate Device Model and select Resync Interfaces.

    Previous
    Next

    Addresses

    Addresses

    1. Click System > Settings.

    2. Expand the System Communication folder.

    3. Select Addresses from the tree.

    Introduced in version 9.2, address objects and address group objects are used in the following firewall integrations:

    • FortiGate (SSO or VPN)

    These objects are used to determine which firewall should receive SSO messages for hosts connecting to the network. Group objects allow for control over the network ranges and scopes used to filter SSO messages to each firewall.

    Address objects can be created by subnet or by IP Range, then combined into address groups. The address groups can then be used within the Model Configuration view of the applicable device to define the scope to be managed. Groups are selected within the model using the SSO Addresses and VPN Addresses drop-down menus. See Model configuration.

    Object Auto-Population

    By default, the Addresses tables are empty. It is up to the administrator to define the IP address scopes desired for SSO functionality.

    Address and group objects will only auto-populate if SSO was configured prior to upgrading to version 9.2 or greater. This is to ensure previous SSO functionality is maintained:

    • Prior to version 9.2, FortiNAC created internal address lists for SSO functionality. The objects are created using the same rules upon upgrade.

    • These rules include reading the FortiGate interface IP scopes and VPN configurations to determine what addresses need to be created.

    • All changes to the objects after they are created must be made manually.

    • Changes take effect during the next endpoint evaluation. This occurs after the L2 poll of the device to which the affected endpoints are connected.

    Add or Modify Address Object

    Configure using the table below then click OK.

    Field

    Description

    Name

    Name of Address object

    Message Type

    Subnet or IP Range

    IP/Netmask

    Displays when Message Type Subnet is selected.

    Enter desired subnet and mask.

    Required Format: <IP address>/xx (CIDR)

    Example: 10.25.24.1/24

    IP Range

    Displays when Message Type IP Range is selected.

    Enter IP range

    <Starting IP address> – <Ending IP address>

    Example: 10.25.24.1 – 10.25.24.30

    Add or Modify Address Group

    Configure using the table below then click OK.

    Field Description
    Name Name of Address Group
    Members Select the drill down menu for existing Address objects or select to create a new address object. Multiple objects can be selected.

    Identify the Address Group Using a Specific Address Object

    Select the Address Object then select In Use above the Address table.

    Example Result:

    Address In Use

    The Address 'FGT-IT:root:VLAN-BYOD' is in use by the following:

    - Network Address Groups

    - SSOGRP:FGT-IT:root

    Identify the Device Model or VDOM Using a Specific Address Group

    Select the Address Object then select In Use above the Address table.

    Sending Tags for Non-local FortiGate Connections

    By default, FortiNAC does not send tags to subnets that do not terminate at that FortiGate.

    Example:

    • Address group: 192.168.10.x

    • Endpoint with IP address 192.168.10.85 connecting to a switch downstream of the FortiGate.

    • Endpoint with IP address 192.168.10.90 connecting to a port on the FortiGate.

    • Both endpoints send their traffic through the same FortiGate.

    Result: FortiNAC will send a tag to the FortiGate for 192.168.10.90 but not 192.168.10.85.

    To allow FortiNAC to send tags for endpoints not directly connected to the FortiGate, a CLI change is required. Use the global option tool to expand the scope.

    1. Login to the FortiNAC CLI as root.

    2. Type

      globaloptiontool -name sso.expand.scope -set true

      logout

    3. In the FortiNAC UI, navigate to Network > Inventory.

    4. Right-click on the FortiGate Device Model and select Resync Interfaces.

    Previous
    Next