9.4.0

Requirements

FortiNAC

  • Supported Engine Version: 8.7.2 or greater

  • Recommended Engine Version: 8.8.8, 9.1.2 or greater

  • Multiple VDOM/Split-Task VDOM support: Version 8.8.8, 9.1.2 or greater

  • FOS 7.2/7.3 support: Version 9.1.7, 9.2.5, 9.4.0 or greater

  • FOS 7.4 support: Version 9.4.4, 7.2.4 or greater

  • Remote device must have either the FortiNAC Dissolvable or Persistent Agent

    • Supported FortiNAC Agent Version: 5.2.3 or greater

    • Recommended FortiNAC Agent Version: 5.2.6

    • Agent Supported Operating Systems:

      • Windows (not Windows CE)

      • macOS

      • Linux

      • Android

        Note: FortiNAC doesn't have an app or agent for iOS. Therefore, iOS mobile devices cannot connect through VPN.

    • Dissolvable Agent can be downloaded as part of the VPN connection process from the Captive Portal

    • Persistent Agent can also be downloaded from the Captive Portal or pre-installed

    • Operating systems that cannot run a FortiNAC agent will always remain isolated when connecting to a VPN that is managed by FortiNAC

    • Remote device firewall settings must allow TCP 4568 (bi-directional) for agent communication with FortiNAC (eth0 for visibility, eth0 & eth1 for control).

FortiGate

  • Supported Firmware Version: 6.0.5 or greater.

  • Recommended Firmware Version:

    • 6.2: 6.2.8 or greater

    • 7.0: (if using post-login banner) Requires FortiNAC 8.8.8 or greater. See KB article 193514 for details

  • FortiNAC version 9.2.4 and lower: enable tlsv1-2 in the FortiGate admin-https-ssl-versions setting. TLSv1.3 support was added in FortiNAC version 9.2.5 and greater.

  • SNMP community or account

  • Administrator account

    • Visibility only: System read access to all VDOMs

    • Control: System read/write access to all VDOMs

  • Syslog must be sourced from the IP address of the FortiGate device model in FortiNAC Inventory

  • IP address in FortiGate device model must be in the root or a VDOM that has full management access

  • VPN tunnel cannot be configured to use DHCP relay

  • Do not block port 8000 or 8013 between the FortiNAC eth0 and the FortiGate

  • Build and Validate Test Configuration: Before integrating a device with FortiNAC, set the device up to ensure that it is working correctly.

    • Create new VPN environment identical to production environment.

    • Confirm that hosts can connect to the device and access the network.
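To make the connectivity part of the test configuration repeatable, here is an added Python pre-check (example code, not Fortinet's) that encodes the TCP flows listed above, 4568 from the remote agent to FortiNAC eth0 (plus eth1 for control) and 8000/8013 between FortiNAC eth0 and the FortiGate, and probes them from whichever host it runs on. The `vantage` and `mode` parameters, the placeholder addresses and the assumption that 8000/8013 are probed from the FortiNAC side toward the FortiGate are mine, not the page's.

```python
"""Pre-integration TCP reachability check for the FortiNAC VPN flows.
Added example (not Fortinet code); addresses are caller-supplied placeholders."""
import socket

AGENT_PORT = 4568              # agent <-> FortiNAC, bi-directional
NAC_FGT_PORTS = (8000, 8013)   # must not be blocked between FortiNAC eth0 and FortiGate


def required_flows(vantage, mode, nac_eth0, nac_eth1, fortigate):
    """Return (label, host, port) tuples to probe from the given vantage point.

    vantage: "client" (run on a remote device) or "nac" (run on FortiNAC eth0).
    mode: "visibility" (agent reaches eth0 only) or "control" (eth0 and eth1).
    Assumption: 8000/8013 are probed from the FortiNAC side toward the FortiGate.
    """
    if mode not in ("visibility", "control"):
        raise ValueError("mode must be 'visibility' or 'control'")
    if vantage == "client":
        flows = [("agent -> FortiNAC eth0", nac_eth0, AGENT_PORT)]
        if mode == "control":
            flows.append(("agent -> FortiNAC eth1", nac_eth1, AGENT_PORT))
        return flows
    if vantage == "nac":
        return [("FortiNAC eth0 -> FortiGate", fortigate, p) for p in NAC_FGT_PORTS]
    raise ValueError("vantage must be 'client' or 'nac'")


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows, probe=tcp_reachable):
    """Probe every flow with `probe(host, port)`; return the flows that failed."""
    return [f for f in flows if not probe(f[1], f[2])]


if __name__ == "__main__":
    # Placeholder lab addresses (RFC 5737); replace with the test environment's.
    flows = required_flows("nac", "control", "192.0.2.10", "192.0.2.11", "192.0.2.1")
    for label, host, port in check_flows(flows):
        print(f"BLOCKED: {label} {host}:{port}")
```

Run it once on a remote test client (`vantage="client"`) and once on FortiNAC (`vantage="nac"`); an empty result from both is the reachability precondition for the integration.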

Considerations

  • Important: When SSL VPN Settings are applied via the FortiGate UI, all existing SSL VPN connections are disconnected, regardless of portal. Applying settings should be done during a Maintenance Window.

  • REST API users are disabled in FIPS-CC mode and must be enabled for the integration; however, the option to enable them is not available in all FortiOS versions.

  • Create a Fabric Connector for each VDOM to which FSSO should be sent.

  • Automated Captive Portal Detection: Devices that sense captive networks may trigger browsers during the initial connection. To avoid this, automated captive portal detection must be disabled for VPN connections in FortiNAC. Instructions are provided in the section Disable Captive Network Assistant.

  • Split Tunnels: Whether split tunnel (only certain traffic goes over the tunnel) or full tunnel (all traffic goes over the tunnel) is configured depends on the customer's requirements.

    • Full tunnel: Browser automatically redirects to the VPN portal.

    • Split tunnel:

      • Browser does not automatically redirect to the VPN portal.

      • If using the Dissolvable Agent (DA), it is recommended to disable split-tunneling. This ensures automatic browser redirect in order to download the agent.

    • FortiNAC validates the endstation after the tunnel is established. To do that, initial access is restricted; once the endstation is confirmed, the restriction is lifted. In full tunnel implementations, applications that were already running before the connection will be interrupted.

  • Windows machines: It is recommended to disable browser popups on managed machines. See Disable Windows Browser Popups in the Appendix.

  • Remote clients connecting to the network through a FortiNAC-managed VPN cannot be connected to a local network that is also being managed by FortiNAC within the same management domain.

  • FortiGate can only support one FSSO agent sending tags for a specific endpoint IP address. If there are multiple agents, the FortiGate entries will be overwritten when other FSSO agents send information for the same endpoint IP. Therefore, the following should be done prior to integration:

  • L3 High Availability Consideration (Primary and Secondary server’s VPN Interface reside on different subnets): As of this writing, the FortiGate Firewall only supports two entries for DNS. Consequently, VPN clients are unable to access the captive portal pages after an appliance failover.

    The workaround is to update the DNS server entry in the Firewall configuration from the Primary Server VPN interface IP address to the Secondary Server VPN interface IP address. This change must be reverted after control returns to the Primary Server.

    For information on the DNS configuration, refer to FortiGate documentation.
