Considerations

- Includes Multiple VDOM/Split-Task VDOM support.
- Includes FOS 7.2/7.3 support.
- FortiNAC will frequently poll the FortiGate for L3 information. For details, see the Appendix.
- FortiGate can only support one FSSO agent sending tags for a specific endpoint IP address. If there are multiple agents, the FortiGate entries will be overwritten when other FSSO agents send information for the same endpoint IP. Therefore, the following should be done prior to integration:
  - Identify any other FSSO agents that provide logon information for the same endpoints FortiNAC would be managing through the FortiGate. For additional information, see the section Agent-based FSSO in the FortiOS 6.0.0 Handbook:
    https://docs2.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso
  - For those agents, logon events must be blocked. See the related KB article: Excluding IP addresses from SSO logon events
  - Develop a plan to make the appropriate modifications to existing firewall policies to accommodate FortiNAC as the SSO agent for the managed endpoint IP address scope.
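The planning step above (finding other FSSO agents whose endpoint scope overlaps the FortiNAC-managed scope, so their logon events for those IPs can be excluded) can be checked mechanically before touching the FortiGate. The script below is an added example, not Fortinet or FortiNAC code; the agent names and IP prefixes are constructed, and the "scope" of each agent is assumed to be expressible as a list of CIDR prefixes that you collect from each collector's configuration.

```python
"""Find overlaps between the FortiNAC-managed endpoint scope and the scopes of
other FSSO agents, and turn them into a per-agent exclusion plan.

Added example; not part of the Fortinet documentation. Agent names and
prefixes are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_scope(prefixes: Iterable[str]) -> List[Net]:
    """Parse CIDR strings; strict=False tolerates host bits set (e.g. 10.1.2.3/24)."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def find_conflicts(fortinac_scope: List[Net],
                   other_agents: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (agent, agent_prefix, fortinac_prefix) for every overlapping pair.

    An overlap means both agents may send FSSO tags for the same endpoint IP,
    which is exactly the case the FortiGate cannot reconcile: the later
    sender overwrites the earlier entry.
    """
    conflicts = []
    for agent, prefixes in other_agents.items():
        for ap in parse_scope(prefixes):
            for fp in fortinac_scope:
                if ap.version == fp.version and ap.overlaps(fp):
                    conflicts.append((agent, str(ap), str(fp)))
    return conflicts


def exclusion_plan(conflicts: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Per agent, list the address ranges whose logon events must be blocked.

    For CIDR prefixes, overlap implies one prefix contains the other, so the
    shared range is simply the narrower of the two.
    """
    plan: Dict[str, List[str]] = {}
    for agent, ap, fp in conflicts:
        a, f = ipaddress.ip_network(ap), ipaddress.ip_network(fp)
        shared = a if a.subnet_of(f) else f
        ranges = plan.setdefault(agent, [])
        if str(shared) not in ranges:
            ranges.append(str(shared))
    for agent in plan:
        plan[agent].sort()
    return plan


# Constructed sample data: the scope FortiNAC will manage through the FortiGate,
# and the scopes already reported by other FSSO collectors in the environment.
FORTINAC_SCOPE = parse_scope(["10.10.0.0/16", "10.20.5.0/24"])
OTHER_AGENTS = {
    "fsso-collector-dc1": ["10.10.5.0/24", "192.168.1.0/24"],
    "fsso-collector-dc2": ["10.30.0.0/16"],
    "fsso-vpn": ["10.20.0.0/16"],
}


def sample_plan() -> Dict[str, List[str]]:
    return exclusion_plan(find_conflicts(FORTINAC_SCOPE, OTHER_AGENTS))


if __name__ == "__main__":
    for agent, ranges in sample_plan().items():
        print(f"{agent}: exclude logon events for {', '.join(ranges)}")
```

The output is the list of ranges to feed into each agent's logon exclusion (the KB article referenced above), and equally the set of firewall policies to review, since those are the policies that will start matching on FortiNAC-supplied tags instead.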
- Fabric connector connections and firewall policies can be configured at the FortiGate or the FortiManager. For the purposes of this document, a single FortiGate integration is being configured.
- The FortiGate will remove all of the applicable SSO logins when a Collector Agent (FortiNAC) has been disconnected for 300 seconds (5 minutes). This 5-minute period is hard-coded internally on the FortiGate and is not configurable.