7.2.0

Control

FortiNAC Settings

Isolation Interfaces

Configure the eth1 VPN isolation interface using Configuration Wizard.

High Availability: If High Availability is configured, access Configuration Wizard on the Secondary Server and make the same modifications. This ensures the domain value and the additional scopes are added properly in the event of a failover.

  1. Launch the Configuration Wizard by opening a browser and navigating to:

    https://<FortiNAC IP Address or hostname>:8443/

  2. Navigate to System > Configuration Wizard.

  3. Under the Steps column, click Virtual Private Network.

  4. Click the checkbox for Virtual Private Network Interface eth1.

  5. Configure the eth1 interface using the table below.

    Virtual Private Network Interface eth1

    Interface IPv4 Address: IPv4 address for the VPN interface on eth1.
    Mask: VPN interface subnet mask (IPv4).
    IPv4 Gateway: Gateway IP address used by the VPN interface.
    Interface IPv6 Address (optional): IPv6 address for the VPN interface on eth1.
    Interface IPv6 Mask in CIDR notation (optional): Subnet IPv6 mask for the VLAN interface in CIDR notation format (e.g., 64).
    Interface IPv6 Gateway (optional): IPv6 gateway for the VLAN interface for eth1 when clients connect through this VLAN.

  6. Under Virtual Private Network Scopes, click Add.

  7. Configure using the table below.

    Label: Desired name for the VPN DHCP scope.

    Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These are reserved.

    Gateway: Default gateway for the client lease pool you are adding. Do not use the default gateway for eth1.

    Domain: Must match the domain value configured in the Palo Alto.

    NOTE:

    • FortiNAC only answers SRV queries from connecting agents sourced from this domain. If FortiNAC is managing multiple VPN scopes, they must all use the same domain. See DNS File Entry Descriptions in the Appendix for details.

    • OS X, iOS, and some Linux systems may have communication issues if a .local suffix is used.

    Mask: Subnet mask for the default gateway.

  8. Under Lease Pools, click Add.

  9. Enter the IP Addresses for Start and End of the lease pool range for the VPN scope defined in the FortiGate Address Object.

  10. Click Add to save.

  11. Click Apply.

  12. Repeat steps 10 to 13 for additional VPN scopes as needed.

  13. Click Summary when finished.

  14. Review the data on the Summary View to confirm the configured settings.

  15. Click Apply. The Configuration Wizard writes the data to the files on the appliances. This process may take several minutes to complete. When completed, the Results page appears.

  16. Review the Results. Errors are noted at the top of the Results page.

  17. Scroll down through the results and note errors or warnings. Make changes and apply them until a successful configuration is written.

    Example values:

    FortiNAC CA FQDN: Server01.Fortinet.com

    Eth0 (Management interface): 10.200.20.20

    Registration interface: 10.200.5.20

    Remediation interface: 10.200.5.21

    VPN interface: 10.200.5.22

    Eth1 GW: 10.200.5.1

    VPN DHCP range (SSL): 10.200.80.10 - 10.200.80.99

    VPN DHCP range (IPSec): 10.200.80.100 - 10.200.80.200

  18. After committing the changes in Configuration Wizard, run the command ifconfig in the FortiNAC CLI to identify the sub-interfaces assigned to the isolation networks. If the Control and Application Servers are separate, access the CLI of the Application Server.

    > ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 10.200.20.20 netmask 255.255.255.0 broadcast 10.200.20.255
    eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 10.200.5.20 netmask 255.255.255.0 broadcast 10.200.5.255
            inet6 fe80::20c:29ff:fe71:e423 prefixlen 64 scopeid 0x20<link>
            ether 00:0c:29:71:e4:23 txqueuelen 1000 (Ethernet)
    eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 10.200.5.21 netmask 255.255.255.0 broadcast 10.200.5.255
    eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 10.200.5.22 netmask 255.255.255.0 broadcast 10.200.5.255 << VPN
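The VPN scope and lease pool fields entered in steps 6 to 11 are easy to get wrong and the wizard only reports problems after writing the configuration. The following pre-flight check is an added example, not part of FortiNAC or this guide: it encodes the rules the steps above state (reserved label prefixes, a scope gateway that is not the eth1 gateway, and a lease pool that sits inside the scope gateway's subnet). The 10.200.x.x addresses are the guide's example values; the scope gateway 10.200.80.1, the mask and the label SSL_Clients are constructed for this example.

```shell
#!/bin/bash
# Added pre-flight checker for the VPN scope fields entered in steps 6 to 11 above.
# It is not part of FortiNAC or this guide; it only encodes the rules the guide states:
#   - a scope label must not begin with REG_, REM_, AUTH_, DE_, ISOL_, VPN_ or HUB_
#   - the scope gateway must not be the eth1 default gateway
#   - the lease pool must be an ordered start/end inside the scope gateway's subnet,
#     and the gateway itself must not sit inside the pool
# The 10.200.x.x values are the guide's example values; the scope gateway 10.200.80.1,
# the mask and the label below are constructed for this example.

# Dotted-quad IPv4 address to 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# label_ok LABEL: 0 if the label is allowed, 1 if it starts with a reserved prefix.
label_ok() {
    case "$1" in
        REG_*|REM_*|AUTH_*|DE_*|ISOL_*|VPN_*|HUB_*) return 1 ;;
        *) return 0 ;;
    esac
}

# scope_ok GATEWAY MASK START END ETH1_GATEWAY: 0 if the lease pool is consistent,
# otherwise 1 with the first failing rule on stderr.
scope_ok() {
    local gw=$1 mask=$2 start=$3 end=$4 eth1_gw=$5
    if [ "$gw" = "$eth1_gw" ]; then
        echo "scope gateway $gw is the eth1 default gateway" >&2; return 1
    fi
    local gwi mi si ei net
    gwi=$(ip2int "$gw"); mi=$(ip2int "$mask"); si=$(ip2int "$start"); ei=$(ip2int "$end")
    net=$(( gwi & mi ))
    if [ "$si" -gt "$ei" ]; then
        echo "lease pool start $start is after end $end" >&2; return 1
    fi
    if [ $(( si & mi )) -ne "$net" ] || [ $(( ei & mi )) -ne "$net" ]; then
        echo "lease pool $start-$end is outside the $gw/$mask subnet" >&2; return 1
    fi
    if [ "$gwi" -ge "$si" ] && [ "$gwi" -le "$ei" ]; then
        echo "scope gateway $gw lies inside the lease pool" >&2; return 1
    fi
    return 0
}

# check_scope LABEL GATEWAY MASK START END ETH1_GATEWAY: runs both checks.
check_scope() {
    label_ok "$1" || { echo "label '$1' begins with a reserved prefix" >&2; return 1; }
    scope_ok "$2" "$3" "$4" "$5" "$6"
}

# Guide example values (SSL VPN pool 10.200.80.10-10.200.80.99, eth1 gateway 10.200.5.1);
# label and scope gateway are constructed.
check_scope "SSL_Clients" 10.200.80.1 255.255.255.0 10.200.80.10 10.200.80.99 10.200.5.1 \
    && echo "scope SSL_Clients: OK"
```

Run it once per scope you intend to add, with the same values you will type into the wizard; a non-zero exit and the message on stderr tell you which rule the scope breaks before the wizard writes anything.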

Proceed to Policy Based Routes.

Policy Based Routes

Configure policy-based routing. Policy-based routing ensures traffic is transmitted out of the same interface on which it was received. This allows FortiNAC agents to communicate with FortiNAC through either the management interface (eth0) or the VPN sub-interface, depending on whether the endpoint is isolated or not.

Policy-based routing is configured on FortiNAC using the setupAdvancedRoute command, which is run from the FortiNAC CLI. This must be done on both the Primary and Secondary Servers in High Availability configurations. For details on policy-based routing and the script used for configuration, see Policy Based Routing in the Appendix.

Important: If High Availability is configured, execute the steps outlined in sections Isolation Interfaces and Policy Based Routes on the Secondary Server and make the same modifications. Otherwise, VPN will not work should a failover occur.

  1. Log in to the CLI of the FortiNAC server as root (the Application Server if the Control and Application Servers are separate).

  2. Run the script:

    Important: The following instructions presume the script has not yet been run. If the script has been run previously and you are modifying or adding an interface, see the Appendix for instructions.

    1. Type setupAdvancedRoute

    2. Type I to install

    3. Enter the gateway for each interface (eth0, eth1, etc.) as prompted.

  3. Once the script completes, verify the configuration. Type:

    ip rule show

    There should now be a rule listed for each interface and sub-interface configured:

    0:      from all lookup local
    10:     from <eth0 IP address> lookup eth0
    20:     from <eth1 IP address> lookup eth1
    30:     from <eth1:1 IP address> lookup eth1:1
    40:     from <eth1:2 IP address> lookup eth1:2
    32766:  from all main
    32767:  from all default

    Example:

    > ip rule show
    0:      from all lookup local
    10:     from 10.200.20.20 lookup eth0
    20:     from 10.200.5.20 lookup eth1
    30:     from 10.200.5.21 lookup eth1:1
    40:     from 10.200.5.22 lookup eth1:2
    32766:  from all main
    32767:  from all default

  4. Reboot appliance.
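Step 3 asks you to eyeball the ip rule show output against the interface list; when a sub-interface is missing a rule, its isolated clients silently lose the path back to FortiNAC. The following checker is an added example, not part of FortiNAC or this guide: it parses net-tools ifconfig output for every IPv4 address, then confirms a "from <address> lookup <interface>" rule exists for each one. The sample ifconfig and ip rule show text is copied from the guide's example output so the check runs offline; check_live assumes ifconfig and ip are present on the appliance, as the guide uses them.

```shell
#!/bin/bash
# Added verification helper for step 3 above; it is not part of FortiNAC or this guide.
# It checks that `ip rule show` lists a "from <address> lookup <interface>" rule for every
# IPv4 address that ifconfig reports, which is what a successful setupAdvancedRoute run
# leaves behind. The sample text below is copied from the guide's example ifconfig and
# ip rule show output so the check runs offline; check_live() feeds it real output instead.

# Guide's example ifconfig output (sample, embedded for offline use).
SAMPLE_IFCONFIG='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.20.20  netmask 255.255.255.0  broadcast 10.200.20.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.20  netmask 255.255.255.0  broadcast 10.200.5.255
        inet6 fe80::20c:29ff:fe71:e423  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:71:e4:23  txqueuelen 1000  (Ethernet)
eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.21  netmask 255.255.255.0  broadcast 10.200.5.255
eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.5.22  netmask 255.255.255.0  broadcast 10.200.5.255'

# Guide's example ip rule show output (sample, embedded for offline use).
SAMPLE_RULES='0:      from all lookup local
10:     from 10.200.20.20 lookup eth0
20:     from 10.200.5.20 lookup eth1
30:     from 10.200.5.21 lookup eth1:1
40:     from 10.200.5.22 lookup eth1:2
32766:  from all main
32767:  from all default'

# ifconfig_pairs IFCONFIG_TEXT: prints one "iface=ipv4" line per interface/sub-interface.
# Assumes the net-tools layout ("name: flags=..." headers, indented "inet <addr>" lines).
ifconfig_pairs() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z]/          { iface = $1; sub(/:$/, "", iface) }
        /^[[:space:]]*inet / { print iface "=" $2 }'
}

# has_rule IFACE IP RULES_TEXT: 0 if a "from IP lookup IFACE" rule is present.
has_rule() {
    local ip_re
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$3" | grep -Eq \
        "^[0-9]+:[[:space:]]+from[[:space:]]+${ip_re}[[:space:]]+lookup[[:space:]]+$1\$"
}

# missing_rules PAIRS RULES_TEXT: prints each iface=ip pair that has no policy rule;
# returns the number of missing rules (0 means every address is covered).
missing_rules() {
    local missing=0 pair
    for pair in $1; do
        if ! has_rule "${pair%%=*}" "${pair#*=}" "$2"; then
            echo "MISSING: no 'from ${pair#*=} lookup ${pair%%=*}' rule"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_live: run on the appliance after setupAdvancedRoute (assumes ifconfig and ip exist).
check_live() {
    missing_rules "$(ifconfig_pairs "$(ifconfig)")" "$(ip rule show)"
}

# Offline demonstration with the guide's sample output.
if missing_rules "$(ifconfig_pairs "$SAMPLE_IFCONFIG")" "$SAMPLE_RULES"; then
    echo "policy rules present for every interface address"
fi
```

On the appliance, call check_live before the reboot in step 4; a non-zero exit names each interface address that still lacks a rule, which is the case to re-run setupAdvancedRoute for (see the Appendix) rather than proceed.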

System Defined Uplink Count

Ensure the System Defined Uplink Count value is larger than the maximum number of VPN clients that could be online at the same time. Otherwise, the VPN virtual port in FortiNAC could be changed to an uplink. All clients would then be marked as offline and the FSSO tags removed, affecting network access. For details on setting this value, see System Defined Uplink Count in section Network device of the Administration Guide.

Authentication Server Settings

Before network access is permitted, rogue hosts connecting to the VPN must register with FortiNAC via the captive portal or Persistent Agent. If you do not want to register unknown hosts connecting to the VPN, skip this step.

Configure FortiNAC to authenticate using either a RADIUS server or LDAP directory. Refer to the Administration Guide sections listed below for instructions. Depending upon the deployment, these components may already be configured.

  1. Define which authentication server type will be used (LDAP or RADIUS). See Portal configuration - Configure authentication credentials.

  2. Configure the settings for the authentication server. Refer to the appropriate section:

    Configure RADIUS settings

    Directory configuration
