7.2.0

Validate Control
  1. Open two CLI windows to FortiNAC (login as root).

  2. In one window, enable debug and begin packet capture.

    CentOS:

    nacdebug -name RemoteAccess true

    nacdebug -name PaloAlto true

    tf /bsc/campusMgr/master_loader/output.master | grep -i "<client MAC address>"

    Example:

    tf output.master | grep -i "00:21:70:D1:92:77"

    FortiNAC-OS:

    diagnose debug plugin enable RemoteAccess

    diagnose debug plugin enable PaloAlto

    execute enter-shell

    tf /bsc/campusMgr/master_loader/output.master | grep -i "<client MAC address>"

    Example:

    tf output.master | grep -i "00:21:70:D1:92:77"

  3. Connect the VPN client and establish the tunnel.

  4. Once the VPN tunnel is established, type the following in the other window:

    CentOS:

    RemoteAccess -remoteIP <client VPN IP>

    Example:

    > RemoteAccess -remoteIP 172.16.196.10


    FortiNAC-OS:

    execute enter-shell

    RemoteAccess -remoteIP <client VPN IP>

    Example:

    > RemoteAccess -remoteIP 172.16.196.10

    Working example output:

    IP Address = 172.16.196.10 ← client VPN IP (collected from syslog)

    MAC Address = 24:77:03:07:E6:18 ← client MAC address (collected from agent)

    Device Id = 6965

    Interface Id = 6985

    User Name = test ← user ID (collected from syslog)

    Session Id = -44718900

    Time Captured = Thu Nov 11 14:01:34 EST 2021

    InetAddress = null

If MAC Address is missing, see KB article MAC address not detected over VPN for troubleshooting instructions.

  5. Review the output in the first window to confirm tags are sent to the Palo Alto.

    Example:

    Client VPN IP: 172.16.196.10

    Client MAC address = 24:77:03:07:E6:18

    Firewall Tags = VPN-Authorized

    yams.SSOManager FINER :: 2021-11-11 15:50:08:801 :: SSOManager.remMessageFromQueue message removed UserIDMessage[logon, mac=24:77:03:07:E6:18, ip=172.16.196.10, user=test, tags=[VPN-Authorized]] for key 24:77:03:07:E6:18

    If either the wrong tags or no tags were sent, see KB article Troubleshooting network access for Palo Alto VPN.

In the Palo Alto, verify the client has the appropriate policy applied and the host is granted access to the appropriate networks.
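As a worked aid to steps 4 and 5, the following Python script is added here; it is not part of FortiNAC or of this document. It parses the RemoteAccess -remoteIP output and the SSOManager debug lines captured above and reports the same conditions the procedure tells you to check: a missing MAC address, no logon message for the client, and wrong or missing tags. The sample RemoteAccess output and the logon debug line are built from the page's example values; the earlier logoff line, the chronological-order assumption and the expected-tag list are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the "RemoteAccess -remoteIP 172.16.196.10" output from the
# page, without the arrow annotations (they are not part of the real output).
REMOTE_ACCESS_OUTPUT = """\
IP Address = 172.16.196.10
MAC Address = 24:77:03:07:E6:18
Device Id = 6965
Interface Id = 6985
User Name = test
Session Id = -44718900
Time Captured = Thu Nov 11 14:01:34 EST 2021
InetAddress = null
"""

# Constructed sample: output.master lines after grepping for the client MAC.
# The second line is the page's example logon; the first is an assumed earlier
# logoff for the same MAC that the check must not mistake for the current session.
DEBUG_LINES = [
    "yams.SSOManager FINER :: 2021-11-11 15:49:02:117 :: SSOManager.remMessageFromQueue "
    "message removed UserIDMessage[logoff, mac=24:77:03:07:E6:18, ip=172.16.196.9, "
    "user=test, tags=[]] for key 24:77:03:07:E6:18",
    "yams.SSOManager FINER :: 2021-11-11 15:50:08:801 :: SSOManager.remMessageFromQueue "
    "message removed UserIDMessage[logon, mac=24:77:03:07:E6:18, ip=172.16.196.10, "
    "user=test, tags=[VPN-Authorized]] for key 24:77:03:07:E6:18",
]

# Shape of the UserIDMessage[...] record as printed in the page's debug line.
USERID_RE = re.compile(
    r"UserIDMessage\[(?P<kind>\w+), mac=(?P<mac>[0-9A-Fa-f:]{17}), "
    r"ip=(?P<ip>[0-9.]+), user=(?P<user>[^,\]]*), tags=\[(?P<tags>[^\]]*)\]\]"
)


@dataclass
class UserIDMessage:
    kind: str          # "logon" or "logoff"
    mac: str
    ip: str
    user: str
    tags: List[str]


def parse_remote_access(text: str) -> Dict[str, Optional[str]]:
    """Turn the 'Key = Value' lines of RemoteAccess output into a dict; 'null' becomes None."""
    fields: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, value = line.split(" = ", 1)
        value = value.strip()
        fields[key.strip()] = None if value == "null" else value
    return fields


def parse_userid_messages(lines: List[str]) -> List[UserIDMessage]:
    """Extract every UserIDMessage[...] the SSOManager logged in the captured lines."""
    messages: List[UserIDMessage] = []
    for line in lines:
        m = USERID_RE.search(line)
        if m:
            tags = [t.strip() for t in m.group("tags").split(",") if t.strip()]
            messages.append(UserIDMessage(m.group("kind"), m.group("mac").upper(),
                                          m.group("ip"), m.group("user"), tags))
    return messages


def validate_control(remote_access_text: str, debug_lines: List[str],
                     expected_tags: List[str]) -> List[str]:
    """Return findings for the checks in steps 4 and 5; an empty list means the control validated."""
    ra = parse_remote_access(remote_access_text)
    mac, ip, user = ra.get("MAC Address"), ra.get("IP Address"), ra.get("User Name")
    if not mac:
        return ["MAC Address missing (see KB: MAC address not detected over VPN)"]
    mac = mac.upper()
    logons = [m for m in parse_userid_messages(debug_lines) if m.kind == "logon" and m.mac == mac]
    if not logons:
        return [f"no logon UserIDMessage sent to the Palo Alto for {mac}"]
    latest = logons[-1]  # assumes the capture is chronological: last logon = current session
    findings: List[str] = []
    if latest.ip != ip:
        findings.append(f"IP mismatch: RemoteAccess {ip} vs UserIDMessage {latest.ip}")
    if latest.user != user:
        findings.append(f"user mismatch: RemoteAccess {user} vs UserIDMessage {latest.user}")
    if not latest.tags:
        findings.append("no tags sent (see KB: Troubleshooting network access for Palo Alto VPN)")
    elif set(latest.tags) != set(expected_tags):
        findings.append(f"wrong tags sent: {latest.tags} (expected {expected_tags})")
    return findings


if __name__ == "__main__":
    # Paste real RemoteAccess output and grepped output.master lines in place of the samples.
    print(validate_control(REMOTE_ACCESS_OUTPUT, DEBUG_LINES, ["VPN-Authorized"]) or "control validated")
```

The script only reads text you have already captured in the two CLI windows; replace the constructed samples with the real RemoteAccess output and the grepped output.master lines, and set the expected tag list to the tag your Palo Alto policy keys on.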