7.2.0

Configure FortiNAC

  1. Create or modify Network Access Policy. A Network Access Policy match is required for the user-id to be sent to the Palo Alto.

    1. Navigate to Policy & Objects > User/Host Profiles.

    2. Create a User/Host Profile with the appropriate criteria to match.

    3. Click Network Access.

    4. Create a Logical Network or choose an existing one for the desired network to assign. For more details, refer to section Logical networks of the Administration Guide.

    5. Create a Network Access Configuration that references the Logical Network.

    6. Create a Network Access Policy that uses both the new User/Host Profile and the Network Access Configuration.

    7. Adjust the rank of the Network Access Policy as appropriate.

      For more details, refer to section Network Access Policies of the Administration Guide.

  2. Modify or create a device model for the firewall in the Topology view. The model must contain the IP address Palo Alto uses to receive and process SSO messages.

    In the Administration UI, navigate to Network > Inventory.

    Adding a Firewall Model

    1. Right-click the container to which the firewall should be added.

    2. Select Add Device.

    3. Input the IP, SNMP, and SSH information.

    4. Proceed to the Existing Firewall Models instructions below.

    Existing Firewall Models

    1. Locate the firewall model in the tree.

    2. Right-click the model and select Properties.

    3. Configure the fields as described below.

    SSO Agent Model Configuration

    Field Definitions - Palo Alto Networks User Agent

    Name
      Name of the device.

    Incoming Events
      Select Not Applicable (unless the model is already configured for Syslog).

    SSO Agent
      Select Palo Alto.

    XML API Port
      Port on the Palo Alto User Agent configured to receive messages from external devices. This port must match the XML API port configured on the Palo Alto User Agent.

    Domain Name
      Fully Qualified Domain Name of your network users' domain. It is sent together with the logged-in User ID to Palo Alto.

    Use Integrated Agent
      Palo Alto Integrated User-ID Agent: check this box.
      Windows User-ID Agent: leave unchecked.

    API Key
      Palo Alto Integrated User-ID Agent: the authorization key that allows a user to send user mapping data to the firewall. It can be retrieved from the firewall manually, or by providing the credentials of an administrator account on the firewall when prompted via the Retrieve button.
      Windows User-ID Agent: not applicable.

    Apply to Group (Optional)
      Select this check box to apply the Palo Alto SSO options only to the Host group selected in the drop-down list. If the check box is not selected, the SSO options are applied to all Host groups.

    Role (Optional)
      The Role for this device. Available roles appear in the drop-down list.

    Description (Optional)
      Description of the device entered by the Administrator.

    Note (Optional)
      User-specified notes about the device.

    Contact Status Polling (Optional)
      Enable or disable contact status polling for the selected device.

    Poll Interval (Optional)
      How often the device is polled for communication status. The time is stored in minutes.

    Click the Model Configuration tab.

    4. Locate the Logical Network by clicking the Add Configuration button.

    5. Add a firewall tag. Note that the tag is not sent to the firewall but is required in the FortiNAC configuration.

    6. Click Save.
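What the XML API Port, Domain Name and API Key fields feed is the firewall's User-ID XML API: the NAC posts a uid-message whose login entries carry a domain-qualified user name and the host IP, and the firewall accepts it because the key was generated from an administrator account. The Python below is an added illustration of that message and request format, not FortiNAC's own code (its internals are not shown on this page); the host, port, key and user values are constructed placeholders, and the function names build_uid_login, build_userid_request and parse_uid_login are chosen for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_uid_login(domain, username, ip, timeout_min=60):
    """Build a PAN-OS User-ID 'login' mapping: user -> IP, valid timeout_min minutes.

    domain corresponds to the FortiNAC 'Domain Name' field; the user is sent as
    domain\\user, which is the form the firewall matches against group mappings."""
    if not domain or not username:
        raise ValueError("domain and username are both required")
    ipaddress.ip_address(ip)  # reject anything that is not a valid IP literal
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    ET.SubElement(login, "entry",
                  name=f"{domain}\\{username}", ip=ip, timeout=str(int(timeout_min)))
    return ET.tostring(root, encoding="unicode")


def build_userid_request(fw_host, api_port, api_key, uid_xml):
    """Return (url, form_body) for POSTing the mapping to the firewall's XML API.

    api_port must equal the XML API port set on the Palo Alto side; api_key is
    the key stored in the FortiNAC model (a constructed placeholder here)."""
    if not 1 <= int(api_port) <= 65535:
        raise ValueError("api_port out of range")
    url = f"https://{fw_host}:{int(api_port)}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return url, body


def parse_uid_login(uid_xml):
    """Read the login entries back out of a uid-message as (name, ip, timeout)
    tuples; useful for checking what a NAC actually sent when mappings do not appear."""
    root = ET.fromstring(uid_xml)
    return [(e.get("name"), e.get("ip"), int(e.get("timeout")))
            for e in root.findall("./payload/login/entry")]


if __name__ == "__main__":
    # constructed sample values, not taken from any real deployment
    msg = build_uid_login("corp.example.com", "jdoe", "10.20.30.40", 30)
    url, body = build_userid_request("fw.example.com", 443, "PLACEHOLDER_API_KEY", msg)
    print(url)
    print(parse_uid_login(msg))
```

Because the API key inherits the rights of the administrator account it was generated from, generate it from an account whose admin role is limited to User-ID XML API access, so the credential stored in the FortiNAC model cannot do more than send mappings.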
