Configure FortiNAC

- Create or modify a Network Access Policy. A Network Access Policy match is required for the user ID to be sent to the Palo Alto firewall.
  - Navigate to Policy & Objects > User/Host Profiles.
  - Create a User/Host Profile with the appropriate criteria to match.
  - Click Network Access.
  - Create a Logical Network or choose an existing one for the desired network to assign. For more details, refer to section Logical networks of the Administration Guide.
  - Create a Network Access Configuration that references the Logical Network.
  - Create a Network Access Policy that uses both the new User/Host Profile and the Network Access Configuration.
  - Adjust the rank of the Network Access Policy as appropriate. For more details, refer to section Network Access Policies of the Administration Guide.
- Modify or create a device model for the firewall in the Topology view. The model must contain the IP address Palo Alto uses to receive and process SSO messages. In the Administration UI, navigate to Network > Inventory.

Adding a Firewall Model

- Right-click the container to which the firewall should be added.
- Select Add Device.
- Input the IP, SNMP, and SSH information.
- Proceed to the Existing Firewall Models instructions below.

Existing Firewall Models

- Locate the firewall model in the tree.
- Right-click the model and select Properties.
- Configure the model using the table below.
SSO Agent Model Configuration

Field Definitions - Palo Alto Networks User Agent

| Field | Definition |
|---|---|
| Name | Name of the device. |
| Incoming Events | Select Not Applicable (unless the model is already configured for Syslog). |
| SSO Agent | Select Palo Alto. |
| XML API Port | Port on the Palo Alto User Agent configured to receive messages from external devices. This port must match the XML API port configured on the Palo Alto User Agent. |
| Domain Name | Fully Qualified Domain Name for your network users' domain. This is sent with the logged-in User ID to Palo Alto. |
| Use Integrated Agent | Palo Alto Integrated User-ID Agent: check this box. Windows User-ID Agent: leave unchecked. |
| API Key | Palo Alto Integrated User-ID Agent: the authorization key that allows a user to send user mapping data to the firewall. It can be retrieved from the firewall manually, or by providing the credentials for an administrator account on the firewall when prompted via the Retrieve button. Windows User-ID Agent: not applicable. |
| Apply to Group (Optional) | Select this check box to apply the Palo Alto SSO options only to the Host group selected in the drop-down list. If you do not select the check box, the SSO options are applied to all Host groups. |
| Role (Optional) | The Role for this device. Available roles appear in the drop-down list. |
| Description (Optional) | Description of the device entered by the Administrator. |
| Note (Optional) | User-specified notes about the device. |
| Contact Status Polling (Optional) | Enable or disable contact status polling for the selected device. |
| Poll Interval (Optional) | Determines how often the device should be polled for communication status. Time is stored in minutes. |
- Click the Model Configuration tab.
- Locate the Logical Network by clicking the Add Configuration button.
- Add a firewall tag. Note that the tag is not sent to the firewall but is required in the FortiNAC configuration.
- Click Save.
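As an added example (not FortiNAC's or Palo Alto's own code), the following Python checks a model against the rules in the field table above (port range, FQDN domain, API Key required only with the Integrated User-ID Agent) and shows the User-ID login mapping one host would produce; the class, field names, sample port, key and addresses are constructed assumptions, and the uid-message layout follows Palo Alto's public User-ID XML API rather than anything this page shows.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

@dataclass
class PaloAltoSsoModel:
    """Hypothetical holder for the SSO Agent Model Configuration fields above."""
    name: str
    xml_api_port: int
    domain_name: str
    use_integrated_agent: bool
    api_key: str = ""

# A fully qualified name needs at least one dot and RFC-sized labels.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$", re.I)

def validate(model: PaloAltoSsoModel) -> list[str]:
    """Return the table rules this model breaks; an empty list means it passes."""
    problems = []
    if not model.name:
        problems.append("Name is required")
    if not 1 <= model.xml_api_port <= 65535:
        problems.append("XML API Port must be a valid TCP port matching the User Agent")
    if not FQDN_RE.match(model.domain_name):
        problems.append("Domain Name must be a fully qualified domain name")
    if model.use_integrated_agent and not model.api_key:
        problems.append("API Key is required with the Integrated User-ID Agent")
    if not model.use_integrated_agent and model.api_key:
        problems.append("API Key is not applicable with the Windows User-ID Agent")
    return problems

def user_id_login_message(model: PaloAltoSsoModel, user: str, ip: str) -> str:
    """Build a User-ID XML API 'login' update for one host. The domain\\user
    form and the uid-message layout follow Palo Alto's public XML API; that
    FortiNAC emits exactly this is an assumption, not stated on the page."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    ET.SubElement(login, "entry", name=f"{model.domain_name}\\{user}", ip=ip)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    model = PaloAltoSsoModel("pa-fw-1", 5007, "corp.example.com", True, "PLACEHOLDER-API-KEY")
    print(validate(model))  # []
    print(user_id_login_message(model, "jdoe", "10.20.30.40"))
```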