7.2.0

Overview

The information in this document provides guidance for configuring FortiAnalyzer to integrate with FortiNAC. This document details the items that must be configured.

What it Does

FortiAnalyzer is a platform providing Centralized Logging, Analysis, and Reporting. This provides the following benefits:

  • Delivers increased knowledge of security events throughout the network

  • Minimizes the effort required to scrutinize and maintain policies

  • Minimizes the effort required to identify attack patterns to help fine-tune organizational policies

Default templates are available for report generation:

  • CTAP FortiNAC Version

  • Endpoint Distribution by Vendor (example below)

  • Endpoint Distribution by Location and Type

  • Endpoint Distribution by Type and Operating System

  • Endpoint Inventory Details

  • Network Inventory Details

  • Consolidated FortiNAC Endpoints Reports

  • Network Inventory Summary

  • Total number of Rogue and Registered Endpoints (example below)

  • Consolidated FortiNAC Network Report (example below)

How it Works

FortiNAC sends the following information to FortiAnalyzer over TCP port 514 in order to build reports:

  • Events

  • Alarms

  • Endpoint data

  • Network infrastructure data

Note: In earlier FortiAnalyzer versions, the FortiNAC templates must be downloaded from the Document Library and imported. For details, see Report Templates.

Requirements

• FortiNAC license key containing certificates. Older appliances may not have this type of key. If keys were installed prior to January 1st 2020, a new key must be downloaded from FortiCare (https://support.fortinet.com/). See KB article 192245 to verify.

• Allow TCP 514 traffic between FortiNAC and FortiAnalyzer.

Supported versions

Model / SKU                          | FortiNAC Version | Minimum FortiAnalyzer Version
-------------------------------------|------------------|------------------------------
FortiNAC-F VM (CentOS-based VMs)     | F7.2             | 7.2.4
FortiNAC-VM-ESXI / FNC-CAX-VM        | F7.2             | 7.4.2
FortiNAC-MX-VM / FNC-MX-VM           | F7.2             | 7.4.2
FortiNAC-CA-500F / FNC-CA-500F       | F7.2             | 7.4.2
FortiNAC-CA-600F / FNC-CA-600F       | F7.2             | 7.4.2
FortiNAC-CA-700F / FNC-CA-700F       | F7.2             | 7.4.2
FortiNAC-M-550F / FNC-M-550F         | F7.2             | 7.4.2

Reference FortiAnalyzer Release Notes:

https://docs.fortinet.com/document/fortianalyzer/7.2.4/release-notes/572813/fortinac-models

https://docs.fortinet.com/document/fortianalyzer/7.4.2/release-notes/572813/fortinac-models

FortiAnalyzer Sizing Guidelines

The amount of resources the FortiAnalyzer requires is dependent upon the following factors:

  • How much log data FortiNAC is expected to produce per day

  • How long FortiNAC logs are archived

Use the following guidelines to determine the required sizing. Each column group is broken down by logging aggressiveness (Low / Med / High):

Network Size | LPS (Logs per second) | Archive Storage Requirements (GB) | Analytic Storage Requirements (GB)
             | Low  | Med  | High    | Low  | Med  | High                | Low  | Med  | High
-------------|------|------|---------|------|------|---------------------|------|------|------
Small        | 0.1  | 0.5  | 1.5     | 0    | 1    | 2                   | 0    | 0    | 1
Medium       | 0.5  | 2.5  | 7.5     | 1    | 4    | 11                  | 0    | 2    | 7
Large        | 1    | 5    | 15      | 1    | 7    | 22                  | 1    | 5    | 14
Global       | 5    | 25   | 75      | 7    | 37   | 110                 | 5    | 24   | 72

Logging aggressiveness is controlled in FortiNAC under Logs > Events.

Archive period: 365 days at 50 bytes per log

Analytic period: 30 days at 400 bytes per log
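The following Python is an added example, not code from the Fortinet document: it reproduces the sizing table from the stated LPS values, retention periods and per-log sizes, and adds the inverse check (how many days a given disk budget holds). It assumes the storage figures are GiB (2^30 bytes) rounded to the nearest whole unit, which is not stated on the page but matches every cell of the table.

```python
# Added example: reproduce the FortiAnalyzer sizing table for FortiNAC logs.
# Assumption (not stated on the page): storage figures are GiB (2**30 bytes)
# rounded to the nearest whole unit. Retention periods and per-log sizes are
# taken from the page: archive 365 days at 50 bytes/log, analytics 30 days
# at 400 bytes/log.

SECONDS_PER_DAY = 86_400
GIB = 2 ** 30

# Retention period (days) and stored size per log (bytes), from the page.
ARCHIVE = {"days": 365, "bytes_per_log": 50}
ANALYTIC = {"days": 30, "bytes_per_log": 400}

# Logs-per-second guidance by network size and logging aggressiveness (from the page).
LPS = {
    "Small": {"low": 0.1, "med": 0.5, "high": 1.5},
    "Medium": {"low": 0.5, "med": 2.5, "high": 7.5},
    "Large": {"low": 1, "med": 5, "high": 15},
    "Global": {"low": 5, "med": 25, "high": 75},
}


def storage_gib(lps: float, days: int, bytes_per_log: int) -> int:
    """Whole GiB needed to retain `lps` logs/second for `days` days."""
    total_bytes = lps * SECONDS_PER_DAY * days * bytes_per_log
    return round(total_bytes / GIB)


def sizing_row(network_size: str) -> dict:
    """Archive and analytic GiB for each aggressiveness level of one network size."""
    row = {}
    for level, lps in LPS[network_size].items():
        row[level] = {
            "lps": lps,
            "archive_gib": storage_gib(lps, ARCHIVE["days"], ARCHIVE["bytes_per_log"]),
            "analytic_gib": storage_gib(lps, ANALYTIC["days"], ANALYTIC["bytes_per_log"]),
        }
    return row


def retention_days(lps: float, budget_gib: int, bytes_per_log: int) -> int:
    """Inverse check: whole days of logs a GiB budget holds at this rate and log size."""
    per_day = lps * SECONDS_PER_DAY * bytes_per_log
    return int(budget_gib * GIB // per_day)


if __name__ == "__main__":
    for size in LPS:
        print(size, sizing_row(size))
```

Running the block prints one row per network size; the archive and analytic columns match the table above, so the same functions can be used to size a deployment whose LPS falls between the published tiers.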
