
FortiNAC POC

A Guide to POC Success

David Ryan – Regional Sales Manager


[email protected]

Jeffrey Reed- FortiNAC Sales Engineer


[email protected]

1
FortiNAC Proof Of Concept – Customer Requirements

Getting Prepared – Customer Requirements

Virtual Machine Config
•4vCPU – 12G of RAM – 100G disk space (we can load thin/dynamic except Azure)
•Two Ethernet Interfaces (included with basic machine image)
•Password Manager to save your FortiNAC password changes!!
•LDAP Service Account that has BIND access to the directory (admin not needed)

Visibility for Wired Networks and Most Wireless LAN Controllers
•SNMP Read-Only access & SSH Access for Layer2/3 devices & WLC
•Optional: SNMP MAC Traps sent to FortiNAC (can configure after first session)
•Optional: Send DHCP Requests to FortiNAC's ETH0 (FortiNAC only listens: no scopes, no answers)
•Meraki API Key for Meraki Switches

Control For Wired Networks
•SNMP R/W Access & SSH Access for Layer2/3 devices
•SNMP MAC Traps sent to FortiNAC (or we can manually poll L2 Switches)
•At least two VLANs on the switch for Role Based changes
•Wired Device connected to switch for testing

Control For Wireless Networks
•Test SSID that is exclusive to FortiNAC testing
•At least two VLANs on the switch/WLC for Role Based changes
•Wireless Device able to see test SSID

Time Saving Tips
1. FortiNAC's eth0 IP Address needs to have access to the network devices. Much time has been wasted on POC calls fixing ACLs and Firewall policies to allow PING, SNMP, SSH and HTTPS access to various firewalls, routers, switches and wireless systems. Please be prepared!
2. FortiNAC needs management access to the network devices. Most of the time that is R/W SNMP and full SSH access. Without it we usually do not have a successful POC.
3. We need a service account (SVC-Account) for LDAP access. It does not have to be an administrator account. If you use your personal account and your password gets changed, LDAP look-up breaks.
4. There are four sets of credentials associated with FortiNAC. DO NOT FORGET PASSWORDS!
   1. configWizard
   2. CLI admin
   3. CLI root
   4. GUI root

Email me with questions along the way. Screen shots are helpful

2
FortiNAC Proof Of Concept Steps

Prior to First Online Session Customer Will:

VM Install
•Appliance Import/Install to Hypervisor
•Configure Linux VM via Hypervisor Console
•Register FortiNAC Evaluation License
•License the system
•Run through configWizard as directed
•Test CLI

FortiNAC Basics
•Add Authentication – LDAP (Active Directory) Integration
•Add Sys Admins Using AD credentials
•Configure Email
•Review Backups

Prepare for Visibility Session
•Create your Network Topology
•Add as many network devices as possible

Email me with questions along the way. Screen shots are helpful.

Many features that seem simple require ample discussion, planning and configuration that are normally completed by the FortiNAC installation engineers. In order to keep our POC focused and successful we try to stay on track with specific features and scope.

We have many reference accounts that will talk to you about their production usage of FortiNAC to make sure you understand how advanced features work in a similar environment.

POC FAQs
Q. After the POC, is my FortiNAC fully installed?
A. Absolutely not. The POC is aimed at showing specific features and we do not perform a full installation.

Q. Can I give you access to my network and let you work unattended?
A. Absolutely not. In addition to the testing of certain functions, this is also a knowledge transfer opportunity. I will not do the driving for a POC, just the navigating.

Q. If I check the box to POC every single feature, will you?
A. Probably not. The intent is to show you some great value but it's not aimed at having a fully functional system. We have customer references that can show you a fully functional system.

Q. Can I use my POC for a full production test?
A. See Q #1, this is not a fully functional system. But sure, if you want to put a partially installed system with minimal support into production, that is an option.

3
FortiNAC Proof Of Concept Reference Guides
There are many sources of documents for FortiNAC. This guide is focused on the steps required to get a POC started. Here are a
few links that will be useful throughout the POC and possibly after the product is purchased and installed.
 
Latest Documents (search the “Search in FortiNAC”)
https://docs.fortinet.com/product/fortinac/8.8
 
Hardware and VM Install Guides
https://docs.fortinet.com/document/fortinac/8.8.0/hardware-and-vm-install-guides
 
Deployment Guide
https://docs.fortinet.com/document/fortinac/8.8.0/deployment-guide
 
Fortinet Knowledge Base (scroll down left side, pick FortiNAC)
https://kb.fortinet.com/kb/microsites/microsite.do
 
Subscribe: 
FortiNAC With Greg Genta
https://www.youtube.com/channel/UCjGRWVFUxNsY6Xfq4YN1GLw
 
Jeff Reed's Network Access Videos
https://www.youtube.com/channel/UCATKZBUODzUwduI1yJDF71w

4
FortiNAC POC Customer Requirements (basic)
Virtual Machine Config
•4vCPU – 8G-12G of RAM – 100G disk space (we can load thin/dynamic except Azure)
•Two Ethernet Interfaces (included with basic machine image)
•Password Manager to save your FortiNAC password changes!!
•LDAP Service Account that has BIND access to the directory

Visibility for Wired Networks and Most Wireless LAN Controllers


•SNMP Read-Only access & SSH Access for Layer2/3 devices & WLC
•Optional: SNMP MAC Traps sent to FortiNAC (can configure after first session)
Control For Wired Networks
•SNMP R/W Access & SSH Access for Layer2/3 devices
•SNMP MAC Traps sent to FortiNAC (or we can manually poll L2 Switches)
•At least two VLANs on the switch for Role Based changes
•Wired Device connected to switch for testing
Control For Wireless Networks
•Test SSID that is exclusive to FortiNAC testing
•At least two VLANs on the switch/WLC for Role Based changes
•Wireless Device able to see test SSID

5
FortiNAC POC
VM Appliance Installation

Greg Genta’s video describes how to set up the FortiNAC OVA Appliance for VMware.
https://www.youtube.com/watch?v=aoyf6N05iIU

FortiNAC install guide for all appliance types (AWS, Azure, Hyper-V, KVM, VMware and HW)
https://docs.fortinet.com/product/fortinac/hardware

6
FortiNAC Control and Application VM Download
FortiNAC VM Image Download
Please log into https://support.fortinet.com/ to download the Virtual
Appliance image.
- Mouse over "Download" (do not click "Download")
- Go to "Firmware Images"
- Select Product: FortiNac from the drop down list
- Select the Download tab
- Navigate to the 8.7 or 8.8 folder, select the newest (highest) revision
- Your FortiNAC SE will guide you on the best version for your POC
- Download the proper image version (OVA, VHD, AWS etc) for your hypervisor

Should you have any questions, or require further assistance, please contact Jeff Reed [email protected]

7
FortiNAC Appliance Import to Hypervisor
FortiNAC is supported in AWS, Azure and on VMware, Hyper-V and KVM hypervisors.

Resource requirements for POC:
•4 vCPU
•8G RAM
•100G image (load thin or dynamic where possible)

**Production Sizing**
Network Size    Target Environment   vCPU   Memory    Disk
Up to 2,000     Small                4      12G-16G   100G
Up to 10,000    Medium               6      16G-24G   100G
Up to 15,000    Large                8      24G-32G   100G
Up to 25,000    X-Large              14     32G-96G   100G

8
FortiNAC POC: Configure Linux VM
Configure Base VM
•Start Guest VM, go to CLI console
•Login to the FortiNAC CLI using the following:
  • User name = admin   Password = admin
•Apply an IP address to eth0 to use as the management IP
  • To set the IP address, type the following:
  • sudo configIP <ip addr> <mask> <default gateway>
  • Example: sudo configIP 192.168.5.244 255.255.255.0 192.168.5.1
•The system runs a script for several seconds while the interfaces are written into the FortiNAC config file
•To confirm that the IP address for eth0 has been set correctly:
  • ip addr show
  • PING the Gateway IP Address to verify

FortiNAC CLI Basics
•All FortiNAC programs are under the /bsc directory
•CampusManager = original product name
•YAMS = Yet Another Management System
•Tomcat = admin interface

Did You Know? Mike Gadoury lived in Bradford NH and started Bradford Software Consulting (hence the /bsc).

9
FortiNAC Azure Notes

This example assumes you are deploying FNAC to an existing VNET with an existing Subnet. Also, the fixed-size disk must be uploaded to your Azure Blob Storage Account and be available. If that is not the case, please create those objects before running this script. Update the parameters with real world values.

NOTE: the script below uses the cross-platform Azure CLI (az) with PowerShell variables. If you script with PowerShell cmdlets instead, use the Az module in lieu of the legacy AzureRM module:
https://azure.microsoft.com/en-us/blog/azure-powershell-cross-platform-az-module-replacing-azurerm/

You can download a standard Hyper-V FortiNAC image from the download directory and convert it to a fixed-size disk using QEMU as described here:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/3c52cb13-d573-11e9-8977-00505692583a/FortiNAC-8.6.0-Azure_Deployment_Guide.pdf

Or

Download the Azure fixed-disk image, fortinac-8.6.0.320-FIXED.vhd.zip, from this link:
https://fortinet.egnyte.com/dl/yWbQLKwThT/fortinac-8.6.0.320-FIXED.vhd.zip_
Password: FortiNAC!

Un-zip the download and load it into your Azure Blob. Follow the example script below.

Skip to page 10 of this guide.

Example script (PowerShell with the Azure CLI installed):

    #SET PARAMETERS - MODIFY THESE VALUES TO MATCH YOUR ENVIRONMENT
    $mySubscrip = "9acc4558-b556-5558-9a54-b46d555906ae4"
    $myRG = "RG_FNAC"
    $myLoc = "eastus"
    $myVNET = "VNET_FNA"
    $pathToFixedSizeDiskBlob = "https://fstorage.blob.core.windows.net/mydisks/fortinac-8.6.0.320_fixed.vhd"
    $nacSubnet = "SUBNET_FNAC"
    $nacVMName = "VM_FNAC"
    $nacDiskName = "DISK_FNAC-LAB-01-OS"

    #SELECT THE SUBSCRIPTION AND SET DEFAULTS SO LATER COMMANDS NEED NO --location/--resource-group
    az account set --subscription $mySubscrip
    az configure --defaults location=$myLoc group=$myRG

    #CREATE RESOURCE GROUP FOR FNAC
    az group create --name $myRG

    #CREATE MANAGED OS DISK FOR FNAC FROM THE UPLOADED FIXED-SIZE VHD
    az disk create --name $nacDiskName --source $pathToFixedSizeDiskBlob

    #DEPLOY VM FOR FNAC, BOOTING FROM THE IMPORTED DISK ON THE EXISTING VNET/SUBNET
    az vm create --name $nacVMName --os-type linux --attach-os-disk $nacDiskName --vnet-name $myVNET --subnet $nacSubnet

    #UNSET PARAMETERS
    $mySubscrip = ""
    $myRG = ""
    $myLoc = ""
    $myVNET = ""
    $pathToFixedSizeDiskBlob = ""
    $nacSubnet = ""
    $nacVMName = ""
    $nacDiskName = ""


10
FortiNAC Control and Application VM Server Evaluation License

Your Fortinet team has submitted an "ITF" request that goes through an internal approval process. When approved, you will receive an email from [email protected] that contains a PDF with instructions to register and download the FortiNAC VM.

In your support portal:
• Asset -> Register/Activate
• Start Registration Wizard
• Skip the MAC & UUID for now

11
FortiNAC configWizard: License the system Step 1
Navigate to your VM's Management IP:
https://172.16.50.6:8443/configWizard

On Support Portal
•Edit Your FortiNAC product
•Enter the UUID & eth0 MAC Address
•Save

12
FortiNAC configWizard: License the system Step 2
Go to the License and Key option on the left side. Your license file is at the "Get The License File" URL.

Open the downloaded FortiNAC License File with Notepad and copy its contents into the license window.
** Make sure you do not insert any spaces after the last character.

13
FortiNAC configWizard Basic Network
Configure all items with an *

Additional Details
https://docs.fortinet.com/document/fortinac/8.8.0/fortinac-configuration-wizard-guide
14
FortiNAC configWizard Passwords
These passwords are stored in an encrypted file outside the database and CANNOT be
recovered. Cut & Paste from your password manager!!

a. Required in Passwords
   i. At least 8 characters
   ii. A lowercase letter
   iii. An uppercase letter
   iv. A number
   v. A symbol ! @ # % ^ * ? _ ~ -
b. NOT permitted in Passwords:
   i. ( ) ` $ & + | \ { } [ ] ; : " ' < > , . / =
   ii. NOTE: Spaces are NOT permitted in passwords.

For the POC they can all be the same, but store them in your password manager for future access (and change them to distinct values before any production use).
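Because the configWizard passwords cannot be recovered, it is worth generating them in a way that is guaranteed to pass these rules and checking anything you paste for stray characters (a trailing space picked up while copying is the classic failure, and it is invisible in the field). The Python below is an added example for this guide, not FortiNAC code: it validates a candidate against the rules transcribed from this slide and generates compliant passwords with the OS CSPRNG. Treating any character outside letters, digits and the permitted symbols (for example non-ASCII) as not permitted is an assumption; the slide's two lists together cover every printable ASCII symbol, so for ASCII input it is the same test.

```python
"""Validate and generate passwords that satisfy the configWizard rules on this slide.
Added example for this guide, not FortiNAC code. Rules are transcribed from the slide;
treating any character outside letters, digits and the permitted symbols (for example
non-ASCII) as not permitted is an assumption."""
import secrets
import string

MIN_LEN = 8
PERMITTED_SYMBOLS = "!@#%^*?_~-"
ALLOWED_CHARS = string.ascii_letters + string.digits + PERMITTED_SYMBOLS
# Listed on the slide as not permitted (plus space). Together with the permitted set this
# covers every printable ASCII symbol, so "not in ALLOWED_CHARS" is the same test for ASCII.
FORBIDDEN_CHARS = set("()`$&+|\\{}[];:\"'<>,./= ")
assert FORBIDDEN_CHARS.isdisjoint(ALLOWED_CHARS)


def password_problems(pw):
    """Return every rule the password violates (an empty list means it is acceptable)."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("no number")
    if not any(c in PERMITTED_SYMBOLS for c in pw):
        problems.append(f"no symbol from {PERMITTED_SYMBOLS}")
    bad = sorted({c for c in pw if c not in ALLOWED_CHARS})
    if bad:
        # Name the space explicitly: a trailing space from copy/paste is the usual culprit.
        problems.append("not permitted: " + " ".join("space" if c == " " else c for c in bad))
    return problems


def is_valid(pw):
    return not password_problems(pw)


def generate(length=20):
    """Random password meeting every rule, drawn from the OS CSPRNG. One character comes
    from each required class, the rest from the full allowed set, then the order is
    shuffled so the position of each class is not predictable."""
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    rng = secrets.SystemRandom()
    chars = [rng.choice(string.ascii_lowercase), rng.choice(string.ascii_uppercase),
             rng.choice(string.digits), rng.choice(PERMITTED_SYMBOLS)]
    chars += [rng.choice(ALLOWED_CHARS) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed candidates: valid, missing uppercase, forbidden parentheses, trailing space.
    for candidate in ("Nac-Poc2024!", "nac-poc2024!", "Nac(Poc)2024", "Nac-Poc2024! "):
        verdict = "OK" if is_valid(candidate) else "; ".join(password_problems(candidate))
        print(repr(candidate), "->", verdict)
    print("generated:", generate())
```

Run the check on each of the four credential sets before pasting them into the wizard; the generated values go straight into the password manager.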

15
FortiNAC configWizard Skip to Summary
Always Choose Layer 3 Network

16
FortiNAC configWizard Summary;Apply;Reboot
These passwords are stored in an encrypted file outside the database and CANNOT be
recovered.

17
FortiNAC - Test CLI
Don’t keep going if you cannot SSH to FortiNAC’s eth0 management interface using the
root credentials. You just set the root CLI password – make sure it works properly or you
will have to reinstall the VM.

18
FortiNAC Initial Web Interface (GUI) Access

• Navigate to https://<fortinac-ip>:8443
• User = root   Password = YAMS
• Accept EULA, change password
• **This is your 4th user account (GUI root)**; for the POC, make its password the same as the CLI root account for now.

19
FortiNAC LDAP Integration
Add Directory
1.System->Settings->Authentication->LDAP
2.Use the Add button at the bottom
3.Config settings for your closest AD Domain Controller
4.**MAC Address can be any 6 sets of digits like 01:02:03:04:05:06**
5.ALWAYS “Validate Credentials”
6.Accept User Attributes and Group Attributes default settings.
7.Search Branches: use your top level DC=company,DC=com for now; we
can filter down later.
8.Select Groups: shows list of groups and users. DO NOT SELECT ANY
GROUPS YET.
9.Click OK, go to next slide to test.

20
FortiNAC LDAP Integration – Test via Preview

1. Select your authentication server


2. Use the Preview button at the bottom
3. In the Filter To box, enter your AD user ID
4. Hit Search
5. Results should show first and last name
and other details configured in AD.
6. Click cancel or OK to exit

21
FortiNAC Add System Admins Using AD Credentials
1. User->Admin Users
2. Click Add at bottom
3. Enter User ID, click OK button
4. Should say “This User ID was found in the
directory”
5. Change Admin Profile: to System
Administrator
6. Make sure there is an email address
7. Repeat for all FortiNAC Sys Admins

22
FortiNAC Configure Email Notifications
1. System->Settings-> System Communications->Email Settings
2. Fill in fields appropriate to your organization
3. Test Email
4. Save Settings

23
FortiNAC VM – Backups *Please*

FortiNAC has a default backup, Database Backup and Database Archiving schedule.

FortiNAC does not have a default Remote Backup Configuration.

If you are not taking snap-shots, you may lose all data if the VM crashes and is not salvageable!!

Please configure the Remote Backup settings if you are not using snap-shots.

24
FortiNAC Network Discovery – Uplink Threshold

FortiNAC learns your network and will create uplinks to other network devices. Two main methods:
1. A MAC address for another managed switch is found on a switch port. We mark that as an uplink.
2. More than XX devices are seen on a port. By default the number is 20, but that is too low when we initially perform the network discovery: too many ports will be configured as "Threshold" links.

Configure System->Settings->Network Device->System Defined Uplink Count to 2000 to prevent any mis-labeled uplinks.

25
FortiNAC Network Devices Topology
The Network Devices Topology view is the key to visibility of your network
•R-Click “Customer” and change to Appliance or Company Name
•R-Click appliance/company name “add container”
•Create as many containers as you want. These can be floors, buildings, cities,
countries, regions etc.
•See next page to add devices

26
FortiNAC Network Devices Topology – Add Devices
• R-Click a container, "Add Device"
• IP Address must be PING-able from FortiNAC
• Use SNMP v1, v2c, or v3; FortiNAC almost always needs Read-Write access. Prefer v3 (authPriv) where the device supports it: v1/v2c send the community string, which here grants write access, in cleartext
• Enter SSH credentials; FortiNAC needs root or level-15 type access
• "Enable Password:" only when you actually type enable while logging in
• ALWAYS USE "Validate Credentials" BEFORE HITTING OK! Do not proceed until you have success with both SNMP and CLI

Misc Notes
•Watch out for ACLs and FW Policies!! PING/SSH from the FortiNAC CLI to test
•FortiGates need PING, SNMP, HTTPS and SSH enabled on the Mgmt Interface and FortiNAC added to System->SNMP users
•MIST Wireless, Meraki Switches & MRs have special needs
•Most WLCs only need SNMP Read-Only and SSH access

Add as many devices as you want. I perform this on full production networks all the time; no control is enabled by default. The more network devices we add, the better you'll understand visibility.
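The "PING/SSH from the FortiNAC CLI to test" advice here, and Time Saving Tip #1 on the Customer Requirements slide (PING, SNMP, SSH and HTTPS access from eth0 to every device), boil down to one pre-flight check worth scripting before the first call. The Python below is an added example for this guide, not FortiNAC code: it probes each device for ICMP, SSH and HTTPS reachability and sends a real SNMPv2c GET for sysDescr.0, so that a reply proves the community string is accepted and not merely that UDP/161 is open (agents silently drop a bad community). Run it with python3 from the FortiNAC CLI if python3 is available there (assumption), otherwise from another Linux host on eth0's subnet. The device inventory, IP addresses and the "public" community are constructed placeholders; the probes are injectable so the reporting logic can be exercised offline. It covers v1/v2c community strings only; for SNMPv3 rely on the Validate Credentials button.

```python
"""Pre-flight reachability check for a FortiNAC POC (added example, not FortiNAC code).
From FortiNAC's eth0 subnet, confirm each device answers PING, a real SNMPv2c GET with
its community string, SSH (TCP/22) and HTTPS (TCP/443). The inventory below is
constructed; IPs and community strings are placeholders."""
import socket
import subprocess

# Constructed sample inventory: (device name, management IP, SNMP community)
DEVICES = [
    ("core-sw-01", "192.168.5.10", "public"),
    ("wlc-01", "192.168.5.20", "public"),
    ("fgt-01", "192.168.5.1", "public"),
]
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # SNMPv2-MIB::sysDescr.0, read-only and harmless

def _tlv(tag, payload):
    """BER tag-length-value, short-form length (every packet built here is < 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def snmpv2c_get(community, request_id=1):
    """Build an SNMPv2c GetRequest for sysDescr.0, byte-for-byte what snmpget sends."""
    assert 0 <= request_id < 128
    # First two OID arcs share one byte (40*x + y); every arc in sysDescr.0 is < 128.
    oid = _tlv(0x06, bytes([40 * SYS_DESCR_OID[0] + SYS_DESCR_OID[1]]) + bytes(SYS_DESCR_OID[2:]))
    varbind = _tlv(0x30, oid + _tlv(0x05, b""))             # OID + NULL value
    pdu = (_tlv(0x02, bytes([request_id]))                  # request-id
           + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")      # error-status, error-index
           + _tlv(0x30, varbind))                           # VarBindList
    return _tlv(0x30, _tlv(0x02, b"\x01")                   # version 1 == SNMPv2c
                + _tlv(0x04, community.encode("ascii"))     # community string
                + _tlv(0xA0, pdu))                          # GetRequest-PDU

def is_snmp_response(data):
    """True if data is an SNMP message carrying a GetResponse-PDU (tag 0xA2). Only a
    response proves the community is accepted: agents silently drop bad communities."""
    try:
        if data[0] != 0x30:
            return False
        i = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)   # skip short/long-form length
        if data[i] != 0x02:                                  # version INTEGER
            return False
        i += 2 + data[i + 1]
        if data[i] != 0x04:                                  # community OCTET STRING
            return False
        i += 2 + data[i + 1]
        return data[i] == 0xA2
    except IndexError:
        return False

def probe_icmp(ip, timeout=2):
    """One ICMP echo via the system ping binary (Linux iputils flags assumed)."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout), ip],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0

def probe_tcp(ip, port, timeout=2.0):
    """TCP connect only: enough to show no ACL or firewall policy is in the way."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_snmp(ip, community, timeout=2.0):
    """Send the GetRequest to UDP/161 and accept only a well-formed GetResponse."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(snmpv2c_get(community), (ip, 161))
            data, _ = sock.recvfrom(1500)
        except OSError:  # timeout or ICMP port-unreachable
            return False
    return is_snmp_response(data)

def default_probes(community):
    """The four checks a POC device needs, keyed by name."""
    return {"ping": probe_icmp,
            "snmp": lambda ip: probe_snmp(ip, community),
            "ssh": lambda ip: probe_tcp(ip, 22),
            "https": lambda ip: probe_tcp(ip, 443)}

def check_devices(devices, probes_for=default_probes):
    """Run every probe against every device. probes_for is injectable so the
    reporting logic can be exercised without a network."""
    return {name: {check: probe(ip) for check, probe in probes_for(community).items()}
            for name, ip, community in devices}

def blocked(results):
    """Devices with at least one failed check: the ACL/firewall fixes to request first."""
    return sorted(name for name, checks in results.items() if not all(checks.values()))

if __name__ == "__main__":
    report = check_devices(DEVICES)
    for name, checks in report.items():
        print(f"{name:<12}", "  ".join(f"{k}={'ok' if v else 'BLOCKED'}" for k, v in checks.items()))
    if blocked(report):
        print("Fix ACLs / firewall policies for:", ", ".join(blocked(report)))
```

Anything reported under "Fix ACLs / firewall policies for:" is the ticket to raise with the network team before the session. For FortiGates the same four protocols must also be enabled on the management interface, as noted above; the HTTPS probe here only confirms the port answers, not that FortiNAC's SNMP user exists.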

27
FortiNAC POC
Congratulations, your FortiNAC appliance has been installed
and you are ready for your One-On-One sessions with your
FortiNAC SE.

28
FortiNAC VM/Appliance Isolation Reference Design

Greg Genta's video describes how to set up the FortiNAC Isolation networks. Well worth the 15 mins!
https://youtu.be/wOPElLP1-jg

29
Appendix A Documentation
FortiNAC Engineering has developed extensive documentation over the years. Start here for all process documents:
https://docs.fortinet.com/product/fortinac

30
Appendix B Professional Services 5-session Engagement

FortiNAC Configuration and Visibility – Working Session One (Remote/Onsite X days)
•Appliance configuration Primary and Secondary
•Integration with AD servers
•Apply certificates for appliances
•System communication for notification (email servers)
•HA configuration and validation – Primary/Secondary
•Network discovery
•Agent package preparation

Endpoint Classification – Working Session Two (Remote/Onsite X days)
•Device profiling
•Re-profiling of devices on connect
•Agent policies for device and user tracking

Policy Development and Enforcement – Working Session Three (Remote/Onsite X days)
•Policy Development
•Network Access
•Endpoint Compliance - audit only with notification
•Scan on connect for devices with agent
•Portal development for unknown Guest device onboarding
•Events for notification
•Syslog of Events to SIEM
•Validation of enforcement at designated pilot location(s)

Automated Response – Working Session Four (Remote/Onsite X days) - Pro
•Security device integrations
•Security policy development
•Validation of security policies

Go Live – Working Session Five (Remote/Onsite X days)
•Go Live support for enforcement at designated regional locations
•Wrap Up
  •Review Plan and Status
  •Transition and Next Steps

FortiNAC Professional Services is required to fully deploy FortiNAC. A pre-sales POC engagement skips steps, cuts corners and keeps a limited scope. Normally we can upgrade your POC appliance to a production appliance as part of that services engagement.

31
