Rathan_FTNT
Staff
Article Id 194672
Description
This article describes how to add a FortiNAC to the Security Fabric.

Scope
A FortiNAC can be added to the Security Fabric on the root FortiGate.
After the unit has been added and authorized, it is possible to log in to the FortiNAC from the FortiGate topology views.

Adding a FortiNAC to the Security Fabric requires a FortiNAC with a license issued in the year 2020 that includes an additional certificate.
The unit cannot be added if it has an older license.
Use the license tool in the FortiNAC CLI to determine if the license includes the additional certificate.


Solution
To add a FortiNAC to the Security Fabric:

1) On the FortiNAC, configure telemetry and input the IP address of the root FortiGate.
2) On the root FortiGate, authorize the FortiNAC.
3) Verify the connection status in the topology views.

To configure the FortiNAC:

1) Go to System -> Settings, and in the Folder View select 'Security Fabric Connection'.
2) Add a new entry with the root FortiGate unit's IP address. The default port is 8013.

To authorize the FortiNAC on the root FortiGate from the GUI:

1) Go to Security Fabric -> Fabric Connectors.
2) The FortiNAC is highlighted in the topology list in the right panel with the status 'Waiting for Authorization'.
3) Select the highlighted FortiNAC and select 'Authorize'.

Optionally, authorization can be denied instead, which removes the FortiNAC from the list.

To authorize the FortiNAC on the root FortiGate from the CLI:
# config system csf
    # config trusted-list
        edit "FNVMCATM20-----6"
            set action accept
        next
    end
end
To verify the connection status:

1) After the FortiNAC is authorized, go to Security Fabric -> Physical Topology and confirm that it is included in the topology.

2) Go to Security Fabric -> Logical Topology and confirm that the FortiNAC is also displayed there.

3) Run the following command from CLI to view information about the FortiNAC unit's status:
# diagnose sys csf downstream-devices fortinac
{
"path":"FG5H1E5818-----6:FNVMCATM20-----6",
"mgmt_ip_str":"10.1.100.197",
"mgmt_port":0,
"admin_port":8443,
"serial":"FNVMCATM20-----6",
"host_name":"adnac",
"device_type":"fortinac",
"upstream_intf":"port2",
"upstream_serial":"FG5H1E5818-----6",
"is_discovered":true,
"ip_str":"10.1.100.197",
"downstream_intf":"eth0",
"authorizer":"FG5H1E5818-----6",
"idx":1
}
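As an added example (not part of the original article), the following Python check parses the output of the diagnose command above and confirms that each FortiNAC entry is discovered, was authorized by the expected root FortiGate, and sits on a fabric path that starts at that root and ends at the FortiNAC's own serial. The sample output is constructed from the article's example with its redacted serials kept as placeholders; the handling of a JSON array (several FortiNACs) is an assumption, since the article only shows a single object.

```python
import json

# Constructed sample: the output of
# "diagnose sys csf downstream-devices fortinac" as shown in the article,
# with the redacted serial numbers kept as placeholders.
SAMPLE_OUTPUT = """{
"path":"FG5H1E5818-----6:FNVMCATM20-----6",
"mgmt_ip_str":"10.1.100.197",
"mgmt_port":0,
"admin_port":8443,
"serial":"FNVMCATM20-----6",
"host_name":"adnac",
"device_type":"fortinac",
"upstream_intf":"port2",
"upstream_serial":"FG5H1E5818-----6",
"is_discovered":true,
"ip_str":"10.1.100.197",
"downstream_intf":"eth0",
"authorizer":"FG5H1E5818-----6",
"idx":1
}"""


def parse_downstream_devices(raw):
    """Parse the diagnose output into a list of device dicts.

    Assumption: the command prints either a single JSON object (as in the
    article) or a JSON array of objects when several FortiNACs are attached.
    """
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def check_fortinac(device, root_serial):
    """Return the list of problems found for one downstream device.

    An empty list means the entry is a FortiNAC that the root FortiGate has
    discovered and authorized, and whose fabric path runs from the root
    FortiGate down to the FortiNAC's own serial number.
    """
    problems = []
    if device.get("device_type") != "fortinac":
        problems.append("device_type is %r, expected 'fortinac'" % device.get("device_type"))
    if not device.get("is_discovered"):
        problems.append("device is not discovered by the root FortiGate")
    if device.get("authorizer") != root_serial:
        problems.append("authorizer %r is not the root FortiGate %r"
                        % (device.get("authorizer"), root_serial))
    hops = (device.get("path") or "").split(":")
    if hops[0] != root_serial:
        problems.append("path %r does not start at the root FortiGate" % device.get("path"))
    if hops[-1] != device.get("serial"):
        problems.append("path %r does not end at the device serial %r"
                        % (device.get("path"), device.get("serial")))
    return problems


def verify_fabric(raw, root_serial):
    """Map each downstream serial to its list of problems (empty means OK)."""
    return {d.get("serial"): check_fortinac(d, root_serial)
            for d in parse_downstream_devices(raw)}


if __name__ == "__main__":
    # Root FortiGate serial taken from the article's sample output.
    for serial, problems in verify_fabric(SAMPLE_OUTPUT, "FG5H1E5818-----6").items():
        print(serial, "OK" if not problems else "; ".join(problems))
```

Run it against the captured command output with the root FortiGate's real serial number; any non-empty problem list points at the step to revisit (telemetry not configured on the FortiNAC, or the unit still waiting for authorization in the trusted list).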
To log in to the FortiNAC from the FortiGate:

1) On the FortiGate, go to Security Fabric -> Physical Topology or Security Fabric -> Logical Topology.
2) Select the FortiNAC and select 'Login to <serial_number>'.

