Description
This article describes how to configure and troubleshoot Firewall TAGs with FortiGate and FortiNAC.
Related links:
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/787240/endpoint-connector-fortinac-6...
https://docs.fortinet.com/document/fortinac/8.5.0/fortinet-security-fabric-fsso-integration-guide
Scope
FortiGate and FortiNAC.
Solution
1) Log in to the FortiNAC GUI and go to System -> Settings -> System Communication -> Fortinet FSSO Settings.
2) Ensure that the 'Enable FSSO Communication' box is checked and fill in the 'Password' field (see the example below).
3) Force the FSSO Tag to be sent from FortiNAC to FortiGate to work around cases where the VLAN terminates on a Layer 3 device other than the FortiGate:
# device -ip <IPaddress> -setAttr -name ForceSSO -value true
4) Enable the following debug options and send the PuTTY session output to TAC support:
# CampusMgrDebug -name DeviceInterface true
# CampusMgrDebug -name SSOManager true
# Device -ip <IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"
5) Reproduce the issue. Update the ticket with the timestamps and the username.
6) After reproducing the issue, run the following command:
# grab-log-snapshot
The script collects and zips a large number of files; this takes several minutes.
The resulting archive (log-snapshot-<hostname>-<timestamp>.tar.gz) is located in the /tmp directory.
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-How-to-Use-grab-log-snapshot/ta-p/190755?ex...
7) Disable debugging:
# CampusMgrDebug -name DeviceInterface false
# CampusMgrDebug -name SSOManager false
# Device -ip <IPaddress> -delAttr -name DEBUG -value "ForwardingInterface TelnetServer"
Copyright 2024 Fortinet, Inc. All Rights Reserved.