FortiGate
lfrancelj, Staff
Article Id 191204

Description


This article describes how to configure and troubleshoot Firewall TAGs with FortiGate and FortiNAC.

Related documents:

 

Scope

 

FortiGate and FortiNAC Legacy.


Solution

 

1. Log in to the FortiNAC GUI and go to System -> Settings -> System Communication -> Fortinet FSSO Settings.
   Ensure that the 'Enable FSSO Communication' box is checked and fill in the 'Password' field (see the below example):

2. Create 'Firewall Tags':

3. Go to the 'Topology' view, select the FortiGate, select the 'Virtualized Devices' tab, and select the VDOM to enable 'Firewall Tags'. Then, enter the tag that was created in the previous step and select 'Submit Query':

4. Add a FortiNAC Fabric Connector on the FortiGate:

5. Select 'Refresh' and select 'View':

6. If the tag that was created on FortiNAC is visible, use these tags in the firewall policies.

Troubleshooting

1. To verify whether a tag has been applied to a host and sent to FortiGate, use the following commands on FortiGate:

diag fire auth list | grep -A 7 x.x.x.x  <- Replace x.x.x.x with the IP address of the host.
diag debug auth fsso list | grep x.x.x.x <- Replace x.x.x.x with the IP address of the host.
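As an added example (not part of the original article and not Fortinet code), the following Python parses the output of `diagnose firewall auth list` and reports which hosts do not carry the tag FortiNAC was expected to send, which is the check behind the grep above when more than one host is being verified. The sample output embedded below is constructed to resemble the FortiOS format; the exact field layout varies between FortiOS versions, so the two regular expressions and the assumption that several group names appear space-separated on one `group_name` line should be adjusted against real output.

```python
"""Check FortiNAC firewall tags in `diagnose firewall auth list` output.

Added example, not from the article. The sample text is CONSTRUCTED to
resemble FortiOS output; the field layout is an assumption to verify
against a real FortiGate before relying on the parser.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: two FSSO sessions learned from FortiNAC.
SAMPLE_AUTH_LIST = """\
10.10.20.15, jsmith
        type: fsso, id: 0, duration: 3421, idled: 12
        server: FortiNAC
        packets: in 1204 out 987, bytes: in 310221 out 120455
        group_id: 33554433
        group_name: Quarantine_Tag
10.10.20.44, mjones
        type: fsso, id: 0, duration: 120, idled: 3
        server: FortiNAC
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 33554434 33554435
        group_name: Corp_Device Printer_Tag
----- 2 listed, 0 filtered ------
"""

# An entry starts at column 0 with "<ip>, <user>"; detail lines are indented.
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)\s*$")
KV_RE = re.compile(r"^\s+([a-z_]+):\s*(.*)$")


@dataclass
class AuthEntry:
    ip: str
    user: str
    auth_type: str = ""
    server: str = ""
    groups: List[str] = field(default_factory=list)


def parse_auth_list(text: str) -> Dict[str, AuthEntry]:
    """Parse auth-list output into a mapping of client IP -> AuthEntry."""
    entries: Dict[str, AuthEntry] = {}
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = AuthEntry(ip=m.group(1), user=m.group(2))
            entries[current.ip] = current
            continue
        if current is None:
            continue  # summary line or leading noise
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if key == "type":
            # "fsso, id: 0, duration: ..." -> keep only the auth type token
            current.auth_type = value.split(",")[0].strip()
        elif key == "server":
            current.server = value
        elif key == "group_name":
            # Assumption: multiple tags are listed space-separated
            current.groups = value.split()
    return entries


def has_tag(entries: Dict[str, AuthEntry], ip: str, tag: str) -> bool:
    """True when the host has an FSSO session carrying the given tag."""
    entry = entries.get(ip)
    return entry is not None and entry.auth_type == "fsso" and tag in entry.groups


def missing_tags(entries: Dict[str, AuthEntry], expected: Dict[str, str]) -> List[str]:
    """Return the IPs whose expected FortiNAC tag is absent on the FortiGate."""
    return [ip for ip, tag in expected.items() if not has_tag(entries, ip, tag)]


if __name__ == "__main__":
    parsed = parse_auth_list(SAMPLE_AUTH_LIST)
    want = {"10.10.20.15": "Quarantine_Tag", "10.10.20.44": "Corp_Device",
            "10.10.20.99": "Corp_Device"}
    for ip, entry in parsed.items():
        print(f"{ip} user={entry.user} type={entry.auth_type} tags={entry.groups}")
    print("hosts missing their expected tag:", missing_tags(parsed, want))
```

In practice, feed the script the saved output of `diagnose firewall auth list` (via `python3 check_tags.py < authlist.txt` with a small read of `sys.stdin` in place of the sample); a host that shows no entry at all usually means FortiNAC never sent the FSSO record, while an entry without the tag points at the tag mapping on the VDOM.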

 

2. Force the FSSO tag to be sent from FortiNAC to FortiGate to work around cases where the VLAN terminates on a Layer 3 device other than the FortiGate:

device -ip <IPaddress> -setAttr -name ForceSSO -value true

3. Enable the following debug options and send the PuTTY session output to TAC support:

nacdebug -name DeviceInterface true
nacdebug -name SSOManager true
Device -ip <IPaddress> -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"

4. Reproduce the issue. Update the ticket with the timestamps and username.

5. After reproducing the issue, run the following command:

grab-log-snapshot

The script will collect and compress a large number of files. This will take several minutes.
The resulting archive (log-snapshot-<hostname>-<timestamp>.tar.gz) is located in the /tmp directory.
See Technical Tip: How to get a debug log report from FortiNAC.

6. Disable debugging:

nacdebug -name DeviceInterface false
nacdebug -name SSOManager false
Device -ip <IPaddress> -delAttr -name DEBUG -value "ForwardingInterface TelnetServer"

Verify which debugs are enabled:

nacdebug -all | grep -i true