FortiNAC Appliance Installation Guide
Version: 8.5
Date: 5/28/2019 (Tuesday, May 28, 2019)
Document number: 49-830-503677-20190731

Fortinet resources:
• FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
• FORTINET VIDEO GUIDE: https://video.fortinet.com
• FORTINET KNOWLEDGE BASE: http://kb.fortinet.com
• FORTINET BLOG: https://blog.fortinet.com
• CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com and http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
• FORTINET COOKBOOK: http://cookbook.fortinet.com
• FORTINET TRAINING AND CERTIFICATION PROGRAM: https://www.fortinet.com/support-and-training/training.html
• NSE INSTITUTE: https://training.fortinet.com/
• FORTIGUARD CENTER: https://fortiguard.com
• FORTICAST: http://forticast.fortinet.com
• END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf

Contents
Naming Conventions ... 1
Ethernet Connections ... 2
Process Overview ... 3
Hardware Setup ... 4
Connect To The Appliance ... 4
Login To Configuration Wizard - Hardware Setup ... 5
Verify License Key ... 6
Assign IP Address ... 7
Configuration Wizard - Passwords ... 9
Connect To The Network ... 11
Software Configuration ... 12
Login To Configuration Wizard - Software ... 12
Password Setup ... 14
Network Type ... 17
Layer 2 Network - VLANs ... 18
Layer 2 Network - Configure VLANS ... 19
Layer 2 Network - Additional Routes ... 24
Layer 2 Network - Summary ... 24
Layer 3 Network - Route Scopes ... 25
Layer 3 Network - Configure Route Scopes ... 27
Importing Route Scopes ... 35
Layer 3 Network - Additional Routes ... 37
Results: Layer 2/Layer3 Networks Or Control Manager ... 39
Log In To The Admin User Interface ... 41
Change Passwords After Configuration ... 42

Naming Conventions

Before you begin the installation, you need to determine the Product Descriptor for the product you are configuring.
• Refer to the Appliance Identification Details page in the information packet that came with your appliance. Locate your Appliance Identifier.
• If you don't have the Appliance Identification Details page, check the Appliance Identifier tag located on the metal casing on the back or the top of the appliance.

Using the Appliance Identifier information, refer to the tables below to determine the Product Descriptor. The Product Descriptor is used throughout this document.

In addition, the Appliance Identifier contains the BFN number for the type of appliance you are configuring. Refer to this number as you go through the Hardware Setup procedures to identify your appliance and its corresponding Ethernet ports. Refer to the tables in this section. If your appliance is not listed, contact Customer Support.

You can download electronic versions of the Appliance Installation Guides through the Configuration Wizard. See Login To Configuration Wizard - Software on page 12.

Note: The Configuration Wizard uses the Product Descriptor as a common naming scheme when referring to the different products. Tables in this section show this relationship.

Table 1: Naming Conventions For Appliance FNT 330 and 440
SKU Number | Description | FORTINET Part Number | Part Type
SYC-FNT440-000 | FORTINAC 600 HIGH PERF CONTROL APP SERVER | FNC-CA-600C | System
SYC-FNT440-010 | FORTINAC NETWORK CONTROL MANAGER | FNC-M-550C | System
SYC-FNT440-020 | FORTINAC ANALYTICS SERVER | FNC-R-650C | System
SYC-FNT440-030 | FORTINAC 1000C HIGH PERF CONTROL SERVER | FNC-C-1000C | System
SYC-FNT440-040 | FORTINAC 1000A HIGH PERF APPLICATION SERVER | FNC-A-1000C | System
SYC-FNT440XL100 | FORTINAC 700 ULTRA HIGH PERF CONTROL APP SERVER | FNC-CA-700C | System
SYC-FNT440XL110 | FORTINAC 2000C ULTRA HIGH PERF CONTROL SERVER | FNC-C-2000C | System
SYC-FNT440XL120 | FORTINAC 2000A ULTRA HIGH PERF APP SERVER | FNC-A-2000C | System
SYC-FNT330000* | FORTINAC 500 HIGH PERF CONTROL APP SERVER | FNC-CA-500C | System

Ethernet Connections

Each Ethernet port is used for a different purpose during initial configuration and normal operation.
The following table provides details on the options for each appliance type and its corresponding Ethernet ports.

Note: Manual configuration is required for eth2. The eth3 or fourth interface is reserved for future use. Contact Customer Support for assistance.

Table 2: Ethernet Connections (applies to appliances FNT330 and FNT440)

Port used during initial (Basic Network) configuration:
Product | Port | Use
All Products | eth1 | Used temporarily during configuration until the IP address, mask, default gateway, and host name are set up. The Configuration Wizard DHCP service on this port is disabled once the appliance is rebooted (or shut down and restarted).

Port used during normal operations (after basic network configuration is complete):
Product | Port | Use
All Products | eth0 | Management
FortiNac Server | eth1 | Isolation networks, such as Registration or Remediation.
FortiNac Application Server | eth1 | Isolation networks, such as Registration or Remediation.
FortiNac Control Server | eth1 | Either DHCP detection or not used.
FortiNac Control Manager | eth1 | Not used.
FortiNac Server | eth2 | Rogue DHCP detection, additional isolation networks (for example, Remote Registration and Remote Scan), access point management, or not used.
FortiNac Application Server | eth2 | Additional isolation networks (for example, Remote Registration and Remote Scan), access point management, or not used.

Process Overview

The following is a summary of the steps you will use to configure your appliance.

Important: The FortiNac appliance set (physical or virtual) is intended for Fortinet software, tools and services use only. Fortinet does not confirm any other software, tools or services for use.

Table 3: Hardware And Software Configuration Overview
Process | Steps | Prerequisites
Hardware Setup (connect the appliance to the network; see Hardware Setup on the next page):
  Physically connect your laptop to the appliance using eth1. | None
  Launch Configuration Wizard and login. Validate license. | License key if not already installed.
  Assign IP address and other basic networking information, such as mask, DNS, or hostname. | IP address for this appliance
  Disconnect laptop from eth1 and connect appliance to network on eth0. | None
Software Configuration (return to the Configuration Wizard to enter basic setup data; see Software Configuration on page 12):
  Specify forwarding DNS for all isolation networks and enter time zone information. | None
  Set up passwords. |
  Select network type: Layer 2 or Layer 3. | Have information available for Layer 2 VLAN network or Layer 3 routed network.
  Create additional routes. | Optional routes for network traffic typically used in a Layer 3 environment.
  View Summary and apply the configuration. Reboot. | None

Re-run the Configuration Wizard at any time to reconfigure settings. To re-run the Configuration Wizard, see Login To Configuration Wizard - Software on page 12 and enter the URL as shown.

Hardware Setup

Unpack and power up the appliance(s) as described in the Hardware Setup Guide included with the appliance. For some appliances, the power supply fan goes on when the appliance is first plugged in.

Note: On some appliances the power switch is located behind the bezel on the front of the machine. Be sure to remove the bezel and power up the appliance first.

DO NOT CONNECT THE APPLIANCE(S) TO THE NETWORK AT THIS TIME.

Connect To The Appliance

1. See Figures 1 through 7. Note that the port etched with number 1 is eth0 and the port etched with number 2 is eth1, or the left-most port is eth0 and the next port to the right is eth1.
2. Use either a straight-through or crossover RJ45 cable to connect your PC to eth1 of the appliance. Port eth1 serves DHCP in the 192.168.1.x range. The appliance itself has an IP address of 192.168.1.1. Be certain to connect the RJ45 cable to the correct Ethernet port. LED 1 on the front of the appliance lights to indicate when eth0 has established a connection. LED 2 lights to indicate when eth1 has established a connection.
Note: Not all models of the appliance have LED lights on the front.

Note: When a FortiNac Control Server and Application Server are paired, configure the FortiNac Application Server hardware first to assign an IP address. The FortiNac Control Server must know the IP address of the FortiNac Application Server in order to communicate with it.

3. On the PC, bring up a web browser. To launch the Configuration Wizard, navigate to:
   http://192.168.1.1:8080/configWizard

Note: Appliances have an LCD panel on the front that displays the Appliance Type, such as FortiNac Control Server, and the FortiNac Version number installed. This information does not display until the FortiNac software is started.

Figure 1: Appliance FNT440
Figure 2: Appliance FNT330

Login To Configuration Wizard - Hardware Setup

1. If you have not done so already, bring up a web browser and navigate to:
   http://192.168.1.1:8080/configWizard
2. Enter the User Name and Password credentials to gain access to the Configuration Wizard.
   User Name = config
   Password = config
3. Click OK.

Note: You will be required to change the Configuration Wizard password during the setup process.

Verify License Key

Each appliance requires a unique License Key to run the application. The License Key contains the license count, license time, feature set, and high availability options.

Note: When the License Key Validation window opens, if you do not see a license key, contact Customer Support or your sales representative to obtain it. For customer identification, have the MAC Address of the appliance ready when you call for assistance. The MAC Address is located on the shipping label, on the Appliance Identification Details document, and on the back or the top of the metal casing of the appliance.

1. If a license key appears in the text area, click OK. If there is no key, contact Customer Support or your sales representative.
2. On the next screen you can download PDF versions of the documentation to your PC. Then click OK to continue.

Figure 3: License Key Validation Window

Assign IP Address

The initial Basic Network screen displays the Product Descriptor and the type of system you are configuring. See Naming Conventions on page 1.

1. Configure the FortiNac appliance and enter the values based on the definitions in Basic Network Window Field Definitions below.

   WARNING: Do not use the following as the Host Name for the appliance: nac, isolation, registration, remediation, remotereg, remotescan, vpn, authentication, hub, access point management, or deadend. These names are reserved for system use.

   WARNING: Host names should contain only letters, numbers or hyphens (-). Uppercase letters are converted to lowercase automatically.

2. Click Apply.
3. Review the information in the Results page. If there are errors or omissions, click Back on the browser. Make the changes and reapply them.
4. Reboot or shut down the appliance. The DHCP service accessed via eth1 during installation is disabled.

Note: The data displayed in the Configuration Wizard may not represent the current configuration of the appliance. When you make edits in the Configuration Wizard, your modifications are stored in a temporary file. This allows you to exit the Configuration Wizard before you save your changes permanently.

Table 4: Basic Network Window Field Definitions
Field | Definition

FortiNac Product
  Host Name: Name of the appliance you are configuring. Host names should contain only letters, numbers or hyphens (-). Uppercase letters are converted to lowercase automatically. Note: Do not use nac, isolation, registration, remediation, remotereg, remotescan, vpn, authentication, hub, or deadend. These names are reserved for system use.
  eth0 IP Address: Management IPv4 address of the appliance you are configuring.
  Default Gateway: Default Gateway IPv4 address for the appliance you are configuring. A default gateway is the device that passes traffic from the local subnet to devices on other subnets.
  eth0 IPv6 Address: Management IPv6 address of the appliance you are configuring.
  IPv6 Default Gateway: Default Gateway IPv6 address for the appliance you are configuring. A default gateway is the device that passes traffic from the local subnet to devices on other subnets.
  Mask: Subnet IPv4 mask for the appliance you are configuring. A subnet is a logical grouping of connected network devices; the mask defines the boundaries of the subnet.
  IPv6 Mask in CIDR notation: Subnet IPv6 mask for the appliance you are configuring, in CIDR format (e.g., 64).

DNS
  Primary IP Address: IP address of the Primary DNS Server. This is used in the basic IP network configuration for the appliance.
  Secondary IP Address: IP address of the Secondary DNS Server. This is used in the basic IP network configuration for the appliance.
  Domain: Enter your domain name, such as megatech.com or megatech.edu.

Forwarding DNS for all Isolation Networks
  Use Primary and Secondary DNS: Select this option to use the Primary and Secondary DNS IP addresses.
  Specify [Use semi-colon (;) to separate]: Select this option to specify a different DNS IP address, and enter the address(es).

NTP and Time Zone
  NTP Server [example: pool.ntp.org]: The address of the NTP (Network Time Protocol) server used to keep system clocks up to date with official time.
  Time Zone: Specify the time zone where the system is located so that the correct local time is shown.

Figure 4: Basic Network - Assign IP Address

Configuration Wizard - Passwords

Password fields appear empty until you modify a password. Passwords can be modified again later by accessing the Change Passwords screen. See Change Passwords After Configuration on page 42.
CLI/SSH and Configuration Wizard passwords must be eight characters or longer and contain a lowercase letter, an uppercase letter, a number, and one of the following symbols:

Required Symbols
! exclamation point
# pound
% percent
* asterisk
@ at
$ dollar
^ caret
? question mark
_ underscore
~ tilde
- hyphen

Note: The symbols listed below are not permitted in CLI/SSH and Configuration Wizard passwords.

Prohibited Symbols
( open parenthesis
) close parenthesis
` back quote
& ampersand
+ plus
= equal
| pipe
\ back slash
(space)
; semicolon
: colon
" double quote
' single quote
< less than
> greater than
{ open curly bracket
} close curly bracket
[ open square bracket
] close square bracket
, comma
. period
/ forward slash

Password types include:
• admin: CLI/SSH password you use to log into the appliance. Must be at least 8 characters and no more than 64 characters.
• root: CLI/SSH password Customer Support uses to log into the appliance. Must be at least 8 characters and no more than 64 characters. Notify Customer Support if you change this password.
• Configuration Wizard: Password you use to log into the Configuration Wizard.

Note: FortiNac Application Server Passwords only display when you configure a FortiNac Control Server.

Connect To The Network

1. Disconnect the PC from the eth0 port on the appliance.
2. Connect eth0 of the appliance to the network. If you have a FortiNac Control Server and FortiNac Application Server pair, connect eth0 of each appliance to the network. Port eth0 is the management interface for the appliance. If a management VLAN exists, connect eth0 to a management VLAN network port.

Note: See Ethernet Connections on page 2 and Hardware Setup on page 4 for additional information and pictures of each appliance type and corresponding ports.

WARNING: DO NOT use a firewall between any FortiNac appliances because the firewall interferes with the connection between those appliances. There should never be a firewall between any of the following:
- FortiNac Control Server and FortiNac Application Server
- FortiNac Control Manager and the appliances it manages
- Primary and Secondary servers in a High Availability Environment
- FortiNac Integrated RADIUS Server and the FortiNac Control Server and FortiNac Application Server
- FortiNac Integrated RADIUS Server and the FortiNac Server
- Host running the Admin UI and the FortiNac Control Server
- Host running the Admin UI and FortiNac Server
- Host running the Admin UI and FortiNac Control Manager

Software Configuration

Now that your appliance has been assigned an IP address and is connected to the network, you are ready to configure your NTP, time zone, routes, and DHCP scopes associated with your Layer 2 or Layer 3 network.

Use the following buttons and links to navigate through the Configuration Wizard.
• Steps pane: This is the panel displayed on the left of each Configuration window. Each step is a link to its corresponding window. It is not required that you follow the configuration steps sequentially.
• Help: Displays a PDF version of this document.
• Reset: Click Reset to return field values to what they were when you opened the view. If you move to another window, you can no longer reset field values.
• Summary: Lists all configured settings. You can view a summary at any point in the configuration process and apply those settings.

Login To Configuration Wizard - Software

1. Bring up a web browser and point it to the IP Address of the FortiNac Server, FortiNac Control Server or FortiNac Management Server. Use one of the following URLs:
   http://<IP Address>:8080/configWizard
   http://<Host Name of the appliance>:8080/configWizard

Note: The Configuration Wizard writes files configured on the FortiNac Control Server to the FortiNac Application Server.
No direct configuration of the FortiNac Application Server is required after the initial basic network setup is completed and it is connected to the network.

2. Enter the User Name and Password credentials that you configured when assigning an IP address to gain access to the Configuration Wizard.
3. Click OK.
4. Click OK on the License Key screen.
5. Download the documentation needed to configure and administer the product. These files are in PDF format and require a PDF viewer to read them. Click the Download button to save the files, then click OK.

Figure 5: Download Documentation Window

Password Setup

Figure 6: Change Passwords
Figure 7: Configuration Wizard - Password Setup

Table 5: Password Field Definitions
Field | Definition
New CLI/SSH admin Password, Retype CLI/SSH admin Password (admin Password): The CLI/SSH Password used to access the appliance (max. 64 characters). You are required to change this password.
New CLI/SSH root Password, Retype CLI/SSH root Password (root Password): The CLI/SSH Password used by Customer Support to access the appliance (max. 64 characters). You are required to change this password. Call Customer Support to inform them of the password. This facilitates support for your appliance in the future.
New Configuration Wizard Password, Retype Configuration Wizard Password (Configuration Wizard Password): The Password used to access the Configuration Wizard (max. 64 characters). You are required to change this password.

Configure Passwords

To set up passwords:
1. On the Passwords window, click Change Passwords.
2. For each password that you modify, click in the Existing Password field and type the current password.
3. Click in the New Password field and type the new password (8 to 64 characters).
4. Click in the Retype Password field and enter the new password again.
5. Click Apply. Root and admin password changes take effect immediately. The Configuration Wizard password change will not take effect until tomcat-admin has been restarted.
6. You are asked if you would like to restart tomcat-admin. If you are working your way through the Configuration Wizard, do not restart at this time. The system will be restarted at the end of the process. If you are only changing passwords, you should click OK to restart.
7. Close the window or tab.
8. Click Next to continue.

Network Type

At this point you must indicate whether you are connecting to a Layer 2 or a Layer 3 network.

Important: In a High Availability environment with an L3 configuration where redundant FortiNac servers are on different subnets and do not use a shared IP address, you must select the Layer 3 network option. L3 High Availability configurations are not supported with Layer 2 Isolation settings.

• Select the Layer 2 network option to specify VLAN isolation networks and their corresponding IP addresses. See Layer 2 Network - VLANs on page 18.
• Select the Layer 3 network option to specify routed isolation networks and their corresponding IP addresses. See Layer 3 Network - Route Scopes on page 25.

Click Next.

Figure 8: Network Type

Layer 2 Network - VLANs

VLANs are the basic networking construct used to limit network access.
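The Host Name rules from the Basic Network window (letters, numbers and hyphens only, lowercased, reserved names rejected) and the CLI/SSH and Configuration Wizard password rules (8 to 64 characters, lowercase, uppercase, number, one required symbol, no prohibited symbols) are easy to get wrong at the keyboard. The following Python script is an added example, not FortiNAC code and not a reproduction of the wizard's own validator; it encodes the rules exactly as this guide lists them so that values can be checked before they are typed into the wizard. Characters the guide does not mention at all (neither required nor prohibited) are flagged as a conservative assumption.

```python
"""Offline checks for two Configuration Wizard inputs described in this guide:
the appliance Host Name and the CLI/SSH / Configuration Wizard passwords.
Added example; not FortiNAC code."""
import re

# Reserved host names from the Basic Network WARNING (the multi-word entry
# "access point management" is kept exactly as the guide writes it).
RESERVED_HOST_NAMES = {
    "nac", "isolation", "registration", "remediation", "remotereg",
    "remotescan", "vpn", "authentication", "hub", "access point management",
    "deadend",
}
HOST_NAME_RE = re.compile(r"^[a-z0-9-]+$")

# Symbol sets copied from the Required Symbols / Prohibited Symbols tables.
REQUIRED_SYMBOLS = set("!#%*@$^?_~-")
PROHIBITED_SYMBOLS = set("()`&+=|\\ ;:\"'<>{}[],./")


def normalize_host_name(name: str) -> str:
    """Mirror the wizard's behaviour: uppercase letters become lowercase."""
    return name.strip().lower()


def host_name_problems(name: str) -> list[str]:
    """Return the reasons a Host Name would be rejected (empty list = OK)."""
    problems = []
    n = normalize_host_name(name)
    if not n:
        return ["host name is empty"]
    if not HOST_NAME_RE.match(n):
        problems.append("only letters, numbers and hyphens (-) are allowed")
    if n in RESERVED_HOST_NAMES:
        problems.append(f"'{n}' is reserved for system use")
    return problems


def password_problems(pw: str) -> list[str]:
    """Return the reasons a CLI/SSH or Configuration Wizard password would be rejected."""
    problems = []
    if not 8 <= len(pw) <= 64:
        problems.append("length must be 8 to 64 characters")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in REQUIRED_SYMBOLS for c in pw):
        problems.append("needs one of the required symbols " + "".join(sorted(REQUIRED_SYMBOLS)))
    bad = sorted({c for c in pw if c in PROHIBITED_SYMBOLS})
    if bad:
        problems.append("contains prohibited symbol(s): " + " ".join(repr(c) for c in bad))
    # Assumption: characters that are neither alphanumeric nor in either symbol
    # table are not covered by the guide, so they are flagged rather than allowed.
    other = sorted({c for c in pw
                    if not c.isalnum() and c not in REQUIRED_SYMBOLS and c not in PROHIBITED_SYMBOLS})
    if other:
        problems.append("contains characters not covered by the guide: " + " ".join(repr(c) for c in other))
    return problems


if __name__ == "__main__":
    # Constructed sample values for this example.
    for h in ("NAC-Server01", "isolation", "nac_1"):
        print(h, "->", host_name_problems(h) or "OK")
    for p in ("Summer2019!", "config", "Passw0rd(1)"):
        print(p, "->", password_problems(p) or "OK")
```

Run it before filling in the Basic Network and Passwords windows; an empty list means the value satisfies every rule the guide states. Note that the wizard's default login (config/config) fails the length rule, which is why the guide requires changing it during setup.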
When you implement network access control, include at least one non-production VLAN. In the Configuration Wizard this is the Isolation VLAN. If there is a need to separate clients based on state, such as known vs. unknown or out-of-compliance, configure multiple VLANs. In the Configuration Wizard these additional VLANs are the Registration, Remediation, Dead End, VPN, Authentication, Isolation, and Access Point Management VLANs.

If you intend to use FortiNac only to monitor network access, configuring VLANs is not necessary. If in the future you choose to control access to the network, re-run the Configuration Wizard to configure VLANs at that time. If you do not configure VLANs at this time, click Next on the Isolation, Registration, Remediation, Dead End, VPN, Authentication and Access Point Management screens. Proceed to Layer 2 Network - Summary on page 24.

Note: The Configuration Wizard dynamically writes all files configured on the FortiNac Control Server to the FortiNac Application Server. No direct configuration of the FortiNac Application Server is required after the initial basic network setup is completed.

Table 6: Layer 2 VLAN Types
VLAN Type | Definition
Layer 2 Isolation: Isolates all clients connecting to the network and redirects them to the appropriate isolation web pages. In the Isolation VLAN the state of the client, such as known vs. unknown or out-of-compliance, determines the access control information presented to the client via the web browser or persistent agent. If you use this VLAN type, the configuration of the other VLAN types is optional. You can use the Isolation VLAN with Registration, Remediation, Dead End, VPN, Authentication, or Access Point Management VLANs as another non-production network.
Layer 2 Registration: Isolates unregistered clients from the production network during client registration.
Layer 2 Remediation: Isolates clients from the production network who pose a security risk because they failed a policy scan.
Layer 2 Dead End: Isolates disabled clients with limited or no network connectivity from the production network.
Layer 2 Virtual Private Network: Used for clients who connect to the network through VPN services.
Layer 2 Authentication: Isolates registered clients from the Production network during user authentication.
Layer 2 Access Point Management: Used for clients that connect through devices managed by Access Point Management. You can manage clients connected to hubs or simple access points by using DHCP as a means to control or restrict client access. Once you have completed your configuration and started FortiNac, access Help for additional information about the Access Point Management Plugin.

Layer 2 Network - Configure VLANS

The configuration views for the Isolation, Registration, Remediation, Dead End, VPN, and Authentication VLAN types are similar. The Access Point Management VLAN configuration view is slightly different in that it contains sections for both authorized and unauthorized clients. Samples of the Isolation and the Access Point Management views are shown below.

For each VLAN type you are configuring:
1. Click Next to proceed to the next configuration screen if you are not configuring the displayed VLAN type.
2. To configure the VLAN type displayed, select the check box next to the VLAN type, such as Isolation or Registration, and enter the required information. See the table below for definitions of the fields if needed.
3. To add subnets, click the Add button in the Isolation DNS Subnets section.
4. Click Next.

Table 7: VLAN Isolation Network Field Definitions
Field | Definition

VLAN Type
  Interface: eth1
  Interface IPv4 Address: IPv4 address for the VLAN interface on eth1. Use a different IP for each VLAN you configure.
  Mask: Subnet mask.
  Gateway: Gateway for eth1 when clients connect through this VLAN.
  VLAN ID: Number used to identify this VLAN throughout the system. This number is used within FortiNac when modeling switch configurations and when setting up Network Access VLANs.
  Interface IPv6 Address: IPv6 address for the VLAN interface on eth1. Use a different IP for each VLAN you configure.
  Interface IPv6 Mask in CIDR notation: Subnet IPv6 mask for the VLAN interface in CIDR notation format (e.g., 64).
  Interface IPv6 Gateway: IPv6 Gateway for the VLAN interface on eth1 when clients connect through this VLAN.

Lease Pool
  Start, End: Starting and ending IP addresses that delineate the range of IP addresses available on this VLAN.
  Domain: Identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain. For example, for the isolation VLAN use megatech-iso.com or for the registration VLAN use megatech-reg.com.
    Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix in Domain fields may cause communication issues.
    Example: Incorrect DNS suffix for reg: tech-reg.megatech.local. Correct DNS suffix for reg: tech.megatech-reg.edu
  Lease Time: Time in seconds that an IP address in this domain is available for use. When this time has elapsed the user is served a new IP address. The recommended lease time for Isolation, Registration, Remediation, Authentication, Dead End and VPN is 60 seconds.

Isolation IP Subnets
  IP Subnets are optional and used in situations like client control via FlexCLI or roles-only Aruba/Xirrus integration.
  Subnets: List of IP Addresses and corresponding Subnet Masks indicating IP addresses for which FortiNac will serve DNS. Should only be used for hosts that are being isolated by FortiNac. Can be any address on any subnet, as long as the same address is added to the filters as an isolation address when configuring the device.
Figure 9: Layer 2 Isolation
Figure 10: Add Subnet

Table 8: Layer 2 Access Point Management Field Definitions
Field | Definition

Access Point Management
  Interface: eth1
  Interface IP Address: IP address for the VLAN interface on eth1. This VLAN is used when more than one MAC address is detected on a single port. This typically occurs when network users connect to a hub or an unmanaged router.
  Mask: Subnet mask.

Access Point Management: Production Network Scopes
  Network users in this VLAN are divided into authenticated users and unauthenticated users. Authenticated users can access the production network using a range of specified IP addresses. Unauthenticated users are isolated from the production network based on a separate range of IP addresses. However, all users remain in the same VLAN.
  Gateway: Gateway for eth1 when clients connect through this VLAN using the IP addresses defined for the Production Network.
  VLAN ID: Number used to identify this VLAN throughout the system. This number is used by FortiNac.
  Lease Pool Start, End: Starting and ending IP addresses that delineate the range of IP addresses available on this VLAN.
  Domain: Identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain. For example, for the isolation VLAN use megatech-iso.com or for the registration VLAN use megatech-reg.com.
    Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix in Domain fields may cause communication issues.
    Example: Incorrect DNS suffix for reg: tech-reg.megatech.local. Correct DNS suffix for reg: tech.megatech-reg.edu
  Lease Time: Time in seconds that an IP address in this domain is available for use. When this time has elapsed the user is served a new IP address. The recommended lease time for Access Point Management/Production is 3600 seconds.
  Production DNS Primary: IP address of the Primary DNS Server.
  Production DNS Secondary: IP address of the Secondary DNS Server.

Access Point Management: Isolation Network Scopes
  Gateway: Gateway for eth1 when clients connect through this VLAN using the IP addresses defined for the Isolation Network.
  Mask: Subnet mask.
  Lease Pool Start, End: Starting and ending IP addresses that delineate the range of IP addresses available for unauthenticated users on this VLAN.
  Domain: Identifies the domain for this range of IP addresses. To help identify the VLAN, incorporate part of the name in the domain. For example, for the isolation VLAN use megatech-iso.com or for the registration VLAN use megatech-reg.com.
    Note: If you use agents for OS X, iOS, and some Linux systems, using a .local suffix in Domain fields may cause communication issues.
    Example: Incorrect DNS suffix for reg: tech-reg.megatech.local. Correct DNS suffix for reg: tech.megatech-reg.edu
  Lease Time: Time in seconds that an IP address in this domain is available for use. When this time has elapsed the user is served a new IP address. The recommended lease time for Access Point Management/Isolation is 60 seconds.

Figure 11: Layer 2 Access Point Management

Layer 2 Network - Additional Routes

If you want to configure additional routes within your Layer 2 network, see Layer 3 Network - Additional Routes on page 37 for steps. Configuration is the same for both network types. After you have configured additional routes, click Summary. See Layer 2 Network - Summary on page 24 for an example.

Layer 2 Network - Summary

1. Review the data on the Summary View to confirm the configured settings.

   Important: Confirm that you have selected the check boxes for the VLANs you are configuring. If they have not been selected, click the Back button to move through the configuration screens and select the check box(es) you need. Click Next to return to the Summary view.

2. Click Apply. The Configuration Wizard writes the data to the files on the appliances. This process may take several minutes to complete. When completed, the Results page appears. See Results: Layer 2/Layer3 Networks Or Control Manager on page 39.

Figure 12: Summary Of Layer 2 Network VLAN Configuration

Layer 3 Network - Route Scopes

If you are configuring the appliance in a routed environment, as opposed to a Layer 2 environment, use the Layer 3 selection on the Network Type window. See Network Type on page 17. Instead of trunking VLANs on eth1, eth1 is connected to a single VLAN on an untagged port. Network traffic is routed to the clients rather than the clients connecting on the local Isolation VLANs.

Multiple scopes are allowed for each of the routes (Registration, Remediation, Dead End, VPN, Authentication, Isolation, and Access Point Management). Within these scopes, multiple ranges in the lease pool are also permitted. In addition you can add static routes. See Layer 3 Network - Additional Routes on page 37.

If you are not configuring routes at this time, move to another step by doing one of the following: select the step from the list on the left, or click Next in each route screen. Re-run the Configuration Wizard to configure routes at a later time.

Note: The Configuration Wizard dynamically writes all files configured on the FortiNac Control Server to the FortiNac Application Server. No direct configuration of the FortiNac Application Server is required after the initial basic network setup is completed.

Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes should not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These are reserved.
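The VLAN and route-scope entries described above share a handful of constraints that are cheap to verify before they are entered into the wizard: lease pools must fall inside the subnet defined by the gateway and mask and must not contain the gateway or overlap one another, a Layer 3 scope label must not begin with one of the reserved prefixes, a .local domain suffix can break agent communication on some platforms, and the recommended lease times are 60 seconds for isolation-type networks and 3600 seconds for the Access Point Management production range. The Python script below is an added example, not FortiNAC code; the scope dictionary shape, the sample addresses and the domain names are constructed for this example and are not a FortiNAC file format.

```python
"""Consistency checks for Layer 2 VLAN / Layer 3 route-scope entries before they are
typed into the Configuration Wizard. Added example; not FortiNAC code."""
import ipaddress

# Reserved label prefixes for Layer 3 DHCP scopes (from the guide's Note).
RESERVED_LABEL_PREFIXES = ("REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", "HUB_")

# Recommended lease times in seconds (Tables 7 and 8).
RECOMMENDED_LEASE = {"isolation": 60, "production": 3600}


def check_scope(scope: dict) -> list[str]:
    """Return findings for one scope; an empty list means the entry is consistent.

    Expected keys (this example's own layout): label, gateway, mask,
    lease_pools (list of (start, end) pairs), domain, lease_time,
    kind ("isolation" or "production").
    """
    findings = []
    label = scope["label"]
    if label.upper().startswith(RESERVED_LABEL_PREFIXES):
        findings.append(f"{label}: label starts with a reserved prefix")
    # Gateway plus mask define the subnet every lease pool must live in.
    try:
        net = ipaddress.ip_network(f"{scope['gateway']}/{scope['mask']}", strict=False)
        gw = ipaddress.ip_address(scope["gateway"])
    except ValueError as err:
        return findings + [f"{label}: invalid gateway/mask ({err})"]
    for start, end in scope["lease_pools"]:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            findings.append(f"{label}: lease pool {start}-{end} has start after end")
        if lo not in net or hi not in net:
            findings.append(f"{label}: lease pool {start}-{end} lies outside {net}")
        elif lo <= gw <= hi:
            findings.append(f"{label}: lease pool {start}-{end} includes the gateway {gw}")
    # Table 7 note: a .local suffix may cause agent communication issues.
    if scope["domain"].lower().endswith(".local"):
        findings.append(f"{label}: domain {scope['domain']} uses a .local suffix")
    rec = RECOMMENDED_LEASE[scope["kind"]]
    if scope["lease_time"] != rec:
        findings.append(f"{label}: lease time {scope['lease_time']}s differs from the recommended {rec}s")
    return findings


def check_scopes(scopes: list[dict]) -> list[str]:
    """Check each scope, then flag lease pools that overlap (within or across scopes)."""
    findings = []
    pools = []
    for sc in scopes:
        findings.extend(check_scope(sc))
        for start, end in sc["lease_pools"]:
            pools.append((sc["label"], ipaddress.ip_address(start), ipaddress.ip_address(end)))
    for i in range(len(pools)):
        for j in range(i + 1, len(pools)):
            a, b = pools[i], pools[j]
            if a[1] <= b[2] and b[1] <= a[2]:
                findings.append(f"{a[0]} and {b[0]}: lease pools overlap")
    return findings


# Constructed sample entries; addresses and domains are made up for this example.
SAMPLE_SCOPES = [
    {"label": "Reg-Bldg1", "gateway": "10.20.1.1", "mask": "255.255.255.0",
     "lease_pools": [("10.20.1.10", "10.20.1.200")], "domain": "megatech-reg.edu",
     "lease_time": 60, "kind": "isolation"},
    {"label": "REG_Bldg2", "gateway": "10.20.2.1", "mask": "255.255.255.0",
     "lease_pools": [("10.20.2.10", "10.20.3.50")], "domain": "tech-reg.megatech.local",
     "lease_time": 3600, "kind": "isolation"},
    {"label": "Hub-Prod", "gateway": "10.30.0.1", "mask": "255.255.254.0",
     "lease_pools": [("10.30.0.1", "10.30.0.100"), ("10.30.0.50", "10.30.0.150")],
     "domain": "megatech.edu", "lease_time": 3600, "kind": "production"},
]

if __name__ == "__main__":
    for line in check_scopes(SAMPLE_SCOPES) or ["no findings"]:
        print(line)
```

In the sample data the first scope passes cleanly, the second trips the reserved-prefix, subnet, .local and lease-time checks, and the third shows a pool that swallows the gateway plus two pools that overlap each other. The same checks apply to Layer 2 VLAN lease pools, since Table 7 and Table 8 use the same gateway, mask, lease pool and domain fields.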
WARNING: If you are setting up appliances for High Availability in an environment where the redundant servers do not use a shared IP address and reside in different subnets on your network, you must enter Route Scopes in the Configuration Wizard for both the Primary and the Secondary server.

Table 9: Layer 3 Route Scopes
Route Scope: Definition
Layer 3 Isolation: Isolates all clients connecting to the network and redirects them to the appropriate isolation web pages. In the Isolation route scope the state of the client, such as known vs. unknown or out-of-compliance, determines the access control information presented to the client via the web browser or the persistent agent. If you use these scopes, configuring the other scopes (Registration, Remediation, Dead End, VPN, Authentication, or Access Point Management) is optional. You can use the Isolation scope together with these scopes for other non-production network access.
Layer 3 Registration: Isolates unregistered clients from the production network during client registration.
Layer 3 Remediation: Isolates clients who pose a potential threat after a failed policy scan from the production network.
Layer 3 Dead End: Isolates disabled clients from the production network, giving them limited or no network connectivity.
Layer 3 Virtual Private Network: Used for clients who connect to the network through VPN services.
Layer 3 Authentication: Isolates registered clients from the production network during user authentication.
Layer 3 Access Point Management: Used for clients that connect through devices managed by Access Point Management. You can manage clients connected to hubs or simple access points by using DHCP as a means to control or restrict client access. Once you have completed your configuration and started FortiNAC, access Help for additional information about the Access Point Management Plugin.
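Table 9 lists the route scope types; the rules for the individual scope fields (reserved label prefixes, no .local domains, a scope gateway that is not the eth1 gateway), the CSV format under Importing Route Scopes, and the Additional Routes that eth1 needs are described in the sections that follow. Because the wizard imports a duplicate ScopeLabel as a copy of the first record and routes client traffic back out through eth0 unless an additional route exists, it pays to check a scopes file before importing it. The following Python script is an added example for this guide; it is not FortiNAC code and not part of the Configuration Wizard. It reads a file in the Single Route CSV format, reports the problems the wizard would otherwise accept or mishandle, and derives the Additional Routes entry (Network, Mask, Gateway) for each scope subnet. The sample CSV, the eth1 gateway 192.168.10.1, and the check that each lease pool lies inside the scope's subnet are constructed for the example; the other checks restate rules from this guide. The Access Point Management Route Format, which carries two lease pool lists per row, is not handled. The lease pool check applies equally to the Layer 2 VLAN lease pools.

```python
"""Pre-import check for FortiNAC Layer 3 route scopes (added example, not FortiNAC code).

Reads the Single Route CSV format from "Importing Route Scopes":
    ScopeLabel,Default Gateway,Mask,Domain,"start-end,start-end"
applies the scope rules stated in this guide, and derives the Additional
Routes entries eth1 needs so return traffic to the clients does not leave
through the eth0 default gateway.
"""
import csv
import io
import ipaddress

# Reserved DHCP scope label prefixes, as listed in this guide.
RESERVED_PREFIXES = ("REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", "HUB_")

# Constructed sample file for this example. Rows 3 and 4 are deliberately bad:
# a reserved prefix, a .local domain, a pool that leaves its /24, and a repeated label.
SAMPLE_CSV = """\
building-1,192.168.110.1,255.255.255.0,companyreg.com,"192.168.110.100-192.168.110.200"
building-2,192.168.120.1,255.255.255.0,company-reg.com,"192.168.120.50-192.168.120.99,192.168.120.150-192.168.120.199"
REG_lab,192.168.130.1,255.255.255.0,lab.megatech.local,"192.168.130.10-192.168.131.20"
building-1,192.168.140.1,255.255.255.0,companyreg.com,"192.168.140.10-192.168.140.20"
"""


def parse_scopes(text):
    """Parse Single Route Format rows into dicts.

    Quotes are optional on every field except the lease pool list, which contains
    commas. If the list was left unquoted the CSV reader splits it into extra
    fields, so everything after the Domain column is re-joined here.
    """
    scopes = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        label, gateway, mask, domain = (f.strip() for f in row[:4])
        pool_list = ",".join(f.strip() for f in row[4:])
        pools = []
        for rng in pool_list.split(","):
            start, end = (ipaddress.IPv4Address(p.strip()) for p in rng.split("-"))
            pools.append((start, end))
        scopes.append({
            "label": label,
            "gateway": ipaddress.IPv4Address(gateway),
            "network": ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False),
            "domain": domain,
            "pools": pools,
        })
    return scopes


def validate_scopes(scopes, eth1_gateway):
    """Return a list of problem descriptions; an empty list means the file is import-ready."""
    eth1_gateway = ipaddress.IPv4Address(eth1_gateway)
    problems = []
    seen = set()
    for s in scopes:
        label, net = s["label"], s["network"]
        if label in seen:
            problems.append(f"{label}: duplicate ScopeLabel; the wizard would import a copy of the first {label!r} record instead")
        seen.add(label)
        if label.startswith(RESERVED_PREFIXES):
            problems.append(f"{label}: label starts with a reserved prefix")
        if s["domain"].lower().endswith(".local"):
            problems.append(f"{label}: .local domain breaks OS X, iOS and some Linux agents (mDNS)")
        if s["gateway"] == eth1_gateway:
            problems.append(f"{label}: scope gateway must not be the eth1 default gateway")
        for start, end in s["pools"]:
            if start > end:
                problems.append(f"{label}: lease pool {start}-{end} has start after end")
            elif start not in net or end not in net:
                problems.append(f"{label}: lease pool {start}-{end} lies outside {net}")
            elif start <= s["gateway"] <= end:
                problems.append(f"{label}: lease pool {start}-{end} contains the scope gateway")
    return problems


def additional_routes(scopes, eth1_gateway):
    """Derive one Additional Routes entry (Network, Mask, Gateway) per distinct scope subnet.

    The gateway is the eth1 gateway, not the scope's own default gateway, matching
    the Additional Routes example in this guide (192.168.110.0/24 via 192.168.10.1).
    """
    networks = {s["network"] for s in scopes}
    return [(str(n.network_address), str(n.netmask), eth1_gateway) for n in sorted(networks)]


if __name__ == "__main__":
    scopes = parse_scopes(SAMPLE_CSV)
    for problem in validate_scopes(scopes, "192.168.10.1"):
        print("PROBLEM:", problem)
    for network, mask, gateway in additional_routes(scopes, "192.168.10.1"):
        print(f"Additional route: Network={network} Mask={mask} Gateway={gateway}")
```

Run it against the real scopes file before clicking Import, fix every reported problem, and enter the printed routes on the Additional Routes screen; an empty problem list for a file that still imports oddly points at a format the script does not cover, such as the Access Point Management rows.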
Layer 3 Network - Configure Route Scopes

The configuration views for the Isolation, Registration, Remediation, Dead End, VPN and Authentication scopes are similar. The Access Point Management scope configuration view contains sections for both Production and Isolation clients. Sample Isolation and Access Point Management views are shown below.

For each set of route scopes you are configuring:
1. Click Next to proceed to the next configuration screen if you are not configuring the displayed type, or select the type from the left-hand navigation pane.
2. To configure the route scopes displayed, select the check box next to the name, such as Isolation or Registration, and enter the required information. See the table below for definitions of the fields.
3. Click Add to add scopes or Modify to change existing scope information for this route.
4. Enter the Label, Gateway, and Mask.
5. In the Lease Pools section, click Add to add the lease pool information for the scope.
6. Enter the IP addresses for the Start and End of the lease pool range, then click Add.
7. Repeat steps 3 through 6 to create additional scopes and lease pools.
8. In the Isolation IP Subnets section, enter the list of IP addresses and corresponding subnet masks indicating the IP addresses for which FortiNAC will serve DNS.
9. For the Access Point Management scopes, enter the Interface IP Address and Mask.
10. Enter the Access Point Management Scopes and Lease Pool information. Add or modify scopes and their associated lease pools.
11. Enter the Domain information in both the Production and Isolation sections.
12. Click Next when finished.

Table 10: Layer 3 Isolation Field Definitions
Field: Definition
Route Scope Interface: eth1
Interface IP Address: IP address for the Route Scope interface on eth1. Use a different IP address for each route scope type you configure.
Mask: The subnet mask for the interface IP address. Note that the mask is shared between route scope types: if you modify the mask in one route scope, it changes in all others.
Gateway: Optional. This field does not need to be configured if the appliance and all of the managed devices are on the same subnet. If the appliance and any managed devices are on different subnets, enter the IP address of the routing device. A gateway is the device that passes traffic from the local subnet to devices on other subnets. Routes are automatically created for each Isolation Subnet to the Isolation Gateway, and that traffic is routed through eth1.

Isolation Scopes
Label: User-specified name for the scope. Can be associated with a location, such as Building-B, or a function within the organization, such as Accounting.
Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes must not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These prefixes are reserved.
Gateway: Default gateway for the client lease pool you are adding. Do not use the default gateway for eth1.
Mask: Subnet mask for the default gateway.
Domain: Identifies the domain for this range of IP addresses. To help identify the scope, incorporate part of its name in the domain. For example, for the isolation scope use megatech-iso.com, and for the registration scope use megatech-reg.com.
Note: If you use agents for OS X, iOS, or some Linux systems, a .local suffix in Domain fields may cause communication problems, because those systems treat .local names as multicast DNS (mDNS) names rather than querying the configured DNS server. Example: Incorrect DNS suffix for registration: tech-reg.megatech.local. Correct DNS suffix for registration: tech.megatech-reg.edu.
Lease Pools: Starting and ending IP addresses that delineate the range of IP addresses available on this route. You can use multiple ranges.
Lease Time (in seconds): Time in seconds that an IP address is available for use. When this time has elapsed the client must obtain a new lease.
The recommended lease time for Isolation, Registration, Remediation, Dead End, VPN and Authentication is 60 seconds; the short lease ensures that a client moved out of isolation picks up a production address quickly.

Isolation IP Subnets
Subnets: IP Subnets are optional and are used in situations such as client control via FlexCLI, or roles-only Aruba/Xirrus integration. List of IP addresses and corresponding subnet masks indicating the IP addresses for which FortiNAC will serve DNS. Should only be used for hosts that are being isolated by FortiNAC. Can be any address on any subnet, as long as the same address is added to the filters as an isolation address when configuring the device.

Figure 13: Layer 3 Network Configuration - Isolation Scopes

Figure 14: Add/Modify Layer 3 Scopes And Lease Pools

Figure 15: Layer 3 Scopes - Add Lease Pool IP Range

Table 11: Layer 3 Access Point Management Field Definitions
Field: Definition
Access Point Management Interface: eth1
Interface IP Address: IP address for the VLAN interface on eth1. This VLAN is used when more than one MAC address is detected on a single port, which typically occurs when network users connect to a hub or an unmanaged router.
Mask: Subnet mask.

Access Point Management Scopes
Label: User-specified name for the scope. Can be associated with a location, such as Building-B, or a function within the organization, such as Accounting.
Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes must not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These prefixes are reserved.
Production Def Gateway: Default gateway for the client lease pool you are adding. Do not use the default gateway for eth1.
Production Mask: Subnet mask for Production IP addresses.
Production Domain: Identifies the domain for this range of IP addresses. To help identify the scope, incorporate part of its name in the domain. For example, for the isolation scope use megatech-iso.com, and for the registration scope use megatech-reg.com.
Note: If you use agents for OS X, iOS, or some Linux systems, a .local suffix in Domain fields may cause communication problems, because those systems treat .local names as multicast DNS (mDNS) names rather than querying the configured DNS server. Example: Incorrect DNS suffix for registration: tech-reg.megatech.local. Correct DNS suffix for registration: tech.megatech-reg.edu.
Production Lease Pools: Starting and ending IP addresses that delineate the range of IP addresses available for authenticated users in this scope.
Isolation Def Gateway: Default gateway for eth1 when connecting through this scope using the IP addresses defined for the Isolation Network.
Isolation Mask: Subnet mask for Isolation IP addresses.
Isolation Domain: Identifies the domain for this range of IP addresses. The same naming guidance and the same .local caveat apply as for the Production Domain; for example, megatech-iso.com.
Isolation Lease Pools: Starting and ending IP addresses that delineate the range of IP addresses available for unauthenticated users in this scope.

Access Point Management: Production Network Scopes
Lease Time: Time in seconds that an IP address in this domain is available for use. When this time has elapsed the client must obtain a new lease. The recommended lease time for Access Point Management/Production is 3600 seconds.
Production DNS Primary: IP address of the Primary DNS Server.
Production DNS Secondary: IP address of the Secondary DNS Server.

Access Point Management: Isolation Network Scopes
Lease Time (in seconds): Time in seconds that an IP address in this domain is available for use.
When this time has elapsed the client must obtain a new lease. The recommended lease time for Access Point Management/Isolation is 60 seconds.

Figure 16: Layer 3 Access Point Management

Figure 17: Layer 3 Add Access Point Management Scopes

Importing Route Scopes

To import route scopes from a CSV file, use one of the following formats:

Single Route Format
ScopeLabel,Default Gateway,Mask,Domain,Lease Pool "start address-end address,start address-end address"

Access Point Management Route Format
ScopeLabel,Production Default Gateway,Production Mask,Production Domain,Production Lease Pool "start address-end address,start address-end address",Isolation Default Gateway,Isolation Mask,Isolation Domain,Isolation Lease Pool "start address-end address,start address-end address"

Double quotes are accepted around any field but are not required, except for Lease Pools: the lease pool list itself contains commas, so quotes must surround the entire list of lease pools or the list is split into separate fields.

Note: The ScopeLabel field must be unique for each route scope that you import. If it is not unique, the record with the first instance of the ScopeLabel is duplicated for each subsequent instance of the identical ScopeLabel, so the values in the later records are not imported. Check labels before importing.

Note: When setting up Layer 3 Network Configurations in the Configuration Wizard, labels of DHCP Scopes must not begin with any of these strings: "REG_", "REM_", "AUTH_", "DE_", "ISOL_", "VPN_", or "HUB_". These prefixes are reserved.

Examples:

Single Route Scope
building-1,172.16.220.1,255.255.255.0,companyreg.com,"172.16.220.100-172.16.220.150,172.16.220.200-172.16.220.250"

Access Point Management Route Scope
building-1,172.16.220.1,255.255.255.0,company-apmprod.com,"172.16.220.100-172.16.220.150,172.16.220.200-172.16.220.250",172.16.220.1,255.255.255.0,company-apmisol.com,"172.16.220.151-172.16.220.175"

For each scope you are configuring:
1. Navigate to the scope window, for example, Isolation.
2. Click Import.
3. On the Import Scopes File window, browse to the CSV file and click Apply.

Figure 18: Layer 3 Routes - Import Route Scopes Window

Layer 3 Network - Additional Routes

When a client connects on eth1 from a remote network, the return packet uses the eth0 Default Gateway unless a network route is added. It is recommended that you configure your network so that outbound and inbound routing uses the same interface, such as eth1. The route scopes you created in Layer 3 Network - Configure Route Scopes on page 27 route back to the clients via eth0 unless you add these routes, so client traffic would enter on eth1 but the replies would leave on eth0.

Note: In a High Availability environment you must enter additional routes on both the primary and the secondary server.

When you re-run the Configuration Wizard, the routes that you entered previously appear in the view. You may have routes in your system routes file that were not entered in the Configuration Wizard. Be aware of the following behavior:
• If you import the system routes file, the imported routes overwrite any existing routes in the Additional Routes view.
• If you enter routes in the Additional Routes view and save, these routes overwrite the previous routes.
• If there are no routes in the Additional Routes view and you save, all routes are erased from the system routes file except for the Default Gateway.

To import system routes, click the Read File button on the Additional Routes window in the Configuration Wizard. The number of routes in the system routes file is listed next to the button.

For each route you are configuring:
1. On the Additional Routes screen, click Add.
2. Enter the Network IP Address, Mask, and Gateway, then click Add.
Example: When the eth1 IP address is 192.168.10.2 and the eth1 gateway is 192.168.10.1, for the DHCP Lease Pool 192.168.110.100-192.168.110.200 add the following route:

Route Setup
Field (example): Definition
Network (192.168.110.0): Identifies the network from which packets are coming.
Mask (255.255.255.0): Subnet mask for the network.
Gateway (192.168.10.1): The gateway for eth1. Do not use the gateway of the client network.
3. Repeat step 2 to add additional routes.
Important: The routes you enter into the list on this view are written to the system routes file when you click Apply on the Summary view. If the list is blank, ALL routes in the system routes file, with the exception of the Default Gateway, are removed from the system routes file.
4. Click Next.

Figure 19: Additional Routes Window

Figure 20: Add Route Window

Results: Layer 2/Layer3 Networks Or Control Manager

1. Review the Results. Errors are noted at the top of the Results page.
2. Scroll down through the results and note errors or warnings. Make changes and apply them until a successful configuration is written.
3. Click Reboot to continue with the installation and begin network modeling and policy creation, or click Shutdown to turn off the appliance.
4. If the appliance has been shut down, it may be moved at this time, if necessary.
5. Re-run the Configuration Wizard at a later time to continue with the configuration of VLANs or to adjust previous settings.
6. Contact Customer Support for any unresolved issues.

Figure 21: Results Window

Log In To The Admin User Interface

Note: The User Name and Password for the Admin User Interface are root/YAMS. These are the factory default credentials and are not changed in the Configuration Wizard. You will be prompted to change them when you log in the first time; do so at that prompt, because until then anyone who can reach the appliance on port 8080 or 8443 can log in with the published default.

1. When the results of the configuration are satisfactory, use one of the following URLs to access the system's graphical user interface:
http://<IP Address>:8080/ or http://<Host Name of the appliance>:8080/
For the secure port: https://<IP Address>:8443/ or https://<Host Name of the appliance>:8443/
Use the HTTPS URL where possible; the port 8080 URL sends the login credentials in clear text.
2. Enter the login credentials.
User Name = root
Password = YAMS
Note: The User Name and Password fields are case sensitive.
3. Once you have logged into FortiNAC, review the End User License Agreement and click Accept to continue.
4. On the Password screen, create a new Administrator user name and password and click Apply.
5. The Quick Start Wizard is displayed. Go through the steps to set up network access for users on your network. Click Help > Current View for information on using the software.
Important: You must run the Auto-Definition Synchronizer scheduled task to retrieve the latest list of Vendor OUIs and AV/AS Definition updates.

Change Passwords After Configuration

Configuration files are overwritten whenever you run the Configuration Wizard. It is strongly recommended, therefore, that you do not make changes outside of the Configuration Wizard. Making all changes from within the Configuration Wizard prevents you from having custom configuration files that can be accidentally overwritten.

Running the Configuration Wizard to change passwords after the initial setup also causes all configuration files to be overwritten if you use the Next button to scroll through all of the pages. If no manual changes have been made, this does not cause a problem. However, it is recommended that you go directly to the Change Password window without running the entire Configuration Wizard, save the passwords, and exit the wizard. See Configuration Wizard - Passwords on page 9 for additional information on modifying your passwords.

To go directly to the Change Passwords window, type one of the following URLs:
http://<Host Name>:8080/configWizard/PasswordChange.jsp
http://<IP Address>:8080/configWizard/PasswordChange.jsp

Figure 22: Change Passwords Window

Copyright© 2018 Fortinet, Inc. All rights reserved.
Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.