Subido por Keilon Araujo

FortiNAC 8.5 Lab Guide-Online

Anuncio
DO NOT REPRINT
© FORTINET
FortiNAC Lab Guide
for FortiNAC 8.5
DO NOT REPRINT
© FORTINET
Fortinet Training
http://www.fortinet.com/training
Fortinet Document Library
http://docs.fortinet.com
Fortinet Knowledge Base
http://kb.fortinet.com
Fortinet Forums
https://forum.fortinet.com
Fortinet Support
https://support.fortinet.com
FortiGuard Labs
http://www.fortiguard.com
Fortinet Network Security Expert Program (NSE)
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
Feedback
Email: courseware@fortinet.com
1/10/2020
DO NOT REPRINT
© FORTINET
TABLE OF CONTENTS
Virtual Lab Basics
Network Topology
Lab Environment
Remote Access Test
Logging In
Disconnections and Timeouts
Screen Resolution
Sending Special Keys
Student Tools
Troubleshooting Tips
Lab 1: Getting Started with FortiNAC
Lab 2: Administrative Account Creation, Network Modeling and Creating
Groups
Exercise 1: Creating an Administrative Account
6
6
6
7
8
10
10
11
12
12
15
16
17
Access the FortiNAC GUI
Create an Administrative User Account
17
17
Exercise 2: Modeling Network Devices
19
Model Network Devices
Configure Layer 3 Polling
19
23
Exercise 3: Creating and Populating Groups
24
Create and Populate Port Groups
Create and Populate Port Groups with SSIDs
Create Host Groups
Aging Host Records
24
27
29
30
Lab 3: Identification and Classification of Rogue Devices using Device
Profiling Rules
Exercise 1: Vendor OUI Updates
Update Vendor OUI Aliases for Card Readers
Update Vendor OUI Aliases for IP Phones
Update Vendor OUI Aliases for Cameras
31
32
32
33
33
Exercise 2: Creating Device Profiling Rules
34
Create a Device Profiling Rule for IP Phones
Create a Device Profiling Rule for Card Readers
34
35
DO NOT REPRINT
© FORTINET
Create Device Profiling Rules for Cameras in the Manchester and Nashua facilities
Create a Device Profiling Rule for the Environmental Units
Create a Device Profiling Rule for Healthcare Devices
Profile Existing Rogues, Evaluate New Rogues, and View Results
Create a backup of the FortiNAC database
36
37
39
40
40
Lab 4: Visibility Views, Event Management and Logging
Exercise 1: Creating Host View Filters and Exporting Results
41
42
Create a Custom Filter
Use a Quick Filter
Exercise 2: Configuring Upstream Logging for FortiNAC Events
Configure an Upstream Log Receiver and Events for Upstream Logging
Create a backup of the FortiNAC database
Lab 5: FortiGate Integration and Logical Networks
Exercise 1: Configuring Logical Networks and Creating a Firewall Tag
Create Logical Networks for Card Readers, Cameras, and Contractors
Define Logical Networks for Card Readers, Cameras, and Contractors by VLAN ID and
VLAN Name
Create a Firewall Tag for Contractors
Exercise 2: Configuring FortiNAC for FSSO Integration
42
43
44
44
45
46
47
47
48
49
51
Configure FortiNAC FSSO Settings
Configure FortiNAC as a Single Sign-On Agent on FortiGate
Create a FortiGate FSSO Group and Define Members
51
51
52
Exercise 3: Creating a Creating a FortiGate Firewall Policy
54
Create an IPv4 Policy That Uses FSSO Group Memberships and a Test Policy
Create a Backup of the FortiNAC Database (Optional)
Lab 6: Portal Configuration and Access Control Enforcement
Exercise 1: Customizing the Captive Portal Pages
54
55
56
57
Modify the Default Portal Page for the Registration Context
57
Exercise 2: Preparing Devices for Endpoint Isolation
59
Configure the Network Device Model Settings for State-Based Enforcement
Exercise 3: Enforcing Access Control
Configure FortiNAC to Enforce State-Based Access Control
Create a Backup of the FortiNAC Database (Optional)
59
62
62
63
Lab 7: Security Policies for Network Access Control and Endpoint
Compliance
64
Exercise 1: Creating User/Host Profiles and Network Access Policies for Card
Readers and Cameras
65
Configure User/Host Profiles That Identify Card Readers and Cameras
Exercise 2: Creating User/Host Profiles and Network Access Policies for
Contractors
Configure User/Host Profiles That Identify Contractors
65
68
68
DO NOT REPRINT
© FORTINET
Create a Backup of the FortiNAC Database (Optional)
Lab 8: Guest and Contractor Services Configuration
Exercise 1: Creating a Contractor Template
Create a Contractor Template and an Administrative Sponsor
Exercise 2: Creating and Testing a Contractor Account
Create and Validate a Contractor Account
Create a Backup of the FortiNAC Database (Optional)
Lab 9: FortiNAC Integration Using SNMP and Syslog
Exercise 1: Creating an Integration Using SNMP Trap Input
Configure a Third-Party Integration Using SNMP Traps
Exercise 2: Creating an Integration Using Syslog Input
Configure a Third-Party Integration Using Incoming Syslog Information
Exercise 3: Configuring an Administrative Group for Alarm Notification
Configure an Administrative Group for Automated Notification of Alarms
Lab 10: FortiNAC Automated Threat Response
Exercise 1: Integrating With FortiGate for Automated Response
Exercise 2: Creating Security Rules for Automated Threat Response
Build Security Rules
Configure a Denied Category Web Filter Rule
Configure a Virus Infected File (EICAR test file) Rule
Configure a General Security Risk Rule
Exercise 3: Creating a Custom Security Event Parser
Create Customized Security Event Parsers
Exercise 4: Validating Security Rules
Tips and Tricks
Debug
Log Files
Services
L2 Poll
L3 Poll
Portal
Captive Portal
Device Profiler
70
71
72
72
75
75
76
77
78
78
81
81
83
83
85
86
87
87
89
90
92
94
94
98
99
99
99
99
100
100
100
100
100
DO Virtual
NOT
REPRINT
Lab Basics
© FORTINET
Virtual Lab Basics
Network Topology
In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab
and its virtual machines. It also shows the topology of the virtual machines in the lab.
If your trainer asks you to use a different lab, such as devices physically located in your
classroom, then ignore this section. This section applies only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your
trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted on remote data centers that allow each student to have their
own training lab environment or point of deliveries (PoD).
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
6
DO Remote
NOTAccess
REPRINT
Test
© FORTINET
Virtual Lab Basics
Remote Access Test
Before starting any course, check if your computer can connect to the remote data center successfully. The
remote access test fully verifies if your network connection and your web browser can support a reliable
connection to the virtual lab.
You do not have to be logged in to the lab portal in order to run the remote access test.
To run the remote access test
1. From a browser, access the following URL:
https://use.cloudshare.com/test.mvc
If your computer connects successfully to the virtual lab, you will see the message All tests passed!:
2. Inside the Speed Test box, click Run.
The speed test begins. Once complete, you will get an estimate for your bandwidth and latency. If those
estimations are not within the recommended values, you will get any error message:
7
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Virtual
NOT
REPRINT
Lab Basics
© FORTINET
Logging In
Logging In
After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.
You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.
To log in to the remote lab
1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.
3. Enter your first and last name.
4. Click Register and Login.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
8
DO Logging
NOTIn REPRINT
© FORTINET
Virtual Lab Basics
Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.
5. To open a VM from the dashboard, do one of the following:
l
From the top navigation bar, click a VM's tab.
l
From the box of the VM you want to open, click View VM.
Follow the same procedure to access any of your VMs.
When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.
9
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Virtual
NOT
REPRINT
Lab Basics
© FORTINET
Disconnections and Timeouts
For most lab exercises, you will connect to a jumpbox VM, that could be either a Windows or a Linux VM.
From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab
environment.
Disconnections and Timeouts
If your computer’s connection to the VM times out or closes, to regain access, return to the window or tab that
contains the list of VMs for your session, and reopen the VM.
If that fails, see Troubleshooting Tips on page 12.
Screen Resolution
The GUIs of some Fortinet devices require a minimum screen size.
To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also
change the color depth:
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
10
DO Sending
NOTSpecial
REPRINT
Keys
© FORTINET
Virtual Lab Basics
Sending Special Keys
You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:
From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:
11
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Virtual
NOT
REPRINT
Lab Basics
© FORTINET
Student Tools
Student Tools
There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:
Troubleshooting Tips
l
l
l
Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or highlatency connections.
Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your
computer is always on, and does not go to sleep or hibernate.
For best performance, use a stable broadband connection, such as a LAN.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
12
DO Troubleshooting
NOT REPRINT
Tips
© FORTINET
l
l
l
l
Virtual Lab Basics
You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and
general performance:
If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect,
notify the instructor.
If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:
If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action
menu, and select Revert:
Reverting to the VM's initial state will undo all of your work. Try other solutions first.
13
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Virtual
NOT
REPRINT
Lab Basics
© FORTINET
l
Troubleshooting Tips
During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the
following example appears:
To expedite the response, enter the following command in the CLI:
execute update-now
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
14
DO NOT REPRINT
© FORTINET
Lab 1: Getting Started with FortiNAC
There is no lab associated with Lesson 1.
15
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 2: Administrative Account Creation, Network Modeling
and Creating Groups
In this lab, you will create a new administrative user account. Use this account during the class when you need
administrator access to FortiNAC. You will model the network infrastructure devices to begin achieving device
and endpoint visibility, and finally you will create groups used to organize elements.
Objectives
l
Access the FortiNAC GUI
l
Create new administrative accounts
l
Model network devices
l
Create groups
Time to Complete
Estimated: 25 minutes
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
16
DO NOT REPRINT
© FORTINET
Exercise 1: Creating an Administrative Account
In this exercise, you will access the FortiNAC GUI, using a web browser, and create a new administrative user
account.
Access the FortiNAC GUI
The FortiNAC GUI is where you perform all administrative functions.
You will log in to the FortiNAC GUI throughout this lab with the login credentials that you create in the following
procedure.
To access the FortiNAC GUI
1. Log in to the CloudShare environment, and connect to the Jumpbox Server.
2. Log in using the username Administrator and the password Fortinet1!.
3. Launch a web browser and navigate to the Admin login page for the FortiNAC, using the bookmark or entering
https://192.168.0.110:8443 in the URL field.
4. Log in to the FortiNAC GUI using the username admin and the password Fortinet1!.
Create an Administrative User Account
Administrative user accounts provide customized access and capabilities to FortiNAC administrators.
In this procedure, you will create an administrative user account that you will use during this course.
To create an administrative user account
1. In the Users menu, select Admin Users.
2. In the lower-left corner of the Admin Users window, click Add.
A dialog box opens where you can enter a user ID.
3. Enter User1, and then click OK.
The Modify User dialog opens with all required fields populated. The information in these fields is gathered from
Active Directory.
4. Verify that the Authentication Type is set to LDAP, and set the Admin Profile to System Administrator.
17
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT1: Creating
REPRINT
an Administrative Account
© FORTINET
Create an Administrative User Account
5. Click OK.
6. Test your access to the account by logging out of the FortiNAC GUI, and logging back in using the account that
you created.
The password for this account is Fortinet1!.
7. Accept the End User License Agreement.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
18
DO NOT REPRINT
© FORTINET
Exercise 2: Modeling Network Devices
In this exercise, you will model wired components of the classroom network infrastructure for visibility purposes,
and organize these components, using containers in the FortiNAC topology view.
Model Network Devices
In FortiNAC, infrastructure devices are modeled for visibility and control of them, as well as the endpoints that
connect to them.
In this exercise, you will add several infrastructure devices to the topology view, while following the best practices
for device modeling.
To model wired devices
1. In the Network Devices menu, select Topology.
The topology view loads and looks similar to the following image:
2. Right-click the container named Fortinet Training, and then select Add Container.
The Add Container dialog box opens.
3. Configure the following settings:
19
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT2: Modeling
REPRINT
Network Devices
© FORTINET
Model Network Devices
Field
Value
Name
Building 1
Note
Building 1 infrastructure devices
4. Click OK.
5. Right-click the new container, and then select Add Device.
The Add Device dialog box opens.
6. Configure the following settings:
Field
Value
IP Address
192.168.0.26
Security String
private
The completed fields should look like the following image:
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
20
DO Model
NOT
REPRINT
Network
Devices
© FORTINET
Exercise 2: Modeling Network Devices
The ability of FortiNAC to communicate with the network infrastructure is fundamental
to its ability to achieve visibility and provide control and automation.
7. Click OK.
The device appears in the container.
8. Expand the Building 1 container, and then select the device named Building 1 Switch.
The right side of the screen should have a tab labeled Ports. The Ports tab shows all physical ports discovered on
the device. It also shows the ports that have devices connected to them, and the ports that are uplinks (small
cable icon). Hosts should populate on some of the ports.
9. Right-click the container named Fortinet Training, and then select Add Container.
10. Configure the following settings:
Field
Value
Name
Nashua Facility
Note
Nashua infrastructure devices
11. Click OK.
12. Right-click the Nashua Facility container, select Add Device, and then configure the following settings:
Field
Value
IP Address
192.168.0.27
Security String
private
There are no CLI settings.
13. Keep the values for the remaining settings, and click OK.
14. Right-click the container named Fortinet Training, and then select Add Container.
The Add Container dialog box opens.
15. Configure the following settings:
Field
Value
Name
Manchester Facility
Note
Manchester facility infrastructure devices
16. Click OK.
17. Right-click the Manchester Facility container, select Add Device, and then configure the following settings:
21
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT2: Modeling
REPRINT
Network Devices
© FORTINET
Model Network Devices
Field
Value
IP Address
192.168.0.30
Security String
private
18. Keep the values for the remaining settings, and click OK.
19. Right-click the Data Center container, select Add Device, and then configure the following settings:
Field
Value
IP Address
192.168.0.15
Security String
private
User Name
admin
Password
bsc123
20. Click OK.
To model the FortiGate
1. Right-click the container named Fortinet Training, and then select Add Container.
The Add Container dialog box appears.
2. Configure the following settings:
Field
Value
Name
Security Devices
Note
Our security devices
3. Click OK.
4. Right-click the new container, and then select Add Device.
The Add Device dialog box opens.
5. Configure the following settings:
Field
Value
Add to Container
Security Devices
IP Address
192.168.0.101
SNMP Protocol
SNMPv1
Security String
private
User Name
admin
Password
Fortinet1!
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
22
DO Configure
NOTLayer
REPRINT
3 Polling
© FORTINET
Exercise 2: Modeling Network Devices
Field
Value
Enable Password
(Leave this field empty)
Protocol
SSH2
6. Click Validate Credentials, and verify that the SNMP and CLI settings are correct.
7. Click OK.
FortiGate appears in the container.
Configure Layer 3 Polling
In this section, you will configure FortiNAC to gather Layer 3 (IP address) information from FortiGate to enhance
endpoint visibility.
To configure layer 3 polling
1. In the Network Devices menu, select L3 Polling (IP → MAC).
2. On the L3 Polling page, set Display to All Devices.
3. In the list of network devices, select FortiGate-Edge, and then click the Set Polling button at the bottom of the
screen.
4. In the Set Polling dialog box, select the Enable Polling check box, set the Interval to 5 Minutes and the
Priority to Low, and then click OK.
23
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 3: Creating and Populating Groups
In this exercise, you will create and modify several groups using methods that will help you achieve the site
deployment objectives.
Create and Populate Port Groups
You can use port groups to organize physical ports into logical groups, to meet the requirements of a deployment
strategy.
In this procedure, you will create eight port groups to organize different sets of ports.
To create and populate port groups
1. In the System menu, select Groups.
2. In the lower-left corner of the Groups view window, click Add.
The first group that you add will be used to identify the physical wired ports in the conference room in building
1.
3. In the Add Group dialog box, configure the following settings:
Field
Value
Name
-Building 1 Conference Room Ports
Add - in front of the names, so they are sorted to the top of the list.
Member Type
Port
Description
Wired conference room ports in building 1
4. In the Members tab, in the topology tree, locate and expand Building 1 Switch.
Expand the pop-up window to make the port numbers visible.
5. Select ports 2 to 4 and ports 16 to 19, and move them to the Selected Members field on the right.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
24
DO Create
NOT
and REPRINT
Populate Port Groups
© FORTINET
Exercise 3: Creating and Populating Groups
There are no settings for the Groups tab at this time.
6. Click OK.
7. Following the same procedure, build a second port group by configuring the following settings:
Field
Value
Name
-Building 1 Ports
Add - in front of the names, so they are sorted to the top of the list.
Member Type
Port
Description
All wired ports in building 1
8. In the Members tab, add all ports from Building 1 by selecting the container in the topology tree and clicking the
right arrow to move the ports to the Selected Members panel.
9. Click OK.
10. Following the same procedures, build another port group by configuring the following settings:
25
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT3: Creating
REPRINT
and Populating Groups
© FORTINET
Field
Value
Name
-Nashua Facility Ports
Create and Populate Port Groups
Add - in front of the names, so they are sorted to the top of the list.
Member Type
Port
Description
All wired ports in the Nashua facility
11. In the Members tab, add all of the ports from the switch that you modeled in the Nashua container.
12. Click OK.
13. Following the same procedures, build another port group by configuring the following settings:
Field
Value
Name
-Nashua Facility Conference Room Ports
Add - in front of the names, so they are sorted to the top of the list.
Member Type
Port
Description
All conference room ports in the Nashua facility
14. In the Members tab, add ports 7 to 9 and 18 to 21 from the switch that you modeled in the Nashua Facility
container.
15. Click OK.
16. Following the same procedures, build another port group by configuring the following settings:
Field
Value
Name
-Manchester Facility Ports
Add - in front of the names, so they are sorted to the top of the list.
Member Type
Port
Description
All wired ports in the Manchester Facility
17. In the Members tab, add all of the ports from the switch that you modeled in the Manchester container.
18. Click OK.
19. Following the same procedures, build another port group by configuring the following settings:
Field
Value
Name
-Building 3 Wired Ports
Add - in front of the names so they are sorted to the top of the list.
Member Type
Port
Description
Access ports in building 3
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
26
DO Create
NOT
and REPRINT
Populate Port Groups with SSIDs
© FORTINET
Exercise 3: Creating and Populating Groups
20. In the Members tab, add ports 2 to 8 from the switch that you modeled in the Building 3 container.
21. Click OK.
22. Following the same procedures, build another port group by configuring the following settings:
Field
Value
Name
-Building 4 Wired Ports
Add - in front of the names, so they are sorted to the top of the list
Member Type
Port
Description
Access ports in building 4
23. In the Members tab, add ports 2 to 8 from the switch that you modeled in the Building 4 container.
24. Click OK.
25. To build another port group, configure the following settings:
Field
Value
Name
-Engineering Ports
Add - in front of the names, so they are sorted to the top of the list
Member Type
Port
Description
Access ports used by Engineering
26. In the Members tab, add ports 2 to 8 from the EngineeringSwitch switch that you modeled in the Data Center
container.
27. Click OK.
Create and Populate Port Groups with SSIDs
When you add SSIDs to port groups, you can use them to identify point of connect in the same way that you use
physical ports.
In this exercise, you will create two additional port groups and add SSIDs to them.
To create and populate port groups with SSIDs
1. Following the same procedures, create two groups.
The first group will be used to identify Fortinet Secure SSIDs.
2. In the Add Group dialog box, configure the following settings:
27
Field
Value
Name
-SecureSSIDs
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT3: Creating
REPRINT
and Populating Groups
© FORTINET
Field
Value
Member Type
Port
Description
The secure SSIDs
Create and Populate Port Groups with SSIDs
3. In the topology tree, expand the Wireless APs container.
4. Locate and expand TrXirrusArray.
5. Select the SSID ClassroomXirrusSecure, and move it to the Selected Members field on the right.
6. Locate and expand Aruba-IAP.
7. Select the SSID ClassroomIAP-Secure, and move it to the Selected Members field on the right.
8. Click OK.
9. Create another group, using the following settings:
Field
Value
Name
-OpenSSIDs
Member Type
Port
Description
The open (non-secure) SSIDs
10. In the topology tree, expand the Wireless APs container.
11. Locate and expand the TrXirrusArray.
12. Select the SSID ClassroomXirrus, and move it to the Selected Members field on the right.
13. Locate and expand the Aruba-IAP controller.
14. Select the SSID ClassroomIAP-1, and move it to the Selected Members field on the right.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
28
DO Create
NOT
HostREPRINT
Groups
© FORTINET
Exercise 3: Creating and Populating Groups
15. Click OK.
Create Host Groups
You can use host groups to organize endpoints for management.
In this exercise, you will create a host group that you will use in the following lab to automatically organize
endpoints.
To create a host group
1. Click the Add button.
The Add Group window opens.
2. Configure the following settings:
29
Field
Value
Name
-Card Readers
Member Type
Host
Days Valid
(Leave this field empty)
Days Inactive
(Leave this field empty)
Description
All card readers at Fortinet
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT3: Creating
REPRINT
and Populating Groups
© FORTINET
Aging Host Records
Do not select any members for this group (no card readers are identified yet). You will
use this group when you begin identifying the hosts on the network.
3. Click OK.
Aging Host Records
You can set aging values for host records. These values define how long a host remains in the database before it
is deleted. This is an automated method to keep the database efficient. Setting aging at the group level overrides
global aging settings.
To age hosts by group
1. In the Filter section, in the Add Filter drop-down list, select Owner.
2. In the Owner drop-down list, select User, and then click Update.
The list of user-owned groups that appears should include Accounting, Engineering, and IT Services.
These groups are imported from Active Directory. Fortinet employees are members of these groups. Use the
Ctrl key (Command key for Mac) together with the mouse to select only these three groups.
3. Right-click one of the selected groups, and then select Set Aging.
4. In the Set Aging pop-up window, leave the Days Valid field empty, and set Days Inactive to 90.
5. Click OK.
The Days Inactive columns should reflect the change.
Aging settings will be discussed in detail in an upcoming lesson. Setting the Days
Inactive value to 90 will delete members of the group from the database if they have
not been online for 90 consecutive days.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
30
DO NOT REPRINT
© FORTINET
Lab 3: Identification and Classification of Rogue Devices
using Device Profiling Rules
In this lab, you will modify the FortiNAC database of vendor OUIs and leverage these changes when you
configure device profiling rules.
Objectives
l
Make changes to the FortiNAC vendor OUI database
l
Create device profiling rules to automate the identification and classification of devices
Time to Complete
Estimated: 30 minutes
31
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Vendor OUI Updates
In this exercise, you will modify entries in the vendor OUI tables and leverage the powerful capabilities of the
device profiling tool.
Update Vendor OUI Aliases for Card Readers
The vendor OUI tables allow FortiNAC to identify invalid OUIs if they attempt to access the network. You can also
modify the tables, so you can use them in device profiling rules.
To update vendor OUI aliases for card readers
1. In the FortiNAC GUI, in the System menu, select Settings.
The Settings view opens.
2. In the navigation panel on the left side of the window, navigate to Identification > Vendor OUIs.
3. In the Add Filter drop-down list, select Vendor OUI.
4. In the Vendor OUI field, type 00:10:8d, and then click Update.
One vendor OUI is displayed.
5. Double-click or select the entry, and, at the bottom of the screen, click Modify.
The Modify Vendor OUI window opens.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
32
DO Update
NOT
REPRINT
Vendor
OUI Aliases for IP Phones
© FORTINET
Exercise 1: Vendor OUI Updates
6. In the Vendor Alias field, type Card Readers, and then click OK.
7. Repeat steps 5 to 7 using the vendor OUI of 00:01:e6 in step 5, to identify another type of card reader.
Update Vendor OUI Aliases for IP Phones
You will update vendor OUI aliases for all of the IP phones.
To update vendor OUI aliases for IP phones
1. Update the Vendor OUI field to 00:06:5B, and then click Update.
2. Double-click or select the entry, and, at the bottom of the screen, click Modify.
The Modify Vendor OUI window opens.
3. In the Vendor Aliasfield, type IP Phones, and then click OK.
4. Repeat steps 1 to 3 using the vendor OUI of 00:08:74, to identify another type of IP phone.
Update Vendor OUI Aliases for Cameras
You will update the vendor OUI aliases for all of the cameras.
To update vendor OUI aliases for cameras
1. Update the Vendor OUI field to 00:0D:56, and then click Update.
2. Double-click or select the entry, and, at the bottom of the screen, click Modify.
The Modify Vendor OUI window opens.
3. In the Vendor Alias field, type Cameras, and then click OK.
4. Repeat steps 1 to 3 using the vendor OUI of 00:03:E3, to identify another type of camera.
33
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Creating Device Profiling Rules
In this exercise, you will create several device profiling rules to identify and classify some of the many types of
devices connected to our lab environment. Then, you will evaluate all of the unknown devices against these rules
and view the results. Finally, you will create a backup copy of the FortiNAC database, to prevent data loss.
Create a Device Profiling Rule for IP Phones
You will create two device profiling rules for IP phones, and set a rule rank.
To create a device profiling rule for IP phones
1. In the Hosts menu, select Device Profiling Rules.
2. Make sure that all of the existing rules are disabled, by ensuring that there is a red circle and slash in the Enabled
column.
3. At the bottom of the screen, click Add.
4. In the Add Device Profiling Rule window, configure the following settings:
Field
Value
Enabled
(Select this option)
Name
Our IP Phones
Description
Identifies all connected IP phones
Note
(Leave this field empty)
Notify Sponsor
(Ensure this checkbox is not selected)
Registration
Automatic
Type
IP Phone
Role
NAC-Default
Register as
Device in Host View
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
34
DO Create
NOT
REPRINT
a Device
Profiling Rule for Card Readers
© FORTINET
Exercise 2: Creating Device Profiling Rules
Field
Value
Add to Group
(Ensure this checkbox is not selected)
Access Availability
Always
5. Ensure that all Rule Confirmation Settings are not selected.
6. Click the Methods tab.
7. Select the Vendor OUI method, then, at the bottom of the Vendor OUI tab, click Add.
The Add OUI window opens.
8. In the Field drop-down list, select Vendor Alias.
9. In the Value field, type IP Phones, and then click OK.
10. In the Add Device Profiling Rule window, click OK.
The new device profiling rule appears in the rules list as the only enabled rule.
11. Select the rule, and, using the Rank arrows at the top of the list, set the rule rank to 1.
Create a Device Profiling Rule for Card Readers
You will create a device profiling rule for card readers, and set a rule rank.
To create a device profiling rule for card readers
1. In the Device Profiling Rules view, at the bottom of the screen, click Add.
2. In the Add Device Profiling Rule window, configure the following settings:
35
Field
Value
Enabled
(Select this option)
Name
Card Readers
Description
Identifies card readers
Note
(Leave this field empty)
Notify Sponsor
(Ensure this checkbox is not selected)
Registration
Automatic
Type
Card Reader
Role
NAC-Default
Register as
Device in Host View
Add to Group
-Card Readers
Access Availability
Always
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
Device Profiling
DO Exercise
NOT2: Creating
REPRINT
Rules
© FORTINET
Create Device Profiling Rules for Cameras in the Manchester and Nashua
facilities
3. Ensure that all Rule Confirmation Settings are not selected.
4. Click the Methods tab.
5. Select the Vendor OUI method, then, at the bottom of the Vendor OUI tab, click Add.
The Add OUI window opens.
6. In the Field drop-down list, select Vendor Alias.
7. In the Value field, type Card Readers, and then click OK.
8. In the Add Device Profiling Rule window, click OK.
9. Select the rule, and, using the Set Rank button, set the rank to 2.
Create Device Profiling Rules for Cameras in the Manchester and Nashua
facilities
You will create device profiling rules for cameras at two locations, and set rule rankings.
To create a device profiling rule for cameras in the Manchester facility
1. In the Device Profiling Rules view, at the bottom of the screen, click Add.
2. In the Add Device Profiling Rule window, configure the following settings:
Field
Value
Enabled
(Select this option)
Name
Cameras in Manchester
Description
Identifies cameras in the Manchester facility
Note
(Leave this field empty)
Notify Sponsor
(Ensure this checkbox is not selected)
Registration
Automatic
Type
Camera
Role
NAC-Default
Register as
Device in Host View
Access Availability
Always
3. Ensure that all Rule Confirmation Settings are not selected.
4. Click the Methods tab.
5. Select the Location method, and then click Add.
6. Select the port group named -Manchester Facility Ports, and then click OK.
7. Select the Vendor OUI method, and then, at the bottom of the Vendor OUI tab, click Add.
The Add OUI window opens.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
36
DO Create
NOT
REPRINT
a Device
Profiling Rule for the Environmental Units
© FORTINET
Exercise 2: Creating Device Profiling Rules
8. In the Field drop-down list, select Vendor Alias.
9. In the Value field, type Cameras, and then click OK.
10. In the Add Device Profiling Rule window, click OK.
11. Select the rule, and, using the Set Rank button, set the rank to 3.
To create a device profiling rule for cameras in the Nashua facility
1. In the Device Profiling Rules view, at the bottom of the screen, click Add.
2. In the Add Device Profiling Rule window, configure the following settings:
Field
Value
Enabled
(Select this option)
Name
Cameras in Nashua
Description
Identifies cameras in the Nashua facility
Note
(Leave this field empty)
Notify Sponsor
(Ensure this checkbox is not selected)
Registration
Automatic
Type
Camera
Role
NAC-Default
Register as
Device in Host View
Access Availability
Always
3. Ensure that all Rule Confirmation Settings are not selected.
4. Click the Methods tab.
5. Select the Location method, and then click Add.
6. Select the port group named -Nashua Facility Ports, and then click OK.
7. Select the Vendor OUI method, and, at the bottom of the Vendor OUI tab, click Add.
The Add OUI window opens.
8. In the Field drop-down list, select Vendor Alias.
9. In the Value field, type Cameras, and then click OK.
10. In the Add Device Profiling Rule window, click OK.
11. Select the rule, and, using the Set Rank button, set the rank to 4.
Create a Device Profiling Rule for the Environmental Units
You will create a device profiling rule for environmental units, and set a rule rank.
37
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT2: Creating
REPRINT
Device Profiling Rules
© FORTINET
Create a Device Profiling Rule for the Environmental Units
To create a device profiling rule for the environmental units
1. In the Device Profiling Rules view, at the bottom of the screen, click Add.
2. In the Add Device Profiling Rule window, configure the following settings:
Field
Value
Enabled
(Select this option)
Name
Environmental Control Units
Description
Identifies Mitsubishi ECUs
Note
(Leave this field empty)
Notify Sponsor
(Ensure this checkbox is not selected)
Registration
Automatic
Type
Environmental Control
Role
NAC-Default
Register as
Device in Host View
Access Availability
Always
Confirm Device Rule on Connect
(Select this option)
3. Ensure that the remaining Rule Confirmation Settings are not selected.
4. Click the Methods tab.
5. Select the Vendor OUI method, and then click Add.
6. Configure the following settings:
Field
Value
Field
Vendor Code
Value
00:50:56
7. Click OK.
8. Select the SNMP method, and then configure the following settings:
Field
Value
OID
1.3.6.1.2.1.1.2.0
Port
161
SNMP V1 Security String
private
9. Select the Match checkbox, click Add, and in the Value field, type1.3.6.1.4.1.673.5685, and then click
OK.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
38
DO Create
NOT
REPRINT
a Device
Profiling Rule for Healthcare Devices
© FORTINET
Exercise 2: Creating Device Profiling Rules
10. Select the TCP method, and enter two ports (separated by a comma): 2214, 3612.
11. In the Add Device Profiling Rule window, click OK.
12. Select the rule, and, using the Set Rank button, set the rank to 5.
Create a Device Profiling Rule for Healthcare Devices
You will create a device profiling rule for blood pressure monitors, and set a rule rank.
To create a device profiling rule for healthcare devices
1. In the Device Profiling Rules view, at the bottom of the screen, click Add.
2. In the Add Device Profiling Rules window, configure the following settings:
Field
Value
Enabled
(Select this option)
Name
Healthcare Device
Description
Network connected blood pressure monitors
Note
(Leave this field empty)
Notify Sponsor
(Ensure this checkbox is not selected)
Registration
Automatic
Type
Health Care Device
Role
NAC-Default
Register as
Device in Host View
Access Availability
Always
Confirm Device Rule on Connect
(Select this option)
3. Ensure that the remaining Rule Confirmation Settings are not selected.
4. Click the Methods tab.
5. Select the Vendor OUI method, and then click Add.
6. Configure the following settings:
Field
Value
Field
Vendor Code
Value
00:50:56
7. Click OK.
8. Select the SSH method.
9. In the Credentials section, click Add, and then configure the following settings:
39
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT2: Creating
REPRINT
Device Profiling Rules
© FORTINET
Profile Existing Rogues, Evaluate New Rogues, and View Results
Field
Value
Name
admin
Password
Fortinet1!
10. Click OK.
11. In the Commands section, click Add, and then configure the following settings:
Field
Value
Type
Expect
Command
#
12. Click OK.
13. Select the Match checkbox, click Add, type BPMonitor, and then click OK.
14. Select the TCP method, and in the Port field, type 8080.
15. In the Add Device Profiling Rule window, click OK.
16. Select the rule, and, using the Set Rank button, set the rank to 6.
Profile Existing Rogues, Evaluate New Rogues, and View Results
You will evaluate all existing rogues against all enabled device profiling rules.
To profile existing rogues, evaluate new rogues, and view results
1. In the lower-right corner of the Device Profiling Rules window, click Run.
A dialog box opens asking if you are sure you want to evaluate all rogues.
2. Click Yes, and then click OK.
FortiNAC evaluates all rogues that currently exist in its database.
3. In the Hosts menu, select Profiled Devices.
4. In the Filter section, click Update.
FortiNAC should have identified many of the devices on the network.
Create a backup of the FortiNAC database
You will back up the FortiNAC database.
To create a backup of the FortiNAC database
1. In the System menu, select Settings.
2. In the panel on the left side, expand the System Management folder.
3. Select Database Backup/Restore.
4. In the Schedule Database Backup section of the Database Backup/Restore view, click the Run Now button.
A new entry will appear in the Database Restore field with the current date and timestamp.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
40
DO NOT REPRINT
© FORTINET
Lab 4: Visibility Views, Event Management and Logging
In this lab, you will use the Host View to gather inventory information about network devices, and then export
this information. Then, you will configure an upstream log receiver and the necessary events to meet logging
requirements.
Objectives
l
Access the Host View to create custom filters
l
Export Host View data
l
Configure upstream logging for events
Time to Complete
Estimated: 15 minutes
41
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Creating Host View Filters and Exporting
Results
In this exercise, you will create custom and quick filters in the Host View, view the results, and export the data.
Create a Custom Filter
Custom filters allow you to locate user, host, and adapter records.
You will use custom filters to create and export a list of cameras that belong to a specific vendor and are currently
connected to the network..
To create a custom filter
1. In the Host menu, select Host View.
2. In the Search drop-down list, select Custom Filter.
The Custom Filter window opens.
3. In the Adapter tab, select the Physical Address checkbox, and enter 00:03:E3*.
4. Click the Host tab.
5. In the Misc section, select Device Type and, in the drop-down list, select Camera.
6. Click OK.
The Hosts view should update and display only cameras that have the designated vendor OUI.
7. To export the data, in the Hosts view, in the lower-left corner, click the icon for the format that you want.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
42
DO Use
NOT
a QuickREPRINT
Filter
© FORTINET
Exercise 1: Creating Host View Filters and Exporting Results
8. In the Export Dialog, enter a filename for the export file, select the following fields for export, and move them to
the right panel: Adapter-Location, Adapter-Physical Address, and Host-Device Type.
9. Click OK.
10. View the exported data.
Use a Quick Filter
Quick filters allow you to create quick and simple filters that focus on the most common filter criteria.
You will create a quick filter to display and export card readers that are currently connected to the network.
To use a Quick Filter
1. In the Search drop-down list, select Quick Filter.
2. In the search field, enter [00:10:8D*,00:01:E6*], and then press Enter.
The Hosts view should update and display all of the card readers.
You can use brackets in the Quick Search field to search for multiple criteria. This
example will show all devices that have either vendor OUI.
3. To export the data, in the Hosts view, in the lower-left corner, click the icon for the format that you want.
4. In the Export Dialog, enter a File Name for the export file, select the following fields for export, and move them
to the right panel: Adapter-Location, Adapter-Physical Address, and Host-Device Type.
5. Click OK.
6. View the exported data.
43
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Configuring Upstream Logging for FortiNAC
Events
In this exercise, you will configure an upstream log host and designate an event to send upstream to that host
when the event occurs.
Configure an Upstream Log Receiver and Events for Upstream Logging
By configuring an upstream log receiver, FortiNAC event and alarm information can be passed to an external
system for logging.
You will create an upstream log receiver and then configure events for upstream logging.
To configuring an upstream log receiver
1. In the System menu, select Settings.
The Settings view opens.
2. On the left side of the screen, click System Communication > Log Receivers.
3. In the Log Receivers view, at the bottom of the screen, click Add.
4. In the Add Log Host window, configure the following settings:
Field
Value
Type
Syslog CSV
IP Address
192.168.0.2
Port
514
Facility
Authorization
5. Click OK.
To configure events for upstream logging
1. In the Logs menu, select Event Management.
The Event Management view opens.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
44
DO Create
NOT
REPRINT
a backup
of the FortiNAC database
© FORTINET
Exercise 2: Configuring Upstream Logging for FortiNAC Events
2. Locate and select Host At Risk.
3. Right-click the event (or, at the bottom of the screen, click the Options button), and select Log Internal &
External.
4. Repeat step 3 for the Disable Host Success event.
Create a backup of the FortiNAC database
You will back up the FortiNAC database.
To create a backup of the FortiNAC database
1. In the System menu, select Settings.
2. In the panel on the left, expand the System Management folder.
3. Select Database Backup/Restore.
4. In the Schedule Database Backup section of the Database Backup/Restore view, click the Run Now button.
A new entry will appear in the Database Restore field with the current date and timestamp.
45
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 5: FortiGate Integration and Logical Networks
In this lab, you will integrate FortiNAC with FortiGate. You will configure both systems to dynamically apply
firewall policies to endpoints, based on tags and group memberships that are assigned using FortiNAC security
policies. You will then configure logical networks to simplify network access policy management.
Objectives
l
Define logical networks
l
Configure FSSO integration between FortiNAC and FortiGate
l
Create a FortiGate FSSO group and define membership using a tag or group from FortiNAC
l
Define firewall tags
Time to Complete
Estimated: 30 minutes
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
46
DO NOT REPRINT
© FORTINET
Exercise 1: Configuring Logical Networks and Creating a
Firewall Tag
In this exercise, you will define logical networks that will be used by FortiNAC network access policies. Logical
networks create an abstraction layer between a value and any number of access configurations. This provides
flexibility when enforcing access control, and greatly reduces the number of access control policies.
Create Logical Networks for Card Readers, Cameras, and Contractors
You will create and define logical networks for card readers, cameras, and contractors.
To create logical networks
1. In the Network Devices menu, click Topology.
The topology view will load.
2. Click the root container in the topology tree, and then click the Logical Networks tab.
3. Click Add to create a new logical network, and configure the following settings:
Field
Value
Name
Card Readers
Description
Used to provision badge readers
4. Click OK.
The Card Readers Logical Network should now appear as the only entry in the list.
5. Click Add to create a second logical network, and configure the following settings:
Field
Value
Name
Cameras
Description
Used to provision cameras
6. Click OK.
47
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
Configuring Logical Networks and
DO Exercise
NOT1:a Firewall
REPRINT
Creating
Tag
© FORTINET
Define Logical Networks for Card Readers, Cameras, and
Contractors by VLAN ID and VLAN Name
You now have two entries in the Logical Networks view.
7. Click Add to create a third logical network, and configure the following settings:
Field
Value
Name
Contractors
Description
Used to provision contractors
8. Click OK.
You should now have three entries in the Logical Networks view.
9. Click Add to create a fourth logical network, and configure the following settings:
Field
Value
Name
No Access
Description
Used to deny network access
10. Click OK.
You should now have four entries in the Logical Networks view.
Define Logical Networks for Card Readers, Cameras, and Contractors by VLAN
ID and VLAN Name
After logical networks are configured, they appear in the model configuration of each infrastructure device in the
topology view. They can be defined by VLAN name or VLAN ID.
You will define what each logical network means, on multiple devices, using VLAN ID.
To define logical networks by VLAN ID
1. In the Network Devices menu, click Topology.
The opology view will open.
2. In the topology tree, expand the Building 3 branch, and then click Switch-3.
3. On the right side of the screen, click the Model Configuration tab.
4. At the top of the view, next to VLAN ID, make sure that the radio button is selected.
5. In the Logical Network list, locate Card Readers and, in the Access drop-down list, select 50.
6. In the Logical Network list, locate Cameras and, in the Access drop-down list, select 150.
7. In the Logical Network list, locate Contractors and, in the Access drop-down list, select 360.
8. In the Logical Network list, locate No Access and, in the Access drop-down list, select 132.
9. Click Save.
10. In the topology tree, expand the Building 4 branch, and then click Switch-4.
11. Click the Model Configuration tab.
12. At the top of the view, next to VLAN ID, make sure that the radio button is selected.
13. In the Logical Network list, locate Card Readers and, in the Access drop-down list, select 60.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
48
DO Create
NOT
REPRINT
a Firewall
Tag for Contractors
© FORTINET
Exercise 1: Configuring Logical Networks and Creating a Firewall Tag
14. In the Logical Network list, locate Cameras and, in the Access drop-down list, select 25.
15. In the Logical Network list, locate Contractors and, in the Access drop-down list, select 460.
16. In the Logical Network list, locate No Access and, in the Access drop-down list, select 142.
17. Click Save.
18. In the topology tree, expand the Data Center branch, and then click EngineeringSwitch.
19. Click the Model Configuration tab.
20. At the top of the view, next to VLAN Name, make sure that the radio button is selected.
21. In the Logical Network list, locate Card Readers and, in the Access drop-down list, select CardReaders.
22. In the Logical Network list, locate Cameras and, in the Access drop-down list, select Cameras.
23. In the Logical Network list, locate Contractors and, in the Access drop-down list, select Contractors.
24. In the Logical Network list, locate No Access and, in the Access drop-down list, select Eng-DeadEnd.
25. Click Save.
These logical network names can be configured differently on each infrastructure
device. This is an extremely useful feature if, for example, cameras use different
VLANs at different locations.
Create a Firewall Tag for Contractors
You will create a firewall tag that will be applied to all contractors. This firewall tag will ultimately define group
membership in FortiGate and result in the enforcement of firewall policies.
To create firewall tags
1. Log in to the FortiNAC GUI.
2. Click Network Devices > Topology.
3. In the topology tree, expand the Security Devices container, and then click FortiGate-Edge.
4. On the right side of the screen, click the Virtualized Devices tab, right-click the root virtualized device, and then
click Model Configuration.
A dialog box will appear to inform you that no VLANs have been read from the device. Click OK.
5. Next to the logical network named Contractors, in the Firewall Tags field, type Contractors-Tag, and then
press Enter.
6. Click Submit.
49
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT
Logical Networks and Creating a Firewall Tag
© FORTINET
Create a Firewall Tag for Contractors
You can create firewall tags directly in the configuration view of the FortiGate
virtualized device model, as you did here, or you can create them in the Firewall Tags
view that is located at System > Settings, in the System Communication folder.
The firewall tag is applied by a security policy, as a result of a template that is applied
to contractor accounts. This is covered in a future lab.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
50
DO NOT REPRINT
© FORTINET
Exercise 2: Configuring FortiNAC for FSSO Integration
In this exercise, you will configure FortiNAC FSSO settings to prepare for Security Fabric integration with
FortiGate. Integrating FortiNAC into the Security Fabric allows it to pass endpoint group and tag information to
FortiGate, which can then be used to dynamically populate FortiGate groups.
Configure FortiNAC FSSO Settings
You will configure the settings that allow FortiNAC to be added as a Security Fabric connector.
To configure FortiNAC FSSO settings
1. In the System menu, click Settings.
2. On the left side of the screen, expand the System Communication folder, and then click Fortinet FSSO
Settings.
3. To display the remaining settings, select the Enable FSSO Communication checkbox.
4. Leave the Port setting as 8000 and the Subnet as 0.0.0.0/0.
The Port setting defines the TCP port that will be used for communicating with
FortGate, and the Subnet setting allows you to limit the FortiGate devices that will be
allowed to add FortiNAC as a Security Fabric connector, by IP address or subnet.
5. Click the Password field.
A Modify Password dialog box will appear.
6. Type Mypassword in both the Enter Password and Retype Password fields, and click OK.
7. Click Save Settings.
Configure FortiNAC as a Single Sign-On Agent on FortiGate
To configure FortiNAC as a single sign-on agent on FortiGate
1. To log in to FortiGate, on the browser bookmark bar, click the FortiGate bookmark, and then enter the username
admin and the password Fortinet1!.
2. In the panel on the left side of the window, click Global, and then click root.
3. In the Security Fabric menu, click Fabric Connectors.
4. Click Create New.
5. In the SSO/Identity section, click Fortinet Single Sign-On Agent.
6. In the Name field, type Training-FortiNAC.
7. In the Primary FSSO Agent field, type 192.168.0.110 and, in the password field, type Mypassword.
8. Click Apply & Refresh.
The Users/Groups field will update to 23, and a View button will appear.
51
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT
FortiNAC for FSSO Integration
© FORTINET
Create a FortiGate FSSO Group and Define Members
9. Click View to display the Collector Agent Group Filters.
These are the user groups, host groups, and firewall tags that were brought over from FortiNAC.
Notice that the Contractors-Tag that you created was pulled in from FortiNAC.
10. Click OK.
The FortiNAC will appear as a Security Fabric connector.
Create a FortiGate FSSO Group and Define Members
To create a FortiGate FSSO group and define members
1. In the FortiGate GUI, on the left side of the screen, open the User & Device menu.
2. Click User Groups and, at the top of the view, click Create New.
3. In the Name field, type Contractors, and then, in the Type field, select Fortinet Single Sign-On (FSSO).
4. Click the Members field, to open the Select Entries pane.
5. In the Select Entries panel, select CONTRACTORS-TAG.
CONTRACTORS-TAG should appear in the Members field.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
52
DO Create
NOT
REPRINT
a FortiGate
FSSO Group and Define Members
© FORTINET
Exercise 2: Configuring FortiNAC for FSSO Integration
6. Click OK.
The CONTRACTORS-TAG option appeared in the Select Entries list because it
was created as a firewall tag on FortiNAC and pulled into FortiGate using the FSSO
agent.
53
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 3: Creating a Creating a FortiGate Firewall Policy
In this exercise, you will create an IPv4 policy on FortiGate that will apply only to users or hosts that have a
firewall tag assigned to them by FortiNAC.
Create an IPv4 Policy That Uses FSSO Group Memberships and a Test Policy
You will configure a policy that will rely partly on membership in the FSSO group, which is dynamically updated by
FortiNAC, based on a security policy.
To create an IPv4 policy on FortiGate
1. To log in to FortiGate, on the browser bookmark bar, click the FortiGate bookmark and, enter the username
admin and the password Fortinet1!.
2. In the left panel, click Global, and then click root.
3. Go toPolicy & Object > IPv4 Policy.
4. Click Create New, and enter the following:
Field
Value
Name
Contractor Access
Incoming Interface
Internal Network (Port3)
Outgoing Interface
Internet (port1)
Source
all (in the Address tab), Contractors (in the User tab)
Destination
all
Schedule
always
Service
ALL
Action
ACCEPT
NAT
Enable this option
AntiVirus
Enable this option and select Eicar Virus
Web Filter
Enable this option and select Contractor Web Filter
DNS Filter
Enable this option and select Contractor DNS Filter
Log Allowed Traffic
Enable this option and select Security Events
Enable this policy
Enable this option
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
54
DO Create
NOT
REPRINT
a Backup
of the FortiNAC Database (Optional)
© FORTINET
Exercise 3: Creating a Creating a FortiGate Firewall Policy
5. Keep the default values for all other settings, and click OK to save the changes.
6. In the top right of the screen, click By Sequence.
7. In the ID column, move the Contractor Access policy under the Generate Security Test policy, to rank it as
second.
8. Log out of FortiGate.
This policy was created here to demonstrate how the Contractors group, whose
membership is determined by the FortiNAC firewall tag, can be associated with an
IPv4 policy. You will see the results of this policy in a future lab.
Create a Backup of the FortiNAC Database (Optional)
You will back up the FortiNAC database.
To create a backup of the FortiNAC database
1. In the System menu, click Settings.
2. In the panel on the left, expand the System Management folder.
3. Click Database Backup/Restore.
4. In the Schedule Database Backup section of the Database Backup/Restore view, click the Run Now button.
A new entry will appear in the Database Restore field with the current date and timestamp.
55
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 6: Portal Configuration and Access Control
Enforcement
In this lab, you will customize your captive portal pages for unknown host registration and verify the page
appearance. Then, you will enable registration enforcement for unknown hosts by placing all your access ports
into the Forced Registration group. You will enable enforcement on the wireless network, using the model
configuration pages for your wireless devices.
Objectives
l
Customize the captive portal pages
l
Prepare devices for endpoint isolation
l
Enforce access control
Time to Complete
Estimated: 25 minutes
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
56
DO NOT REPRINT
© FORTINET
Exercise 1: Customizing the Captive Portal Pages
In this exercise, you will customize the registration captive portal page for your registration network.
Modify the Default Portal Page for the Registration Context
The captive portal pages are the web pages that end users will be directed to when they have been isolated
because of their host state.
To customize the captive portal pages
1. Click System > Portal Configuration.
2. Under the Content Editor tab, expand the Global branch, and select Styles.
3. Click the blue banner that says the network on the left and Registration on the right.
The Page Title window opens.
4. To the right of the Background color field, click the box to open the color picker.
5. Choose a color for your page, and click OK.
6. On the Page Title screen, click OK.
7. Under the Content Editor tab, expand the Registration branch, and select Common.
8. In the Context Title field, type Fortinet Training Registration Page, to change the title.
9. Under the Registration branch, select Login Menu.
10. In the Window Title field, type Welcome to Fortinet Training.
11. Scroll down, and clear the Game Console Registration Enabled and Custom Registration Enabled options.
12. In the Guest Login Title field, type Contractor Registration<hr>.
13. In the Guest Login Link field, type <a href="GuestLoginGCS.jsp">Contractors who have a
temporary account.</a>.
57
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT1: Customizing
REPRINT
the Captive Portal Pages
© FORTINET
Modify the Default Portal Page for the Registration Context
14. Click Apply.
15. Verify the changes by logging out of the FortiNAC GUI and then visiting:
https://192.168.0.110/registration.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
58
DO NOT REPRINT
© FORTINET
Exercise 2: Preparing Devices for Endpoint Isolation
In this exercise, you will configure the infrastructure device models to enable access control enforcement.
Configure the Network Device Model Settings for State-Based Enforcement
State-based enforcement is the process of automatically isolating endpoints based on their assigned state in the
FortiNAC database.
To configure wired device models for access control enforcement
1. Click Network Device > Topology.
2. Under the topology tree on the left side of the screen, expand the Building 1 branch.
3. Right-click Building 1 Switch, and select Model Configuration.
4. In the VLAN ID section, type the VLAN ID settings shown in the following example:
5. Click Apply.
6. Under the topology tree, expand the Building 3 branch.
7. Select Switch-3, and click the Model Configuration tab.
8. In the Network Access section, in the VLAN Display Format row, select VLAN ID.
9. In the Logical Network column, in the Registration row, in the Access column drop-down list, select 130.
10. In the Logical Network column, in the Quarantine row, in the Access column drop-down list, select 131.
11. In the Logical Network column, in the Dead End row, in the Access column drop-down list, select 132.
59
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
Devices for Endpoint
DO Exercise
NOT2: Preparing
REPRINT
Isolation
© FORTINET
Configure the Network Device Model Settings for State-Based
Enforcement
12. Click Save.
To configure wired device models for access control enforcement using VLAN name
1. Under the topology tree, expand the Building 4 branch.
2. Select Switch-4, and click the Model Configuration tab.
3. In the Network Access section, in the VLAN Display Format row, select VLAN Name.
4. In the Logical Network column, in the Registration row, in the Access column drop-down list, select Bldg4Reg.
5. In the Logical Network column, in the Quarantine row, in the Access column drop-down list, select Bldg4Quar.
6. In the Logical Network column, in the Dead End row, in the Access column drop-down list, select Bldg4DeadEnd.
7. Click Save.
8. Under the topology tree, expand the Data Center branch.
9. Select EngineeringSwitch, and click the Model Configuration tab.
10. In the Network Access section, in the VLAN Display Format row, select VLAN Name.
11. In the Logical Network column, in the Registration row, in the Access column drop-down list, select Eng-Reg.
12. In the Logical Network column, in the Quarantine row, in the Access column drop-down list, select Eng-Quar.
13. In the Logical Network column, in the Dead End row, in the Access column drop-down list, select EngDeadEnd.
14. Click Save.
To configure wireless device models for access control enforcement
1. Expand the Wireless APs branch, right-click TrXirrusArray, and select Model Configuration.
2. In the RADIUS section, click Modify, and in the RADIUS Secret field, type password.
3. Enter password again in the Retype Secret field.
4. Click OK.
5. In the Network Access section, in the Host State column, in the Default row, select Production in the dropdown menu in the Access Value column.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
60
Network Device Model Settings for State-Based
DO Configure
NOTtheREPRINT
Enforcement
© FORTINET
Exercise 2: Preparing Devices for Endpoint
Isolation
6. In the Network Access section, in the Host State column, in the Dead End row, select Enforce in the dropdown menu in the Access Enforcement column, and then select DeadEnd in the drop-down menu in the
Access Value column.
7. In the Network Access section, in the Host State column, in the Registration row, select Enforce in the dropdown menu in the Access Enforcement column, and then select Registration in the drop-down menu in the
Access Value column.
8. In the Network Access section, in the Host State column, in the Quarantine row, select Deny in the drop-down
menu in the Access Enforcement column.
9. Click Apply.
10. Perform steps 1 to 9 for the Aruba-IAP controller, using the same access values.
The access values selected for the Xirrus Array are Xirrus access groups that have
been defined on the Xirrus Array and learned by FortiNAC. On the Aruba, the values
are Aruba Roles that have been configured on the IAP and read in by FortiNAC.
The model configuration values were set using both the Model Configuration tab,
and the right-click option. Both options work exactly the same way—the lab presents
both options to demonstrate the two ways that can be used to perform the same task.
61
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 3: Enforcing Access Control
In this exercise, you will turn on enforcement of access control, preventing unknown devices from gaining access
to the production network in specific locations.
Configure FortiNAC to Enforce State-Based Access Control
Access control is the automated isolation of connecting endpoints, based on the assigned state of each endpoint.
To enforce access control on rogue hosts in specific locations
1. Click System > Groups.
2. Double-click the Forced Registration group.
3. On the Modify Group window, click the Groups tab.
4. Select -Building 1 Ports, -Nashua Facility Ports, -Building 3 Wired Ports, -Building 4 Wired Ports, and Engineering Ports.
5. Click OK.
The Forced Registration group should now have a + sign to its left.
6. Expand the group by clicking on the + sign, and verify that the port groups you added are displayed.
7. Double-click the Role Based Access group.
8. On the Modify Group window, click the Groups tab.
9. Select -Building 1 Ports and -Nashua Facility Ports.
10. Click OK.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
62
DO Create
NOT
REPRINT
a Backup
of the FortiNAC Database (Optional)
© FORTINET
Exercise 3: Enforcing Access Control
The Forced Registration group enforces access control on connected hosts that have a
system assigned state or status of rogue. The Role Based Access group enforces
network access policies on connected hosts.
To enforce access control on at-risk hosts in specific locations
1. Click System > Groups.
2. Double-click the Forced Remediation group.
3. On the Modify Group window, click the Groups tab.
4. Select -Building 1 Ports, -Nashua Facility Ports, -Building 3 Wired Ports, and -Building 4 Wired Ports.
5. Click OK.
The Forced Remediation group should now have a + sign to its left.
6. Expand the group, and verify that the port groups you added are displayed.
Create a Backup of the FortiNAC Database (Optional)
In this procedure, you will back up the FortiNAC database.
To back up the FortiNAC database
1. In the System menu, select Settings.
2. In the panel on the left, expand the System Management folder.
3. Select Database Backup/Restore.
4. In the Schedule Database Backup portion of the Database Backup/Restore view, click the Run Now button.
A new entry will appear in the Database Restore field with the current date and timestamp.
63
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 7: Security Policies for Network Access Control and
Endpoint Compliance
In this lab, you will create user/host profiles to identify some of the different types of devices (card readers and
cameras) and contractor hosts in your lab environment. You will then use these profiles to create network access
policies for proper provisioning, and an endpoint compliance policy for host posture checking of contractor
systems.
Network access policies are used to automate the network provisioning of endpoints.
Objectives
l
Create user/host profiles and network access policies for card readers and cameras
l
Create user/host profiles and network access policies for contractors
l
Create an endpoint compliance policy for contractors
Time to Complete
Estimated: 45 minutes
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
64
DO NOT REPRINT
© FORTINET
Exercise 1: Creating User/Host Profiles and Network
Access Policies for Card Readers and Cameras
In this exercise you will create network access policies for dynamic provisioning of the connected card readers and
cameras, based on the logical networks defined in the model configurations of each device. This is a fundamental
part of classification and control capabilities.
Configure User/Host Profiles That Identify Card Readers and Cameras
In this procedure, you will create user/host profiles that will identify card readers and cameras connected to the
network.
To create user/host profiles for card readers
1. Click Policy > Policy Configuration.
The User/Host Profiles window opens.
2. On the left side of the view, verify that the User/Host Profiles tab is selected, and click Add.
The Add User/Host Profile window opens.
3. In the Name field, type Card Readers.
4. Leave the Where (Location) field set to Any.
5. Leave the Who/What by Group field set to Any.
6. To the right of the Who/What by Attribute field, click Add.
The Filter window opens.
7. Click the Host tab.
8. In the Misc section, select Device Type, and in the drop-down list, select Card Reader.
9. On the Filter window, click OK.
65
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
1: Creating User/Host Profiles and Network Access Policies
DO Exercise
NOT
REPRINT
for
Card Readers
and Cameras
© FORTINET
Configure User/Host Profiles That Identify Card
Readers and Cameras
10. On the Add User/Host Profile window, click OK.
You now have a profile that will match any card reader that connects to the network.
To create user/host profiles for cameras
1. Continuing in the User/Host Profiles view, verify that the User/Host Profiles tab is selected, and click Add.
The Add User/Host Profile window opens.
2. In the Name field, type Cameras.
3. Leave the Where (Location) field set to Any.
4. Leave the Who/What by Group field set to Any.
5. To the right of the Who/What by Attribute field, click Add.
The Filter window opens.
6. Click the Host tab.
7. In the Misc section, select Device Type, and in the drop-down list, select Camera.
8. On the Filter window, click OK.
9. On the Add User/Host Profile window, click OK.
You now have a profile that will match any camera.
To create network access policies for card readers
1. Click the Network Access tab in the left panel, and click Add.
The Add Network Access Policy window opens.
2. In the Name field, type Card Readers Access Policy.
3. In the User/Host Profile drop-down list, select Card Readers.
4. To the right of the Network Access Configuration field, click the Add Network Access Configuration
button.
The Add Network Access Configuration window opens.
5. In the Name field, type Card Reader Access.
6. In the Logical Networks drop-down list, select Card Readers.
7. In the Note field, type Assigns access for card readers.
8. On the Add Network Access Configuration window, click OK.
9. On the Add Network Access Policy window, in the Note field, type Assigns all card readers to
the networks defined by the Card Reader Logical Network of each device, and click
OK.
You will now have one network access policy listed.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
66
Profiles That Identify Card
DO Configure
NOTandUser/Host
REPRINT
Readers
Cameras
© FORTINET
Exercise 1: Creating User/Host Profiles and Network Access Policies
for Card Readers and Cameras
To create network access policies for cameras
1. Click the Network Access tab, and click Add.
The Add Network Access Policy window opens.
2. In the Name field, type Cameras Access Policy.
3. In the User/Host Profile drop-down list, select Cameras.
4. To the right of the Network Access Configuration field, click the Add Network Access Configuration
button.
The Add Network Access Configuration window will appear.
5. In the Name field, type Camera Access.
6. In the Logical Networks drop-down list, select Cameras.
7. In the Note field, type Assigns access for cameras.
8. On the Add Network Access Configuration window, click OK.
9. On the Network Access Policies window, in the Note field, type Assigns all cameras to the
networks defined by the Cameras logical network on each device, and click OK.
You will now have two network access policies listed.
10. Click Host > Host View.
11. Create a custom filter to display all card readers or cameras.
12. Right-click individual devices, and select Policy Details, to verify that the card reader and camera polices are
being assigned.
67
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Creating User/Host Profiles and Network
Access Policies for Contractors
In this exercise, you will create user/host profiles that will identify contractors when they are connected to the
network. You will then create network access policies for dynamic provisioning of the contractors.
Configure User/Host Profiles That Identify Contractors
You will create the necessary network access polices for the auto provisioning of contractors.
To create a profile to block contractor access
1. Click Policy > Policy Configuration.
The User/Host Profiles window opens.
2. Verify that the User/Host Profiles tab is selected, and click Add.
The Add User/Host Profile window opens.
3. In the Name field, type Contractors - No Access.
4. To the right of the Where (Location) field, click Select.
5. In the Select Location window, select -Building 1 Conference Room Ports, -Nashua Facility Conference
Room Ports, and -OpenSSIDs in the All Groups panel, and click > to move them to the Selected Groups
panel, and then click OK.
6. Leave the Who/What by Group field set to Any.
7. To the right of the Who/What by Attribute field, click Add.
The Filter window opens.
8. Click the Host tab, and in the Policy – Access section, select Role, and then in the drop-down list, select
Contractor.
9. On the Filter window, click OK.
10. On the Add User/Host Profile window, click OK.
You will now have a user/host profile that identifies contractors connected to conference room ports and nonsecure SSIDs.
To create a profile to identify contractors
1. Verify that the User/Host Profiles tab is selected, and click Add.
The Add User/Host Profile window opens.
2. In the Name field, type Contractors.
3. Leave the Where (Location) field set to Any.
4. Leave the Who/What by Group field set to Any.
5. To the right of the Who/What by Attribute field, click Add.
The Filter window opens.
6. Click the Host tab, and in the Policy – Access section, select Role, and in the drop-down list, select
Contractor, and then click OK.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
68
Profiles That Identify
DO Configure
NOTUser/Host
REPRINT
Contractors
© FORTINET
Exercise 2: Creating User/Host Profiles and Network Access Policies
for Contractors
7. Click OK.
You now have a user/host profile that identifies all contractors.
To create network access policies to block contractor access
The ranking of policies is very important. The first matched policy will be applied to the
user or host. In this exercise, you will rank the restrictive policies (no access) higher
than the production access policies.
1. From the User/Host Profiles window, click the Network Access tab.
2. Click Add.
The Add Network Access Policy window opens.
3. In the Name field, type No Contractor Access.
4. In the User/Host Profile drop-down list, select Contractors - No Access.
5. To the right of the Network Access Configuration drop-down list, click the Add Network Access
Configuration button to create a new configuration.
6. In the Name field, type Restricted Access.
7. In the Logical Network drop-down list, select No Access.
8. Click OK on both windows.
To create network access policies to allow contractor access
1. Continuing in the Network Access tab, click Add.
2. In the Name field, type Contractor Access.
3. In the User/Host Profile drop-down list, select Contractors.
4. Click Add Network Access Configuration to create a new configuration.
5. In the Name field, type Contractor Production Access.
6. Set Logical Network to Contractors.
7. Click OK on both windows.
Note that you are not only leveraging the logical networks defined at each device, but
also leveraging one of the existing state-based isolation VLANs (DeadEnd) in a
network access policy.
To create an endpoint compliance policy for contractors
1. In the panel on the right, click the Endpoint Compliance tab, and then click Add.
The Add Endpoint Compliance Policy window opens.
2. In the Name field, type Fortinet Contractor Compliance Policy.
3. In the User/Host Profile drop-down list, select Contractors.
4. Click Add Endpoint Compliance Configuration to create a new endpoint compliance configuration.
The Add Endpoint Compliance Configuration window opens.
5. In the Name field, type Fortinet Contractor Endpoint Compliance.
6. Click the Add Scan icon.
69
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
User/Host Profiles and Network Access Policies for
DO Exercise
NOT2: Creating
REPRINT
Contractors
© FORTINET
Create a Backup of the FortiNAC Database
(Optional)
The Add Scan window opens.
7. In the Name field, type Fortinet Contractor Scan.
8. Select Scan on Connect.
9. Leave the rest of the scan settings at their default values.
10. Click the Windows tab.
11. With the category set to Anti-Virus, select FortiClient.
12. With the category set to Operating System, select the following:
l
Windows 7
l
Windows 7 x64
l
Windows 10
l
Windows 10 x64
13. Click the Mac OS X tab.
14. With the category set to Anti-Virus, select FortiClient.
15. With the category set to Operating System, select the following:
l
10.12 Sierra
l
10.13 High Sierra
16. Click OK.
17. In the Scan drop-down list, select Fortinet Contractor Scan.
18. Click the Agent tab.
19. Select Latest Persistent Agent for Windows and Mac OS X.
20. Select None-Deny Access for all other options.
21. Click OK.
22. Verify that Fortinet Contractor Endpoint Compliance is selected for Endpoint Compliance Configuration,
and click OK.
Create a Backup of the FortiNAC Database (Optional)
You will back up the FortiNAC database.
To back up the FortiNAC database
1. In the System menu, select Settings.
2. In the panel on the left, expand the System Management folder.
3. Select Database Backup/Restore.
4. In the Schedule Database Backup portion of the Database Backup/Restore view, click the Run Now button.
A new entry will appear in the Database Restore field with the current date and timestamp.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
70
DO NOT REPRINT
© FORTINET
Lab 8: Guest and Contractor Services Configuration
In this lab, you will create a contractor templates to define the capabilities of your contractors. Then, you will
create an administrative profile and administrative user to act as your guest/contractor manager. Next, acting as
the guest/contractor manager, you will create a contractor account. Finally, you will register the lab Windows
machine to the contractor.
Objectives
l
Create a contractor template, administrative profile, and administrative user for contractor management
l
Create and test a contractor account
Time to Complete
Estimated: 20 minutes
71
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Creating a Contractor Template
In this exercise, you will create a contractor template that defines the attributes of all accounts built from that
template. You will then create an admin profile that will grant an administrative user the ability to create and
manage contractor accounts.
Create a Contractor Template and an Administrative Sponsor
Guest and contractor templates define the characteristics of the accounts created from them. You can create
administrative sponsors for delegation of contractor management.
To create a guest/contractor template
1. In the Users drop-down menu, click Guest/Contractor Templates.
2. Click Add to create a new template.
3. In the Name field, type Fortinet Contractor.
4. In the Visitor Type drop-down menu, click Contractor.
5. Click Select Role, and in the drop-down menu, click Contractor.
6. In the Password Length field, type 5, and click Use Mobile-Friendly Exclusions.
7. Click Account Duration, and in the Hours field, type 744.
8. Leave the remaining settings at their default values, and click the Data Fields tab.
9. On the Data Fields tab, select Ignore for all settings, except the following:
l
First Name
l
Last Name
l
Email
l
Phone
10. Click OK.
To create an administrative profile for guest and contractor management
1. In the Users drop-down menu, click Admin Profiles.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
72
DO Create
NOT
REPRINT
a Contractor
Template and an Administrative Sponsor
© FORTINET
Exercise 1: Creating a Contractor Template
2. In the Admin Profiles view, verify that the Admin Profiles tab is selected.
3. Click Add to create a new administrative profile.
4. Configure the following settings:
Field
Value
Name
Guest and Contractor Manager
Logout After
20
Login Availability
Always
Manage Hots and Ports
All
Note
Profile for management of all guest and contractor accounts
5. Select Associated users do not expire.
6. On the General tab, leave the other settings at their default values.
7. Click the Permissions tab.
8. In the row for the Guest/Contractor Accounts permissions set, select the checkboxes in the Access and
Custom columns.
When you select Custom, a new Manage Guests tab appears.
9. Click the Manage Guests tab.
10. Configure the following settings:
73
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT1: Creating
REPRINT
a Contractor Template
© FORTINET
Create a Contractor Template and an Administrative Sponsor
Field
Value
Guest Account Access
All Accounts
Account Types
Individual
Create accounts
5
Create accounts active for
45
Allowed Templates
Specify Templates
11. In the Selected Templates window, remove all the templates except Fortinet Contractor.
12. Click OK.
To create an administrative user for guest and contractor management
1. In the Users drop-down menu, click Admin Users.
2. Click Add to create a new admin user.
3. In the User ID field, type Larry, and click OK.
You are informed that the user ID was found in the directory.
4. Click OK.
The Add User window opens with Larry’s information imported from LDAP.
5. In the Admin Profile drop-down list, click Guest and Contractor Manager.
6. Click OK.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
74
DO NOT REPRINT
© FORTINET
Exercise 2: Creating and Testing a Contractor Account
In this exercise, you will create a contractor account using the template from the previous exercise. You will then
register the Windows 7 system as a contractor machine.
Create and Validate a Contractor Account
Contractor accounts are used to grant the required access to a contractor.
You will create a contractor template and an administrative sponsor to manage the contractors. You will then
access the system as the sponsor, to create and validate the account.
To create a Fortinet contractor
1. Log out of the FortiNAC GUI.
2. Log back in to the FortiNAC GUI, with the username Larry and password 123.
3. Accept the End User License Agreement.
The Guest/Contractor Accounts window opens.
4. Click Add to create a new contractor account with the following settings:
Field
Value
Template
Fortinet Contractor
Email
joe.contractor@fortinet.com
Password
<This will be autogenerated>
Account Start Date
Set the date to today
Account End Date
Set the date to 3 weeks from now
First Name
Joe
Last Name
Contractor
Phone
555-0152
Notice that the only available option in the Template drop-down list is Fortinet
Contractor. This is because it is the only template that was made available in Larry's
administrative profile.
5. Click OK.
The View Accounts window opens with the following information:
75
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT2: Creating
REPRINT
and Testing a Contractor Account
© FORTINET
Create a Backup of the FortiNAC Database (Optional)
l
User: joe.contractor@fortinet.com
l
Password: (Note the autogenerated password for use in the next steps)
6. Click Close.
To register a host as a Fortinet contractor and verify the policy
1. Go to the Windows 7 client lab system.
2. Open Firefox.
3. In the Bookmarks menu, click Hacker Site.
The website should load correctly.
4. In the Bookmarks menu, click Contractor Registration.
5. On the Registration page, select the Contractor Registration login option.
6. Use the credentials from the contractor account you created, and register your lab system.
To test the contractor policy
1. In the Bookmarks menu, click Hacker Site.
You should receive a Web Page Blocked! message.
The web page is blocked by the FortiGate IPv4 policy that you created in a previous
lab. The endpoint is now a member of the Contractors group on FortiGate because of
the firewall tag and network access policy configured on FortiNAC.
Create a Backup of the FortiNAC Database (Optional)
You will back up the FortiNAC database.
To back up the FortiNAC database
1. In the System menu, click Settings.
2. In the panel on the left, expand the System Management folder.
3. Click Database Backup/Restore.
4. In the Schedule Database Backup portion of the Database Backup/Restore view, click Run Now.
A new entry will appear in the Database Restore field with the current date and timestamp.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
76
DO NOT REPRINT
© FORTINET
Lab 9: FortiNAC Integration Using SNMP and Syslog
In this lab, you will perform the necessary configurations to integrate a security device capable of issuing SNMP
traps with FortiNAC. Then, you will model the device as a pingable device, so that FortiNAC will accept the traps
from the device. Next, you will perform the same procedures for a security device that issues syslog messages.
Finally, you will set up help desk notifications that will be sent when the alarm is triggered.
Objectives
l
Configure an integration with a device that issues SNMP traps
l
Configure an integration with a device that issues syslog messages
l
Configure notifications for alarms
Time to Complete
Estimated: 30 minutes
77
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Creating an Integration Using SNMP Trap
Input
In this exercise, you will create an integration with a third-party device, using SNMP traps as input sent to
FortiNAC.
Configure a Third-Party Integration Using SNMP Traps
Integration with third-party systems allows for the creation of events, alarms, and the automated execution of
actions.
You will create a custom trap configuration for a security device and then test the integration by validating event
and alarm creation.
To integrate with devices using SNMP traps
1. On the System menu, click Settings.
The Settings view opens.
2. On the left side of the screen, in the navigation panel, expand the System Communication folder, and select
Trap MIB Files.
3. At the bottom of the screen, click Add MIB.
The Add MIB window opens.
4. Configure the following settings:
Field
Value
MIB File Name
TrainingTrap
Label
Content Violation Event
Specific Type
23
Enterprise OID
1.3.6.1.4.1.1826
IP Address OID
1.3.6.1.4.1.1826.1.0.0.5
MAC Address OID
(leave this field empty)
User ID OID
(leave this field empty)
Alarm Cause
Possible Violation of Web Content Rules
Event Format (Java Message
API)
Event caused by {4}
5. Click OK.
6. On the Network Devices menu, click Topology.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
78
DO Configure
NOTaREPRINT
Third-Party Integration Using SNMP Traps
© FORTINET
Exercise 1: Creating an Integration Using SNMP Trap Input
7. Right-click the container named Security Devices.
8. Click Add Pingable Device.
The Add Pingable Device dialog opens.
9. On the Element tab, configure the following settings:
Field
Value
Add to Container
Security Devices
Name
Guardian
IP Address
192.168.0.22
Physical Address
00:50:8B:EE:0E:7A
Device Type
IPS/IDS
Incoming Events
Not Applicable
SSO Agent
Not Applicable
Role
NAC-Default
Description
Guardian is an inline security device
Note
John Doe manages this device
10. Enable Contact Status Polling, and set it for 10 minutes.
11. On the Details tab, configure the following settings:
Field
Value
Machine Name
Guardian
Department
IT Security
Owner
John Doe
Administrative Contact
jdoe@fortinet.com
Geographical Location
Data Center
Business Purpose
Network Security
BOOTP Address
(leave this field empty)
Print Queue
(leave this field empty)
12. Click OK.
To validate the integration
1. On the Windows 7 client desktop, double-click the SendTrap tool.
2. Return to the Jumpbox, and on the Logs menu, click Events.
79
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT1: Creating
REPRINT
an Integration Using SNMP Trap Input
© FORTINET
Configure a Third-Party Integration Using SNMP Traps
3. In the Filter section, click the Update button, and then look for a Content Violation Event.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
80
DO NOT REPRINT
© FORTINET
Exercise 2: Creating an Integration Using Syslog Input
In this exercise, you will create an integration with a third-party device, using syslog messages as input sent to
FortiNAC.
Configure a Third-Party Integration Using Incoming Syslog Information
Integration with third-party systems allows for the creation of events, alarms, and the automated execution of
actions.
You will integrate with a security device by creating a custom syslog parser for that device, and then test the
integration by validating event and alarm creation.
To integrate using syslog messages as input
1. On the System menu, click Settings.
The Settings view opens.
2. On the left side of the screen, in the navigation panel, expand the System Communication folder, and select
Syslog Files.
3. At the bottom of the screen, click Add.
The Add SysLog File window opens.
4. Configure the following settings:
Field
Value
Processing Enabled
<check>
Name
Our-IDS
Event Label
Big Brother IDS
Format
CSV Delimiter: Comma (,)
IP Column
2
Filter Column
3
Filter Values
DoS Attack
Severity Tag/Column
4
Low Severity Values
30 32 1254
Medium Severity Values
40 46 67 123
High Severity Values
50 1280 1423
5. Click OK.
6. On the Network Devices menu, click Topology.
81
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
an Integration Using Syslog
DO Exercise
NOT2: Creating
REPRINT
Input
© FORTINET
Configure a Third-Party Integration Using Incoming Syslog
Information
7. Right-click the container named Security Devices, and click Add Pingable Device.
The Add Pingable Device dialog opens.
8. On the Element tab, configure the following settings:
Field
Value
Add to Container
Security Devices
Name
Big Brother IDS
IP Address
10.10.4.55
Physical Address
00:50:56:B8:45:28
Device Type
IPS/IDS
Incoming Events
Syslog
In the drop-down list, click Big Brother IDS.
SSO Agent
Not Applicable
Role
NAC-Default
Description
Big Brother is an inline Security Device
Note
John Doe manages this device
9. Enable Contact Status Polling, and set it for 10 minutes.
10. On the Details tab, configure the following settings:
Field
Value
Machine Name
Big Brother
Department
IT Security
Owner
John Doe
Administrative Contact
jdoe@fortinet.com
Geographical Location
Data Center
Business Purpose
Network Security
BOOTP Address
(leave this field empty)
Print Queue
(leave this field empty)
11. Click OK.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
82
DO NOT REPRINT
© FORTINET
Exercise 3: Configuring an Administrative Group for Alarm
Notification
In this exercise, you will configure an alarm to automatically notify an administrative user group when that alarm
is generated.
Configure an Administrative Group for Automated Notification of Alarms
Alarm information can be automatically passed to members of administrative groups, in the form of email or SMS
messages.
You will create an administrative group to represent the help desk users. Then, you will use this group for
notifications when the alarm is generated.
To create a help desk user and group
1. On the Users menu, click Admin Profiles.
2. Click Add.
3. In the Name field, type Helpdesk Level 1.
4. Keep the default values for all other settings on the General tab.
5. On the Permissions tab, select the Access checkbox for the Event/Alarm Management permission set.
6. Click OK.
7. On the Users menu, click Admin Users.
8. Click Add.
9. In the User ID field, type dgray, and then click OK.
A notification pop-up window should inform you that the userid was found in the directory.
10. Click OK.
11. On the Add User window, in the Admin Profile drop-down list, click Helpdesk Level 1.
12. In the Email field, type dgray@fortinet.com, and then click OK.
13. On the System menu, click Groups.
14. To create a new group, click Add.
15. In the Name field, type Level 1 Helpdesk Users.
16. In the Group Type drop-down list, click Administrator.
17. Move Gray, Dorian to the Selected Members list.
18. Click OK.
To configure an alarm notification
1. On the Logs menu, click Event to Alarm Mappings.
2. At the bottom of the screen, click Add.
3. Configure the following settings:
83
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
3: Configuring an Administrative Group for
DO Exercise
NOT
REPRINT
Alarm
Notification
© FORTINET
Configure an Administrative Group for Automated
Notification of Alarms
4. Click OK.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
84
DO NOT REPRINT
© FORTINET
Lab 10: FortiNAC Automated Threat Response
In this lab, you will perform the configurations that are necessary to integrate with security appliances capable of
sending security alert messages to FortiNAC. Then, you will model the device as a pingable device, so that
FortiNAC accepts messages from the device. Next, you will create a new event parser to handle incoming
security events from a system that did not have a parser. Finally, you will create a series of security rules for
security event generation, alarm generation, and the execution of automated actions.
Objectives
l
Integrate with third-party security devices and configure notification groups
l
Create security rules for the generation of security events and alarms with automated actions
Time to Complete
Estimated: 35 minutes
85
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Integrating With FortiGate for Automated
Response
In this exercise, you will configure FortiNAC to parse syslog input from FortiGate.
To configure FortiNAC to process incoming events from FortiGate
1. Click Network Devices > Topology.
2. Under the topology tree, expand the Security Devices tree, and select FortiGate-Edge.
3. Click the Element tab.
4. To the right of Incoming Events, select Security Events.
A new drop-down menu opens.
5. Select FortiOS5.
FortiNAC will now know how to parse incoming security event (syslog) messages from this device (FortiGateEdge).
6. Click Save.
The selected parser is named FortiOS5, but it will parse the current FortiOS security
events because the format has not changed.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
86
DO NOT REPRINT
© FORTINET
Exercise 2: Creating Security Rules for Automated Threat
Response
In this exercise, you will examine how to create security rules that will trigger based on input from external
security devices. These security rules are the key to automated responses and threat mitigation.
Build Security Rules
You will build a series of security rules, beginning with a very general rule (a catch most rule) and then more
detailed rules, using security events generated from the initial rule.
To manually build a security rule
1. Click Policy > Policy Configuration.
2. Click the Security Rules tab.
3. Click Add to create a new security rule.
4. Make sure Rule Enabled is selected.
5. In the Name field, type Catch Most.
6. Click the Add Security Trigger icon to create a new security trigger.
7. Configure the following settings:
Field
Value
Name
Catch Most trigger
Time Limit
1
Filter Match
Any 1
8. In the Security Filters section, click Add to create a new security filter.
9. Select Vendor, and type Fortinet.
10. In the Custom Fields section, click Add, and configure the following settings:
Field
Value
Name
CRLEVEL
Value
high
11. In the Add Field dialog box, click OK.
12. In the Add Security Filter dialog box, click OK.
13. Click Add to create a second security filter.
14. Select Vendor, and type Fortinet.
15. In the Custom Fields section, configure the following settings:
87
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT2: Creating
REPRINT
Security Rules for Automated Threat Response
© FORTINET
Field
Value
Name
CRLEVEL
Value
critical
Build Security Rules
16. In the Add Field dialog box, click OK.
17. In the Add Security Filter dialog box, click OK.
18. Click Add to create a third security filter.
19. Select Vendor, and type Fortinet.
20. In the Custom Fields section, click Add, and configure the following settings:
Field
Value
Name
LEVEL
Value
information
21. In the Add Field dialog box, click OK.
22. In the Add Security Filter dialog box, click OK.
23. In the Add Security Trigger dialog box, click OK.
24. In the Add Security Rule dialog box, leave the User/Host Profile set to None.
25. In the Action drop-down list, select Automatic.
26. Click the Add Security Action icon to create a new security action with the following settings:
Field
Value
Name
Log to SIEM
On Activity Failure
Continue Running Activities
27. Leave Perform Secondary Task(s) cleared.
28. In the Add Security Action window, in the Activities section, click Add to add a new activity.
29. In the Activity drop-down list, select Send Alarm to External Log Hosts.
30. In the Add Security Activity dialog box, the Add Security Action dialog box, and the Add Security Rule
dialog box, click OK.
You will now have a single security rule named Catch Most.
31. Go to the Windows 7 client machine, and open a Firefox browser.
32. Click the News bookmark.
You should receive a Web Page Blocked page.
33. Click the AV Test bookmark.
You should receive a High Security Alert!! message.
34. Click the SecurityRisk bookmark, and let it try to load for a couple of seconds. Then, click X to stop trying to load
the page.
35. Return to the Jumpbox Server and the FortiNAC GUI.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
88
DO Configure
NOTaREPRINT
Denied Category Web Filter Rule
© FORTINET
Exercise 2: Creating Security Rules for Automated Threat Response
Configure a Denied Category Web Filter Rule
You will create a security rule from a security event generated by the initial Catch Most security rule.
To build a security rule from an existing security event
1. Click Logs > Security Events.
2. Click Update for the filter.
Security events should populate the view.
3. Right-click the event with Alert Type = utm and Subtype = webfilter.
4. Click View Details, and scroll through the Event Details to see all the information contained in the alert that was
sent by FortiGate.
5. Leave the Event Details window open, and right-click the same event again. This time, select Create Event
Rule.
6. In the Create Event Rule window, in the Available Fields pane, select the following fields and click > to move
them to the Selected Fields pane:
l
Alert Type
l
Subtype
l
PROFILE
l
MSG
l
CATDESC
7. Click OK.
The Add Security Trigger window opens with a security filter already created based on the fields that you
selected.
8. In the Name field, type Denied Category.
9. Leave Time Limit and Filter Match as they are, and click OK.
The Add Security Rule window will appear.
10. Configure the security rule with the following settings:
Field
Value
Name
Denied Category Web Filter Matched
11. In the User/Host Profile drop-down list, select Match, and in the second drop-down list, select Fortinet
Contractor.
12. Click the Add Security Action icon to add a new security action:
Field
Value
Name
Notify Help Desk and Log to SIEM
On Activity Failure
Continue Running Activities
13. Do not select the Perform Secondary Task(s) box.
14. In the Activities section of the Add Security Action window, click Add to add a new activity.
89
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
Security Rules for Automated Threat
DO Exercise
NOT2: Creating
REPRINT
Response
© FORTINET
Configure a Virus Infected File (EICAR test file)
Rule
15. In the Activity drop-down, select Send Alarm to External Log Host, and click OK.
16. Click Add a second time and, in the Activity drop-down, select Email Group Action.
The Add Security Activity pop-up will update and display two configurations.
17. Configure the following Security Activity settings:
Field
Value
Group
HelpDesk
Message
A user has attempted to access a denied website. Details
were sent to SIEM.
18. On the Add Security Activity window, click OK.
19. On the Add Security Action window, click OK.
20. Leave Send Email when Rule is Matched and Send Email when Action is Taken cleared.
21. Click OK.
22. Close the Event Details window.
23. Click Policy Menu > Policy Configuration.
24. Click the Security Rules tab.
You will see two security rules listed: Catch Most and Denied Category Web Filter Matched.
Configure a Virus Infected File (EICAR test file) Rule
You will create a third security rule from a security event generated by the initial Catch Most security rule.
To build a security rule from an existing security event
1. Click Logs > Security Events.
2. Click Update.
Security events should populate the view.
3. Right-click the event with Alert Type = utm and Subtype = virus.
4. Select View Details, and scroll through Event Details to see all the information contained in the alert sent by
FortiGate.
5. Leave the Event Details window open, and right-click the same event again.
6. Select Create Event Rule.
7. In the Create Event Rule window, in the Available Fields pane, select the following fields and click > to move
them to the Selected Fields pane:
l
Alert Type
l
Subtype
l
PROFILE
l
DTYPE
8. Click OK.
The Add Security Trigger window opens with a security filter already created based on the fields that you
selected.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
90
Virus Infected File (EICAR test file)
DO Configure
NOTaREPRINT
Rule
© FORTINET
Exercise 2: Creating Security Rules for Automated Threat
Response
9. In the Name field, type Virus Infected File.
10. Leave the Time Limit and Filter Match as they are, and click OK.
11. Configure the following:
Field
Value
Name
Virus Infected File Detected
12. In the User/Host Profile drop-down list, select Match, and in the second drop-down list, select Fortinet
Contractor.
13. In the Action drop-down list, select Automatic.
14. Click Add Security Action, and configure a new security action with the following settings:
Field
Value
Name
Notify Help Desk, SOC, and Log to SIEM
On Activity Failure
Continue Running Activities
15. Do not select Perform Secondary Task(s).
16. In the Activities section, click Add and in the Activity drop-down list, select Send Alarm to External Log
Hosts.
17. Click OK.
18. Click Add, and in the Activity drop-down list, select Email Group Action, and then configure the following
settings:
Field
Value
Group
SOC
Message
A user has attempted to download a file containing a virus. Details have been sent to
SIEM.
19. Click OK.
20. Click Add, and in the Activity drop-down list, select Email Group Action, and then configure the following
settings:
Field
Value
Group
HelpDesk
Message
A user has attempted to download a file containing a virus. Details have been
sent to the SOC and SIEM.
21. Click OK on the Add Security Action window.
22. Leave Send Email when Rule is Matched and Send Email when Action is Taken cleared.
23. Click OK.
24. Close the Event Details window.
25. Click Policy Menu > Policy Configuration.
91
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT2: Creating
REPRINT
Security Rules for Automated Threat Response
© FORTINET
Configure a General Security Risk Rule
26. Click the Security Rules tab.
You should see three security rules listed: Catch Most, Denied Category Web Filter Matched, and Virus
Infected File Detected.
Configure a General Security Risk Rule
You will build a security rule, that is more specific than the Catch Most rule, without using an existing security
event.
To manually build a security rule without an existing security event
1. Click Policy > Policy Configuration.
2. Click the Security Rules tab.
3. Click Add to create a new security rule.
4. Make sure Rule Enabled is selected, and name the new security rule General Security Risk.
5. To the right of the Trigger field, click the Add Security Trigger icon to create a new security trigger.
6. Name the security trigger General Security Risk Trigger.
7. Leave the Time Limit set to 1 second, and the Filter Match set to All.
8. In the Security Filters section , click Add to add a new security filter.
9. Select Vendor, and type Fortinet.
10. In the Custom Fields section, click Add, and configure the following settings:
Field
Value
Name
SERVICE
Value
SecurityRisk
11. Click OK.
12. Click OK on the Add Security Filter window and Add Security Trigger window.
13. Leave User/Host Profile set to None, and set the Action drop-down list to Automatic.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
92
DO Configure
NOTaREPRINT
General Security Risk Rule
© FORTINET
Exercise 2: Creating Security Rules for Automated Threat Response
14. Click the Add Security Action icon to create a new action.
15. Name the new security action Response for General Security Risk.
16. Leave On Activity Failure set to Continue Running Activities, and leave the Perform Secondary Task(s)
After checkbox unchecked.
17. Click Add in the Activities section to add a new activity.
18. In the Activity drop-down list, select Send Alarm to External Log Hosts, and click OK.
19. Click Add to add a second activity, and select Disable Host in the drop-down list.
20. Leave the Secondary Task checkbox unchecked, and click OK.
21. Click OK on the Add Security Action window.
22. Check the box to the left of Send Email when Rule is Matched.
23. From the Admin Group drop-down, select SOC-Helpdesk-TicketingSystem (this is an administrativelycreated group of administrative users who will be notified).
24. Click OK.
93
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 3: Creating a Custom Security Event Parser
In this exercise, you will create a security event parser for integration with third-party devices that do not have an
out-of-the-box parser.
Create Customized Security Event Parsers
Customized security event parsers allow for integration with nearly any type of security device.
You will integrate with a new type of security device, generate security events and alarms, and see the execution
of an automated work flow.
To use the event parsers tool to integrate with a firewall
1. Click System > Settings.
2. Open the System Communication folder, and select Security Event Parsers.
3. Click Add to create a new event parser.
4. Fill in the fields as shown below (the character in the CSV Delimiter field is a comma):
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
94
DO Create
NOT
REPRINT
Customized
Security Event Parsers
© FORTINET
Exercise 3: Creating a Custom Security Event Parser
5. Click OK to complete the creation of the new syslog event parser.
To model the firewall in the topology view
1. Click Network Devices > Topology.
2. Right-click Security Devices, and select Add Pingable Device.
3. Configure the new security device as follows:
4. Click OK.
95
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Exercise
NOT3: Creating
REPRINT
a Custom Security Event Parser
© FORTINET
Create Customized Security Event Parsers
To create a security rule for the old firewall
1. Click Policy > Policy Configuration.
2. From the panel on the left, select Security Rules.
3. Click Add to create a new security rule.
The Security Rule window will open.
4. Make sure Rule Enabled is selected.
5. In the Name field, type Old Firewall Rule.
6. Click Add Security Trigger to create a new trigger for this rule.
The Security Trigger window opens.
7. Configure the following settings:
Field
Value
Name
Old Firewall Trigger
Time Limit
1 Seconds
Filter Match
All
8. In the Security Filter section, click Add, and take the following actions:
a. Select Vendor, and type ACME Corp.
b. Select Type, and type Alert.
c. Select Subtype, and type Virus.
d. Select Description, and type FlashGordon-HotHail-Virus Detected.
e. Select Severity, and in the Min field, type 7, and in the Max field, type 9.
f. Click OK.
9. On the Add Security Trigger window, click OK.
10. Set the Action to Automatic, and click the Add Security Action icon to create a new security action.
11. In the Name field, type Quarantine Infected Host.
12. In the Activities section of the window click Add.
The Add Security Activity window opens.
13. In the Activity drop-down list, select Mark Host At Risk.
14. In the Primary Task drop-down list, select Quarantine Host.
15. Click OK.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
96
DO Create
NOT
REPRINT
Customized
Security Event Parsers
© FORTINET
Exercise 3: Creating a Custom Security Event Parser
16. Click OK to complete the security rule creation.
To rank the security rules
Security rules are processed in the order they are ranked. Select each rule individually, and use the Rank arrows
or the Set Rank button to rank the security rules in the following order:
1. Virus Infected File Detected
2. Denied Category Web Filter Matched
3. General Security Risk
4. Old Firewall Rule
5. Catch Most
97
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 4: Validating Security Rules
In this exercise, you will validate that the security rules are triggered by input from FortiGate.
To validate security events, alarms, and actions
1. Click Logs > Security Events.
2. At the top of the window, configure the filter to show events generated in the last 5 minutes.
3. Click Update.
There should be no, or very few, events.
4. Change to the Windows 7 client machine, and launch the Firefox web browser.
5. Click the News bookmark.
You should receive a Web Page Blocked message.
6. Click the AV Test bookmark.
You should receive a High Security Alert!! message.
7. Click the SecurityRisk bookmark, and let it try to load for a couple of seconds. Then, click X to stop trying to load
the page.
8. Return to the Jumpbox Server and look at the Security Events view.
There should be several entries.
9. Click Logs > Security Alarms.
The Security Alarms window opens, and there should be security alarms listed in the view.
10. Locate and select the security alarm that has an Action Taken Date listed.
11. At the bottom of the screen, view the entry in the Event tab, and select the Actions Taken tab to validate that
the configured actions were taken.
12. Click Undo Action.
13. Return to the Windows 7 client machine.
14. Click the News bookmark.
15. Return to the Jumpbox server, and look at the Security Events view.
There should be entries in the view.
16. Click Logs > Security Alarms.
The Security Alarms window opens and security alarms should be listed in the view for the Denied Category
Web Filter Matched rule.
17. Return to the Windows 7 client machine.
18. Click the AV test bookmark.
19. Return to the Jumpbox server, and look at the Security Events view.
There should be entries in the view.
20. Click Logs > Security Alarms.
The Security Alarms window opens and security alarms should be listed in the view for the Virus Infected File
Detected rule.
21. Click Hosts > Host View.
22. In the Search field, type *:9F:10:29 (the last six digits of the MAC address noted in the security event), and
press Enter.
The host record should be displayed and the Status column should have an X through it, indicating that the host
has been disabled.
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
98
DO NOT REPRINT
© FORTINET
Tips and Tricks
This section provides several helpful tools, commands, and log files to assist with troubleshooting different
aspects of the FortiNAC product.
Debug
The following command turns on one or more debug logs for a single device:
Device -ip 11.17.104.2 -setAttr -name DEBUG -value "debug1 debug2"
Log Files
To access log files, log in to the FortiNAC using the CLI.
l
Type logs at the prompt
l
tf will tail a file. For example: tf output.master
l
The MasterLoader log file is: output.master
l
The SlaveLoader log file is: output.slave
l
The ProbeLoader log file is: output.probe
l
The DHCP service log file is: dhcpd.log
l
The DNS log file is: named.log
Services
The following commands will stop/start/restart FortiNAC services:
For the DHCP service: /etc/init.d/dhcpd stop/start/restart (i.e. /etc/init.d/dhcpd stop)
For the DNS service: /etc/init.d/named stop/start/restart (i.e. /etc/init.d/named start)
For the Apache service: /etc/init.d/httpd stop/start/restart (i.e. /etc/init.d/httpd
restart)
For the Tomcat-Portal service:
/etc/init.d/tomcat-portal stop/start/restart (i.e. /etc/init.d/tomcat-portal stop)
For the Tomcat-Admin service:
/etc/init.d/tomcat-admin stop/start/restart (i.e. /etc/init.d/tomcat-admin stop)
99
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
DO Tips
NOT
REPRINT
and Tricks
© FORTINET
L2 Poll
L2 Poll
The following command performs an L2 poll on the specified device.
UpdateClients –ip 11.17.104.2
L3 Poll
The following command performs an L3 poll on the specified device.
ReadArpCache -ip 11.17.104.2
Portal
Enter the following as a URL to view a specific portal when there is more than one portal.
http://<ns>/registration/?portalName=<name>
Captive Portal
Host is not being moved to the captive VLAN:
l
Verify that the Network Sentry has the correct configuration for device control (CLI and Read/Write SNMP security
strings) within the Model Configuration.
l
Verify that the Network Access Value is correctly set in the Model Configuration.
l
Verify that the device is configured correctly.
If a host is in the captive VLAN but not being presented the captive portal:
l
Verify the host is in the captive VLAN
l
Verify the host does not have static IP or DNS entries
l
l
Ping sites that are not in the zones.common (approved) list. All sites should resolve to the FortiNAC captive
interface.
Ping sites that are in the zones.common (approved) list. Sites should resolve correctly.
Device Profiler
The following commands Export and Import Device Profiler rules.
l
Export DPC Rules
DumpDpcRules -dbid 5 -export mydpcrule.xml
l
Import DPC Rules
DumpDpcRules -import mydpcrule.xml
FortiNAC 8.5 Lab Guide
Fortinet Technologies Inc.
100
DO NOT REPRINT
© FORTINET
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Descargar