DO NOT REPRINT © FORTINET

FortiNAC Lab Guide for FortiNAC 8.5

Fortinet Training: http://www.fortinet.com/training
Fortinet Document Library: http://docs.fortinet.com
Fortinet Knowledge Base: http://kb.fortinet.com
Fortinet Forums: https://forum.fortinet.com
Fortinet Support: https://support.fortinet.com
FortiGuard Labs: http://www.fortiguard.com
Fortinet Network Security Expert Program (NSE): https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
Feedback Email: courseware@fortinet.com

1/10/2020

TABLE OF CONTENTS

Virtual Lab Basics
    Network Topology
    Lab Environment
    Remote Access Test
    Logging In
    Disconnections and Timeouts
    Screen Resolution
    Sending Special Keys
    Student Tools
    Troubleshooting Tips
Lab 1: Getting Started with FortiNAC
Lab 2: Administrative Account Creation, Network Modeling and Creating Groups
    Exercise 1: Creating an Administrative Account
        Access the FortiNAC GUI
        Create an Administrative User Account
    Exercise 2: Modeling Network Devices
        Model Network Devices
        Configure Layer 3 Polling
    Exercise 3: Creating and Populating Groups
        Create and Populate Port Groups
        Create and Populate Port Groups with SSIDs
        Create Host Groups
        Aging Host Records
Lab 3: Identification and Classification of Rogue Devices using Device Profiling Rules
    Exercise 1: Vendor OUI Updates
        Update Vendor OUI Aliases for Card Readers
        Update Vendor OUI Aliases for IP Phones
        Update Vendor OUI Aliases for Cameras
    Exercise 2: Creating Device Profiling Rules
        Create a Device Profiling Rule for IP Phones
        Create a Device Profiling Rule for Card Readers
        Create Device Profiling Rules for Cameras in the Manchester and Nashua Facilities
        Create a Device Profiling Rule for the Environmental Units
        Create a Device Profiling Rule for Healthcare Devices
        Profile Existing Rogues, Evaluate New Rogues, and View Results
        Create a Backup of the FortiNAC Database
Lab 4: Visibility Views, Event Management and Logging
    Exercise 1: Creating Host View Filters and Exporting Results
        Create a Custom Filter
        Use a Quick Filter
    Exercise 2: Configuring Upstream Logging for FortiNAC Events
        Configure an Upstream Log Receiver and Events for Upstream Logging
        Create a Backup of the FortiNAC Database
Lab 5: FortiGate Integration and Logical Networks
    Exercise 1: Configuring Logical Networks and Creating a Firewall Tag
        Create Logical Networks for Card Readers, Cameras, and Contractors
        Define Logical Networks for Card Readers, Cameras, and Contractors by VLAN ID and VLAN Name
        Create a Firewall Tag for Contractors
    Exercise 2: Configuring FortiNAC for FSSO Integration
        Configure FortiNAC FSSO Settings
        Configure FortiNAC as a Single Sign-On Agent on FortiGate
        Create a FortiGate FSSO Group and Define Members
    Exercise 3: Creating a FortiGate Firewall Policy
        Create an IPv4 Policy That Uses FSSO Group Memberships and a Test Policy
        Create a Backup of the FortiNAC Database (Optional)
Lab 6: Portal Configuration and Access Control Enforcement
    Exercise 1: Customizing the Captive Portal Pages
        Modify the Default Portal Page for the Registration Context
    Exercise 2: Preparing Devices for Endpoint Isolation
        Configure the Network Device Model Settings for State-Based Enforcement
    Exercise 3: Enforcing Access Control
        Configure FortiNAC to Enforce State-Based Access Control
        Create a Backup of the FortiNAC Database (Optional)
Lab 7: Security Policies for Network Access Control and Endpoint Compliance
    Exercise 1: Creating User/Host Profiles and Network Access Policies for Card Readers and Cameras
        Configure User/Host Profiles That Identify Card Readers and Cameras
    Exercise 2: Creating User/Host Profiles and Network Access Policies for Contractors
        Configure User/Host Profiles That Identify Contractors
        Create a Backup of the FortiNAC Database (Optional)
Lab 8: Guest and Contractor Services Configuration
    Exercise 1: Creating a Contractor Template
        Create a Contractor Template and an Administrative Sponsor
    Exercise 2: Creating and Testing a Contractor Account
        Create and Validate a Contractor Account
        Create a Backup of the FortiNAC Database (Optional)
Lab 9: FortiNAC Integration Using SNMP and Syslog
    Exercise 1: Creating an Integration Using SNMP Trap Input
        Configure a Third-Party Integration Using SNMP Traps
    Exercise 2: Creating an Integration Using Syslog Input
        Configure a Third-Party Integration Using Incoming Syslog Information
    Exercise 3: Configuring an Administrative Group for Alarm Notification
        Configure an Administrative Group for Automated Notification of Alarms
Lab 10: FortiNAC Automated Threat Response
    Exercise 1: Integrating With FortiGate for Automated Response
    Exercise 2: Creating Security Rules for Automated Threat Response
        Build Security Rules
        Configure a Denied Category Web Filter Rule
        Configure a Virus Infected File (EICAR test file) Rule
        Configure a General Security Risk Rule
    Exercise 3: Creating a Custom Security Event Parser
        Create Customized Security Event Parsers
    Exercise 4: Validating Security Rules
Tips and Tricks
    Debug Log Files
    Services
    L2 Poll
    L3 Poll
    Portal
    Captive Portal
    Device Profiler

Virtual Lab Basics

Network Topology

In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

If your trainer asks you to use a different lab, such as devices physically located in your classroom, ignore this section. This section applies only to the virtual lab accessed through the Internet.
If you do not know which lab to use, ask your trainer.

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote data centers that give each student their own training lab environment, or point of delivery (PoD).

FortiNAC 8.5 Lab Guide, Fortinet Technologies Inc.

Remote Access Test

Before starting any course, check whether your computer can connect to the remote data center successfully. The remote access test verifies whether your network connection and your web browser can support a reliable connection to the virtual lab. You do not have to be logged in to the lab portal to run the remote access test.

To run the remote access test
1. From a browser, go to https://use.cloudshare.com/test.mvc
   If your computer connects successfully to the virtual lab, the message All tests passed! appears.
2. In the Speed Test box, click Run. The speed test begins. When it completes, you get an estimate of your bandwidth and latency. If those estimates are not within the recommended values, an error message appears.

Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can log in. You will receive an email from your trainer with an invitation to auto-enroll in the class. The email contains a link and a passphrase.

To log in to the remote lab
1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.
3. Enter your first and last name.
4. Click Register and Login.
   Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.
5. To open a VM from the dashboard, do one of the following:
   • From the top navigation bar, click a VM's tab.
   • From the box of the VM you want to open, click View VM.

Follow the same procedure to access any of your VMs. When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console of a Fortinet VM.

For most lab exercises, you will connect to a jumpbox VM, which can be either a Windows or a Linux VM. From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab environment.

Disconnections and Timeouts

If your computer's connection to the VM times out or closes, return to the window or tab that contains the list of VMs for your session, and reopen the VM to regain access. If that fails, see Troubleshooting Tips.

Screen Resolution

The GUIs of some Fortinet devices require a minimum screen size. To configure the screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also change the color depth there.

Sending Special Keys

You can use the Virtual Keyboard panel to send either the Ctrl-Alt-Del combination or the Windows key. From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard.

Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance.

Troubleshooting Tips

• Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
• Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your computer is always on, and does not go to sleep or hibernate.
• For best performance, use a stable broadband connection, such as a LAN.
• You can run a remote access test from within your lab dashboard. It measures your bandwidth, latency, and general performance.
• If the connection to any VM or to the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect, notify the instructor.
• If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset.
• If that does not solve the access problem, you can revert the VM to its initial state: open the VM action menu, and select Revert. Reverting to the VM's initial state undoes all of your work, so try the other solutions first.
• During the labs, if a VM is waiting for a response from the authentication server, a license message appears. To expedite the response, enter the following command in the CLI: execute update-now

Lab 1: Getting Started with FortiNAC

There is no lab associated with Lesson 1.
Lab 2: Administrative Account Creation, Network Modeling and Creating Groups

In this lab, you will create a new administrative user account. Use this account during the class whenever you need administrator access to FortiNAC. You will then model the network infrastructure devices to begin achieving device and endpoint visibility, and finally you will create the groups used to organize elements.

Objectives
• Access the FortiNAC GUI
• Create new administrative accounts
• Model network devices
• Create groups

Time to Complete
Estimated: 25 minutes

Exercise 1: Creating an Administrative Account

In this exercise, you will access the FortiNAC GUI using a web browser, and create a new administrative user account.

Access the FortiNAC GUI

The FortiNAC GUI is where you perform all administrative functions. Throughout this lab, you will log in to the FortiNAC GUI with the login credentials that you create in the following procedure.

To access the FortiNAC GUI
1. Log in to the CloudShare environment, and connect to the Jumpbox Server.
2. Log in using the username Administrator and the password Fortinet1!.
3. Launch a web browser and go to the FortiNAC Admin login page, using the bookmark or by entering https://192.168.0.110:8443 in the URL field.
4. Log in to the FortiNAC GUI using the username admin and the password Fortinet1!.

Create an Administrative User Account

Administrative user accounts provide customized access and capabilities to FortiNAC administrators. Each account is assigned an admin profile that scopes what it can see and change; System Administrator is the most privileged profile, so outside a lab assign the least-privileged profile that covers the person's role. In this procedure, you will create the administrative user account that you will use during this course.

To create an administrative user account
1. In the Users menu, select Admin Users.
2. In the lower-left corner of the Admin Users window, click Add. A dialog box opens where you can enter a user ID.
3. Enter User1, and then click OK. The Modify User dialog opens with all required fields populated. The information in these fields is gathered from Active Directory.
4. Verify that the Authentication Type is set to LDAP, and set the Admin Profile to System Administrator.
5. Click OK.
6. Test your access to the account by logging out of the FortiNAC GUI, and logging back in using the account that you created. The password for this account is Fortinet1!.
7. Accept the End User License Agreement.

Exercise 2: Modeling Network Devices

In this exercise, you will model the wired components of the classroom network infrastructure for visibility purposes, and organize those components using containers in the FortiNAC topology view.

Model Network Devices

In FortiNAC, infrastructure devices are modeled for visibility and control of the devices themselves and of the endpoints that connect to them. In this exercise, you will add several infrastructure devices to the topology view, following the best practices for device modeling.

To model wired devices
1. In the Network Devices menu, select Topology. The topology view loads.
2. Right-click the container named Fortinet Training, and then select Add Container. The Add Container dialog box opens.
3. Configure the following settings:
   Field   Value
   Name    Building 1
   Note    Building 1 infrastructure devices
4. Click OK.
5. Right-click the new container, and then select Add Device. The Add Device dialog box opens.
6. Configure the following settings:
   Field            Value
   IP Address       192.168.0.26
   Security String  private
   The Security String is the SNMP community string that FortiNAC uses to read the device's configuration, and, when it enforces control, to write to it. FortiNAC's ability to communicate with the network infrastructure is fundamental to its ability to achieve visibility and provide control and automation. Be aware that SNMPv1 and SNMPv2c send the community string in cleartext, and that private is the well-known default read-write community. The lab devices use it for simplicity; in a production deployment, use SNMPv3 with authentication and privacy where the device supports it, and restrict SNMP access on each device to the FortiNAC server's addresses.
7. Click OK. The device appears in the container.
8. Expand the Building 1 container, and then select the device named Building 1 Switch. The right side of the screen has a tab labeled Ports. The Ports tab shows all physical ports discovered on the device, including the ports that have devices connected to them and the ports that are uplinks (small cable icon). Hosts should populate on some of the ports.
9. Right-click the container named Fortinet Training, and then select Add Container.
10. Configure the following settings:
   Field   Value
   Name    Nashua Facility
   Note    Nashua infrastructure devices
11. Click OK.
12. Right-click the Nashua Facility container, select Add Device, and then configure the following settings:
   Field            Value
   IP Address       192.168.0.27
   Security String  private
   There are no CLI settings for this device.
13. Keep the values for the remaining settings, and click OK.
14. Right-click the container named Fortinet Training, and then select Add Container. The Add Container dialog box opens.
15. Configure the following settings:
   Field   Value
   Name    Manchester Facility
   Note    Manchester facility infrastructure devices
16. Click OK.
17. Right-click the Manchester Facility container, select Add Device, and then configure the following settings:
   Field            Value
   IP Address       192.168.0.30
   Security String  private
18. Keep the values for the remaining settings, and click OK.
19. Right-click the Data Center container, select Add Device, and then configure the following settings:
   Field            Value
   IP Address       192.168.0.15
   Security String  private
   User Name        admin
   Password         bsc123
20. Click OK.

To model the FortiGate
1. Right-click the container named Fortinet Training, and then select Add Container. The Add Container dialog box opens.
2. Configure the following settings:
   Field   Value
   Name    Security Devices
   Note    Our security devices
3. Click OK.
4. Right-click the new container, and then select Add Device. The Add Device dialog box opens.
5. Configure the following settings:
   Field             Value
   Add to Container  Security Devices
   IP Address        192.168.0.101
   SNMP Protocol     SNMPv1
   Security String   private
   User Name         admin
   Password          Fortinet1!
   Enable Password   (Leave this field empty)
   Protocol          SSH2
6. Click Validate Credentials, and verify that the SNMP and CLI settings are correct.
7. Click OK. The FortiGate appears in the container.

Configure Layer 3 Polling

In this section, you will configure FortiNAC to gather Layer 3 (IP address) information from the FortiGate to enhance endpoint visibility. An L2 poll of a switch tells FortiNAC which MAC addresses are connected to which ports; an L3 poll of a router or firewall reads its ARP table so that each MAC address can be paired with an IP address.

To configure Layer 3 polling
1. In the Network Devices menu, select L3 Polling (IP → MAC).
2. On the L3 Polling page, set Display to All Devices.
3. In the list of network devices, select FortiGate-Edge, and then click Set Polling at the bottom of the screen.
4. In the Set Polling dialog box, select the Enable Polling check box, set the Interval to 5 Minutes and the Priority to Low, and then click OK.

Exercise 3: Creating and Populating Groups

In this exercise, you will create and modify several groups using methods that help you achieve the site deployment objectives.

Create and Populate Port Groups

You can use port groups to organize physical ports into logical groups that meet the requirements of a deployment strategy. In this procedure, you will create eight port groups to organize different sets of ports.

To create and populate port groups
1. In the System menu, select Groups.
2. In the lower-left corner of the Groups view window, click Add. The first group that you add identifies the physical wired ports in the conference room in building 1.
3. In the Add Group dialog box, configure the following settings:
   Field        Value
   Name         -Building 1 Conference Room Ports
   Member Type  Port
   Description  Wired conference room ports in building 1
   Add - in front of the names so that they sort to the top of the list.
4. In the Members tab, in the topology tree, locate and expand Building 1 Switch. Expand the pop-up window to make the port numbers visible.
5. Select ports 2 to 4 and ports 16 to 19, and move them to the Selected Members field on the right. There are no settings for the Groups tab at this time.
6. Click OK.
7. Following the same procedure, build a second port group by configuring the following settings:
   Field        Value
   Name         -Building 1 Ports
   Member Type  Port
   Description  All wired ports in building 1
8. In the Members tab, add all ports from Building 1 by selecting the container in the topology tree and clicking the right arrow to move the ports to the Selected Members panel.
9. Click OK.
10. Following the same procedure, build another port group by configuring the following settings:
   Field        Value
   Name         -Nashua Facility Ports
   Member Type  Port
   Description  All wired ports in the Nashua facility
11. In the Members tab, add all of the ports from the switch that you modeled in the Nashua Facility container.
12. Click OK.
13. Following the same procedure, build another port group by configuring the following settings:
   Field        Value
   Name         -Nashua Facility Conference Room Ports
   Member Type  Port
   Description  All conference room ports in the Nashua facility
14. In the Members tab, add ports 7 to 9 and 18 to 21 from the switch that you modeled in the Nashua Facility container.
15. Click OK.
16. Following the same procedure, build another port group by configuring the following settings:
   Field        Value
   Name         -Manchester Facility Ports
   Member Type  Port
   Description  All wired ports in the Manchester facility
17. In the Members tab, add all of the ports from the switch that you modeled in the Manchester Facility container.
18. Click OK.
19. Following the same procedure, build another port group by configuring the following settings:
   Field        Value
   Name         -Building 3 Wired Ports
   Member Type  Port
   Description  Access ports in building 3
20. In the Members tab, add ports 2 to 8 from the switch in the Building 3 container.
21. Click OK.
22. Following the same procedure, build another port group by configuring the following settings:
   Field        Value
   Name         -Building 4 Wired Ports
   Member Type  Port
   Description  Access ports in building 4
23. In the Members tab, add ports 2 to 8 from the switch in the Building 4 container.
24. Click OK.
25. To build the last port group, configure the following settings:
   Field        Value
   Name         -Engineering Ports
   Member Type  Port
   Description  Access ports used by Engineering
26. In the Members tab, add ports 2 to 8 from the EngineeringSwitch in the Data Center container.
27. Click OK.

Create and Populate Port Groups with SSIDs

When you add SSIDs to port groups, you can use them to identify the point of connection in the same way that you use physical ports. In this procedure, you will create two additional port groups and add SSIDs to them.

To create and populate port groups with SSIDs
1. Following the same procedure, create two groups. The first group identifies the Fortinet secure SSIDs.
2. In the Add Group dialog box, configure the following settings:
   Field        Value
   Name         -SecureSSIDs
   Member Type  Port
   Description  The secure SSIDs
3. In the topology tree, expand the Wireless APs container.
4. Locate and expand TrXirrusArray.
5. Select the SSID ClassroomXirrusSecure, and move it to the Selected Members field on the right.
6. Locate and expand Aruba-IAP.
7. Select the SSID ClassroomIAP-Secure, and move it to the Selected Members field on the right.
8. Click OK.
9. Create another group, using the following settings:
   Field        Value
   Name         -OpenSSIDs
   Member Type  Port
   Description  The open (non-secure) SSIDs
10. In the topology tree, expand the Wireless APs container.
11. Locate and expand TrXirrusArray.
12. Select the SSID ClassroomXirrus, and move it to the Selected Members field on the right.
13. Locate and expand the Aruba-IAP controller.
14. Select the SSID ClassroomIAP-1, and move it to the Selected Members field on the right.
15. Click OK.

Create Host Groups

You can use host groups to organize endpoints for management. In this procedure, you will create a host group that you will use in the following lab to automatically organize endpoints.

To create a host group
1. Click Add. The Add Group window opens.
2. Configure the following settings:
   Field          Value
   Name           -Card Readers
   Member Type    Host
   Days Valid     (Leave this field empty)
   Days Inactive  (Leave this field empty)
   Description    All card readers at Fortinet
   Do not select any members for this group (no card readers have been identified yet). You will use this group when you begin identifying the hosts on the network.
3. Click OK.

Aging Host Records

You can set aging values for host records. These values define how long a host record remains in the database before it is deleted, which is an automated way to keep the database efficient. Aging set at the group level overrides the global aging settings.

To age hosts by group
1. In the Filter section, in the Add Filter drop-down list, select Owner.
2. In the Owner drop-down list, select User, and then click Update. The list of user-owned groups that appears should include Accounting, Engineering, and IT Services. These groups are imported from Active Directory, and Fortinet employees are members of them. Use the Ctrl key (Command key on a Mac) together with the mouse to select only these three groups.
3. Right-click one of the selected groups, and then select Set Aging.
4. In the Set Aging pop-up window, leave the Days Valid field empty, and set Days Inactive to 90.
5. Click OK. The Days Inactive column should reflect the change. Aging settings are discussed in detail in an upcoming lesson.
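The visibility data that the L2 and L3 polls produce, and the aging rule configured above, as an added example that is not part of the lab guide or of FortiNAC's own code: a Python model of how an L2 poll (MAC addresses per switch port), an L3 poll (IP to MAC pairs from the FortiGate ARP table) and port-group membership combine into host records, and how Days Valid and Days Inactive, with a group-level setting taking precedence over the global one, decide when a record ages out. The switch and port names, MAC and IP addresses, AD group names and poll contents are all constructed for the example; treating uplink ports as never being a point of connection, leaving a MAC seen on two access ports unplaced, counting Days Valid from the record's creation and letting a group's aging setting replace the global setting as a whole are the example's own simplifications.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample poll data (not captured from the lab). The port naming
# "Building 1 Switch:2" is an assumption of this example.
L2_POLL: Dict[str, List[str]] = {            # switch port -> MACs learned on it
    "Building 1 Switch:2":  ["00:10:8D:00:00:01"],
    "Building 1 Switch:3":  ["00:06:5b:00:00:02"],
    # The uplink learns every MAC that lives beyond it, so it is not the
    # point of connection for any of them.
    "Building 1 Switch:24": ["00:10:8d:00:00:01", "00:06:5b:00:00:02",
                             "00:0d:56:00:00:03"],
}
UPLINK_PORTS: Set[str] = {"Building 1 Switch:24"}
L3_POLL: Dict[str, str] = {                  # FortiGate ARP table: IP -> MAC
    "10.1.1.11": "00:10:8d:00:00:01",
    "10.1.1.12": "00:06:5b:00:00:02",
    "10.1.1.13": "00:0d:56:00:00:03",        # only ever seen behind the uplink
}
PORT_GROUPS: Dict[str, Set[str]] = {         # port groups from Exercise 3
    "-Building 1 Conference Room Ports": {"Building 1 Switch:2", "Building 1 Switch:3"},
    "-Building 1 Ports": {"Building 1 Switch:2", "Building 1 Switch:3",
                          "Building 1 Switch:24"},
}


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form, so L2 and L3 data compare equal no
    matter how each device prints the address (AA-BB-..., aabb.cc..., ...)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class HostRecord:
    mac: str
    ip: Optional[str] = None
    port: Optional[str] = None          # None: no single access port known
    port_groups: Set[str] = field(default_factory=set)
    owner_group: Optional[str] = None   # e.g. an AD group such as "Engineering"
    created: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def merge_polls(l2: Dict[str, List[str]], l3: Dict[str, str], uplinks: Set[str],
                port_groups: Dict[str, Set[str]]) -> Dict[str, HostRecord]:
    """Build host records keyed by MAC from one L2 poll and one L3 poll."""
    access_ports: Dict[str, Set[str]] = {}
    for port, macs in l2.items():
        if port in uplinks:
            continue                    # uplinks never identify a point of connection
        for raw in macs:
            access_ports.setdefault(norm_mac(raw), set()).add(port)
    hosts: Dict[str, HostRecord] = {}
    for mac, ports in access_ports.items():
        rec = HostRecord(mac=mac)
        if len(ports) == 1:             # a MAC on two access ports is left unplaced
            rec.port = next(iter(ports))
            rec.port_groups = {g for g, members in port_groups.items() if rec.port in members}
        hosts[mac] = rec
    for ip, raw in l3.items():          # L3 supplies the IP; L3-only MACs get a record too
        mac = norm_mac(raw)
        hosts.setdefault(mac, HostRecord(mac=mac)).ip = ip
    return hosts


@dataclass(frozen=True)
class Aging:
    days_valid: Optional[int] = None     # blank in the GUI: the record never expires by age
    days_inactive: Optional[int] = None  # blank in the GUI: inactivity never expires it


def should_age_out(rec: HostRecord, now: datetime, global_aging: Aging,
                   group_aging: Dict[str, Aging]) -> bool:
    """Days Valid counts from creation, Days Inactive from the last connection.
    A setting on the host's group replaces the global setting."""
    aging = group_aging.get(rec.owner_group, global_aging) if rec.owner_group else global_aging
    if aging.days_valid is not None and rec.created is not None:
        if now - rec.created >= timedelta(days=aging.days_valid):
            return True
    if aging.days_inactive is not None and rec.last_seen is not None:
        if now - rec.last_seen >= timedelta(days=aging.days_inactive):
            return True
    return False


def example_aging() -> Dict[str, bool]:
    """Four constructed records evaluated at a fixed 'now' against the lab's
    setting (Engineering: Days Inactive 90) and a constructed global Days Valid."""
    now = datetime(2020, 1, 10)
    per_group = {"Engineering": Aging(days_inactive=90)}
    global_aging = Aging(days_valid=365)
    records = {
        "eng_inactive_91": HostRecord(mac="00:06:5b:00:00:02", owner_group="Engineering",
                                      last_seen=now - timedelta(days=91)),
        "eng_inactive_89": HostRecord(mac="00:06:5b:00:00:05", owner_group="Engineering",
                                      last_seen=now - timedelta(days=89)),
        "acct_inactive_400": HostRecord(mac="00:10:8d:00:00:01", owner_group="Accounting",
                                        created=now - timedelta(days=10),
                                        last_seen=now - timedelta(days=400)),
        "acct_created_400": HostRecord(mac="00:10:8d:00:00:07", owner_group="Accounting",
                                       created=now - timedelta(days=400)),
    }
    return {k: should_age_out(r, now, global_aging, per_group) for k, r in records.items()}


if __name__ == "__main__":
    for rec in merge_polls(L2_POLL, L3_POLL, UPLINK_PORTS, PORT_GROUPS).values():
        print(rec.mac, rec.ip, rec.port, sorted(rec.port_groups))
    print(example_aging())
```

Running the block prints one line per host record, showing that the camera-OUI MAC learned only on the uplink gets an IP from the L3 poll but no port or port group, and then the aging results: only the Engineering host that has been offline for 91 days and the Accounting host whose record is older than the global Days Valid are deleted.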
Setting the Days Inactive value to 90 deletes members of the group from the database if they have not been online for 90 consecutive days.

Lab 3: Identification and Classification of Rogue Devices using Device Profiling Rules

In this lab, you will modify the FortiNAC database of vendor OUIs and use those changes when you configure device profiling rules.

Objectives
• Make changes to the FortiNAC vendor OUI database
• Create device profiling rules to automate the identification and classification of devices

Time to Complete
Estimated: 30 minutes

Exercise 1: Vendor OUI Updates

In this exercise, you will modify entries in the vendor OUI tables so that the device profiling tool can use them.

Update Vendor OUI Aliases for Card Readers

The vendor OUI tables allow FortiNAC to identify invalid OUIs if they attempt to access the network. You can also modify the tables, for example by giving several OUIs the same alias, so that you can reference them in device profiling rules. Keep in mind that the OUI is only the first three octets of the MAC address a device presents, and is trivially spoofed: an OUI-only rule identifies what a device claims to be. Where a classification grants network access, combine the Vendor OUI method with other methods, such as Location or DHCP Fingerprint, as the camera rules in Exercise 2 do.

To update vendor OUI aliases for card readers
1. In the FortiNAC GUI, in the System menu, select Settings. The Settings view opens.
2. In the navigation panel on the left side of the window, go to Identification > Vendor OUIs.
3. In the Add Filter drop-down list, select Vendor OUI.
4. In the Vendor OUI field, type 00:10:8d, and then click Update. One vendor OUI is displayed.
5. Double-click the entry, or select it and click Modify at the bottom of the screen. The Modify Vendor OUI window opens.
6. In the Vendor Alias field, type Card Readers, and then click OK.
7. Repeat steps 4 to 6 using the vendor OUI 00:01:e6 in step 4, to identify another type of card reader.

Update Vendor OUI Aliases for IP Phones

You will update the vendor OUI aliases for all of the IP phones.

To update vendor OUI aliases for IP phones
1. In the Vendor OUI field, type 00:06:5B, and then click Update.
2. Double-click the entry, or select it and click Modify at the bottom of the screen. The Modify Vendor OUI window opens.
3. In the Vendor Alias field, type IP Phones, and then click OK.
4. Repeat steps 1 to 3 using the vendor OUI 00:08:74, to identify another type of IP phone.

Update Vendor OUI Aliases for Cameras

You will update the vendor OUI aliases for all of the cameras.

To update vendor OUI aliases for cameras
1. In the Vendor OUI field, type 00:0D:56, and then click Update.
2. Double-click the entry, or select it and click Modify at the bottom of the screen. The Modify Vendor OUI window opens.
3. In the Vendor Alias field, type Cameras, and then click OK.
4. Repeat steps 1 to 3 using the vendor OUI 00:03:E3, to identify another type of camera.

Exercise 2: Creating Device Profiling Rules

In this exercise, you will create several device profiling rules to identify and classify some of the many types of devices connected to the lab environment. Then, you will evaluate all of the unknown devices against these rules and view the results. Finally, you will create a backup copy of the FortiNAC database to prevent data loss. The rules in this lab use Registration Automatic, which registers a matching device without human confirmation, and leave the Rule Confirmation Settings (which re-evaluate a device against its rule on connect or on an interval) unselected; in production, weigh sponsor notification or rule confirmation for any rule whose classification grants network access.

Create a Device Profiling Rule for IP Phones

You will create a device profiling rule for IP phones, and set its rule rank.

To create a device profiling rule for IP phones
1. In the Hosts menu, select Device Profiling Rules.
2. Make sure that all of the existing rules are disabled: each should show a red circle and slash in the Enabled column.
3. At the bottom of the screen, click Add.
4. In the Add Device Profiling Rule window, configure the following settings:
   Field                Value
   Enabled              (Select this option)
   Name                 Our IP Phones
   Description          Identifies all connected IP phones
   Note                 (Leave this field empty)
   Notify Sponsor       (Ensure this checkbox is not selected)
   Registration         Automatic
   Type                 IP Phone
   Role                 NAC-Default
   Register as          Device in Host View
   Add to Group         (Ensure this checkbox is not selected)
   Access Availability  Always
5. Ensure that all Rule Confirmation Settings are not selected.
6. Click the Methods tab.
7. Select the Vendor OUI method, and then, at the bottom of the Vendor OUI tab, click Add. The Add OUI window opens.
8. In the Field drop-down list, select Vendor Alias.
9. In the Value field, type IP Phones, and then click OK.
10. In the Add Device Profiling Rule window, click OK. The new device profiling rule appears in the rules list as the only enabled rule.
11. Select the rule, and, using the Rank arrows at the top of the list, set the rule rank to 1.

Create a Device Profiling Rule for Card Readers

You will create a device profiling rule for card readers, and set its rule rank.

To create a device profiling rule for card readers
1. In the Device Profiling Rules view, at the bottom of the screen, click Add.
2. In the Add Device Profiling Rule window, configure the following settings:
   Field                Value
   Enabled              (Select this option)
   Name                 Card Readers
   Description          Identifies card readers
   Note                 (Leave this field empty)
   Notify Sponsor       (Ensure this checkbox is not selected)
   Registration         Automatic
   Type                 Card Reader
   Role                 NAC-Default
   Register as          Device in Host View
   Add to Group         -Card Readers
   Access Availability  Always
3. Ensure that all Rule Confirmation Settings are not selected.
4. Click the Methods tab.
5. Select the Vendor OUI method, and then, at the bottom of the Vendor OUI tab, click Add. The Add OUI window opens.
6. In the Field drop-down list, select Vendor Alias.
7. In the Value field, type Card Readers, and then click OK.
8. In the Add Device Profiling Rule window, click OK.
9. Select the rule, and, using the Set Rank button, set the rank to 2.

Create Device Profiling Rules for Cameras in the Manchester and Nashua Facilities

You will create device profiling rules for cameras at two locations, and set their rule rankings. Each rule combines the Location method with the Vendor OUI method, so a device with a camera OUI is classified by the rule only when it is connected to a port in that facility's port group.

To create a device profiling rule for cameras in the Manchester facility
1. In the Device Profiling Rules view, at the bottom of the screen, click Add.
2. In the Add Device Profiling Rule window, configure the following settings:
   Field                Value
   Enabled              (Select this option)
   Name                 Cameras in Manchester
   Description          Identifies cameras in the Manchester facility
   Note                 (Leave this field empty)
   Notify Sponsor       (Ensure this checkbox is not selected)
   Registration         Automatic
   Type                 Camera
   Role                 NAC-Default
   Register as          Device in Host View
   Access Availability  Always
3. Ensure that all Rule Confirmation Settings are not selected.
4. Click the Methods tab.
5. Select the Location method, and then click Add.
6. Select the port group named -Manchester Facility Ports, and then click OK.
7. Select the Vendor OUI method, and then, at the bottom of the Vendor OUI tab, click Add. The Add OUI window opens.
8. In the Field drop-down list, select Vendor Alias.
9. In the Value field, type Cameras, and then click OK.
10. In the Add Device Profiling Rule window, click OK.
11. Select the rule, and, using the Set Rank button, set the rank to 3. To create a device profiling rule for cameras in the Nashua facility 1. In the Device Profiling Rules view, at the bottom of the screen, click Add. 2. In the Add Device Profiling Rule window, configure the following settings: Field Value Enabled (Select this option) Name Cameras in Nashua Description Identifies cameras in the Nashua facility Note (Leave this field empty) Notify Sponsor (Ensure this checkbox is not selected) Registration Automatic Type Camera Role NAC-Default Register as Device in Host View Access Availability Always 3. Ensure that all Rule Confirmation Settings are not selected. 4. Click the Methods tab. 5. Select the Location method, and then click Add. 6. Select the port group named -Nashua Facility Ports, and then click OK. 7. Select the Vendor OUI method, and, at the bottom of the Vendor OUI tab, click Add. The Add OUI window opens. 8. In the Field drop-down list, select Vendor Alias. 9. In the Value field, type Cameras, and then click OK. 10. In the Add Device Profiling Rule window, click OK. 11. Select the rule, and, using the Set Rank button, set the rank to 4. Create a Device Profiling Rule for the Environmental Units You will create a device profiling rule for environmental units, and set a rule rank. 37 FortiNAC 8.5 Lab Guide Fortinet Technologies Inc. DO Exercise NOT2: Creating REPRINT Device Profiling Rules © FORTINET Create a Device Profiling Rule for the Environmental Units To create a device profiling rule for the environmental units 1. In the Device Profiling Rules view, at the bottom of the screen, click Add. 2. 
In the Add Device Profiling Rule window, configure the following settings: Field Value Enabled (Select this option) Name Environmental Control Units Description Identifies Mitsubishi ECUs Note (Leave this field empty) Notify Sponsor (Ensure this checkbox is not selected) Registration Automatic Type Environmental Control Role NAC-Default Register as Device in Host View Access Availability Always Confirm Device Rule on Connect (Select this option) 3. Ensure that the remaining Rule Confirmation Settings are not selected. 4. Click the Methods tab. 5. Select the Vendor OUI method, and then click Add. 6. Configure the following settings: Field Value Field Vendor Code Value 00:50:56 7. Click OK. 8. Select the SNMP method, and then configure the following settings: Field Value OID 1.3.6.1.2.1.1.2.0 Port 161 SNMP V1 Security String private 9. Select the Match checkbox, click Add, and in the Value field, type1.3.6.1.4.1.673.5685, and then click OK. FortiNAC 8.5 Lab Guide Fortinet Technologies Inc. 38 DO Create NOT REPRINT a Device Profiling Rule for Healthcare Devices © FORTINET Exercise 2: Creating Device Profiling Rules 10. Select the TCP method, and enter two ports (separated by a comma): 2214, 3612. 11. In the Add Device Profiling Rule window, click OK. 12. Select the rule, and, using the Set Rank button, set the rank to 5. Create a Device Profiling Rule for Healthcare Devices You will create a device profiling rule for blood pressure monitors, and set a rule rank. To create a device profiling rule for healthcare devices 1. In the Device Profiling Rules view, at the bottom of the screen, click Add. 2. 
In the Add Device Profiling Rules window, configure the following settings: Field Value Enabled (Select this option) Name Healthcare Device Description Network connected blood pressure monitors Note (Leave this field empty) Notify Sponsor (Ensure this checkbox is not selected) Registration Automatic Type Health Care Device Role NAC-Default Register as Device in Host View Access Availability Always Confirm Device Rule on Connect (Select this option) 3. Ensure that the remaining Rule Confirmation Settings are not selected. 4. Click the Methods tab. 5. Select the Vendor OUI method, and then click Add. 6. Configure the following settings: Field Value Field Vendor Code Value 00:50:56 7. Click OK. 8. Select the SSH method. 9. In the Credentials section, click Add, and then configure the following settings: 39 FortiNAC 8.5 Lab Guide Fortinet Technologies Inc. DO Exercise NOT2: Creating REPRINT Device Profiling Rules © FORTINET Profile Existing Rogues, Evaluate New Rogues, and View Results Field Value Name admin Password Fortinet1! 10. Click OK. 11. In the Commands section, click Add, and then configure the following settings: Field Value Type Expect Command # 12. Click OK. 13. Select the Match checkbox, click Add, type BPMonitor, and then click OK. 14. Select the TCP method, and in the Port field, type 8080. 15. In the Add Device Profiling Rule window, click OK. 16. Select the rule, and, using the Set Rank button, set the rank to 6. Profile Existing Rogues, Evaluate New Rogues, and View Results You will evaluate all existing rogues against all enabled device profiling rules. To profile existing rogues, evaluate new rogues, and view results 1. In the lower-right corner of the Device Profiling Rules window, click Run. A dialog box opens asking if you are sure you want to evaluate all rogues. 2. Click Yes, and then click OK. FortiNAC evaluates all rogues that currently exist in its database. 3. In the Hosts menu, select Profiled Devices. 4. 
In the Filter section, click Update. FortiNAC should have identified many of the devices on the network. Create a backup of the FortiNAC database You will back up the FortiNAC database. To create a backup of the FortiNAC database 1. In the System menu, select Settings. 2. In the panel on the left side, expand the System Management folder. 3. Select Database Backup/Restore. 4. In the Schedule Database Backup section of the Database Backup/Restore view, click the Run Now button. A new entry will appear in the Database Restore field with the current date and timestamp. FortiNAC 8.5 Lab Guide Fortinet Technologies Inc. 40 DO NOT REPRINT © FORTINET Lab 4: Visibility Views, Event Management and Logging In this lab, you will use the Host View to gather inventory information about network devices, and then export this information. Then, you will configure an upstream log receiver and the necessary events to meet logging requirements. Objectives l Access the Host View to create custom filters l Export Host View data l Configure upstream logging for events Time to Complete Estimated: 15 minutes 41 FortiNAC 8.5 Lab Guide Fortinet Technologies Inc. DO NOT REPRINT © FORTINET Exercise 1: Creating Host View Filters and Exporting Results In this exercise, you will create custom and quick filters in the Host View, view the results, and export the data. Create a Custom Filter Custom filters allow you to locate user, host, and adapter records. You will use custom filters to create and export a list of cameras that belong to a specific vendor and are currently connected to the network.. To create a custom filter 1. In the Host menu, select Host View. 2. In the Search drop-down list, select Custom Filter. The Custom Filter window opens. 3. In the Adapter tab, select the Physical Address checkbox, and enter 00:03:E3*. 4. Click the Host tab. 5. In the Misc section, select Device Type and, in the drop-down list, select Camera. 6. Click OK. 
The Hosts view should update and display only cameras that have the designated vendor OUI. 7. To export the data, in the Hosts view, in the lower-left corner, click the icon for the format that you want. FortiNAC 8.5 Lab Guide Fortinet Technologies Inc. 42 DO Use NOT a QuickREPRINT Filter © FORTINET Exercise 1: Creating Host View Filters and Exporting Results 8. In the Export Dialog, enter a filename for the export file, select the following fields for export, and move them to the right panel: Adapter-Location, Adapter-Physical Address, and Host-Device Type. 9. Click OK. 10. View the exported data. Use a Quick Filter Quick filters allow you to create quick and simple filters that focus on the most common filter criteria. You will create a quick filter to display and export card readers that are currently connected to the network. To use a Quick Filter 1. In the Search drop-down list, select Quick Filter. 2. In the search field, enter [00:10:8D*,00:01:E6*], and then press Enter. The Hosts view should update and display all of the card readers. You can use brackets in the Quick Search field to search for multiple criteria. This example will show all devices that have either vendor OUI. 3. To export the data, in the Hosts view, in the lower-left corner, click the icon for the format that you want. 4. In the Export Dialog, enter a File Name for the export file, select the following fields for export, and move them to the right panel: Adapter-Location, Adapter-Physical Address, and Host-Device Type. 5. Click OK. 6. View the exported data. 43 FortiNAC 8.5 Lab Guide Fortinet Technologies Inc. DO NOT REPRINT © FORTINET Exercise 2: Configuring Upstream Logging for FortiNAC Events In this exercise, you will configure an upstream log host and designate an event to send upstream to that host when the event occurs. 
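The device profiling rules of Lab 3, Exercise 2 and the Host View filters and export of Exercise 1 above, modelled together as an added example. This is not FortiNAC code: the rogue records, including the SNMP, TCP and SSH results attached to them, are constructed sample data (FortiNAC gathers those results by probing the endpoint; this script probes nothing), and the assumption that every method selected on a rule must match is this example's reading of the lab text. The vendor aliases, OUIs, rule names, ranks, locations, OID, ports and match strings are the values entered in the lab.

```python
"""Rank-ordered evaluation of device profiling rules, then Host View filtering
and export. Added example, not FortiNAC code: rogue records and their probe
results are constructed, and AND semantics across a rule's methods is assumed.
"""
import csv
import io
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Vendor OUI aliases from Lab 3, Exercise 1; the card reader OUIs are the two used
# by the quick filter in Lab 4.
VENDOR_ALIASES = {"00:06:5B": "IP Phones", "00:08:74": "IP Phones",
                  "00:0D:56": "Cameras", "00:03:E3": "Cameras",
                  "00:10:8D": "Card Readers", "00:01:E6": "Card Readers"}


@dataclass
class Rogue:
    mac: str
    port_group: str                          # port group it connected on (Location method)
    snmp_sysobjectid: str = ""               # value read at OID 1.3.6.1.2.1.1.2.0 (SNMP method)
    open_tcp_ports: frozenset = frozenset()  # ports found open (TCP method)
    ssh_output: str = ""                     # text captured after "Expect #" (SSH method)

    @property
    def oui(self) -> str:
        return self.mac.upper()[:8]


@dataclass
class Rule:
    rank: int
    name: str
    device_type: str
    methods: dict = field(default_factory=dict)  # method name -> expected value
    enabled: bool = True

    def matches(self, r: Rogue) -> bool:
        checks = {"vendor_alias": lambda v: VENDOR_ALIASES.get(r.oui) == v,
                  "vendor_code": lambda v: r.oui == v.upper(),
                  "location": lambda v: r.port_group == v,
                  "snmp_match": lambda v: r.snmp_sysobjectid.startswith(v),
                  "tcp_ports": lambda v: set(v) <= r.open_tcp_ports,
                  "ssh_match": lambda v: v in r.ssh_output}
        return all(checks[m](v) for m, v in self.methods.items())


# The six rules of Exercise 2 with the ranks set in the lab.
RULES = [
    Rule(1, "Our IP Phones", "IP Phone", {"vendor_alias": "IP Phones"}),
    Rule(2, "Card Readers", "Card Reader", {"vendor_alias": "Card Readers"}),
    Rule(3, "Cameras in Manchester", "Camera", {"location": "-Manchester Facility Ports", "vendor_alias": "Cameras"}),
    Rule(4, "Cameras in Nashua", "Camera", {"location": "-Nashua Facility Ports", "vendor_alias": "Cameras"}),
    Rule(5, "Environmental Control Units", "Environmental Control",
         {"vendor_code": "00:50:56", "snmp_match": "1.3.6.1.4.1.673.5685", "tcp_ports": (2214, 3612)}),
    Rule(6, "Healthcare Device", "Health Care Device",
         {"vendor_code": "00:50:56", "ssh_match": "BPMonitor", "tcp_ports": (8080,)}),
]


def profile(rogue: Rogue, rules=RULES) -> Optional[str]:
    """Device type of the first enabled rule, lowest rank first; None keeps it a rogue."""
    for rule in sorted(rules, key=lambda x: x.rank):
        if rule.enabled and rule.matches(rogue):
            return rule.device_type
    return None


def classify_all(rogues) -> list:
    """What Run does: evaluate every rogue and build Host View style records."""
    return [{"location": r.port_group, "mac": r.mac, "type": profile(r)} for r in rogues]


def quick_filter(pattern: str, hosts) -> list:
    """Quick Filter syntax: '[00:10:8D*,00:01:E6*]' matches a MAC against any pattern."""
    pats = pattern.strip("[]").split(",") if pattern.startswith("[") else [pattern]
    return [h for h in hosts if any(fnmatchcase(h["mac"].upper(), p.strip().upper()) for p in pats)]


def custom_filter(mac_pattern: str, device_type: str, hosts) -> list:
    """Custom Filter: Adapter Physical Address AND Host Device Type must both match."""
    return [h for h in quick_filter(mac_pattern, hosts) if h["type"] == device_type]


def export_csv(hosts) -> str:
    """The three fields moved to the right panel of the Export Dialog."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Adapter-Location", "Adapter-Physical Address", "Host-Device Type"])
    for h in hosts:
        writer.writerow([h["location"], h["mac"], h["type"] or "Rogue"])
    return buf.getvalue()


# Constructed rogues; the 00:50:56 (VMware) hosts differ only in their probe results.
SAMPLE_ROGUES = [
    Rogue("00:06:5B:11:22:33", "-Building 1 Ports"),
    Rogue("00:0D:56:AA:BB:CC", "-Manchester Facility Ports"),
    Rogue("00:03:E3:AA:BB:CD", "-Nashua Facility Ports"),
    Rogue("00:03:E3:AA:BB:CE", "-Building 3 Wired Ports"),  # camera OUI but neither location
    Rogue("00:50:56:01:02:03", "-Building 4 Wired Ports",
          snmp_sysobjectid="1.3.6.1.4.1.673.5685.1", open_tcp_ports=frozenset({2214, 3612})),
    Rogue("00:50:56:01:02:04", "-Building 4 Wired Ports",
          ssh_output="BPMonitor v2\n# ", open_tcp_ports=frozenset({22, 8080})),
    Rogue("00:10:8D:00:00:01", "-Building 1 Ports"),
    Rogue("00:50:56:01:02:05", "Engineering Ports"),  # no probe evidence: stays a rogue
]
```

Running `classify_all(SAMPLE_ROGUES)` shows why rank and location matter: the camera on Building 3 ports keeps its rogue status because neither camera rule covers that location, and the two VMware hosts are only told apart by their SNMP and SSH results. `custom_filter("00:03:E3*", "Camera", hosts)` and `quick_filter("[00:10:8D*,00:01:E6*]", hosts)` reproduce the two Host View searches, and `export_csv` emits the same three columns chosen in the Export Dialog.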
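To confirm on the receiver side that the records configured in this exercise actually arrive, the following added example (not FortiNAC code) parses syslog datagrams as a listener on 192.168.0.2 would see them. The receiver settings (Syslog CSV, UDP port 514, facility Authorization) and the two events set to Log Internal & External come from this exercise; the datagram layout, with the event name as the first CSV column, is constructed for illustration and is not the documented record format, and mapping the Authorization facility to syslog facility code 4 is this example's assumption.

```python
"""Receive and sanity-check syslog records from a FortiNAC upstream log receiver.
Added example, not FortiNAC code. The CSV layout of the sample datagrams is
constructed; "Authorization" = facility code 4 (security/authorization, RFC 3164)
is assumed.
"""
import csv
import socket

EXPECTED_FACILITY = 4
FORWARDED_EVENTS = {"Host At Risk", "Disable Host Success"}   # set to Log Internal & External
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: str) -> dict:
    """Split '<PRI>Mon dd hh:mm:ss host payload' into facility, severity, host and CSV fields."""
    if not datagram.startswith("<") or ">" not in datagram:
        raise ValueError("datagram has no PRI field")
    end = datagram.index(">")
    pri = int(datagram[1:end])
    rest = datagram[end + 1:].split(" ", 4)            # 3 timestamp tokens, host, payload
    fields = next(csv.reader([rest[4]])) if len(rest) == 5 else []
    return {"facility": pri // 8, "severity": SEVERITY[pri % 8],
            "host": rest[3] if len(rest) >= 4 else "",
            "event": fields[0] if fields else "", "fields": fields}


def check_record(datagram: str) -> str:
    """'ok' when the record is one FortiNAC was told to forward, else why it is suspect."""
    rec = parse_syslog(datagram)
    if rec["facility"] != EXPECTED_FACILITY:
        return "unexpected facility %d" % rec["facility"]
    if rec["event"] not in FORWARDED_EVENTS:
        return "event not configured for upstream logging: %r" % rec["event"]
    return "ok"


def listen(bind_ip: str = "0.0.0.0", port: int = 514):
    """Run on the log receiver host (192.168.0.2 in the lab) to watch records arrive."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))            # binding 514 needs privileges on most systems
        while True:
            data, (src, _) = s.recvfrom(4096)
            print(src, check_record(data.decode(errors="replace")))


# Constructed datagrams. PRI 36 = facility 4 * 8 + severity 4 (warning); 38 = info.
SAMPLE_DATAGRAMS = [
    "<36>Jan 10 10:15:02 fortinac Host At Risk,00:50:56:01:02:04,192.168.10.23,Building 3",
    "<38>Jan 10 10:15:09 fortinac Disable Host Success,00:50:56:01:02:04,192.168.10.23",
    "<38>Jan 10 10:16:00 fortinac Host Registered,00:10:8D:00:00:01,192.168.10.40",
    "<134>Jan 10 10:16:30 otherbox Host At Risk,aa:bb:cc:dd:ee:ff,10.0.0.5",
]
```

`check_record` flags two things worth catching during the lab: an event that was not set to Log Internal & External (so the receiver is getting more than intended, or the wrong system is sending) and a facility other than the one configured, which usually means another syslog source is writing into the same collector.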
Configure an Upstream Log Receiver and Events for Upstream Logging

By configuring an upstream log receiver, FortiNAC event and alarm information can be passed to an external system for logging. You will create an upstream log receiver and then configure events for upstream logging.

To configure an upstream log receiver

1. In the System menu, select Settings. The Settings view opens.
2. On the left side of the screen, click System Communication > Log Receivers.
3. In the Log Receivers view, at the bottom of the screen, click Add.
4. In the Add Log Host window, configure the following settings:

   Field         Value
   Type          Syslog CSV
   IP Address    192.168.0.2
   Port          514
   Facility      Authorization

5. Click OK.

To configure events for upstream logging

1. In the Logs menu, select Event Management. The Event Management view opens.
2. Locate and select Host At Risk.
3. Right-click the event (or, at the bottom of the screen, click the Options button), and select Log Internal & External.
4. Repeat step 3 for the Disable Host Success event.

Create a backup of the FortiNAC database

You will back up the FortiNAC database.

To create a backup of the FortiNAC database

1. In the System menu, select Settings.
2. In the panel on the left, expand the System Management folder.
3. Select Database Backup/Restore.
4. In the Schedule Database Backup section of the Database Backup/Restore view, click the Run Now button. A new entry will appear in the Database Restore field with the current date and timestamp.

Lab 5: FortiGate Integration and Logical Networks

In this lab, you will integrate FortiNAC with FortiGate. You will configure both systems to dynamically apply firewall policies to endpoints, based on tags and group memberships that are assigned using FortiNAC security policies. You will then configure logical networks to simplify network access policy management.

Objectives
- Define logical networks
- Configure FSSO integration between FortiNAC and FortiGate
- Create a FortiGate FSSO group and define membership using a tag or group from FortiNAC
- Define firewall tags

Time to Complete
Estimated: 30 minutes

Exercise 1: Configuring Logical Networks and Creating a Firewall Tag

In this exercise, you will define logical networks that will be used by FortiNAC network access policies. Logical networks create an abstraction layer between a value and any number of access configurations. This provides flexibility when enforcing access control, and greatly reduces the number of access control policies.

Create Logical Networks for Card Readers, Cameras, and Contractors

You will create and define logical networks for card readers, cameras, and contractors.

To create logical networks

1. In the Network Devices menu, click Topology. The topology view will load.
2. Click the root container in the topology tree, and then click the Logical Networks tab.
3. Click Add to create a new logical network, and configure the following settings:

   Field          Value
   Name           Card Readers
   Description    Used to provision badge readers

4. Click OK. The Card Readers Logical Network should now appear as the only entry in the list.
5. Click Add to create a second logical network, and configure the following settings:

   Field          Value
   Name           Cameras
   Description    Used to provision cameras

6. Click OK. You now have two entries in the Logical Networks view.
7. Click Add to create a third logical network, and configure the following settings:

   Field          Value
   Name           Contractors
   Description    Used to provision contractors

8. Click OK. You should now have three entries in the Logical Networks view.
9. Click Add to create a fourth logical network, and configure the following settings:

   Field          Value
   Name           No Access
   Description    Used to deny network access

10. Click OK. You should now have four entries in the Logical Networks view.

Define Logical Networks for Card Readers, Cameras, and Contractors by VLAN ID and VLAN Name

After logical networks are configured, they appear in the model configuration of each infrastructure device in the topology view. They can be defined by VLAN name or VLAN ID. You will define what each logical network means, on multiple devices, using VLAN ID.

To define logical networks by VLAN ID

1. In the Network Devices menu, click Topology. The Topology view will open.
2. In the topology tree, expand the Building 3 branch, and then click Switch-3.
3. On the right side of the screen, click the Model Configuration tab.
4. At the top of the view, next to VLAN ID, make sure that the radio button is selected.
5. In the Logical Network list, locate Card Readers and, in the Access drop-down list, select 50.
6. In the Logical Network list, locate Cameras and, in the Access drop-down list, select 150.
7. In the Logical Network list, locate Contractors and, in the Access drop-down list, select 360.
8. In the Logical Network list, locate No Access and, in the Access drop-down list, select 132.
9. Click Save.
10. In the topology tree, expand the Building 4 branch, and then click Switch-4.
11. Click the Model Configuration tab.
12. At the top of the view, next to VLAN ID, make sure that the radio button is selected.
13. In the Logical Network list, locate Card Readers and, in the Access drop-down list, select 60.
14. In the Logical Network list, locate Cameras and, in the Access drop-down list, select 25.
15. In the Logical Network list, locate Contractors and, in the Access drop-down list, select 460.
16. In the Logical Network list, locate No Access and, in the Access drop-down list, select 142.
17. Click Save.
18. In the topology tree, expand the Data Center branch, and then click EngineeringSwitch.
19. Click the Model Configuration tab.
20. At the top of the view, next to VLAN Name, make sure that the radio button is selected.
21. In the Logical Network list, locate Card Readers and, in the Access drop-down list, select CardReaders.
22. In the Logical Network list, locate Cameras and, in the Access drop-down list, select Cameras.
23. In the Logical Network list, locate Contractors and, in the Access drop-down list, select Contractors.
24. In the Logical Network list, locate No Access and, in the Access drop-down list, select Eng-DeadEnd.
25. Click Save.

These logical network names can be configured differently on each infrastructure device. This is an extremely useful feature if, for example, cameras use different VLANs at different locations.

Create a Firewall Tag for Contractors

You will create a firewall tag that will be applied to all contractors. This firewall tag will ultimately define group membership in FortiGate and result in the enforcement of firewall policies.

To create firewall tags

1. Log in to the FortiNAC GUI.
2. Click Network Devices > Topology.
3. In the topology tree, expand the Security Devices container, and then click FortiGate-Edge.
4. On the right side of the screen, click the Virtualized Devices tab, right-click the root virtualized device, and then click Model Configuration. A dialog box will appear to inform you that no VLANs have been read from the device. Click OK.
5. Next to the logical network named Contractors, in the Firewall Tags field, type Contractors-Tag, and then press Enter.
6. Click Submit.

You can create firewall tags directly in the configuration view of the FortiGate virtualized device model, as you did here, or you can create them in the Firewall Tags view that is located at System > Settings, in the System Communication folder.

The firewall tag is applied by a security policy, as a result of a template that is applied to contractor accounts. This is covered in a future lab.

Exercise 2: Configuring FortiNAC for FSSO Integration

In this exercise, you will configure FortiNAC FSSO settings to prepare for Security Fabric integration with FortiGate. Integrating FortiNAC into the Security Fabric allows it to pass endpoint group and tag information to FortiGate, which can then be used to dynamically populate FortiGate groups.

Configure FortiNAC FSSO Settings

You will configure the settings that allow FortiNAC to be added as a Security Fabric connector.

To configure FortiNAC FSSO settings

1. In the System menu, click Settings.
2. On the left side of the screen, expand the System Communication folder, and then click Fortinet FSSO Settings.
3. To display the remaining settings, select the Enable FSSO Communication checkbox.
4. Leave the Port setting as 8000 and the Subnet as 0.0.0.0/0. The Port setting defines the TCP port that will be used for communicating with FortiGate, and the Subnet setting allows you to limit the FortiGate devices that will be allowed to add FortiNAC as a Security Fabric connector, by IP address or subnet.
5. Click the Password field. A Modify Password dialog box will appear.
6. Type Mypassword in both the Enter Password and Retype Password fields, and click OK.
7. Click Save Settings.

Configure FortiNAC as a Single Sign-On Agent on FortiGate

To configure FortiNAC as a single sign-on agent on FortiGate

1. To log in to FortiGate, on the browser bookmark bar, click the FortiGate bookmark, and then enter the username admin and the password Fortinet1!.
2. In the panel on the left side of the window, click Global, and then click root.
3. In the Security Fabric menu, click Fabric Connectors.
4. Click Create New.
5. In the SSO/Identity section, click Fortinet Single Sign-On Agent.
6. In the Name field, type Training-FortiNAC.
7. In the Primary FSSO Agent field, type 192.168.0.110 and, in the password field, type Mypassword.
8. Click Apply & Refresh. The Users/Groups field will update to 23, and a View button will appear.
9. Click View to display the Collector Agent Group Filters. These are the user groups, host groups, and firewall tags that were brought over from FortiNAC. Notice that the Contractors-Tag that you created was pulled in from FortiNAC.
10. Click OK. FortiNAC will appear as a Security Fabric connector.

Create a FortiGate FSSO Group and Define Members

To create a FortiGate FSSO group and define members

1. In the FortiGate GUI, on the left side of the screen, open the User & Device menu.
2. Click User Groups and, at the top of the view, click Create New.
3. In the Name field, type Contractors, and then, in the Type field, select Fortinet Single Sign-On (FSSO).
4. Click the Members field, to open the Select Entries pane.
5. In the Select Entries panel, select CONTRACTORS-TAG. CONTRACTORS-TAG should appear in the Members field.
6. Click OK.

The CONTRACTORS-TAG option appeared in the Select Entries list because it was created as a firewall tag on FortiNAC and pulled into FortiGate using the FSSO agent.

Exercise 3: Creating a FortiGate Firewall Policy

In this exercise, you will create an IPv4 policy on FortiGate that will apply only to users or hosts that have a firewall tag assigned to them by FortiNAC.

Create an IPv4 Policy That Uses FSSO Group Memberships and a Test Policy

You will configure a policy that will rely partly on membership in the FSSO group, which is dynamically updated by FortiNAC, based on a security policy.

To create an IPv4 policy on FortiGate

1. To log in to FortiGate, on the browser bookmark bar, click the FortiGate bookmark, and enter the username admin and the password Fortinet1!.
2. In the left panel, click Global, and then click root.
3. Go to Policy & Objects > IPv4 Policy.
4. Click Create New, and enter the following:

   Field                  Value
   Name                   Contractor Access
   Incoming Interface     Internal Network (Port3)
   Outgoing Interface     Internet (port1)
   Source                 all (in the Address tab), Contractors (in the User tab)
   Destination            all
   Schedule               always
   Service                ALL
   Action                 ACCEPT
   NAT                    Enable this option
   AntiVirus              Enable this option and select Eicar Virus
   Web Filter             Enable this option and select Contractor Web Filter
   DNS Filter             Enable this option and select Contractor DNS Filter
   Log Allowed Traffic    Enable this option and select Security Events
   Enable this policy     Enable this option

5. Keep the default values for all other settings, and click OK to save the changes.
6. In the top right of the screen, click By Sequence.
7. In the ID column, move the Contractor Access policy under the Generate Security Test policy, to rank it as second.
8. Log out of FortiGate.

This policy was created here to demonstrate how the Contractors group, whose membership is determined by the FortiNAC firewall tag, can be associated with an IPv4 policy. You will see the results of this policy in a future lab.

Create a Backup of the FortiNAC Database (Optional)

You will back up the FortiNAC database.

To create a backup of the FortiNAC database

1. In the System menu, click Settings.
2. In the panel on the left, expand the System Management folder.
3. Click Database Backup/Restore.
4. In the Schedule Database Backup section of the Database Backup/Restore view, click the Run Now button. A new entry will appear in the Database Restore field with the current date and timestamp.
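The abstraction this lab builds, as an added example that is not FortiNAC or FortiGate code: a network access policy names a logical network, each device's model configuration turns that name into whatever it means locally (a VLAN ID on Switch-3 and Switch-4, a VLAN name on EngineeringSwitch, a firewall tag on FortiGate-Edge), and the tag feeds the FSSO group that the Contractor Access policy uses as its source. The per-device values are the ones entered in Exercise 1; the policy table, the host records and the "No Access" fallback for unmatched device types are constructed for this example.

```python
"""Logical networks as the layer between a network access policy and the VLAN
or tag each device actually applies. Added example, not FortiNAC or FortiGate
code; the policy table, host records and "No Access" fallback are constructed.
"""
from typing import Optional, Tuple

# Model configuration per infrastructure device: logical network -> access value.
# Each device picks its own format, so one logical network is a VLAN ID here, a
# VLAN name there, and a firewall tag on the FortiGate model.
MODEL_CONFIG = {
    "Switch-3": {"format": "VLAN ID", "Card Readers": 50, "Cameras": 150,
                 "Contractors": 360, "No Access": 132},
    "Switch-4": {"format": "VLAN ID", "Card Readers": 60, "Cameras": 25,
                 "Contractors": 460, "No Access": 142},
    "EngineeringSwitch": {"format": "VLAN Name", "Card Readers": "CardReaders",
                          "Cameras": "Cameras", "Contractors": "Contractors",
                          "No Access": "Eng-DeadEnd"},
    # No VLANs were read from FortiGate-Edge; only the Contractors tag is defined.
    "FortiGate-Edge": {"format": "Firewall Tag", "Contractors": "Contractors-Tag"},
}

LOGICAL_NETWORKS = ("Card Readers", "Cameras", "Contractors", "No Access")

# A network access policy names a logical network, never a VLAN (constructed table;
# unmatched device types fall back to No Access in this example).
NETWORK_ACCESS_POLICY = {"Card Reader": "Card Readers", "Camera": "Cameras",
                         "Contractor": "Contractors"}


def resolve_access(device: str, logical_network: str) -> Optional[Tuple[str, object]]:
    """(format, value) the device applies for a logical network; None if undefined there."""
    cfg = MODEL_CONFIG[device]
    if logical_network not in cfg:
        return None
    return cfg["format"], cfg[logical_network]


def provision(device_type: str, device: str) -> Optional[Tuple[str, object]]:
    """Outcome of the policy for a host of this type connecting through this device."""
    logical = NETWORK_ACCESS_POLICY.get(device_type, "No Access")
    return resolve_access(device, logical)


def undefined_logical_networks(device: str) -> list:
    """Configuration check: logical networks this device has no access value for."""
    return [ln for ln in LOGICAL_NETWORKS if ln not in MODEL_CONFIG[device]]


def fsso_group_members(hosts, tag: str = "Contractors-Tag") -> list:
    """Membership of the FortiGate FSSO group 'Contractors': every host carrying the
    tag FortiNAC pushed over FSSO. The Contractor Access policy uses that group
    as its source on the User tab."""
    return sorted(h["ip"] for h in hosts if tag in h["tags"])


# Constructed host records with the tags FortiNAC would push through FSSO.
SAMPLE_HOSTS = [
    {"ip": "192.168.10.50", "type": "Contractor", "tags": {"Contractors-Tag"}},
    {"ip": "192.168.10.51", "type": "Camera", "tags": set()},
    {"ip": "192.168.10.52", "type": "Contractor", "tags": {"Contractors-Tag"}},
]

if __name__ == "__main__":
    for dev in MODEL_CONFIG:
        print(dev, provision("Camera", dev), undefined_logical_networks(dev))
    print(fsso_group_members(SAMPLE_HOSTS))
```

The same call, `provision("Camera", device)`, yields VLAN 150, VLAN 25 or the VLAN name Cameras depending on the switch, which is the point the lab makes about cameras using different VLANs at different locations. `undefined_logical_networks` is the check to run after adding a device: on FortiGate-Edge only Contractors is defined, so a policy that resolves any other logical network there has nothing to apply.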
Lab 6: Portal Configuration and Access Control Enforcement

In this lab, you will customize your captive portal pages for unknown host registration and verify the page appearance. Then, you will enable registration enforcement for unknown hosts by placing all your access ports into the Forced Registration group. You will enable enforcement on the wireless network, using the model configuration pages for your wireless devices.

Objectives
- Customize the captive portal pages
- Prepare devices for endpoint isolation
- Enforce access control

Time to Complete
Estimated: 25 minutes

Exercise 1: Customizing the Captive Portal Pages

In this exercise, you will customize the registration captive portal page for your registration network.

Modify the Default Portal Page for the Registration Context

The captive portal pages are the web pages that end users will be directed to when they have been isolated because of their host state.

To customize the captive portal pages

1. Click System > Portal Configuration.
2. Under the Content Editor tab, expand the Global branch, and select Styles.
3. Click the blue banner that says the network on the left and Registration on the right. The Page Title window opens.
4. To the right of the Background color field, click the box to open the color picker.
5. Choose a color for your page, and click OK.
6. On the Page Title screen, click OK.
7. Under the Content Editor tab, expand the Registration branch, and select Common.
8. In the Context Title field, type Fortinet Training Registration Page, to change the title.
9. Under the Registration branch, select Login Menu.
10. In the Window Title field, type Welcome to Fortinet Training.
11. Scroll down, and clear the Game Console Registration Enabled and Custom Registration Enabled options.
12. In the Guest Login Title field, type Contractor Registration<hr>.
13. In the Guest Login Link field, type <a href="GuestLoginGCS.jsp">Contractors who have a temporary account.</a>.
14. Click Apply.
15. Verify the changes by logging out of the FortiNAC GUI and then visiting: https://192.168.0.110/registration.

Exercise 2: Preparing Devices for Endpoint Isolation

In this exercise, you will configure the infrastructure device models to enable access control enforcement.

Configure the Network Device Model Settings for State-Based Enforcement

State-based enforcement is the process of automatically isolating endpoints based on their assigned state in the FortiNAC database.

To configure wired device models for access control enforcement

1. Click Network Device > Topology.
2. Under the topology tree on the left side of the screen, expand the Building 1 branch.
3. Right-click Building 1 Switch, and select Model Configuration.
4. In the VLAN ID section, type the VLAN ID settings shown in the following example:
5. Click Apply.
6. Under the topology tree, expand the Building 3 branch.
7. Select Switch-3, and click the Model Configuration tab.
8. In the Network Access section, in the VLAN Display Format row, select VLAN ID.
9. In the Logical Network column, in the Registration row, in the Access column drop-down list, select 130.
10. In the Logical Network column, in the Quarantine row, in the Access column drop-down list, select 131.
11. In the Logical Network column, in the Dead End row, in the Access column drop-down list, select 132.
12. Click Save.
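How the model configuration just entered is used once enforcement is switched on, as an added example that is not FortiNAC code. The isolation VLANs for Switch-3 (130, 131, 132) come from the procedure above; the VLAN names for Switch-4 and EngineeringSwitch, the wireless Enforce/Deny settings for TrXirrusArray, and the Forced Registration and Forced Remediation port groups come from the rest of this lab (Exercise 2 and Exercise 3). The reading that a wired port isolates a host only when it belongs to the enforcement group for that host state, that a registered host is otherwise left to its network access policy, and the "Allow" enforcement on the wireless Default row are this example's assumptions; host and port records are constructed.

```python
"""State-based enforcement decision for a connecting host. Added example, not
FortiNAC code; gating by port group membership and the wireless Default row's
enforcement are assumptions, host/port records are constructed.
"""
from typing import Optional, Tuple

# Wired model configurations: isolation network -> VLAN ID or VLAN name.
# The Dead End values are configured in the lab but not exercised below.
WIRED_MODELS = {
    "Switch-3": {"Registration": 130, "Quarantine": 131, "Dead End": 132},
    "Switch-4": {"Registration": "Bldg4Reg", "Quarantine": "Bldg4Quar", "Dead End": "Bldg4DeadEnd"},
    "EngineeringSwitch": {"Registration": "Eng-Reg", "Quarantine": "Eng-Quar", "Dead End": "EngDeadEnd"},
}

# Wireless model configuration: row -> (access enforcement, access value). The values
# are Xirrus access groups learned from the array. The lab sets no enforcement on the
# Default row; "Allow" is assumed here.
WIRELESS_MODELS = {
    "TrXirrusArray": {"Default": ("Allow", "Production"),
                      "Registration": ("Enforce", "Registration"),
                      "Quarantine": ("Deny", None),
                      "Dead End": ("Enforce", "DeadEnd")},
}

# Port groups that turn enforcement on for wired ports (Exercise 3 of this lab).
ENFORCEMENT_GROUPS = {
    "Forced Registration": {"-Building 1 Ports", "-Nashua Facility Ports",
                            "-Building 3 Wired Ports", "-Building 4 Wired Ports",
                            "Engineering Ports"},
    "Forced Remediation": {"-Building 1 Ports", "-Nashua Facility Ports",
                           "-Building 3 Wired Ports", "-Building 4 Wired Ports"},
}

# Host state -> (isolation network, group that enforces it), as the lab describes.
STATE_POLICY = {"rogue": ("Registration", "Forced Registration"),
                "at risk": ("Quarantine", "Forced Remediation")}


def enforce(host_state: str, device: str, port_group: Optional[str] = None) -> Tuple[str, object]:
    """('isolate', value), ('deny', None) or ('allow', value or None) for this connection."""
    if device in WIRELESS_MODELS:
        model = WIRELESS_MODELS[device]
        if host_state not in STATE_POLICY:
            return ("allow", model["Default"][1])
        action, value = model[STATE_POLICY[host_state][0]]
        return ("deny", None) if action == "Deny" else ("isolate", value)
    model = WIRED_MODELS[device]
    if host_state not in STATE_POLICY:
        return ("allow", None)          # registered host: a network access policy provisions it
    network, group = STATE_POLICY[host_state]
    if port_group not in ENFORCEMENT_GROUPS[group]:
        return ("allow", None)          # port not in the group: nothing is enforced here
    return ("isolate", model[network])


def registration_only_ports() -> list:
    """Check: port groups where rogues are isolated but at-risk hosts are not."""
    return sorted(ENFORCEMENT_GROUPS["Forced Registration"] - ENFORCEMENT_GROUPS["Forced Remediation"])


if __name__ == "__main__":
    for state in ("rogue", "at risk", "registered"):
        print(state, enforce(state, "EngineeringSwitch", "Engineering Ports"),
              enforce(state, "TrXirrusArray"))
    print("registration only:", registration_only_ports())
```

The check worth keeping from this is `registration_only_ports()`: with the groups as populated in Exercise 3, Engineering Ports is in Forced Registration but not in Forced Remediation, so a rogue on EngineeringSwitch lands in Eng-Reg while an at-risk host there is not moved to Eng-Quar even though the switch model defines it. On the wireless array the outcome is decided by the Enforce/Deny column instead: an at-risk client is refused rather than isolated.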
To configure wired device models for access control enforcement using VLAN name

1. Under the topology tree, expand the Building 4 branch.
2. Select Switch-4, and click the Model Configuration tab.
3. In the Network Access section, in the VLAN Display Format row, select VLAN Name.
4. In the Logical Network column, in the Registration row, in the Access column drop-down list, select Bldg4Reg.
5. In the Logical Network column, in the Quarantine row, in the Access column drop-down list, select Bldg4Quar.
6. In the Logical Network column, in the Dead End row, in the Access column drop-down list, select Bldg4DeadEnd.
7. Click Save.
8. Under the topology tree, expand the Data Center branch.
9. Select EngineeringSwitch, and click the Model Configuration tab.
10. In the Network Access section, in the VLAN Display Format row, select VLAN Name.
11. In the Logical Network column, in the Registration row, in the Access column drop-down list, select Eng-Reg.
12. In the Logical Network column, in the Quarantine row, in the Access column drop-down list, select Eng-Quar.
13. In the Logical Network column, in the Dead End row, in the Access column drop-down list, select EngDeadEnd.
14. Click Save.

To configure wireless device models for access control enforcement

1. Expand the Wireless APs branch, right-click TrXirrusArray, and select Model Configuration.
2. In the RADIUS section, click Modify, and in the RADIUS Secret field, type password.
3. Enter password again in the Retype Secret field.
4. Click OK.
5. In the Network Access section, in the Host State column, in the Default row, select Production in the drop-down menu in the Access Value column.
6. In the Network Access section, in the Host State column, in the Dead End row, select Enforce in the drop-down menu in the Access Enforcement column, and then select DeadEnd in the drop-down menu in the Access Value column.
7. In the Network Access section, in the Host State column, in the Registration row, select Enforce in the drop-down menu in the Access Enforcement column, and then select Registration in the drop-down menu in the Access Value column.
8. In the Network Access section, in the Host State column, in the Quarantine row, select Deny in the drop-down menu in the Access Enforcement column.
9. Click Apply.
10. Perform steps 1 to 9 for the Aruba-IAP controller, using the same access values.

The access values selected for the Xirrus Array are Xirrus access groups that have been defined on the Xirrus Array and learned by FortiNAC. On the Aruba, the values are Aruba Roles that have been configured on the IAP and read in by FortiNAC.

The model configuration values were set using both the Model Configuration tab, and the right-click option. Both options work exactly the same way. The lab presents both options to demonstrate the two ways that can be used to perform the same task.

Exercise 3: Enforcing Access Control

In this exercise, you will turn on enforcement of access control, preventing unknown devices from gaining access to the production network in specific locations.

Configure FortiNAC to Enforce State-Based Access Control

Access control is the automated isolation of connecting endpoints, based on the assigned state of each endpoint.

To enforce access control on rogue hosts in specific locations

1. Click System > Groups.
2. Double-click the Forced Registration group.
3. On the Modify Group window, click the Groups tab.
4. Select -Building 1 Ports, -Nashua Facility Ports, -Building 3 Wired Ports, -Building 4 Wired Ports, and Engineering Ports.
5. Click OK. The Forced Registration group should now have a + sign to its left.
6. Expand the group by clicking on the + sign, and verify that the port groups you added are displayed.
7. Double-click the Role Based Access group.
8. On the Modify Group window, click the Groups tab.
9. Select -Building 1 Ports and -Nashua Facility Ports.
10. Click OK.

The Forced Registration group enforces access control on connected hosts that have a system assigned state or status of rogue. The Role Based Access group enforces network access policies on connected hosts.

To enforce access control on at-risk hosts in specific locations

1. Click System > Groups.
2. Double-click the Forced Remediation group.
3. On the Modify Group window, click the Groups tab.
4. Select -Building 1 Ports, -Nashua Facility Ports, -Building 3 Wired Ports, and -Building 4 Wired Ports.
5. Click OK. The Forced Remediation group should now have a + sign to its left.
6. Expand the group, and verify that the port groups you added are displayed.

Create a Backup of the FortiNAC Database (Optional)

In this procedure, you will back up the FortiNAC database.

To back up the FortiNAC database

1. In the System menu, select Settings.
2. In the panel on the left, expand the System Management folder.
3. Select Database Backup/Restore.
4. In the Schedule Database Backup portion of the Database Backup/Restore view, click the Run Now button. A new entry will appear in the Database Restore field with the current date and timestamp.

Lab 7: Security Policies for Network Access Control and Endpoint Compliance

In this lab, you will create user/host profiles to identify some of the different types of devices (card readers and cameras) and contractor hosts in your lab environment. You will then use these profiles to create network access policies for proper provisioning, and an endpoint compliance policy for host posture checking of contractor systems. Network access policies are used to automate the network provisioning of endpoints.

Objectives
- Create user/host profiles and network access policies for card readers and cameras
- Create user/host profiles and network access policies for contractors
- Create an endpoint compliance policy for contractors

Time to Complete
Estimated: 45 minutes

Exercise 1: Creating User/Host Profiles and Network Access Policies for Card Readers and Cameras

In this exercise, you will create network access policies for dynamic provisioning of the connected card readers and cameras, based on the logical networks defined in the model configurations of each device. This is a fundamental part of classification and control capabilities.

Configure User/Host Profiles That Identify Card Readers and Cameras

In this procedure, you will create user/host profiles that will identify card readers and cameras connected to the network.

To create user/host profiles for card readers

1. Click Policy > Policy Configuration. The User/Host Profiles window opens.
2. On the left side of the view, verify that the User/Host Profiles tab is selected, and click Add. The Add User/Host Profile window opens.
3. In the Name field, type Card Readers.
4. Leave the Where (Location) field set to Any.
5. Leave the Who/What by Group field set to Any.
6. To the right of the Who/What by Attribute field, click Add. The Filter window opens.
7. Click the Host tab.
8. In the Misc section, select Device Type, and in the drop-down list, select Card Reader.
9. On the Filter window, click OK.
1: Creating User/Host Profiles and Network Access Policies DO Exercise NOT REPRINT for Card Readers and Cameras © FORTINET Configure User/Host Profiles That Identify Card Readers and Cameras 10. On the Add User/Host Profile window, click OK. You now have a profile that will match any card reader that connects to the network. To create user/host profiles for cameras 1. Continuing in the User/Host Profiles view, verify that the User/Host Profiles tab is selected, and click Add. The Add User/Host Profile window opens. 2. In the Name field, type Cameras. 3. Leave the Where (Location) field set to Any. 4. Leave the Who/What by Group field set to Any. 5. To the right of the Who/What by Attribute field, click Add. The Filter window opens. 6. Click the Host tab. 7. In the Misc section, select Device Type, and in the drop-down list, select Camera. 8. On the Filter window, click OK. 9. On the Add User/Host Profile window, click OK. You now have a profile that will match any camera. To create network access policies for card readers 1. Click the Network Access tab in the left panel, and click Add. The Add Network Access Policy window opens. 2. In the Name field, type Card Readers Access Policy. 3. In the User/Host Profile drop-down list, select Card Readers. 4. To the right of the Network Access Configuration field, click the Add Network Access Configuration button. The Add Network Access Configuration window opens. 5. In the Name field, type Card Reader Access. 6. In the Logical Networks drop-down list, select Card Readers. 7. In the Note field, type Assigns access for card readers. 8. On the Add Network Access Configuration window, click OK. 9. On the Add Network Access Policy window, in the Note field, type Assigns all card readers to the networks defined by the Card Reader Logical Network of each device, and click OK. You will now have one network access policy listed. FortiNAC 8.5 Lab Guide Fortinet Technologies Inc. 
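The profile and policy mechanics used above, as an added example that is not FortiNAC code: the Python below models the Where (Location), Who/What by Group and Who/What by Attribute parts of a user/host profile and the rank-ordered evaluation of network access policies, where the first matching policy is applied. It uses the Card Readers and Cameras profiles from this exercise and the two contractor profiles from Exercise 2 of this lab, and goes one step beyond the lab by showing what a contractor in a conference room would receive if the restrictive policy were ranked below the production one. The data model, the attribute names on the host and the port group names are assumptions; the logical network a policy returns is resolved to a VLAN per device by that device's Model Configuration.

```python
"""Added example, not FortiNAC's own code: how user/host profiles and
ranked network access policies select a logical network for a connecting
host. Field names follow the lab's GUI; the data model is an assumption."""
from dataclasses import dataclass, field
from typing import Optional

ANY = None  # the "Any" choice in the Where (Location) and Who/What by Group fields


@dataclass(frozen=True)
class Host:
    """Constructed view of a connecting endpoint and the port/SSID it connected on."""
    mac: str
    device_type: Optional[str] = None       # Host > Misc > Device Type
    role: Optional[str] = None              # Host > Policy - Access > Role
    port_groups: frozenset = frozenset()    # port/SSID groups of the connection point
    host_groups: frozenset = frozenset()    # host groups the endpoint belongs to


@dataclass
class UserHostProfile:
    name: str
    where: Optional[frozenset] = ANY                      # Where (Location)
    who_by_group: Optional[frozenset] = ANY               # Who/What by Group
    who_by_attribute: dict = field(default_factory=dict)  # Who/What by Attribute filter

    def matches(self, host: Host) -> bool:
        """All three parts must match; "Any" matches everything."""
        if self.where is not ANY and not (host.port_groups & self.where):
            return False
        if self.who_by_group is not ANY and not (host.host_groups & self.who_by_group):
            return False
        return all(getattr(host, attr) == value
                   for attr, value in self.who_by_attribute.items())


@dataclass(frozen=True)
class NetworkAccessPolicy:
    name: str
    profile: UserHostProfile
    logical_network: str  # resolved to a VLAN per device in its Model Configuration


def first_match(policies, host):
    """Policies are tried in rank order; the first whose profile matches wins."""
    for policy in policies:
        if policy.profile.matches(host):
            return policy
    return None


# The lab's profiles.
CARD_READERS = UserHostProfile("Card Readers", who_by_attribute={"device_type": "Card Reader"})
CAMERAS = UserHostProfile("Cameras", who_by_attribute={"device_type": "Camera"})
CONTRACTORS_NO_ACCESS = UserHostProfile(
    "Contractors - No Access",
    where=frozenset({"-Building 1 Conference Room Ports",
                     "-Nashua Facility Conference Room Ports", "-OpenSSIDs"}),
    who_by_attribute={"role": "Contractor"})
CONTRACTORS = UserHostProfile("Contractors", who_by_attribute={"role": "Contractor"})

# Ranked as the lab ranks them: the restrictive contractor policy sits above the
# production one, so a contractor in a conference room never reaches production.
RANKED_POLICIES = [
    NetworkAccessPolicy("Card Readers Access Policy", CARD_READERS, "Card Readers"),
    NetworkAccessPolicy("Cameras Access Policy", CAMERAS, "Cameras"),
    NetworkAccessPolicy("No Contractor Access", CONTRACTORS_NO_ACCESS, "No Access"),
    NetworkAccessPolicy("Contractor Access", CONTRACTORS, "Contractors"),
]


def provision(host: Host, policies=RANKED_POLICIES):
    """Return (policy name, logical network), or None when no policy matches."""
    policy = first_match(policies, host)
    return None if policy is None else (policy.name, policy.logical_network)


if __name__ == "__main__":
    in_conf_room = Host("00:11:22:00:00:03", role="Contractor",
                        port_groups=frozenset({"-Building 1 Conference Room Ports"}))
    print(provision(in_conf_room))                               # No Access
    print(provision(in_conf_room, list(reversed(RANKED_POLICIES))))  # production, wrong
```

A host that matches no profile gets no policy from this list, which in the lab is what leaves rogues to the state-based enforcement groups configured in Lab 6 rather than to a network access policy.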
To create network access policies for cameras
1. Click the Network Access tab, and click Add.
The Add Network Access Policy window opens.
2. In the Name field, type Cameras Access Policy.
3. In the User/Host Profile drop-down list, select Cameras.
4. To the right of the Network Access Configuration field, click the Add Network Access Configuration button.
The Add Network Access Configuration window opens.
5. In the Name field, type Camera Access.
6. In the Logical Networks drop-down list, select Cameras.
7. In the Note field, type Assigns access for cameras.
8. On the Add Network Access Configuration window, click OK.
9. On the Network Access Policies window, in the Note field, type Assigns all cameras to the networks defined by the Cameras logical network on each device, and click OK.
You will now have two network access policies listed.
10. Click Host > Host View.
11. Create a custom filter to display all card readers or cameras.
12. Right-click individual devices, and select Policy Details, to verify that the card reader and camera policies are being assigned.

Exercise 2: Creating User/Host Profiles and Network Access Policies for Contractors

In this exercise, you will create user/host profiles that will identify contractors when they are connected to the network. You will then create network access policies for dynamic provisioning of the contractors.

Configure User/Host Profiles That Identify Contractors

You will create the necessary network access policies for the auto provisioning of contractors.

To create a profile to block contractor access
1. Click Policy > Policy Configuration.
The User/Host Profiles window opens.
2. Verify that the User/Host Profiles tab is selected, and click Add.
The Add User/Host Profile window opens.
3. In the Name field, type Contractors - No Access.
4. To the right of the Where (Location) field, click Select.
5. In the Select Location window, select -Building 1 Conference Room Ports, -Nashua Facility Conference Room Ports, and -OpenSSIDs in the All Groups panel, click > to move them to the Selected Groups panel, and then click OK.
6. Leave the Who/What by Group field set to Any.
7. To the right of the Who/What by Attribute field, click Add.
The Filter window opens.
8. Click the Host tab, and in the Policy - Access section, select Role, and then in the drop-down list, select Contractor.
9. On the Filter window, click OK.
10. On the Add User/Host Profile window, click OK.
You will now have a user/host profile that identifies contractors connected to conference room ports and nonsecure SSIDs.

To create a profile to identify contractors
1. Verify that the User/Host Profiles tab is selected, and click Add.
The Add User/Host Profile window opens.
2. In the Name field, type Contractors.
3. Leave the Where (Location) field set to Any.
4. Leave the Who/What by Group field set to Any.
5. To the right of the Who/What by Attribute field, click Add.
The Filter window opens.
6. Click the Host tab, and in the Policy - Access section, select Role, and in the drop-down list, select Contractor, and then click OK.
7. Click OK.
You now have a user/host profile that identifies all contractors.

To create network access policies to block contractor access
The ranking of policies is very important. The first matched policy will be applied to the user or host. In this exercise, you will rank the restrictive policies (no access) higher than the production access policies.
1. From the User/Host Profiles window, click the Network Access tab.
2. Click Add.
The Add Network Access Policy window opens.
3. In the Name field, type No Contractor Access.
4. In the User/Host Profile drop-down list, select Contractors - No Access.
5. To the right of the Network Access Configuration drop-down list, click the Add Network Access Configuration button to create a new configuration.
6. In the Name field, type Restricted Access.
7. In the Logical Network drop-down list, select No Access.
8. Click OK on both windows.

To create network access policies to allow contractor access
1. Continuing in the Network Access tab, click Add.
2. In the Name field, type Contractor Access.
3. In the User/Host Profile drop-down list, select Contractors.
4. Click Add Network Access Configuration to create a new configuration.
5. In the Name field, type Contractor Production Access.
6. Set Logical Network to Contractors.
7. Click OK on both windows.

Note that you are not only leveraging the logical networks defined at each device, but also leveraging one of the existing state-based isolation VLANs (DeadEnd) in a network access policy.

To create an endpoint compliance policy for contractors
1. In the panel on the right, click the Endpoint Compliance tab, and then click Add.
The Add Endpoint Compliance Policy window opens.
2. In the Name field, type Fortinet Contractor Compliance Policy.
3. In the User/Host Profile drop-down list, select Contractors.
4. Click Add Endpoint Compliance Configuration to create a new endpoint compliance configuration.
The Add Endpoint Compliance Configuration window opens.
5. In the Name field, type Fortinet Contractor Endpoint Compliance.
6. Click the Add Scan icon.
The Add Scan window opens.
7. In the Name field, type Fortinet Contractor Scan.
8. Select Scan on Connect.
9. Leave the rest of the scan settings at their default values.
10. Click the Windows tab.
11. With the category set to Anti-Virus, select FortiClient.
12. With the category set to Operating System, select the following:
• Windows 7
• Windows 7 x64
• Windows 10
• Windows 10 x64
13. Click the Mac OS X tab.
14. With the category set to Anti-Virus, select FortiClient.
15. With the category set to Operating System, select the following:
• 10.12 Sierra
• 10.13 High Sierra
16. Click OK.
17. In the Scan drop-down list, select Fortinet Contractor Scan.
18. Click the Agent tab.
19. Select Latest Persistent Agent for Windows and Mac OS X.
20. Select None-Deny Access for all other options.
21. Click OK.
22. Verify that Fortinet Contractor Endpoint Compliance is selected for Endpoint Compliance Configuration, and click OK.

Create a Backup of the FortiNAC Database (Optional)

You will back up the FortiNAC database.

To back up the FortiNAC database
1. In the System menu, select Settings.
2. In the panel on the left, expand the System Management folder.
3. Select Database Backup/Restore.
4. In the Schedule Database Backup portion of the Database Backup/Restore view, click the Run Now button.
A new entry will appear in the Database Restore field with the current date and timestamp.

Lab 8: Guest and Contractor Services Configuration

In this lab, you will create a contractor template to define the capabilities of your contractors. Then, you will create an administrative profile and administrative user to act as your guest/contractor manager. Next, acting as the guest/contractor manager, you will create a contractor account. Finally, you will register the lab Windows machine to the contractor.

Objectives
• Create a contractor template, administrative profile, and administrative user for contractor management
• Create and test a contractor account

Time to Complete
Estimated: 20 minutes

Exercise 1: Creating a Contractor Template

In this exercise, you will create a contractor template that defines the attributes of all accounts built from that template. You will then create an admin profile that will grant an administrative user the ability to create and manage contractor accounts.

Create a Contractor Template and an Administrative Sponsor

Guest and contractor templates define the characteristics of the accounts created from them. You can create administrative sponsors for delegation of contractor management.

To create a guest/contractor template
1. In the Users drop-down menu, click Guest/Contractor Templates.
2. Click Add to create a new template.
3. In the Name field, type Fortinet Contractor.
4. In the Visitor Type drop-down menu, click Contractor.
5. Click Select Role, and in the drop-down menu, click Contractor.
6. In the Password Length field, type 5, and click Use Mobile-Friendly Exclusions.
7. Click Account Duration, and in the Hours field, type 744.
8. Leave the remaining settings at their default values, and click the Data Fields tab.
9. On the Data Fields tab, select Ignore for all settings, except the following:
• First Name
• Last Name
• Email
• Phone
10. Click OK.

To create an administrative profile for guest and contractor management
1. In the Users drop-down menu, click Admin Profiles.
2. In the Admin Profiles view, verify that the Admin Profiles tab is selected.
3. Click Add to create a new administrative profile.
4. Configure the following settings:
   Field                    Value
   Name                     Guest and Contractor Manager
   Logout After             20
   Login Availability       Always
   Manage Hosts and Ports   All
   Note                     Profile for management of all guest and contractor accounts
5. Select Associated users do not expire.
6. On the General tab, leave the other settings at their default values.
7. Click the Permissions tab.
8. In the row for the Guest/Contractor Accounts permissions set, select the checkboxes in the Access and Custom columns.
When you select Custom, a new Manage Guests tab appears.
9. Click the Manage Guests tab.
10. Configure the following settings:
   Field                        Value
   Guest Account Access         All Accounts
   Account Types                Individual
   Create accounts              5
   Create accounts active for   45
   Allowed Templates            Specify Templates
11. In the Selected Templates window, remove all the templates except Fortinet Contractor.
12. Click OK.

To create an administrative user for guest and contractor management
1. In the Users drop-down menu, click Admin Users.
2. Click Add to create a new admin user.
3. In the User ID field, type Larry, and click OK.
You are informed that the user ID was found in the directory.
4. Click OK.
The Add User window opens with Larry's information imported from LDAP.
5. In the Admin Profile drop-down list, click Guest and Contractor Manager.
6. Click OK.

Exercise 2: Creating and Testing a Contractor Account

In this exercise, you will create a contractor account using the template from the previous exercise. You will then register the Windows 7 system as a contractor machine.

Create and Validate a Contractor Account

Contractor accounts are used to grant the required access to a contractor. You will create a contractor template and an administrative sponsor to manage the contractors. You will then access the system as the sponsor, to create and validate the account.

To create a Fortinet contractor
1. Log out of the FortiNAC GUI.
2. Log back in to the FortiNAC GUI, with the username Larry and password 123.
3. Accept the End User License Agreement.
The Guest/Contractor Accounts window opens.
4. Click Add to create a new contractor account with the following settings:
   Field                Value
   Template             Fortinet Contractor
   Email                joe.contractor@fortinet.com
   Password             <This will be autogenerated>
   Account Start Date   Set the date to today
   Account End Date     Set the date to 3 weeks from now
   First Name           Joe
   Last Name            Contractor
   Phone                555-0152
Notice that the only available option in the Template drop-down list is Fortinet Contractor. This is because it is the only template that was made available in Larry's administrative profile.
5. Click OK.
The View Accounts window opens with the following information:
• User: joe.contractor@fortinet.com
• Password: (Note the autogenerated password for use in the next steps)
6. Click Close.

To register a host as a Fortinet contractor and verify the policy
1. Go to the Windows 7 client lab system.
2. Open Firefox.
3. In the Bookmarks menu, click Hacker Site.
The website should load correctly.
4. In the Bookmarks menu, click Contractor Registration.
5. On the Registration page, select the Contractor Registration login option.
6. Use the credentials from the contractor account you created, and register your lab system.

To test the contractor policy
1. In the Bookmarks menu, click Hacker Site.
You should receive a Web Page Blocked! message. The web page is blocked by the FortiGate IPv4 policy that you created in a previous lab. The endpoint is now a member of the Contractors group on FortiGate because of the firewall tag and network access policy configured on FortiNAC.

Create a Backup of the FortiNAC Database (Optional)

You will back up the FortiNAC database.

To back up the FortiNAC database
1. In the System menu, click Settings.
2. In the panel on the left, expand the System Management folder.
3. Click Database Backup/Restore.
4. In the Schedule Database Backup portion of the Database Backup/Restore view, click Run Now.
A new entry will appear in the Database Restore field with the current date and timestamp.

Lab 9: FortiNAC Integration Using SNMP and Syslog

In this lab, you will perform the necessary configurations to integrate a security device capable of issuing SNMP traps with FortiNAC. Then, you will model the device as a pingable device, so that FortiNAC will accept the traps from the device. Next, you will perform the same procedures for a security device that issues syslog messages. Finally, you will set up help desk notifications that will be sent when the alarm is triggered.

Objectives
• Configure an integration with a device that issues SNMP traps
• Configure an integration with a device that issues syslog messages
• Configure notifications for alarms

Time to Complete
Estimated: 30 minutes

Exercise 1: Creating an Integration Using SNMP Trap Input

In this exercise, you will create an integration with a third-party device, using SNMP traps as input sent to FortiNAC.

Configure a Third-Party Integration Using SNMP Traps

Integration with third-party systems allows for the creation of events, alarms, and the automated execution of actions. You will create a custom trap configuration for a security device and then test the integration by validating event and alarm creation.

To integrate with devices using SNMP traps
1. On the System menu, click Settings.
The Settings view opens.
2. On the left side of the screen, in the navigation panel, expand the System Communication folder, and select Trap MIB Files.
3. At the bottom of the screen, click Add MIB.
The Add MIB window opens.
4. Configure the following settings:
   Field                              Value
   MIB File Name                      TrainingTrap
   Label                              Content Violation Event
   Specific Type                      23
   Enterprise OID                     1.3.6.1.4.1.1826
   IP Address OID                     1.3.6.1.4.1.1826.1.0.0.5
   MAC Address OID                    (leave this field empty)
   User ID OID                        (leave this field empty)
   Alarm Cause                        Possible Violation of Web Content Rules
   Event Format (Java Message API)    Event caused by {4}
5. Click OK.
6. On the Network Devices menu, click Topology.
7. Right-click the container named Security Devices.
8. Click Add Pingable Device.
The Add Pingable Device dialog opens.
9. On the Element tab, configure the following settings:
   Field              Value
   Add to Container   Security Devices
   Name               Guardian
   IP Address         192.168.0.22
   Physical Address   00:50:8B:EE:0E:7A
   Device Type        IPS/IDS
   Incoming Events    Not Applicable
   SSO Agent          Not Applicable
   Role               NAC-Default
   Description        Guardian is an inline security device
   Note               John Doe manages this device
10. Enable Contact Status Polling, and set it for 10 minutes.
11. On the Details tab, configure the following settings:
   Field                    Value
   Machine Name             Guardian
   Department               IT Security
   Owner                    John Doe
   Administrative Contact   jdoe@fortinet.com
   Geographical Location    Data Center
   Business Purpose         Network Security
   BOOTP Address            (leave this field empty)
   Print Queue              (leave this field empty)
12. Click OK.

To validate the integration
1. On the Windows 7 client desktop, double-click the SendTrap tool.
2. Return to the Jumpbox, and on the Logs menu, click Events.
3. In the Filter section, click the Update button, and then look for a Content Violation Event.

Exercise 2: Creating an Integration Using Syslog Input

In this exercise, you will create an integration with a third-party device, using syslog messages as input sent to FortiNAC.

Configure a Third-Party Integration Using Incoming Syslog Information

Integration with third-party systems allows for the creation of events, alarms, and the automated execution of actions. You will integrate with a security device by creating a custom syslog parser for that device, and then test the integration by validating event and alarm creation.

To integrate using syslog messages as input
1. On the System menu, click Settings.
The Settings view opens.
2. On the left side of the screen, in the navigation panel, expand the System Communication folder, and select Syslog Files.
3. At the bottom of the screen, click Add.
The Add SysLog File window opens.
4. Configure the following settings:
   Field                    Value
   Processing Enabled       <check>
   Name                     Our-IDS
   Event Label              Big Brother IDS
   Format                   CSV
   Delimiter                Comma (,)
   IP Column                2
   Filter Column            3
   Filter Values            DoS Attack
   Severity Tag/Column      4
   Low Severity Values      30 32 1254
   Medium Severity Values   40 46 67 123
   High Severity Values     50 1280 1423
5. Click OK.
6. On the Network Devices menu, click Topology.
7. Right-click the container named Security Devices, and click Add Pingable Device.
The Add Pingable Device dialog opens.
8. On the Element tab, configure the following settings:
   Field              Value
   Add to Container   Security Devices
   Name               Big Brother IDS
   IP Address         10.10.4.55
   Physical Address   00:50:56:B8:45:28
   Device Type        IPS/IDS
   Incoming Events    Syslog (in the drop-down list, click Big Brother IDS)
   SSO Agent          Not Applicable
   Role               NAC-Default
   Description        Big Brother is an inline Security Device
   Note               John Doe manages this device
9. Enable Contact Status Polling, and set it for 10 minutes.
10. On the Details tab, configure the following settings:
   Field                    Value
   Machine Name             Big Brother
   Department               IT Security
   Owner                    John Doe
   Administrative Contact   jdoe@fortinet.com
   Geographical Location    Data Center
   Business Purpose         Network Security
   BOOTP Address            (leave this field empty)
   Print Queue              (leave this field empty)
11. Click OK.

Exercise 3: Configuring an Administrative Group for Alarm Notification

In this exercise, you will configure an alarm to automatically notify an administrative user group when that alarm is generated.

Configure an Administrative Group for Automated Notification of Alarms

Alarm information can be automatically passed to members of administrative groups, in the form of email or SMS messages. You will create an administrative group to represent the help desk users. Then, you will use this group for notifications when the alarm is generated.

To create a help desk user and group
1. On the Users menu, click Admin Profiles.
2. Click Add.
3. In the Name field, type Helpdesk Level 1.
4. Keep the default values for all other settings on the General tab.
5. On the Permissions tab, select the Access checkbox for the Event/Alarm Management permission set.
6. Click OK.
7. On the Users menu, click Admin Users.
8. Click Add.
9. In the User ID field, type dgray, and then click OK.
A notification pop-up window should inform you that the user ID was found in the directory.
10. Click OK.
11. On the Add User window, in the Admin Profile drop-down list, click Helpdesk Level 1.
12. In the Email field, type dgray@fortinet.com, and then click OK.
13. On the System menu, click Groups.
14. To create a new group, click Add.
15. In the Name field, type Level 1 Helpdesk Users.
16. In the Group Type drop-down list, click Administrator.
17. Move Gray, Dorian to the Selected Members list.
18. Click OK.

To configure an alarm notification
1. On the Logs menu, click Event to Alarm Mappings.
2. At the bottom of the screen, click Add.
3. Configure the following settings:
4. Click OK.

Lab 10: FortiNAC Automated Threat Response

In this lab, you will perform the configurations that are necessary to integrate with security appliances capable of sending security alert messages to FortiNAC. Then, you will model the device as a pingable device, so that FortiNAC accepts messages from the device. Next, you will create a new event parser to handle incoming security events from a system that did not have a parser. Finally, you will create a series of security rules for security event generation, alarm generation, and the execution of automated actions.

Objectives
• Integrate with third-party security devices and configure notification groups
• Create security rules for the generation of security events and alarms with automated actions

Time to Complete
Estimated: 35 minutes

Exercise 1: Integrating With FortiGate for Automated Response

In this exercise, you will configure FortiNAC to parse syslog input from FortiGate.

To configure FortiNAC to process incoming events from FortiGate
1. Click Network Devices > Topology.
2. Under the topology tree, expand the Security Devices tree, and select FortiGate-Edge.
3. Click the Element tab.
4. To the right of Incoming Events, select Security Events.
A new drop-down menu opens.
5. Select FortiOS5.
FortiNAC will now know how to parse incoming security event (syslog) messages from this device (FortiGate-Edge).
6. Click Save.

The selected parser is named FortiOS5, but it will parse the current FortiOS security events because the format has not changed.

Exercise 2: Creating Security Rules for Automated Threat Response

In this exercise, you will examine how to create security rules that will trigger based on input from external security devices. These security rules are the key to automated responses and threat mitigation.

Build Security Rules

You will build a series of security rules, beginning with a very general rule (a catch-most rule) and then more detailed rules, using security events generated from the initial rule.

To manually build a security rule
1. Click Policy > Policy Configuration.
2. Click the Security Rules tab.
3. Click Add to create a new security rule.
4. Make sure Rule Enabled is selected.
5. In the Name field, type Catch Most.
6. Click the Add Security Trigger icon to create a new security trigger.
7. Configure the following settings:
   Field          Value
   Name           Catch Most trigger
   Time Limit     1
   Filter Match   Any 1
8. In the Security Filters section, click Add to create a new security filter.
9. Select Vendor, and type Fortinet.
10. In the Custom Fields section, click Add, and configure the following settings:
   Field   Value
   Name    CRLEVEL
   Value   high
11. In the Add Field dialog box, click OK.
12. In the Add Security Filter dialog box, click OK.
13. Click Add to create a second security filter.
14. Select Vendor, and type Fortinet.
15. In the Custom Fields section, configure the following settings:
   Field   Value
   Name    CRLEVEL
   Value   critical
16. In the Add Field dialog box, click OK.
17. In the Add Security Filter dialog box, click OK.
18. Click Add to create a third security filter.
19. Select Vendor, and type Fortinet.
20. In the Custom Fields section, click Add, and configure the following settings:
   Field   Value
   Name    LEVEL
   Value   information
21. In the Add Field dialog box, click OK.
22. In the Add Security Filter dialog box, click OK.
23. In the Add Security Trigger dialog box, click OK.
24. In the Add Security Rule dialog box, leave the User/Host Profile set to None.
25. In the Action drop-down list, select Automatic.
26. Click the Add Security Action icon to create a new security action with the following settings:
   Field                 Value
   Name                  Log to SIEM
   On Activity Failure   Continue Running Activities
27. Leave Perform Secondary Task(s) cleared.
28. In the Add Security Action window, in the Activities section, click Add to add a new activity.
29. In the Activity drop-down list, select Send Alarm to External Log Hosts.
30. In the Add Security Activity dialog box, the Add Security Action dialog box, and the Add Security Rule dialog box, click OK.
You will now have a single security rule named Catch Most.
31. Go to the Windows 7 client machine, and open a Firefox browser.
32. Click the News bookmark.
You should receive a Web Page Blocked page.
33. Click the AV Test bookmark.
You should receive a High Security Alert!! message.
34. Click the SecurityRisk bookmark, and let it try to load for a couple of seconds. Then, click X to stop trying to load the page.
35. Return to the Jumpbox Server and the FortiNAC GUI.
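To make the parser and trigger logic of Exercise 1 (FortiOS syslog parsing) and of the Catch Most rule above concrete, here is an added Python example; it is not FortiNAC's or Fortinet's code. It parses FortiOS-style key=value log lines, builds the three Catch Most filters (Vendor Fortinet with CRLEVEL=high, CRLEVEL=critical and LEVEL=information), and evaluates a trigger with Filter Match Any N inside a Time Limit. The "Any N" semantics used here (at least N distinct filters matched by events from the same source IP inside the window) are an assumption, the VENDOR field is supplied by the parser rather than the log, and the sample log lines are constructed.

```python
"""Added example, not FortiNAC's or Fortinet's code: parse FortiOS-style
key=value syslog and evaluate each event against a security trigger shaped
like the lab's Catch Most trigger. Log lines are constructed samples; the
"Filter Match: Any N" semantics (N distinct filters matched by events from
one source IP inside the Time Limit window) are an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value tokens; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios(line: str) -> dict:
    """Return the line's fields with upper-cased names. VENDOR is supplied by
    the parser (the lab's filters match on Vendor), not by the log itself."""
    event = {key.upper(): quoted or bare for key, quoted, bare in _KV.findall(line)}
    event["VENDOR"] = "Fortinet"
    event["_TIME"] = datetime.strptime(f"{event['DATE']} {event['TIME']}", "%Y-%m-%d %H:%M:%S")
    return event


class SecurityFilter:
    """Vendor plus custom fields (CRLEVEL=high, LEVEL=information, ...); all must match."""
    def __init__(self, vendor: str, **custom_fields: str):
        self.vendor = vendor
        self.custom = {name.upper(): value for name, value in custom_fields.items()}

    def matches(self, event: dict) -> bool:
        return event.get("VENDOR") == self.vendor and all(
            event.get(name) == value for name, value in self.custom.items())


class SecurityTrigger:
    def __init__(self, name: str, filters: list, any_n: int = 1, time_limit_min: int = 1):
        self.name, self.filters = name, filters
        self.any_n, self.window = any_n, timedelta(minutes=time_limit_min)
        self._hits = defaultdict(list)  # source IP -> [(event time, filter index)]

    def fires(self, event: dict) -> bool:
        matched = [i for i, f in enumerate(self.filters) if f.matches(event)]
        if not matched:
            return False
        src = event.get("SRCIP", "unknown")
        oldest_allowed = event["_TIME"] - self.window
        # Keep only hits inside the Time Limit window, then add this event's hits.
        recent = [(t, i) for t, i in self._hits[src] if t >= oldest_allowed]
        recent += [(event["_TIME"], i) for i in matched]
        self._hits[src] = recent
        return len({i for _, i in recent}) >= self.any_n


class SecurityRule:
    def __init__(self, name: str, trigger: SecurityTrigger, action: str, activities: list):
        self.name, self.trigger, self.action, self.activities = name, trigger, action, activities

    def evaluate(self, event: dict) -> list:
        """Return one (rule, activity, source IP) tuple per activity to run."""
        if not self.trigger.fires(event):
            return []
        return [(self.name, activity, event.get("SRCIP")) for activity in self.activities]


def build_catch_most(any_n: int = 1, time_limit_min: int = 1) -> SecurityRule:
    """The lab's Catch Most rule: three Fortinet filters, Any 1 within 1 minute."""
    trigger = SecurityTrigger("Catch Most trigger", [
        SecurityFilter("Fortinet", CRLEVEL="high"),
        SecurityFilter("Fortinet", CRLEVEL="critical"),
        SecurityFilter("Fortinet", LEVEL="information"),
    ], any_n, time_limit_min)
    return SecurityRule("Catch Most", trigger, "Log to SIEM", ["Send Alarm to External Log Hosts"])


SAMPLE_LINES = [  # constructed FortiOS-style lines, not captured traffic
    'date=2020-01-10 time=10:15:01 devname="FortiGate-Edge" type="utm" subtype="webfilter" '
    'level="warning" srcip=10.10.4.101 action="blocked" profile="Contractor-Web" '
    'catdesc="Malicious Websites" crlevel="high" msg="URL belongs to a denied category in policy"',
    'date=2020-01-10 time=10:15:07 devname="FortiGate-Edge" type="utm" subtype="virus" '
    'level="warning" srcip=10.10.4.101 action="blocked" profile="default" dtype="Virus" '
    'virus="EICAR_TEST_FILE" crlevel="critical"',
    'date=2020-01-10 time=10:15:20 devname="FortiGate-Edge" type="traffic" subtype="forward" '
    'level="notice" srcip=10.10.4.102 action="accept" crlevel="low"',
    'date=2020-01-10 time=10:15:33 devname="FortiGate-Edge" type="event" subtype="system" '
    'level="information" srcip=10.10.4.102 logdesc="Admin login successful"',
]


def run(lines, rule: SecurityRule) -> list:
    """Feed lines through the parser and rule in order; collect the activities fired."""
    fired = []
    for line in lines:
        if line.strip():
            fired.extend(rule.evaluate(parse_fortios(line)))
    return fired


if __name__ == "__main__":
    for rule_name, activity, src in run(SAMPLE_LINES, build_catch_most()):
        print(f"{rule_name}: {activity} for {src}")
```

With the lab's Any 1 setting the trigger fires on the first matching event, so the traffic log at level notice is the only sample that does not reach the SIEM activity. Raising N shows what the Time Limit is for: matches older than the window no longer count, which keeps a broad catch-most trigger from correlating unrelated events that arrive hours apart from the same host.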
Configure a Denied Category Web Filter Rule

You will create a security rule from a security event generated by the initial Catch Most security rule.

To build a security rule from an existing security event

1. Click Logs > Security Events.
2. Click Update for the filter. Security events should populate the view.
3. Right-click the event with Alert Type = utm and Subtype = webfilter.
4. Click View Details, and scroll through the Event Details to see all the information contained in the alert that FortiGate sent.
5. Leave the Event Details window open, and right-click the same event again. This time, select Create Event Rule.
6. In the Create Event Rule window, in the Available Fields pane, select the following fields, and click > to move them to the Selected Fields pane:
   - Alert Type
   - Subtype
   - PROFILE
   - MSG
   - CATDESC
7. Click OK. The Add Security Trigger window opens with a security filter already created from the fields that you selected. Each selected field must match the value it had in this one event, so choose only the fields that identify the condition (the webfilter subtype, the profile, and the denied category) and not fields that change from event to event, such as the source IP address.
8. In the Name field, type Denied Category.
9. Leave Time Limit and Filter Match as they are, and click OK. The Add Security Rule window opens.
10. Configure the security rule with the following settings:

   Field   Value
   Name    Denied Category Web Filter Matched

11. In the User/Host Profile drop-down list, select Match, and in the second drop-down list, select Fortinet Contractor.
12. Click the Add Security Action icon to add a new security action:

   Field                 Value
   Name                  Notify Help Desk and Log to SIEM
   On Activity Failure   Continue Running Activities

13. Do not select the Perform Secondary Task(s) check box.
14. In the Activities section of the Add Security Action window, click Add to add a new activity.
15. In the Activity drop-down list, select Send Alarm to External Log Hosts, and click OK.
16. Click Add a second time, and in the Activity drop-down list, select Email Group Action. The Add Security Activity pop-up updates and displays two configurations.
17. Configure the following security activity settings:

   Field     Value
   Group     HelpDesk
   Message   A user has attempted to access a denied website. Details were sent to SIEM.

18. In the Add Security Activity window, click OK.
19. In the Add Security Action window, click OK.
20. Leave Send Email when Rule is Matched and Send Email when Action is Taken cleared.
21. Click OK.
22. Close the Event Details window.
23. Click Policy > Policy Configuration.
24. Click the Security Rules tab. You will see two security rules listed: Catch Most and Denied Category Web Filter Matched.

Configure a Virus Infected File (EICAR test file) Rule

You will create a third security rule from a security event generated by the initial Catch Most security rule.

To build a security rule from an existing security event

1. Click Logs > Security Events.
2. Click Update. Security events should populate the view.
3. Right-click the event with Alert Type = utm and Subtype = virus.
4. Select View Details, and scroll through the Event Details to see all the information contained in the alert that FortiGate sent.
5. Leave the Event Details window open, and right-click the same event again.
6. Select Create Event Rule.
7. In the Create Event Rule window, in the Available Fields pane, select the following fields, and click > to move them to the Selected Fields pane:
   - Alert Type
   - Subtype
   - PROFILE
   - DTYPE
8. Click OK. The Add Security Trigger window opens with a security filter already created from the fields that you selected.
9. In the Name field, type Virus Infected File.
10. Leave Time Limit and Filter Match as they are, and click OK.
11. Configure the following settings:

   Field   Value
   Name    Virus Infected File Detected

12. In the User/Host Profile drop-down list, select Match, and in the second drop-down list, select Fortinet Contractor.
13. In the Action drop-down list, select Automatic.
14. Click the Add Security Action icon, and configure a new security action with the following settings:

   Field                 Value
   Name                  Notify Help Desk, SOC, and Log to SIEM
   On Activity Failure   Continue Running Activities

15. Do not select Perform Secondary Task(s).
16. In the Activities section, click Add, and in the Activity drop-down list, select Send Alarm to External Log Hosts.
17. Click OK.
18. Click Add, and in the Activity drop-down list, select Email Group Action, and then configure the following settings:

   Field     Value
   Group     SOC
   Message   A user has attempted to download a file containing a virus. Details have been sent to SIEM.

19. Click OK.
20. Click Add, and in the Activity drop-down list, select Email Group Action, and then configure the following settings:

   Field     Value
   Group     HelpDesk
   Message   A user has attempted to download a file containing a virus. Details have been sent to the SOC and SIEM.

21. In the Add Security Action window, click OK.
22. Leave Send Email when Rule is Matched and Send Email when Action is Taken cleared.
23. Click OK.
24. Close the Event Details window.
25. Click Policy > Policy Configuration.
26. Click the Security Rules tab. You should see three security rules listed: Catch Most, Denied Category Web Filter Matched, and Virus Infected File Detected.
Configure a General Security Risk Rule

You will build a security rule that is more specific than the Catch Most rule, without using an existing security event.

To manually build a security rule without an existing security event

1. Click Policy > Policy Configuration.
2. Click the Security Rules tab.
3. Click Add to create a new security rule.
4. Make sure Rule Enabled is selected, and name the new security rule General Security Risk.
5. To the right of the Trigger field, click the Add Security Trigger icon to create a new security trigger.
6. Name the security trigger General Security Risk Trigger.
7. Leave Time Limit set to 1 second, and Filter Match set to All.
8. In the Security Filters section, click Add to add a new security filter.
9. Select Vendor, and type Fortinet.
10. In the Custom Fields section, click Add, and configure the following settings:

   Field   Value
   Name    SERVICE
   Value   SecurityRisk

11. Click OK.
12. Click OK in the Add Security Filter window and in the Add Security Trigger window.
13. Leave User/Host Profile set to None, and set the Action drop-down list to Automatic.
14. Click the Add Security Action icon to create a new action.
15. Name the new security action Response for General Security Risk.
16. Leave On Activity Failure set to Continue Running Activities, and leave the Perform Secondary Task(s) After check box cleared.
17. In the Activities section, click Add to add a new activity.
18. In the Activity drop-down list, select Send Alarm to External Log Hosts, and click OK.
19. Click Add to add a second activity, and select Disable Host in the drop-down list.
20. Leave the Secondary Task check box cleared, and click OK.
21. In the Add Security Action window, click OK.
22. Select the check box to the left of Send Email when Rule is Matched.
23. From the Admin Group drop-down list, select SOC-Helpdesk-TicketingSystem (an administrator-created group of administrative users who will be notified).
24. Click OK.

Because User/Host Profile is None, this rule applies to every host that FortiGate reports, and with Action set to Automatic the Disable Host activity takes effect without an administrator's approval. Exercise 4 shows how to reverse it with Undo Action.

Exercise 3: Creating a Custom Security Event Parser

In this exercise, you will create a security event parser for integration with third-party devices that do not have an out-of-the-box parser.

Create Customized Security Event Parsers

Customized security event parsers allow integration with nearly any type of security device. You will integrate a new type of security device, generate security events and alarms, and see an automated workflow execute.

To use the event parsers tool to integrate with a firewall

1. Click System > Settings.
2. Open the System Communication folder, and select Security Event Parsers.
3. Click Add to create a new event parser.
4. Fill in the fields as shown in the figure (not reproduced in this text; the character in the CSV Delimiter field is a comma).
5. Click OK to complete the creation of the new syslog event parser.

To model the firewall in the topology view

1. Click Network Devices > Topology.
2. Right-click Security Devices, and select Add Pingable Device.
3. Configure the new security device as shown in the figure (not reproduced in this text).
4. Click OK.

To create a security rule for the old firewall

1. Click Policy > Policy Configuration.
2. In the panel on the left, select Security Rules.
3. Click Add to create a new security rule. The Security Rule window opens.
4. Make sure Rule Enabled is selected.
5. In the Name field, type Old Firewall Rule.
6. Click Add Security Trigger to create a new trigger for this rule. The Security Trigger window opens.
7. Configure the following settings:

   Field          Value
   Name           Old Firewall Trigger
   Time Limit     1 Seconds
   Filter Match   All

8. In the Security Filter section, click Add, and take the following actions:
   a. Select Vendor, and type ACME Corp.
   b. Select Type, and type Alert.
   c. Select Subtype, and type Virus.
   d. Select Description, and type FlashGordon-HotHail-Virus Detected.
   e. Select Severity, and in the Min field, type 7, and in the Max field, type 9.
   f. Click OK.
9. In the Add Security Trigger window, click OK.
10. Set Action to Automatic, and click the Add Security Action icon to create a new security action.
11. In the Name field, type Quarantine Infected Host.
12. In the Activities section of the window, click Add. The Add Security Activity window opens.
13. In the Activity drop-down list, select Mark Host At Risk.
14. In the Primary Task drop-down list, select Quarantine Host.
15. Click OK.
16. Click OK to complete the security rule creation.

To rank the security rules

Security rules are processed in the order they are ranked, so the specific rules must rank above the general Catch Most rule, which would otherwise be evaluated first for every Fortinet event. Select each rule individually, and use the Rank arrows or the Set Rank button to rank the security rules in the following order:

1. Virus Infected File Detected
2. Denied Category Web Filter Matched
3. General Security Risk
4. Old Firewall Rule
5. Catch Most

Exercise 4: Validating Security Rules

In this exercise, you will validate that the security rules are triggered by input from FortiGate.

To validate security events, alarms, and actions

1. Click Logs > Security Events.
2. At the top of the window, configure the filter to show events generated in the last 5 minutes.
3. Click Update. There should be no, or very few, events.
4. Change to the Windows 7 client machine, and launch the Firefox web browser.
5. Click the News bookmark. You should receive a Web Page Blocked message.
6. Click the AV Test bookmark. You should receive a High Security Alert!! message.
7. Click the SecurityRisk bookmark, and let it try to load for a couple of seconds. Then, click X to stop loading the page.
8. Return to the Jumpbox Server, and look at the Security Events view. There should be several entries.
9. Click Logs > Security Alarms. The Security Alarms window opens, and security alarms should be listed in the view.
10. Locate and select the security alarm that has an Action Taken Date listed.
11. At the bottom of the screen, view the entry in the Event tab, and select the Actions Taken tab to validate that the configured actions were taken.
12. Click Undo Action.
13. Return to the Windows 7 client machine.
14. Click the News bookmark.
15. Return to the Jumpbox Server, and look at the Security Events view. There should be entries in the view.
16. Click Logs > Security Alarms. The Security Alarms window opens, and security alarms should be listed in the view for the Denied Category Web Filter Matched rule.
17. Return to the Windows 7 client machine.
18. Click the AV Test bookmark.
19. Return to the Jumpbox Server, and look at the Security Events view. There should be entries in the view.
20. Click Logs > Security Alarms. The Security Alarms window opens, and security alarms should be listed in the view for the Virus Infected File Detected rule.
21. Click Hosts > Host View.
22. In the Search field, type *:9F:10:29 (the last six hex digits of the MAC address noted in the security event), and press Enter. The host record should be displayed, and the Status column should have an X through it, indicating that the host has been disabled.
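As an added worked example that is not part of this lab guide and not FortiNAC code, the following Python script models what Exercises 1 through 4 configure through the GUI: it splits FortiOS key=value syslog lines the way the FortiOS5 parser must, applies a CSV parser standing in for the Exercise 3 custom parser (the ACME Corp column order is an assumption, since the lab's figure is not reproduced here), evaluates each trigger's filters with the Filter Match Any/All semantics, gates rules on the user/host profile, and walks the rules in the rank order from Exercise 3, stopping at the first match. The sample log lines, MAC addresses, FortiGate profile names (contractor-wf, contractor-av), and the host-to-profile table are constructed for this example, and first-match evaluation is this model's assumption, to be confirmed against your FortiNAC release.

```python
# Added example, not FortiNAC code: a model of the security-rule pipeline from
# Exercises 1-4.  Log lines, MACs, profile names, the host table and the ACME
# CSV column order are constructed or assumed for this example.
import csv
import re

# FortiOS syslog bodies are space-separated key=value pairs, quoted when the
# value has spaces.  FortiNAC keeps type/subtype as Alert Type/Subtype and
# exposes the other keys, upper-cased, as custom fields (CRLEVEL, SERVICE...).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortios(line):
    ev = {k.upper(): v.strip('"') for k, v in _KV.findall(line)}
    ev["VENDOR"] = "Fortinet"
    ev["ALERT TYPE"] = ev.pop("TYPE", "")
    return ev

# Stand-in for the Exercise 3 CSV parser; the column order is an assumption.
ACME_COLUMNS = ["VENDOR", "ALERT TYPE", "SUBTYPE", "DESCRIPTION", "SEVERITY", "SRCMAC"]

def parse_acme_csv(line):
    ev = dict(zip(ACME_COLUMNS, next(csv.reader([line]))))
    ev["SEVERITY"] = int(ev["SEVERITY"])
    return ev

def filter_matches(flt, ev):
    """One security filter is a conjunction of its fields; a (min, max)
    tuple is a numeric range like the Severity Min/Max fields."""
    for key, want in flt.items():
        if key not in ev:
            return False
        if isinstance(want, tuple):
            if not want[0] <= int(ev[key]) <= want[1]:
                return False
        elif str(ev[key]) != want:
            return False
    return True

def trigger_fires(trigger, ev):
    """Filter Match Any: one filter suffices; All: every filter must match."""
    mode = any if trigger["match"] == "Any" else all
    return mode(filter_matches(f, ev) for f in trigger["filters"])

F = {"VENDOR": "Fortinet"}
# The five rules in the rank order set in Exercise 3, as (name, required
# profile, filter match, filters, activities).  None = any host.
RULES = [
    ("Virus Infected File Detected", "Fortinet Contractor", "All",
     [{"ALERT TYPE": "utm", "SUBTYPE": "virus", "PROFILE": "contractor-av", "DTYPE": "Virus"}],
     ["Send Alarm to External Log Hosts", "Email SOC", "Email HelpDesk"]),
    ("Denied Category Web Filter Matched", "Fortinet Contractor", "All",
     [{"ALERT TYPE": "utm", "SUBTYPE": "webfilter", "PROFILE": "contractor-wf",
       "MSG": "URL belongs to a denied category in policy", "CATDESC": "News and Media"}],
     ["Send Alarm to External Log Hosts", "Email HelpDesk"]),
    ("General Security Risk", None, "All", [{**F, "SERVICE": "SecurityRisk"}],
     ["Send Alarm to External Log Hosts", "Disable Host"]),
    ("Old Firewall Rule", None, "All",
     [{"VENDOR": "ACME Corp", "ALERT TYPE": "Alert", "SUBTYPE": "Virus",
       "DESCRIPTION": "FlashGordon-HotHail-Virus Detected", "SEVERITY": (7, 9)}],
     ["Mark Host At Risk (Quarantine Host)"]),
    ("Catch Most", None, "Any",
     [{**F, "CRLEVEL": "high"}, {**F, "CRLEVEL": "critical"}, {**F, "LEVEL": "information"}],
     ["Send Alarm to External Log Hosts"]),
]

# Constructed host table: source MAC -> user/host profile FortiNAC assigned.
HOSTS = {"00:11:22:9f:10:29": "Fortinet Contractor", "00:11:22:aa:bb:cc": "Fortinet Employee"}

def evaluate(ev):
    """First rule in rank order whose profile gate and trigger both match,
    as (name, activities), else None.  First-match is this model's assumption."""
    profile = HOSTS.get(ev.get("SRCMAC", "").lower())
    for name, required, match, filters, activities in RULES:
        if required is not None and required != profile:
            continue
        if trigger_fires({"match": match, "filters": filters}, ev):
            return name, activities
    return None

# Constructed events resembling what the News, AV Test and SecurityRisk
# bookmarks make FortiGate log, plus one line from the ACME Corp firewall.
SAMPLES = [
    'type=utm subtype=webfilter level=warning srcmac=00:11:22:9f:10:29 service=HTTP '
    'profile=contractor-wf crlevel=high catdesc="News and Media" '
    'msg="URL belongs to a denied category in policy"',
    'type=utm subtype=virus level=warning srcmac=00:11:22:9f:10:29 service=HTTP '
    'profile=contractor-av crlevel=critical dtype=Virus virus="EICAR_TEST_FILE"',
    'type=utm subtype=ips level=alert srcmac=00:11:22:9f:10:29 service=SecurityRisk crlevel=high',
    # Same denied-category hit from a non-contractor host: the profile gate
    # skips the specific rule, and Catch Most picks it up through CRLEVEL=high.
    'type=utm subtype=webfilter level=warning srcmac=00:11:22:aa:bb:cc service=HTTP '
    'profile=contractor-wf crlevel=high catdesc="News and Media" '
    'msg="URL belongs to a denied category in policy"',
]
ACME_SAMPLE = "ACME Corp,Alert,Virus,FlashGordon-HotHail-Virus Detected,8,00:11:22:9f:10:29"

def run():
    """Matched rule name per sample, in order (None if nothing fired)."""
    events = [parse_fortios(s) for s in SAMPLES] + [parse_acme_csv(ACME_SAMPLE)]
    return [(evaluate(ev) or (None,))[0] for ev in events]
```

Calling run() returns the rule each sample lands on: the webfilter, virus and SecurityRisk events from the contractor host reach their specific rules, the same webfilter event from a non-contractor host falls through to Catch Most, and the ACME line reaches Old Firewall Rule only because its severity 8 sits inside the 7 to 9 range. Move the Catch Most entry to the top of RULES and every Fortinet sample returns Catch Most instead, which is the misconfiguration the ranking step guards against.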
Tips and Tricks

This section provides several helpful tools, commands, and log files to assist with troubleshooting different aspects of the FortiNAC product.

Debug

The following command turns on one or more debug logs for a single device:

    Device -ip 11.17.104.2 -setAttr -name DEBUG -value "debug1 debug2"

Log Files

To access log files, log in to FortiNAC using the CLI.

- Type logs at the prompt.
- tf tails a file. For example: tf output.master
- The MasterLoader log file is output.master.
- The SlaveLoader log file is output.slave.
- The ProbeLoader log file is output.probe.
- The DHCP service log file is dhcpd.log.
- The DNS log file is named.log.

Services

The following commands stop, start, or restart FortiNAC services:

- DHCP service: /etc/init.d/dhcpd stop|start|restart (for example, /etc/init.d/dhcpd stop)
- DNS service: /etc/init.d/named stop|start|restart (for example, /etc/init.d/named start)
- Apache service: /etc/init.d/httpd stop|start|restart (for example, /etc/init.d/httpd restart)
- Tomcat-Portal service: /etc/init.d/tomcat-portal stop|start|restart (for example, /etc/init.d/tomcat-portal stop)
- Tomcat-Admin service: /etc/init.d/tomcat-admin stop|start|restart (for example, /etc/init.d/tomcat-admin stop)

L2 Poll

The following command performs an L2 poll on the specified device:

    UpdateClients -ip 11.17.104.2

L3 Poll

The following command performs an L3 poll on the specified device:

    ReadArpCache -ip 11.17.104.2

Portal

Enter the following as a URL to view a specific portal when there is more than one portal:

    http://<ns>/registration/?portalName=<name>

Captive Portal

If a host is not being moved to the captive VLAN:

- Verify that the Network Sentry (FortiNAC) has the correct configuration for device control (CLI and read/write SNMP security strings) in the Model Configuration.
- Verify that the Network Access Value is correctly set in the Model Configuration.
- Verify that the device is configured correctly.

If a host is in the captive VLAN but is not being presented the captive portal:

- Verify that the host is in the captive VLAN.
- Verify that the host does not have static IP or DNS entries.
- Ping sites that are not in the zones.common (approved) list. All such sites should resolve to the FortiNAC captive interface.
- Ping sites that are in the zones.common (approved) list. These sites should resolve correctly.

Device Profiler

The following commands export and import Device Profiler rules:

- Export DPC rules: DumpDpcRules -dbid 5 -export mydpcrule.xml
- Import DPC rules: DumpDpcRules -import mydpcrule.xml

No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976. Copyright © 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results.
Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.