Lab Guide

The document is a lab guide for the FortiNAC training workshop, focusing on securing IoT devices through improved network visibility and control. It outlines the agenda, objectives, and exercises for participants to configure FortiNAC, including device identification, polling configurations, and automated responses for threat mitigation. The guide emphasizes the importance of understanding the network infrastructure and managing connected devices effectively to enhance security in the IoT landscape.

Uploaded by

Cesar Poveda

Securely Embrace the IoT Revolution with NAC

Lab Guide
FFT-FortiNAC r3-1716496942
Table of contents
1. Introduction (page 3)
1.1. Fast Track Overview (page 4)
1.2. Agenda (page 5)
1.3. Topology (page 6)
2. Visibility (page 7)
2.1. Modeling Network Infrastructure (page 8)
2.2. Configuring Polling (page 11)
2.3. Identifying Devices (page 13)
2.4. Leveraging Network Visibility Views (page 18)
3. Control (page 20)
3.1. Onboarding Guest Devices (page 21)
3.2. Create Guest Template and User/Host Profile (page 22)
3.3. Create Endpoint Compliance and Network Access Policy (page 25)
3.4. Enforcing Access Control (page 28)
3.5. Request Access (page 31)
3.6. Verify Access Control (page 33)
3.1. Security Fabric & Tags (page 35)
3.1.1. Creating Firewall Tags, FSSO Configuration, and Logical Networks (page 36)
3.1.2. Integrating FortiNAC into Security Fabric, Configuring FSSO and Firewall Policy on FortiGate (page 39)
3.1.3. Registering a Contractor Device (page 42)
4. Response (page 44)
4.1. Creating Automated Responses for Rapid Threat Mitigation (page 45)
4.2. Validating Security Events, Alarms and Actions (page 48)
5. Conclusion (page 49)
5.1. Continued Education (page 50)

Securely Embrace the IoT Revolution with NAC Lab Guide
Page 2 of 50 Fortinet Training Institute
1. Introduction

Fast Track Workshops:

Securely Embrace the IoT Revolution with NAC

Background

The proliferation of Internet of Things (IoT) devices has made it necessary for organizations to improve their visibility into
what is attached to their networks. They need to know every device and every user accessing the network, an expensive
business tool.

IoT devices enable digital transformation initiatives and improve efficiency, flexibility, and optimization. However, they are
inherently untrustworthy, with designs that prioritize low cost over security. FortiNAC provides the network visibility to see
everything connected to the network, as well as the ability to control those devices and users, including dynamic, automated
responses.

Attend this technical training workshop to gain hands-on experience configuring FortiNAC to secure IoT devices within the
Fortinet Security Fabric.

Tasks

The blue button at the top of this page is the primary action button. When there is an action that can be completed on the
page, this button will change accordingly.

When ready, click the blue Continue button in the menu at the top of the page to get started.

1.1. Fast Track Overview

The Fast Track program is a collection of free, instructor-led, hands-on workshops that introduce Fortinet solutions for
securing your digital infrastructure.

These workshops are only an introduction to what Fortinet security solutions can do for your organization.

For more in-depth training, we encourage you to investigate our full portfolio of NSE training courses at
https://training.fortinet.com.

1.2. Agenda

Background

Workshops often include more hands-on activities than time permits, and not every exercise suits every opportunity. To
allow for customization, some exercises are optional, giving instructors the flexibility to exclude or rearrange the workshop
flow as needed. Average execution times are provided as an aid in planning and to help instructors ensure their Fast Track
session will stay within the available timeframe. Please take advice from your instructor if you have any questions.

Agenda

In the case of this workshop, the exercises are organized like this:

Section          Topic                                            Time        Prerequisite  Mandatory
1: Introduction                                                   5 Minutes   -             Yes
2: Visibility    Network and endpoint-enhanced visibility         15 Minutes  -             Yes
3: Control       Configure dynamic control capabilities           35 Minutes  2             No
4: Response      Automated responses for rapid threat mitigation  10 Minutes  -             No
Conclusion                                                        1 Minute    -             No

Time to complete: 60 minutes

Tasks

Click Continue to move to the next page.

1.3. Topology

Background

This diagram is a useful reference tool while working on the lab exercises. The following topology diagram shows the
starting layout for this workshop.

Topology

Tasks

Click Continue to move to the next page.

This is the last time we will specifically tell you to click the Continue button; from now on, it is assumed that the Continue
button is used to move forward in the lab.

2. Visibility
Introduction

The proliferation of Internet of Things (IoT) devices has made it necessary for organizations to improve their visibility into
what is attached to their networks.

They need to know every device and every user accessing their networks. FortiNAC can see every device and user when it
connects to the network, providing complete visibility into what is connecting and connected. This visibility includes not just
seeing an IP address but profiling the device and identifying what type of device it is, so that IT knows what is connecting to
the network.

In this lab objective, you create topology containers for modeling network infrastructure, and configure layer 3 polling and
device profiling rules to identify connected network devices.

Time to Complete

Estimated: 15 minutes

2.1. Modeling Network Infrastructure

Background

In this exercise, you create a topology container to organize the infrastructure devices.

Next, you model a network switch to gain visibility of network-connected devices.

Then you model a FortiGate for enhanced endpoint visibility and future automated response integrations.

Tasks

Create Topology Containers

1. From the Lab Activity: FortiNAC tab, access FortiNAC via the HTTPS option using the following credentials:
Username: admin Password: Fortinet1!

2. Click Network > Inventory

3. Right-click Fortinet Training and click Add Container.

4. The Add Container dialog will appear. Use the following settings:
Name: Building 1
Note: Container for building 1 network switch

5. Click OK.

6. Right-click Fortinet Training and click Add Container.

7. Use the following settings:


Name: Security Devices
Note: Container for security devices

8. Click OK.

Model an SNMP-capable switch

1. Locate the Building 1 container, right-click it, and click Add Device.

2. Use the following settings:


Add to Container: Building 1
IP Address: 192.168.0.26
SNMP Protocol: SNMPv1
Security String: public
User Name: leave blank
Password: leave blank
Enable Password: leave blank

Protocol: SSH 2

3. Click OK. The new device, called Building 1 Switch, appears within the container.

4. Expand the Building 1 branch and select the device. The Ports tab shows all physical ports discovered on the device as
well as the devices connected to each port.

Model FortiGate-Edge

1. Locate the Security Devices container, right-click, and click Add Device.

2. Use the following settings:


Add to Container: Security Devices
IP Address: 192.168.0.101
SNMP Protocol: SNMPv1
Security String: public
User Name: admin
Note: Type the username manually
Password: Fortinet1!
Note: Type the password manually
Enable Password: leave blank
Protocol: SSH 2

3. Click OK. The FGT-Edge appears within the container.

Model FortiGate-ISFW

1. Locate the Security Devices container, right-click, and click Add Device.

2. Use the following settings:


Add to Container: Security Devices
IP Address: 192.168.0.103
SNMP Protocol: SNMPv1
Security String: public
User Name: admin
Note: Type the username manually
Password: Fortinet1!
Note: Type the password manually
Enable Password: leave blank
Protocol: SSH 2

3. Click OK. The FGT-ISFW appears within the container.

4. Expand FGT-ISFW
Note: The FortiSwitch managed by FortiGate-ISFW should appear within the container.

Note: If you don’t see the FortiSwitch, continue to the next lab objective. It will appear after a few minutes, once FortiNAC
polls the connected devices.

Question

Out of the following, which settings must be enabled on a switch to be successfully managed by FortiNAC? (Select all that
apply)

Stop and Think

SNMP community read/write access

802.1x authentication

SMTP access

CLI access via SSH/Telnet

2.2. Configuring Polling

Configure Layer 3 Polling

In this exercise, you configure the FortiNAC to gather layer 3 (IP Address) information from the FortiGate to enhance
endpoint visibility.

1. Click Network > L3 Polling

2. Set Display to All Devices.

3. Right-click FGT-EDGE and click Set Polling at the top of the screen.

4. Turn on the Enable Polling checkbox and use the following settings:
Interval: 5 Minutes
Priority: Low

5. Click OK.

6. Right-click FGT-ISFW and click Set Polling at the top of the screen.

7. Turn on the Enable Polling checkbox and use the following settings:
Interval: 5 Minutes
Priority: Low

8. Click OK.

Configure Layer 2 Polling

1. Click Network > L2 Polling

2. Right-click FGT-ISFW and click Set Polling at the top of the screen.

3. Turn on the Enable Polling checkbox and use the following settings:
Interval: 5 Minutes

4. Click OK.

Question

How does FortiNAC gather host information from the network infrastructure? (Select all that apply)

Stop and Think

L2 polling

L3 polling

Security triggers

FortiNAC agent installation

2.3. Identifying Devices

Background

In this exercise, you configure FortiNAC to identify connected network devices using device profiling.

Tasks
Create a Device Profiling Rule for IP Phones

1. Click Users & Hosts > Device Profiling Rules. All existing rules should be disabled.

2. Click Add.

3. In the General tab, use the following settings:


Turn on Enabled
Name: Lab IP Phones
Description: Identifies corporate IP phones
Registration: Automatic
Type: IP Phone
Role: NAC-Default
Register as: Device in Host View
Access Availability: Always
Turn on the Confirm Device Rule on Connect
Turn on the Confirm Device Rule on Interval and set it to 1 Days

4. Click the Methods tab.

5. Select Vendor OUI and click Add.

6. Select Vendor Code from the Field drop-down list. Set Value to 00:06:5B and click OK.

7. Click Add.

8. Select Vendor Code from the Field drop-down list. Set Value to 00:08:74 and click OK.

9. Click OK.

10. The new device profiling rule will appear in the rules list as the only enabled rule. Select the rule and use Set Rank to set
the rule rank to 1.

Create a Device Profiling Rule for Card Readers

1. Click Add.

2. In the General tab, use the following settings:


Turn on Enabled
Name: Card Readers
Description: Identify all security badge readers
Registration: Automatic
Type: Card Reader
Role: NAC-Default
Register as: Device in Host View
Turn on Add to Group and select Card Readers
Access Availability: Always
Turn on the Confirm Device Rule on Connect
Turn on the Confirm Device Rule on Interval and set it to 2 Days
Turn on Disable Device If Rule No Longer Matches Device

3. Click the Methods tab.

4. Select Vendor OUI and click Add.


Note: Ignore the vendor codes added previously if they appear here. This lab works with those vendor codes present, but in a
real environment you should delete any codes that do not belong to this rule.

5. Select Vendor Code from the Field drop-down list. Set Value to 00:10:8D and click OK.

6. Click Add.

7. Select Vendor Code from the Field drop-down list. Set Value to 00:01:E6 and click OK.

8. Click OK.

9. Select the rule and use Set Rank to set the rule rank to 2.

Create a Device Profiling Rule for Cameras

1. Click Add.

2. In the General tab, use the following settings:
Turn on Enabled
Name: IP Cameras
Description: Security Cameras
Registration: Automatic
Type: Camera
Role: NAC-Default
Register as: Device in Host View
Access Availability: Always
Turn on the Confirm Device Rule on Connect

3. Click the Methods tab.

4. Select Vendor OUI and click Add.


Note: Ignore the vendor codes added previously if they appear here. This lab works with those vendor codes present, but in a
real environment you should delete any codes that do not belong to this rule.

5. Select Vendor Code from the Field drop-down list. Set Value to 00:03:E3 and click OK.

6. Click Add.

7. Select Vendor Code from the Field drop-down list. Set Value to 00:0D:56 and click OK.

8. Click OK.

9. Select the rule and use Set Rank to set the rule rank to 3.

Create a Device Profiling Rule for Environmental Control Units

1. Click Add.

2. In the General tab, use the following settings:


Turn on Enabled
Name: Environment Control Units
Description: Identify all corporate environmental control units
Registration: Automatic
Type: Environmental Control
Role: NAC-Default
Register as: Device in Host View
Access Availability: Always

Turn on the Confirm Device Rule on Connect

3. Click the Methods tab.

4. Select the SNMP method and use the following settings:


OID: 1.3.6.1.2.1.1.2.0
Port: 161
SNMP V1 Security String: Click Add and enter a security string: public
Check the Match box and click Add to enter a value of: 1.3.6.1.4.1.673.5685

5. Select TCP and set two ports: 2214, 3612

6. Click OK.

7. Select the rule and use Set Rank to set the rule rank to 4.

Profile Existing Rogues

1. Click Run at the top of the page.

2. A dialog box appears asking if you are sure you want to evaluate all rogues. Click Yes.

3. FortiNAC evaluates all rogues that currently exist in its database.

4. Click Users & Hosts > Profiled Devices.

5. Click Update. FortiNAC has now identified many of the devices on the network.

Question

What are the components of a device profiling rule?

Stop and Think

A user/host profile and registration settings

Methods and registration settings

Methods and network access policy settings

Filters and triggers

2.4. Leveraging Network Visibility Views

Background

In this exercise, you utilize the host view to gather inventory information about network devices and export that information.

Tasks

Create a Custom Filter and Export the Results

1. Click Users & Hosts > Hosts.

2. From the Quick Search drop-down list, click + Create.

3. Enter the filter name as IP Cameras.

4. Set the type to Shared and click OK.


Note: A Shared Filter window should pop up.

5. In the Shared Filter window, click the Host tab.


Note: If you do not see the Shared Filter window, open the Quick Search drop-down list and edit the IP Cameras filter
by clicking the pencil icon.

6. In the Misc section, turn on Device Type, select Camera from the drop-down list, and click OK.

7. From the Quick Search drop-down list, select the IP Cameras filter.
Note: The Hosts view displays all the IP cameras.

8. Select one IP camera and click Show Adapters to see the Device Location, Physical Address, Connected Container,
Vendor Name, and other adapter information.

Use a Quick Filter and Export Results

1. Change the filter and select the Quick Search filter from the drop-down list.

2. In the search field, enter 00:10:8D* and press Enter.

3. The Hosts view updates and displays the card readers.

Question

Which view would you use to locate a host and gain access to detailed host information?

Stop and Think

Topology view

User/host profile view

Host view

Profiling view

3. Control
Introduction

Control of connecting and connected devices allows network administrators to enforce strict access policies.

An environment without efficient and timely control capabilities could be at the mercy of untrusted, potentially malicious
devices impacting productivity and straining IT resources. FortiNAC supplies comprehensive control at the point of
connection, both pre-connect and post-connect, blocking untrusted devices while granting precise access to trusted devices.

Once the devices are profiled, FortiNAC can segment the network to restrict device access to only those assets it needs to
reach.

This level of network segmentation protects against compromised IoT devices scanning the network and attacking
sensitive corporate data.

Time to Complete

Estimated: 35 minutes

3.1. Onboarding Guest Devices

Introduction

With network infrastructures changing via digital transformation (e.g., bring your own device [BYOD], Internet of Things
[IoT], and cloud) and targeted threats against endpoints growing more frequent and sophisticated, outdated access controls
are exposing enterprise networks to undue risk.

First-generation NAC products functioned to authenticate and authorize endpoints (primarily managed PCs) using simple
scan and block technology.

The evolution to second-generation NAC solutions addressed the emerging demand for managing guest access, such as
visitors, contractors, and business partners, to corporate networks.

FortiNAC offers a third-generation NAC solution that identifies, validates, and controls every wired, wireless, or VPN
connection before access is granted.

3.2. Create Guest Template and User/Host Profile

Tasks

Create a Guest Template

1. From the web browser, access FortiNAC using the web console.

2. Click Users & Hosts > Guests & Contractors.

3. Click Templates located at the top right corner.

4. Click Add

5. In the Required Fields window, fill in the following information:


Template Name: Guest Users
Visitor Type: Self-Registered Guest
Role: GuestSelfRegistration (choose it from the Select Role list)
Password Length: 5
Account Duration: 8 (hours)

6. Click the Data Fields tab, and set the following fields using the drop-down list:
First Name: Required
Last Name: Required
Email: Required
Person Visiting: Required

7. Set all remaining fields to Ignore.

8. Click OK.

Assign Guest Template to Portal Configuration

1. Click Portal > Portal Configuration

2. Expand Registration and click Self Registration Login

3. Set Required Sponsor Approval to None from the drop-down list.

4. Scroll down to Default Guest Template and select Guest Users template from the drop-down list.

5. Click Apply

Create a Guest User/Host Profile

1. Click Policy & Objects > User/Host Profiles

2. Click +Create New and use the following information:


Name: Self Registered Guest Users

3. For Who/What, toggle ON.

4. Under Attributes (Satisfy Any of the Following), click +.

5. For Where, choose Host from the drop-down list.

6. In the second drop-down list, under Policy-Access, choose Role.

7. In the third drop-down list, choose GuestSelfRegistration.

8. Still under Who/What Attributes, click + at the bottom to configure another attribute.

9. For Where, choose User from the drop-down list.

10. In the second drop-down list, under Policy-Access, choose Role.

11. In the third drop-down list, choose GuestSelfRegistration.

12. For Where, toggle ON and choose Locations: Any Of.

13. Click OK

3.3. Create Endpoint Compliance and Network Access Policy

Create a Guest Endpoint Compliance Policy

1. Click Policy & Objects > Endpoint Compliance

2. Click +Create New and enter Name: Guests ECP

3. For Configuration, click + Create in the drop-down list.

4. Enter the following Name: ECC

5. In the Scan drop-down list, click the pencil icon beside OS-Anti-Virus-Check.

6. Click the Windows tab.

7. Make sure the Category is set to Anti-Virus, and beside Validate, make sure Any is selected from the drop-down list.

8. Click the + tab at the bottom of the list.

9. Click All, then Close.

10. Click the Operating System tab.

11. Click the X icon to delete the following operating systems:


Windows-7
Windows-7-x64

12. Click OK

13. Click the Scan drop-down list and choose the OS-Anti-Virus-Check scan.

14. Under the Operating System Agent/Treatment section, make sure Windows is set to the Latest Dissolvable Agent.

15. Click OK.

16. Beside Configuration, click the drop-down list and choose ECC.

17. For User/Host Profile, choose Self Registered Guest Users from the drop-down list.

18. Click OK

Create a Guest Network Access Policy

1. Click Policy & Objects

2. Click Network Access and Click +Create New

3. Enter Name: Restricted Guest Access

4. From the Configuration drop-down menu, click + Create

5. Use the following Network Access Configuration information:
Name: Guest Network
Logical Network: Click + Create and enter the Name as Guest

6. Click OK

7. Beside Logical Network, choose Guest and click OK.

8. Beside Configuration, click the drop-down list and choose Guest Network.

9. From the User/Host Profile drop-down list, choose Self Registered Guest Users

10. Click OK

3.4. Enforcing Access Control

Review FortiSwitch VLAN Configuration

1. From the Lab Activity: FortiNAC tab, access FGT-ISFW via the HTTPS option using the following credentials
Username: admin Password: Fortinet1!

2. Click WiFi & Switch Controller

3. Click FortiSwitch VLANs


Note: FortiSwitch is set up as a managed switch via FortiGate-ISFW. You will see Registration and Guest VLANs
configured.

4. Click Registration and Edit


Note: Registration VLAN is your zero-trust VLAN. Any device that connects to the network automatically gets tagged with
Registration VLAN ID 198 and isolated from the rest of the network.

5. Scroll down to DHCP Server configuration


Note: Registration VLAN on FortiSwitch is set to relay all incoming DHCP requests to FortiNAC’s layer 3 Registration
interface (Eth1) IP address 192.168.200.10

Device Model Configuration for Enforcement of Access Control

1. From the web browser, access FortiNAC using the web console.

2. Click Network > Inventory

3. Expand the Security Devices container

4. Click FGT-ISFW > Virtualized Devices

5. Click root > Model Configuration

6. Under the Logical Network Configuration section, click +Create New and use the following information:
Logical Network: Guest (Choose from the drop-down list)
VLAN ID: 195 (Choose from the drop-down list)
Note: Any guest device that successfully registers to the network will be assigned VLAN ID 195.

7. Click OK

8. Under Logical Network Configuration, choose Registration and click Edit

9. Use the following information:


Network Access: Enforce
VLAN ID: 198
Note: Registration VLAN is a zero-trust network. Any device that connects to the network automatically gets tagged
with VLAN ID 198, isolating the device from the rest of the network.

10. Click OK

11. Click OK

Enforcing Access Control

1. Click System > Groups


Note: Click the main System tab and not the one for FGT-ISFW.

2. Locate and select the Forced Registration group.

3. Click Modify

4. Expand Security Devices

5. Locate FGT-ISFW and select the check box beside it to select all of its ports.

6. Click the > arrow button to move the FGT-ISFW ports to the Selected Members list.

7. Click OK

8. In the System > Groups, locate and select Role Based Access group.

9. Click Modify

10. Expand Security Devices

11. Locate FGT-ISFW and select the check box beside it.

12. Click the > arrow button to move the FGT-ISFW ports to the Selected Members list.

13. Click OK
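How the objects from sections 3.2 to 3.4 fit together, as an added example that is not from the lab guide or from FortiNAC: a Python walk-through that resolves the VLAN for an endpoint on FGT-ISFW from the user/host profile, the network access policy, the Logical Network to VLAN mapping in the device model, and the Forced Registration and Role Based Access port groups. The port names and MACs are constructed, and the assumed semantics that ports outside those two groups are left untouched by FortiNAC and that policies are tried in rank order are mine, not a statement of the product's behaviour.

```python
# Added example (not FortiNAC code): VLAN resolution from the lab's policy objects.
from __future__ import annotations
from dataclasses import dataclass

# Device model configuration of FGT-ISFW from this exercise: Logical Network -> VLAN ID.
FGT_ISFW_MODEL = {"Registration": 198, "Guest": 195}

# Ports added to the two system groups in "Enforcing Access Control". The port
# names are constructed; the lab adds every FGT-ISFW port to both groups.
FGT_ISFW_PORTS = {f"FGT-ISFW:port{n}" for n in range(1, 9)}
FORCED_REGISTRATION = set(FGT_ISFW_PORTS)
ROLE_BASED_ACCESS = set(FGT_ISFW_PORTS)


@dataclass
class Endpoint:
    mac: str
    port: str
    registered: bool = False
    host_role: str | None = None   # role on the host record
    user_role: str | None = None   # role on the logged-in user, if any


@dataclass
class UserHostProfile:
    """Who/What attributes are 'Satisfy Any': a host role OR a user role in roles."""
    name: str
    roles: frozenset

    def matches(self, ep: Endpoint) -> bool:
        return ep.host_role in self.roles or ep.user_role in self.roles


@dataclass
class NetworkAccessPolicy:
    name: str
    profile: UserHostProfile
    logical_network: str           # from the Network Access Configuration


GUEST_PROFILE = UserHostProfile("Self Registered Guest Users",
                                frozenset({"GuestSelfRegistration"}))
POLICIES = [NetworkAccessPolicy("Restricted Guest Access", GUEST_PROFILE, "Guest")]


def resolve_vlan(ep: Endpoint, policies=POLICIES, model=FGT_ISFW_MODEL,
                 forced_reg=FORCED_REGISTRATION, rba=ROLE_BASED_ACCESS):
    """Return (vlan_id, reason). A vlan_id of None means the example leaves the port on
    the switch's own default VLAN (assumed behaviour for ports outside the groups)."""
    if not ep.registered:
        if ep.port in forced_reg:
            return model["Registration"], "unregistered host on a Forced Registration port"
        return None, "unregistered host, port not in Forced Registration: not enforced"
    if ep.port not in rba:
        return None, "registered host, port not in Role Based Access: no policy applied"
    # Assumption: policies are tried in rank order and the first matching profile wins.
    for policy in policies:
        if policy.profile.matches(ep):
            return model[policy.logical_network], f"policy {policy.name!r} -> {policy.logical_network}"
    return None, "registered host matched no network access policy"


def walk_through():
    """Constructed endpoint following Bob's on-boarding in sections 3.5 and 3.6."""
    bob = Endpoint("00:0c:29:aa:bb:01", "FGT-ISFW:port3")   # fresh connection, rogue
    before = resolve_vlan(bob)                               # expected: Registration, 198
    bob.registered = True                                    # self-registered via the portal
    bob.host_role = "GuestSelfRegistration"                  # role from the Guest Users template
    after = resolve_vlan(bob)                                # expected: Guest, 195
    return before, after


if __name__ == "__main__":
    for vlan, why in walk_through():
        print(vlan, why)
```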

3.5. Request Access

On-boarding a Guest Device

1. From the Lab Activity: FortiNAC tab, access Bob's machine via the RDP option using the following credentials
Username: bob Password: Fortinet1!

2. Open Network & Sharing Center > Guest > Properties > IPv4 > Properties > Obtain IPv4 Address
automatically > Obtain DNS server address automatically.
Note: Close the browser in case an automatic Chrome browser tab pops up. You will have to right-click to see
"Open Network & Sharing Center".

3. Click OK > OK > Close

4. Open Command Prompt from Desktop and type ipconfig


Note: FortiNAC serves as the DHCP and DNS server for a device that connects to the network. Windows Guest machines
get an IP address in the Registration VLAN 198 subnet. If you don’t see the same IP configuration as shown in the
screenshot below, open Network settings, right-click > Disable > Enable the Guest network adapter.

5. Open Chrome browser from the Desktop and click CNN browser bookmark.
Note: Ignore the certificate warning. Click Advanced and proceed to the website. A captive portal should be presented by
FortiNAC

6. Click Guest Self Registration

7. Use the following information to fill in the details:

First Name: Bob
Last Name: Smith
Email: [email protected]
Person Visiting: Alice

8. Click Request Guest Access


Note: A random password will be generated to provide guest access to the machine.

9. Click Login

10. Clicking Login starts the FortiNAC Dissolvable Agent download. Allow the download by clicking Keep the file.

3.6. Verify Access Control

Verify Access Control

1. Once the agent downloads, click to open FortiNAC Dissolvable Agent.exe.
Note: Click Yes to allow the app to make changes.

2. If the error ‘Unable to obtain configuration from server’ pops up, enter the server
address http://192.168.200.10 and click Next.
Note: This can occur because of limitations of the lab environment. In a typical field deployment this is a seamless
experience, with the configuration downloaded automatically from FortiNAC.

3. A Dissolvable Agent insecure connection warning pop-up appears. Click Yes

4. Click Register
Note: FortiNAC Dissolvable Agent will run a quick compliance check scan in the background to verify the running
operating system and antivirus software on the guest machine based on the Endpoint Compliance policy configured
earlier.

5. Click Finish

6. Open Command Prompt from Desktop and type ipconfig


Note: Wait for a few minutes. The Windows machine should get an IP address of 172.16.195.100. This implies that the
Windows Guest machine has been successfully moved from the Registration VLAN (172.16.198.x) to the Guest VLAN
(172.16.195.x)

7. Once the Windows device has an IP address 172.16.195.100, open the web browser and try accessing the CNN browser
bookmark.
Note: The device should have Internet access now; this means the device has been successfully on-boarded to the
network.

8. From the web browser, access FortiNAC using the web console.

9. Click Users & Hosts > Hosts

10. In the Search field bar, enter 172.16.195.10


Note: As FortiNAC polls the FortiGate-ISFW automatically every few minutes, you might not see the host listed here yet. In
that case, continue with the next lab objective or use case and come back at a later time to check again.

11. Right-click on the Windows host and click Policy Details


Note: You will find the matching Network Access policy, User/Host Profile, VLAN, and Endpoint Compliance information.

3.1. Security Fabric & Tags

Introduction

Outdated endpoint access security solutions leave mobile and Internet of Things (IoT) devices vulnerable to targeted attacks
that can put the entire network at risk.

To protect valuable data, organizations need next-generation network access control (NAC).

As part of the Fortinet Security Fabric, FortiNAC provides comprehensive device visibility, enforces dynamic controls, and
orchestrates automated threat responses that reduce containment time from days to seconds. It enables policy-based
network segmentation for controlling access to sensitive information.

In this lab use case, you integrate FortiNAC into Security Fabric, create firewall tags and FSSO Security Fabric connector to
automatically associate tags to devices/hosts, and pass them to FortiGate to enforce firewall policies utilizing FSSO groups.

3.1.1. Creating Firewall Tags, FSSO Configuration, and Logical Networks

Background

In this exercise, you create a firewall tag, enable FSSO settings, and configure logical networks with the firewall tags.

Tasks

Create Firewall Tags for Contractors

1. From the web browser, access FortiNAC using the web console.

2. Click System > Settings.

3. Expand System Communication.

4. Click Firewall Tags and click Add.

5. Set Tag Name to Contractor-Tag

6. Click OK.

Enable FSSO Settings

1. Click Fortinet FSSO Settings.

2. Turn on Enable FSSO Communication.

3. Leave the Port at the default value of 8000.

4. Set the Password to Fortinet1!

5. Confirm Password Fortinet1!

6. Click OK.

7. Click Save Settings.

8. Click OK.

Configure Network Access Policy for Contractors

1. Click Policy & Objects

2. Click Network Access

3. Click +Create New

4. Enter Name Contractor Policy

5. In the Configuration drop-down, click +Create

6. In the Create Network Access Configuration window, set Name to Contractor Network.

7. For Logical Network, click + Create

8. Set Name to Contractor and click OK

9. Select Logical Network as Contractor

10. Click OK

11. Beside Configuration, click and choose Contractor Network

12. For User/Host Profile, choose Contractor from the drop-down list.
Note: The user/host profile Contractor was pre-configured.

13. Click OK on the Create Network Access Policy window.

Assign Contractor-Tag to Logical Network

1. Click Network > Inventory

2. Expand Security Devices > click FGT-Edge

3. Click Virtualized Devices

4. Select root VDOM.

5. Click Model Configuration


Note: Ignore the warning ‘No VLANs have been read from the device’ by clicking OK

6. Under Logical Network Configuration, click + Create New and use the following information:
Logical Network: Contractor
Network Access: Deny
Firewall Tags: Click + and enter Contractor-Tag

7. Click OK

8. Click OK

Question

Out of the following, what enables FortiNAC to automatically pass device and host tags to FortiGate and enforce firewall
policies utilizing FSSO groups?

Stop and Think

Security Fabric Connector integration

MDM device integration

FortiGate device profiling rule

3.1.2. Integrating FortiNAC into Security Fabric, Configuring FSSO and Firewall Policy on FortiGate

Background

In this exercise, you configure the following on a FortiGate: Security Fabric devices, FSSO fabric connector, FSSO groups, and
an FSSO user group firewall policy.

Tasks

Integrating FortiNAC into the Security Fabric

1. From the Lab Activity: FortiNAC tab, access FortiNAC via the HTTPS option using the following credentials:
Username: admin Password: Fortinet1!

2. Click Network > Service Connectors > +Create New

3. Under the Syslog/Messaging section, click Security Fabric Connection

4. Use the following information:


IP: 192.168.0.101
Port: 8013

5. Click OK

Authorize FortiNAC on FGT-Edge

1. From the Lab Activity: FortiNAC tab, access FGT-Edge via the HTTPS option using the following credentials:
Username: admin Password: Fortinet1!

2. At the top-right corner, click the bell icon notification.

3. Click FortiNAC

4. Click Authorize

5. Click Security Fabric > Physical Topology

6. At the bottom left corner, Click Update Now

7. Move the mouse cursor over the newly added FortiNAC device to take a look at the Type, IP Address, Hostname, and
Status
Note: The screenshot below might be different from the actual lab.

Configure FortiNAC SSO Fabric Connector

1. Click Security Fabric > External Connectors

2. Under the Endpoint/Identity section, click FSSO Agent on Windows AD

3. Enter the following details:


Name: FSSO
Primary FSSO Agent: 192.168.0.127
Password: Fortinet1!

4. Click Apply & Refresh


Note: Firewall Tags/Groups from FortiNAC are imported into the FortiGate as Users/Groups

5. Click OK

Configure FSSO User Group

1. Click User & Authentication > User Groups and click Create New.

2. Enter the following details:


Name: Contractors
Type: Fortinet Single Sign-On (FSSO)
Members: CONTRACTOR-TAG
Note: FortiGate successfully pulled in user groups and firewall tags on FortiNAC via the Fabric Connector.

3. Click OK.

Apply the FSSO User Group to an IPv4 Policy

1. Click Policy & Objects > Firewall Policy

2. Expand Internal Network (port 2) -> ISP (port 6), select the Contractors IPv4 policy, and click Edit

3. Click Source, then click the User tab and select the Contractors user group.

4. Make sure the Web Filter is set to No_Social_Media

5. Click OK.

Question

Which components of the FortiGate and FortiNAC can be used to configure dynamic policies based on FortiNAC profiling?
(Select all that apply)

Stop and Think

Firewall tags

Firewall groups

Identity-based policies

FSSO

3.1.3. Registering a Contractor Device

Background

You will now register the Windows (Alice) machine as a contractor device and verify the FSSO tag and user group that
FortiGate pulled in from FortiNAC and assigned to the host.

Tasks

1. From the web browser, access FortiNAC using the web console.

2. Click Users & Hosts > Hosts

3. In the search field, enter *93 and press Enter to display the Windows (Alice) client.

4. Select the host and right-click.

5. Click Register as Device.

6. Set Device Type to Registered Host

7. Select Contractor from the Role drop-down list.


Note: In a real deployment, the contractor would register the device through the captive portal; for this lab, you register
the device manually.

8. Click OK. The Host Role changes to Contractor and Status to Registered Host.

Verify Logon Event on FortiGate-Edge

1. From the web browser, access FortiGate-Edge using the web console.

2. Click Dashboard > Users & Devices

3. Click the Firewall Users widget to expand it.

4. Click Show all FSSO Logons. If you do not see an FSSO logged-on user entry, click the Refresh icon. Verify the User
Name (MAC address) and the User Group.

Test the FSSO User Group Firewall Policy

1. From the Lab Activity: FortiNAC tab, access Alice's machine via the RDP option using the following credentials:
Username: alice Password: Fortinet1!

2. Open the web browser and try to visit Facebook using the browser bookmark, or visit any social media website.

3. The FortiGate blocks access to all social media and the browser displays a FortiGuard block page. On the block page, take
a look at the Group Name
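The chain this use case wires together, traced in code as an added example (constructed for this guide, not the lab's or Fortinet's code): a registered contractor host maps through the Contractor network access policy to the Contractor logical network, whose Contractor-Tag is sent over FSSO and resolved on the FortiGate to the Contractors user group, which the Contractors firewall policy and its No_Social_Media web filter then act on. The MAC address, the catch-all policy, and the category set behind No_Social_Media are assumptions made for the example.

```python
"""Constructed model of the FortiNAC -> FSSO -> FortiGate chain built in 3.1.

Added example, not Fortinet code: the objects mirror what the lab configures
(firewall tag on a logical network, FSSO group on the FortiGate, identity-based
firewall policy with a web filter) so one request can be traced end to end.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# FortiNAC model configuration on FGT-Edge (3.1.1): logical network -> firewall tags.
LOGICAL_NETWORK_TAGS: Dict[str, List[str]] = {"Contractor": ["Contractor-Tag"]}

# FortiNAC network access policy (3.1.1): user/host profile -> logical network.
PROFILE_TO_LOGICAL_NETWORK: Dict[str, str] = {"Contractor": "Contractor"}

# FortiGate FSSO user group (3.1.2): group name -> imported tag members.
FSSO_USER_GROUPS: Dict[str, Set[str]] = {"Contractors": {"CONTRACTOR-TAG"}}

# Constructed web filter profile: the lab only names No_Social_Media, so the
# blocked category set here is an assumption for the example.
WEBFILTER_BLOCKED: Dict[str, Set[str]] = {"No_Social_Media": {"Social Networking"}}


@dataclass
class Host:
    mac: str
    role: str
    status: str = "Rogue"  # "Registered Host" after Register as Device (3.1.3)


@dataclass
class Policy:
    name: str
    src_user_groups: Set[str]  # empty set = no identity requirement
    webfilter: Optional[str] = None


# Constructed policy table; first match wins, as on a FortiGate.
POLICIES: List[Policy] = [
    Policy("Contractors", {"Contractors"}, "No_Social_Media"),
    Policy("Internal-to-ISP", set()),  # assumed catch-all with no web filter
]


def fsso_logon_for(host: Host) -> Optional[dict]:
    """FSSO logon record FortiNAC pushes for a host, or None if nothing is sent.

    FortiGate displays the MAC as the user name and the tag as the group;
    upper-casing the tag mirrors the CONTRACTOR-TAG member name seen in 3.1.2.
    """
    if host.status != "Registered Host":
        return None
    logical = PROFILE_TO_LOGICAL_NETWORK.get(host.role)
    if logical is None:
        return None
    return {"user": host.mac,
            "groups": [t.upper() for t in LOGICAL_NETWORK_TAGS.get(logical, [])]}


def fortigate_groups(logon: Optional[dict]) -> Set[str]:
    """FSSO user groups that the logon's tag members resolve to on the FortiGate."""
    if logon is None:
        return set()
    return {name for name, members in FSSO_USER_GROUPS.items()
            if members & set(logon["groups"])}


def evaluate(host: Host, url_category: str) -> dict:
    """Trace one request: policy lookup by identity, then the web filter check."""
    groups = fortigate_groups(fsso_logon_for(host))
    for pol in POLICIES:
        matched = pol.src_user_groups & groups
        if pol.src_user_groups and not matched:
            continue  # identity policy and the host is in none of its groups
        blocked = WEBFILTER_BLOCKED.get(pol.webfilter or "", set())
        verdict = "blocked" if url_category in blocked else "allow"
        # "group" is what the FortiGuard block page shows as Group Name.
        return {"policy": pol.name, "verdict": verdict,
                "group": next(iter(sorted(matched)), None)}
    return {"policy": None, "verdict": "deny", "group": None}


if __name__ == "__main__":
    alice = Host("00:0c:29:aa:bb:93", "Contractor", "Registered Host")  # constructed MAC
    print(fsso_logon_for(alice))
    print(evaluate(alice, "Social Networking"))
```

Registering the host is what makes the difference: an unregistered host produces no FSSO logon, falls through to the catch-all policy, and is not subject to the No_Social_Media profile, which is exactly why the lab checks the FSSO logon list on FGT-Edge before testing the block page.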

4. Response

Introduction

FortiNAC continuously watches the network and has extensive automation capabilities, so that when a triggering event is
observed, FortiNAC can take action in seconds.

For networks without automation, such triggers are often sent as alarms to the SOC, where a manual review is required
before action can be taken.

The delay before taking network action is minutes at best, and more frequently it is days or even months.

FortiNAC has extensive third-party support including vendors of firewalls, switches, wireless access points, authentication
servers, and endpoint security.

This extensive third-party support enables FortiNAC to restrict or quarantine devices that are behaving badly.

In this lab objective, you configure FortiGate integration allowing FortiNAC to automatically mark a host as at-risk.

Time to Complete

Estimated: 10 minutes

4.1. Creating Automated Responses for Rapid Threat Mitigation

Background

In this exercise, you configure FortiGate integration allowing FortiNAC to receive input and automatically mark a host as at-
risk and generate notifications to administrators.

Tasks

Configure the FortiNAC to Process Input from a FortiGate

1. From the web browser, access FortiNAC using the web console.

2. Click Network > Inventory

3. Expand Security Devices and select FortiGate-Edge

4. Select the Element tab.

5. From the right of the Incoming Events, select Security Events. Select FortiOS5 in the drop-down menu
Note: You use FortiOS5 for devices running FortiOS 5.0 and later.

6. Click Save.

Create Security Rules for Security Events and Alarm Generation

1. Click Logs > Security Incidents

2. Click the Rules tab at the top right corner.

3. Click Add.

4. Turn on Rule Enabled and set Name to FortiGate Security Risk.

5. To the right of the Trigger, click Add Security Trigger.

6. Set Name to FortiGate Security Risk Trigger. Leave the Time Limit set to 1 second and the Filter Match set
to All.

7. In the Security Filters section, click Add.

8. Turn on Vendor and enter Fortinet

9. In the Custom Fields section, click Add and use the following information:
Name: SERVICE
Value: Security Risk

10. Click OK

11. Click OK on the Add Security Filter window.

12. Click OK on the Add Security Trigger window.

13. Leave the User/Host Profile set to None.

14. Use the Action drop-down list and select Automatic.

15. Click Add Security Action.

16. Set Name to Response for FortiGate Security Risk.

17. Leave On Activity Failure set to Continue Running Activities and make sure the Perform Secondary Task(s) After
is turned off.

18. In the Activities section, click Add.

19. From the Activity drop-down list, select Send Alarm to External Log Hosts and click OK.

20. To add a second activity, click Add and select Disable Host from the drop-down list. Leave Secondary Task turned off
and click OK

21. Turn on Send Email when Rule is Matched. Use the Admin Group drop-down list and select All Management Group.

22. Click OK.
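The rule just built, as an added example in code (constructed for this guide, not FortiNAC's own implementation): a security trigger holding one security filter (Vendor Fortinet, custom field SERVICE = Security Risk), Filter Match All, a 1-second Time Limit, and an automatic action that sends an alarm to external log hosts, disables the host, and e-mails the All Management Group. The sample events, their MAC addresses, and the way the time window is anchored to the newest event are assumptions made for the example.

```python
"""Constructed model of the FortiGate Security Risk rule built in 4.1.

Added example, not Fortinet code: it mirrors the rule's parts (security filter,
trigger with Filter Match and Time Limit, automatic action) and runs them over
sample events so the match logic and resulting actions can be checked offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecurityEvent:
    timestamp: float            # seconds, constructed
    vendor: str
    source_mac: str
    fields: Dict[str, str]      # parsed custom fields such as SERVICE


@dataclass
class SecurityFilter:
    vendor: Optional[str] = None
    custom_fields: Dict[str, str] = field(default_factory=dict)

    def matches(self, ev: SecurityEvent) -> bool:
        if self.vendor is not None and ev.vendor != self.vendor:
            return False
        return all(ev.fields.get(k) == v for k, v in self.custom_fields.items())


@dataclass
class SecurityTrigger:
    name: str
    filters: List[SecurityFilter]
    time_limit: float = 1.0      # seconds
    filter_match: str = "All"    # "All" or "Any"

    def fires(self, events: List[SecurityEvent]) -> bool:
        """True when one host's events inside the window satisfy the filters.

        Modelling assumption: the window ends at the newest event for the host.
        """
        if not events:
            return False
        newest = max(e.timestamp for e in events)
        recent = [e for e in events if newest - e.timestamp <= self.time_limit]
        hits = [any(f.matches(e) for e in recent) for f in self.filters]
        return all(hits) if self.filter_match == "All" else any(hits)


@dataclass
class SecurityRule:
    name: str
    trigger: SecurityTrigger
    activities: List[str]
    email_admin_group: Optional[str] = None
    enabled: bool = True


def evaluate_rule(rule: SecurityRule,
                  events_by_host: Dict[str, List[SecurityEvent]]) -> Dict[str, List[str]]:
    """Return the activities taken, keyed by host MAC, for hosts that fire the trigger."""
    taken: Dict[str, List[str]] = {}
    if not rule.enabled:
        return taken
    for mac, events in events_by_host.items():
        if rule.trigger.fires(events):
            actions = list(rule.activities)
            if rule.email_admin_group:
                actions.append(f"Send Email:{rule.email_admin_group}")
            taken[mac] = actions
    return taken


def lab_rule() -> SecurityRule:
    """The rule exactly as the exercise configures it."""
    trigger = SecurityTrigger(
        "FortiGate Security Risk Trigger",
        [SecurityFilter(vendor="Fortinet", custom_fields={"SERVICE": "Security Risk"})],
        time_limit=1.0, filter_match="All")
    return SecurityRule("FortiGate Security Risk", trigger,
                        ["Send Alarm to External Log Hosts", "Disable Host"],
                        email_admin_group="All Management Group")


def sample_events() -> Dict[str, List[SecurityEvent]]:
    """Constructed events keyed by host MAC; only the first host should match."""
    return {
        "00:0c:29:aa:bb:93": [  # Alice's client hitting the Security Risk bookmark (4.2)
            SecurityEvent(100.0, "Fortinet", "00:0c:29:aa:bb:93", {"SERVICE": "Security Risk"})],
        "00:0c:29:aa:bb:94": [  # Fortinet event, but ordinary traffic
            SecurityEvent(100.2, "Fortinet", "00:0c:29:aa:bb:94", {"SERVICE": "HTTP"})],
        "00:0c:29:aa:bb:95": [  # right custom field, wrong vendor
            SecurityEvent(100.5, "OtherVendor", "00:0c:29:aa:bb:95", {"SERVICE": "Security Risk"})],
    }


def run_lab_example() -> Dict[str, List[str]]:
    return evaluate_rule(lab_rule(), sample_events())
```

Both filter conditions have to hold on the same event for the rule to fire, which is what keeps a Security Risk event from a non-Fortinet source, or ordinary Fortinet traffic, from disabling a host; the e-mail is sent only because Send Email when Rule is Matched is turned on for the admin group.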

Question

To integrate FortiNAC with other security devices, the FortiNAC must model the other device in the topology view and have a
security rule.

What security rule component determines a rule match? (Select all that apply)

Stop and Think

A user/host profile

A security event parser

A security trigger

4.2. Validating Security Events, Alarms and Actions

Tasks

Validate Security Events, Alarms and Actions

1. Click Logs > Security Incidents > Events.

2. Under Filter, set Event Date to show events generated in the Last 5 minutes. Click Update. The FortiNAC shows no
events.

3. From the Lab Activity: FortiNAC tab, access the Alice machine using the RDP option.

4. Open Google Chrome and click the Security Risk browser bookmark.

5. From the web browser, access FortiNAC using the web console.

6. Take a look at the security Events view. The FortiNAC now shows events.

7. Click Logs > Security Incidents > Alarms and click Update

8. Locate and select a security alarm that lists a date/time in the Action Taken Date column.

9. View the entry in the Events tab at the bottom and select the Actions Taken tab to validate that FortiNAC applied the
right action.

10. Click Users & Hosts > Adapters.

11. In the Search field, enter *93 (the last two characters of the MAC address noted in the security event) and press Enter.
The host record has an X through it in the Status column, indicating the host is disabled.

Note: FortiNAC controls access at the point of connection. Since this particular lab objective is not using an actual real
switch, it is not possible to take action and remove the Windows client from the network. This is a limitation on the hosted
cloud environment of the lab and not of the product itself.

5. Conclusion

This concludes the Fast Track Workshop lab activity. We hope you found the information provided useful and the user
experience compelling.

After completing this Fast Track module, you should now:

1. Understand the benefits of FortiNAC.

2. Be able to configure and leverage network visibility, control, and response capabilities of FortiNAC in your environment.

3. Extend these new skills to other Fortinet solutions.

5.1. Continued Education

Now that you've completed the Securely Embrace the IoT Revolution with NAC workshop, here are a few additional
resources and next steps.

For continued learning about the FortiNAC product utilized in this workshop, please consider looking at the following NSE
training courses:

FCP Network Security certification including the following courses:

NSE 6: FortiNAC 7.2

Additional resources and tools can be found at the following locations:

Docs - FortiNAC-F 7.2

Docs - FortiNAC-F 7.4

Ask your instructor for more information about the following Fast Track workshops:

What’s New in FortiOS?

Cybersecurity for Safe, Reliable, Secure Industrial Control Systems (ICS)
