7.2.0
Overview

This document provides the steps necessary for installing FortiNAC appliance(s). It is intended to be used in conjunction with the FortiNAC Deployment Guide in the Fortinet Document Library.

For simplicity, this document only discusses the deployment of a FortiNAC virtual appliance with a direct connection to the internet. Other deployment scenarios are possible and more secure. Using a virtual network with a VPN gateway is the preferred deployment. However, those deployments are more involved and beyond the scope of this document.

Note: A gateway is required if Azure appliances will be deployed in a High Availability configuration.

Virtual Appliance (VM) Part Numbers

  Part Number    Description
  FNC-MX-VM      Control Manager
  FNC-CAX-VM     Control and Application Server (CA)

Requirements

  • Virtual appliance settings will vary depending on the underlying hardware being used for the hosting server. The ideal result is to yield a virtual environment where the average load does not exceed the Total GHz Rating of CPU Resources Allocated.

    • Determine the appropriate parameters for the virtual environment. It is recommended they be comparable to those of hardware-based FortiNAC appliances. Refer to the following tables in the FortiNAC Data Sheet:

      • Hardware Server Sizing - Hardware server part number most appropriate for the target environment

      • Specifications - Details regarding the applicable part number

      • VM Server Resource Sizing - Suggested values for memory and CPU to allocate for the virtual appliance

    See also https://docs.microsoft.com/en-us/azure/virtual-machines/sizes

  • Valid Azure account

  • A Linux computer to prepare and upload the FortiNAC image for Azure. Two sets of commands are referenced in this document: the operating system command line and the Azure CLI. Operating system command line syntax is based on a computer running Linux; Windows syntax is not provided. The following must be installed on the Linux computer:

    • Azure CLI standalone client. The Azure CLI commands in this document are based on Azure CLI version 2.29.1. Exact syntax may vary.

    • Qemu (version 2.2.0 or lower, or 2.6 or higher)

    • AzCopy. Refer to the following link for installing Azure CLI and working with azcopy: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli

    • Gawk

    • Sufficient hard drive space (200GB+) available for a fully expanded FortiNAC image

  • Either a public or private IP address can be used. If a private IP address is used, a secure and private topology with FortiNAC is required. Related links:

    Site to Site VPN Gateways

    https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

    Creating a Virtual Network using a FortiGate Azure IPSEC connection

    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/255100/ipsec-vpn-to-azure

  • port2 isolation-related configurations

  • High Availability Configurations

    The Gateway IP address defined in the High Availability configuration must be able to respond to PING requests. Since Azure’s native gateway does not support ICMP, another IP address must be used. For details, see section Determine Gateway IP Addresses in High Availability - FortiNAC OS.

    • A gateway is required.

    • A shared/Virtual IP (VIP) cannot be configured in Azure.
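Added as an illustration of the prep-host requirements above (an added example, not a Fortinet script): a POSIX shell preflight that checks for az, qemu-img, AzCopy and gawk, enforces the Qemu version gap (2.2.0 or lower, or 2.6 or higher) and the 200GB+ free space, and returns non-zero so an upload pipeline can fail closed. It assumes qemu-img is the Qemu tool used to convert the image and that WORK_DIR (default: current directory) is where the expanded image is written.

```shell
#!/bin/sh
# Preflight check for the Linux host that prepares and uploads the FortiNAC
# image. Added example, not a Fortinet script. Assumes qemu-img is the qemu
# tool used for the conversion and that the expanded image goes under WORK_DIR.
MIN_FREE_GB=200
WORK_DIR="${WORK_DIR:-$PWD}"

# Returns 0 when a qemu version is allowed by this guide: 2.2.0 or lower, or
# 2.6 or higher. 2.2.1 through 2.5.x and unparsable strings are rejected.
qemu_version_ok() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$1" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    patch=${patch:-0}
    case "$major$minor$patch" in *[!0-9]*) return 1 ;; esac
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ "$major" -ne 2 ] && return 0   # 1.x is below 2.2.0, 3.x+ is above 2.6
    [ "$minor" -ge 6 ] && return 0
    [ "$minor" -lt 2 ] && return 0
    [ "$minor" -eq 2 ] && [ "$patch" -eq 0 ] && return 0
    return 1
}

# Returns 0 when a required tool is on PATH.
have_tool() { command -v "$1" >/dev/null 2>&1; }

# Free space, in whole GB, on the filesystem holding the given path.
free_gb() { df -P -k "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'; }

# Runs the checks from the Requirements list; non-zero status on any failure
# so it can gate the next step, e.g.: preflight && ./convert_and_upload.sh
preflight() {
    rc=0
    for t in az qemu-img azcopy gawk; do
        have_tool "$t" && echo "ok: $t found" || { echo "MISSING: $t"; rc=1; }
    done
    if have_tool qemu-img; then
        qv=$(qemu-img --version | awk 'NR == 1 { print $3 }')
        qemu_version_ok "$qv" && echo "ok: qemu $qv" ||
            { echo "FAIL: qemu $qv is in the unsupported 2.2.1-2.5.x range"; rc=1; }
    fi
    # This guide was written against Azure CLI 2.29.1; show what is installed.
    have_tool az && echo "info: $(az --version 2>/dev/null | head -n 1)"
    fg=$(free_gb "$WORK_DIR")
    [ "${fg:-0}" -ge "$MIN_FREE_GB" ] && echo "ok: ${fg}GB free under $WORK_DIR" ||
        { echo "FAIL: ${fg:-?}GB free under $WORK_DIR, need ${MIN_FREE_GB}GB+"; rc=1; }
    return $rc
}
preflight || echo "preflight: this host does not meet all requirements"
```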

Considerations

  • Currently, there is no Azure Marketplace appliance/product available to quickly deploy a FortiNAC instance. Instructions are provided to create a disk image.

  • In versions 7.x and greater, FortiNAC doesn't have any ports open by default. In previous versions, this was not the case. As features are configured, ports must also be added to the allowaccess list in order for the feature to work.

Operating System and Open Ports

FortiNAC-F series appliances use the FortiNAC-OS operating system. Limited TCP/UDP ports are open by default for security purposes. This was not the case for FortiNAC appliances using the CentOS operating system.

Virtual appliances do not have any TCP/UDP ports listening by default. Opening additional ports requires the use of the "set allowaccess" command in the appliance CLI.

The configuration steps provided include opening ports for the applicable features and functions covered in this guide. As more features are configured, additional access must be enabled using the "set allowaccess" command via the appliance CLI. For details, see Open Ports in the FortiNAC Administration Guide.

The best practice is to keep the number of open ports to a minimum, and block all other ports. If there is a need to provide users access to network resources through a static port (e.g., from outside a firewall), the best option is to allow users to connect by VPN.
