Overview
This document provides the steps necessary for installing FortiNAC appliance(s). It is intended to be used in conjunction with the FortiNAC Deployment Guide in the Fortinet Document Library.
For simplicity, this document only discusses the deployment of a FortiNAC virtual appliance with a direct connection to the internet. Other deployment scenarios are possible and more secure. Using a virtual network with a VPN gateway is the preferred deployment. However, those deployments are more involved and beyond the scope of this document.
Note: A gateway is required if Azure appliances will be deployed in a High Availability configuration.
Virtual Appliance (VM) Part Numbers
| Part Number | Description |
|---|---|
| FNC-MX-VM | Control Manager |
| FNC-CAX-VM | Control and Application Server (CA) |
Requirements
- Virtual appliance specifications and resource sizing values, including memory and CPU. See the Appliance Installation section of the Deployment Guide for details. This information is required when creating the virtual machine. See also https://docs.microsoft.com/en-us/azure/virtual-machines/sizes
- Valid Azure account
- A Linux computer to prepare and upload the FortiNAC image for Azure. Two sets of commands are referenced in this document: operating system command line and Azure CLI. Operating system command line syntax in this document is based on a computer running the Linux operating system; Windows syntax is not provided. The following must be installed:
  - Azure CLI standalone client. The Azure CLI commands in this document are based on Azure CLI version 2.29.1. Exact syntax may vary.
  - Qemu (version 2.2.0 or lower, or 2.6 or higher)
  - AzCopy. Refer to the following link for installing Azure CLI and working with azcopy: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
  - Gawk
  - Sufficient hard drive space (200GB+) available for a fully expanded FortiNAC image
- Either a public or private IP address can be used. A secure and private topology with FortiNAC is required if a private IP address is used. Related links:
  - Site to Site VPN Gateways: https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
  - Creating a Virtual Network using a FortiGate Azure IPSEC connection: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/255100/ipsec-vpn-to-azure
- Eth1 isolation related configurations:
  - When creating firewall rules for the isolation network, additional Microsoft IP addresses may need to be allowed. See https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519
  - Once FortiNAC is configured, additional domains may have to be added to the Allowed Domains List in order for clients in the isolation network to function properly. For details, see Domains to Add to the Allowed Domains List in the Document Library.
Considerations
- Currently, there is no Azure Marketplace appliance/product available to quickly deploy a FortiNAC instance. Instructions are provided to create a disk image.
- In versions 7.x and greater, FortiNAC does not have any ports open by default. In previous versions, this was not the case. As features are configured, the corresponding ports must also be added to the allowaccess list in order for the feature to work.
Operating System and Open Ports
The FortiNAC software runs on top of the FortiNAC-OS operating system. For security purposes, FortiNAC-OS does not have any open (listening) TCP/UDP ports configured by default. Access must be configured using the "set allowaccess" command via the appliance CLI. The ports that must be enabled depend upon the features required.
The best practice is to keep the number of open ports to a minimum, and block all other ports. If there is a need to provide users access to network resources through a static port (e.g., from outside a firewall), the best option is to allow users to connect by VPN. For details, see Open Ports in the FortiNAC Administration Guide.
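As an added illustration (not taken from the Fortinet documentation), the following shows the shape of a minimal allowaccess configuration on the management interface, enabling only administrative access over HTTPS and SSH. The interface name port1 and the service keywords are assumptions to be checked against the Open Ports table in the Administration Guide:

```text
# Assumed FortiNAC-OS CLI structure; interface and keyword names are assumptions
config system interface
    edit port1
        # Enable only the services the deployment actually needs;
        # everything not listed here stays closed
        set allowaccess https ssh
    next
end
```

When a feature is later enabled, its service is appended to the same list rather than opening ports elsewhere, so the list remains the single record of what the appliance exposes.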