Overview

This document provides the steps necessary for installing FortiNAC appliance(s). It is intended to be used in conjunction with the FortiNAC Deployment Guide in the Fortinet Document Library. This installation guide is the first step in the deployment.

Virtual Appliance (VM) Part Numbers

| Part Number | Description |
|-------------|-------------|
| FNC-MX-VM | Control Manager |
| FNC-CAX-VM | Control and Application Server (CA) |

Requirements

  • VMware

    • The VM Guest is built with Virtual Hardware Version 7. This makes the guest compatible with ESXi 4.x and above.

    • Deployment of the OVA has been tested and verified with vCenter 6.5 and above.

  • ESX Server Hardware

    • The requirements for the ESX server used to host the FortiNAC Virtual Machine will vary greatly depending on many different factors. Factors include:

      • The number of other Virtual Machines that are running on the same server

      • The load those VMs place on the server

      • The number of devices, hosts and users on your network that are to be managed by FortiNAC

    • Note: vSphere Fault Tolerance is not supported as a High Availability solution. Refer to the “Performance Best Practices for VMware vSphere” document on the VMware web site for additional information.

  • Virtual appliance specifications and resource sizing values have been determined. See section Appliance Installation of the Deployment Guide for details.

    • The current OVA provided by Fortinet is built using VM Virtual Machine Hardware Version 7 for OVA compatibility with ESXi 4.x and later. VM Virtual Machine Hardware Version 7 restricts the number of vCPUs to 8.

      If the host machine is running ESXi 5.x or later on robust hardware, then the VM Virtual Machine Hardware Version can be upgraded. Once upgraded, the number of vCPUs can be increased. Refer to the following article for more information (note that the article is not controlled by Fortinet and may have changed):

      Upgrading a virtual machine to the latest hardware version (multiple versions) (1010675)

      https://kb.vmware.com/s/article/1010675

  • Adapters

    • The recommended adapter type is VMXNET 3 (default). Note the following:

      • Older VMs used E1000 as the pre-set adapter type. The recommended type is VMXNET 3.

      • All adapters on the VM should be set to the same adapter type (e.g., eth0 and eth1 both set to VMXNET 3). Otherwise, unexpected behavior may occur.

    • Important: License key is created based upon eth0 MAC address and UUID. If either component no longer matches the license key, the key will no longer be valid and management processes will not start. Therefore:

      • Ensure MAC address is set statically.

      • If deleting and re-adding or modifying Network Adapter 1 (eth0) on an existing FortiNAC VM with license key, configure the same MAC address used by the adapter previously.

      • If a new key is needed, contact Fortinet Customer Service for assistance.

      • Network Adapter 2 (eth1) can be deleted and re-added without affecting the license key.
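
The adapter requirements above can be checked against a VM's .vmx file before power-on. The following is an added example, not Fortinet code: it assumes that `ethernet0` in the .vmx corresponds to Network Adapter 1 (eth0), and the sample .vmx text and the function names are constructed for illustration.

```python
import re

# Constructed sample .vmx fragment (not from a real appliance).
SAMPLE_VMX = """
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:aa:bb:01"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet1.addressType = "generated"
ethernet1.generatedAddress = "00:0c:29:aa:bb:02"
"""

SETTING = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"(.*)"\s*$')

def parse_adapters(vmx_text):
    """Return {index: {key: value}} for each present ethernetN adapter."""
    adapters = {}
    for line in vmx_text.splitlines():
        m = SETTING.match(line)
        if m:
            adapters.setdefault(int(m.group(1)), {})[m.group(2).lower()] = m.group(3)
    return {i: a for i, a in adapters.items()
            if a.get("present", "").upper() == "TRUE"}

def check_adapters(vmx_text, licensed_mac=None):
    """Return findings as strings; an empty list means every check passed."""
    adapters = parse_adapters(vmx_text)
    findings = []
    types = {i: a.get("virtualdev", "unspecified").lower() for i, a in adapters.items()}
    if len(set(types.values())) > 1:
        findings.append(f"mixed adapter types: {types}")
    eth0 = adapters.get(0)  # assumption: ethernet0 is Network Adapter 1 (eth0)
    if eth0 is None:
        findings.append("ethernet0 (eth0) is missing")
        return findings
    if eth0.get("addresstype", "").lower() != "static":
        findings.append("eth0 MAC is not static; the license binding can break")
    mac = eth0.get("address", "").lower()
    if licensed_mac and mac != licensed_mac.lower():
        findings.append(f"eth0 MAC {mac or 'unset'} differs from licensed {licensed_mac}")
    return findings

if __name__ == "__main__":
    for finding in check_adapters(SAMPLE_VMX):
        print("FINDING:", finding)
```

Pass the MAC address recorded when the license key was issued as `licensed_mac` to catch a re-added Network Adapter 1 that came back with a different address.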

Considerations

In versions 7.x and greater, FortiNAC doesn't have any ports open by default. In previous versions, this was not the case. As features are configured, ports must also be added to the allowaccess list in order for the feature to work.

Operating System and Open Ports

The FortiNAC software runs on top of the FortiNAC-OS operating system. For security purposes, FortiNAC-OS does not have any open (listening) TCP/UDP ports configured by default. Access must be configured using the "set allowaccess" command via the appliance CLI. The ports that must be enabled depend upon the features required.

The best practice is to keep the number of open ports to a minimum, and block all other ports. If there is a need to provide users access to network resources through a static port (e.g., from outside a firewall), the best option is to allow users to connect by VPN. For details, see Open Ports in the FortiNAC Administration Guide.
