
Feature Specific Considerations

Version / Description

8.x

Upgrade path requirements:

  • Systems on version 7 must upgrade to 8.0 before upgrading to 8.1 or higher.

  • Systems on versions 8.2 or lower must upgrade to 8.3 before upgrading to 8.4 or higher.

8.x

Upgrading NAC from pre-8 versions to 8.x could break communication with agents running version 3.0 through 3.2. Hosts that have security disabled are not affected.

In newer agent versions 3.3 and greater, the communication protocol was changed from SSLv3 to TLS to address the POODLE vulnerability (CVE-2014-3566). As of Network Sentry 8.0.0, SSLv3 has been disabled completely.

Secure Agent Communication Compatibility Summary:

  • NAC 7.x: Compatible with all 3.x agents
  • NAC 8.x: Compatible with 3.3.x (and above) agents

Workaround: Re-enable SSLv3 until agents are upgraded.

  1. Navigate to Settings > Persistent Agent > Transport Configuration.
  2. Under the TLS Service Configuration panel, add SSLv3 to the TLS Protocols field.

8.3.x

For new installs and upgrades from older than 8.2, the "Default UDP" Persistent Agent Transport Configuration (UDP 4567) will initially be disabled. Agent versions 3.x and 4.x use both TCP 4568 and UDP 4567 to communicate.

Workaround: After completing upgrade, re-enable the Default UDP Transport Configuration to allow FortiNAC to communicate to agents running pre-5.x versions.

  1. In the Admin UI, navigate to Settings > Persistent Agent > Transport Configuration.
  2. Under Packet Transport Configurations panel, click Add.
  3. Fill in the fields with the values below:

    Name: Default UDP

    Bind to Address: (leave blank)

    Port: 4567

    Maximum Incoming Packets to Queue: 10000

    Transport Type: UDP

  4. To apply changes, click Reload Services

8.5.x and higher

Requires CentOS 7.4 or higher. The currently installed CentOS version is listed as "Distribution" in the CLI login banner, or can be displayed by typing "sysinfo".

Example:

> sysinfo

**************************************************

Recognized platform: Linux

Distribution: CentOS Linux release 7.6.1810 (Core)

If the CentOS version is below 7.4, run OS updates and reboot before upgrading. For instructions on updating CentOS, refer to the Fortinet Document Library.
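A pre-upgrade check for the requirement above, as an added example that is not Fortinet's code: it parses the "Distribution" line of the sysinfo output shown above (a constructed copy is embedded) and compares the major.minor release numerically against the 7.4 minimum, so a release such as 7.10 is not mistaken for being older than 7.4 by string comparison. The live branch assumes sysinfo is on the PATH of the appliance shell.

```shell
#!/bin/sh
# Added example (not Fortinet's code): verify the CentOS release reported by
# "sysinfo" meets the 7.4 minimum required by FortiNAC 8.5.x and higher.

# Constructed sample of the sysinfo banner quoted on the page.
SAMPLE_SYSINFO='**************************************************
Recognized platform: Linux
Distribution: CentOS Linux release 7.6.1810 (Core)'

# Print the release string (e.g. 7.6.1810) from the Distribution line;
# prints nothing when no CentOS Distribution line is present.
centos_release() {
    printf '%s\n' "$1" \
        | sed -n 's/^Distribution: CentOS Linux release \([0-9][0-9.]*\).*/\1/p'
}

# version_at_least HAVE NEED: return 0 when major.minor of HAVE >= NEED.
# awk splits on "." and converts to integers; a missing minor counts as 0.
version_at_least() {
    set -- $(printf '%s\n%s\n' "$1" "$2" | awk -F. '{printf "%d %d ", $1, $2+0}')
    # $1 $2 = have major/minor, $3 $4 = need major/minor
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# check_upgrade_ready SYSINFO_OUTPUT: prints the release and returns
# 0 = OK to upgrade, 1 = run OS updates and reboot first, 2 = banner not recognised.
check_upgrade_ready() {
    rel=$(centos_release "$1")
    [ -n "$rel" ] || return 2
    printf '%s\n' "$rel"
    version_at_least "$rel" 7.4
}

# With --live, feed the real sysinfo output (assumes sysinfo is in PATH);
# otherwise demonstrate on the constructed sample.
if [ "${1:-}" = "--live" ]; then input=$(sysinfo); else input=$SAMPLE_SYSINFO; fi
status=0
rel=$(check_upgrade_ready "$input") || status=$?
case $status in
    0) echo "CentOS $rel meets the 7.4 minimum: OK to upgrade" ;;
    1) echo "CentOS $rel is below 7.4: run OS updates and reboot before upgrading" ;;
    *) echo "Could not find a CentOS Distribution line in the sysinfo output" ;;
esac
```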

A Network Access Policy is required for the user-id to be sent to the firewall for Palo Alto SSO and FortiGate RSSO integrations. For details, refer to related KB article FD49517.

8.8.x

Requires access to downloads.bradfordnetworks.com from each appliance or virtual machine. The update automatically installs CentOS files for the new Local Radius Server feature on the Control Server(s). If access is blocked, the software upgrade will fail. The default transfer protocol can be changed from FTP to either HTTPS or HTTP. For instructions, refer to the Appendix of the CentOS Updates reference manual.

When upgrading from a pre-8.8 version to 8.8.0 or 8.8.1, the upgrade may hang if the appliance does not have external FTP access. The upgrade introduces a new local RADIUS server feature that requires additional CentOS patches. The download and installation of the patches occur during the upgrade process. A new .repo file is written in order to download the patches and specifies FTP as the transfer protocol.

Note: As of 8.8.2, the default protocol was changed to HTTP.

Customers that currently do not have a README and want to upgrade themselves should do the following:

  1. Modify the firewall to allow FTP access from the eth0 IP address of each appliance until the upgrade is completed.
  2. Once completed, modify the repo files to use the desired protocol for future OS updates. For instructions, see the section Change Transfer Protocol to HTTP/HTTPS in the CentOS Updates document in the Fortinet Document Library.

Customers that currently have a README, do not want to upgrade themselves, or cannot make the temporary firewall change should contact Support to schedule the upgrade.

802.1x implementations: Port 1813 is no longer listening after upgrading from a pre-8.8 version. After the upgrade, re-enable it by performing the following steps:

  1. Navigate to System > Settings > Authentication > Radius
  2. Deselect Accounting Port 1813
  3. Click Save
  4. Re-select Accounting Port 1813
  5. Click Save

See KB Article FD50889.

https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD50889

8.8.3

  • Important: Customers with 10.x XenMobile integrations must ensure XenMobile is running 10.10 or higher before upgrading FortiNAC. As of this version, FortiNAC no longer supports earlier 10.x XenMobile versions due to changes in API schema. This change does not affect 9.x versions of XenMobile.

  • Ensure http access is allowed to the internet for the FNAC eth0 IP address. This must be done for both Primary and Secondary servers in High Availability configurations. See KB FD51203.

8.8.5

  • Functionality to register hosts using SNMP traps (LogOn Script) is disabled. After upgrading to 8.8.5 or later from a pre-8.8.5 version, re-enable the functionality. Contact Support for assistance. See KB FD51186.

  • Ensure http access is allowed to the internet for the FNAC eth0 IP address. This must be done for both Primary and Secondary servers in High Availability configurations. See KB FD51203.

9.2

As of Persistent Agent version 5.3, there is no option to disable secure agent communications. Agents upgraded from previous versions to 5.3 or greater will communicate over TCP 4568 regardless of the "securityEnabled" Persistent Agent setting. Therefore, the following must be done prior to upgrading hosts to agent version 5.3:

  • Ensure valid SSL certificates are installed in the Persistent Agent Certificate Target

    Version 8.x: Navigate to System > Settings > Security > Certificate Management

    Version 9.x: Navigate to Security Configuration > Certificate Management

  • Packet Transport Configurations must have TCP 4568 listed

    Version 8.x: Navigate to System > Settings > Persistent Agent > Transport Configuration

    Version 9.x: Navigate to Security Configuration > Agent Settings > Transport Configuration

9.2

The number of Operating System and Anti-Virus program options in the Scan Configuration has been reduced. Only those currently supported or commonly in use are now listed. For a list of the available Operating Systems and Anti-Virus programs, see KB article 198098.
