9.1.0

Appliance Configuration

Configure each FortiNAC-OS appliance with the following:

  • License key

  • Basic network settings

  • CLI passwords

  • Network type

  • Allowed services

  • Allowed serial numbers

  1. Log in to the Customer Portal (https://support.fortinet.com).

  2. In a text file (Notepad, etc.), record the serial numbers of:

  • Each FortiNAC-OS appliance

  • Each CentOS appliance (if not all PODs will be migrated in the same session)

  1. Browse to

    https://<IP address of FortiNAC-OS port1>:8443/

  2. Log in using the default FortiNAC Admin GUI credentials:

    User: root

    Password: YAMS

  3. Read the End User License Agreement. Accept the terms and continue.

  4. For your license key, click import .lic file, and select the .lic file previously downloaded. It is not recommended to copy and paste into the box.

  5. Click Next.

  6. Enter a new User ID and Password to use when logging in. Click Next.

    For password requirement details, see Passwords in the Administration Guide.

    Note: The CLI account is not updated with a change until the Config Wizard is completed and a Config Wizard reboot is executed.

  7. In the Basic Network view, configure the network settings then click Next.

    • Hostname = Hostname of CentOS appliance

    • Port1 IP address = Temporary IP

  8. Select None for Network Type then click Next.

  9. Review the data on the Summary View to confirm the configured settings.

  10. Click Apply. The Configuration Wizard writes the data to the files on the appliances. This process may take several minutes to complete. When completed, the Results page appears.

  11. Review the Results. Errors are noted at the top of the Results page.

  12. Scroll down through the results and note errors or warnings. Make changes and apply them until a successful configuration is written.

  13. Click Reboot.

  14. Log in to the FortiNAC-OS CLI as admin.

  15. Configure port1 and port2 access using the "set allowaccess" command. FortiNAC-OS has no open (listening) TCP/UDP ports enabled by default, so every service that must be reachable on an interface has to be enabled explicitly.

    Type:

    config system interface

    edit port1

    set allowaccess https-adminui ssh snmp dhcp fsso http-adminui nac-agent nac-ipc ping radius-acct radius-local radius syslog netflow radius-local-radsec

    next

    end

    config system interface

    edit port2

    set allowaccess dhcp dns http https nac-agent ping

    next

    end

  16. Using the list compiled in step 1, configure the allowed serial number list. This is required for appliance communication between the FortiNAC servers.

    For each server, enter the following commands, listing all the serial numbers recorded:

    execute enter-shell

    globaloptiontool -name security.allowedserialnumbers -setRaw "<serialnumber1>,<serialnumber2>,<serialnumber3>"

    Example

    globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"

Note:

  • The message "Warning: There is no known option with name: security.allowedserialnumbers" may appear. This is normal.

  • In High Availability configurations, only the Primary Server needs to have the command entered. Database replication copies the configuration to the Secondary Server.

  1. Confirm entry by typing:

    globaloptiontool -name security.allowedserialnumbers

  2. Log out of the CLI. Type:

    exit

    exit
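The allowed serial number list in step 16 is passed as one raw, comma-separated string, so a stray space, quote or comma in the recorded list silently changes which appliances are trusted to talk to this server. The POSIX shell helper below is an added example (not Fortinet's own tooling) that builds the -setRaw argument from the file recorded in step 2, rejects malformed entries before anything is written, and checks the confirmation output of "globaloptiontool -name security.allowedserialnumbers" against the expected set; the one-serial-per-line file layout and the accepted character set are assumptions.

```shell
#!/bin/sh
# Added example, not Fortinet tooling: build and verify the raw value for
#   globaloptiontool -name security.allowedserialnumbers -setRaw "<list>"
# from the serial numbers recorded in step 2 (assumed: one serial per line).
# A serial is accepted when it contains only letters, digits and '-'; anything
# else (a stray comma, quote or space) would corrupt the raw string and is
# rejected. That character set is an assumption, not a vendor specification.

# Print the de-duplicated, comma-joined list; on a malformed line, print it to
# stderr and return 1 so nothing partial is written to the appliance.
build_allowlist() {
    out=""
    while IFS= read -r line || [ -n "$line" ]; do
        sn=$(printf '%s' "$line" | tr -d '[:space:]')
        if [ -z "$sn" ]; then continue; fi
        case "$sn" in
            *[!A-Za-z0-9-]*) printf 'rejected serial: %s\n' "$line" >&2; return 1 ;;
        esac
        case ",$out," in
            *",$sn,"*) continue ;;      # already listed, skip duplicate
        esac
        out="${out:+$out,}$sn"
    done < "$1"
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Emit the exact command to run after "execute enter-shell" (step 16).
setraw_command() {
    list=$(build_allowlist "$1") || return 1
    printf 'globaloptiontool -name security.allowedserialnumbers -setRaw "%s"\n' "$list"
}

# Check the confirmation output of "globaloptiontool -name
# security.allowedserialnumbers" (without -setRaw): succeed only if it holds
# exactly the serials in the file, in any order, with no extras or omissions.
verify_allowlist() {
    expected=$(build_allowlist "$1") || return 1
    actual=$(printf '%s' "$2" | tr -d '" ')
    [ "$(printf '%s\n' "$expected" | tr ',' '\n' | sort)" = \
      "$(printf '%s\n' "$actual" | tr ',' '\n' | sort)" ]
}
```

Run build_allowlist against the file on a workstation before pasting the generated command into each server; run verify_allowlist on the confirmation output to catch a server whose list was truncated or typed by hand.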
