Fortinet FortiNac BFN620XL Installation guide

Category
Networking
Type
Installation guide
Appliance Installation Guide
Version: 8.3
Date:8/24/2018
FORTINET DOCUMENTLIBRARY
https://docs.fortinet.com
FORTINETVIDEOGUIDE
https://video.fortinet.com
FORTINETKNOWLEDGE BASE
http://kb.fortinet.com
FORTINETBLOG
https://blog.fortinet.com
CUSTOMERSERVICE&SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTINETCOOKBOOK
http://cookbook.fortinet.com
FORTINETTRAININGAND CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE
https://training.fortinet.com/
FORTIGUARDCENTER
https://fortiguard.com
FORTICAST
http://forticast.fortinet.com
ENDUSER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf
Friday, August 24, 2018
FortiNAC Appliance Installation Guide
49-830-503677-20180731
Contents
Naming Conventions
Ethernet Connections
Process Overview
Hardware Setup
Connect To The Appliance
Login To Configuration Wizard - Hardware Setup
Verify License Key
Assign IP Address
Configuration Wizard - Passwords
Connect To The Network
Software Configuration
Login To Configuration Wizard - Software
Password Setup
Network Type
Layer 2 Network - VLANs
Layer 2 Network - Configure VLANS
Layer 2 Network - Additional Routes
Layer 2 Network - Summary
Layer 3 Network - Route Scopes
Layer 3 Network - Configure Route Scopes
Importing Route Scopes
Layer 3 Network - Additional Routes
Results: Layer 2/Layer3 Networks Or Control Manager
Log In To The Admin User Interface
Change Passwords After Configuration
Naming Conventions
Before you begin the installation, you need to determine the Product Descriptor for the product
you are configuring.
- Refer to the Appliance Identification Details page in the information packet that
came with your appliance. Locate your Appliance Identifier.
- If you don’t have the Appliance Identification Details page, check the Appliance Identifier
tag located on the metal casing on the back or the top of the appliance.
- Using the Appliance Identifier information, refer to the tables below to determine
the Product Descriptor. The Product Descriptor is used throughout this
document.
In addition, the Appliance Identifier contains the BFN number for the type of appliance you are
configuring. Refer to this number as you go through the Hardware Setup procedures to identify
your appliance and its corresponding Ethernet ports.
Refer to the Tables in this section. If your appliance is not listed, contact Customer Support. You
can download electronic versions of the Appliance Installation Guides through the Configuration
Wizard. See Login To Configuration Wizard - Software on page 15.
Note: The Configuration Wizard uses the Product Descriptor as a common naming scheme
when referring to the different products. Tables in this section show this relationship.
Table 1: Naming Conventions For Appliance BFN320
Product Name | Appliance Label | Product Descriptor | Appliance Identifier
NS500 Network Control and Application Server | NS500 | FortiNac Server | SYS-G-BFN320-NS500
NS500R Network Control and Application Server | NS500R | FortiNac Server | SYS-G-BFN320-NS500R
NS1200 Network Control Server | NS1200 | FortiNac Control Server | SYS-G-BFN320-NS1200
NS1200R Network Control Server | NS1200R | FortiNac Control Server | SYS-G-BFN320-NS1200R
NS1200OPA Analytics Server | NS1200OPA | FortiNac On-Premises Analytics Server | SYS-G-BFN320-NS1200OPA
NS8200 Network Application Server | NS8200 | FortiNac Application Server | SYS-G-BFN320-NS8200
NS8200R Network Application Server | NS8200R | FortiNac Application Server | SYS-G-BFN320-NS8200R
Table 2: Naming Conventions for Appliance BFN330
Product Name | Appliance Label | Product Descriptor | Appliance Identifier
NS500CA Network Control and Application Server | NS500CA | FortiNac Server | SYS-BFN330-NS500CA
Table 3: Naming Conventions For Appliance BFN620
Product Name | Appliance Label | Product Descriptor | Appliance Identifier
NS2200 Network Control Server | NS2200 | FortiNac Control Server | SYS-G-BFN620-NS2200
NS9200 Network Application Server | NS9200 | FortiNac Application Server | SYS-G-BFN620-NS9200
NS550 Network Control Manager | NS550 | FortiNac Control Manager | SYS-G-BFN620-NS550
Table 4: Naming Conventions for Appliance BFN620XL
Product Name | Appliance Label | Product Descriptor | Appliance Identifier
NS3200 Network Control Server | NS3200 | FortiNac Control Server | SYS-G-BFN620XL-NS3200
NS10200 Network Application Server | NS10200 | FortiNac Application Server | SYS-G-BFN620XL-NS10200
Table 5: Naming Conventions for Appliance BFN630
Product Name | Appliance Label | Product Descriptor | Appliance Identifier
NS600CA High Performance Control and Application Server | NS600CA | FortiNac Server | SYS-BFN630-NS600CA
NS1000C High Performance Control Server | NS1000CA | FortiNac Control Server | SYS-BFN630-NS1000C
NS1000A High Performance Application Server | NS1000CA | FortiNac Application Server | SYS-BFN630-NS1000A
NS550CM Network Control Manager | NS550CM | FortiNac Control Manager | SYS-BFN630-NS550CM
NS600AS On-Premises Analytics Server | NS600AS | FortiNac On-Premises Analytics Server | SYS-BFN630-NS600AS
Table 6: Naming Conventions for Appliance BFN630XL
Product Name | Appliance Label | Product Descriptor | Appliance Identifier
NS700CA Ultra High Performance Control and Application Server | NS700CA | FortiNac Server | SYS-BFN630XL-NS700CA
NS2000C Ultra High Performance Control Server | NS2000CA | FortiNac Control Server | SYS-BFN630XL-NS2000C
NS2000A Ultra High Performance Application Server | NS2000CA | FortiNac Application Server | SYS-BFN630XL-NS2000A
Ethernet Connections
Each Ethernet port is used for a different purpose during initial configuration and normal
operation. The following table provides details on the options for each appliance type and its
corresponding Ethernet ports.
Note: Manual configuration is required for eth2. The eth3 or fourth interface is reserved for future
use. Contact Customer Support for assistance.
Table 7: Ethernet Connections
Appliance | Product | Port | Port Used During Initial (Basic Network) Configuration
BFN320, BFN330, BFN620, BFN630 | All Products | eth1 | Used temporarily during configuration until the IP address, mask, default gateway, and host name are set up. Configuration Wizard DHCP Service—Disabled once appliance is rebooted (or shut down and restarted).

Appliance | Product | Port | Port Used During Normal Operations (After Basic Network Configuration Complete)
BFN320, BFN330, BFN620, BFN630 | All Products | eth0 | Management
BFN320, BFN330, BFN620, BFN630 | FortiNac Server | eth1 | Isolation networks, such as Registration or Remediation.
BFN320, BFN330, BFN620, BFN630 | FortiNac Application Server | eth1 | Isolation networks, such as Registration or Remediation.
BFN320, BFN330, BFN620, BFN630 | FortiNac Control Server | eth1 | Either DHCP detection or not used.
BFN320, BFN330, BFN620, BFN630 | FortiNac Control Manager | eth1 | Not used.
BFN320, BFN330, BFN620, BFN630 | FortiNac Server | eth2 | Rogue DHCP detection, additional isolation networks (for example, Remote Registration and Remote Scan), access point management, or not used.
BFN320, BFN330, BFN620, BFN630 | FortiNac Application Server | eth2 | Additional isolation networks (for example, Remote Registration and Remote Scan), access point management, or not used.
Process Overview
The following is a summary of the steps you will use to configure your appliance.
Important: The FortiNac appliance set (physical or virtual) is intended for Fortinet software,
tools and services use only. Fortinet does not confirm for use any other software, tools or
services.
Table 8: Hardware And Software Configuration Overview
Process | Steps | Prerequisites
Hardware Setup: Connect appliance to the network. See Hardware Setup on the next page. | Physically connect your laptop to the appliance using eth1. | None
 | Launch Configuration Wizard and login. Validate license. | License key if not already installed.
 | Assign IP address and other basic networking information, such as, mask, DNS, or hostname. | IP address for this appliance
 | Disconnect laptop from eth1 and connect appliance to network on eth0. | None
Software Configuration: Return to Configuration Wizard to enter basic setup data. See Software Configuration on page 15. | Specify forwarding DNS for all isolation networks and enter time zone information. | None
 | Set up passwords. Select network type: Layer 2 or Layer 3. | Have information available for Layer 2 VLAN network or Layer 3 routed network.
 | Create additional routes. | Optional routes for network traffic typically used in a Layer 3 environment.
 | View Summary and apply the configuration. Reboot. | None
Re-run the Configuration Wizard at any time to reconfigure settings. To re-run the Configuration
Wizard see Login To Configuration Wizard - Software on page 15 and enter the URL as
shown.
Hardware Setup
Unpack and power up the appliance(s) as described in the Hardware Setup Guide included with
the appliance. For some appliances, the power supply fan goes on when the appliance is first
plugged in.
Note: On some appliances the power switch is located behind the bezel on the front of the
machine. Be sure to remove the bezel and power up the appliance first.
DO NOT CONNECT THE APPLIANCE(S) TO THE NETWORK AT THIS TIME.
Connect To The Appliance
1. See Figures 1 through 7. Note that the port etched with number 1 is eth0 and the port
etched with number 2 is eth1, or the leftmost port is eth0 and the next port to the right is
eth1.
2. Use either a straight-through or crossover RJ45 cable to connect your PC to eth1 of the
appliance. Port eth1 serves DHCP in the 192.168.1.x range. The appliance itself has an
IP address of 192.168.1.1. Be certain to connect the RJ45 cable to the correct Ethernet
port. LED 1 on the front of the appliance lights to indicate when eth0 has established
connection. LED 2 lights to indicate when eth1 has established connection.
Note: Not all models of the appliance have LED lights on the front.
Note: When a FortiNac Control Server and Application Server are paired, configure the
FortiNac Application Server hardware first to assign an IP address. The FortiNac
Control Server must know the IP address of the FortiNac Application Server in order to
communicate with it.
3. On the PC, bring up a web browser. To launch the Configuration Wizard, navigate to:
http://192.168.1.1:8080/configWizard
Note: Appliances have an LCD panel on the front that displays the Appliance Type, such as
FortiNac Control Server, and the FortiNac Version number installed. This information does not
display until the FortiNac software is started.
Figure 1: Appliance BFN320
Figure 2: Appliance BFN620 and BFN620XL
Figure 3: Appliance BFN330
Figure 4: Appliance BFN630 and BFN630XL
Login To Configuration Wizard - Hardware Setup
1. If you have not done so already, bring up a web browser and navigate to:
http://192.168.1.1:8080/configWizard
2. Enter the User Name and Password credentials to gain access to the Configuration
Wizard.
User Name = config
Password = config
3. Click OK.
Note: You will be required to change the Configuration Wizard password during the
setup process.
Verify License Key
Each appliance requires a unique License Key to run the application. The License Key contains
the license count, license time, feature set, and high availability options.
Note: When the License Key Validation window opens, if you do not see a license key, contact
Customer Support or your sales representative to obtain it. For customer identification, have the
MAC Address of the appliance ready when you call for assistance. The MAC Address is located
on the shipping label, the Appliance Identification Details document and on the back or the top
of the metal casing of the appliance.
1. If a license key appears in the text area, click OK. If there is no key, contact Customer
Support or your sales representative.
2. On the next screen you can download PDF versions of the documentation to your PC
and then click OK to continue.
Figure 5: License Key Validation Window
Assign IP Address
The initial Basic Network screen displays the Product Descriptor and the type of system you are
configuring. See Naming Conventions on page 1.
1. Configure the FortiNac appliance and enter the values based on the definitions in Basic
Network Window Field Definitions below.
WARNING: Do not use the following as the Host Name for the appliance: nac,
isolation, registration, remediation, remotereg, remotescan, vpn, authentication, hub,
access point management, or deadend. These names are reserved for system use.
WARNING: Host names should contain only letters, numbers or hyphens (-).
Uppercase letters are converted to lowercase automatically.
2. Click Apply.
3. Review the information in the Results page. If there are errors or omissions, click Back
on the browser. Make the changes and reapply them.
4. Reboot or shut down the appliance. The DHCP service accessed via eth1 during
installation is disabled.
Note: The data displayed in the Configuration Wizard may not represent the current
configuration of the appliance. When you make edits in the Configuration Wizard, your
modifications are stored in a temporary file. This allows you to exit the Configuration
Wizard before you save your changes permanently.
Table 9: Basic Network Window Field Definitions
Field | Definition
FortiNac Product
Host Name | Name of the appliance you are configuring. Host names should contain only letters, numbers or hyphens (-). Uppercase letters are converted to lowercase automatically. Note: Do not use nac, isolation, registration, remediation, remotereg, remotescan, vpn, authentication, hub, or deadend. These names are reserved for system use.
eth0 IP Address | Management IPv4 address of the appliance you are configuring.
Default Gateway | Default Gateway IPv4 address for the appliance you are configuring. A default gateway is the device that passes traffic from the local subnet to devices on other subnets.
eth0 IPv6 Address | Management IPv6 address of the appliance you are configuring.
IPv6 Default Gateway | Default Gateway IPv6 address for the appliance you are configuring. A default gateway is the device that passes traffic from the local subnet to devices on other subnets.
Mask | Subnet IPv4 mask for the appliance you are configuring. A subnet is a logical grouping of connected network devices; the mask defines the boundaries of the subnet.
IPv6 Mask in CIDR notation | Subnet IPv6 mask for the appliance you are configuring, in CIDR format (e.g., 64).
DNS
Primary IP Address | IP address of the Primary DNS Server. This is used in the basic IP network configuration for the appliance.
Secondary IP Address | IP address of the Secondary DNS Server. This is used in the basic IP network configuration for the appliance.
Domain | Enter your domain name, such as megatech.com or megatech.edu.
Forwarding DNS for all Isolation Networks
Use Primary and Secondary DNS | Select this option to use the Primary and Secondary DNS IP addresses.
Specify [Use semi-colon (;) to separate] | Select this option to specify a different DNS IP address, and enter the address(es).
NTP and Time Zone
NTP Server [example: pool.ntp.org] | The address of the NTP (Network Time Protocol) server used to keep system clocks up-to-date with official time.
Time Zone | Specify the time zone in which the system is located so that the correct time is shown for your time zone.
Figure 6: Basic Network - Assign IP Address
Configuration Wizard - Passwords
Password fields appear empty until you modify a password. Passwords can be modified again
later by accessing the Change Passwords screen. See Change Passwords After Configuration
on page 45.
CLI/SSH and Configuration Wizard passwords must be eight characters or longer and contain a
lowercase letter, an uppercase letter, a number, and one of the following symbols:
Required Symbols
!  exclamation point    @  at               _  underscore
#  pound                $  dollar           ~  tilde
%  percent              ^  caret            -  hyphen
*  asterisk             ?  question mark
Note: The symbols listed below are not permitted in CLI/SSH and Configuration Wizard
passwords.
Prohibited Symbols
(  open parenthesis     space               {  open curly bracket
)  close parenthesis    ;  semicolon        }  close curly bracket
`  back quote           :  colon            [  open square bracket
&  ampersand            "  double quote     ]  close square bracket
+  plus                 '  single quote     ,  comma
=  equal                <  less than        .  period
|  pipe                 >  greater than     /  forward slash
\  back slash
Password types include:
- admin: CLI/SSH password you use to log into the appliance. Must be at least 8
characters and no more than 64 characters.
- root: CLI/SSH password Customer Support uses to log into the appliance. Must be at
least 8 characters and no more than 64 characters. Notify Customer Support if you
change this password.
- Configuration Wizard: Password you use to log into the Configuration Wizard.
Note: FortiNac Application Server Passwords only display when you configure a FortiNac
Control Server.
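The host name rules under Assign IP Address and the password rules in this section can be checked before the values are typed into the Configuration Wizard. The Python below is an added example, not Fortinet code: the rule values are copied from this guide, all function and variable names are hypothetical, and the eth0 address, mask and gateway consistency check is ordinary IPv4 subnet logic that goes beyond what the guide states.

```python
import ipaddress
import re
import string

# Rule values are copied from this guide; all names below are hypothetical.
RESERVED_HOSTNAMES = {
    "nac", "isolation", "registration", "remediation", "remotereg",
    "remotescan", "vpn", "authentication", "hub",
    "access point management", "deadend",
}
REQUIRED_SYMBOLS = set("!@_#$~%^-*?")
PROHIBITED_SYMBOLS = set("(){} ;`:[]&\"+',=<.|>/\\")
MAX_LEN = {"admin": 64, "root": 64}  # no maximum is stated for the wizard password


def check_hostname(name):
    """Return (name as stored after lowercasing, list of problems)."""
    stored = name.lower()  # the wizard converts uppercase automatically
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9-]+", name):
        problems.append("only letters, numbers and hyphens are allowed")
    if stored in RESERVED_HOSTNAMES:
        problems.append(f"'{stored}' is reserved for system use")
    return stored, problems


def check_password(password, kind):
    """kind is 'admin', 'root' or 'wizard'; returns a list of problems."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if kind in MAX_LEN and len(password) > MAX_LEN[kind]:
        problems.append(f"longer than {MAX_LEN[kind]} characters")
    used = set(password)
    for chars, message in [
        (set(string.ascii_lowercase), "no lowercase letter"),
        (set(string.ascii_uppercase), "no uppercase letter"),
        (set(string.digits), "no number"),
        (REQUIRED_SYMBOLS, "none of the required symbols"),
    ]:
        if not used & chars:
            problems.append(message)
    bad = sorted(used & PROHIBITED_SYMBOLS)
    if bad:
        problems.append("prohibited symbols: " + " ".join(repr(c) for c in bad))
    return problems


def check_eth0(ip, mask, gateway):
    """Assumed extra check: eth0 address, mask and gateway must fit together."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"not a valid IPv4 value: {exc}"]
    net, problems = iface.network, []
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        problems.append("gateway equals the appliance address")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("address is the network or broadcast address")
    return problems
```

Each function returns an empty problem list when the value passes; the shipped Configuration Wizard password `config` fails four of the password checks, which is consistent with the wizard forcing a change during setup.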
Connect To The Network
1. Disconnect the PC from the eth1 port on the appliance.
2. Connect eth0 of the appliance to the network. If you have a FortiNac Control Server and
FortiNac Application Server pair, connect eth0 of each appliance to the network. Port
eth0 is the management interface for the appliance. If a management VLAN exists,
connect eth0 to a management VLAN network port.
Note: See Ethernet Connections on page 3 and Hardware Setup on page 6 for additional
information and pictures of each appliance type and corresponding ports.
WARNING: DO NOT use a firewall between any FortiNac appliances because the firewall
interferes with the connection between those appliances. There should never be a firewall
between any of the following:
- FortiNac Control Server and FortiNac Application Server
- FortiNac Control Manager and the appliances it manages
- Primary and Secondary servers in a High Availability Environment
- FortiNac Integrated RADIUS Server and the FortiNac Control Server and FortiNac Application
Server
- FortiNac Integrated RADIUS Server and the FortiNac Server
- Host running the Admin UI and the FortiNac Control Server
- Host running the Admin UI and FortiNac Server
- Host running the Admin UI and FortiNac Control Manager
Software Configuration
Now that your appliance has been assigned an IP address and is connected to the network, you
are ready to configure your NTP, time zone, routes, and DHCP scopes associated with your
Layer 2 or Layer 3 network.
Use the following buttons and links to navigate through the Configuration Wizard.
- Steps pane: This is the panel displayed on the left of each Configuration window.
Each step is a link to its corresponding window. It is not required that you follow the
configuration steps sequentially.
- Help: Displays a PDF version of this document.
- Reset: Click Reset to return field values to what they were when you opened the view.
If you move to another window, you can no longer reset field values.
- Summary: Lists all configured settings. You can view a summary at any point in the
configuration process and apply those settings.
Login To Configuration Wizard - Software
1. Bring up a web browser and point it to the IP Address of the FortiNac Server, FortiNac
Control Server or FortiNac Management Server. Use one of the following URLs:
http://<IP Address>:8080/configWizard
http://<Host Name of the appliance>:8080/configWizard
Note: The Configuration Wizard writes files configured on the FortiNac Control Server
to the FortiNac Application Server. No direct configuration of the FortiNac Application
Server is required after the initial basic network setup is completed and it is connected
to the network.
2. Enter the User Name and Password credentials that you configured when assigning
an IP address to gain access to the Configuration Wizard.
3. Click OK.
4. Click OK on the License Key screen.
5. Download the documentation needed to configure and administer the product. These
files are in PDF format and require a PDF viewer to read them. Click the Download
button to save the files, then click OK.
Figure 7: Download Documentation Window
Password Setup
Figure 8: Change Passwords
Figure 9: Configuration Wizard - Password Setup