FortiNAC

Nozomi Networks
Device Integration
Version: 8.3, 8.5, 8.6, 8.7, 8.8
Date: April 6, 2021
Rev: D

1
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET KNOWLEDGE BASE

http://kb.fortinet.com

FORTINET BLOG
http://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

http://support.fortinet.com

FORTINET COOKBOOK
http://cookbook.fortinet.com

NSE INSTITUTE
http://training.fortinet.com

FORTIGUARD CENTER
http://fortiguard.com

FORTICAST
http://forticast.fortinet.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

2
Contents

Overview ............................................................................................................................................... 4
What it Does ...................................................................................................................................... 4
How it Works ..................................................................................................................................... 4
Requirements .................................................................................................................................... 4
Integration ............................................................................................................................................ 5
Configure FortiNAC .......................................................................................................................... 5
Keystore for TLS/SSL Communication ......................................................................................... 5
MDM Services ................................................................................................................................ 6
Validate Connectivity .................................................................................................................... 9
Events ............................................................................................................................................ 9
Policies ........................................................................................................................................... 9
Validate ........................................................................................................................................... 11
Troubleshooting .................................................................................................................................. 12
Debugging ........................................................................................................................................ 12
Appendix ............................................................................................................................................. 12
Communication without SSL Certificate .................................................................................... 12

3
Overview
The information in this document provides guidance for configuring integration in order for
FortiNAC to manage devices registered using the Nozomi Networks solution.

Note: As much information as possible about the integration of this device with FortiNAC
is provided. However, the vendor may have made modifications to the device’s firmware
that invalidate portions of this document. If having problems configuring the device, contact
the vendor for additional support.

What it Does
 Expands device Trust in FortiNAC to those devices managed by Nozomi system. This
also further extends FortiNAC’s endpoint visibility of managed devices.
 Provides security event parsing for Automated Threat Response.

How it Works
When a rogue host is detected on the network, FortiNAC communicates with Nozomi and retrieves
the host data. FortiNAC registers the host if it is already registered with Nozomi. FortiNAC polls
Nozomi periodically in order to update records for those hosts already registered in FortiNAC.

FortiNAC collects the following host data from Nozomi:

 Type (PC, Android, IOS, Camera, PLC/OT Device)
 Operating System
 Host Name

Requirements
Nozomi
 Software v19.x or higher
 Nozomi solution is in place and registering devices
 Valid signed SSL certificate installed in Nozomi system*
 REST API account on Nozomi system

FortiNAC
 Software version 8.6.0 or higher
 FortiNAC PRO License (only required if parsing IOC SYSLOG events)
 Certificate used to sign the Nozomi system's certificate is installed in FotiNAC as a trusted
certificate*

*If certificate is not available, see Communication without SSL Certificate in Appendix.

4
Integration

Configure FortiNAC
Configure a MDM Service to establish a connection with the Nozomi system. MDM Services are
used to configure the connection or integration between FortiNAC and Nozomi. FortiNAC and the
Nozomi system work together sharing data via an API to secure the network. FortiNAC leverages
the data in the Nozomi system’s database and registers hosts using that data as they connect to
the network.

Important: Proxy communication is not supported.

Keystore for TLS/SSL Communication

Install the CA Certificate used to sign the Nozomi server's certificate. This will allow FortiNAC to
trust communication with the Nozomi server. If certificate is not available, see Communication
without SSL Certificate in Appendix.

1. Copy the certificate file from the Certificate Authority to the /bsc/campusMgr/
directory on the FortiNAC server.
2. Use the keytool command to import the certificate into a keystore file.
For example, if the certificate file is named MainCertificate.der, you would type the
following:
keytool -import -trustcacerts -alias <servername as it appears in
certificate> -file <certificate file> -keystore .keystore

Note: Depending on the file extension of your certificate file, you may need to modify the command
shown above. For additional information on using the keytool key and certificate management tool
go to the Sun web site java.sun.com.

3. When the script responds with the Trust this certificate? prompt, type Yes and press
Enter.
4. At the prompt for the keystore password, type in the following password and press
Enter:
^8Bradford%23

5. To view the certificate, navigate to the /bsc/campusMgr/ directory and type the
following:
keytool -list -v -keystore .keystore

6. Type the password used to import the certificate and press Enter.
7. Restart control processes to apply changes
shutdownCampusMgr
<wait 15 seconds>
startupCampusMgr

5
MDM Services
1. In the Administrative UI, navigate to System > Settings > System Communication >
MDM Services and click Add.

2. Use the field definitions for the MDM Services in the following table to enter the MDM
Service information. Click OK to save.

Note: When integrating Nozomi with FortiNAC, if there is more than one FortiNAC with an
NCM, it is only necessary to configure the integration on one of the FortiNAC Servers. The host
records will be propagated on demand to the other FortiNAC Servers.

6
 MDM Services Field Definitions

Field Definition
MDM Vendor Select Nozomi

Name Name of the connection configuration for the connection between an MDM system
and FortiNAC.
The URL for the API to which FortiNAC must connect to request data. This will be
Request URL a unique URL based on your MDM system.
Note: Requires the Nozomi server name as it appears in SSL certificate.
(Example: https://MyNozomiServer)
User ID User name of the account used by FortiNAC to log into the MDM system when
requesting data.
Password Password for the account used by FortiNAC to log into the MDM system when
requesting data.

This field displays only when adding a new MDM connection configuration. It is not
displayed in the table of MDM servers.

On Demand If enabled, when an unknown host reaches the captive portal, FortiNAC queries the
Registration MDM server for information about that host. If the host exists in the MDM server, it is
registered in FortiNAC using the data from the MDM server.

Revalidate If enabled, when the host connects to the network FortiNAC queries the MDM
Health server to determine if the host is compliant with MDM policies.
Status On NOTE: This setting is disabled by default. It is recommended to keep disabled as
Connect health status is not collected for Nozomi.

Remove Hosts Deleted If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC
from MDM Server database if they have been removed or disabled on the MDM server.

If enabled, when FortiNAC polls the MDM server it retrieves and stores the
Application Updating Application Inventory for hosts that are in the FortiNAC database.

NOTE: This setting is disabled by default. It is recommended to keep disabled as

application data is not collected for Nozomi.
Automatic Registration If enabled, indicates how often FortiNAC should poll the MDM system for
Polling information.

7
 MDM Services Field Definitions

Field Definition

Last Modified By User name of the last user to modify the connection configuration.

Last Modified Date Date and time of the last modification to this connection configuration.
Right Click Options
Delete Deletes the MDM Service.

Modify Opens the Modify MDM Service dialog.

Poll Now Polls the MDM server immediately.

Opens the Admin Auditing Log showing all changes made to the selected item. For
information about the Admin Auditing Log, refer to Admin Auditing in the Online
Help or the Administration and Operation guide in the Fortinet Document Library
Show Audit Log for additional information.
Note: You must have permission to view the Admin Auditing Log. See
Add An Admin Profile in the Online Help or the Administration and Operation
guide in the Fortinet Document Library for additional information.

Test Connection Tests the connection between the selected MDM server and FortiNAC. Error
messages indicate which fields are missing or incorrect.
Buttons
Add Opens the Add MDM Service dialog.

Modify Opens the Modify MDM Service dialog.

Exports the data displayed to a file in the default downloads location. File types
Export include CSV, Excel, PDF or RTF. See Export Data in the Online Help or the
Administration and Operation guide in the Fortinet Document Library for additional
information.

Tests the connection between the selected MDM server and FortiNAC. Error
Test Connection messages indicate which fields are missing or incorrect.

Poll Now Polls the MDM server immediately.

8
Validate Connectivity
1. Select the Nozomi model and click on the Test Connection button. The following message
should display:

2. Click the Poll Now button at the bottom of the view.

3. Devices from Nozomi tables should pre-register in the FortiNAC system (if that option was
selected).

Events
Events associated with the MDM integration can be enabled and mapped to alarms. Events
include:
- MDM Host Created
- MDM Host Destroyed
- MDM Poll Failure
- MDM Poll Success
- MDM Host Compliance Failed
- MDM Host Compliance Passed

Hosts can be marked "at risk" when the host is not in Compliance with an Nozomi policy by using
an Alarm mapped to the MDM Host Compliance Failed event.

Refer to Enable And Disable Events and Map Events To Alarms in the Online Help or the
Administration and Operation guide in the Fortinet Document Library for additional information.

Policies
Configure policies to automatically provision network access based upon specific criteria as
registered hosts connect to the network. Network Access Policies are comprised of two components:

 User/Host Profile: Defines user and/or host data criteria used to assign Network Access
Policies. Additional fields that are specific to MDM Services have been added to the host
record and can be used as a filter in User/Host Profiles. Refer to Host View And Search
Field Definitions in the Online Help or the Administration and Operation guide in the
Fortinet Document Library for additional information.

9
 Managed by MDM FortiNAC registered the host based on data
from MDM database.
Compliant FortiNAC gathered endpoint compliance
information from the MDM server and
marks the host as compliant with MDM
policies or not. Note: Does not list
vulnerabilities.
Passcode enabled N/A
Data Encryption N/A
Compromised N/A

Note the following when determining criteria for User/Host Profiles:

- Devices registered using Nozomi system are registered as a device and not to a user.
- Devices registered from Nozomi system are assigned NAC-Default

 Network Access Configuration: Specifies the network access value (VLAN or role) to
apply when a host matches the associated User/Host Profile.

Example: Place all iOS devices on VLAN 10 and all Android devices on VLAN 11.

Apple Network Access Policy:

 User/Host Profiles specifying iOS operating system
 Network Access Configuration specifying VLAN 10

Android Network Access Policy:

 User/Host Profile specifying Android operating system
 Network Access Configuration specifying VLAN 11

Refer to Network Access Policies in the Online Help or the Administration and Operation guide
in the Fortinet Document Library for additional information.

10
Validate
Test features enabled in the MDM Service.

On Demand Registration:
1. Connect a Nozomi managed device to the network.
2. In FortiNAC Administration UI, navigate to Hosts > Host View and search for device by
MAC address.
3. If device is already authenticated, FortiNAC should automatically register the device and
assign the appropriate network access based upon Network Access Policies.

- Devices registered using Nozomi are registered to a user if the user in Nozomi
matches a user in FortiNAC. If the user is not found, the device will be registered as
a device and not to a user.
- Devices registered from Nozomi are assigned NAC-Default as the role unless the
user has a different role set in FortiNAC. If the user has a role, the device inherits
the user’s role.

Remove Hosts Deleted from MDM Server:

1. Disable or delete Host in Nozomi system.
2. In a separate window, navigate to System > Settings > System Communication > MDM
Services
3. Click on the Nozomi model and click the Poll Now button (or wait for the next polling cycle
if Automatic Polling is enabled). The host should disappear from the Host View.

11
Troubleshooting
Refer to the following KB articles:

Troubleshooting MDM registration issues

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD43815

Troubleshooting Policies
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD42422

Debugging
Enable debugging feature
CampusManagerDebug –name NozomiServer true
CampusManagerDebug –name MdmManager true

Disable debugging feature

CampusManagerDebug –name <value> false

Note: Debugs disable automatically upon restart of FortiNAC control and management processes.

Appendix
Communication without SSL Certificate
By default, FortiNAC will not connect to the Nozomi server without a valid certificate installed. If
a certificate is not available for install, however, FortiNAC can be configured to connect and ignore
certificate validation.

1. In FortiNAC CLI, login as root.

2. Modify file bsc/campusMgr/master_loader/properties_plugin/nozomi.properties
3. Change:
com.bsc.plugin.airwatch.NozomiServer.insecureSSL=false
to
com.bsc.plugin.airwatch.NozomiServer.insecureSSL=true

4. Restart control processes to apply

shutdownCampusMgr

<wait 15 seconds>

startupCampusMgr

12
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions,
and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and
other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet
enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance
metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may
change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

13