FortiNAC and FortiGate VPN Integration

Good morning. I work for a partner and have spent the last 4-5 years installing and configuring FortiNAC deployments and I am curious how many have success with FortiGate VPN integrations.

We have a bunch with less than 50 users that are fine, however about a year ago we tackled a VPN integration with over 500 users and it has been nothing but problems.

Started with some documentation issues in regards to the syslog filters, then ran into an FSSO bug in 9.4.x, then had some other misc issues pop up. Had another documentation issue with the FortiSwitch integration guide that caused other issues. Even had a self-inflicted issue with some POS SG300 switches on our network. Did you know in L3 mode the ARP timer is like 9-10 hours!!! Like WTF!

Have had a case open since August of last year and basically the last response we got back earlier this year was that the way the NAC tracks the syslog logon/logoff messages was poor and it's losing track of what users were actively on the VPN and people were randomly getting their tags removed.

It got so bad that we had to remove the NAC enforcement from the VPN until they get the issue straightened out, but the client is running out of patience on a product they spent a bunch of money on. We are working with the account rep from FortiNET to get something worked out for them.

Just curious to see how many others are using this feature with the NAC and if you are experiencing similar issues specifically with larger client counts.

Like I mentioned, we do not see it with our smaller clients but this one larger one has really caused issues and we are just seeing what others are experiencing. Our FortiNET reps keep assuring us that the product is very stable, HOWEVER I have come across about 10 bugs in the last 6-8 months that would sort of suggest otherwise.

Appreciate your time.

Hi,
Won’t dig into your issues, but what is your actual requirement? I’ve done a couple of FNC VPN integrations a couple of years ago (probably even more)… but now since FTNT has endpoint tagging ability with EMS (even pre-ZTNA times), I tend to stay on FGT+FCT EMS scenarios to do device posture checks, assign tags and reference them in the firewall policies.
So to control remote users - use FCT EMS, then for the local switches do enforcement with FNC.

This hit VERY close to home as it sounds like EXACTLY what we’re going through with a client. Sure we don’t work for the same partner?

Ran into an FSSO bug (tags not showing up - having to run diag debug authd fsso refresh-logons constantly). Then DNS “issues” - HA FortiNAC, but FortiGate only allows two DNS servers. Documentation says to MANUALLY change DNS servers if you have an HA failover - complete BS (ended up using some load-balanced VIPs - one for corp and one for FNAC DNS). If this sounds like your FSSO issue, mind sharing the bug ID? Our TAC case hasn’t gotten that far yet.

Bunch of other issues with the VPN integration - death by a thousand cuts.

At this point, I think FortiClient EMS would be a better product for the job of “posturing” VPN users (though contractors would be a challenge still)…

Hi,

I successfully integrated it into our network but we are still at a phase where only a few people in the IT department use it because of the same problems you just described. Mostly the tags disappearing at random times. The same with FortiAP integration, sometimes LAN also (Cisco 2960X), although on LAN that's mostly VLANs not switching correctly. Now we bought the extended VMs license because we want to migrate to FortiNAC-OS versions. As I did the PoC on this version (7.2) everything was more stable, also confirmed with TAC that there are numerous improvements on tags. But I am still not confident that after full migration to the F branch of FortiNAC everything would be working okay. I like what the NAC can do but every time there is some “but” somewhere that doesn't work or is not documented correctly. TAC is mostly slow with the issues on NAC (but that's usually because there is the first round with someone that doesn't know anything about the product; as it gets escalated through SE it gets better). But I have to say that it's better over the course of the two years that we are using the FNAC.

We also have a 1 and 1/2 year long NFR ticket for TEAP support. But the good news is that maybe on the 7.6 branch there would finally be support for it, as FreeRADIUS already implemented it in their new versions.

I hope that my reply makes sense. It was a little brain dump.

I'm not really looking for anyone to dig into my issues. Support and engineering have found the issues with the product and we are just waiting for a fix.

Our requirement is to use PA health to allow employees on the VPN and then contractors use the portal and run a dissolvable agent. The issue we are currently struggling with is just the agent health status, which we could replace with EMS using ZTNA tags but would lose the ability for contractors to do posture assessment with the dissolvable agent.

We actually did switch one of our clients over to EMS as they were having some random issues and didn’t require the portal with the dissolvable agent, so EMS with ZTNA tags worked for them and it's been solid.

Ha, well we don’t have any NSE8s on our staff so I don’t think so, but it sure sounds like I am not alone with these problems.

We ran into the same DNS issue where we had to configure one DNS server entry that went to a VIP to then LB between NAC01 and NAC02, then the production DNS entry went to a VIP to LB between 2 production DCs, otherwise we would be losing some of the HA that we have built into our system.

Are y’all on NAC-F yet? That's been a fun ride so far but not terrible. We have 5 of our clients switched over with a bunch more waiting for funding approval to move forward with it.

The FSSO bug got fixed somewhere around 9.4.4, maybe 9.4.5. I tried finding it in one of my previous cases but couldn’t find it. The one issue we were having was if we switched NAC HA or FW HA, the FSSO service would not resync and records would slowly die out, and with 1000+ FSSO entries it def became an issue for us, but so far FSSO has been stable since that bug/patch.

We also use that for content filtering and ISFW functions on our FW, so we felt that one bad.

The biggest issue we are having now is people can connect to the VPN and then randomly the NAC decides they no longer should have a VPN tag and it removes them while they are still connected.

I was talking with one of the higher tier support guys about it and he basically said there was no mechanism for the NAC to do a periodic sanity check with current VPN users and it was relying too heavily on SYSLOG to track logon/logoff events.
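As an added illustration of the failure mode described in this post (not code from the thread, from FortiNAC or from Fortinet): a simplified Python model of a tracker that sets the VPN tag only from logon/logoff syslog events, showing how a single lost or reordered message leaves a still-connected user untagged, and how a periodic reconciliation against the gateway's live session list (the sanity check the support engineer said was missing) repairs the drift. The event stream, user names and session set are constructed; `EventOnlyTracker` and `reconcile` are hypothetical names.

```python
from dataclasses import dataclass, field

@dataclass
class EventOnlyTracker:
    """Hypothetical model: users currently holding the 'vpn' tag."""
    tagged: set = field(default_factory=set)

    def handle(self, event: str, user: str) -> None:
        # Tag state only moves when a logon/logoff message arrives,
        # so any message the NAC never sees is silently lost.
        if event == "logon":
            self.tagged.add(user)
        elif event == "logoff":
            self.tagged.discard(user)

    def reconcile(self, live_sessions: set) -> tuple:
        """Periodic sanity check against the gateway's real session table
        (the mechanism the thread says is absent). Returns
        (tags restored, tags revoked)."""
        restored = set(live_sessions) - self.tagged
        revoked = self.tagged - set(live_sessions)
        self.tagged = set(live_sessions)
        return restored, revoked

# Constructed stream: alice and bob connect, alice drops and reconnects.
EVENTS = [("logon", "alice"), ("logon", "bob"),
          ("logoff", "alice"), ("logon", "alice")]
# Same events with the logoff delivered after the reconnect logon.
REORDERED = [EVENTS[0], EVENTS[1], EVENTS[3], EVENTS[2]]
LIVE_SESSIONS = {"alice", "bob"}   # what the gateway actually has up

def run(events, lost=()):
    """Feed events to a tracker, skipping indexes in `lost` to model
    syslog messages that never arrived (UDP loss, restart, HA switch)."""
    tracker = EventOnlyTracker()
    for i, (event, user) in enumerate(events):
        if i not in lost:
            tracker.handle(event, user)
    return tracker

def wrongly_untagged(tracker, live_sessions):
    """Users connected at the gateway but missing their tag."""
    return set(live_sessions) - tracker.tagged

if __name__ == "__main__":
    drifted = run(EVENTS, lost={3})          # reconnect logon lost
    print("tagged:", drifted.tagged,
          "connected but untagged:", wrongly_untagged(drifted, LIVE_SESSIONS))
    print("after reconcile:", drifted.reconcile(LIVE_SESSIONS))
```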

For what it’s worth, I’m not the NAC guy in our shop. New deployments are FNAC-F, but I’d say most are the “legacy”. I think we’ve been involved with/aware of one migration between the two and it was… interesting…

I think NAC does well at being a jack of all trades, but master of none. It can integrate with pretty much anything you throw at it, but it does it fairly mediocre because of the flexibility. The VPN integration I think is a shining example of that. NAC posturing for VPN is almost something that needs to be explicitly supported from the VPN client to the endpoint (FortiGate) and on to the NAC. It’s very apparent with the “everything has a MAC address” stance of FortiNAC. I had to restrain myself talking to a Fortinet guy that was trying to look at the ARP table for SSL VPN user “MAC addresses”. Oof.