Fortinet Security Integration


Userlevel 2
I have found a Solution Brief about a security integration between Extreme Networks and Fortinet,
http://learn.extremenetworks.com/rs/extreme/images/Fortinet-SB.pdf
We have a lot of customers with these two vendors and this type of integration can add value to our work, but I cannot find any doc that explains HOW TO deploy this type of scenario/integration ...
Is it only a marketing doc, or is there a real integration behind this partnership?
Has someone already made something similar?

Roberto

15 replies

Userlevel 6
Hi. Of course there is a lot of technology behind the integration on both ends = Forti and Extreme. I do have several happy customers (small and big also). I suggest you contact an Extreme Value Added Partner/reseller or Extreme representative to demonstrate/test/implement the solution. The list of partners is available on our corporate website. Unfortunately the implementation can be very complex and also very simple (based on the network equipment). Good luck Zdenek
Userlevel 7
Pala, Zdenek wrote:

Hi. Of course there is a lot of technology behind the integration on both ends = Forti and Extreme. I do have several happy customers (small and big also). I suggest you contact an Extreme Value Added Partner/reseller or Extreme representative to demonstrate/test/implement the solution. The list of partners is available on our corporate website. Unfortunately the implementation can be very complex and also very simple (based on the network equipment). Good luck Zdenek

Are we talking about OneFabricConnect, OneConnect, Connect.... at this point I'm not sure what the name of the product is.

With Extreme Management Suite 7.0 it's included in the installation (NMS-ADV, no need to install it separately) but I can't find a 7.0 manual for it on the product download page - would you please be so kind and point me in the right direction.
Userlevel 2
Pala, Zdenek wrote:

Hi. Of course there is a lot of technology behind the integration on both ends = Forti and Extreme. I do have several happy customers (small and big also). I suggest you contact an Extreme Value Added Partner/reseller or Extreme representative to demonstrate/test/implement the solution. The list of partners is available on our corporate website. Unfortunately the implementation can be very complex and also very simple (based on the network equipment). Good luck Zdenek

Me too
Userlevel 6
Pala, Zdenek wrote:

Hi. Of course there is a lot of technology behind the integration on both ends = Forti and Extreme. I do have several happy customers (small and big also). I suggest you contact an Extreme Value Added Partner/reseller or Extreme representative to demonstrate/test/implement the solution. The list of partners is available on our corporate website. Unfortunately the implementation can be very complex and also very simple (based on the network equipment). Good luck Zdenek

https://extranet.extremenetworks.com/downloads/Pages/OneFabricConnect.aspx -> Partner Resources -> there is documentation available.

The integration with Fortigate is now being enhanced => the new version will be even better from a scalability point of view.

regards

Zdenek
Userlevel 6
Pala, Zdenek wrote:

Hi. Of course there is a lot of technology behind the integration on both ends = Forti and Extreme. I do have several happy customers (small and big also). I suggest you contact an Extreme Value Added Partner/reseller or Extreme representative to demonstrate/test/implement the solution. The list of partners is available on our corporate website. Unfortunately the implementation can be very complex and also very simple (based on the network equipment). Good luck Zdenek

https://extranet.extremenetworks.com/downloads/Pages/OneFabricConnect.aspx -> documentation

Version 2.x is for NetSight 6.y.
The Extreme Management Center does have Connect version 3.0 included in the product = as stated by Ronald.
Hi Roberto, the configuration guide for this feature is now part of the Extreme Control online help.

If you need a standalone document, you can use the previous version published here:

https://extranet.extremenetworks.com/downloads/Pages/dms.ashx?download=9eb4a775-2f5e-499f-8205-27366...

Just note that since Extreme Control 7.0 the installation comes pre-installed with Extreme Control and you don't need to install it manually.

For a dynamic response scenario, we are developing a generic DIPS plugin probably for the end of the year.

To deploy a dynamic response scenario with Fortinet you must configure the DIPS feature for Palo Alto and configure the Fortinet firewall to send syslog messages with the format defined in the Palo Alto plugin.
Hi all,

I'm Luca, I'm working with Roberto on the Fortigate integration.

I have read the Palo Alto document, but there is a big issue: Palo Alto device integration is done using the XML API (User API) but Fortigate integration should be done using RSSO (Radius SSO).

We have to configure a "remote" Radius user group.

I'm reading the "old" One Fabric Connect install document, but it has some omissions: the first one is how to tell the NAC Radius server to consider the Fortigate as a client. Now I will try to add it as a switch.

Have you got any suggestions?

Regards
Userlevel 6
Hi. Just follow the installation guide. The Fortigate must be configured: Management Center (NetSight) as radius server with the correct shared secret. From the terminology point of view the Fortigate is the radius accounting server and Management Center is a radius accounting client. But the place where you configure it in the Fortigate GUI is a little bit confusing. Z.
Hi Zdenek,

thank you for the reply.

Really, I'm a little confused about the Extreme side of the configuration steps.

I think that (first of all) I have to add the FG to the NAC switches: I think that this step will add the firewall to the list of Radius clients. Good, but the Fortigate will not do Radius authentication sessions. The Fortigate should receive accounting information from the NAC, so I have to configure the NAC to send accounting info.

Where and how can I configure the NAC to send accounting info to the Fortigate?

Regards,

Luca
Userlevel 6
Luca Messori wrote:

Hi Zdenek,

thank you for the reply.

Really, I'm a little confused about the Extreme side of the configuration steps.

I think that (first of all) I have to add the FG to the NAC switches: I think that this step will add the firewall to the list of Radius clients. Good, but the Fortigate will not do Radius authentication sessions. The Fortigate should receive accounting information from the NAC, so I have to configure the NAC to send accounting info.

Where and how can I configure the NAC to send accounting info to the Fortigate?

Regards,

Luca

The communication is between Management Center (NetSight) and Fortigate.
The communication is NOT between AccessControlEngine (NAC-GW) and Fortigate.

Configure the IP address of Management Center as your radius server on the Fortigate = that means the Fortigate will understand the shared secret and will accept radius accounting from the Management Center.

Configure the Extreme Connect (OneFabric Connect) module to talk to your Fortigate.

---
The client connects to the network access switch/AP, and AccessControlEngine (NAC-GW) will process it. When the IP resolution is done, the Management Center (NetSight) sends radius accounting to the Fortigate with the appropriate radius attributes. Finally the Fortigate knows IP-profile-username.

good luck 🙂
Userlevel 6
Luca Messori wrote:

Hi Zdenek,

thank you for the reply.

Really, I'm a little confused about the Extreme side of the configuration steps.

I think that (first of all) I have to add the FG to the NAC switches: I think that this step will add the firewall to the list of Radius clients. Good, but the Fortigate will not do Radius authentication sessions. The Fortigate should receive accounting information from the NAC, so I have to configure the NAC to send accounting info.

Where and how can I configure the NAC to send accounting info to the Fortigate?

Regards,

Luca

It does not make sense to configure the Fortigate as a switch (radius client) in the AccessControl (NAC) configuration. I do not expect you want the Fortigate to send radius requests to AccessControlEngine (NAC-GW) to process.
Hi Zdenek,

thank you very much, I think that now I'm understanding.

The bad news is that I cannot do it without OneFabric Connect, which requires an Advanced license.

Is this correct?

Is it possible to inform the Fortigate about connected users without using OneFabric Connect?

Thank you very much for the time spent,

have a nice weekend,

Luca
Userlevel 4
Hello, gentlemen!

Could you please answer me: is the integration between NMS-ADV and Fortinet (FG-600D in my case) possible without NAC?

I've found two articles:
https://www.fortinet.com/content/dam/fortinet/assets/alliances/Extreme-Network-Fortinet-SB.pdf

and

https://drive.google.com/file/d/0B5bMj99cONofd19hanpLdUpFQ1U/view

But they are old and maybe something has changed?

Thanks!
Userlevel 6
Hi. The integration gives two benefits: Inform the firewall about user-ip or location-&user-ip mapping. For this we need NAC (Extreme Control). If the firewall/ips/anti-anything detects a security issue then it sends a syslog/trap to NetSight (Extreme Management) and management performs the reaction. This can be done through ASM (Automated Security Manager) or through NAC. ASM is available with NetSight version 7. Actually there is no plan to support ASM in the NetSight / EMC version 8. There are some limits to what ASM can do and in what network. The sales answer to your question is: you do not need NAC for the integration to work. But with NAC it is much more powerful and much easier and more flexible. Regards Zdenek
Userlevel 4
Pala, Zdenek wrote:

Hi. The integration gives two benefits: Inform the firewall about user-ip or location-&user-ip mapping. For this we need NAC (Extreme Control). If the firewall/ips/anti-anything detects a security issue then it sends a syslog/trap to NetSight (Extreme Management) and management performs the reaction. This can be done through ASM (Automated Security Manager) or through NAC. ASM is available with NetSight version 7. Actually there is no plan to support ASM in the NetSight / EMC version 8. There are some limits to what ASM can do and in what network. The sales answer to your question is: you do not need NAC for the integration to work. But with NAC it is much more powerful and much easier and more flexible. Regards Zdenek

Thanks, Zdenek!

Could you please clarify something for me....

What does this mean: "ASM is available with NetSight version 7. Actually there is no plan to support ASM in the NetSight / EMC version 8".

Is Extreme Networks going to stop supporting Security Integration with Fortinet?
