Fortinet Security Integration

  • Question
  • Updated 1 year ago
  • Answered
I have found a Solution Brief about a security integration between Extreme Networks and Fortinet:
http://learn.extremenetworks.com/rs/extreme/images/Fortinet-SB.pdf
We have a lot of customers with these two vendors, and this type of integration can add value to our work, but I cannot find any doc that explains HOW TO deploy this type of scenario/integration ...
Is it only a marketing doc, or is there a real integration behind this partnership?
Has anyone already done something similar?

Roberto

Roberto F.


Posted 2 years ago


Pala, Zdenek, Employee

Hi.

Of course there is a lot of technology behind the integration on both ends = Forti and Extreme.

I do have several happy customers (small and big also).

I suggest you contact an Extreme Value Added Partner/reseller or Extreme representative to demonstrate/test/implement the solution.

The list of partners is available on our corporate website.

Unfortunately the implementation can be very complex and also very simple (based on the network equipment).

Good luck

Zdenek

Ronald Dvorak, Ambassador

Are we talking about OneFabricConnect, OneConnect, Connect.... at this point I'm not sure what the name of the product is.

With Extreme Management Suite 7.0 it's included in the installation (NMS-ADV, no need to install it separately) but I can't find a 7.0 manual for it on the product download page - would you please be so kind and point me in the right direction.

Roberto F.

Me too

Pala, Zdenek, Employee

https://extranet.extremenetworks.com/downloads/Pages/OneFabricConnect.aspx -> Partner Resources -> there is documentation available.

The integration with Fortigate is now being enhanced => the new version will be even better from a scalability point of view.

Regards

Zdenek

Pala, Zdenek, Employee

https://extranet.extremenetworks.com/downloads/Pages/OneFabricConnect.aspx -> documentation

Version 2.x is for NetSight 6.y.
The Extreme Management Center does have Connect version 3.0 included in the product = as stated by Ronald.

Ferrer, Salvador, Employee

Hi Roberto, the configuration guide for this feature is now part of the Extreme Control online help.

If you need a standalone document, you can use the previous version published here:

https://extranet.extremenetworks.com/downloads/Pages/dms.ashx?download=9eb4a775-2f5e-499f-8205-27366...

Just note that since Extreme Control 7.0 the installation comes pre-installed with Extreme Control and you don't need to install it manually.

For a dynamic response scenario, we are developing a generic DIPS plugin probably for the end of the year.

To deploy a dynamic response scenario with Fortinet you must configure the DIPS feature for Palo Alto and configure the Fortinet firewall to send syslog messages with the format defined in the PaloAlto plugin.

Luca Messori


Hi all,

I'm Luca, I'm working with Roberto on the Fortigate integration.

I have read the Palo Alto document, but there is a big issue: Palo Alto device integration is done using the XML API (User API) but Fortigate integration should be done using RSSO (Radius SSO).

We have to configure a "remote" Radius user group.

I'm reading the "old" One Fabric Connect install document, but it has some omissions: the first one is how to tell the NAC Radius server to consider the Fortigate as a client. Now I will try to add it as a switch.

Have you got any suggestions?

Regards


Pala, Zdenek, Employee

Hi.

Just follow the installation guide. The Fortigate must be configured: Management Center (NetSight) as radius server with the correct shared secret.

From the terminology point of view the Fortigate is the radius accounting server and Management Center is a radius accounting client. But the place where you configure it on the Fortigate GUI is a little bit confusing.

Z.

Luca Messori


Hi Zdenek,

thank you for the reply.

Really, I'm a little confused about the Extreme side of the configuration steps.

I think that (first of all) I have to add the FG to the NAC switches: I think that this step will add the firewall to the list of Radius clients. Good, but the Fortigate will not do Radius authentication sessions. The Fortigate should receive accounting information from the NAC, so I have to configure the NAC to send accounting info.


Where and how can I configure the NAC to send Accounting info to the fortigate?

Regards,

Luca


Pala, Zdenek, Employee

The communication is between Management Center (NetSight) and Fortigate.
The communication is NOT between AccessControlEngine (NAC-GW) and Fortigate.

Configure the IP address of Management Center as your radius server on the Fortigate = that means the Fortigate will understand the shared secret and will accept radius accounting from the Management Center.

Configure the Extreme Connect (OneFabric Connect) module to talk to your Fortigate.

---
A client connects to the network access switch/AP, and the AccessControlEngine (NAC-GW) will process it. When the IP resolution is done, the Management Center (NetSight) sends radius accounting to the Fortigate with appropriate radius attributes. Finally the Fortigate knows IP-profile-username.

good luck :)
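The accounting message described in the post above, sketched as an added example (not Extreme's or Fortinet's code): it builds an Accounting-Request Start per RFC 2866 and shows the receiver-side check that accepts the user/IP mapping only from a sender holding the shared secret. Carrying the profile in the Class attribute, and every name and value used, are assumptions.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS attribute types and codes (RFC 2865 / RFC 2866)
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 25, 40, 44
ACCOUNTING_REQUEST, ACCT_START = 4, 1

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_accounting_start(ident, secret, username, ip, profile, session_id):
    """Sender side: Accounting-Request (Start) carrying user, IP and profile."""
    attrs = b"".join([
        attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        attr(USER_NAME, username.encode()),
        attr(FRAMED_IP, socket.inet_aton(ip)),
        attr(CLASS, profile.encode()),  # assumption: profile carried in Class
        attr(ACCT_SESSION_ID, session_id.encode()),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866: authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_and_parse(packet, secret):
    """Receiver side: attribute dict, or None if the packet must be dropped."""
    if (len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST
            or int.from_bytes(packet[2:4], "big") != len(packet)):
        return None
    length = len(packet)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or modified packet
    attrs, pos = {}, 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None  # malformed attribute
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
PACKET = build_accounting_start(7, SECRET, "alice", "10.20.30.40", "Employee", "sess-0001")
print(verify_and_parse(PACKET, SECRET), verify_and_parse(PACKET, b"wrong-secret"))
```

The authenticator is an MD5 over the packet and the secret, so the mapping the firewall trusts is only as strong as that shared secret and the network path between the two management interfaces.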

Pala, Zdenek, Employee

It does not make sense to configure the Fortigate as a switch (radius client) in the AccessControl (NAC) configuration. I do not expect you want the Fortigate to send radius requests to AccessControlEngine (NAC-GW) to process.

Luca Messori


Hi Zdenek,

thank you very much, I think that now I'm understanding.

The bad news is that I cannot do it without OneFabric Connect, which requires an Advanced license.

Is this correct?

Is it possible to inform the Fortigate about connected users without using OneFabric Connect?


Thank you very much for the time spent,

have a nice weekend,

Luca


Ilya Semenov

Hello, gentlemen!

Could you please answer me: is the integration between NMS-ADV and Fortinet (FG-600D in my case) possible without NAC?

I've found two articles:
https://www.fortinet.com/content/dam/fortinet/assets/alliances/Extreme-Network-Fortinet-SB.pdf

and

https://drive.google.com/file/d/0B5bMj99cONofd19hanpLdUpFQ1U/view

But they are old and maybe something has changed?

Thanks!

Pala, Zdenek, Employee

Hi.

The integration gives two benefits:

Inform the firewall about user-ip or location-&user-ip mapping. For this we need NAC (Extreme Control).

If the firewall/ips/anti-anything detects a security issue, then it sends a syslog/trap to NetSight (Extreme Management) and management performs a reaction. This can be done through ASM (Automated Security Manager) or through NAC.

ASM is available with NetSight version 7. Actually there is no plan to support ASM in the NetSight / EMC version 8.

There are some limits to what ASM can do and in what network.

Sales answer for your question is: you do not need NAC for the integration to work. But with NAC it is much more powerful and much easier and flexible.

Regards

Zdenek

Ilya Semenov

Thanks, Zdenek!

Could you please clarify something for me....

What does this mean: "ASM is available with NetSight version 7. Actually there is no plan to support ASM in the NetSight / EMC version 8"?

Is Extreme Networks going to stop supporting Security Integration with Fortinet?