FortiNAC Known Anomalies

Version: 8.x

Date: July 1, 2020


FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET KNOWLEDGE BASE
http://kb.fortinet.com

FORTINET BLOG
http://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
http://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTINET COOKBOOK
http://cookbook.fortinet.com

NSE INSTITUTE
http://training.fortinet.com

FORTIGUARD CENTER
http://fortiguard.com

FORTICAST
http://forticast.fortinet.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf


CONTENTS

Overview

FortiNAC

Agent

Endpoint Compliance

Reporter/Analytics


Overview

These are the Known Anomalies in FortiNAC and agent packages. There are four categories:

FortiNAC: Unless otherwise indicated, anomalies apply to the following FortiNAC software versions (and lower):

8.8.0

8.7.4

8.6.5

Agent: Anomalies specific to agent version (and lower):

5.2.3

Endpoint Compliance: AV/AS/OS support

Reporter/Analytics (1): Anomalies specific to Analytics version (and lower):

6.0.2

(1) This product is no longer available and has been replaced by FortiAnalyzer.


FortiNAC

ID FortiNAC Anomaly Description

0603134, 0602639 Device Profiler Rule Confirmation does not trigger under certain conditions.

0609046 A port where the master Aruba Instant AP (IAP) with VIP is connected becomes a “learned uplink”. This type of uplink is not dynamically undone / removed when the IAP (with the VIP) is disconnected from that port.

0592398 TLS 1.0 and TLS 1.1 for ports 443 (Captive Portal) and 8443 (Administration UI) cannot be disabled via the Administration UI. They must be disabled via the CLI. For details, refer to related KB articles FD42834 (port 443) and FD42241 (port 8443).

0610581 L3 eth1 sub-interfaces are not removed after re-configuring an appliance configured for L3 Network Type to L2.

0518423 802.1x authentication for Aerohive SR2208P Switches is currently unsupported.

0548902 Management of wired ports on Aerohive AP-150W controlled by AerohiveNG is currently unsupported.

0600122 Several switch ports are left in an Admin Down state after a switch reboot. After receiving a WarmStart/ColdStart trap from the switch during startup, FortiNAC performs a resync of the switch's interfaces. At that point the switch may not be fully up, and FortiNAC's VLAN switch attempts come too early in the switch boot process. Switch ports may be left in an Admin Down state due to sporadic SNMP communication failures with the switch.

0600359 Host registers using Anonymous Authentication but no VLAN switch occurs until after L2 Poll. For details and workaround see related KB article FD49253.

0603133 Error "No VLANs have been read from the device" displays when using Model Configuration tab. This affects HP, Arista, Juniper Switches, and various other vendor models whose integration is not designed to display the available switch VLANs in drop-down menus.


0611613 Topology > Set Model Configuration option does not apply selected "Send Groups to the Firewall" and "Selected Groups" options for the FortiGate Virtual Device Model Configuration.

0603298 Brocade switches using RADIUS MAC Authentication do not change VLANs properly. This is due to FortiNAC not disconnecting the client. For details and workaround, see related KB article FD49254.

0590480 Dell switches configured to use a directory (such as Active Directory) for enable-level CLI access fail CLI credential validation. This occurs whether or not the enable password field is left blank in the Model Configuration. For details and workaround, see related KB article FD49285.

0600078 Right clicking on an IP Phone in Host View and selecting groups results in a blank screen if the IP Phone is a member of a host group.

0600081 User Host Profile and Device Profile Rule do not allow the selection of IP Phone Group in configuration. For instructions on configuring a group for User Host Profiles and Device Profiling rules, refer to the IP Phone Integration reference manual in the Fortinet Document Library.

0626560 In Topology, the IP addresses of Access Points (APs) managed by Aruba controllers in an Active/Active configuration can flip between their actual IP address and 0.0.0.0. This can cause the contact status in Topology for these APs to be inaccurate. No client connectivity issues have been reported due to this behavior.

0606729 The feature "Palo Alto VPN Integration" is currently not supported. It has been determined not to be ready for customer production use managing remote user VPN connections through a Palo Alto firewall.

0521333, 0579297 AerohiveNG changed its operation such that it expects to receive a Filter-Id instead of a Tunnel-Private-Group-Id. This change prevents Aerohive from assigning the VLAN specified by FortiNAC; the SSID's Default VLAN is assigned instead.

Resolution: Configure AerohiveNG to use the Tunnel-Private-Group-Id information. Refer to the VLANs/Profiles section of the Aerohive Wireless Access Points Integration reference manual in the Fortinet Document Library.

0522462 "System Created UpLink" event is only generated for Threshold Uplinks. No other uplink type (e.g. Learned, User defined or WAP) generates this event.


0546489 Empty Allowed Domains List prevents named service from starting and portal pages from loading. For details and workaround, see related KB article FD44779.

0597648 "Registration FAILED Host Already Registered" events may occur seconds after registration successfully completes.

0600066 Upon failover in L3 High Availability configurations, there may be a delay when the end station attempts to reach the registration portal. This is due to the order in which the DNS servers are contacted. The end station attempts the primary DNS server first. Once this attempt has timed out, the secondary is contacted.

0557253, 0520262 In some L2 High Availability environments, the VIP (Shared IP) is unreachable after a failover or resume until the router ARP cache clears. Some routers/L3 switches do not update their ARP cache based on the broadcast PING sent from FortiNAC upon completing failover/resume. The Cisco Nexus platform is known to have this behavior.

This affects the following:

Administration UI access (uses the VIP)

Receipt of SNMP traps pointed to the VIP

Agent communication where the host's Persistent Agent settings use the VIP in the Home Server or Allowed Server.

Resolution:

UI: After a failover or resume completes, connect to FortiNAC via the eth0 IP address or hostname for the first 5 to 15 minutes (possibly longer, depending on the ARP cache timeout configuration) rather than via the VIP.

Traps: it is recommended to configure network devices to send traps to both the primary and secondary FortiNAC Server/Control Server eth0 IP addresses instead of the VIP. Refer to the High Availability reference manual in the Fortinet Document Library.

Agents: it is recommended to configure the Allowed Servers using the FQDN of both the Primary and Secondary FortiNAC Server/Application Servers. Refer to the "Software Modifiable Settings" section of the Persistent Agent Deployment and Configuration reference manual in the Fortinet Document Library.

When agents are configured to scan for Critical or Security updates and Microsoft's update servers are inaccessible, the agents wait a long time before timing out.


Avoid the usage of characters such as '&', '<', and '>' in Portal Configuration names.

On Aruba devices that are configured to use "Roles with Rules", FortiNAC uses Change of Authorization (CoA) to change the role. FortiNAC does not use CoA, however, when the role is changed as a result of deleting a host.

If Network Devices have device names that contain non-ASCII (non-printable) characters, they will not be shown in containers in Topology View.

SSO Agent and Incoming Events integration type field does not appear on Fortinet devices when modeled for L3 polling.

Registration and Remediation on the Model of a Meru controller in Topology View display differently under the same conditions. However, this does not impede functionality.

In ESX VM environments with FortiNAC Firmware Version 5.x and lower, on VMs that use the "VMXNET-3" adapter type, installing O/S Updates that contain kernel updates can leave the VMXNET-3 adapters inoperable after the new CentOS-5 kernel is installed, and the drivers will need to be reloaded. After installing the O/S Updates, access the console of the VM and reload the VMware Tools drivers using this command: /usr/bin/vmware-config-tools.pl -d

Anonymous Authentication and Host Inventory features in the portal do not work simultaneously.

Changing a device name in the Properties view in Topo... affects SSID port groups, and SSID interfaces are removed from Topology View.

Temporary loss of connectivity to SSO agents such as iBoss can cause host / user information to not be sent after connectivity is restored.

Devices deleted in MDM services may remain registered when using an NCM with host propagation enabled.


Enabling proxy support for OS updates from the user interface is currently not supported. It will be added in a future release.

Workaround: Configure via the CLI. For instructions refer to the Appendix of the CentOS Updates Reference Manual in the Fortinet Document Library.

Using Kaspersky 2016 on hosts in registration will lead to inconsistent and unpredictable results. The browser redirect sometimes gives an ERR_CONNECTION_RESET error. The Kaspersky Security Network (KSN) feature of Kaspersky 2016 detects the redirect as suspicious/malicious activity.

Resolution: Disable Kaspersky until device is registered.

At this time, integration with Ubiquiti AirOS AP is not supported.

Ubiquiti AirOS AP does not have the necessary capabilities to allow for full integration with FortiNAC. The limitations are as follows:

No support for external MAC Authentication using RADIUS.

Limited CLI and SNMP capability. No ability to dynamically modify access parameters (i.e. VLANs) for active sessions.

At this time, integration with Cisco 1852i Controller is not supported due to the device's limited CLI and SNMP capability.

At this time, integration with Juniper MAG6610 VPN Gateway is not supported. This includes Pulse Connect Secure ASA.

The Administration UI only displays and exports a portion of the events that should be displayed based on the filter. This can occur if a large number of events match the filter.

Workaround: Modify the filter to return a smaller number of events.

Not all models of all network devices can be configured to perform Physical MAC Address Filtering even though the Admin UI indicates that the configuration can be set.

Resolution: Hosts can be disabled by implementing a Dead-end VLAN.


For Portal v2 configurations, web pages that are stored in the site directory to be used for Scan Configurations will not be included when you do an Export of the Portal v2 configuration.

Resolution: The files in the site directory are backed up with the Remote Backup feature, but otherwise keep a copy of these files in a safe place.

Removing a device from the L2 Wired Devices or L2 Wireless Devices Group does not disable L2 (Hosts) Polling under the Polling tab in Topology.

The "Set all hosts 'Risk State' to 'Safe'" button changes the status of all hosts marked At-Risk to Safe. However, the status of the individual scans for each host remains unchanged.

At this time, Fortinet does not support wired port management for the Cisco 702W. The access point does not provide the management capabilities required.

FortiNAC may list the Voice VLAN as the Default VLAN on Avaya switch ports in Topology. This can occur if the VlanIdList column in the switch lists the Voice VLAN first.

Workaround: See Solution 2635 "FortiNAC Listing Voice VLAN as Default VLAN on Avaya Switch Ports"

In a Layer 3 High Availability (HA) environment, configWizard must have a DHCP scope defined. Running configWizard without a DHCP scope can cause a failover.

On FortiNAC appliances with CentOS 7, duplicate log messages may appear in dhcpd.log for each sub interface (eth1, eth1:1, eth1:2, etc).

Additional login requests may occur when using the Persistent Agent with a lengthy scan.

At this time, Fortinet is not able to support the Linksys LAPN600 Wireless-N600 Dual Band Access Point.

Fortinet does not support the Sophos UTM.

If Contact Status = Lost (unable to ping), FortiNAC still attempts to perform a L2 poll. This generates L2 Poll Failure events.


Resolution: Address the communication issue. If the device is no longer needed, delete the model from FortiNAC.

FortiGate devices supporting FortiSwitches in FortiLink mode do not display the port list correctly in certain views of the Administration UI. The "Add Group" and "Modify Group" dialogs for port type groups under System > Group do not show all the interfaces in the port list.

Resolution:

1. Navigate to Network Devices > Topology

2. Click on the desired switch model

3. Under the Ports tab, select the desired port(s)

For a single port, right click on the port and select “Group Membership”

For multiple ports, multi-select the ports, right click and select either "Add Ports to Groups" or "Remove Ports from Groups"

When hosts have the Persistent Agent installed and Device Profiler is running, “Device Profiling Rule Missing Data” events and alarms can be triggered. The agent reports on host adapters that are offline and Device Profiler tries to categorize them but there is not enough information because the adapter is offline. There is no workaround.

System > Settings > Updates > Operating System only records and displays dates of OS updates that are completed through the Administrative UI. If Operating System updates are run from the command line using the "yum" tool, the update is not recorded.

Resolution: Execute Operating System Updates through the Administrative UI in order to maintain update history.

When a client is registered with an endpoint compliance policy whose agent is set to None-Bypass, the host is marked "at risk" when the user initiates a scan using the Scan Host(s) option in Host View.

Registration report results are organized by adapter record as opposed to host record. This may cause confusion when trying to interpret the results.

CLI Configurations (a.k.a. "Flex CLI") do not work with VPN access.

"Security Risk Host" Alarm does not Clear with "Host Safe" Event.

Resolution: Use "Host Passed Security" Event to clear the alarm.


Network Access Policy values are not validated against the device before being applied. Consequently, applying a Network Access Policy to a switch on which the VLAN is not configured may cause unexpected results.

FortiNAC does not adjust the administrative status of a switch port based upon the receipt of SNMP link state traps.

Resolution: The Synchronize Devices task via System > Scheduler can be scheduled, allowing FortiNAC to update the administrative status of interfaces on a regular basis.

The Host Inventory feature of the Portal cannot be used in an NCM environment. Hosts that are deleted from the portal will not be deleted from all pods in the NCM environment.

Views that contain passwords (Model Configuration Views of devices, Add and Modify RADIUS Settings views, etc) show the passwords in clear text when using "View Source" on the browser.

Hosts that fail registration due to being over the physical address limit will receive the "Registration Failed" message. This occurs when the scan's order of operations is set to register first, then scan.

Location-based Endpoint Compliance Policies whose scans are configured for "Scan on Connect" may not match immediately upon connecting to the network.

Ports on Avaya Networks 4850GTS-PWR+ switches sometimes show "Not Connected" even though the port is active. This is due to multiple ports on the switch using the same MAC Address. This prevents NAC from correctly discerning which are "Connected" versus "Not Connected". There is no workaround.

MDM registered hosts will not register successfully on Aruba configured for "Roles Only" if no roles or policies are configured.

Scan Results for Windows Operating System scans can show that Automatic Updates, Critical Updates, Internet Connection Sharing, Security Updates and Trigger SCCM Evaluation have Passed even when these settings have not been checked in the Scan Configuration.

If DNS servers configured in the Application Server fail the lookup test queries when configWizard is run, configWizard produces "Host Key verification failure" messages.


Devices connecting via 802.1x but not using an agent may get registered using Device Profiler before the logged on user is detected.

At this time, UniFi AP AC-Pro is not supported. The AP does not have the necessary capabilities to allow for full integration.

Switches can consume a license if reporting a string-padded Type value (Example: "switch " instead of "switch").

If there are a large number of standalone Access Points in Topology, the Access Point view may take longer than expected to load.

Device models for Avaya 4800 switches (and potentially other related models) only support SSH. Device models for Avaya Ethernet Routing Switches only support Telnet. Contact Support if the alternate protocol is required.

From a security event, the "Modify Host" view is opened when the user selects "View Host".

"Host Registration Failure" events do not provide MAC or IP address information.

When attempting to register via the Captive Portal, a user may occasionally encounter an HTTP Status 500 error indicating "Session already invalidated".

Resolution: Re-enter credentials.

Uploading a duplicate SSL certificate when using multiple certificates in Certificate Management causes an error to be presented.

Resolution: Remove duplicates from the files being uploaded.

If the "Time to live" attribute in LDAP config is set to reference an attribute in AD, it does not apply the proper expiration date to user records created via the Admin UI until the next Directory Sync.

FortiNAC does not support interface lists on Juniper devices. Therefore, it is possible to see both interface list commands as well as individual interface configurations in the switch CLI when VLANs are switched.

Querying Cisco ASA firewall for IP->MAC does not always reflect the current IP address. FortiNAC parses the first one in the list versus the newest.


0520319, 0519218 Currently the function to send syslog messages (Send Alarm to External Log Hosts) does not work with Scan Chaining (Advanced Scan Controls) from the Endpoint Compliance Configuration.

0521142 Unable to download the Legacy Dissolvable agent (2.x) when Host Inventory is configured. Legacy agents are not able to interact properly with the Host Inventory page. When user attempts to download the agent, the following message is displayed:

500 rs http status 500

Resolution: Use a newer version of agent. Legacy agents are no longer supported.

0524182 The Scheduler is based on the time set when the scheduler task was created. It does not take into consideration time changes (such as Daylight Saving Time). Therefore, when the clock changes, the scheduled time shifts to the corresponding time under the new offset.

Example: Task created during Daylight Savings Time to run at noon. Once DST ends, scheduler changes the scheduled time from 12pm to 11am.

Resolution: Modify the scheduled time to the desired clock time after each time change.
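The DST shift described for anomaly 0524182, reproduced as an added example that is not from the Fortinet document: a scheduler that keeps the UTC instant computed at task creation fires an hour earlier after the clock change, while one that stores the local wall-clock time does not. The simplified time zone, dates and function names are constructed for illustration; the page does not describe FortiNAC's internal scheduler implementation.

```python
# Added example (not from the FortiNAC document): models the scheduler
# behaviour described in anomaly 0524182 next to a wall-clock alternative.
from datetime import date, datetime, timedelta, timezone, tzinfo


class EasternSim(tzinfo):
    """Constructed, simplified US Eastern zone for 2020: UTC-5, with a
    one-hour DST offset from 8 March to 1 November (the 2 a.m. transition
    detail is ignored). Used so the example runs without tz database files."""

    def dst(self, dt):
        in_dst = date(2020, 3, 8) <= dt.date() < date(2020, 11, 1)
        return timedelta(hours=1) if in_dst else timedelta(0)

    def utcoffset(self, dt):
        return timedelta(hours=-5) + self.dst(dt)

    def tzname(self, dt):
        return "EDT" if self.dst(dt) else "EST"


LOCAL_TZ = EasternSim()
# Constructed sample: task created at noon local time while DST is in effect.
CREATED = datetime(2020, 7, 1, 12, 0, tzinfo=LOCAL_TZ)
BEFORE_DST_END = date(2020, 10, 15)
AFTER_DST_END = date(2020, 11, 2)


def fixed_instant_schedule(created, run_day):
    """Reproduces the anomaly: the scheduler keeps the UTC time of day that
    'noon' mapped to at creation, so after the clock change the task fires at
    a different local hour (12:00 EDT becomes 11:00 EST)."""
    utc_tod = created.astimezone(timezone.utc).time()  # naive UTC time of day
    run_utc = datetime.combine(run_day, utc_tod, tzinfo=timezone.utc)
    return run_utc.astimezone(created.tzinfo)


def wall_clock_schedule(created, run_day):
    """Keeps the local wall-clock time and resolves the UTC offset for the run
    day itself, so noon stays noon across the DST transition."""
    return datetime(run_day.year, run_day.month, run_day.day,
                    created.hour, created.minute, created.second,
                    tzinfo=created.tzinfo)


def local_run_hour(scheduler, created, run_day):
    """Local hour at which the task fires on run_day under the given scheduler."""
    return scheduler(created, run_day).hour


def drift_hours(created, run_day):
    """Signed drift, in whole hours, of the anomalous scheduler from the
    intended local time (negative means it fires early)."""
    # Compare as UTC instants: same-tzinfo subtraction would ignore offsets.
    intended = wall_clock_schedule(created, run_day).astimezone(timezone.utc)
    actual = fixed_instant_schedule(created, run_day).astimezone(timezone.utc)
    return int((actual - intended).total_seconds() // 3600)


if __name__ == "__main__":
    for day in (BEFORE_DST_END, AFTER_DST_END):
        print(day, "anomalous:", local_run_hour(fixed_instant_schedule, CREATED, day),
              "wall-clock:", local_run_hour(wall_clock_schedule, CREATED, day),
              "drift:", drift_hours(CREATED, day))
```

Before the transition both schedulers agree on 12:00; afterwards the fixed-instant scheduler reports 11:00, matching the 12pm-to-11am shift described in the anomaly.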

0520356 It's possible the Port table in Topology will show the expected Current VLAN, but the Adapter table below shows a different value for "Access Value."

520794 Reading VLANs does not populate the current VLAN properly in Topology Port View for any managed wired switch using RADIUS authentication with MAC-based VLAN assignment (such as Aerohive).

0520042 CLI login failure with Avaya switches that do not have a login banner.

Resolution 1: Enable the banner from the switch CLI.

Resolution 2: Modifications are required in order to accommodate the new login sequence. For details see related KB article FD44733.

0520046 When a host disconnects from an Aerohive switch, the system does not recognize that the host is offline until the next L2 poll.

Resolution: Change L2 polling rate from 1 hour to 15 minutes.


0522468 Although there are fields to set the role or access value in the Authentication portal, these functions are currently not supported.

0520360 Ports of interface type propMultiplexor(54) (virtual interface) are automatically hidden, but are not marked as uplinks. Consequently, devices connected to these ports will be detected and host records created. For details see KB article FD44601.

Resolution: Manually mark the ports as Uplinks. Contact Support for assistance.

0520405 When configuring Object Groups in the Cisco ASA for VPN Integration, individual IP address entries must be added to the object group as opposed to a range.

0522026 Cisco WLC VAP Access Points do not model correctly due to two MAC addresses per WAP (one shows online and the other offline). This results in one of the MACs showing as a rogue, preventing the connected switch port from becoming a WAP uplink.

Resolution: Manually register the APs that remain rogue as Wireless Access Points. The connecting switch port should change to a WAP uplink.


Agent

ID Agent Anomaly Description

Additional login requests may occur when using the Persistent Agent with a lengthy scan.

Agent versions 3.4.0 through 3.5.5 are not supported on Mac OS X 10.6 (Snow Leopard), and 4.x versions of the Agent are only supported on Mac OS X 10.7 and above.

Resolution: Apple delivered its final update for the Mac OS X 10.6 Operating System in September 2013, but if hosts with this Operating System are still allowed on your network, use a 3.x version of the Agent - 3.5.6 or greater.

Note: 10.6 is no longer supported. For a list of currently supported client platforms, refer to the Agent Release Notes in the Fortinet Document Library.

Linux hosts cannot be prevented from accessing the network via VPN based on FortiNAC group membership that is referenced in a User/Host Profile to assign a Network Access Policy.

Resolution: There is no workaround.

Currently the Linux Persistent Agent does not have the ability to be updated via the FortiNAC Administrative UI.

Currently the Agent is not supported on Windows 10S and will not run.

When a user attempts to register a host which exceeds the user's maximum number of hosts allowed, if the user is using the Dissolvable Agent the message "Over Registered Limit" is displayed. If the user is using the Persistent Agent, however, "Registration Failed" is displayed.

Hosts connecting to VPN via a local SSID do not match the VPN Client: Yes criteria.


Endpoint Compliance

ID Endpoint Compliance Anomaly Description

Only English versions of AV/AS and their corresponding definitions are supported.

Anti-Virus product Iolo technologies System Mechanic Professional is currently not supported.


Reporter/Analytics

ID Analytics Anomaly Description

There is currently no method to backup the Analytics database using the Administrative UI.

When trying to retrieve data from a report, the "Please Wait" message does not disappear if there is a server issue.

In the Reports > Security Reports > Security Alarms view, the Action Email Group is listing the database ID number instead of the Group name.

Device data is lost when upgrading Analytics from version 3.x directly to 5.x.

Workaround: Prior to upgrade, export the reports pertaining to device data. Navigate to the following locations in the Analytics Administrative UI and click the Export Reports button:

Reports > PCI Compliance Report > Network Device Count

Reports > Network Report > Device Graphs

If the ETL Job Scheduler frequency is set to "Daily," the Dashboard calculation becomes erratic. Sometimes the Dashboard is calculated, but most of the time it is not, resulting in a blank Dashboard screen.

Resolution: Change the frequency to either hourly or every 12 hours.

On a large data set, Analytics GUI will time out and the report cannot be run. If this occurs, call support.

The process name for the Analytics agent appears as "jar" when viewing the results of the jps command in the FortiNAC Server/Control Server CLI.

Analytics custom date range displays dates outside of the search criteria.

When attempting to add a client in Analytics using a name that already exists for "Clients FortiNAC DB" name, a generic message "Error - return to dashboard" is returned.

On-Premise Analytics does not support LDAP authentication. User accounts must be created along with credentials.


There is no Single Sign-On for On-Premise Analytics. If accessing Analytics via the FortiNAC Administrative UI, user must enter their Analytics UI credentials.

Attempting to export large amounts of data to Excel from Analytics may fail.

Resolution: Export to PDF.

Analytics On-Premise Server occasionally displays 404 error on the landing page of the GUI.

Resolution: Restart the wildfly service:

service bsc-wildfly restart

Unable to perform upgrade using the Analytics Administration UI.

Resolution: Upgrade via Analytics CLI. Contact Support for assistance.