By Manny Fernandez

March 5, 2026

FortiNAC Initial Inventory Discovery – Session 2

In case you did not see the previous FortiNAC post, we installed FortiNAC on ProxMox.  We went through the initial install and left it at that.  In this article, we are going to go over the initial inventory scan.

In this configuration, I have a FortiGate 600E (getting long in the tooth), a FortiSwitch 548D-FPOE, a FortiSwitch 224 and a FortiSwitch-T1024F-FPOE

SNMPv3

First we will need to create an administrative user, and API user, enabled SNMP on the interface, Create an SMPv3

Let’s start with the SNMPv3

Go to System then SNMP.  Ensure that SNMP Agent is turned on

Then scroll down to SNMPv3 and +Create New

Give it a User Name (1) then we are going to ensure you have the Authentication and you hit the Change to add a password and do the same with the Private and add a password on that one as well.  You can choose SHA1 as the Authentication Algorithm and AES for Encryption Algorithm

Under the Hosts ensure you add the IP address of the FortiNAC server.

I like to enable the A new device is found

And the Configuration change (FM trap)

Create Admin Account

Now lets create an administrator account.  Go to System then Administrators and Choose Administrator .  Then choose +Create New , choose Administrator

Give it a Username and give it a super_admin profile.  NOTE: Ensure that it has a Trusted Hosts

Note: While it might seem like a read-only account would suffice for discovery, FortiNAC actually requires Read-Write access to specific areas of the FortiGate configuration. This is because discovery in the FortiNAC context is rarely passive; the system needs to interact with the FortiGate API/CLI to pull ARP tables, MAC tables, and interface information.

If you are creating a custom profile on the FortiGate (under System > Admin Profiles), ensure the following toggles are set:

API Admin

Now lets create the API admin.  Go to System then Administrators then +Create New then choose REST API admin

With this user, you can give them super_admin_readonly and give them a Trusted Hosts IP address.

NOTE: You need to store this API key.  You have only this one time to capture it.  If you miss it or missplace it, you will need to regenerate it.  If you have other devices using this particular API key, you willl need to visit all of them to update them.

Creating Container

Now that we have the FortiGate section squared away, lets move to the FortiNAC GUI.  I am in Pembroke Pines, FL.  I colloquially refer to it as the PPOC (Pembroke Pines Operations Center).  I will create a container that will house my PPOC, this could be a Country, State, Location, etc.

We are going to go to Network then Inventory and under Customer, we are going to Right Click and choose Add Container

There we will create PPOC

We will give it a Name and hit OK

Add Device

Now lets right click the PPOC and choose Add Device

You will need to add the IP address of the FortiGate.  Once there you will need to add the SNMPv3 credentials, the CLI credentials (the Administrator account), and finally the API key from the previous steps.  Choose to Validate Credentials

If all is successful, you should see the FortiGate under the PPOC container.

Right click on the FortiGate and choose Group Membership and you want to ensure you have the following selected.

You will need to enable the L3 (IP-> MAC)  and Physical Address Filtering which will give you the ability to disable a host with NAC.

Now lets re-sync the interfaces by right clicking the FortiGate you discovered and choosing Resync Interfaces

You will want to go to the Polling tab and ensure you have successful polling on L2 and L3.

Once this is complete, you should see your FortiSwitches under the FortiGate.

In my next FortiNAC session, I will cover Establishing Trust (Session3) and then Policies (Session 4).

Thanks and hope this helps.

 

Recent posts

  • If you've spent any time configuring user authentication on... Full Story

  • DNS is one of those technologies that quietly underpins... Full Story

  • BGP issues on FortiGate firewalls usually trace back to... Full Story

  • Every time your laptop talks to your router, a... Full Story

  • If you've spent any time configuring NAT on a... Full Story

  • If you have spent any time configuring firewall policies... Full Story

  • High availability on FortiGate is one of those features... Full Story

  • If you've configured SD-WAN on a FortiGate, you've almost... Full Story

  • FortiLink is the management protocol that turns a FortiSwitch... Full Story

  • FortiSwitches are pretty rock solid from Mean Time Between... Full Story

  • This is a quicky tip.  Have you ever gone... Full Story

  • DNS is one of those quiet pieces of internet... Full Story

  • This article is an updated version of the previous... Full Story

  • You will add ns2 as a secondary (slave) BIND9... Full Story

  • In the process of deploying my lab, I needed... Full Story

  • RFC 8805, used to be known as Self-Correcting IP... Full Story

  • Years back, I wrote an article about certificate pinning. ... Full Story

  • FortiGates have the ability to send alerts to Microsoft... Full Story

  • In this post, I am going to walk through... Full Story

  • Troubleshooting VoIP on a FortiGate can feel like trying... Full Story

  • Prior to FortiOS 7.0, there were three commands to... Full Story

  • In this post, I am going to go over... Full Story

  • What we are going to do:  We are going... Full Story

  • Choosing between FGCP (FortiGate Clustering Protocol) and FGSP (FortiGate... Full Story

  • Creating a VLAN on macOS (The "Pro" Move) A... Full Story

  • This blog post explores the logic behind how macOS... Full Story

  • Pretty Fly for a Wi-Fi Tell My Wi-Fi Love... Full Story

  • Part of my daily gig is creating BoMs (Bill-of-Materials)... Full Story

  • ICMP introduces several security risks, but careful filtering, rate... Full Story

  • The command diag debug application dhcps -1 enables full... Full Story

  • In the world of FortiOS, execute tac report is... Full Story

  • LLDP; What is it The Link Layer Discovery Protocol... Full Story

  • What it actually does When you run diagnose fdsm... Full Story

  • Monkey Bites are bite-sized, high-impact security insights designed for... Full Story

  • I have run macOS in macOS with Parallels but... Full Story

  • Don't be confused with my other FortiNAC posts where... Full Story

  • This is the third session in a multi-part article... Full Story

  • Today I was configuring key-based authentication on a FortiGate... Full Story

  • Netcat, often called the "Swiss Army knife" of networking,... Full Story

  • At its core, IEEE 802.1X is a network layer... Full Story

  • In case you did not see the previous FortiNAC... Full Story

  • This is our 5th session where we are going... Full Story

  • Now that we have Wireshark installed and somewhat configured,... Full Story

  • The Philosophy of Packet Analysis Troubleshooting isn't about looking... Full Story

  • 1. High-Level Overview The FortiGate Wireless Intrusion Detection System... Full Story

  • What MIMO Actually Does Multiple Input, Multiple Output (MIMO)... Full Story

  • A practitioner's tour of the diagnose, test, and fnsysctl... Full Story