
FortiNAC

VMware Virtual Machine


Installation Guide
FortiNAC Firmware Version 7.0 and Greater
Date: December 15, 2022
Rev: T

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE


http://video.fortinet.com

FORTINET KNOWLEDGE BASE


https://community.fortinet.com/t5/Knowledge-Base/ct-p/knowledgebase

FORTINET BLOG
http://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT


http://support.fortinet.com

FORTINET COOKBOOK
http://cookbook.fortinet.com

NSE INSTITUTE
http://training.fortinet.com

FORTIGUARD CENTER
http://fortiguard.com

FORTICAST
http://forticast.fortinet.com

END USER LICENSE AGREEMENT


http://www.fortinet.com/doc/legal/EULA.pdf

Contents
Overview
  Requirements
Build Virtual Machines
  Download the Virtual Machine
  Import Virtual Machine
  Clone the Virtual Machines
  Edit Settings
  Assign Static IP Address for eth0
Appendix
  Control/Application VM Server Pair Resource Sizing
  Virtual Machine Backup Considerations
  Increase the Hard Drive Size
  Configure Time Settings for Host
  Change the MySQL UUID file of Cloned VMs

Overview
This document provides the steps necessary for installing FortiNAC appliance(s). It is intended to
be used in conjunction with the FortiNAC Deployment Guide in the Fortinet Document Library.
This installation guide is the first step in the deployment.

Virtual Appliance (VM) Part Numbers

Part Number   Description
FNC-M-VM      Control Manager
FNC-CA-VM     Control and Application Server (CA)

Requirements
• VMware
  o The VM Guest is built with Virtual Hardware Version 7. This makes the guest
    compatible with ESXi 4.x and above.
  o Deployment of the OVA has been tested and verified with vCenter 6.5 and above.

• ESX Server Hardware
  o The requirements for the ESX server used to host the FortiNAC Virtual Machine will
    vary greatly depending on many different factors. Factors include:
    - The number of other Virtual Machines that are running on the same server
    - The load those VMs place on the server
    - The number of devices, hosts and users on your network that are to be
      managed by FortiNAC
  o Note: vSphere Fault Tolerance is not supported as a High Availability solution.
    Refer to the “Performance Best Practices for VMware vSphere” document on the
    VMware web site for additional information.

• Virtual appliance specifications and resource sizing values have been determined. See
  section Appliance Installation of the Deployment Guide for details.
  o The current OVA provided by Fortinet is built using VM Virtual Machine Hardware
    Version 7 for OVA compatibility with ESXi 4.x and later. VM Virtual Machine
    Hardware Version 7 restricts the number of vCPUs to 8.

    If the host machine is running ESXi 5.x or later on robust hardware, the VM Virtual
    Machine Hardware Version can be upgraded. Once upgraded, the number of vCPUs
    can be increased. Refer to the following article for more information (note that the
    article is not controlled by Fortinet and may have changed):

    Upgrading a virtual machine to the latest hardware version (multiple versions) (1010675)
    https://kb.vmware.com/s/article/1010675

• Hard Drive (Disk) Size: The initial sizes of the hard drive/disk are provided in the following
  table. To increase the drive size once the VM is deployed, see section Increase the Hard
  Drive Size in the Appendix. If you need assistance, contact Fortinet Support.

  Note: Some versions of VMware provide the ability to select either a “Thick” or “Thin”
  drive. If this option is available, it is recommended to select one of the Thick options. Thick
  provides faster data access compared to Thin; however, either will work.

• Adapters
  o The recommended adapter type is VMXNET 3 (default). Note the following:
  o Older VMs used E1000 as the pre-set adapter type. The recommended type is
    VMXNET 3.
  o All adapters on the VM should be set to the same adapter type (e.g. eth0 and
    eth1 both set to VMXNET 3). Otherwise, unexpected behavior may occur.
  o Important: The license key is created based upon the eth0 MAC address and UUID.
    If either component no longer matches the license key, the key will no longer
    be valid and management processes will not start. Therefore:
    - Ensure the MAC address is set statically.
    - If deleting and re-adding or modifying Network Adapter 1 (eth0) on an
      existing FortiNAC VM with a license key, configure the same MAC
      address used by the adapter previously.
    - If a new key is needed, contact Fortinet Customer Service for
      assistance.
    - Network Adapter 2 (eth1) can be deleted and re-added without
      affecting the license key.
• Open Ports: The number of open (listening) TCP/UDP ports configured by default on the
  FortiNAC appliance is based on current best practices. These ports are kept to a minimum
  to provide maximum security by explicitly restricting unnecessary access from the outside.
  The best practice is to keep the number of open ports to a minimum and block all other
  ports. If you need to provide users access to network resources through a static port (e.g.,
  from outside a firewall), the best option is to allow users to connect by VPN. Refer to section
  Open Port List of the FortiNAC Deployment Guide in the Fortinet Document Library.

Build Virtual Machines
Download the Virtual Machine
After registering the products, download the appropriate .ova image.

Note: Both FortiNAC CA and Manager use the same image. The product type is defined by the
license key installed.

1. In the Customer Portal, navigate to Support > Downloads.
2. Click VM Images.
3. From the drop-down list, click Other, and then click the here link.
4. From the drop-down list, select FortiNAC.
5. Select the Download tab to reveal the available versions. Select the version
recommended by Fortinet or your Program Manager.

Note: The suggested version may be the GA version and not the newest version.

Import Virtual Machine
Note: Instructions for the Virtual Machine were written based on ESX Server V4.0 and vSphere
Client V4.0. If using a different version, some steps may be omitted.

1. Start vSphere Client and log into vCenter.
2. Select Hosts and Clusters.
3. In vCenter click File > Deploy OVF Template.
4. On the Deploy OVF Template window select Deploy from file.
5. Browse to the folder where you saved the compressed VM file, select the file with
the .ova extension and click Open.
6. Click Next. Some versions of VMware provide the ability to select either a “Thick” or
“Thin” drive. If this option is available, it is recommended to select one of the Thick
options. Thick provides faster data access compared to Thin; however, either will
work.
7. Click Next until you reach the Name and Location window.
8. Enter a unique name for this VM in the Name field.
9. Make sure that the appropriate Data Center is selected in the Inventory Location
section and click Next.
10. On the Host / Cluster window select the Cluster where this VM will reside and click
Next.
11. On the Specify a Specific Host window, choose a Host for this VM and click Next.
12. On the Datastore window, choose a datastore for this VM and click Next.
13. On the Network Mapping window, you must map the network contained within the
VM template to a network at your facility. Click Destination Networks to display a
drop-down list of possible networks. Click Next.
14. The Ready to Complete window is displayed with a summary of all of your selections.
Review the summary. If anything is incorrect, use the Back button to go back to the
appropriate screen and make changes. Click Finish.

Note: This process will take several minutes due to the size of the VM.

Deploy OVF Template - Ready To Complete
Note: Importing the .ova into a vCenter/ESX environment running version 5.5.0 or earlier can
trigger the warning dialog below to be displayed in vCenter. This warning can be ignored.

Warning
The OVF package is valid but consider the following warnings.
Line XX: Unable to parse 'use3dRenderer' for attribute 'key' on element 'Config'
Line XX: Unable to parse 'slotInfo.pciSlotNumber' for attribute 'key' on element 'Config'
...
Line XX: Unable to parse 'nestedHVEnabled' for attribute 'key' on element 'Config'

Clone the Virtual Machines
Each appliance requires its own Virtual Machine and its own license. If multiple appliances
were purchased, follow the instructions below to clone as many VMs as required.

1. Start vSphere Client and log into vCenter.
2. Select Hosts and Clusters.
3. Open the Data Center and the appropriate Cluster. Select the Host where the
imported VM resides.
4. Right-click on the VM imported in the previous section and select Clone from the
menu.
5. The Clone Virtual Machine wizard displays.
6. On the Name and Location window click in the Name field and enter a
unique name for this VM.
You may want to include the server type in the name to assist Customer Support if
you should have a problem. For example, if this VM will be used as a FortiNAC
Control Server, include Control Server in the name (e.g.
Megatech Control Server 1).
7. Make sure that the appropriate Data Center is selected in the Inventory
Location section and click Next.
8. On the Host / Cluster window select the Cluster where this VM will reside and
click Next.
9. On the Specify a Specific Host window, choose a Host for this VM and click
Next.
10. On the Datastore window, choose a datastore for this VM and click Next.
11. On the Disk Format window select Same format as source and click Next.
12. Guest Customization is not required. Click Next.
13. The Ready to Complete window is displayed with a summary of all of your
selections. Review the summary. If anything is incorrect, use the Back button to go
back to the appropriate screen and make changes. Click Finish.
Note: This process will take several minutes due to the size of the VM.

Edit Settings
The following describes the procedures for editing Virtual Machine settings.

Note: Instructions for the Virtual Machine were written based on ESX Server V4.0 and vSphere
Client V4.0. If you are using a different version, some steps may not be necessary.

1. Start vSphere Client and log into vCenter.
2. Select View > Inventory > Hosts and Clusters.
3. Open the Data Center and the appropriate Cluster. Select the Host where the
FortiNAC VM resides.
4. Right-click on the VM and select Edit Settings from the menu.
5. Click on the Hardware tab to select it.

6. On the Hardware list, click Memory and modify the Memory Size field if
necessary. See the Requirements section to determine the setting required.
7. On the Hardware list, click CPUs and modify the Number of virtual processors
field. See the Requirements section to determine the setting required.
8. Click Network Adapter 1 and select a VLAN or Network from the Network label
drop-down. Network Adapter 1 represents eth0 or the management interface for the
FortiNAC configuration. Select the Network that contains the IP address you will use
for eth0. Important: Ensure MAC address is set to static.

9. Click Network Adapter 2 and select a VLAN or Network from the Network label
drop-down. Network Adapter 2 represents eth1 or the isolation interface for the
FortiNAC configuration. Select the Network that contains your DHCP IP addresses.
This network will be used for Isolation. Important: Ensure MAC address is set to
static.
Note: In a Layer 2 environment, isolation VLANs are tagged to the eth1 interface
(Network Adapter 2). For all VLANs tagged to a single interface you must create a
port with a VLAN ID of 4095 in VMware ESX. In ESX this is known as Virtual
Guest Tagging (VGT).
10. If additional hard drive space is needed, follow the directions in section Increase
the Hard Drive Size. Refer to the table of hard drive default sizes in the
Requirements section.
11. Click OK to save the new VM settings.

Assign Static IP Address for eth0

FortiNAC is configured by accessing the Configuration Wizard using the IP address of eth0.
eth0 is the management interface for FortiNAC. Follow the instructions below to set the IP
address for eth0.

1. Make sure the FortiNAC virtual machine is running and the console is displayed.
2. Log in to the FortiNAC CLI using the following:
User name = root
Password = 162PemBnI
3. Select an IP address to use as the management IP for the FortiNAC VM. To set the
IP address and default gateway, type the following:
configIP <ip addr> <mask> <default gateway>
Example:
configIP 192.168.5.244 255.255.255.0 192.168.5.1
The system pauses for several seconds while the interfaces are reset.

4. To confirm that the IP address for eth0 has been set correctly, type the
following:
ip addr show

Verify the FortiNAC appliance responds to PING and SSH access works.

Appliance installation is complete. Proceed to the FortiNAC Deployment Guide to continue
deployment.

Appendix
Control/Application VM Server Pair Resource Sizing
Note: The Control/Application Server pair is no longer available for purchase. For a current list of
available products, visit https://www.fortinet.com/products/network-access-control.html#models-specs.

Use the same specifications and resource sizing values as the combined Control/Application
servers. See section Appliance Installation of the Deployment Guide for details.

Virtual Machine Backup Considerations

FortiNAC has features that allow you to back up the database to a remote server. Using
FortiNAC’s built-in backup features is recommended. Refer to the FortiNAC help for
information on Remote Backup.

Most servers that host virtual machines also have an option to create a copy or a snapshot
of an existing virtual machine. This is another good option for periodically backing up your
FortiNAC virtual machine. However, this may be a manual process.

Some customers choose to use automated backup software that backs up the entire virtual
machine. Because FortiNAC runs continuously, these types of automated backups can cause
problems with the FortiNAC virtual machine, including causing it to stop running. This
section outlines potential problems and possible solutions.

Automated backup software runs on the physical hardware that contains the virtual
machine, not inside the virtual machine. This type of backup software may attempt to force
the target virtual machine to flush everything being written to the disk drives to produce a
more reliable and consistent backup. However, this interference with the software
contained within the virtual machine can cause that software to stop running. Below are
some suggestions to assist in selecting and configuring backup software.
• FortiNAC runs on a CentOS platform; therefore, backup software that supports
Linux and specifically CentOS is recommended. Refer to the backup software
documentation to determine how to configure backups for CentOS based virtual
machines.
• Verify with the manufacturer that your backup software has been installed and
configured correctly.
• Choose a time of day to run the backup when FortiNAC has the least amount of
traffic.
• Many backup software packages have an option to "quiesce the virtual machine's
hard drives". Set this parameter to false or disabled. When this parameter is
enabled, the backup is more reliable but could cause the virtual machine to shut
down. When this parameter is disabled, some amount of data may not make it into
the backup because it has not been written to the drive yet, but the virtual machine
should continue to run.

Increase the Hard Drive Size

Logical Volume Management provides a flexible method of allocating disk space. Logical
volumes combine partitions into physical volumes and groups that can be resized or moved
with minimal or no system interruption.
The following instructions describe how to:
• Verify available disk space, Physical Volumes, Partitions, Volume Groups, and
Logical Volumes.
• Create a Primary Partition for the expanded space.
• Create a Physical Volume for the new partition.
• Add the Physical Volume to the Volume Group.
• Expand the size of the Logical Volume using the free space in the Volume Group.
• Verify that the size of the Logical Volume increased.

Logical Volume Manager Virtual Object Construction

FortiNAC firmware versions prior to 6.0.5 were configured with a default Disk Size of 50
GB and FortiNAC/Reporting/Analytics was configured with a default size of 300 GB. Refer
to Default Hard Drive Sizes.

The following information shows the required steps to increase the virtual FortiNAC hard
drive for VMware from 50 GB to 100 GB, but any size greater than the default can be used.
From the console of vSphere:
1. Power off the VM whose disk space is to be increased.
2. Remove all snapshots.
Note: You cannot have snapshots if you need to increase the hard drive size in vSphere.
3. Back up or make a copy of the guest OS.
4. In the Hardware tab of the VM Settings, change the size of the hard drive. In this
example, set the new hard drive size to 100 GB.
5. Reboot the virtual appliance.

Once the system has been booted, log into the system as root via ssh or a console
window.
1. Shut down the FortiNAC processes. For FortiNAC, type
shutdownCampusMgr
For FortiNAC/Reporting/Analytics, type
service bsc-wildfly stop

2. Using the following commands, check the disk space, physical volumes,
partitions, volume groups and logical volumes being used.

Check Disk Space
Type df -lh
In this example, see that /dev/mapper/centos-root has the available disk space.

Check Physical Volumes
Type pvs
In this example, see that Physical Volume /dev/sda2 is part of centos.

Check Partition
Type fdisk -l -u /dev/sda
In this example, see that there are two partitions: /dev/sda1 and /dev/sda2.

Check Volume Groups
Type vgdisplay
In this example, see VG Name centos and VG Size 49.51.

Check Logical Volumes
Type lvdisplay
In this example, see that the LV Name is root and the LV Size is 44.47 GiB.

3. Create a Primary Partition for the newly allocated space with a type 8e
(Logical Volume) and write the new partition table.
Type fdisk /dev/sda
In this example, the Partition will be /dev/sda3 of type 8e.
Please refer to the values that correspond with the comments in italics.

4. Reboot the VM.
Type reboot

5. Verify the new partition was added.
Type fdisk -l -u
In this example, see that /dev/sda3 was added with type 8e.

6. Create a new Physical Volume for the new space that was added.
Type pvcreate /dev/sda3
In this example, Physical Volume /dev/sda3 was created.

7. List the Volume Groups available.
Type vgdisplay
In this example, see that the VG Name is centos and the VG Size is still
49.51.

8. Extend the Volume Group by adding the Physical Volume that was created in
Step 6 (/dev/sda3) to the Volume Group (centos).
Type vgextend centos /dev/sda3

9. Display how much free space is available in the Volume Group now that the new
Physical Volume is added.
Type vgdisplay centos
In this example, see that 50.04 GiB is free, so use 50 in the next step.

10. Display and verify the name of the Logical Volume path we want to extend.
Type lvdisplay
In this example, see that /dev/centos/root is the Logical Volume path.

11. Extend the Logical Volume by adding the free space of the Volume Group.
Type lvextend -L+50G /dev/centos/root
In this example, the previous step determined that 50 GB is free, so use
-L+50G for /dev/centos/root.

12. Verify that the Logical Volume grew in size.
Type lvdisplay
In this example, see that the LV Name is /dev/centos/root and the LV Size is now
94.47 GiB (in Step 2, the LV Size was 44.47).

13. Resize the CentOS 7 file system.
Type xfs_growfs /dev/centos/root
In this example, use the extended Logical Volume /dev/centos/root (the same device
that df shows as /dev/mapper/centos-root).

14. Verify the operating system recognizes the additional space.
Type df -lh
In this example, see that /dev/mapper/centos-root now shows 95G.

Procedure is complete.
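Steps 6 to 14 above collected into one script, with a check before each destructive command. This is an added example, not Fortinet's own code: it takes the guide's names (/dev/sda, /dev/sda3 of type 8e, volume group centos, LV /dev/centos/root) as defaults, assumes the CentOS 7 fdisk -l output layout, and generalizes step 13 to ext4 volumes with resize2fs.

```shell
#!/bin/sh
# Added example, not from the Fortinet guide: runs steps 6-14 of "Increase the
# Hard Drive Size" with a check before each destructive command. The defaults
# are assumptions that mirror the guide's example: disk /dev/sda, new partition
# /dev/sda3 of type 8e, volume group "centos", logical volume /dev/centos/root.
set -eu

# Read `fdisk -l -u <disk>` output (CentOS 7 layout) on stdin and print the
# partition Id of $1, e.g. "8e". The optional "*" boot flag is removed first, so
# the fields are Device Start End Blocks Id and the Id is always field 5.
partition_id() {
    awk -v part="$1" '$1 == part { sub(/\*/, ""); print $5; found = 1 }
                      END { exit found ? 0 : 1 }'
}

# Read `vgdisplay <vg>` output on stdin and print the whole GiB of free space,
# as the guide does in step 9 ("50.04 GiB is free, so use 50 in the next step").
# A VG with nothing free prints "0 / 0" without a unit; that yields 0.
parse_free_gib() {
    awk '/Free +PE \/ Size/ {
            n = $(NF - 1) + 0; unit = $NF
            if ($NF == "0")         { print 0; found = 1 }
            else if (unit == "GiB") { printf "%d\n", n; found = 1 }
            else if (unit == "TiB") { printf "%d\n", n * 1024; found = 1 }
            else if (unit == "MiB") { printf "%d\n", n / 1024; found = 1 }
         }
         END { exit found ? 0 : 1 }'
}

# Steps 6-14 of the guide. Usage: grow_root_lv [disk] [partition] [vg] [lv]
grow_root_lv() {
    disk=${1:-/dev/sda}; part=${2:-/dev/sda3}; vg=${3:-centos}; lv=${4:-/dev/centos/root}

    # Step 1 of the guide: stop the FortiNAC processes before touching storage.
    if command -v shutdownCampusMgr >/dev/null 2>&1; then shutdownCampusMgr; fi

    # Step 5: the new partition must exist and carry Id 8e (Linux LVM).
    id=$(fdisk -l -u "$disk" | partition_id "$part") ||
        { echo "$part not found on $disk; create it first (step 3)" >&2; return 1; }
    [ "$id" = "8e" ] || { echo "$part has Id $id, expected 8e" >&2; return 1; }

    # Steps 6 and 8: create the PV and add it to the VG, unless already done.
    if ! pvs --noheadings -o vg_name "$part" 2>/dev/null | grep -qw "$vg"; then
        pvcreate "$part"
        vgextend "$vg" "$part"
    fi

    # Step 9: measure what is free; step 11: grow the LV by that many whole GiB.
    free=$(vgdisplay "$vg" | parse_free_gib)
    [ "$free" -gt 0 ] || { echo "no free space in $vg" >&2; return 1; }
    lvextend -L+"${free}G" "$lv"

    # Step 13: grow the filesystem. The guide covers CentOS 7 XFS; ext4 is a
    # generalization added here, chosen from what blkid reports for the LV.
    case "$(blkid -o value -s TYPE "$lv")" in
        xfs)  xfs_growfs "$lv" ;;
        ext4) resize2fs "$lv" ;;
        *)    echo "unsupported filesystem on $lv" >&2; return 1 ;;
    esac

    df -lh "$lv"   # step 14: the new size should now be visible
}

# Only act when invoked with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then shift; grow_root_lv "$@"; fi
```

Run it on the appliance as root after step 5 with `sh grow_root_lv.sh --run`, or source the file to use the two parsers on saved command output.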

Configure Time Settings for Host
The server that hosts your VM should have a Time Configuration entered to ensure that it
synchronizes its internal clock and calendar with an NTP server. It is important that the time be
correct or you may experience problems with your certificates or with agent server
communications.

Note: If your FortiNAC VM is already up and running, make sure to stop and restart the VM after
you are done with the time configuration.

1. Log in to vCenter.
2. Select View > Inventory > Hosts and Clusters.
3. In the tree on the left select the Host or machine that is hosting your FortiNAC
VM. This may display simply as an IP address.
4. In the right-hand pane select the Configuration tab.
5. In the Software section click on Time Configuration. The current
configuration is displayed. If there is no NTP server displayed, you must
configure one.
6. At the top of the Time Configuration option, click Properties.

Time Configuration Properties

7. In the Time Configuration Properties window click the Options button.
8. On the Options window, select General. Start and Stop with host should be
selected by default.

Time Configuration Options - General

9. Click NTP Settings on the left.

Time Configuration Options - NTP Settings

10. On the NTP Settings window click the Add button. In the Add dialog enter the
address of the NTP server that should be used for time synchronization, such as
pool.ntp.org, and click OK.
11. Below the list of NTP servers check the Restart NTP service to apply
changes check box. Click OK to save your changes.
12. In VCenter tree on the left, right-click on the FortiNAC VM and select
Edit Settings.
13. On the Properties window select the Options tab.
14. From the list of options select VMware Tools.
15. In the panel on the right under Advanced, enable the Synchronize guest
time with host option and click OK.

Virtual Machine Properties (Settings)

Change the MySQL UUID file of Cloned VMs
If a VM was cloned for use as the secondary in a High Availability configuration, the cloned
UUID file used by MySQL can cause problems with MySQL replication between Primary
and Secondary servers.
1. Review contents of the cloned UUID file (auto.cnf) on both original and cloned VMs. Log
into the CLI using the root user and default password and type
cd /var/lib/mysql/
cat auto.cnf

2. Example
> cat auto.cnf
[auto]
server-uuid=ba26cab0-e9f8-11e9-988c-00505698d1c3

3. If the UUID value of the cloned VM is the same as the value in the original VM, remove the
auto.cnf file of the cloned VM. In the cloned VM CLI type
cd /var/lib/mysql/
rm auto.cnf

4. Restart MySQL in the cloned VM to create a new and unique auto.cnf file. Type
service mysqld restart

5. Review the new UUID value:
sysinfo -v | grep -i UUID

6. Compare with the UUID used by the license key:
licensetool

7. If the UUID values are different, contact Customer Service to update the UUID for the
appliance and download a new key file. FortiNAC processes will not start if the UUID in
the license key does not match. For instructions, see section Change Existing MAC
Address and UUID Information of the License Upgrade Guide in the Documentation
Library.

Once the above steps are completed, High Availability can be configured. For instructions, see
High Availability in the Documentation Library.
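The comparison in steps 3 and 4 as a script, added here as an example and not part of Fortinet's guide: it reads server-uuid from the [auto] section of each auto.cnf, reports whether the two values collide, and only then removes the clone's file and restarts MySQL so a fresh value is generated. It assumes a copy of the original VM's auto.cnf has been placed on the clone; the function names and the second sample UUID are the example's own.

```shell
#!/bin/sh
# Added example, not from the Fortinet guide: performs the step 3 comparison
# (UUID of the cloned VM equals the UUID of the original VM) on two auto.cnf
# files and removes the clone's file only when the values really collide. Paths
# are arguments; the default clone path is the guide's /var/lib/mysql/auto.cnf.
set -eu

# Print the server-uuid from auto.cnf text on stdin. Only the [auto] section is
# read, so a key in another section is not mistaken for it; exits 1 if absent.
server_uuid() {
    awk -F= '/^\[/ { in_auto = ($0 == "[auto]"); next }
             in_auto && $1 ~ /^[ \t]*server-uuid[ \t]*$/ {
                 gsub(/[ \t]/, "", $2); print $2; found = 1; exit
             }
             END { exit found ? 0 : 1 }'
}

# True when the value has the 8-4-4-4-12 lowercase hex shape MySQL writes,
# e.g. ba26cab0-e9f8-11e9-988c-00505698d1c3 from the guide's example.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Compare the original's and the clone's auto.cnf; print "collision" or "distinct".
uuid_state() {
    a=$(server_uuid < "$1") && b=$(server_uuid < "$2") ||
        { echo "server-uuid missing in $1 or $2" >&2; return 1; }
    valid_uuid "$a" && valid_uuid "$b" ||
        { echo "malformed server-uuid in $1 or $2" >&2; return 1; }
    if [ "$a" = "$b" ]; then echo collision; else echo distinct; fi
}

# Steps 3-5 on the clone: $1 is a copy of the original VM's auto.cnf, $2 the
# clone's own file. Removing it and restarting MySQL generates a new value.
fix_clone() {
    orig_cnf=$1; clone_cnf=${2:-/var/lib/mysql/auto.cnf}
    if [ "$(uuid_state "$orig_cnf" "$clone_cnf")" = "collision" ]; then
        rm -f "$clone_cnf"
        service mysqld restart
        echo "new server-uuid: $(server_uuid < "$clone_cnf")"
    else
        echo "server-uuid already distinct; nothing to do"
    fi
}
```

After fix_clone, steps 6 and 7 of the guide (licensetool and, if needed, Customer Service) still apply; the script only handles the MySQL file.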

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other
jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except
to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-
identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such
warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto,
whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
