Network lockdown
You can initiate a network lockdown for Windows or macOS endpoints that are off-net, that is, endpoints that do not satisfy the on-net rule sets in the endpoint profile.
Network lockdown is available only for FortiSASE instances with IPsec VPN remote user support enabled (see IPsec VPN remote user support) and requires FortiClient 7.2 support to be enabled before its settings appear on the FortiSASE portal. The settings are visible only when endpoints run FortiClient version 7.2.5 or later, and the feature applies only to Windows and macOS endpoints running a supported FortiClient 7.2 version. See Product integration and support.
When network lockdown is configured and FortiSASE determines an endpoint to be off-net, based on the on-net detection rule sets used in the endpoint profile, a timer starts for a configurable grace period during which the off-net endpoint can access its network without restriction. The grace period gives users time to connect to the FortiSASE SIA VPN or to an alternate or personal VPN tunnel and regain on-net status. Any VPN connection attempt made during the grace period resets the grace period for that endpoint. During the grace period, users can retry VPN authentication up to a configurable maximum number of attempts; once that limit is reached, the endpoint must be rebooted to refresh its attempt count.
If the grace period expires and the endpoint remains off-net, FortiClient initiates network lockdown and notifies the user through the FortiClient system tray icon. In network lockdown, the endpoint cannot access its network except for the following:
- VPN access, so that users can connect to the FortiSASE SIA VPN or to an alternate or personal VPN to regain on-net status.
- Destinations configured under Exempt destinations.
FortiClient exits network lockdown when the endpoint is determined to be on-net again.
Network lockdown activates only when an endpoint is off-net. Configure on-net rule sets carefully to avoid unintended behavior: the rules must allow an endpoint to switch from off-net to on-net by connecting to the FortiSASE SIA VPN or to a custom or personal VPN, so that it can exit network lockdown.
To configure network lockdown:
- In the desired profile, on the Connection tab, enable On-net detection and apply a suitable rule set under On-net rule set.
- Enable Lockdown endpoint when off-net.
- For Grace period, configure the duration for which off-net endpoints keep unrestricted network access before lockdown starts. The recommended grace period is 120 seconds.
- If your network has a captive portal that requires user authentication, enable Exempt captive portals to allow FortiClient to reach the captive portal during a network lockdown. When FortiClient detects a captive portal through network probes after a network change, such as connecting to Wi-Fi, it automatically displays the portal in its embedded browser. If SAML authentication is enabled on the captive portal, you do not need to specify identity provider (IdP) URLs under Exempt destinations, even during network lockdown, because FortiClient handles this automatically.
- Under Exempt destinations, specify the trusted destinations that endpoints can access during network lockdown:
  - To exempt an IP address or subnet:
    - Set Type to IP.
    - In the IP address or subnet field, specify the IP address or subnet.
    - (Optional) Specify a destination port under Exclude by port.
    - (Optional) Specify the protocol under Protocol.
    - Click OK.
  - To exempt an FQDN:
    - Set Type to Domain.
    - In the Domain field, specify the FQDN or domain.
    - Click OK.
- Specify a suitable Maximum VPN authentication attempts limit. To understand the use cases and implications of different grace period values for network lockdown, see Use cases.
- Configure the remaining options on the Connection tab as Connection describes.
Use cases
Network lockdown can be tailored to meet various customer requirements. Below are common use cases and the recommended settings to achieve the desired outcome.
| Use Case | Description | Recommended Configuration |
|---|---|---|
| Strict Lockdown | High-security environments requiring remote users to have no internet access until a VPN connection is established. | |
| Traveling Nomads | Users who travel frequently and need extra time for network onboarding tasks (for example, booting up, connecting to guest Wi-Fi, passing through captive portals, and VPN authentication). | |
| General Users | General users who do not require strict lockdown but need sufficient time for network connectivity. | |
Considerations
- When FortiSASE pushes the grace period configuration to FortiClient endpoints, the countdown timer begins as soon as the device starts its boot-up process if it was previously powered off. If the device was not shut down, the grace period timer starts immediately when the endpoint receives the grace period configuration from FortiSASE. Select a grace period that suits your environment.
- If SAML SSO is enabled for endpoints connecting to the Secure Internet Access (SIA) VPN, an alternative VPN, or a personal VPN, FortiClient uses its embedded browser for SAML login, so there is no need to specify IdP URLs under Exempt destinations. However, if Use external browser as user-agent for SAML login is enabled, the IdP URLs must be specified manually under Exempt destinations. To simplify configuration, it is recommended to disable this setting and use FortiClient's embedded browser instead.
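The following Python model is an added example and is not FortiClient or FortiSASE code. It encodes the behaviour described under the configuration procedure (off-net detection, grace period timer, reset on VPN attempts, the VPN authentication attempt limit and reboot, and Exempt destinations matching by IP/subnet, port, protocol or domain) together with the SAML consideration above, so that an administrator can dry-run a profile before pushing it. All class and function names, the attempt limit of 3, the hosts and the exempt entries are constructed; whether FortiClient matches a Domain entry against its subdomains is an assumption, as is restarting the grace timer on reboot, which follows the first consideration above.

```python
"""Dry-run model of the network lockdown behaviour documented on this page.
Added example, not FortiClient or FortiSASE code; all timings, limits, hosts
and exempt entries are constructed inputs."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ExemptDestination:
    """One row under Exempt destinations: Type IP (optional port/protocol) or Domain."""
    kind: str                         # "ip" or "domain"
    value: str                        # IP/subnet or FQDN/domain
    port: Optional[int] = None        # Exclude by port (IP type only)
    protocol: Optional[str] = None    # Protocol (IP type only)

    def matches(self, host: str, port: Optional[int], protocol: Optional[str]) -> bool:
        if self.kind == "domain":
            # Assumption: an entry also covers its subdomains; the page does not
            # state FortiClient's exact domain matching rule.
            h, v = host.lower().rstrip("."), self.value.lower().rstrip(".")
            return h == v or h.endswith("." + v)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False              # a hostname never matches an IP entry
        return (addr in ipaddress.ip_network(self.value, strict=False)
                and (self.port is None or port == self.port)
                and (self.protocol is None
                     or (protocol or "").lower() == self.protocol.lower()))


@dataclass
class LockdownProfile:
    grace_period_s: int = 120                    # the recommended value above
    max_vpn_auth_attempts: int = 3               # constructed value
    exempt: List[ExemptDestination] = field(default_factory=list)


class LockdownSimulator:
    """on-net -> off-net (grace timer) -> lockdown, driven by an explicit clock."""

    def __init__(self, profile: LockdownProfile):
        self.profile = profile
        self.on_net, self.locked_down = True, False
        self.grace_deadline: Optional[float] = None   # None: no timer running
        self.vpn_auth_attempts = 0

    def _in_grace(self, now: float) -> bool:
        return (not self.on_net and not self.locked_down
                and self.grace_deadline is not None and now < self.grace_deadline)

    def _tick(self, now: float) -> None:
        if (not self.on_net and not self.locked_down
                and self.grace_deadline is not None and now >= self.grace_deadline):
            self.locked_down, self.grace_deadline = True, None   # grace expired off-net

    def on_net_detected(self) -> None:
        self.on_net, self.locked_down, self.grace_deadline = True, False, None

    def off_net_detected(self, now: float) -> None:
        if self.on_net:
            self.on_net = False
            self.grace_deadline = now + self.profile.grace_period_s

    def vpn_auth_attempt(self, now: float, success: bool) -> bool:
        """Returns False once the attempt limit is exhausted (reboot required)."""
        self._tick(now)
        if self.vpn_auth_attempts >= self.profile.max_vpn_auth_attempts:
            return False
        self.vpn_auth_attempts += 1
        if self._in_grace(now):                    # any attempt during grace resets it
            self.grace_deadline = now + self.profile.grace_period_s
        if success:
            self.on_net_detected()                 # tunnel up: on-net again
        return True

    def reboot(self, now: float) -> None:
        """Reboot refreshes the attempt budget; the grace timer restarts at boot."""
        self.vpn_auth_attempts = 0
        if not self.on_net:
            self.locked_down, self.grace_deadline = False, now + self.profile.grace_period_s

    def allow(self, host: str, port: Optional[int], protocol: Optional[str], now: float) -> bool:
        """Is this non-VPN flow permitted at time `now`?"""
        self._tick(now)
        return not self.locked_down or any(
            d.matches(host, port, protocol) for d in self.profile.exempt)


def missing_idp_exemptions(profile: LockdownProfile, idp_hosts: List[str],
                           external_browser_saml: bool) -> List[str]:
    """IdP hosts still needing an Exempt destinations entry (see Considerations)."""
    if not external_browser_saml:
        return []                    # embedded browser: FortiClient handles SAML itself
    return [h for h in idp_hosts
            if not any(d.matches(h, 443, "tcp") for d in profile.exempt)]
```

To use it, build a `LockdownProfile` with the exempt entries from the portal, call `off_net_detected()` at the moment the endpoint goes off-net, and query `allow()` with a clock value: during the grace period every flow is permitted, after expiry only matching exempt destinations are. VPN traffic itself is always permitted during lockdown, so it is not routed through `allow()`; instead `vpn_auth_attempt()` models the reset of the grace period and the attempt limit that only `reboot()` refreshes. `missing_idp_exemptions()` flags IdP hosts that would be unreachable during lockdown when the external-browser SAML option is on.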