Handbook

Security policies for devices

6.0.0

Security policies for devices

Security policies enable you to implement policies according to device type. For example:

  • Gaming consoles cannot connect to the company network or the Internet.
  • Personal tablet and phone devices can connect to the Internet but not to company servers.
  • Company-issued laptop computers can connect to the Internet and company servers. Web filtering and antivirus are applied.
  • Employee laptop computers can connect to the Internet, but web filtering is applied. They can also connect to company networks, but only if FortiClient Endpoint Security is installed to protect against viruses.

The following images show these policies implemented for WiFi to the company network and to the Internet.

Device policies for company laptop access to the company network

Device policies for WiFi access to the Internet

The next section explains device policy creation in detail.

Creating device policies

Device-based security policies are similar to policies based on user identity:

  • The policy enables traffic to flow from one network interface to another.
  • NAT can be enabled.
  • UTM protection can be applied.

To create a device policy
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Choose Incoming Interface, Outgoing Interface and Source as you would for any security policy.
  3. In Source, select an address and the device types that can use this policy. You can select multiple devices or device groups.
  4. Turn on NAT if appropriate.
  5. Configure Security Profiles as you would for any security policy.
  6. Select OK.
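The device rules listed at the top of this page can be checked against a configuration export rather than only in the GUI. The script below is an added example, not Fortinet code: it parses a constructed "config firewall policy" block in FortiOS CLI export style (the field names devices, dstaddr, av-profile and webfilter-profile are assumed from the 5.6/6.0 CLI, and the address name "company-servers" is a placeholder) and flags accept policies that let personal devices reach company servers or that give company laptops Internet access without antivirus and web filtering.

```python
import shlex

# Constructed sample in FortiOS config-export style; field names are assumed
# from the 5.6/6.0 CLI and this is not a real export.
SAMPLE = """\
config firewall policy
    edit 1
        set name "laptops-to-servers"
        set dstaddr "company-servers"
        set action accept
        set devices "windows-pc" "mac"
        set av-profile "default"
    next
    edit 2
        set name "phones-to-servers"
        set dstaddr "company-servers"
        set action accept
        set devices "iphone" "android-phone"
    next
end
"""
PERSONAL = {"iphone", "android-phone", "ipad", "android-tablet"}
LAPTOPS = {"windows-pc", "mac"}

def parse_policies(text):
    """Return {policy_id: {key: [values]}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)  # quoted values become single tokens
        if tok and tok[0] == "edit":
            current = policies.setdefault(tok[1], {})
        elif tok and tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
        elif tok and tok[0] == "next":
            current = None
    return policies

def audit(policies):
    """Flag accept policies that contradict the device rules on this page."""
    findings = []
    for pid, p in policies.items():
        if p.get("action") != ["accept"]:
            continue
        devices, dst = set(p.get("devices", [])), p.get("dstaddr", [])
        if devices & PERSONAL and "company-servers" in dst:
            findings.append((pid, "personal device reaches company servers"))
        if devices & LAPTOPS and not {"av-profile", "webfilter-profile"}.issubset(p):
            findings.append((pid, "company laptop policy lacks AV or web filter"))
    return findings
```

Running audit(parse_policies(SAMPLE)) reports policy 1 for the missing web filter profile and policy 2 for granting phones access to company servers.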

Adding endpoint protection

Optionally, you can require that users’ devices connecting to a particular network interface have FortiClient Endpoint Security software installed. Devices without an up-to-date installation of FortiClient software are restricted to a captive portal from which the user can download a FortiClient installer. For information about creating FortiClient profiles, see "Endpoint Protection".

To add endpoint protection to a security policy
  1. Go to Network > Interfaces and edit the interface.
  2. In Admission Control turn on Allow FortiClient Connections and FortiClient Enforcement.
  3. Optionally, select sources (addresses and device types) to exempt from FortiClient enforcement.
  4. Optionally, select destination addresses and services to exempt from FortiClient enforcement.
  5. Select OK.

FortiOS pushes a FortiClient profile out to the FortiClient software, configuring network protection such as antivirus, application control, and web category filtering. To create these profiles, go to Security Profiles > FortiClient Profiles.

FortiClient endpoint licence updates

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate's model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.

Model(s)                                   Maximum client limit
VM00                                       200
FGT/FWF 30 to 90 series                    200
FGT 100 to 400 series                      600
FGT 500 to 900 series, VM01, VM02          2,000
FGT 1000 to 2900 series                    20,000
FGT 3000 to 3600 series, VM04              50,000
FGT 3700D and above, VM08 and above        100,000

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.