Integrated Segmentation

6.4.0

In the previous chapter, we explored the advantages of the single vendor solution in terms of integrating Wireless into the Fortinet Security Fabric. Here, we will explore integrated segmentation through the FortiGate switch controller.

Let's review our Retail branch topology:

While many users will connect to your network over WiFi, there may be devices that still require wired connections such as VoIP phones, POS terminals, security cameras, printers, TVs and desktops. With the variety of devices and security needs, it is necessary to segment these devices in different subnets and VLANs. This can be accomplished with the built-in NAC features on the FortiGate switch controller, allowing you to define rules for segmenting your devices at a very granular level.

Default VLANs

When you first connect a FortiSwitch to the FortiGate on a designated FortiLink port, the switch automatically recognizes the switch controller and the FortiGate begins to configure the FortiSwitch using its default VLAN template. This template can be customized to define VLANs that are needed for your network. You can also customize the IPs for your subnets used in each VLAN.

Default VLANs include: default, quarantine, voice, video, rspan, and onboarding.

To learn more, visit the following page:

Network Access Control (NAC)

With VLANs defined, you can group devices into the VLANs by defining NAC policies. NAC policies allow you to specify device matching criteria based on Device info, User logon info, or FortiClient EMS Tag.

Device Info: Information recognized by the FortiSwitch and the FortiGate, such as MAC address, Hardware vendor, Device Family, Type, OS, and User.

User logon info: The firewall user identified by the FortiGate via firewall authentication.

EMS Tag: If FortiClient is installed on the device and is managed by EMS, the EMS tags can be shared with the FortiGate to identify a user group, device group, or other categories.

Once the device is matched, the NAC policy can either assign the port to a specific VLAN, or apply various profiles or policies to the port.

Based on your VLANs and NAC policies, you can define firewall policies to apply the appropriate UTM profiles and allow traffic only to appropriate networks, thereby securely segmenting your devices.

For more information, see the following topics:

Configuring the FortiSwitch NAC settings: Configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag.

Configuring the DHCP trust setting: The DHCP blocking feature monitors the DHCP traffic from untrusted sources (for example, typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions.

FortiSwitch security policies (802.1x): To control network access, the managed FortiSwitch unit supports IEEE 802.1x authentication.

Blocking intra-VLAN traffic: You can block intra-VLAN traffic by aggregating traffic using solely the FortiGate unit.

Quarantine

It may be necessary to quarantine a rogue device or rogue user. The FortiGate switch controller can quarantine a device either by placing it into the quarantine VLAN or by adding its MAC address to a quarantine address group. Administrators can define firewall policies to control what access a quarantined user has.
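The following is an added example, not FortiOS code or Fortinet's implementation: a small model of how the NAC policies and quarantine described above interact. Policies are evaluated in order on the three criteria the chapter names (device info, firewall user, EMS tag), a MAC in the quarantine address group overrides every policy, and an unmatched device stays in the onboarding VLAN; the policy names, VLAN names other than the defaults, and sample MACs are constructed.

```python
# Added example (not FortiOS code): a model of the NAC matching this chapter
# describes. Policies are checked in order on device info, firewall user and
# EMS tag; a MAC in the quarantine address group overrides them all.
from dataclasses import dataclass
from typing import FrozenSet, Optional

DEFAULT_VLANS = ("default", "quarantine", "voice", "video", "rspan", "onboarding")

def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-..', 'aabb.cc..' or 'aa:bb:..' to lowercase colon form."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass(frozen=True)
class Device:
    mac: str
    vendor: str = ""
    family: str = ""
    user: str = ""                          # firewall user seen by the FortiGate
    ems_tags: FrozenSet[str] = frozenset()  # tags shared by FortiClient EMS

@dataclass(frozen=True)
class NacPolicy:
    name: str
    vlan: str
    # A criterion left as None matches anything; every set criterion must hold.
    mac_prefix: Optional[str] = None        # colon form, e.g. an OUI "00:11:22"
    vendor: Optional[str] = None
    family: Optional[str] = None
    user_group: Optional[FrozenSet[str]] = None
    ems_tag: Optional[str] = None

    def matches(self, d: Device) -> bool:
        return all((
            self.mac_prefix is None or norm_mac(d.mac).startswith(self.mac_prefix.lower()),
            self.vendor is None or d.vendor.lower() == self.vendor.lower(),
            self.family is None or d.family.lower() == self.family.lower(),
            self.user_group is None or d.user in self.user_group,
            self.ems_tag is None or self.ems_tag in d.ems_tags,
        ))

def assign_vlan(d, policies, quarantine_group, fallback="onboarding"):
    if norm_mac(d.mac) in {norm_mac(m) for m in quarantine_group}:
        return "quarantine", "MAC is in the quarantine address group"
    for p in policies:                      # ordered list: first match wins
        if p.matches(d):
            return p.vlan, f"NAC policy {p.name}"
    return fallback, "no NAC policy matched"
```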

Quarantine can be triggered from several places, including the Physical Topology page, the Device Inventory widget, and the FortiSwitch Ports page.

The image below shows the Device Inventory widget, and a device that is connected to the FortiSwitch's port1.

Click Quarantine Host in the device popup to quarantine the user.

The image below shows the same device which is now quarantined on port1 of the FortiSwitch.

Quarantining can also be triggered automatically, for example by a DDoS policy that detects a rogue device. To learn more about quarantining on the FortiSwitch, see:

Device Detection

Device Detection allows for more granular control and understanding of the devices in your network. When device detection is enabled on the switches, information about detected devices can be checked against local databases or FortiGuard services to help identify attributes such as device, vendor, family, and OS. This information is used in NAC policies, and it also provides more insight about the devices when viewing them in the FortiGate GUI, CLI, or logs.

See the following topics for more details:

Multi-switch Topology

When your network has outgrown your FortiSwitch, you may need to expand to a multi-tiered switching architecture to support the devices in your network.

The following pages can help you determine the best network topology to use.

Finally, many Switch Controller and NAC features were introduced in FortiOS 6.4, including several of the features described in this chapter. See the links below for a more complete list of new features: