Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Specify FortiSwitch groups in NAC policies 7.0.2

    Specify FortiSwitch groups in NAC policies 7.0.2

    You can now specify FortiSwitch groups in NAC policies using the GUI and CLI. In previous FortiOS versions, you specified individual managed FortiSwitch units when creating a NAC policy using the set switch-scope command or selecting the FortiSwitch units in the Create NAC Policy window.

    In FortiOS 7.0.2, the set switch-scope command has been replaced with the set switch-group command, and the Create NAC Policy window allows you to specify FortiSwitch groups. You can select more than one FortiSwitch group in the CLI and GUI, and the same FortiSwitch unit can be included in more than one FortiSwitch group. If no FortiSwitch group is specified in the set switch-group command, all FortiSwitch groups are used for the NAC policy.

    When you upgrade to FortiOS 7.0.2, the individual FortiSwitch units selected for the NAC policy are assigned to a new FortiSwitch group, and the new FortiSwitch group replaces the individual FortiSwitch units in the NAC policy. If you downgrade from FortiOS 7.0.2, the individual FortiSwitch units in the FortiSwitch group are listed in the set switch-scope command in the NAC policy, and the set switch-group command is removed from the NAC policy.

    To create a FortiSwitch group in the CLI:

    config switch-controller switch-group

    edit <name>

    set description <string>

    set fortilink <name_of_FortiLink_interface>

    set members <serial-number-1> <serial-number-2> ...

    next

    end

    For example:

    config switch-controller switch-group

    edit NACswitchgroup1

    set description "FortiSwitch group for NAC policy"

    set fortilink "fortilink"

    set members S524DF4K15000024 S548DF5018000776

    next

    end

    To create a FortiSwitch group in the GUI:

    1. Go to WiFi & Switch Controller > Managed FortiSwitches.

    2. Click Create New > FortiSwitch Group.

    3. In the Name field, enter a name for the FortiSwitch group.

    4. In the Members field, click + to select which switches to include in the FortiSwitch group.

    5. In the Description field, enter a description of the FortiSwitch group.

    6. Click OK.

    To specify FortiSwitch groups in the NAC policy in the CLI:

    config user nac-policy

    edit <NAC_policy_name>

    set description <description_of_NAC_policy>

    set category {user | device | ems-tag}

    set status enable

    set switch-group <FortiSwitch_group_1> <FortiSwitch_group_2> ...

    ...

    next

    end

    For example:

    config user nac-policy

    edit "OFFICE_VM"

    set hw-vendor "VMware"

    set switch-fortilink "fortilink"

    set switch-mac-policy "OFFICE_VM"

    set firewall-address "office_vm_device"

    set switch-group NACswitchgroup1 NACswitchgroup2 NACswitchgroup3

    next

    end

    To specify FortiSwitch groups in the NAC policy in the GUI:

    1. Go to WiFi & Switch Controller > NAC Policies.

    2. Click Create New.

    3. In the Name field, enter a name for the NAC policy.

    4. Make certain that the status is set to Enabled.

    5. Click Specify.
    6. Click + in the FortiSwitch groups field to select which FortiSwitch groups to apply the NAC policy to.

    7. Configure the remaining settings as needed.

    8. Select OK to create the new NAC policy.

    Previous
    Next

    Specify FortiSwitch groups in NAC policies 7.0.2

    Specify FortiSwitch groups in NAC policies 7.0.2

    You can now specify FortiSwitch groups in NAC policies using the GUI and CLI. In previous FortiOS versions, you specified individual managed FortiSwitch units when creating a NAC policy using the set switch-scope command or selecting the FortiSwitch units in the Create NAC Policy window.

    In FortiOS 7.0.2, the set switch-scope command has been replaced with the set switch-group command, and the Create NAC Policy window allows you to specify FortiSwitch groups. You can select more than one FortiSwitch group in the CLI and GUI, and the same FortiSwitch unit can be included in more than one FortiSwitch group. If no FortiSwitch group is specified in the set switch-group command, all FortiSwitch groups are used for the NAC policy.

    When you upgrade to FortiOS 7.0.2, the individual FortiSwitch units selected for the NAC policy are assigned to a new FortiSwitch group, and the new FortiSwitch group replaces the individual FortiSwitch units in the NAC policy. If you downgrade from FortiOS 7.0.2, the individual FortiSwitch units in the FortiSwitch group are listed in the set switch-scope command in the NAC policy, and the set switch-group command is removed from the NAC policy.

    To create a FortiSwitch group in the CLI:

    config switch-controller switch-group

    edit <name>

    set description <string>

    set fortilink <name_of_FortiLink_interface>

    set members <serial-number-1> <serial-number-2> ...

    next

    end

    For example:

    config switch-controller switch-group

    edit NACswitchgroup1

    set description "FortiSwitch group for NAC policy"

    set fortilink "fortilink"

    set members S524DF4K15000024 S548DF5018000776

    next

    end

    To create a FortiSwitch group in the GUI:

    1. Go to WiFi & Switch Controller > Managed FortiSwitches.

    2. Click Create New > FortiSwitch Group.

    3. In the Name field, enter a name for the FortiSwitch group.

    4. In the Members field, click + to select which switches to include in the FortiSwitch group.

    5. In the Description field, enter a description of the FortiSwitch group.

    6. Click OK.

    To specify FortiSwitch groups in the NAC policy in the CLI:

    config user nac-policy

    edit <NAC_policy_name>

    set description <description_of_NAC_policy>

    set category {user | device | ems-tag}

    set status enable

    set switch-group <FortiSwitch_group_1> <FortiSwitch_group_2> ...

    ...

    next

    end

    For example:

    config user nac-policy

    edit "OFFICE_VM"

    set hw-vendor "VMware"

    set switch-fortilink "fortilink"

    set switch-mac-policy "OFFICE_VM"

    set firewall-address "office_vm_device"

    set switch-group NACswitchgroup1 NACswitchgroup2 NACswitchgroup3

    next

    end

    To specify FortiSwitch groups in the NAC policy in the GUI:

    1. Go to WiFi & Switch Controller > NAC Policies.

    2. Click Create New.

    3. In the Name field, enter a name for the NAC policy.

    4. Make certain that the status is set to Enabled.

    5. Click Specify.
    6. Click + in the FortiSwitch groups field to select which FortiSwitch groups to apply the NAC policy to.

    7. Configure the remaining settings as needed.

    8. Select OK to create the new NAC policy.

    Previous
    Next