Specify FortiSwitch groups in NAC policies 7.0.2

You can now specify FortiSwitch groups in NAC policies using the GUI and CLI. In previous FortiOS versions, you specified individual managed FortiSwitch units when creating a NAC policy using the set switch-scope command or selecting the FortiSwitch units in the Create NAC Policy window.

In FortiOS 7.0.2, the set switch-scope command has been replaced with the set switch-group command, and the Create NAC Policy window allows you to specify FortiSwitch groups. You can select more than one FortiSwitch group in the CLI and GUI, and the same FortiSwitch unit can be included in more than one FortiSwitch group. If no FortiSwitch group is specified in the set switch-group command, all FortiSwitch groups are used for the NAC policy.

When you upgrade to FortiOS 7.0.2, the individual FortiSwitch units selected for the NAC policy are assigned to a new FortiSwitch group, and the new FortiSwitch group replaces the individual FortiSwitch units in the NAC policy. If you downgrade from FortiOS 7.0.2, the individual FortiSwitch units in the FortiSwitch group are listed in the set switch-scope command in the NAC policy, and the set switch-group command is removed from the NAC policy.

To create a FortiSwitch group in the CLI:

config switch-controller switch-group
    edit <name>
        set description <string>
        set fortilink <name_of_FortiLink_interface>
        set members <serial-number-1> <serial-number-2> ...
    next
end

For example:

config switch-controller switch-group
    edit NACswitchgroup1
        set description "FortiSwitch group for NAC policy"
        set fortilink "fortilink"
        set members S524DF4K15000024 S548DF5018000776
    next
end

To create a FortiSwitch group in the GUI:
  1. Go to WiFi & Switch Controller > Managed FortiSwitches.
  2. Click Create New > FortiSwitch Group.
  3. In the Name field, enter a name for the FortiSwitch group.
  4. In the Members field, click + to select which switches to include in the FortiSwitch group.
  5. In the Description field, enter a description of the FortiSwitch group.
  6. Click OK.

To specify FortiSwitch groups in the NAC policy in the CLI:

config user nac-policy
    edit <NAC_policy_name>
        set description <description_of_NAC_policy>
        set category {user | device | ems-tag}
        set status enable
        set switch-group <FortiSwitch_group_1> <FortiSwitch_group_2> ...
        ...
    next
end

For example:

config user nac-policy
    edit "OFFICE_VM"
        set hw-vendor "VMware"
        set switch-fortilink "fortilink"
        set switch-mac-policy "OFFICE_VM"
        set firewall-address "office_vm_device"
        set switch-group NACswitchgroup1 NACswitchgroup2 NACswitchgroup3
    next
end

To specify FortiSwitch groups in the NAC policy in the GUI:
  1. Go to WiFi & Switch Controller > NAC Policies.
  2. Click Create New.
  3. In the Name field, enter a name for the NAC policy.
  4. Make certain that the status is set to Enabled.
  5. Click Specify.
  6. Click + in the FortiSwitch groups field to select which FortiSwitch groups to apply the NAC policy to.
  7. Configure the remaining settings as needed.
  8. Select OK to create the new NAC policy.
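Because a NAC policy with no set switch-group applies to every FortiSwitch group, and one switch can sit in several groups, it is worth auditing the effective scope of each policy before and after an upgrade. The following script is an added example, not Fortinet code: it parses a constructed FortiOS-style configuration snippet (reusing the page's group names and serial numbers; NACswitchgroup3 is deliberately left undefined) and reports, per NAC policy, the effective set of switch serials, any referenced group that does not exist, and whether the policy silently covers all groups.

```python
# Constructed sample (not captured from a FortiGate) reusing the page's group
# names and serial numbers. NACswitchgroup3 is deliberately left undefined.
SAMPLE_CONFIG = """
config switch-controller switch-group
    edit NACswitchgroup1
        set members S524DF4K15000024 S548DF5018000776
    next
    edit NACswitchgroup2
        set members S548DF5018000776
    next
end
config user nac-policy
    edit "OFFICE_VM"
        set switch-group NACswitchgroup1 NACswitchgroup2 NACswitchgroup3
    next
    edit "NO_SCOPE"
        set status enable
    next
end
"""

def parse_fortios(text):
    """Minimal config/edit/set/next parser -> {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "config":
            table = " ".join(tok[1:])
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
            tables.setdefault(table, {})[entry] = {}
        elif tok[0] == "set" and entry is not None:
            tables[table][entry][tok[1]] = [v.strip('"') for v in tok[2:]]
        elif tok[0] == "next":
            entry = None
    return tables

def audit_nac_scope(text):
    """Per NAC policy: effective switch serials (union across groups), groups that are
    referenced but undefined, and whether no switch-group is set (so all groups apply)."""
    cfg = parse_fortios(text)
    groups = cfg.get("switch-controller switch-group", {})
    report = {}
    for name, attrs in cfg.get("user nac-policy", {}).items():
        wanted = attrs.get("switch-group", [])
        chosen = wanted or list(groups)          # empty switch-group => every group
        switches = {s for g in chosen for s in groups.get(g, {}).get("members", [])}
        report[name] = {"switches": switches, "all_groups": not wanted,
                        "missing_groups": [g for g in chosen if g not in groups]}
    return report
```

Run audit_nac_scope against a saved configuration export to flag policies whose scope is wider than intended or that point at a group removed by a later edit.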
