Support dynamic firewall addresses in NAC policies 7.0.1
You can configure a dynamic firewall address for devices and use it in a NAC policy. When a device matches the NAC policy, the MAC address for that device is automatically assigned to the dynamic firewall address, which can be used in firewall policies to control traffic from/to these devices.
Configuring a dynamic firewall address requires setting the address type to dynamic and the address subtype to swc-tag. Using the dynamic firewall address in a NAC policy requires specifying the conditions that a device must match and setting the firewall address to the name of the dynamic firewall address.
To configure a dynamic firewall address and use it in a NAC policy in the CLI:
config firewall address
edit <name_of_dynamic_firewall_address>
set type dynamic
set sub-type swc-tag
next
end
config user nac-policy
edit <policy_name>
set description <description_of_policy>
set category device
set status enable
set mac <MAC_address>
set hw-vendor <hardware_vendor>
set type <device_type>
set family <device_family>
set os <operating_system>
set hw-version <hardware_version>
set sw-version <software_version>
set host <host_name>
set user <user_name>.
set src <source>
set switch-fortilink <FortiLink_interface>
set switch-scope <list_of_managed_FortiSwitch_serial_numbers>
set switch-auto-auth {enable | disable}
set switch-mac-policy <switch_mac_policy>
set firewall-address <name_of_dynamic_firewall_address>
next
end
For example:
config firewall address
edit "lab_vm_device"
set type dynamic
set sub-type swc-tag
next
end
config user nac-policy
edit "LAB_VM"
set hw-vendor "VMware"
set switch-fortilink "port11"
set switch-mac-policy "LAB_VM"
set firewall-address "lab_vm_device"
next
end
To view the dynamic MAC addresses attached to the firewall:
diagnose firewall dynamic list
To configure a dynamic firewall address and use it in a NAC policy in the GUI:
- Go to WiFi & Switch Controller > NAC Policies.
- Click Create New.
- In the Name field, enter a name for the NAC policy.
- Make certain that the status is set to Enabled.
- Click Specify to select which FortiSwitch units to apply the NAC policy to or click All.
- Select Device for the category.
- If you want the device to match a MAC address, enable MAC Address and enter the MAC address to match.
- If you want the device to match a hardware vendor, enable Hardware Vendor and enter the name of the hardware vendor to match.
- If you want the device to match a device family, enable Device Family and enter the name of the device family to match.
- If you want the device to match a device type, enable Type and enter the device type to match.
- If you want the device to match an operating system, enable Operating System and enter the operating system to match.
- If you want the device to match a user, enable User slider and enter the user name to match.
- If you want to assign a specific VLAN to the device that matches the specified criteria, enable Assign VLAN and enter the VLAN identifier.
- If you do not want to bounce the switch port (administratively bringing the link down and then up) when NAC mode is configured, disable Bounce port.
- To use a dynamic firewall address for matching a device, enable Assign device to dynamic address and, from the dropdown list, click Create.
- In the Name field, enter the name of the dynamic firewall address.
- To change the color, click Change and select the color used for the corresponding icon in the GUI.
- The address type is set to Dynamic by default and the subtype is set to Switch Controller NAC Policy Tag by default.
- For the interface, select the interface whose IP address is to be used.
- In the Comments field, enter a description of the dynamic firewall address.
- Click OK to save the dynamic firewall address.
- In the Name field, enter the name of the dynamic firewall address.
- Click OK to create the new NAC policy.