Support dynamic firewall addresses in NAC policies 7.0.1
You can configure a dynamic firewall address for devices and use it in a NAC policy. When a device matches the NAC policy, the MAC address for that device is automatically assigned to the dynamic firewall address, which can be used in firewall policies to control traffic from/to these devices.
Configuring a dynamic firewall address requires setting the address type to dynamic and the address subtype to swc-tag. Using the dynamic firewall address in a NAC policy requires specifying the conditions that a device must match and setting the firewall address to the name of the dynamic firewall address.
To configure a dynamic firewall address and use it in a NAC policy in the CLI:
config firewall address
    edit <name_of_dynamic_firewall_address>
        set type dynamic
        set sub-type swc-tag
    next
end
config user nac-policy
    edit <policy_name>
        set description <description_of_policy>
        set category device
        set status enable
        set mac <MAC_address>
        set hw-vendor <hardware_vendor>
        set type <device_type>
        set family <device_family>
        set os <operating_system>
        set hw-version <hardware_version>
        set sw-version <software_version>
        set host <host_name>
        set user <user_name>
        set src <source>
        set switch-fortilink <FortiLink_interface>
        set switch-scope <list_of_managed_FortiSwitch_serial_numbers>
        set switch-auto-auth {enable | disable}
        set switch-mac-policy <switch_mac_policy>
        set firewall-address <name_of_dynamic_firewall_address>
    next
end
For example:
config firewall address
    edit "lab_vm_device"
        set type dynamic
        set sub-type swc-tag
    next
end
config user nac-policy
    edit "LAB_VM"
        set hw-vendor "VMware"
        set switch-fortilink "port11"
        set switch-mac-policy "LAB_VM"
        set firewall-address "lab_vm_device"
    next
end
To view the dynamic MAC addresses attached to the firewall:
diagnose firewall dynamic list
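The dynamic address only controls traffic once a firewall policy references it. The following is an added example, not part of the original documentation, showing one way to do that with the "lab_vm_device" address from the example above. The interface names "lab_vlan" (the VLAN interface the NAC policy places matched devices on) and "wan1", the policy name, and the service selection are assumptions chosen for illustration.

```fortios
# Added example (not from the original page). Assumes the NAC VLAN interface is
# named "lab_vlan" and the upstream interface is "wan1"; adjust to your deployment.
config firewall policy
    edit 0
        set name "LAB_VM_to_internet"
        set srcintf "lab_vlan"
        set dstintf "wan1"
        # Source is the dynamic address; its members are the MAC addresses of
        # devices that currently match the "LAB_VM" NAC policy.
        set srcaddr "lab_vm_device"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # Restrict to the services the lab VMs actually need rather than ALL.
        set service "HTTP" "HTTPS" "DNS"
        # Log all sessions so changes in address membership are visible in traffic logs.
        set logtraffic all
        set nat enable
    next
end
```

Because membership in the address is learned from the NAC match and keyed on MAC address, a device that stops matching the NAC policy drops out of the address and therefore out of this policy; use diagnose firewall dynamic list to confirm which MAC addresses are currently attached before troubleshooting a policy that does not match.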
To configure a dynamic firewall address and use it in a NAC policy in the GUI:
- Go to WiFi & Switch Controller > NAC Policies.
- Click Create New.
- In the Name field, enter a name for the NAC policy.
- Make certain that the status is set to Enabled.
- Click Specify to select which FortiSwitch units to apply the NAC policy to or click All.
- Select Device for the category.
- If you want the device to match a MAC address, enable MAC Address and enter the MAC address to match.
- If you want the device to match a hardware vendor, enable Hardware Vendor and enter the name of the hardware vendor to match.
- If you want the device to match a device family, enable Device Family and enter the name of the device family to match.
- If you want the device to match a device type, enable Type and enter the device type to match.
- If you want the device to match an operating system, enable Operating System and enter the operating system to match.
- If you want the device to match a user, enable the User slider and enter the user name to match.
- If you want to assign a specific VLAN to the device that matches the specified criteria, enable Assign VLAN and enter the VLAN identifier.
- If you do not want to bounce the switch port (administratively bringing the link down and then up) when NAC mode is configured, disable Bounce port.
- To use a dynamic firewall address for matching a device, enable Assign device to dynamic address and, from the dropdown list, click Create.
- In the Name field, enter the name of the dynamic firewall address.
- To change the color, click Change and select the color used for the corresponding icon in the GUI.
- The address type is set to Dynamic by default and the subtype is set to Switch Controller NAC Policy Tag by default.
- For the interface, select the interface whose IP address is to be used.
- In the Comments field, enter a description of the dynamic firewall address.
- Click OK to save the dynamic firewall address.
- Click OK to create the new NAC policy.