FortiGate NAC engine optimization

The FortiGate NAC engine is responsible for assigning a device to the correct VLAN, based on the matching NAC policy, when the device first connects to a switch port or when it goes from offline to online. This process has been optimized to shorten the time it takes for a new device to be recognized and assigned to its VLAN.

These optimizations include:

  • A new event-based approach.

  • A new NAC MAC cache table that populates MAC addresses from the FortiSwitch unit immediately after an event.

  • NAC inactive timers are now applied to the nac-mac-cache table.

  • Added nac-periodic-interval to run the NAC engine at intervals in case any events are missed. The range is 5 to 60 seconds, and the default setting is 15 seconds.

Before these optimizations, the process took approximately 65 seconds from the time the device links to a switch port to matching the device to a NAC policy. After optimization, the process takes a maximum of 16 seconds with a minimum nac-periodic-interval of 5 seconds.

Example

In the following example, you configure the NAC engine to run every five seconds.

To configure the NAC engine to run every five seconds:

config switch-controller system
    set nac-periodic-interval 5
end

To view the NAC clients:

# diagnose switch-controller nac-mac-cache show
VFID     SWITCH             MAC-ADDRESS        VLAN CREATION(secs ago)  LAST-SEEN(secs ago) INTERFACE
1        S524DN4K16000116   00:0c:29:a8:0a:1c 4089 24                 0                  port7
1        S248EPTF18001384   00:0c:29:d4:4f:3c 4089 44                 0                  port6
