Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    FortiGate NAC engine optimization

    FortiGate NAC engine optimization

    The FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy when a device first connects to a switch port or when a device goes from offline to online. This process has been optimized to shorten the amount of time it takes for a new device to be recognized and assigned to the VLAN.

    These optimizations include:

    • A new event-based approach.

    • A new NAC MAC cache table that populates MAC addresses from the FortiSwitch unit immediately after an event.

    • NAC inactive timers are now applied to the nac-mac-cache table.

    • Added nac-periodic-interval to run the NAC engine at intervals in case any events are missed. The range is 5 to 60 seconds, and the default setting is 15 seconds.

    Before these optimizations, the process took approximately 65 seconds from the time the device links to a switch port to matching the device to a NAC policy. After optimization, the process takes a maximum of 16 seconds with a minimum nac-periodic-interval of 5 seconds.

    Example

    In the following example, you configure the NAC engine to run every five seconds.

    To configure the NAC engine to run every five seconds:
    config switch-controller system
    set nac-periodic-interval 5
end
    To view the NAC clients:
    # diagnose switch-controller nac-mac-cache show
VFID     SWITCH             MAC-ADDRESS        VLAN CREATION(secs ago)  LAST-SEEN(secs ago) INTERFACE
1        S524DN4K16000116   00:0c:29:a8:0a:1c 4089 24                 0                  port7
1        S248EPTF18001384   00:0c:29:d4:4f:3c 4089 44                 0                  port6
    Previous
    Next

    FortiGate NAC engine optimization

    FortiGate NAC engine optimization

    The FortiGate NAC engine is responsible for assigning the device to the right VLAN based on the NAC policy when a device first connects to a switch port or when a device goes from offline to online. This process has been optimized to shorten the amount of time it takes for a new device to be recognized and assigned to the VLAN.

    These optimizations include:

    • A new event-based approach.

    • A new NAC MAC cache table that populates MAC addresses from the FortiSwitch unit immediately after an event.

    • NAC inactive timers are now applied to the nac-mac-cache table.

    • Added nac-periodic-interval to run the NAC engine at intervals in case any events are missed. The range is 5 to 60 seconds, and the default setting is 15 seconds.

    Before these optimizations, the process took approximately 65 seconds from the time the device links to a switch port to matching the device to a NAC policy. After optimization, the process takes a maximum of 16 seconds with a minimum nac-periodic-interval of 5 seconds.

    Example

    In the following example, you configure the NAC engine to run every five seconds.

    To configure the NAC engine to run every five seconds:
    config switch-controller system
    set nac-periodic-interval 5
end
    To view the NAC clients:
    # diagnose switch-controller nac-mac-cache show
VFID     SWITCH             MAC-ADDRESS        VLAN CREATION(secs ago)  LAST-SEEN(secs ago) INTERFACE
1        S524DN4K16000116   00:0c:29:a8:0a:1c 4089 24                 0                  port7
1        S248EPTF18001384   00:0c:29:d4:4f:3c 4089 44                 0                  port6
    Previous
    Next