NAC LAN segments 7.0.1

When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the DHCP process for that device. When a link goes down, the NAC devices are cleared from all switch ports by default. Bouncing the switch port and restarting DHCP changes the IP addresses of hosts and invalidates firewall sessions. Starting in FortiOS 7.0.1, you can avoid these problems by assigning each VLAN to a separate LAN segment.

LAN segments prevent the IP addresses of hosts from changing but still provide physical isolation. For example, the following figure shows how four LAN segments have been assigned to four separate VLANs:

The switch controls traffic between LAN segments. Enable Block Intra-VLAN Traffic in the GUI or use the set switch-controller-access-vlan command to allow or prevent traffic between hosts in a LAN segment.

An RSPAN VLAN interface cannot be a member of a LAN segment group.
IGMP snooping is not supported with LAN segments.

LAN segments require the following:

FortiGate devices running FortiOS 7.0.1 or higher with managed FortiSwitch units running FortiSwitchOS 7.0.1 or higher.
To see which FortiSwitch models support this feature, refer to the FortiSwitch feature matrix.

To use LAN segments:

Configure FortiSwitch VLANs without layer-3 properties (unset the IP address, set the access mode to static, unset allowaccess, and disable the DHCP server).
Optionally, enable Block Intra-VLAN Traffic.
Enable LAN segments.
Specify the NAC LAN interface.
Specify which VLANs belong to that LAN segment.

Do not make changes after assigning a VLAN to a LAN segment. Changing VLANs assigned to LAN segments might have unexpected results.

To configure LAN segments on a global level:

config switch-controller fortilink-settings

edit <name_of_this_FortiLink_configuration>

config nac-ports

set lan-segment {enabled | disabled}

set nac-lan-interfaces <string>

set nac-segment-vlans <VLAN_interface_name>

end

For example:

config switch-controller fortilink-settings

edit "port20"

config nac-ports

set onboarding-vlan "onboarding"

set lan-segment enabled

set nac-lan-interface "nac_segment"

set nac-segment-vlans "voice" "video"

end

Example of using LAN segments with NAC

In this example, devices are initially placed in the onboarding VLAN and receive IP addresses from the nac_segment DHCP server. Ports connected to the devices are configured with the NAC access mode. NAC policies are used to identify devices by OS and place them into the appropriate VLAN segment and dynamic firewall address. Firewall policies match traffic from the nac_segment interface by the dynamic firewall address and apply the appropriate security profiles to each.

Configure the FortiSwitch VLANs for Office 1 and Office 2.

config system interface
edit "Office2"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 33
set color 10
set interface "fortilink"
set vlanid 2000
next
edit "Office1"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 34
set color 5
set interface "fortilink"
set vlanid 2001
next
end
The following is the configuration for the nac_segment interface and its corresponding DHCP server settings. These settings are the default.

config system interface
edit "nac_segment"
set vdom "root"
set ip 10.255.13.1 255.255.255.0
set description "NAC Segment VLAN"
set alias "nac_segment.fortilink"
set device-identification enable
set snmp-index 32
set switch-controller-feature nac-segment
set interface "fortilink"
set vlanid 4088
next
end
config system dhcp server
edit 5
set lease-time 300
set dns-service default
set default-gateway 10.255.13.1
set netmask 255.255.255.0
set interface "nac_segment"
config ip-range
edit 1
set start-ip 10.255.13.2
set end-ip 10.255.13.254
next
end
set timezone-option default
next
end
Add the Office 1 VLAN and Office 2 VLAN to the LAN segment VLANs.

config switch-controller fortilink-settings
edit "fortilink"
config nac-ports
set onboarding-vlan "onboarding"
set lan-segment enabled
set nac-lan-interface "nac_segment"
set nac-segment-vlans "voice" "video" "Office2" "Office1"
end
next
end
Configure the NAC policy for devices in Office 1 and Office 2.

If you configure the NAC policy from the GUI, you can create the office2_device and office1_device dynamic firewall addresses inline. However, if you create the NAC policy from the CLI, first create the firewall addresses and then create the MAC policy and NAC policies.

config firewall address
edit "office2_device"
set type dynamic
set sub-type swc-tag
set color 19
next
edit "office1_device"
set type dynamic
set sub-type swc-tag
set color 10
next
end

config switch-controller mac-policy
edit "Office2_FAP"
set fortilink "fortilink"
set vlan "Office2"
next
edit "Office2_PC"
set fortilink "fortilink"
set vlan "Office2"
next
edit "Office1_PC"
set fortilink "fortilink"
set vlan "Office1"
next
end

config user nac-policy
edit "OFFICE2_FAP"
set hw-vendor "Fortinet"
set family "FortiAP"
set os "FortiAP OS"
set switch-fortilink "fortilink"
set switch-scope "S248EPTF18001384"
set switch-mac-policy "Office2_FAP"
set firewall-address "office2_device"
next
edit "OFFICE2_PC"
set os "Linux"
set switch-fortilink "fortilink"
set switch-scope "S248EPTF18001384"
set switch-mac-policy "Office2_PC"
set firewall-address "office2_device"
next
edit "OFFICE1_PC"
set hw-vendor "VMware"
set switch-fortilink "fortilink"
set switch-scope "S524DN4K16000116"
set switch-mac-policy "Office1_PC"
set firewall-address "office1_device"
next
end
Configure the firewall policy for devices in Office 1 or Office 2.

The source of all traffic is nac_segment, but the traffic is filtered on the srcaddr by the dynamic firewall address previously assigned by the NAC policies.

config firewall policy
edit 5
set name "Office1_Device"
set uuid d3e2bbdc-d9c1-51eb-dbd3-cb534366b58d
set srcintf "nac_segment"
set dstintf "port1"
set action accept
set srcaddr "office1_device"
set dstaddr "all"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set nat enable
next
edit 4
set name "Office2_Device"
set uuid a724c2fc-d9c1-51eb-e8d8-a501419308b3
set srcintf "nac_segment"
set dstintf "port1"
set action accept
set srcaddr "office2_device"
set dstaddr "all"
set schedule "always"
set service "ALL_ICMP" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "TFTP"
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set nat enable
next
edit 3
set name "All_devices"
set uuid 0accfbae-d9c1-51eb-b0bf-2ba0b00647c0
set srcintf "nac_segment"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set logtraffic all
set nat enable
next
end
Place the ports in NAC mode.

config switch-controller managed-switch
edit "S524DN4K16000116"
config ports
edit "port7"
set vlan "onboarding"
set allowed-vlans "quarantine" "nac_segment"
set untagged-vlans "quarantine" "nac_segment"
set access-mode nac
next
end
next
edit "S248EPTF18001384"
config ports
edit "port1"
set vlan "onboarding"
set allowed-vlans "quarantine" "nac_segment"
set untagged-vlans "quarantine" "nac_segment"
set access-mode nac
next
edit "port6"
set vlan "onboarding"
set allowed-vlans "quarantine" "nac_segment"
set untagged-vlans "quarantine" "nac_segment"
set access-mode nac
next
end
next
end

NAC LAN segments 7.0.1

An RSPAN VLAN interface cannot be a member of a LAN segment group.
IGMP snooping is not supported with LAN segments.

LAN segments require the following:

FortiGate devices running FortiOS 7.0.1 or higher with managed FortiSwitch units running FortiSwitchOS 7.0.1 or higher.
To see which FortiSwitch models support this feature, refer to the FortiSwitch feature matrix.

To use LAN segments:

Configure FortiSwitch VLANs without layer-3 properties (unset the IP address, set the access mode to static, unset allowaccess, and disable the DHCP server).
Optionally, enable Block Intra-VLAN Traffic.
Enable LAN segments.
Specify the NAC LAN interface.
Specify which VLANs belong to that LAN segment.

Do not make changes after assigning a VLAN to a LAN segment. Changing VLANs assigned to LAN segments might have unexpected results.

To configure LAN segments on a global level:

config switch-controller fortilink-settings

edit <name_of_this_FortiLink_configuration>

config nac-ports

set lan-segment {enabled | disabled}

set nac-lan-interfaces <string>

set nac-segment-vlans <VLAN_interface_name>

end

For example:

config switch-controller fortilink-settings

edit "port20"

config nac-ports

set onboarding-vlan "onboarding"

set lan-segment enabled

set nac-lan-interface "nac_segment"

set nac-segment-vlans "voice" "video"

end

Example of using LAN segments with NAC

Configure the FortiSwitch VLANs for Office 1 and Office 2.

config system interface
edit "Office2"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 33
set color 10
set interface "fortilink"
set vlanid 2000
next
edit "Office1"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 34
set color 5
set interface "fortilink"
set vlanid 2001
next
end
The following is the configuration for the nac_segment interface and its corresponding DHCP server settings. These settings are the default.

config system interface
edit "nac_segment"
set vdom "root"
set ip 10.255.13.1 255.255.255.0
set description "NAC Segment VLAN"
set alias "nac_segment.fortilink"
set device-identification enable
set snmp-index 32
set switch-controller-feature nac-segment
set interface "fortilink"
set vlanid 4088
next
end
config system dhcp server
edit 5
set lease-time 300
set dns-service default
set default-gateway 10.255.13.1
set netmask 255.255.255.0
set interface "nac_segment"
config ip-range
edit 1
set start-ip 10.255.13.2
set end-ip 10.255.13.254
next
end
set timezone-option default
next
end
Add the Office 1 VLAN and Office 2 VLAN to the LAN segment VLANs.

config switch-controller fortilink-settings
edit "fortilink"
config nac-ports
set onboarding-vlan "onboarding"
set lan-segment enabled
set nac-lan-interface "nac_segment"
set nac-segment-vlans "voice" "video" "Office2" "Office1"
end
next
end
Configure the NAC policy for devices in Office 1 and Office 2.

If you configure the NAC policy from the GUI, you can create the office2_device and office1_device dynamic firewall addresses inline. However, if you create the NAC policy from the CLI, first create the firewall addresses and then create the MAC policy and NAC policies.

config firewall address
edit "office2_device"
set type dynamic
set sub-type swc-tag
set color 19
next
edit "office1_device"
set type dynamic
set sub-type swc-tag
set color 10
next
end

config switch-controller mac-policy
edit "Office2_FAP"
set fortilink "fortilink"
set vlan "Office2"
next
edit "Office2_PC"
set fortilink "fortilink"
set vlan "Office2"
next
edit "Office1_PC"
set fortilink "fortilink"
set vlan "Office1"
next
end

config user nac-policy
edit "OFFICE2_FAP"
set hw-vendor "Fortinet"
set family "FortiAP"
set os "FortiAP OS"
set switch-fortilink "fortilink"
set switch-scope "S248EPTF18001384"
set switch-mac-policy "Office2_FAP"
set firewall-address "office2_device"
next
edit "OFFICE2_PC"
set os "Linux"
set switch-fortilink "fortilink"
set switch-scope "S248EPTF18001384"
set switch-mac-policy "Office2_PC"
set firewall-address "office2_device"
next
edit "OFFICE1_PC"
set hw-vendor "VMware"
set switch-fortilink "fortilink"
set switch-scope "S524DN4K16000116"
set switch-mac-policy "Office1_PC"
set firewall-address "office1_device"
next
end
Configure the firewall policy for devices in Office 1 or Office 2.

The source of all traffic is nac_segment, but the traffic is filtered on the srcaddr by the dynamic firewall address previously assigned by the NAC policies.

config firewall policy
edit 5
set name "Office1_Device"
set uuid d3e2bbdc-d9c1-51eb-dbd3-cb534366b58d
set srcintf "nac_segment"
set dstintf "port1"
set action accept
set srcaddr "office1_device"
set dstaddr "all"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set nat enable
next
edit 4
set name "Office2_Device"
set uuid a724c2fc-d9c1-51eb-e8d8-a501419308b3
set srcintf "nac_segment"
set dstintf "port1"
set action accept
set srcaddr "office2_device"
set dstaddr "all"
set schedule "always"
set service "ALL_ICMP" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "TFTP"
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set nat enable
next
edit 3
set name "All_devices"
set uuid 0accfbae-d9c1-51eb-b0bf-2ba0b00647c0
set srcintf "nac_segment"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set logtraffic all
set nat enable
next
end
Place the ports in NAC mode.

config switch-controller managed-switch
edit "S524DN4K16000116"
config ports
edit "port7"
set vlan "onboarding"
set allowed-vlans "quarantine" "nac_segment"
set untagged-vlans "quarantine" "nac_segment"
set access-mode nac
next
end
next
edit "S248EPTF18001384"
config ports
edit "port1"
set vlan "onboarding"
set allowed-vlans "quarantine" "nac_segment"
set untagged-vlans "quarantine" "nac_segment"
set access-mode nac
next
edit "port6"
set vlan "onboarding"
set allowed-vlans "quarantine" "nac_segment"
set untagged-vlans "quarantine" "nac_segment"
set access-mode nac
next
end
next
end

New Features

NAC LAN segments 7.0.1

NAC LAN segments 7.0.1

To use LAN segments:

To configure LAN segments on a global level:

Example of using LAN segments with NAC

NAC LAN segments 7.0.1

To use LAN segments:

To configure LAN segments on a global level:

Example of using LAN segments with NAC