Support for FortiVoice tag dynamic address in NAC policies (7.4.4)
This information is also available in the FortiOS 7.4 Administration Guide.
FortiVoice tag dynamic addresses can now be applied to a NAC policy. New commands are available:
config user nac-policy
    edit <name>
        set category fortivoice-tag
        set fortivoice-tag <string>
    next
end

set category {device | firewall-user | ems-tag | fortivoice-tag | vulnerability}
    Set category to fortivoice-tag to enable the fortivoice-tag command.
set fortivoice-tag <string>
    Specify the name of the FortiVoice tag to use for NAC policy matching.

FortiFones that match the NAC policy can be assigned to a NAC VLAN and isolated there. See FortiVoice tag dynamic address for more information.
Example
In this example, a dynamic FortiVoice tag MAC address (MAC_FOV-500000003139_Registered_Phones) is applied to a NAC policy on the FortiGate. Subsequently, the connected FortiSwitch port is moved to vlan12, where traffic can be controlled for registered FortiFones. For more information about NAC policies, see Defining a FortiSwitch NAC policy in the FortiLink Administration Guide. This example assumes that the FortiVoice Fabric connector is authorized to join the Security Fabric and vlan12 is already configured. See Configuring FortiVoice for more information.
To configure FortiVoice Tag MAC address on NAC policies:
1. Configure the NAC policy:
   a. Go to WiFi & Switch Controller > NAC Policies and click Create New, or edit an existing policy.
   b. In the Device Patterns section:
      - Set Category to FortiVoice tag.
      - Set FortiVoice tag to MAC_FOV-500000003139_Registered_Phones.
   c. In the Switch Controller Action section, enable Assign VLAN and select vlan12.
   d. Configure the other settings as needed.
   e. Click OK.
2. Enable NAC mode on the desired FortiSwitch ports (port6 in this example):
   a. Go to WiFi & Switch Controller > FortiSwitch Ports.
   b. Select port6, then right-click and set the Mode to NAC.
3. Configure the firewall policy that controls outbound internet access for FortiFones (vlan12 to wan1):
   a. Go to Policy & Objects > Firewall Policy.
   b. Click Create New.
   c. Name the policy and configure the following parameters:
      Incoming Interface    vlan12
      Outgoing Interface    wan1
      Source                all
      Destination           all
      Schedule              always
      Service               ALL
      Action                ACCEPT
   d. Configure the other settings as needed.
   e. Click OK.
4. Generate traffic from the FortiFone.
5. Once the NAC policy is matched, go to WiFi & Switch Controller > NAC Policies to view the device matched to the policy.
   The FortiFone is also shown on Dashboards > Assets & Identities in the Matched NAC Devices widget.
6. Go to WiFi & Switch Controller > FortiSwitch Ports and locate the port that the FortiFone is connected to. The port has been dynamically assigned vlan12.
To configure FortiVoice Tag MAC address on NAC policies in the CLI:
1. Configure the VLAN in the MAC policy. Create it first, because the NAC policy in the next step references it by name and FortiOS rejects a reference to a MAC policy that does not exist yet:
   config switch-controller mac-policy
       edit "mac-policy-1"
           set fortilink "fortilink"
           set vlan "vlan12"
       next
   end
2. Configure the NAC policy:
   config user nac-policy
       edit "nac-policy-1"
           set category fortivoice-tag
           set fortivoice-tag "MAC_FOV-500000003139_Registered_Phones"
           set switch-fortilink "fortilink"
           set switch-mac-policy "mac-policy-1"
       next
   end
3. Enable NAC mode on the desired FortiSwitch ports:
   config switch-controller managed-switch
       edit "Access-FSW-C"
           config ports
               edit "port6"
                   set access-mode nac
               next
           end
       next
   end
4. Configure the firewall policy:
   config firewall policy
       edit 1
           set name "c_fov_fon"
           set srcintf "vlan12"
           set dstintf "wan1"
           set action accept
           set srcaddr "all"
           set dstaddr "all"
           set schedule "always"
           set service "ALL"
           set logtraffic all
           set nat enable
       next
   end
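The four CLI objects above depend on each other by name (the NAC policy names the MAC policy, the MAC policy names the VLAN, the firewall policy uses that VLAN as its source interface), and the page's firewall policy is deliberately wide open (all sources, all destinations, ALL services, NAT enabled). The script below is an added example, not Fortinet's code: it models the same objects, lints the cross-references before anything is pushed, renders the CLI in dependency order, and can apply the objects over the FortiGate REST API. The REST details are assumptions: that `/api/v2/cmdb/<path>` mirrors the CLI `config` tree, that multi-value fields are lists of `{"name": ...}` objects, and that a REST API admin token is accepted as a Bearer header. Everything else (names, tag, switch, port) is taken from this page.

```python
"""Render, lint and push the FortiVoice-tag NAC configuration from this page.

Added example, not Fortinet code. Object names follow the page's CLI example;
the REST mapping and Bearer-token auth are assumptions (see comments).
"""
import json
import ssl
import urllib.request
from dataclasses import dataclass, field
from urllib.parse import quote


@dataclass
class MacPolicy:          # config switch-controller mac-policy
    name: str
    fortilink: str
    vlan: str


@dataclass
class NacPolicy:          # config user nac-policy
    name: str
    fortivoice_tag: str
    switch_fortilink: str
    switch_mac_policy: str
    category: str = "fortivoice-tag"


@dataclass
class FirewallPolicy:     # config firewall policy (NAC VLAN -> WAN)
    policyid: int
    name: str
    srcintf: str
    dstintf: str
    srcaddr: list = field(default_factory=lambda: ["all"])
    dstaddr: list = field(default_factory=lambda: ["all"])
    service: list = field(default_factory=lambda: ["ALL"])


def lint(nac, mac, fw):
    """Cross-reference checks. The first three describe configs FortiOS will reject or
    that will never match traffic; the last is a review finding about the egress policy."""
    issues = []
    if nac.category == "fortivoice-tag" and not nac.fortivoice_tag:
        issues.append("nac-policy: category fortivoice-tag requires set fortivoice-tag")
    if nac.switch_mac_policy != mac.name:
        issues.append(f"nac-policy: switch-mac-policy {nac.switch_mac_policy!r} is not the "
                      f"defined mac-policy {mac.name!r}")
    if fw.srcintf != mac.vlan:
        issues.append(f"firewall policy srcintf {fw.srcintf!r} is not the NAC VLAN {mac.vlan!r}")
    if fw.dstaddr == ["all"] and fw.service == ["ALL"]:
        issues.append("firewall policy allows every service to every destination from the phone "
                      "VLAN; restrict dstaddr/service to what registered phones need")
    return issues


def render_cli(nac, mac, fw, switch, port):
    """Emit the CLI script, MAC policy first so the NAC policy's reference resolves."""
    q = lambda xs: " ".join(f'"{x}"' for x in xs)
    return "\n".join([
        "config switch-controller mac-policy", f'    edit "{mac.name}"',
        f'        set fortilink "{mac.fortilink}"', f'        set vlan "{mac.vlan}"', "    next", "end",
        "config user nac-policy", f'    edit "{nac.name}"', f"        set category {nac.category}",
        f'        set fortivoice-tag "{nac.fortivoice_tag}"',
        f'        set switch-fortilink "{nac.switch_fortilink}"',
        f'        set switch-mac-policy "{nac.switch_mac_policy}"', "    next", "end",
        "config switch-controller managed-switch", f'    edit "{switch}"', "        config ports",
        f'            edit "{port}"', "                set access-mode nac", "            next",
        "        end", "    next", "end",
        "config firewall policy", f"    edit {fw.policyid}", f'        set name "{fw.name}"',
        f'        set srcintf "{fw.srcintf}"', f'        set dstintf "{fw.dstintf}"',
        "        set action accept", f"        set srcaddr {q(fw.srcaddr)}",
        f"        set dstaddr {q(fw.dstaddr)}", '        set schedule "always"',
        f"        set service {q(fw.service)}", "        set logtraffic all", "        set nat enable",
        "    next", "end",
    ]) + "\n"


def rest_payloads(nac, mac, fw, switch, port):
    """(method, cmdb path, body) in dependency order. Assumption: cmdb paths mirror
    the CLI tree and member fields are lists of {"name": ...} objects."""
    names = lambda xs: [{"name": x} for x in xs]
    return [
        ("POST", "switch-controller/mac-policy",
         {"name": mac.name, "fortilink": mac.fortilink, "vlan": mac.vlan}),
        ("POST", "user/nac-policy", {"name": nac.name, "category": nac.category,
         "fortivoice-tag": nac.fortivoice_tag, "switch-fortilink": nac.switch_fortilink,
         "switch-mac-policy": nac.switch_mac_policy}),
        ("PUT", f"switch-controller/managed-switch/{quote(switch)}/ports/{quote(port)}",
         {"access-mode": "nac"}),
        ("POST", "firewall/policy", {"policyid": fw.policyid, "name": fw.name,
         "srcintf": names([fw.srcintf]), "dstintf": names([fw.dstintf]), "srcaddr": names(fw.srcaddr),
         "dstaddr": names(fw.dstaddr), "schedule": "always", "service": names(fw.service),
         "action": "accept", "logtraffic": "all", "nat": "enable"}),
    ]


def push(host, token, payloads, cafile=None):
    """Apply the payloads. Assumption: REST API admin token sent as a Bearer header.
    TLS verification stays on; pass cafile for a FortiGate with a private CA cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    for method, path, body in payloads:
        req = urllib.request.Request(
            f"https://{host}/api/v2/cmdb/{path}", data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            print(method, path, json.load(resp).get("status"))


if __name__ == "__main__":
    mac = MacPolicy("mac-policy-1", "fortilink", "vlan12")
    nac = NacPolicy("nac-policy-1", "MAC_FOV-500000003139_Registered_Phones", "fortilink", "mac-policy-1")
    fw = FirewallPolicy(1, "c_fov_fon", "vlan12", "wan1")
    for issue in lint(nac, mac, fw):
        print("WARN:", issue)
    print(render_cli(nac, mac, fw, "Access-FSW-C", "port6"))
    # push("fgt.example.net", "<api-token>", rest_payloads(nac, mac, fw, "Access-FSW-C", "port6"))
```

Run as-is the script lints and prints the CLI; the single warning it emits for the page's configuration is the open egress policy, which is worth narrowing to the FortiVoice server and the SIP/RTP ports the phones actually use before putting it in production. Uncomment the `push` call with a real host and token to apply the objects; the order of `rest_payloads` matters, because the NAC policy's `switch-mac-policy` must already exist when it is created.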