Support OT and IoT virtual patching on NAC policies
This information is also available in the FortiOS 7.4 Administration Guide.
OT and IoT virtual patching can be applied to a NAC policy by setting the category to Vulnerability and configuring the Match criteria based on severity. Devices that match the criteria can be assigned and isolated to a NAC VLAN.
Example
In this example, a device with a certain vulnerability severity is detected by the NAC policy on the FortiGate. The FortiSwitch port to which the device is connected is then moved to vlan300, where traffic from vulnerable devices can be controlled. For more information about NAC policies, see Defining a FortiSwitch NAC policy in the FortiLink Administration Guide. This example assumes that vlan300 has already been configured.
The following settings are required for IoT device detection:
- A valid IoT Detection Service license to download the IoT signature package.
- Enable device detection on the LAN interface used by IoT devices:
  - In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.
  - In the CLI, enter:
        config system interface
            edit <name>
                set device-identification enable
            next
        end
- Configure a firewall policy with an application control sensor.
To configure virtual patching on NAC policies in the GUI:
1. Configure the NAC policy:
   a. Go to WiFi & Switch Controller > NAC Policies and click Create New, or edit an existing policy.
   b. In the Device Patterns section, set Category to Vulnerability.
   c. Set Match to Severity is at least and select a severity level (Information is used in this example).
   d. In the Switch Controller Action section, enable Assign VLAN and select vlan300.
   e. Configure the other settings as needed.
   f. Click OK.
2. Enable NAC mode on the desired FortiSwitch ports (port6 in this example):
   a. Go to WiFi & Switch Controller > FortiSwitch Ports.
   b. Select port6, then right-click and set the Mode to NAC.
3. Enable application control on the firewall policy that is used to control outbound internet access for vulnerable devices (vlan300 to port1).
4. Generate traffic on the vulnerable client device.
5. Once the NAC policy is matched, go to WiFi & Switch Controller > NAC Policies to view the device matched to the policy.
   The vulnerable device is also shown on Dashboards > Assets & Identities in the Matched NAC Devices widget.
To configure virtual patching on NAC policies in the CLI:
1. Configure the VLAN in the MAC policy:
       config switch-controller mac-policy
           edit "IoT"
               set fortilink "fortilink"
               set vlan "vlan300"
           next
       end
2. Configure the NAC policy:
       config user nac-policy
           edit "IoT"
               set category vulnerability
               set severity 0 1 2 3 4
               set switch-fortilink "fortilink"
               set switch-mac-policy "IoT"
           next
       end
3. Enable NAC mode on the desired FortiSwitch ports:
       config switch-controller managed-switch
           edit "S248E***********"
               config ports
                   edit "port6"
                       set access-mode nac
                   next
               end
           next
       end
4. Configure a firewall policy to limit access for devices in this VLAN (vlan300).
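As an added consistency check (example code, not Fortinet's), the following Python parses CLI blocks like the ones above, verifies that the nac-policy points at an existing mac-policy that actually assigns a VLAN, and translates the numeric `set severity` list back to the GUI's "Severity is at least" level. The sample config is constructed and abridged from this page; the severity names beyond Information and their numeric order are assumptions.

```python
import re
# Constructed sample, abridged from the CLI blocks of this procedure (not a live config).
SAMPLE_CONFIG = """
config switch-controller mac-policy
    edit "IoT"
        set vlan "vlan300"
    next
end
config user nac-policy
    edit "IoT"
        set category vulnerability
        set severity 0 1 2 3 4
        set switch-mac-policy "IoT"
    next
end
"""
# Assumed FortiOS order; the page only shows "at least Information" == "set severity 0 1 2 3 4".
SEVERITY_NAMES = ["information", "low", "medium", "high", "critical"]

def parse_fortios(text):
    """Parse one-level config/edit/set/next/end blocks into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r'config (.+)$', line):
            table = tables.setdefault(m.group(1), {})
        elif (m := re.match(r'edit "?([^"]+)"?$', line)) and table is not None:
            entry = table.setdefault(m.group(1), {})
        elif (m := re.match(r'set (\S+) (.+)$', line)) and entry is not None:
            entry[m.group(1)] = m.group(2).replace('"', "")
    return tables

def severity_floor(values):
    """Map a 'set severity' list back to the GUI 'at least' level; None unless it is a run up to critical."""
    levels = sorted(int(v) for v in values.split())
    floor_ok = bool(levels) and levels == list(range(levels[0], len(SEVERITY_NAMES)))
    return SEVERITY_NAMES[levels[0]] if floor_ok else None

def check_nac_patching(text, policy):
    # Returns the problems found in the nac-policy -> mac-policy -> VLAN chain ([] when consistent).
    cfg = parse_fortios(text)
    nac = cfg.get("user nac-policy", {}).get(policy)
    if nac is None:
        return [f"nac-policy {policy} missing"]
    mac = cfg.get("switch-controller mac-policy", {}).get(nac.get("switch-mac-policy"))
    checks = [  # (condition that must hold, problem reported when it does not)
        (nac.get("category") == "vulnerability", "category is not vulnerability"),
        (severity_floor(nac.get("severity", "")) is not None, "severity is not an 'at least' range"),
        (mac is not None, "switch-mac-policy does not exist"),
        (mac is None or bool(mac.get("vlan")), "mac-policy assigns no VLAN"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running `check_nac_patching` over a `show full-configuration` export before pushing the change catches a NAC policy that references a renamed or VLAN-less MAC policy, which would otherwise match vulnerable devices without isolating them.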