OT and IoT virtual patching on NAC policies
OT and IoT virtual patching can be applied to a NAC policy by setting the category to Vulnerability and configuring the Match criteria based on vulnerability severity. Devices that match the criteria can be assigned to, and isolated in, a NAC VLAN.
Example
In this example, a device with a vulnerability of a certain severity is detected by the NAC policy on the FortiGate. The FortiSwitch port that the device is connected to is then dynamically moved to vlan300, where traffic from vulnerable devices can be controlled by firewall policy. For more information about NAC policies, see Defining a FortiSwitch NAC policy in the FortiLink Administration Guide. This example assumes that vlan300 has already been configured.
The following settings are required for IoT device detection:
- A valid Attack Surface Security Rating service license to download the IoT signature package.
- Device detection enabled on the LAN interface used by IoT devices:
  - In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.
  - In the CLI, enter:

        config system interface
            edit <name>
                set device-identification enable
            next
        end

- A firewall policy with an application control sensor.
To configure virtual patching on NAC policies in the GUI:

1. Configure the NAC policy:
   a. Go to WiFi & Switch Controller > NAC Policies and click Create New, or edit an existing policy.
   b. In the Device Patterns section, set Category to Vulnerability.
   c. Set Match to Severity is at least and select a severity level (Information is used in this example).
   d. In the Switch Controller Action section, enable Assign VLAN and select vlan300.
   e. Configure the other settings as needed.
   f. Click OK.
2. Enable NAC mode on the desired FortiSwitch ports (port6 in this example):
   a. Go to WiFi & Switch Controller > FortiSwitch Ports.
   b. Select port6, then right-click and set the Mode to NAC.
3. Once the NAC policy is matched, go to WiFi & Switch Controller > NAC Policies to view the device matched to the policy.
4. Go to WiFi & Switch Controller > FortiSwitch Ports and locate the port that the vulnerable device is connected to. The port has been dynamically assigned vlan300.
5. Configure a firewall policy to limit access for devices in this VLAN (vlan300).
To configure virtual patching on NAC policies in the CLI:

1. Configure the VLAN in the MAC policy:

        config switch-controller mac-policy
            edit "IoT"
                set fortilink "fortilink"
                set vlan "vlan300"
            next
        end

2. Configure the NAC policy. Listing all five severity levels (0 through 4) matches every vulnerability severity, which is equivalent to the GUI setting Severity is at least Information:

        config user nac-policy
            edit "IoT"
                set category vulnerability
                set severity 0 1 2 3 4
                set switch-fortilink "fortilink"
                set switch-mac-policy "IoT"
            next
        end

3. Enable NAC mode on the desired FortiSwitch ports:

        config switch-controller managed-switch
            edit "S248E***********"
                config ports
                    edit "port6"
                        set access-mode nac
                    next
                end
            next
        end

4. Configure a firewall policy to limit access for devices in this VLAN (vlan300).
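The page leaves the restrictive firewall policy for vlan300 to the reader. The following is an added example of one way to write it in the FortiOS CLI; it is not part of the original page. It assumes that the interface vlan300 and a WAN interface named wan1 exist, that the built-in "default" application control sensor, "default" IPS sensor and "certificate-inspection" SSL profile are used, and that an interface named internal carries the trusted LAN; the policy IDs, policy names and service selection are illustrative and should be adapted to the network.

```text
# Added example (not from the original page). Quarantine egress policy for
# vlan300: vulnerable devices may only resolve names, sync time and reach
# HTTPS destinations, and that traffic is inspected by application control
# and IPS. Everything else from vlan300 is dropped by the implicit deny.
config firewall policy
    edit 300
        set name "vlan300-quarantine-egress"
        set srcintf "vlan300"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "NTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
    # Explicit deny with logging toward the trusted LAN. The implicit deny
    # would already drop this traffic; the explicit policy exists so that
    # lateral-movement attempts from quarantined devices show up in the logs.
    edit 301
        set name "vlan300-deny-internal"
        set srcintf "vlan300"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policy order matters: the deny toward internal must sit above any broader accept policy whose source interface could include vlan300, and neither policy should use "any" as the source interface, or devices that have not yet been matched by the NAC policy would fall under the same rules. After a device is moved to vlan300, check the forward traffic log for that source interface to confirm that only the intended services are being accepted.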