Fortinet white logo
Fortinet white logo

Administration Guide

OT and IoT virtual patching on NAC policies

OT and IoT virtual patching on NAC policies

OT and IoT virtual patching can be applied to a NAC policy by setting the category to Vulnerability and configuring the Match criteria based on severity. Devices that match the criteria can be assigned and isolated to a NAC VLAN.

Example

In this example, a device with a certain vulnerability severity is detected by the NAC policy on the FortiGate. Subsequently, the FortiSwitch port in which it is connected to is moved to vlan300 where traffic can be controlled for vulnerable devices. For more information about NAC policies, see Defining a FortiSwitch NAC policy in the FortiLink Administration Guide. This example assumes the vlan300 has already been configured.

The following settings are required for IoT device detection:

  • A valid Attack Surface Security Rating service license to download the IoT signature package.

  • Enable device detection on the LAN interface used by IoT devices.

    • In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.

    • In the CLI, enter:

      config system interface
          edit <name>
              set device-identification enable
          next
      end
  • Configure a firewall policy with an application control sensor.

To configure virtual patching on NAC policies
  1. Configure the NAC policy:

    1. Go to WiFi & Switch Controller > NAC Policies and click Create New, or edit an existing policy.

    2. In the Device Patterns section, set Category to Vulnerability.

    3. Set Match to Severity is at least and select a severity level (Information is used in this example).

    4. In the Switch Controller Action section, enable Assign VLAN and select vlan300.

    5. Configure the other settings as needed.

    6. Click OK.

  2. Enable NAC mode on the desired FortiSwitch ports (port6 in this example):

    1. Go to WiFi & Switch Controller > FortiSwitch Ports.

    2. Select port6, then right-click and set the Mode to NAC.

  3. Enable application control on the firewall policy that is used to control outbound internet access for vulnerable devices (vlan300 to port1)

  4. Generate traffic on the vulnerable client device.

  5. Once the NAC policy is matched, go to WiFi & Switch Controller > NAC Policies to view the device matched to the policy.

    The vulnerable device is also shown on Dashboards > Assets & Identities in the Matched NAC Devices widget.

To configure virtual patching on NAC policies in the CLI:
  1. Configure the VLAN in the MAC policy:

    config switch-controller mac-policy
        edit "IoT"
            set fortilink "fortilink"
            set vlan "vlan300"
        next
    end
  2. Configure the NAC policy:

    config user nac-policy
        edit "IoT"
            set category vulnerability
            set severity 0 1 2 3 4
            set switch-fortilink "fortilink"
            set switch-mac-policy "IoT"
        next
    end
  3. Enable NAC mode on the desired FortiSwitch ports:

    config switch-controller managed-switch
        edit "S248E***********"
            config ports
                edit "port6"
                    set access-mode nac
                next
            end
        next
    end
  4. Configure a firewall policy to limit access for devices in this VLAN (vlan300).

OT and IoT virtual patching on NAC policies

OT and IoT virtual patching on NAC policies

OT and IoT virtual patching can be applied to a NAC policy by setting the category to Vulnerability and configuring the Match criteria based on severity. Devices that match the criteria can be assigned and isolated to a NAC VLAN.

Example

In this example, a device with a certain vulnerability severity is detected by the NAC policy on the FortiGate. Subsequently, the FortiSwitch port in which it is connected to is moved to vlan300 where traffic can be controlled for vulnerable devices. For more information about NAC policies, see Defining a FortiSwitch NAC policy in the FortiLink Administration Guide. This example assumes the vlan300 has already been configured.

The following settings are required for IoT device detection:

  • A valid Attack Surface Security Rating service license to download the IoT signature package.

  • Enable device detection on the LAN interface used by IoT devices.

    • In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.

    • In the CLI, enter:

      config system interface
          edit <name>
              set device-identification enable
          next
      end
  • Configure a firewall policy with an application control sensor.

To configure virtual patching on NAC policies
  1. Configure the NAC policy:

    1. Go to WiFi & Switch Controller > NAC Policies and click Create New, or edit an existing policy.

    2. In the Device Patterns section, set Category to Vulnerability.

    3. Set Match to Severity is at least and select a severity level (Information is used in this example).

    4. In the Switch Controller Action section, enable Assign VLAN and select vlan300.

    5. Configure the other settings as needed.

    6. Click OK.

  2. Enable NAC mode on the desired FortiSwitch ports (port6 in this example):

    1. Go to WiFi & Switch Controller > FortiSwitch Ports.

    2. Select port6, then right-click and set the Mode to NAC.

  3. Enable application control on the firewall policy that is used to control outbound internet access for vulnerable devices (vlan300 to port1)

  4. Generate traffic on the vulnerable client device.

  5. Once the NAC policy is matched, go to WiFi & Switch Controller > NAC Policies to view the device matched to the policy.

    The vulnerable device is also shown on Dashboards > Assets & Identities in the Matched NAC Devices widget.

To configure virtual patching on NAC policies in the CLI:
  1. Configure the VLAN in the MAC policy:

    config switch-controller mac-policy
        edit "IoT"
            set fortilink "fortilink"
            set vlan "vlan300"
        next
    end
  2. Configure the NAC policy:

    config user nac-policy
        edit "IoT"
            set category vulnerability
            set severity 0 1 2 3 4
            set switch-fortilink "fortilink"
            set switch-mac-policy "IoT"
        next
    end
  3. Enable NAC mode on the desired FortiSwitch ports:

    config switch-controller managed-switch
        edit "S248E***********"
            config ports
                edit "port6"
                    set access-mode nac
                next
            end
        next
    end
  4. Configure a firewall policy to limit access for devices in this VLAN (vlan300).