New Features

NAC policy added to policy package 7.2.1

The network access control (NAC) policy is added to manage policies for FortiSwitches in per-device or central management mode.

You can create a NAC policy that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match the policy are assigned to a specific VLAN or have port-specific settings applied to them.

FortiSwitch Manager also supports dynamic port policy and FortiLink configuration.

This topic includes steps to create a NAC policy, a dynamic firewall address for the NAC policy, a dynamic port policy, and a FortiLink Settings template.

To create a NAC Policy:

Note: To make the NAC Policy option available, you must enable it in the Display Options for Policy & Objects. Go to Policy & Objects > Tools > Display Options. In the Policy section, select the checkbox for NAC Policy and click OK. The NAC Policy option will now display in the tree menu.

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the FortiGate policy package, select NAC Policy.
  4. Click Create New.
  5. Enter the following information:

    Name: Enter a unique name for the policy.
    Status: Set the policy to Enabled or Disabled.
    FortiLink Interface: Use the search field to find and select the FortiLink interface.
    FortiSwitch Groups: Select All, or select Specify and choose the FortiSwitch groups.
    Description: Optionally, add a description for the policy.

    Device Patterns
    Category: Select Device, User, or EMS Tag. For Device pattern fields, you can use the wildcard * character when entering the value to be matched.
    MAC Address: Enable or disable matching a MAC address, then enter a MAC address. Only available if Category is Device.
    Hardware Vendor: Enable or disable matching a hardware vendor, then enter a hardware vendor name. Only available if Category is Device.
    Device Family: Enable or disable matching a device family, then enter a device family name. Only available if Category is Device.
    Type: Enable or disable matching a device type, then enter a device type. Only available if Category is Device.
    Operating System: Enable or disable matching an operating system, then enter an operating system. Only available if Category is Device.
    User group: Select a user group. Only available if Category is User.
    FortiClient EMS Tag: Select a FortiClient EMS tag. Only available if Category is EMS Tag.

    Switch Controller Action
    Assign VLAN: Enable to select a VLAN interface for the switch controller action.
    Bounce Port: Enable or disable the bounce port.
    Assign device to dynamic address: Enable to use a dynamic firewall address for matching a device, then select the address. See "To create a dynamic firewall address for the NAC Policy" below.

    Wireless Controller Action
    Assign VLAN: Enable to select a VLAN interface for the wireless controller action.

    Revision
    Change Note: Add a description of the changes being made to the policy. This field is required.

  6. Click OK to save the policy.

    You can now deploy the NAC policy using the Install Wizard. For example, see the install preview below:

To create a dynamic firewall address for the NAC Policy:
  1. Go to Policy & Objects > Object Configurations > Firewall Objects > Addresses.
  2. Click Create New.
  3. From the Type dropdown, select Dynamic.
  4. For the Sub Type field, select Switch Controller NAC Policy Tag.
  5. From the Interface dropdown, select the FortiLink interface.
  6. Configure the other options, as needed.

  7. Click OK to save the dynamic firewall address.

    You can now use the dynamic firewall address in a NAC policy through the Assign device to dynamic address option. For example, see the NAC policy configuration below:

    The firewall address will be included when the NAC policy is deployed. For example, see the install preview below:

To create a dynamic port policy:
  1. Go to FortiSwitch Manager > FortiSwitch Templates > Dynamic Port Policy.
  2. Click Create New, and enter a Name for the dynamic port policy.
  3. In the Policy Information section, click Create New.
  4. Enter the following information for the dynamic port policy rule:

    Name: Enter a unique name for the dynamic port policy rule.
    Status: Set the rule to Enabled or Disabled.
    Description: Optionally, enter a description for the rule.

    Device Patterns
    MAC Address: Enable or disable matching a MAC address, then enter a MAC address.
    Host: Enable or disable matching a host address, then enter a host address.
    Hardware Vendor: Enable or disable matching a hardware vendor, then enter a hardware vendor name.
    Device Family: Enable or disable matching a device family, then enter a device family name.
    Type: Enable or disable matching a device type, then enter a device type.

    Switch Controller Action
    LLDP Profile: Enable to select an LLDP profile for the switch controller action.
    QoS Policy: Enable to select a QoS policy for the switch controller action.
    802.1X Policy: Enable to select an 802.1X policy for the switch controller action.
    VLAN Policy: Enable to select a VLAN policy for the switch controller action.

  5. Click OK to save the dynamic port policy.
  6. Go to FortiSwitch Manager > FortiSwitch Templates > FortiSwitch Template.
  7. Click Create New, and enter a Template Name and Platform.
  8. In the Switch VLAN Assignments table, select a port and click Edit.

    The Edit VLAN Assignment dialog displays.

  9. For the Access Mode field, select dynamic.
  10. From the Port Policy dropdown, select the dynamic port policy.

  11. Click OK.
  12. Click OK to save the FortiSwitch Template.

    The configuration will be deployed to the FortiGate device when the template is assigned to a FortiSwitch. For example, see the install preview below:
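The Device Patterns tables for the NAC policy and for the dynamic port policy rule above describe the same matching model: each enabled pattern field (with * as a wildcard) must match what the switch controller has learned about the device, and a match triggers the rule's switch controller actions. The following Python script is an added example, not FortiManager or FortiOS code, that models this evaluation so the effect of wildcards, disabled fields, disabled rules and the User / EMS Tag categories can be checked offline. It assumes, because the page does not state it, that rules are evaluated in list order with the first match winning and that a Device rule with no enabled field matches nothing; all rule, VLAN and policy names are constructed samples.

```python
"""Added illustration, not FortiManager or FortiOS code: a model of how the Device
pattern fields of a NAC policy and of a dynamic port policy rule are evaluated.
Assumptions not stated in the documentation: rules are checked in list order and
the first match wins; a disabled field is simply absent; every enabled field must
match; a Device rule with no enabled field matches nothing."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Device:
    """What the switch controller has learned about an endpoint (constructed sample)."""
    mac: str
    hw_vendor: str = ""
    hw_family: str = ""
    dev_type: str = ""
    os: str = ""
    host: str = ""
    user_groups: frozenset = frozenset()   # from firewall user authentication
    ems_tags: frozenset = frozenset()      # from FortiClient EMS


@dataclass
class Rule:
    """One NAC policy or one dynamic port policy rule. `patterns` holds only the
    enabled Device pattern fields; `actions` holds the switch controller actions
    (Assign VLAN / Bounce Port for NAC, LLDP/QoS/802.1X/VLAN policy for port rules)."""
    name: str
    category: str = "device"          # "device", "user" or "ems-tag"
    status: bool = True
    patterns: dict = field(default_factory=dict)
    user_group: str = ""              # used when category == "user"
    ems_tag: str = ""                 # used when category == "ems-tag"
    actions: dict = field(default_factory=dict)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so AA-BB-.. and aa:bb:.. compare equal."""
    return mac.lower().replace("-", ":")


def device_patterns_match(patterns: dict, dev: Device) -> bool:
    """'*' is the wildcard the documentation allows in Device pattern fields; matching
    is case-insensitive, and every enabled field has to match."""
    if not patterns:
        return False
    for fld, pat in patterns.items():
        value = getattr(dev, fld)
        if fld == "mac":
            pat, value = normalize_mac(pat), normalize_mac(value)
        if not fnmatchcase(value.lower(), pat.lower()):
            return False
    return True


def rule_matches(rule: Rule, dev: Device) -> bool:
    if not rule.status:
        return False
    if rule.category == "device":
        return device_patterns_match(rule.patterns, dev)
    if rule.category == "user":
        return bool(rule.user_group) and rule.user_group in dev.user_groups
    if rule.category == "ems-tag":
        return bool(rule.ems_tag) and rule.ems_tag in dev.ems_tags
    raise ValueError(f"unknown category {rule.category!r}")


def first_match(rules, dev: Device):
    """Return the first matching rule's name and actions, or None when nothing matched
    (the device then keeps what the FortiLink settings give it, e.g. the onboarding VLAN)."""
    for rule in rules:
        if rule_matches(rule, dev):
            return {"rule": rule.name, **rule.actions}
    return None


# Constructed sample rules; every name is illustrative, not a real object.
NAC_POLICIES = [
    Rule("printers", patterns={"hw_vendor": "Brother*", "dev_type": "Printer"},
         actions={"assign_vlan": "vlan-printers", "bounce_port": False}),
    Rule("finance-users", category="user", user_group="finance",
         actions={"assign_vlan": "vlan-finance", "bounce_port": False}),
    Rule("ems-compliant", category="ems-tag", ems_tag="compliant",
         actions={"assign_vlan": "vlan-corp", "bounce_port": True}),
    Rule("catch-all-off", status=False, patterns={"mac": "*"},
         actions={"assign_vlan": "vlan-quarantine", "bounce_port": False}),
]
PORT_RULES = [
    Rule("ip-phones", patterns={"dev_type": "IP Phone"},
         actions={"lldp_profile": "voice-lldp", "qos_policy": "voice-qos", "vlan_policy": "voice-vlan"}),
    Rule("cameras", patterns={"hw_vendor": "Axis*", "mac": "02-AA-BB-*"},
         actions={"dot1x_policy": "camera-8021x", "vlan_policy": "cam-vlan"}),
]

if __name__ == "__main__":
    for d in (Device("AA-BB-CC-00-11-22", hw_vendor="Brother Industries", dev_type="Printer"),
              Device("02:aa:bb:01:02:03", hw_vendor="Axis Communications"),
              Device("00:00:00:00:00:01")):
        print(d.mac, first_match(NAC_POLICIES, d), first_match(PORT_RULES, d))
```

Ordering matters in this model: the laptop that is both in the finance user group and EMS-tagged compliant gets the finance VLAN because that rule is listed first, which is the kind of overlap worth checking before installing a policy package.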

To create a FortiLink Settings template:
  1. Go to FortiSwitch Manager > FortiSwitch Templates > FortiLink Settings.
  2. Click Create New.
  3. Enter the following information:

    Name: Enter a name for the FortiLink Settings template.
    NAC VLAN segmentation: Enable or disable NAC VLAN segmentation.
    Primary Interface: Select the primary interface.
    Onboarding VLAN: Select the onboarding VLAN interface.
    Segment VLANs: Select the segment VLANs.

  4. Click OK to save the FortiLink Settings template.
  5. Go to FortiSwitch Manager > FortiSwitch Templates > VDOM Settings, and edit a FortiGate's mapped FortiLink.
  6. From the NAC Settings dropdown, select the FortiLink Settings template.

  7. Click OK.

    The configuration can now be deployed to FortiGate devices, as needed. For example, see the install preview below:
