Create a new NAC policy
This section describes how to create a new FortiSwitch network access control (NAC) policy.
You can create a NAC policy that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match the policy are assigned to a specific VLAN or have port-specific settings applied to them.
For more information about NAC, see FortiSwitch network access control in the FortiSwitch Administration Guide.
NAC policies can be created whether the FortiSwitch is in central management mode or per-device management mode, and the changes are saved to the FortiGate database.
You must enable the visibility of this feature in Policy & Objects before it can be configured. To toggle feature visibility, go to Policy & Objects > Tools > Feature Visibility, and add or remove a checkmark for the corresponding feature.
To create a NAC policy:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package in which you will be creating the new policy, select NAC Policy.
- Click Create New.
- Enter the following information:
| Option | Description |
|---|---|
| Name | Enter a unique name for the policy. Each policy must have a unique name. This field is required. |
| Status | Set the policy to Enabled or Disabled. |
| FortiLink Interface | Use the search field to find and select the FortiLink interface. |
| FortiSwitch Groups | Select All or Specify the FortiSwitch groups. |
| Description | Add a description of the policy, such as its purpose, or the changes that have been made to it. |
| **Device Patterns** | |
| Category | Select Device, User, EMS Tag, or Vulnerability. Vulnerability is only available in 7.4 and later ADOMs. For Device pattern fields, you can use the wildcard `*` character when entering the value to be matched. |
| MAC Address | Enable or disable matching a MAC address, then enter a MAC address. Only available if Category is Device. |
| Hardware Vendor | Enable or disable matching a hardware vendor, then enter a hardware vendor name. Only available if Category is Device. |
| Device Family | Enable or disable matching a device family, then enter a device family name. Only available if Category is Device. |
| Type | Enable or disable matching a device type, then enter a device type. Only available if Category is Device. |
| Operating System | Enable or disable matching an operating system, then enter an operating system. Only available if Category is Device. |
| User group | Select a user group. Only available if Category is User. |
| FortiClient EMS Tag | Select a FortiClient EMS tag. Only available if Category is EMS Tag. |
| Severity | Configure the severity number (0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical). Only available if Category is Vulnerability. |
| **Switch Controller Action** | |
| Assign VLAN | Enable to select a VLAN interface for the switch controller action. |
| Bounce Port | Enable or disable the bounce port. |
| Assign device to dynamic address | Enable to use a dynamic firewall address for matching a device, then select the address. For more information, see To create a dynamic firewall address for the NAC policy. |
| **Wireless Controller Action** | |
| Assign VLAN | Enable to select a VLAN interface for the wireless controller action. |
| **Revision** | |
| Change Note | Add a description of the changes being made to the policy. This field is required. |

- Click OK to create the policy.

You can enable or disable the policy from the right-click menu. When a policy is disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, new policies are added to the bottom of the list, but above the implicit policy.
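To make the device-pattern and ordering behaviour above concrete, here is an added Python model of how a sequence of NAC policies classifies a device; it is not Fortinet code. It assumes that all enabled Device fields must match (AND), that `*` follows fnmatch wildcard rules, that a Vulnerability policy matches devices at or above its configured severity, and that policies are evaluated in sequence order with the first match winning and the implicit policy as the fallback; every device, policy, VLAN and tag name below is a constructed sample.

```python
# Added model of NAC policy matching; not Fortinet code. Assumptions the page does not state:
# enabled Device fields are AND-ed, '*' wildcards follow fnmatch rules, Vulnerability matches
# at or above the configured severity, policies apply in sequence order and first match wins.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class Device:                        # what the switch controller learned about an endpoint
    mac: str
    hw_vendor: str = ""
    family: str = ""
    dev_type: str = ""
    os: str = ""
    user_group: Optional[str] = None
    ems_tags: frozenset = frozenset()
    vuln_severity: int = 0           # 0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical

@dataclass
class NacPolicy:
    name: str
    category: str                    # "Device", "User", "EMS Tag" or "Vulnerability"
    assign_vlan: Optional[str] = None    # Switch Controller Action > Assign VLAN
    enabled: bool = True             # Status
    patterns: dict = field(default_factory=dict)  # enabled Device fields -> value, may use '*'
    user_group: Optional[str] = None
    ems_tag: Optional[str] = None
    severity: int = 0

    def matches(self, d: Device) -> bool:
        if not self.enabled:
            return False
        if self.category == "Device":
            # a Device policy with no enabled field matches nothing, so it cannot become a catch-all
            return bool(self.patterns) and all(
                fnmatchcase(getattr(d, f).lower(), pat.lower()) for f, pat in self.patterns.items())
        if self.category == "User":
            return self.user_group is not None and d.user_group == self.user_group
        if self.category == "EMS Tag":
            return self.ems_tag is not None and self.ems_tag in d.ems_tags
        if self.category == "Vulnerability":
            return d.vuln_severity >= self.severity
        raise ValueError(f"unknown category {self.category!r}")

def assign_vlan(policies, device, implicit_vlan="onboarding"):
    """Return (policy name, VLAN) of the first matching enabled policy, else the implicit policy."""
    for p in policies:
        if p.matches(device):
            return p.name, p.assign_vlan
    return "implicit", implicit_vlan
```

A useful check when reviewing a policy package is to run every learned device through a model like this and confirm that nothing lands on the implicit policy unintentionally and that no disabled or overly broad pattern shadows a stricter one lower in the sequence.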
To create a dynamic firewall address for the NAC policy:
- Go to Policy & Objects > Firewall Objects > Addresses.
- Click Create New.
- From the Type dropdown, select Dynamic.
- For the Sub Type field, select Switch Controller NAC Policy Tag.
- From the Interface dropdown, select the FortiLink interface.
- Configure the other options, as needed.
- Click OK to save the dynamic firewall address.
You can now use the dynamic firewall address in a NAC policy through the Assign device to dynamic address option. The dynamic firewall address will be included when the NAC policy is deployed.