Administration Guide

Create a new NAC policy

This section describes how to create a new FortiSwitch network access control (NAC) policy.

You can create a NAC policy that matches devices with the specified device criteria, devices belonging to a specified user group, devices with a specified FortiClient EMS tag, or (in 7.4 and later ADOMs) devices with a specified vulnerability severity. Devices that match the policy are assigned to a specific VLAN or have port-specific settings applied to them.

For more information about NAC, see FortiSwitch network access control in the FortiSwitch Administration Guide.

NAC policies can be created whether the FortiSwitch is in central management mode or per-device management mode, and the changes are saved to the FortiGate database.

Note

You must enable the visibility of this feature in Policy & Objects before it can be configured. To toggle feature visibility, go to Policy & Objects > Tools > Feature Visibility, and add or remove a checkmark for the corresponding feature.

To create a NAC policy:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select NAC Policy.
  4. Click Create New.
  5. Enter the following information:

    Name: Enter a unique name for the policy. This field is required.

    Status: Set the policy to Enabled or Disabled.

    FortiLink Interface: Use the search field to find and select the FortiLink interface.

    FortiSwitch Groups: Select All, or select Specify and choose the FortiSwitch groups the policy applies to.

    Description: Add a description of the policy, such as its purpose or the changes that have been made to it.

    Device Patterns

    Category: Select Device, User, EMS Tag or Vulnerability. Vulnerability is only available in 7.4 and later ADOMs. For Device pattern fields, you can use the wildcard * character when entering the value to be matched.

    MAC Address: Enable or disable matching a MAC address, then enter a MAC address. Only available if Category is Device.

    Hardware Vendor: Enable or disable matching a hardware vendor, then enter a hardware vendor name. Only available if Category is Device.

    Device Family: Enable or disable matching a device family, then enter a device family name. Only available if Category is Device.

    Type: Enable or disable matching a device type, then enter a device type. Only available if Category is Device.

    Operating System: Enable or disable matching an operating system, then enter an operating system. Only available if Category is Device.

    User group: Select a user group. Only available if Category is User.

    FortiClient EMS Tag: Select a FortiClient EMS tag. Only available if Category is EMS Tag.

    Severity: Configure the severity number (0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical). Only available if Category is Vulnerability.

    Switch Controller Action

    Assign VLAN: Enable, then select the VLAN interface that matching devices are assigned to on the FortiSwitch port.

    Bounce Port: Enable or disable bouncing the switch port (administratively taking the link down and back up) when the policy is applied to a device on that port, so the device re-requests its address on the new VLAN.

    Assign device to dynamic address: Enable to add matching devices to a dynamic firewall address (one with the Sub Type Switch Controller NAC Policy Tag), then select the address. The address can then be referenced in firewall policies. For more information, see To create a dynamic firewall address for the NAC policy.

    Wireless Controller Action

    Assign VLAN: Enable, then select the VLAN interface that matching devices are assigned to on the wireless controller.

    Revision

    Change Note: Add a description of the changes being made to the policy. This field is required.
  6. Click OK to create the policy. You can enable or disable the policy from its right-click menu. When a policy is disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, new policies are added to the bottom of the list, above the implicit policy. Because policies are evaluated in sequence order, place more specific or more restrictive policies (for example, a vulnerability-based quarantine policy) above broader ones.
To create a dynamic firewall address for the NAC policy:
  1. Go to Policy & Objects > Firewall Objects > Addresses.
  2. Click Create New.
  3. From the Type dropdown, select Dynamic.
  4. For the Sub Type field, select Switch Controller NAC Policy Tag.
  5. From the Interface dropdown, select the FortiLink interface.
  6. Configure the other options, as needed.
  7. Click OK to save the dynamic firewall address.

    You can now use the dynamic firewall address in a NAC policy through the Assign device to dynamic address option. The dynamic firewall address will be included when the NAC policy is deployed.
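The two procedures above configure objects in the GUI; they do not show how the resulting policy list behaves once deployed. The following is an added example, not code from the guide or from Fortinet, that models a sequence-ordered list of NAC policies evaluated against discovered devices. Everything in it is a constructed assumption: the policy and device names, the VLAN and dynamic address names, that the first enabled matching policy in sequence order wins, that the wildcard * in Device pattern fields behaves like a glob, that a Device policy must match every field it enables, that a Vulnerability policy matches when the device's highest vulnerability severity (0 to 4) is among the configured severity numbers, and that the implicit policy at the bottom applies no action. It also models the dynamic firewall address (Sub Type Switch Controller NAC Policy Tag) as a set of member MAC addresses that the matching policy populates.

```python
# Added example (not from the FortiManager guide or Fortinet): a model of how a
# sequence-ordered FortiSwitch NAC policy list is evaluated against a device.
# Assumed semantics (the guide does not specify them): first enabled match in
# sequence order wins; '*' in a Device pattern field is a glob wildcard; all
# enabled Device fields must match; a Vulnerability policy matches when the
# device's highest severity is one of the configured numbers; the implicit
# policy at the bottom applies no action.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Device:
    mac: str
    hw_vendor: str = ""
    family: str = ""
    dev_type: str = ""
    os: str = ""
    user_groups: frozenset = frozenset()
    ems_tags: frozenset = frozenset()
    max_vuln_severity: Optional[int] = None  # None: no vulnerability data for the device


@dataclass
class NacPolicy:
    name: str
    category: str                       # "Device", "User", "EMS Tag" or "Vulnerability"
    status: str = "Enabled"
    device_patterns: dict = field(default_factory=dict)  # only the enabled Device fields
    user_group: str = ""
    ems_tag: str = ""
    severities: frozenset = frozenset()
    switch_vlan: str = ""               # Switch Controller Action > Assign VLAN
    bounce_port: bool = False           # Switch Controller Action > Bounce Port
    dynamic_address: str = ""           # Assign device to dynamic address
    wireless_vlan: str = ""             # Wireless Controller Action > Assign VLAN

    def matches(self, d: Device) -> bool:
        if self.status != "Enabled":
            return False
        if self.category == "Device":
            # every enabled pattern field must match; comparison is case-insensitive
            return bool(self.device_patterns) and all(
                fnmatchcase(getattr(d, f).lower(), pat.lower())
                for f, pat in self.device_patterns.items())
        if self.category == "User":
            return self.user_group in d.user_groups
        if self.category == "EMS Tag":
            return self.ems_tag in d.ems_tags
        if self.category == "Vulnerability":
            return d.max_vuln_severity in self.severities
        raise ValueError(f"unknown category {self.category!r}")


IMPLICIT = NacPolicy("implicit", "Device")  # bottom of the list: never matches, no action


def _action(p: NacPolicy) -> dict:
    return {"policy": p.name, "switch_vlan": p.switch_vlan, "bounce_port": p.bounce_port,
            "dynamic_address": p.dynamic_address, "wireless_vlan": p.wireless_vlan}


def evaluate(policies, d: Device, dyn_addrs: dict) -> dict:
    """Return the action of the first enabled policy that matches d.
    dyn_addrs maps dynamic firewall address name -> set of member MACs and is
    updated when the matching policy assigns the device to such an address."""
    for p in policies:
        if p.matches(d):
            if p.dynamic_address:
                dyn_addrs.setdefault(p.dynamic_address, set()).add(d.mac.lower())
            return _action(p)
    return _action(IMPLICIT)


# Constructed sample policy list, in sequence order (top to bottom). The
# quarantine policy sits above the EMS tag policy so a compliant-tagged host
# with a critical vulnerability is still quarantined.
POLICIES = [
    NacPolicy("quarantine-vuln", "Vulnerability", severities=frozenset({3, 4}),
              switch_vlan="quarantine", bounce_port=True),
    NacPolicy("ip-phones", "Device",
              device_patterns={"hw_vendor": "Cisco*", "dev_type": "IP Phone"},
              switch_vlan="voice"),
    NacPolicy("cameras", "Device", status="Disabled",
              device_patterns={"family": "Camera"}, switch_vlan="cctv"),
    NacPolicy("ems-compliant", "EMS Tag", ems_tag="compliant", switch_vlan="corp",
              dynamic_address="nac-compliant-hosts", wireless_vlan="corp-wifi"),
    NacPolicy("contractors", "User", user_group="contractors", switch_vlan="guest"),
]


def demo():
    """Evaluate constructed sample devices; returns (results by MAC, dynamic addresses)."""
    dyn = {}
    devices = [
        Device("00:11:22:33:44:55", hw_vendor="Cisco Systems", dev_type="IP Phone"),
        Device("aa:bb:cc:dd:ee:01", family="Camera"),  # only a disabled policy matches
        Device("aa:bb:cc:dd:ee:02", ems_tags=frozenset({"compliant"}), max_vuln_severity=4),
        Device("aa:bb:cc:dd:ee:03", ems_tags=frozenset({"compliant"}), max_vuln_severity=1),
        Device("aa:bb:cc:dd:ee:04", user_groups=frozenset({"contractors"})),
    ]
    results = {d.mac: evaluate(POLICIES, d, dyn) for d in devices}
    return results, dyn
```

Running demo() shows the points the procedure leaves implicit: the camera only matches a disabled policy and therefore falls through to the implicit policy; the two EMS-tagged hosts get different outcomes purely because of the severity check in the policy that sits above the tag policy; and only the host that reached the ems-compliant policy becomes a member of the nac-compliant-hosts dynamic address, which is what a firewall policy referencing that address would then see.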