
Administration Guide

7.2.0

System groups

The groups listed below are default system groups that exist within the FortiNAC database. They cannot be deleted. Some groups need to be fine-tuned to your network, because membership in them decides which ports and devices FortiNAC will actually enforce on. Details are included in the table below.

Group

Definition

Administrator

All Management

FortiNAC administrators with all management access rights. Initially contains only admin and root. New administrators are added to this group automatically. This is the default group for e-mail notifications triggered by alarms.

Add users to your own specific Administrator groups to give them privileges to manage (disable and enable) specific hosts and ports. If you place a user into your own Administrator group, be sure to remove that user from the All Management group. See Limit user access with groups.

Port

Access Point Management

Ports with authorized access points connected and FortiNAC serving DHCP. Examples are dumb hubs or wireless units. FortiNAC provides management of hosts connecting through these access points.

Authorized Access Points

Ports that have authorized access points connected. Access points that connect to these ports do not generate Multi Access Point Detected events or alarms and the port is not switched to another VLAN during, for example, Forced Registration or role management VLAN Switching.

Access points that connect to ports that are not in this group do generate an event or alarm.

Add switch ports that connect to hubs and wireless access points to this group.

Forced Authentication

Ports that participate in forced authentication when unauthenticated users connect. When a host connects to a port in this group and its user is not authenticated, the port is switched to the isolation VLAN and the host is forced to authenticate before it is given network access.

Forced Registration

Ports that participate in forced registration when unregistered hosts connect.

Add switch ports to this group if they should participate in forced registration. Only ports in this group have their VLAN ID set to the Registration VLAN when an unregistered host connects; an unregistered host on a port outside the group is not moved to the Registration VLAN.

Forced Remediation

Ports that participate in forced remediation VLAN switching when hosts connect.

Reset Forced Default

Ports that return to the default VLAN when hosts disconnect.

Reset Forced Registration

Ports that return to Registration when hosts disconnect.

Role-Based Access

Ports that participate in role-based access and switch VLANs, based on the role of network devices, such as printers, when they connect.

Add switch ports that participate in VLAN switching. Ports that participate have their VLAN ID set to the role specified for the connected network device.

Example:

A printer is set up with the role “Accounting”. When the printer connects to a port in this group, the printer is switched to the VLAN associated with the “Accounting” role.

System DHCP Port

The port used to discover unauthorized DHCP servers and validate authorized DHCP servers.

Device

Authorized DHCP Servers

Servers that are authorized to serve DHCP on the network.

Bridging Devices

Devices that support the SNMP bridging MIB.

Note: This group has been replaced by the L2 Network Devices group.

Device Interface Status

Devices created through Discovery or created manually are automatically added to this group. Use this group in conjunction with the task scheduler to periodically update the interface status for each device in the group.

L2 Network Devices

Devices that support the standard IEEE 802.1D bridge table (the forwarding database exposed through the SNMP BRIDGE-MIB), which FortiNAC reads to learn which MAC addresses sit behind which switch ports. This group is also used for filtering the list of devices displayed on the L2 Network Devices window. As new L2 devices are discovered they are added automatically to this group and to either L2 Wired Devices or L2 Wireless Devices.

L2 Wired Devices

A sub-group of L2 Network Devices that is used for filtering on the L2 Network Devices window. L2 Wired Devices are added to this group automatically as they are discovered.

Note: Removing a device from this group does not disable L2 (Hosts) Polling under the Polling tab in Inventory.

L2 Wireless Devices

A sub-group of L2 Network Devices that is used for filtering on the L2 Network Devices window. L2 Wireless Devices are added to this group automatically as they are discovered.

Note: Removing a device from this group does not disable L2 (Hosts) Polling under the Polling tab in Inventory.

L3 (IP-->MAC)

This group must be populated manually with your L3 devices. The L3 group can be used for filtering on the L3 Polling window.

Physical Address Filtering

Devices that participate in the enabling and disabling of hosts.

Add switches that participate in host disabling to this group. If a host is connected to a switch that is not in the physical address filtering group, and that host is disabled through FortiNAC, the host remains connected to the network and is displayed as in violation. Add the switch regardless of whether a host is disabled through a Dead End VLAN, or through MAC address security.

Host view

Forced Scan Exceptions

Hosts that do not participate in forced scans.

Forced User Authentication Exceptions

Hosts that do not participate in forced user authentication.

Forced Remediation Exceptions

Hosts are scanned and can be marked "at risk", but are never put into remediation. Scan results are stored allowing the administrator to review the results and take corrective action without disrupting users on the network.

Global Agent Update Exceptions

Hosts in this group are excluded from automatic Persistent Agent Updates. Updates are controlled by MAC address. If a host has more than one MAC address, as long as any one of its MAC addresses is listed in this group the host is not updated.

Registered Hosts

Group of all registered hosts.

Rogue Hosts

This group has a special property that controls whether or not rogue hosts can access the network. Under Group Properties for this group, the Access field can be set to either Deny or Allow.

  • Deny: If the Access field is set to Deny, rogue hosts in this group are denied network access until they register and any new unregistered hosts are automatically put into the group as they connect to the network.
  • Allow: If the Access field is set to Allow, rogue hosts in this group are permitted to access the network and any new unregistered hosts are not added to the group.

Devices that are not in the Inventory but are connected to managed switches are created as rogue hosts.

If rogue hosts are denied access to the network, they are disabled. To prevent this from causing problems with new devices such as printers, lab hosts or servers, you must register them as devices or as hosts. See Register a host as a device or Add or modify a host for detailed instructions.
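The two mechanisms the table relies on, an L2 (Hosts) poll of a switch's 802.1D bridge table and the classification of any MAC not in the Inventory as a rogue host, can be illustrated together. The following is an added example written for this page; it is not FortiNAC code. It parses constructed snmpwalk-style output for the standard BRIDGE-MIB objects dot1dTpFdbPort and dot1dBasePortIfIndex (real, standard OIDs), resolves each learned MAC to the switch interface behind which it was seen, and then splits the result into known hosts and rogues against a constructed inventory set. The walk text, the inventory contents and the function names are all assumptions made for the illustration.

```python
"""Added illustration (not FortiNAC code): an L2 poll of an 802.1D bridge
table and rogue-host classification of MACs that are not in the Inventory.
The walk output and inventory below are constructed sample data."""

import re
from typing import Dict, List, Tuple

# Standard BRIDGE-MIB (RFC 4188) OIDs.
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # dot1dTpFdbPort, indexed by 6 MAC octets
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # dot1dBasePortIfIndex, indexed by bridge port

# Constructed snmpwalk-style output from one switch that supports the bridge table:
# three bridge ports mapped to ifIndex values, and three learned MACs.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 10101
.1.3.6.1.2.1.17.1.4.1.2.2 = INTEGER: 10102
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10103
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.170.187.204.221.238.255 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.222.173.190.239.0.1 = INTEGER: 3
"""

# Constructed inventory: MACs already registered as hosts or devices.
INVENTORY = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"}

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*INTEGER:\s*(?P<val>\d+)\s*$")


def parse_walk(text: str) -> Tuple[Dict[int, int], Dict[str, int]]:
    """Return (bridge_port -> ifIndex, mac -> bridge_port) from a numeric walk."""
    port_to_ifindex: Dict[int, int] = {}
    mac_to_port: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an INTEGER varbind
        oid, val = m.group("oid"), int(m.group("val"))
        if oid.startswith(DOT1D_BASE_PORT_IFINDEX + "."):
            port_to_ifindex[int(oid[len(DOT1D_BASE_PORT_IFINDEX) + 1:])] = val
        elif oid.startswith(DOT1D_TP_FDB_PORT + "."):
            octets = oid[len(DOT1D_TP_FDB_PORT) + 1:].split(".")
            if len(octets) != 6:
                continue  # malformed index: skip rather than guess at a MAC
            mac = ":".join(f"{int(o):02x}" for o in octets)
            mac_to_port[mac] = val
    return port_to_ifindex, mac_to_port


def l2_poll(text: str) -> Dict[str, int]:
    """MAC -> ifIndex: which switch interface each learned host was seen behind."""
    port_to_ifindex, mac_to_port = parse_walk(text)
    # A bridge port with no ifIndex mapping cannot be tied to an interface, so it is dropped.
    return {mac: port_to_ifindex[p] for mac, p in mac_to_port.items() if p in port_to_ifindex}


def classify(seen: Dict[str, int], inventory) -> Dict[str, List[str]]:
    """Split polled MACs into known hosts and rogues (connected but not in the Inventory)."""
    known = sorted(m for m in seen if m in inventory)
    rogue = sorted(m for m in seen if m not in inventory)
    return {"known": known, "rogue": rogue}


if __name__ == "__main__":
    seen = l2_poll(SAMPLE_WALK)
    for mac, ifidx in seen.items():
        print(f"{mac} behind ifIndex {ifidx}")
    print(classify(seen, INVENTORY))
```

With the sample walk, the third MAC (de:ad:be:ef:00:01) is not in the inventory and lands in the rogue list; this is the state in which a printer or server that was never registered would be disabled if the Rogue Hosts group's Access field is set to Deny, which is why such devices must be registered first.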
