FortiGate model interface settings
In order to properly process connecting VPN clients, the following Connection States are required on the FortiGate Device Model:
- VPN interface must either be "Device" or "Multiple Hosts" (never "Uplink").
- Interfaces connecting to other network infrastructure devices must be "Uplink".
See below for additional details.
System Defined Uplink Count
Configure FortiNAC such that the VPN interface does not automatically change to "Uplink". Otherwise, all clients would be marked as offline and the FSSO tags removed, affecting network access.
- Navigate to Network > Settings > Network Device.
- Set the System Defined Uplink Count to a value greater than the maximum number of VPN clients that could be online at the same time. For additional details on this value, see System Defined Uplink Count under Network device of the Administration Guide.
Other FortiGate Interfaces
Ensure the FortiGate uplink interfaces have the "Uplink" connection state in the Ports View. Otherwise, MAC addresses for VPN sessions may be detected on an interface other than the VPN and not be processed.
If the FortiGate is located towards the edge of the network, FortiNAC may not automatically set ports as uplinks due to the low number of MAC addresses detected.
- Navigate to Network > Inventory.
- Select the FortiGate Device Model and click the Ports tab.
- Manually set any uplink ports that do not have a Connection State of "Uplink".
  a. Right-click on a port and select Port Properties.
  b. Select Always Uplink.
  c. Click OK to save.