Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Fortinet Security Fabric/FSSO Integration

    Home FortiNAC-F 7.2.0 Fortinet Security Fabric/FSSO Integration
    7.2.0
    7.2.0

    How it Works

    How it Works

    • When an online registered device matches a FortiNAC Network Access Policy, FortiNAC sends to the FortiGate one of the following:

      • Firewall Tag

      • User or Administrator Group

      • Host Group

        Note

        Network Access Policies do not match:

    • Unregistered (Rogue) devices

    • Offline registered hosts

      Therefore, this process would not apply.

    • FortiGate regularly polls FortiNAC and imports those Firewall Tags and groups. These can be used to create SSO User Groups. The SSO User Groups are used to build IPv4 policies in order to apply the network access segmentation.

    • When a registered device’s connection status changes, FortiNAC sends SSO message to FortiGate containing:

      • IP address - Device

      • User ID or MAC address - User

      • Group – Group Filter

        • User Group, Host Group or Firewall Tag defined within FortiNAC

    • FortiGate uses this information to build a SSO session and apply the appropriate IPv4 policy to the device.

    • As devices disconnect, FortiNAC updates the FortiGate. The SSO session is torn down and the policies previously applied are removed.

    • Host status takes precedence over a matching policy. For example, FortiNAC will not apply a matching policy for network access if the registered device is marked At-Risk. Instead, the At-Risk device would be provisioned the “Quarantine” network access as configured in the FortiGate device model.

    For a more details, see Connection Process in the Appendix.

    • FortiNAC automatically resynchronizes with the FortiGate every 15 minutes. If FortiNAC detects the FortiGate is missing SSO sessions, FortiNAC will re-add them.

    • FortiGates/FortiSwitches managed by FortiManager: When FortiNAC makes any changes to the FortiGate or FortiSwitch, the Fortigate/FortiSwitch updates FortiManager. This keeps FortiManager in sync.

    Previous
    Next

    How it Works

    How it Works

    • When an online registered device matches a FortiNAC Network Access Policy, FortiNAC sends to the FortiGate one of the following:

      • Firewall Tag

      • User or Administrator Group

      • Host Group

        Note

        Network Access Policies do not match:

    • Unregistered (Rogue) devices

    • Offline registered hosts

      Therefore, this process would not apply.

    • FortiGate regularly polls FortiNAC and imports those Firewall Tags and groups. These can be used to create SSO User Groups. The SSO User Groups are used to build IPv4 policies in order to apply the network access segmentation.

    • When a registered device’s connection status changes, FortiNAC sends SSO message to FortiGate containing:

      • IP address - Device

      • User ID or MAC address - User

      • Group – Group Filter

        • User Group, Host Group or Firewall Tag defined within FortiNAC

    • FortiGate uses this information to build a SSO session and apply the appropriate IPv4 policy to the device.

    • As devices disconnect, FortiNAC updates the FortiGate. The SSO session is torn down and the policies previously applied are removed.

    • Host status takes precedence over a matching policy. For example, FortiNAC will not apply a matching policy for network access if the registered device is marked At-Risk. Instead, the At-Risk device would be provisioned the “Quarantine” network access as configured in the FortiGate device model.

    For a more details, see Connection Process in the Appendix.

    • FortiNAC automatically resynchronizes with the FortiGate every 15 minutes. If FortiNAC detects the FortiGate is missing SSO sessions, FortiNAC will re-add them.

    • FortiGates/FortiSwitches managed by FortiManager: When FortiNAC makes any changes to the FortiGate or FortiSwitch, the Fortigate/FortiSwitch updates FortiManager. This keeps FortiManager in sync.

    Previous
    Next