Network Access Control Concepts
Visibility
By integrating with and leveraging the entire network environment, FortiNAC delivers end-to-end, real-time visibility of all users and devices on the network, and monitors and logs all network activity over time for historical views and detailed reporting.
With up to 21 different techniques, FortiNAC can then profile and classify each element based on observed characteristics and responses, and can also call on FortiGuard’s IoT Services, a cloud-based database, for identification look-ups.
Classification of endpoints can be done actively or passively and can use permanent agents, dissolvable agents, or no agents at all. Additionally, FortiNAC can assess a device to see whether it matches an approved profile, noting where software updates are needed to patch vulnerabilities. With FortiNAC deployed, the entire network is known.
Classification of state, users and endpoint devices on the network allows the FortiNAC Platform to make real-time policy decisions and to perform dynamic policy enforcement based on current conditions. FortiNAC develops a model representing every user and endpoint device in the network. It associates user information including identity, role, and state. For instance:
- Is this a known user?
- Is this an authorized user?
- Is this a user who has been flagged as being “at risk” or non-compliant with security policy?
It also associates device information including device type, role, and state. For instance:
- Is this a known device or a rogue?
- Is it currently online or offline?
- Has it been flagged as being “at risk” or non-compliant with security policy?
State data is maintained in the central database of the FortiNAC Platform to be leveraged by the Policy Engine and Enforcement Engine.
Figure 1 – FortiNAC Dashboard, Host Summary, Fingerprint and Compliance.
Control
Policy Engine
The Policy Engine enables the creation of security policies tailored to individual users and endpoint devices based upon a rich set of information residing in the central database of the FortiNAC Platform. The Policy Engine also functions as a centralized policy decision point responsible for making real-time policy decisions.
Enforcement Engine
Once a policy decision has been made, an automated response action is typically executed at one or more points of enforcement in the network. The Enforcement Engine leverages information from the Device, State, and Policy Engine to initiate policy enforcement actions.
For example, an access policy might be enforced by dynamically changing the VLAN of a switch port, by setting Access Control Lists (ACLs) on a router, or by adjusting a Group Policy on a firewall, in order to isolate an endpoint device that has been determined to be in an “at risk” state.
Act – Detect & Response
One of the greatest challenges facing today’s IT organization is trying to keep up with evolving network security threats with very limited staff resources. FortiNAC enables automation of many configuration and management tasks that IT staff perform manually today, such as provisioning network access for different users and devices. This not only frees IT staff to focus on more important work, but also enhances security and efficiency through the ability to adapt dynamically to network threats and changes.
Known or Unknown
When any device connects to the network, FortiNAC checks whether it is known or unknown. Known devices are allowed to access the appropriate network. Unknown devices are placed in an isolation network.
Security Systems
When a FortiGate appliance detects a threat, it sends the threat and endpoint information to FortiNAC. The FortiNAC Policy Engine processes the information and takes the appropriate action based on policy. For example, if the endpoint is owned by an executive of the company, an email can be sent to both IT and the executive.
Third-party security systems, including Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and other Deep Packet Inspection (DPI) systems, are typically in-line appliances placed close to the external firewall to monitor network traffic for suspicious activity or signs of attack. While useful, these appliances do not incorporate information from other areas of the network environment to determine the “full picture.” When such security systems are integrated with FortiNAC, FortiNAC knows the identity of the user and endpoint and applies the appropriate action based on policy.
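The decision-and-enforcement loop described in the Control and Act sections above (central state database, Policy Engine as decision point, Enforcement Engine acting on a switch port, known/unknown handling, and a threat event arriving from a firewall), as an added Python illustration. This is not FortiNAC code and uses no FortiNAC API; the rule names, the roles, the VLAN numbers, the MAC addresses, the simulated switch commands and the notification recipients are all constructed for the example.

```python
"""Added illustration of a NAC policy-decision and enforcement loop.

Not FortiNAC code: the engines, VLAN numbers, roles, events and the
simulated switch commands are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed VLAN assignments for the network "states" named in the text.
VLAN_PRODUCTION = 100
VLAN_REMEDIATION = 500
VLAN_ISOLATION = 999


@dataclass
class User:
    name: str
    role: str                 # constructed roles: "executive", "staff", "guest"
    authorized: bool
    at_risk: bool = False


@dataclass
class Endpoint:
    mac: str
    known: bool               # False = rogue / never classified
    device_type: str = "unknown"
    online: bool = True
    at_risk: bool = False
    user: Optional[User] = None


@dataclass(frozen=True)
class Decision:
    vlan: int
    reason: str
    notify: Tuple[str, ...] = ()   # who gets an alert, if anyone


Rule = Callable[[Endpoint], Optional[Decision]]


# Rules are evaluated in order; the first one that returns a Decision wins.
def rule_unknown(ep: Endpoint) -> Optional[Decision]:
    if not ep.known:
        return Decision(VLAN_ISOLATION, "unknown device placed in isolation", ("it",))
    return None


def rule_at_risk(ep: Endpoint) -> Optional[Decision]:
    if ep.at_risk or (ep.user is not None and ep.user.at_risk):
        recipients = ["it"]
        if ep.user is not None and ep.user.role == "executive":
            recipients.append(ep.user.name)   # the executive is notified as well
        return Decision(VLAN_REMEDIATION, "endpoint or user flagged at risk", tuple(recipients))
    return None


def rule_unauthorized(ep: Endpoint) -> Optional[Decision]:
    if ep.user is None or not ep.user.authorized:
        return Decision(VLAN_ISOLATION, "no authorized user on a known device")
    return None


def rule_default(ep: Endpoint) -> Optional[Decision]:
    return Decision(VLAN_PRODUCTION, "known device, authorized user")


DEFAULT_POLICY: List[Rule] = [rule_unknown, rule_at_risk, rule_unauthorized, rule_default]


class PolicyEngine:
    """Centralized policy decision point: evaluates rules against endpoint state."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, ep: Endpoint) -> Decision:
        for rule in self.rules:
            decision = rule(ep)
            if decision is not None:
                return decision
        raise RuntimeError("policy has no default rule")


class EnforcementEngine:
    """Turns a decision into port actions; here a simulated switch CLI."""

    def __init__(self) -> None:
        self.port_vlan: Dict[str, int] = {}
        self.alerts: List[Tuple[str, str]] = []

    def enforce(self, port: str, decision: Decision) -> List[str]:
        self.port_vlan[port] = decision.vlan
        for recipient in decision.notify:
            self.alerts.append((recipient, decision.reason))
        return [f"interface {port}", f"switchport access vlan {decision.vlan}"]


class Nac:
    """Central database plus both engines: reacts to connects and threat events."""

    def __init__(self, rules: List[Rule] = DEFAULT_POLICY) -> None:
        self.db: Dict[str, Endpoint] = {}      # endpoint state keyed by MAC
        self.ports: Dict[str, str] = {}        # MAC -> switch port
        self.policy = PolicyEngine(rules)
        self.enforcement = EnforcementEngine()

    def connect(self, ep: Endpoint, port: str) -> Decision:
        self.db[ep.mac] = ep
        self.ports[ep.mac] = port
        decision = self.policy.decide(ep)
        self.enforcement.enforce(port, decision)
        return decision

    def threat_event(self, mac: str, detail: str) -> Optional[Decision]:
        """A firewall/IPS reports a threat on an endpoint: flag it and re-decide."""
        ep = self.db.get(mac)
        if ep is None:
            return None                      # no endpoint record to act on
        ep.at_risk = True
        decision = self.policy.decide(ep)
        self.enforcement.enforce(self.ports[mac], decision)
        return decision
```

The point of the structure is that the same endpoint can move between VLANs without any rule knowing about ports: a threat report only updates state in the central record, and the Enforcement Engine re-applies whatever the Policy Engine now decides. A real deployment would replace the simulated CLI strings with the switch, router or firewall integration and the alert list with actual email delivery.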