Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate VPN Integration

    Home FortiNAC-F 7.6.0 FortiGate VPN Integration
    7.6.0
    7.6.0
    7.4.0
    7.2.0

    Create FortiGate Firewall Policies

    Create FortiGate Firewall Policies

    Create firewall policies to:

    • Allow network access to VPN clients authenticated by FortiNAC (authorized hosts).

    • Restrict network access to all other VPN clients. They are considered untrusted.

    Workflow:

    1. When a client initially connects to the VPN tunnel, network access is restricted.

    2. While restricted, FortiNAC answers all DNS queries. Limited network access is granted. The amount of network access allowed is dependent upon the organization’s policies. For example, it may be necessary to allow clients to update antivirus programs. In which case, network access to the internet may be required. FortiNAC would control which domains are resolved to the actual IP address.

    3. Once authenticated, clients match a FortiNAC Network Access Policy and a Logical Network is assigned. FortiNAC sends the group or tag associated with the Logical Network to the FortiGate.

    4. The matching FortiGate firewall policy applies the appropriate network access.

    Note:

    • FOS v6.0: Adding FSSO groups in firewall policies via UI is not available when the policy’s source interface is set to SSL-VPN. Support added in 6.2.3, 6.4.0 and later. See Appendix for workaround.

    • The following examples are for illustration purposes. It is up to the firewall administrator to configure their policies as appropriate to achieve the above goals.

    • It is assumed the applicable components required for firewall policies have already been configured (such as network interfaces).

      UI: Policy & Objects > IPv4 Policy

    Allow Network Access for Authorized Hosts

    Create Firewall policy to allow network access for authorized hosts:

    • Block DNS (at a minimum) or all traffic to/from FortiNAC VPN Interface (Ensures DNS requests are forwarded to production DNS).

    Block DNS to FortiNAC

    Name

    Name of Policy

    Incoming Interface (From)

    Any

    Outgoing Interface (To)

    FortiNAC VPN Isolation Network

    Source

    VPN IP Address Object(s)

    FSSO Group

    Destination

    VPN Isolation Interface Address

    Schedule

    Always

    Service

    DNS or ALL

    Action

    DENY

    Enable this policy

    enable

    • Allow traffic to/from the desired network destinations.

    Example

    Legend:

    FNAC_SSL_VPN_ADDR

    VPN IP Address Object (SSL)

    FNAC_IPsec_VPN_ADDR

    VPN IP Address Object (IPsec)

    VPN_AUTH

    FSSO Group sent by FortiNAC

    SERVER NET

    FortiNAC VPN Isolation Network

    FNAC_ETH1_VPN

    VPN Isolation Interface Address

    wan1

    Interface to internet

    MGMT NET

    Internal

    ID 10: Block VPN traffic from any network to FortiNAC VPN Interface

    ID 11: Allow VPN traffic from any interface out to the internet

    ID 13: Allow VPN traffic from any interface to the Management network

    A screenshot of a cell phone Description automatically generated

    Restrict Network Access for Unauthorized Hosts

    Create policies for managed VPN connections to restrict network access for unauthorized hosts. These are the default policies used until a host is authenticated with FortiNAC.

    • Allow traffic to/from FortiNAC VPN Interface (to ensure DNS requests are forwarded to FortiNAC)

    Name

    Name of policy

    Incoming Interface (From)

    VPN Interface

    Outgoing Interface (To)

    FortiNAC VPN Isolation Network

    (Inside)

    Source

    SSL_VPN Address Object

    Destination

    FortiNAC VPN Isolation Interface address

    Schedule

    Always

    Service

    All

    Action

    ACCEPT

    • Block all other traffic.

    Example

    Legend:

    FNAC_SSL_VPN_ADDR

    VPN IP Address Object (SSL)

    FNAC_IPsec_VPN_ADDR

    VPN IP Address Object (IPsec)

    VPN_AUTH

    FSSO Group sent by FortiNAC

    SERVER NET

    FortiNAC VPN Isolation Network

    FNAC_ETH1_VPN

    VPN Isolation Interface Address

    wan1

    Interface to internet

    MGMT NET

    Internal

    ID 9 & 15: Allow SSL and IPsec VPN traffic to the FortiNAC VPN eth1 interface

    ID 12 & 16: Block SSL and IPsec VPN traffic to all interfaces

    A screenshot of a cell phone Description automatically generated

    Rank new policies in the following order:

    1. Policies matching authenticated users (allowing regular network access)

    2. Policies allowing traffic to FortiNAC eth1 (restricting network traffic).

    If endpoint does not match a policy that permits regular network access (ID’s 10, 11, 13), then endpoint is considered untrusted. Therefore, apply policies to restrict endpoint’s network access to the FortiNAC Service Network (ID’s 9, 12, 15 16).

    A screenshot of a cell phone Description automatically generated

    Proceed to Validate.

    Previous
    Next

    Create FortiGate Firewall Policies

    Create FortiGate Firewall Policies

    Create firewall policies to:

    • Allow network access to VPN clients authenticated by FortiNAC (authorized hosts).

    • Restrict network access to all other VPN clients. They are considered untrusted.

    Workflow:

    1. When a client initially connects to the VPN tunnel, network access is restricted.

    2. While restricted, FortiNAC answers all DNS queries. Limited network access is granted. The amount of network access allowed is dependent upon the organization’s policies. For example, it may be necessary to allow clients to update antivirus programs. In which case, network access to the internet may be required. FortiNAC would control which domains are resolved to the actual IP address.

    3. Once authenticated, clients match a FortiNAC Network Access Policy and a Logical Network is assigned. FortiNAC sends the group or tag associated with the Logical Network to the FortiGate.

    4. The matching FortiGate firewall policy applies the appropriate network access.

    Note:

    • FOS v6.0: Adding FSSO groups in firewall policies via UI is not available when the policy’s source interface is set to SSL-VPN. Support added in 6.2.3, 6.4.0 and later. See Appendix for workaround.

    • The following examples are for illustration purposes. It is up to the firewall administrator to configure their policies as appropriate to achieve the above goals.

    • It is assumed the applicable components required for firewall policies have already been configured (such as network interfaces).

      UI: Policy & Objects > IPv4 Policy

    Allow Network Access for Authorized Hosts

    Create Firewall policy to allow network access for authorized hosts:

    • Block DNS (at a minimum) or all traffic to/from FortiNAC VPN Interface (Ensures DNS requests are forwarded to production DNS).

    Block DNS to FortiNAC

    Name

    Name of Policy

    Incoming Interface (From)

    Any

    Outgoing Interface (To)

    FortiNAC VPN Isolation Network

    Source

    VPN IP Address Object(s)

    FSSO Group

    Destination

    VPN Isolation Interface Address

    Schedule

    Always

    Service

    DNS or ALL

    Action

    DENY

    Enable this policy

    enable

    • Allow traffic to/from the desired network destinations.

    Example

    Legend:

    FNAC_SSL_VPN_ADDR

    VPN IP Address Object (SSL)

    FNAC_IPsec_VPN_ADDR

    VPN IP Address Object (IPsec)

    VPN_AUTH

    FSSO Group sent by FortiNAC

    SERVER NET

    FortiNAC VPN Isolation Network

    FNAC_ETH1_VPN

    VPN Isolation Interface Address

    wan1

    Interface to internet

    MGMT NET

    Internal

    ID 10: Block VPN traffic from any network to FortiNAC VPN Interface

    ID 11: Allow VPN traffic from any interface out to the internet

    ID 13: Allow VPN traffic from any interface to the Management network

    A screenshot of a cell phone Description automatically generated

    Restrict Network Access for Unauthorized Hosts

    Create policies for managed VPN connections to restrict network access for unauthorized hosts. These are the default policies used until a host is authenticated with FortiNAC.

    • Allow traffic to/from FortiNAC VPN Interface (to ensure DNS requests are forwarded to FortiNAC)

    Name

    Name of policy

    Incoming Interface (From)

    VPN Interface

    Outgoing Interface (To)

    FortiNAC VPN Isolation Network

    (Inside)

    Source

    SSL_VPN Address Object

    Destination

    FortiNAC VPN Isolation Interface address

    Schedule

    Always

    Service

    All

    Action

    ACCEPT

    • Block all other traffic.

    Example

    Legend:

    FNAC_SSL_VPN_ADDR

    VPN IP Address Object (SSL)

    FNAC_IPsec_VPN_ADDR

    VPN IP Address Object (IPsec)

    VPN_AUTH

    FSSO Group sent by FortiNAC

    SERVER NET

    FortiNAC VPN Isolation Network

    FNAC_ETH1_VPN

    VPN Isolation Interface Address

    wan1

    Interface to internet

    MGMT NET

    Internal

    ID 9 & 15: Allow SSL and IPsec VPN traffic to the FortiNAC VPN eth1 interface

    ID 12 & 16: Block SSL and IPsec VPN traffic to all interfaces

    A screenshot of a cell phone Description automatically generated

    Rank new policies in the following order:

    1. Policies matching authenticated users (allowing regular network access)

    2. Policies allowing traffic to FortiNAC eth1 (restricting network traffic).

    If endpoint does not match a policy that permits regular network access (ID’s 10, 11, 13), then endpoint is considered untrusted. Therefore, apply policies to restrict endpoint’s network access to the FortiNAC Service Network (ID’s 9, 12, 15 16).

    A screenshot of a cell phone Description automatically generated

    Proceed to Validate.

    Previous
    Next