
Administration Guide


Policies

Policies are assigned to hosts based on the User/Host Profile associated with each policy. User/Host Profiles allow you to select one or more pieces of user or host data to match with users and hosts and determine which policy is applied to that host. Policies are ranked in priority starting with number 1. When a host requires a particular service, such as Network Access, the host and user data are compared to the User/Host Profile in each policy starting with the first policy in the list. If the host and user do not match criteria in the first policy, the next one is checked until a match is found.

Types of data used to determine whether or not the host/user is a match include the following:

Where (Location): One or more port or device groups. A User/Host Profile can include more than one port or device group; however, the connection location only needs to be contained in one of the selected groups. If the Location field is empty it is set to Any, indicating that location is not being used as criteria for the match, so any host connection location would be a match.

Who/What by Group: One or more user or host groups. If the host or user is in at least one of the groups listed, then the host is considered a match. If this field is empty, it is set to Any, indicating that the Groups field is not used as criteria for the match, so any host is a match.

Who/What by Attribute: Allows you to create matches based on Adapter, Host or User data. A single filter can contain checks for multiple pieces of data; however, the host, user and adapter must be an exact match to all of that data. If more than one filter is used, the host, user and adapter need only match the contents of one filter to be a match for the policy. See Filter example for additional information on filters.

When: Allows you to create matches based on the current time. If Always is selected, then time of day is not used. If Specify Time is selected, then the current time must be within the days and times included in the list to be a match for the host.

The host/user must match at least one item in each field that contains criteria other than Any. If the host/user does not match something in all fields, the policy is not selected and the next policy is checked.

Note

A host that has had a policy applied based on time of day may be moved to a different policy when the window of time in the current policy has passed. For example, the host may be moved to another VLAN or disconnected from the network when the window of time in the applied Endpoint Compliance Policy has passed. Hosts are re-evaluated frequently, such as when the device where they are connected is polled or when the Persistent Agent contacts the server. If another Policy exists that applies to this host, the host will be provided with configuration parameters from that new policy.

Note

There may be more than one Policy that is a match for this host/user; however, the first match found is the one that is used.

Note

Policy assignments are not permanent. Each time a host is re-evaluated by FortiNAC, the User/Host Profile data is re-evaluated and a Policy is selected.
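The matching rules above (empty field means Any, every non-Any field must match, any-of within a field, AND inside one attribute filter but OR across filters, first match by rank wins, and re-evaluation when a time window passes) are modelled in this added example. It is illustrative code written for this page, not FortiNAC's implementation; the policy names, group names, attributes and host data are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Profile:  # User/Host Profile; an empty field means Any (not used as criteria)
    locations: set = field(default_factory=set)  # Where: port/device groups
    groups: set = field(default_factory=set)     # Who/What by Group: user/host groups
    filters: list = field(default_factory=list)  # Who/What by Attribute: [{attr: value}]
    hours: dict = field(default_factory=dict)    # When: {weekday: (start_hour, end_hour)}

def matches(profile, host, now):
    # Where: the connection location need only be in one of the selected groups
    if profile.locations and not (host["location_groups"] & profile.locations):
        return False
    # Who/What by Group: host or user in at least one listed group
    if profile.groups and not (host["groups"] & profile.groups):
        return False
    # Who/What by Attribute: all checks inside one filter (AND), any filter (OR)
    if profile.filters and not any(
        all(host["attributes"].get(k) == v for k, v in f.items())
        for f in profile.filters
    ):
        return False
    # When: current time must fall inside a listed day/time window
    if profile.hours:
        window = profile.hours.get(now.weekday())
        if window is None or not (window[0] <= now.hour < window[1]):
            return False
    return True  # matched every field that carries criteria other than Any

def select_policy(ranked_policies, host, now):
    """Check policies in rank order (rank 1 first); the first match is used."""
    for name, profile in ranked_policies:
        if matches(profile, host, now):
            return name
    return None  # no policy matched
# Constructed sample data (not from the FortiNAC guide); list order is the rank
POLICIES = [
    ("Staff-Business-Hours", Profile(
        locations={"Office-Ports"}, groups={"Staff"},
        filters=[{"os": "Windows", "agent": "persistent"}, {"os": "macOS"}],
        hours={d: (8, 18) for d in range(5)})),          # Mon-Fri 08:00-18:00
    ("Staff-After-Hours", Profile(groups={"Staff"})),   # other fields are Any
    ("Guest-Default", Profile()),                       # everything Any: catch-all
]
HOST = {"location_groups": {"Office-Ports", "Building-A"}, "groups": {"Staff"},
        "attributes": {"os": "Windows", "agent": "persistent", "av": "present"}}
def evaluate_host(hour, weekday=0):
    # Re-evaluate the constructed host; 2024-01-01 is a Monday (weekday 0)
    return select_policy(POLICIES, HOST, datetime(2024, 1, 1 + weekday, hour))
```

Calling evaluate_host(10) and then evaluate_host(22) shows the same host moving from the business-hours policy to the after-hours one once the When window has passed, which is the re-evaluation behaviour the notes describe.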
