
Administration Guide


Sample configurations

The port-based and host-based CLI configurations shown below are samples of different types of configurations that may help you develop your own.

Example 1: Port based configuration - port speed

The configuration shown below modifies the speed and duplex configuration of the port and then returns it to its normal state.

Commands To Set:

config t
interface %port%
speed 10
duplex half
exit
exit

Commands To Undo:

config t
interface %port%
speed auto
duplex auto
exit
exit

Example 2: Port based CLI configuration - device configuration

This configuration is used in conjunction with the Scheduler to configure devices to send traps to the FortiNAC Server. The sample IP address shown is the address of the FortiNAC Server that should receive the traps. In this case no Undo commands are used.

Commands To Set:

config t
snmp-server host 192.168.102.110 public
end
write mem

Commands To Undo: none.

Example 3: Host based CLI configuration - IP address

The configuration shown below modifies an IP address ACL on the device to switch access for the host’s IP address from the FortiNAC software DNS server to the production DNS server. When the host is restricted to the FortiNAC software DNS server, it is essentially in isolation and can be forced to register. When the host has access to the production DNS server, it can connect to the network and access the Internet.

Commands To Set:

config t
ip access-list extended Nac
1 deny udp host %ip% host 192.168.34.2 eq domain
2 permit ip host %ip% host 192.168.105.2
exit
ip access-list resequence Nac 10 1
end
write mem

Commands To Undo:

config t
ip access-list extended Nac
no deny udp host %ip% host 192.168.34.2 eq domain
no permit ip host %ip% host 192.168.105.2
end
write mem

In the example above, 192.168.34.2 is the production DNS server and 192.168.105.2 is the FortiNAC software DNS server. In the second line, Nac is the name of the ACL. ACL names are case sensitive; if the name does not match exactly, the ACL is not modified.

The ip access-list resequence Nac 10 1 command is important because it controls the sequence in which the host IP addresses are entered into the ACL. The new entries are added with sequence numbers 1 and 2, ahead of the existing entries, and the resequence then renumbers the whole list starting at 10 in steps of 1. As a result each IP address is added to the beginning of the list and the addresses already in the list move down by one, leaving sequence numbers 1 and 2 free for the next host.

Note

If FortiNAC cannot determine the IP or any data substitution value of the host, the CLI will not be run. A CLI Substitution Failure Event is generated describing the data which could not be substituted.
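The following Python model, added here as an example and not taken from FortiNAC itself, shows the substitution step that the note describes: the %port%, %ip% and %macXXXX.XXXX.XXXX% placeholders from the samples on this page are filled in from the host's data, and if any value cannot be supplied, no command is run and a failure event is recorded instead. The placeholder syntax, the MAC layout handling and the event wording are assumptions based on the samples above, not FortiNAC's own implementation.

```python
# Added example (not FortiNAC code): a model of CLI data substitution with the
# all-or-nothing failure behaviour described in the note above.
import re
from dataclasses import dataclass, field

# Placeholders seen in the samples on this page: %port%, %ip% and %mac<layout>%,
# where <layout> is the MAC rendering, e.g. XXXX.XXXX.XXXX (assumed syntax).
PLACEHOLDER = re.compile(r"%(port|ip|mac[X.:-]+)%")

# Templates copied from Example 3 and Example 4 on this page.
SET_IP = [
    "config t",
    "ip access-list extended Nac",
    "1 deny udp host %ip% host 192.168.34.2 eq domain",
    "2 permit ip host %ip% host 192.168.105.2",
    "exit",
    "ip access-list resequence Nac 10 1",
    "end",
    "write mem",
]
SET_MAC = [
    "config t",
    "mac access-list extended Nac",
    "1 deny %macXXXX.XXXX.XXXX% any",
    "exit",
    "mac access-list resequence Nac 10 1",
    "end",
    "write mem",
]


@dataclass
class RenderResult:
    commands: list = field(default_factory=list)  # empty when substitution failed
    events: list = field(default_factory=list)    # modeled "CLI Substitution Failure" events


def format_mac(mac: str, layout: str) -> str:
    """Render a MAC written with any common separator in the requested layout.
    Only the XXXX.XXXX.XXXX layout used on this page is implemented (assumption)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if layout == "XXXX.XXXX.XXXX":
        return ".".join(digits[i:i + 4] for i in (0, 4, 8))
    raise ValueError(f"unsupported MAC layout: {layout}")


def render(template, host):
    """Substitute host values into template.

    host is a dict such as {'ip': '10.1.1.5', 'mac': '00:11:22:aa:bb:cc',
    'port': 'GigabitEthernet1/0/7'} (constructed sample keys). If any line
    references a value that is missing, the whole CLI is withheld and one
    failure event per affected line is returned instead.
    """
    result = RenderResult()
    rendered = []
    for line in template:
        missing = []

        def repl(match):
            key = match.group(1)
            name = "mac" if key.startswith("mac") else key
            value = host.get(name)
            if value is None:
                missing.append(name)
                return match.group(0)          # leave the placeholder visible
            return format_mac(value, key[3:]) if name == "mac" else value

        out = PLACEHOLDER.sub(repl, line)
        if missing:
            result.events.append(
                f"CLI Substitution Failure: no value for {', '.join(missing)} in {line!r}")
        rendered.append(out)
    if not result.events:          # the CLI runs in full or not at all
        result.commands = rendered
    return result
```

A practitioner can feed the same host record through both templates: a host record with a MAC but no IP yields a rendered MAC ACL but a withheld IP ACL with two failure events, one for each line that needed %ip%.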

Example 4: Host based CLI configuration - MAC address

The configuration shown below modifies a MAC filtering ACL on the device to deny access to a particular MAC address sent by FortiNAC.

Commands To Set:

config t
mac access-list extended Nac
1 deny %macXXXX.XXXX.XXXX% any
exit
mac access-list resequence Nac 10 1
end
write mem

Commands To Undo:

config t
mac access-list extended Nac
no deny %macXXXX.XXXX.XXXX% any
end
write mem

In the example above, Nac is the name of the ACL. ACL names are case sensitive; if the name does not match exactly, the ACL is not modified.

The mac access-list resequence Nac 10 1 command is important because it controls the sequence in which the host MAC addresses are entered into the ACL. The new entry is added with sequence number 1, ahead of the existing entries, and the resequence then renumbers the whole list starting at 10 in steps of 1. As a result each MAC address is added to the beginning of the list and the addresses already in the list move down by one, leaving sequence number 1 free for the next host.
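The following Python model, added here as an example and not code from FortiNAC or the switch vendor, shows why the resequence step in Example 3 and Example 4 matters. ACL entries are kept as (sequence, rule) pairs; the Set commands insert at sequence 1 and 2, which sorts ahead of everything numbered 10 and up, and the resequence renumbers from 10 in steps of 1 so the next host's entries can again be inserted at 1 and 2. The model also shows what the Undo commands leave behind, and it refuses an insert whose sequence number is already taken, which is the collision that occurs when a previous run skipped the resequence step (how a real device treats a duplicate sequence number is platform-specific and is not modeled). The host IP addresses used are constructed samples.

```python
# Added example (not FortiNAC or vendor code): a model of ACL entry ordering
# under "<ip|mac> access-list resequence Nac 10 1".

PROD_DNS = "192.168.34.2"    # production DNS server (from Example 3)
NAC_DNS = "192.168.105.2"    # FortiNAC software DNS server (from Example 3)


def host_rules(ip):
    """The two entries Example 3 adds for one host IP address."""
    return [f"deny udp host {ip} host {PROD_DNS} eq domain",
            f"permit ip host {ip} host {NAC_DNS}"]


def apply_set(acl, rules, resequence=True, start=10, step=1):
    """Apply 'Commands To Set' to acl, a list of (sequence, rule) pairs.

    rules are inserted at sequence 1, 2, ... exactly as the samples do, then,
    unless resequence is False, the whole ACL is renumbered from start by step.
    Raises ValueError if a new sequence number is already in use, i.e. when an
    earlier run did not resequence and left sequence 1 or 2 occupied.
    """
    used = {seq for seq, _ in acl}
    merged = list(acl)
    for seq, rule in enumerate(rules, start=1):
        if seq in used:
            raise ValueError(f"sequence {seq} already in use; resequence first")
        merged.append((seq, rule))
    merged.sort(key=lambda entry: entry[0])   # lower sequence numbers match first
    if not resequence:
        return merged
    return [(start + k * step, rule) for k, (_, rule) in enumerate(merged)]


def apply_undo(acl, rules):
    """Apply 'Commands To Undo': each 'no <rule>' removes the matching entry.
    The Undo block has no resequence, so remaining numbers are left as they are."""
    gone = set(rules)
    return [(seq, rule) for seq, rule in acl if rule not in gone]


def sequence_numbers(acl):
    return [seq for seq, _ in acl]


if __name__ == "__main__":
    acl = apply_set([], host_rules("10.1.1.5"))       # constructed sample host
    acl = apply_set(acl, host_rules("10.1.1.6"))      # second host lands first
    for seq, rule in acl:
        print(seq, rule)
```

Running the block shows the second host's entries at sequence 10 and 11 and the first host's pushed to 12 and 13, which is the "added to the beginning of the list" behaviour the text describes; undoing the second host leaves 12 and 13 in place until the next Set resequences again.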
