Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Release Notes

    Home FortiNAC 8.5.3 Release Notes
    8.5.3
    9.4.7
    9.4.6
    9.4.5
    9.4.4
    9.4.3
    9.4.2
    9.4.1
    9.4.0
    9.2.8
    9.2.7
    9.2.6
    9.2.5
    9.2.4
    9.2.3
    9.2.2
    9.2.1
    9.2.0
    9.1.10
    9.1.9
    9.1.8
    9.1.7
    9.1.6
    9.1.5
    9.1.4
    9.1.3
    9.1.2
    9.1.0
    8.8.11
    8.8.10
    8.8.9
    8.8.8
    8.8.7
    8.8.6
    8.8.5
    8.8.4
    8.8.3
    8.8.2
    8.8.1
    8.8.0
    8.7.6
    8.7.5
    8.7.4
    8.7.2
    8.7.1
    8.7.0
    8.6.5
    8.6.4
    8.6.3
    8.6.2
    8.6.1
    8.6.0
    8.5.4
    8.5.3
    8.5.2
    8.5.1
    8.3.7
    8.3.6

    Policy assignment

    Policy assignment

    Policies are applied to hosts by comparing user and host data to the user/host profile contained in each policy until a match is found. The example below demonstrates this process.

    Types

    Policy Type

    Location

    Groups

    Attributes

    Time

    Host Notes

    Location

    One or more Port or Device Groups

    Any

    None

    Always

    Host connects to a port or device in one of the selected groups and is assigned this policy.

    Role

    Any

    Any

    User Role = (Role Name)

    Always

    Host connects to the network. If the logged in user has the selected role, the host is assigned this policy.

    Security and Access Attribute Value

    Any

    Any

    User SaAV = (Attribute Value)

    Always

    Host connects to the network. If the logged in user has the selected Security and Access Value, the host is assigned this policy.

    Group

    Any

    User Group1

    User Group2

    None

    Always

    Host connects to the network. If the logged in user is a member of either one of the selected groups, the host is assigned this policy.

    Guest

    Any

    Any

    Guest Role = Role Name

    Always

    Host connects to the network. If the Guest has the selected role, the host is assigned this policy.

    Registration

    Any

    Any

    Host = Rogue

    Always

    Host connects to the network. If the host is a rogue, it is assigned this policy.

    Remediation

    Any

    Any

    Host State = At Risk

    Always

    Host connects to the network. If the host state is At Risk, it is assigned this policy.

    VPN

    Any

    Any

    Host = VPN Client

    Always

    Host connects to the network. If the host is a VPN Client, it is assigned this policy.

    Time of Day

    Any

    Any

    None

    Monday -
    Friday 9 am to 5 pm

    Host connects to the network. If the connection time is on any day Monday through Friday and between 9 am and 5 pm, it is assigned this policy.

    Default or
    Catch All

    Any

    Any

    None

    None

    This policy will match ALL hosts and users. Host connects to the network. If the host does not match any other policy, it is assigned this policy. When this policy is reached, no other policies after it will be considered.

    Example endpoint compliance policy

    The example below outlines how FortiNAC would choose an endpoint compliance policy for a specific host.

    Assume the Host has the following characteristics:

    • Connects on a port that is contained within the Library Ports group.
    • Host is a member of the Accounting Group and the Finance Group.
    • Host is running a Persistent Agent.
    • Logged in user has a Role called Management.
    • Logged in user has a Security and Access Attribute value of Accounting.

    Rank

    Policy

    Location

    Groups

    Attributes

    Process

    1

    Policy A

    Port Group = Lobby Ports

    Accounting

    Filter1=User Role "Staff"

    Location - Not a match

    Group - Matches

    Attribute1 - Not a Match

    Go to the next policy.

    2

    Policy B

    Port Group = Library Ports

    Accounting

    Filter1=User Role "Management" and User Security and Access Value "Human Resources"

    Filter2=User Role "Staff"

    Location - Matches

    Group - Matches

    Filter1 - Does not match both pieces of data.

    Filter2 - Does not match.

    Go to the next policy.

    3

    Policy C

    Port Group1 = Lobby Ports

    Port Group2 = Second Floor Ports

    Finance

    Admin

    Filter1=User Role "Staff" and User Security and Access Value "Accounting"

    Filter2=User Role "Management" and Host has Persistent Agent

    Location - Not a match for either location.

    Group - Matches Finance group

    Filter1 - Does not match both pieces of data.

    Filter2 - Matches all data.

    In this case, the fact that neither location matches prevents the host from getting this policy.In the Group field, the host or user need only match one group. In the filter field, the host or user need only match one filter as long as it matches all parts of the filter.

    Go to the next policy.

    4

    Policy D

    Any

    Finance

    Admin

    Filter1=User Role "Management" and Host has Persistent Agent

    Filter2=User Role "Executives" and Host has Persistent Agent

    Location - No location selected so this field is not used.

    Group - Matches Finance group

    Filter1=Matches all data

    Filter2=Does not match both pieces of data

    This policy is selected for the host because Location is irrelevant, one group matches and one filter matches.

    5

    Policy E

    Port Group1 = Library Ports

    Port Group2 = Second Floor Ports

    Finance

    Admin

    Filter1=User Role "Management" and Host has Persistent Agent

    Filter2=User Role "Executives" and Host has Persistent Agent

    Location - Matches Port Group1

    Group - Matches Finance group

    Filter1=Matches all data

    Filter2=Does not match both pieces of data

    This policy is not selected because policies are checked in order by rank. The policy in rank 4 has already been selected even though this policy matches on more points. You must be careful about the order of the policies to ensure that the correct policy is applied to a host.

    Previous
    Next

    Policy assignment

    Policy assignment

    Policies are applied to hosts by comparing user and host data to the user/host profile contained in each policy until a match is found. The example below demonstrates this process.

    Types

    Policy Type

    Location

    Groups

    Attributes

    Time

    Host Notes

    Location

    One or more Port or Device Groups

    Any

    None

    Always

    Host connects to a port or device in one of the selected groups and is assigned this policy.

    Role

    Any

    Any

    User Role = (Role Name)

    Always

    Host connects to the network. If the logged in user has the selected role, the host is assigned this policy.

    Security and Access Attribute Value

    Any

    Any

    User SaAV = (Attribute Value)

    Always

    Host connects to the network. If the logged in user has the selected Security and Access Value, the host is assigned this policy.

    Group

    Any

    User Group1

    User Group2

    None

    Always

    Host connects to the network. If the logged in user is a member of either one of the selected groups, the host is assigned this policy.

    Guest

    Any

    Any

    Guest Role = Role Name

    Always

    Host connects to the network. If the Guest has the selected role, the host is assigned this policy.

    Registration

    Any

    Any

    Host = Rogue

    Always

    Host connects to the network. If the host is a rogue, it is assigned this policy.

    Remediation

    Any

    Any

    Host State = At Risk

    Always

    Host connects to the network. If the host state is At Risk, it is assigned this policy.

    VPN

    Any

    Any

    Host = VPN Client

    Always

    Host connects to the network. If the host is a VPN Client, it is assigned this policy.

    Time of Day

    Any

    Any

    None

    Monday -
    Friday 9 am to 5 pm

    Host connects to the network. If the connection time is on any day Monday through Friday and between 9 am and 5 pm, it is assigned this policy.

    Default or
    Catch All

    Any

    Any

    None

    None

    This policy will match ALL hosts and users. Host connects to the network. If the host does not match any other policy, it is assigned this policy. When this policy is reached, no other policies after it will be considered.

    Example endpoint compliance policy

    The example below outlines how FortiNAC would choose an endpoint compliance policy for a specific host.

    Assume the Host has the following characteristics:

    • Connects on a port that is contained within the Library Ports group.
    • Host is a member of the Accounting Group and the Finance Group.
    • Host is running a Persistent Agent.
    • Logged in user has a Role called Management.
    • Logged in user has a Security and Access Attribute value of Accounting.

    Rank

    Policy

    Location

    Groups

    Attributes

    Process

    1

    Policy A

    Port Group = Lobby Ports

    Accounting

    Filter1=User Role "Staff"

    Location - Not a match

    Group - Matches

    Attribute1 - Not a Match

    Go to the next policy.

    2

    Policy B

    Port Group = Library Ports

    Accounting

    Filter1=User Role "Management" and User Security and Access Value "Human Resources"

    Filter2=User Role "Staff"

    Location - Matches

    Group - Matches

    Filter1 - Does not match both pieces of data.

    Filter2 - Does not match.

    Go to the next policy.

    3

    Policy C

    Port Group1 = Lobby Ports

    Port Group2 = Second Floor Ports

    Finance

    Admin

    Filter1=User Role "Staff" and User Security and Access Value "Accounting"

    Filter2=User Role "Management" and Host has Persistent Agent

    Location - Not a match for either location.

    Group - Matches Finance group

    Filter1 - Does not match both pieces of data.

    Filter2 - Matches all data.

    In this case, the fact that neither location matches prevents the host from getting this policy.In the Group field, the host or user need only match one group. In the filter field, the host or user need only match one filter as long as it matches all parts of the filter.

    Go to the next policy.

    4

    Policy D

    Any

    Finance

    Admin

    Filter1=User Role "Management" and Host has Persistent Agent

    Filter2=User Role "Executives" and Host has Persistent Agent

    Location - No location selected so this field is not used.

    Group - Matches Finance group

    Filter1=Matches all data

    Filter2=Does not match both pieces of data

    This policy is selected for the host because Location is irrelevant, one group matches and one filter matches.

    5

    Policy E

    Port Group1 = Library Ports

    Port Group2 = Second Floor Ports

    Finance

    Admin

    Filter1=User Role "Management" and Host has Persistent Agent

    Filter2=User Role "Executives" and Host has Persistent Agent

    Location - Matches Port Group1

    Group - Matches Finance group

    Filter1=Matches all data

    Filter2=Does not match both pieces of data

    This policy is not selected because policies are checked in order by rank. The policy in rank 4 has already been selected even though this policy matches on more points. You must be careful about the order of the policies to ensure that the correct policy is applied to a host.

    Previous
    Next