Administration Guide
User/host profiles

User/host profiles are used to map sets of hosts and users to network access policies, endpoint compliance policies, Supplicant EasyConnect policies, Portal Policies, or Security Rules (ATR must be enabled). User/host profiles can be reused across many different policies.

For example, network access policies are used to assign the VLAN in which a host is placed. Each network access policy has a specific User/Host profile and a network access configuration containing a VLAN, CLI configuration or VPN Group. When a host requires network access, FortiNAC looks at the network access policies starting with the first policy in the list and checks that the User/Host profile is a match. If it is not, the next network access policy is checked until a match is found.

User/host profiles are combinations of user/host data. A host's or user's profile is not fixed but can change based on the user/host being moved to a different group, having a new attribute applied, connecting to the network in a different place or the current time of day. Users/hosts are only classified at the time that they need a service, such as a network access policy. When FortiNAC evaluates a host connection, the data for the user and host are prioritized as follows:

  • Logged in user and host
  • Registered user and host
  • Registered host

If you create a user/host profile with Where (Location) set to Any, Who/What by Group set to Any, Who/What by Attribute left blank, and When set to Always, it matches all users and hosts. This is essentially a catch-all profile. If this user/host profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To highlight this, policies below the policy with the catch-all profile are grayed out and have a line through the data.

The best way to use a catch-all profile is to create a general policy with that profile and place it last in the list of policies.

Settings

  • Name: Each profile must have a unique name.
  • Where (Location): Location on the network where the host is connected. This field lists groups of ports, SSIDs or devices. Hosts are checked to determine whether they have connected to the network via one of the selected devices, ports or SSIDs. The host must connect on one of the items contained within one of the selected groups to match this profile. When set to Any, this field matches all hosts or users.
  • Who/What By Group: Host or User groups of which the host or user must be a member to match this profile. The host or user must be in at least one of the groups listed. When set to Any, this field matches all hosts or users.
  • Who/What By Attribute: Indicates whether or not attribute filters have been created for this Profile. Filters are based on Adapter, Host and User data. A host or user must meet all parameters within a single filter, but is only required to match one filter in the list. See Filter example.
  • When: If the host is on the network during the specified time frame, it matches this profile. Time options include Always or a specific set of days of the week and times of the day.
  • Note: User-specified note field. This field may contain notes regarding the data conversion from a previous version of FortiNAC.
  • Last Modified By: User name of the last user to modify the profile.
  • Last Modified Date: Date and time of the last modification to this profile.
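The matching rules above (Where and Who/What By Group as any-of, each attribute filter as all-of with any one filter sufficing, When as a day/time window) together with the top-down first-match walk and the catch-all shadowing described earlier, as an added Python model. This is not FortiNAC's own code; the Profile class, the POLICIES list and the connection dictionaries are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
ANY = None  # a blank or "Any" field matches every host/user, as the guide states

@dataclass
class Profile:
    """Hypothetical model of one FortiNAC user/host profile (constructed for this example)."""
    where: Optional[set] = ANY     # location groups; the host must connect through at least one
    groups: Optional[set] = ANY    # host/user groups; membership in at least one is enough
    filters: list = field(default_factory=list)  # each filter is all-of; the list is any-of
    days: Optional[set] = ANY      # weekdays 0=Mon..6=Sun; None means Always
    hours: Optional[tuple] = ANY   # (from_hour, to_hour), half-open; None means Always

    def is_catch_all(self) -> bool:
        return self.where is ANY and self.groups is ANY and not self.filters and self.days is ANY and self.hours is ANY

    def matches(self, conn: dict, when: tuple) -> bool:  # when = (weekday, hour) of the connection
        if self.where is not ANY and not (self.where & conn["location_groups"]):
            return False
        if self.groups is not ANY and not (self.groups & conn["member_groups"]):
            return False
        if self.filters and not any(all(conn["attrs"].get(k) == v for k, v in f.items()) for f in self.filters):
            return False
        if self.days is not ANY and when[0] not in self.days:
            return False
        if self.hours is not ANY and not (self.hours[0] <= when[1] < self.hours[1]):
            return False
        return True

def first_matching_policy(policies, conn, when):
    """Top-down first match, the way FortiNAC walks the policy list; None if nothing matches."""
    for name, profile in policies:
        if profile.matches(conn, when):
            return name

def shadowed_policies(policies):
    """Names of policies below the first catch-all profile; FortiNAC never reaches them."""
    for i, (_, profile) in enumerate(policies):
        if profile.is_catch_all():
            return [name for name, _ in policies[i + 1:]]
    return []

# Constructed sample policy list (not from the guide): the catch-all is not last, so IoT is dead.
POLICIES = [
    ("Corp-VLAN10", Profile(where={"Office-Ports"}, groups={"Employees"},
                            filters=[{"os": "Windows", "av": "on"}, {"os": "macOS"}])),
    ("Guest-VLAN99", Profile(groups={"Guests"}, days={0, 1, 2, 3, 4}, hours=(8, 18))),
    ("Default-Any", Profile()),
    ("IoT-VLAN20", Profile(groups={"IoT"})),
]
```

Running shadowed_policies over an ordered list before saving it is the check that catches a catch-all placed anywhere but last.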

Right-click options

  • Copy: Copies the selected Profile to create a new record.
  • Delete: Deletes the selected Profile. Profiles that are currently in use cannot be deleted.
  • In Use: Indicates whether or not the selected Profile is currently being used by any other FortiNAC element. See Profiles in use.
  • Modify: Opens the Modify Profile window for the selected Profile.
  • Show Audit Log: Opens the admin auditing log showing all changes made to the selected item. For information about the admin auditing log, see Admin auditing. Note: you must have permission to view the admin auditing log. See Add an administrator profile.

Buttons

  • Export: Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.

Add or modify a profile

You are not required to complete all of the fields when creating a user/host profile. If you leave a field blank, it is set to Any or remains blank; in either case the field matches all hosts or users. You can create a profile with only a location, only a group, only an attribute filter, only a time range, or any combination of those options.

  1. Select Policy > Policy Configuration.
  2. Select User/Host Profiles.
  3. Click Add or select an existing Profile and click Modify.
  4. Click in the Name field and enter a name for this Profile.
  5. Click Select. Choose one or more device, port or SSID groups by clicking on the names in the All Groups column and clicking the right arrow to move them to the Selected Groups column.

    In the Select Location window, you can click Add Group to create a group, or click Modify Group to modify the selected group.

    Click OK to continue.

  6. Click Select. Choose one or more Host, User, or Administrator groups by clicking on the names in the All Groups column and clicking the right arrow to move them to the Selected Groups column.

    Click OK to continue.

  7. To add a filter, click Add next to the Who/What by Attribute field. These filters narrow the number of hosts to which this Profile applies.

    The Adapter, Host, User, Application Filter window displays allowing you to select one or more pieces of data to use as a filter.

  8. Click in the drop-down menu next to the When field. Select either Always or Specify Time. Always indicates that there are no time criteria to match this Profile. Specify Time allows you to choose days and times to be used as criteria for connecting hosts. Hosts must connect to the network during the selected times to match this profile.
  9. To specify a time, select Specify Time in the drop-down to display the Specify Time dialog.

    In the Time Range section enter the From and To times for the time of day that devices should be able to access the network.

    In the Days of the Week section select the days during which these devices should be allowed to access the network.

    Click OK.

  10. Click OK to save your data.
