Policy assignment
Policies are applied to hosts by comparing user and host data to the user/host profile contained in the each policy until a match is found. The example below demonstrates this process.
Types
Policy Type |
Location |
Groups |
Attributes |
Time |
Host Notes |
---|---|---|---|---|---|
Location Based |
One or more Port or Device Groups |
Any |
None |
Always |
Host connects to a port or device in one of the selected groups and is assigned this policy. |
Role Based |
Any |
Any |
User Role = (Role Name) |
Always |
Host connects to the network. If the logged in user has the selected role, the host is assigned this policy. |
Role Based |
Any |
Any |
Host Role = (Role Name) |
Always |
Host connects to the network. If the host has the selected role, it is assigned this policy. |
Security and Access Attribute Value |
Any |
Any |
User SaaV = (Attribute Value) |
Always |
Host connects to the network. If the logged in user has the selected Security and Access Value, the host is assigned this policy. |
Group Based |
Any |
User Group1 User Group2 |
None |
Always |
Host connects to the network. If the logged in user is a member of either one of the selected groups, the host is assigned this policy. |
Group Based |
Any |
Host Group1 Host Group2 |
None |
Always |
Host connects to the network. If the host is a member of either one of the selected groups, it is assigned this policy. |
Guest |
Any |
Any |
Guest Role = Role Name |
Always |
Host connects to the network. If the Guest has the selected role, the host is assigned this policy. |
Registration |
Any |
Any |
Host = Rogue |
Always |
Host connects to the network. If the host is a rogue, it is assigned this policy. |
Remediation |
Any |
Any |
Host State = At Risk |
Always |
Host connects to the network. If the host state is At Risk, it is assigned this policy. |
VPN |
Any |
Any |
Host = VPN Client |
Always |
Host connects to the network. If the host is a VPN Client, it is assigned this policy. |
Time of Day |
Any |
Any |
None |
Monday - |
Host connects to the network. If the connection time is on any day Monday through Friday and between 9 am and 5 pm, it is assigned this policy. |
Default or |
Any |
Any |
None |
None |
This policy will match ALL hosts and users. Host connects to the network. If the host does not match any other policy, it is assigned this policy. When this policy is reached, no other policies after it will be considered. |
Example endpoint compliance policy
The example below outlines how FortiNAC would choose an endpoint compliance policy for a specific host.
Assume the Host has the following characteristics:
- Connects on a port that is contained within the Library Ports group.
- Host is a member of the Accounting Group and the Finance Group.
- Host is running a Persistent Agent.
- Logged in user has a Role called Management.
- Logged in user has a Security and Access Attribute value of Accounting.
Rank |
Policy |
Location |
Groups |
Attributes |
Process |
---|---|---|---|---|---|
1 |
Policy A |
Port Group = Lobby Ports |
Accounting |
Filter1=User Role "Staff" |
Location - Not a match Group - Matches Attribute1 - Not a Match Go to the next policy. |
2 |
Policy B |
Port Group = Library Ports |
Accounting |
Filter1=User Role "Management" and User Security and Access Value "Human Resources" Filter2=User Role "Staff" |
Location - Matches Group - Matches Filter1 - Does not match both pieces of data. Filter2 - Does not match. Go to the next policy. |
3 |
Policy C |
Port Group1 = Lobby Ports Port Group2 = Second Floor Ports |
Finance Admin |
Filter1=User Role "Staff" and User Security and Access Value "Accounting" Filter2=User Role "Management" and Host has Persistent Agent |
Location - Not a match for either location. Group - Matches Finance group Filter1 - Does not match both pieces of data. Filter2 - Matches all data. In this case, the fact that the neither location matches prevents the host from getting this policy.In the Group field, the host or user need only match one group. In the filter field, the host or user need only match one filter as long as it matches all parts of the filter. Go to the next policy. |
4 |
Policy D |
Any |
Finance Admin |
Filter1=User Role "Management" and Host has Persistent Agent Filter2=User Role "Executives" and Host has Persistent Agent |
Location - No location selected so this field is not used. Group - Matches Finance group Filter1=Matches all data Filter2=Does not match both pieces of data This policy is selected for the host because Location is irrelevant, one group matches and one filter matches. |
5 |
Policy E |
Port Group1 = Library Ports Port Group2 = Second Floor Ports |
Finance Admin |
Filter1=User Role "Management" and Host has Persistent Agent Filter2=User Role "Executives" and Host has Persistent Agent |
Location - Matches Port Group1 Group - Matches Finance group Filter1=Matches all data Filter2=Does not match both pieces of data This policy is not selected because policies are checked in order by rank. The policy in rank 4 has already been selected even though this policy matches on more points. You must be careful about the order of the policies to ensure that the correct policy is applied to a host. |