Administration Guide

Policy assignment

Policies are applied to hosts by comparing user and host data to the user/host profile contained in each policy, in rank order, until a match is found. The example below demonstrates this process.

Types

| Policy Type | Location | Groups | Attributes | Time | Host Notes |
|---|---|---|---|---|---|
| Location Based | One or more Port or Device Groups | Any | None | Always | Host connects to a port or device in one of the selected groups and is assigned this policy. |
| Role Based | Any | Any | User Role = (Role Name) | Always | Host connects to the network. If the logged in user has the selected role, the host is assigned this policy. |
| Role Based | Any | Any | Host Role = (Role Name) | Always | Host connects to the network. If the host has the selected role, it is assigned this policy. |
| Security and Access Attribute Value | Any | Any | User SaaV = (Attribute Value) | Always | Host connects to the network. If the logged in user has the selected Security and Access Value, the host is assigned this policy. |
| Group Based | Any | User Group1, User Group2 | None | Always | Host connects to the network. If the logged in user is a member of either one of the selected groups, the host is assigned this policy. |
| Group Based | Any | Host Group1, Host Group2 | None | Always | Host connects to the network. If the host is a member of either one of the selected groups, it is assigned this policy. |
| Guest | Any | Any | Guest Role = Role Name | Always | Host connects to the network. If the Guest has the selected role, the host is assigned this policy. |
| Registration | Any | Any | Host = Rogue | Always | Host connects to the network. If the host is a rogue, it is assigned this policy. |
| Remediation | Any | Any | Host State = At Risk | Always | Host connects to the network. If the host state is At Risk, it is assigned this policy. |
| VPN | Any | Any | Host = VPN Client | Always | Host connects to the network. If the host is a VPN Client, it is assigned this policy. |
| Time of Day | Any | Any | None | Monday - Friday 9 am to 5 pm | Host connects to the network. If the connection time is on any day Monday through Friday and between 9 am and 5 pm, it is assigned this policy. |
| Default or Catch All | Any | Any | None | None | This policy will match ALL hosts and users. Host connects to the network. If the host does not match any other policy, it is assigned this policy. When this policy is reached, no other policies after it will be considered. |

Example endpoint compliance policy

The example below outlines how FortiNAC would choose an endpoint compliance policy for a specific host.

Assume the Host has the following characteristics:

  • Connects on a port that is contained within the Library Ports group.
  • Host is a member of the Accounting Group and the Finance Group.
  • Host is running a Persistent Agent.
  • Logged in user has a Role called Management.
  • Logged in user has a Security and Access Attribute value of Accounting.

| Rank | Policy | Location | Groups | Attributes | Process |
|---|---|---|---|---|---|
| 1 | Policy A | Port Group = Lobby Ports | Accounting | Filter1 = User Role "Staff" | Location - Not a match. Group - Matches. Filter1 - Not a match. Go to the next policy. |
| 2 | Policy B | Port Group = Library Ports | Accounting | Filter1 = User Role "Management" and User Security and Access Value "Human Resources"; Filter2 = User Role "Staff" | Location - Matches. Group - Matches. Filter1 - Does not match both pieces of data. Filter2 - Does not match. Go to the next policy. |
| 3 | Policy C | Port Group1 = Lobby Ports; Port Group2 = Second Floor Ports | Finance, Admin | Filter1 = User Role "Staff" and User Security and Access Value "Accounting"; Filter2 = User Role "Management" and Host has Persistent Agent | Location - Not a match for either location. Group - Matches Finance group. Filter1 - Does not match both pieces of data. Filter2 - Matches all data. In this case, the fact that neither location matches prevents the host from getting this policy. In the Group field, the host or user need only match one group. In the filter field, the host or user need only match one filter, as long as it matches all parts of that filter. Go to the next policy. |
| 4 | Policy D | Any | Finance, Admin | Filter1 = User Role "Management" and Host has Persistent Agent; Filter2 = User Role "Executives" and Host has Persistent Agent | Location - No location selected, so this field is not used. Group - Matches Finance group. Filter1 - Matches all data. Filter2 - Does not match both pieces of data. This policy is selected for the host because Location is irrelevant, one group matches and one filter matches. |
| 5 | Policy E | Port Group1 = Library Ports; Port Group2 = Second Floor Ports | Finance, Admin | Filter1 = User Role "Management" and Host has Persistent Agent; Filter2 = User Role "Executives" and Host has Persistent Agent | Location - Matches Port Group1. Group - Matches Finance group. Filter1 - Matches all data. Filter2 - Does not match both pieces of data. This policy is not selected because policies are checked in order by rank. The policy in rank 4 has already been selected, even though this policy matches on more points. You must be careful about the order of the policies to ensure that the correct policy is applied to a host. |
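To make the matching rules concrete (first match in rank order; Location and Groups each need only one selected group to match; Attributes need only one filter, but every part of that filter; a field left at Any or None is not evaluated), the following is an added Python evaluator that walks Policies A to E from the example above against the example host. It is example code written for this page, not FortiNAC's own implementation: the Host and Policy field names, the predicate helpers and the shadowed_policies check are assumptions made for the example. It also covers the Default or Catch All row of the Types table, since a policy with every field left at Any/None matches every host.

```python
# Added example, not FortiNAC's own code: a first-match evaluator for the policy
# assignment rules described on this page. Field names (port_groups, user_saav,
# persistent_agent, ...) and the predicate helpers are assumptions for the example.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Host:
    port_groups: set            # port/device groups containing the connecting port
    groups: set                 # user and host group memberships
    user_roles: set
    user_saav: set              # Security and Access Attribute values of the logged-in user
    persistent_agent: bool = False


Predicate = Callable[[Host], bool]


@dataclass
class Policy:
    rank: int
    name: str
    locations: set = field(default_factory=set)   # empty set = "Any": field not evaluated
    groups: set = field(default_factory=set)      # empty set = "Any": field not evaluated
    filters: list = field(default_factory=list)   # list of filters, each a list of predicates; empty = "None"


# Predicate builders for the attribute filters used in the example table.
def user_role(name: str) -> Predicate:
    return lambda h: name in h.user_roles


def user_saav(value: str) -> Predicate:
    return lambda h: value in h.user_saav


def has_persistent_agent(h: Host) -> bool:
    return h.persistent_agent


def policy_matches(policy: Policy, host: Host) -> bool:
    """Location: any one selected group. Groups: any one group. Attributes: any one
    filter, but every part of that filter. A field left at Any/None is skipped."""
    if policy.locations and not (policy.locations & host.port_groups):
        return False
    if policy.groups and not (policy.groups & host.groups):
        return False
    if policy.filters and not any(all(p(host) for p in f) for f in policy.filters):
        return False
    return True


def assign_policy(policies: list, host: Host) -> Optional[str]:
    """First match in rank order wins; policies ranked after it are never considered."""
    for policy in sorted(policies, key=lambda p: p.rank):
        if policy_matches(policy, host):
            return policy.name
    return None


def shadowed_policies(policies: list, host: Host) -> list:
    """Lower-ranked policies that would also match this host. A ranking review aid:
    such a policy is never applied to the host, whatever it matches on."""
    matching = [p.name for p in sorted(policies, key=lambda p: p.rank) if policy_matches(p, host)]
    return matching[1:]


# Policies A-E and the host, transcribed from the example table on this page.
EXAMPLE_POLICIES = [
    Policy(1, "Policy A", {"Lobby Ports"}, {"Accounting"}, [[user_role("Staff")]]),
    Policy(2, "Policy B", {"Library Ports"}, {"Accounting"},
           [[user_role("Management"), user_saav("Human Resources")], [user_role("Staff")]]),
    Policy(3, "Policy C", {"Lobby Ports", "Second Floor Ports"}, {"Finance", "Admin"},
           [[user_role("Staff"), user_saav("Accounting")], [user_role("Management"), has_persistent_agent]]),
    Policy(4, "Policy D", set(), {"Finance", "Admin"},
           [[user_role("Management"), has_persistent_agent], [user_role("Executives"), has_persistent_agent]]),
    Policy(5, "Policy E", {"Library Ports", "Second Floor Ports"}, {"Finance", "Admin"},
           [[user_role("Management"), has_persistent_agent], [user_role("Executives"), has_persistent_agent]]),
]

EXAMPLE_HOST = Host(port_groups={"Library Ports"}, groups={"Accounting", "Finance"},
                    user_roles={"Management"}, user_saav={"Accounting"}, persistent_agent=True)

if __name__ == "__main__":
    print("selected:", assign_policy(EXAMPLE_POLICIES, EXAMPLE_HOST))      # Policy D
    print("shadowed:", shadowed_policies(EXAMPLE_POLICIES, EXAMPLE_HOST))  # ['Policy E']
```

Running it selects Policy D and reports Policy E as shadowed: E matches the host on more points but sits below the first match, so it is never reached. Listing the shadowed policies for a representative host before changing ranks is the check the last row of the table calls for; moving Policy E above Policy D in the list changes the result to Policy E.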
