Administration Guide

Policy details

Policy Details assesses the selected host or user and displays the specific profile and policies that apply to the host at the moment the dialog was opened. User/host profiles have a time component, and hosts may be connected at different locations. Therefore, the profile and policies displayed in Policy Details now may differ from those displayed tomorrow. Policies displayed in this view include network access policies, endpoint compliance policies, Supplicant Policies and Portal Policies. Each type of policy is displayed in a separate tab that also contains a Debug Log. This log can be sent to Customer Support for analysis.

To access Policy Details from Host View:

  1. Select Hosts > Host View.
  2. Search for the appropriate host.
  3. Select the host and either right-click or click Options.
  4. From the menu, select Policy Details.

To access Policy Details from User View:

  1. Select Users > User View.
  2. Search for the appropriate user.
  3. Select the user and either right-click or click Options.
  4. From the menu, select Policy Details.

Network access settings

| Field | Definition |
| --- | --- |
| Profile Name | Name of the user/host profile that matched the selected host or user when it was assessed by Policy Details. This profile contains the required criteria for a connecting host, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated network access policy and network access configuration. See User/host profiles. |
| Policy Name | Name of the network access policy that currently applies to the host. See Network access policies. |
| Configuration Name | Name of the configuration that currently applies to the host. This is the configuration for the VLAN, CLI configuration, or VPN Group Policy for the host. See Network access configurations. |
| Access Value/VLAN | The specific network access that would be provided to the host, such as a VLAN ID or Name. |
| CLI | Name of the CLI configuration that currently applies to this host or the connection port. This field may be blank. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |
| Edit Test | Opens the Test Policy dialog where you can simulate host, adapter, and user combinations to create test scenarios for policies and profiles. See Policy simulator. |

Authentication tab settings

| Field | Definition |
| --- | --- |
| Profile Name | Name of the user/host profile that matched the selected host or user when it was assessed by Policy Details. This profile contains the required criteria for a connecting host, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated network access policy and network access configuration. See User/host profiles. |
| Policy Name | Name of the network access policy that currently applies to the host. See Network access policies. |
| Configuration Name | Name of the configuration that currently applies to the host. This is the configuration for the VLAN, CLI configuration, or VPN Group Policy for the host. See Network access configurations. |
| Authentication Method | When enabled, the selected authentication method will override all other authentication methods configured in the portal, guest/contractor template, and Persistent Agent credential configuration. |
| Authentication Enabled | Indicates whether authentication is enabled. When enabled, the user is authenticated against a directory, the FortiNAC database, or a RADIUS server when logging on to access the network. |
| Time in Production before Authentication | When a user is waiting to authenticate, the host remains in the production VLAN until this time expires. If the user fails to authenticate within the time specified, the host is moved to the authentication VLAN. |
| Time Offline before Deauthentication | Once the host is offline, the user remains authenticated for this period of time. If the host comes back online before the time period ends, the user does not have to re-authenticate. If the host comes back online after the time period ends, the user is required to re-authenticate. |
| Reauthentication Frequency | When set, this forces users to re-authenticate after the amount of time defined in this field passes since the last authentication, regardless of the host's state. The host is moved to the authentication VLAN. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |
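
The three timer fields in the Authentication tab interact, so the following added example (not Fortinet code and not part of the original guide) models how they decide VLAN placement for an online host. The `AuthTimers`, `assess` and `scenarios` names, the minute units, the handling of an offline gap exactly equal to the timer, and the assumption that a deauthenticated host gets the same time in production as a new one are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PRODUCTION, AUTHENTICATION = "production VLAN", "authentication VLAN"

@dataclass(frozen=True)
class AuthTimers:
    """Hypothetical model of three Authentication tab fields, in minutes."""
    time_in_production: int                  # Time in Production before Authentication
    time_offline: int                        # Time Offline before Deauthentication
    reauth_frequency: Optional[int] = None   # Reauthentication Frequency (None = not set)

def assess(t: AuthTimers, now: int, online_since: int,
           last_auth: Optional[int] = None,
           offline_since: Optional[int] = None) -> Tuple[str, bool]:
    """Return (vlan, user_must_authenticate) for a host that is online at `now`.

    All times are minutes on one clock. `offline_since` is when the host
    went offline before returning at `online_since` (None = no offline gap).
    """
    authenticated = last_auth is not None
    # Time Offline before Deauthentication: an offline gap longer than the
    # timer ends the session (treatment of an exactly equal gap is assumed).
    if authenticated and offline_since is not None and last_auth <= offline_since:
        if online_since - offline_since > t.time_offline:
            authenticated = False
    # Reauthentication Frequency: measured from the last authentication,
    # regardless of host state; the host is moved to the authentication VLAN.
    if authenticated and t.reauth_frequency is not None:
        if now - last_auth >= t.reauth_frequency:
            return AUTHENTICATION, True
    if authenticated:
        return PRODUCTION, False
    # Time in Production before Authentication: a host whose user has not
    # authenticated stays in production until the timer expires.
    if now - online_since < t.time_in_production:
        return PRODUCTION, True
    return AUTHENTICATION, True

def scenarios():
    """Constructed timelines showing each timer taking effect."""
    t = AuthTimers(time_in_production=5, time_offline=30, reauth_frequency=480)
    return {
        "new host, 3 min online": assess(t, now=3, online_since=0),
        "new host, 5 min online": assess(t, now=5, online_since=0),
        "authenticated, online": assess(t, now=100, online_since=0, last_auth=2),
        "back after 20 min offline": assess(t, 121, 120, last_auth=2, offline_since=100),
        "back after 40 min offline": assess(t, 141, 140, last_auth=2, offline_since=100),
        "8 h since last auth": assess(t, now=482, online_since=0, last_auth=2),
    }

if __name__ == "__main__":
    for name, (vlan, must_auth) in scenarios().items():
        print(f"{name:27} -> {vlan}, must authenticate: {must_auth}")
```

The "new host, 3 min online" case is the window in which a host has production access without an authenticated user, which is the exposure to weigh when choosing a value for Time in Production before Authentication.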

Supplicant EasyConnect tab settings

| Field | Definition |
| --- | --- |
| Profile Name | Name of the user/host profile that matched the selected host or user when it was assessed by Policy Details. This profile contains the required criteria for a connecting host, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated Supplicant Policy and supplicant configuration. See User/host profiles. |
| Policy Name | Name of the most recent Supplicant Policy that currently applies to the selected host. See Supplicant EasyConnect policies. |
| Configuration Name | Name of the configuration that applies to the selected host. This is the configuration for the supplicant on the host to allow access on a particular SSID. See Supplicant configurations. |
| SSID | Name of the SSID for which the supplicant is being configured. |
| Security | Type of encryption used for connections to this SSID, such as WEP or WPA. |
| EAP Type | Currently only PEAP is supported. Not always required. This field may be blank. |
| Cipher | Encryption/decryption method used in conjunction with the information in the Security field to secure this connection. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |

Endpoint compliance tab settings

| Field | Definition |
| --- | --- |
| Select Platform | When the Policy Details option is selected from User View, you must select the platform of the device that the user anticipates connecting to the network. The platform is used to determine the agent that would be assigned to the host. Not all platforms are displayed here, only those that support the Persistent Agent or Mobile Agent. |
| Profile Name | Name of the user/host profile that matched the selected host. This profile contains the required criteria for a connecting host, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated endpoint compliance policy and endpoint compliance configuration. See User/host profiles. |
| Policy Name | Name of the endpoint compliance policy currently applied to the selected host. See Endpoint compliance policies. |
| Configuration Name | Name of the configuration that currently applies to the selected host. This is the configuration for the Scan and Agent for the host. See Endpoint compliance configurations. |
| Scan Name | Name of the scan that would be used to evaluate this host. See Scans. |
| Detected Platform | The device type, such as iPhone or Android, that FortiNAC thinks the host is, based on the information currently available in the system. |
| Agent | Agent setting that would be applied to the host. Determines whether or not an agent is used and which agent is required. Agent settings are selected in the endpoint compliance configuration. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |

Portal tab settings

| Field | Definition |
| --- | --- |
| Profile Name | Name of the user/host profile that matched the selected host or user when it was assessed by Policy Details. This profile contains the required criteria for a connecting host, such as connection location. Host connections that match the criteria within the user/host profile are assigned the associated portal configuration. See User/host profiles. |
| Policy Name | Name of the Portal Policy that was applied to the host. See Portal policies. |
| Configuration Name | Name of the portal configuration that applied to the host. See Portal content editor. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |
