Administration Guide

Implementation

  • Determine which device(s) will be used to support a specific network access policy.
  • Configure the device(s) with the VLAN or Interface ID information for the network access policy. Note: Network Access Policy application to switches without the specified VLAN configured may cause unexpected results.

  • Create a device group and add the device(s) for each set of devices that will be used for network access policies. For example, you might have a group of devices that provide network access in Building A. That group of devices will provide different types of access than the devices in Building B; therefore, you would create two separate device groups. See Groups view for information on groups.
  • If only some ports on a device or devices will be used for network access policies, you can place just the required ports in a Port group specifically for use in network access policies. First, determine which ports will participate in network access policies and place those ports in the Role Based Access Group. Ports that are not in this group cannot apply policies. Once ports are in the Role Based Access Group, place them in groups that will be associated with specific user/host profiles and network access policies. See Groups view for information on groups.

    Ports that are designated as connection locations for network access policies are typically included in the Role Based Access Group. If a port is used in a policy but is not included in the Role Based Access Group, devices connecting to that port are placed in the default VLAN entered on model configuration for that device. They are not placed on the VLAN defined for the network access policy.

  • Determine which hosts or users will receive which network access. Create user/host profiles that match each set of users or hosts that require different treatment. For example, if you want your Executives on VLAN 10 and your Admin Staff on VLAN 20, you must create a user/host profile for each set of users. See User/host profiles.
  • Create a network access configuration for each VLAN, CLI configuration or VPN Group Policy that you wish to assign to connecting hosts. See Network access configurations.
  • Create your network access policies by mapping a user/host profile to a network access configuration. See Network access policies.
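The following is an added example that models how the objects created in the steps above fit together; it is not FortiNAC code or configuration. Devices, ports, VLAN numbers, the Role Based Access Group membership and the host records are constructed, the profile matching rule (a directory group name) is a stand-in for whatever criteria a real user/host profile uses, and two behaviours are choices of this model rather than documented product behaviour: the first matching policy wins, and a policy whose VLAN is not configured on the switch is refused and reported instead of being applied. What the model does reproduce from the text is the precedence that matters for a deployment check: a port outside the Role Based Access Group never applies a policy, so the connecting host lands on the device's model-configuration default VLAN.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Device:
    name: str
    default_vlan: int                        # default VLAN from the model configuration
    configured_vlans: Set[int] = field(default_factory=set)


@dataclass(frozen=True)
class Port:
    device_name: str
    number: int


@dataclass
class UserHostProfile:
    name: str
    required_group: str                      # constructed matching rule: a directory group name

    def matches(self, host: Dict) -> bool:
        return self.required_group in host.get("groups", ())


@dataclass
class NetworkAccessConfiguration:
    name: str
    vlan: int


@dataclass
class NetworkAccessPolicy:
    profile: UserHostProfile                 # who gets this treatment
    config: NetworkAccessConfiguration       # what they get
    port_group: Set[Port]                    # ports the policy is associated with


class PolicyModel:
    def __init__(self, devices: Dict[str, Device], role_based_access_group: Set[Port]):
        self.devices = devices
        self.rba_group = set(role_based_access_group)
        self.policies: List[NetworkAccessPolicy] = []

    def add_policy(self, policy: NetworkAccessPolicy) -> None:
        self.policies.append(policy)

    def assign(self, port: Port, host: Dict) -> Tuple[Optional[int], str]:
        """Return (vlan, reason) for a host connecting on `port`."""
        device = self.devices[port.device_name]
        # Ports outside the Role Based Access Group cannot apply policies.
        if port not in self.rba_group:
            return device.default_vlan, "port not in Role Based Access Group: default VLAN"
        for policy in self.policies:         # first match wins (a choice of this model)
            if port in policy.port_group and policy.profile.matches(host):
                vlan = policy.config.vlan
                if vlan not in device.configured_vlans:
                    # Step 2's note: the switch lacks the VLAN, so this model refuses
                    # to apply the policy and reports the gap for the operator.
                    return None, f"VLAN {vlan} is not configured on {device.name}"
                return vlan, f"{policy.profile.name} -> {policy.config.name}"
        return device.default_vlan, "no matching policy: default VLAN"


def build_model() -> PolicyModel:
    # Constructed inventory: Building A switch has both policy VLANs,
    # Building B switch is missing VLAN 10 (misconfiguration case).
    sw_a = Device("sw-bldgA", default_vlan=99, configured_vlans={10, 20, 99})
    sw_b = Device("sw-bldgB", default_vlan=99, configured_vlans={20, 99})
    rba_group = {Port("sw-bldgA", n) for n in range(1, 5)} | {Port("sw-bldgB", 1)}

    execs = UserHostProfile("Executives", required_group="Executives")
    admins = UserHostProfile("Admin Staff", required_group="Admin Staff")
    vlan10 = NetworkAccessConfiguration("Exec VLAN", vlan=10)
    vlan20 = NetworkAccessConfiguration("Admin VLAN", vlan=20)

    model = PolicyModel({d.name: d for d in (sw_a, sw_b)}, rba_group)
    model.add_policy(NetworkAccessPolicy(execs, vlan10, rba_group))
    model.add_policy(NetworkAccessPolicy(admins, vlan20, rba_group))
    return model


def run_scenario() -> Dict[str, Tuple[Optional[int], str]]:
    model = build_model()
    exec_host = {"user": "alice", "groups": ("Executives",)}      # constructed
    admin_host = {"user": "bob", "groups": ("Admin Staff",)}      # constructed
    guest_host = {"user": "printer-7", "groups": ()}              # constructed
    return {
        "exec_on_rba_port": model.assign(Port("sw-bldgA", 1), exec_host),
        "admin_on_rba_port": model.assign(Port("sw-bldgA", 2), admin_host),
        "exec_on_non_rba_port": model.assign(Port("sw-bldgA", 5), exec_host),
        "unmatched_host": model.assign(Port("sw-bldgA", 3), guest_host),
        "exec_on_switch_missing_vlan": model.assign(Port("sw-bldgB", 1), exec_host),
    }


if __name__ == "__main__":
    for case, (vlan, reason) in run_scenario().items():
        print(f"{case:30} VLAN={vlan!s:5} {reason}")
```

Running the scenario shows the two outcomes worth verifying before a rollout: the executive on port 5 of the Building A switch gets VLAN 99 because that port was never added to the Role Based Access Group, and the same executive on the Building B switch gets no assignment at all because VLAN 10 was not configured there.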