
Administration Guide

Network access policies


Network access policies

A network access policy consists of one user/host profile and one network access configuration. The user/host profile is used to determine the users and hosts to which this policy might apply. The network access configuration assigns the treatment those users and hosts receive when they connect to the network.

Note

Network access policies are used for registered hosts only.

The network access configuration specifies the VLAN, CLI configuration or VPN Group Policy that applies to a host that requires network access. If the user or host matches the selected user/host profile, they are given the network access defined in the configuration.

Network access policies follow a pattern such as: when anyone in group X of people connects to a device in group Y of devices, put those users on VLAN 10. Devices that are end-stations, such as a gaming device, a printer or a medical device, can be treated as if they were people. For example, if a gaming device that matches the specified user/host profile is connected to a switch that also matches the user/host profile, it can be moved to a special VLAN for gaming devices defined in the network access configuration.

Network access policies are very flexible and can be used in more complex situations. For example, network access policies can be created for medical devices that are end stations. When a medical device is connected to any port in the hospital, FortiNAC can use a network access policy that contains a CLI configuration to reduce the rate of data transfer on those ports.

Network access policies can also be used to pass a group policy to a user connecting through a VPN concentrator. When a user connects through a VPN you do not want to disconnect the user in order to move the user from one VLAN to another. However, when the user is authenticated and the authentication is returned to the VPN concentrator, FortiNAC can also send a group policy for that user. The policy can then restrict the user's network access to certain areas. Group policies are configured on the VPN concentrator. When the name of the Group policy is entered into the Access Value/VLAN field on the Network Access Configuration window, that VPN group policy is then enforced for the connecting user.

Policies are assigned based on matching data when a host requires network access. The host/user and the connection location are compared to each network access policy starting with the first policy in the list. When a policy is found where the host and user data and the connection location match the selected user/host profile, that policy is assigned. Policy assignments are not permanent. Hosts are re-evaluated frequently, such as when a switch is polled or the Persistent Agent contacts the server. When host and user data are re-evaluated a different network access policy may be selected.

Note

There may be more than one network access policy that matches this host/user; however, the first match found is the one that is used.

If you create a user/host profile with fields Where (Location) set to Any, Who/What by Group set to Any, Who/What by Attribute left blank and When set to always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To highlight this, policies below the policy with the catch all profile are grayed out and have a line through the data.

The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.
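The first-match evaluation and the Catch All shadowing described above are easiest to reason about with a small executable model. The following is an added example, not FortiNAC code: it mirrors the four user/host profile fields (Where, Who/What by Group, Who/What by Attribute, When), walks an ordered policy list and returns the first match, and reports which policies a catch-all profile makes unreachable. All policy names, groups, VLAN numbers and CLI configuration names are constructed, and the `in_schedule` callback for the When field is an assumption of this model.

```python
# Added example (not FortiNAC's code): a toy model of how an ordered list of
# network access policies is evaluated first-match, and why a "Catch All"
# user/host profile placed anywhere but last shadows every policy below it.
# All names, groups, VLAN numbers and CLI config names below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional

ANY = "Any"


@dataclass
class Connection:
    """A host/user requesting access (constructed sample data)."""
    groups: frozenset            # groups the user or host belongs to
    attributes: dict             # host attributes, e.g. {"type": "medical"}
    location: str                # device group the host connected through
    registered: bool = True


@dataclass
class UserHostProfile:
    """Mirror of the four profile fields named in the text."""
    where: str = ANY                                    # Where (Location)
    who_group: str = ANY                                # Who/What by Group
    who_attributes: dict = field(default_factory=dict)  # Who/What by Attribute
    when: str = "always"                                # When

    def is_catch_all(self) -> bool:
        """Where=Any, Group=Any, Attribute blank, When=always matches everyone."""
        return (self.where == ANY and self.who_group == ANY
                and not self.who_attributes and self.when == "always")

    def matches(self, conn: Connection, in_schedule: Callable[[str], bool]) -> bool:
        if self.where != ANY and conn.location != self.where:
            return False
        if self.who_group != ANY and self.who_group not in conn.groups:
            return False
        if any(conn.attributes.get(k) != v for k, v in self.who_attributes.items()):
            return False
        return self.when == "always" or in_schedule(self.when)


@dataclass
class NetworkAccessConfig:
    kind: str    # "vlan", "cli" or "vpn_group_policy"
    value: str   # VLAN id, CLI configuration name or VPN group policy name


@dataclass
class Policy:
    name: str
    profile: UserHostProfile
    access: NetworkAccessConfig


def assign_policy(policies: list, conn: Connection,
                  in_schedule: Callable[[str], bool] = lambda name: False) -> Optional[Policy]:
    """First-match evaluation: walk the list in order and return the first
    policy whose profile matches; later matches are never considered."""
    if not conn.registered:
        return None  # network access policies apply to registered hosts only
    for policy in policies:
        if policy.profile.matches(conn, in_schedule):
            return policy
    return None


def shadowed_policies(policies: list) -> list:
    """Names of policies that can never be assigned because a policy with a
    catch-all profile sits above them (the GUI greys these out)."""
    for i, policy in enumerate(policies):
        if policy.profile.is_catch_all():
            return [p.name for p in policies[i + 1:]]
    return []


# Constructed policies, following the "group X on device group Y -> VLAN" pattern.
STUDENTS_ON_LAB = Policy("students-lab-vlan10",
                         UserHostProfile(where="Lab switches", who_group="Students"),
                         NetworkAccessConfig("vlan", "10"))
MEDICAL_RATE_LIMIT = Policy("medical-rate-limit",
                            UserHostProfile(who_attributes={"type": "medical"}),
                            NetworkAccessConfig("cli", "rate-limit-ports"))
CATCH_ALL = Policy("catch-all", UserHostProfile(), NetworkAccessConfig("vlan", "999"))

POLICIES_MISORDERED = [STUDENTS_ON_LAB, CATCH_ALL, MEDICAL_RATE_LIMIT]  # catch-all mid-list
POLICIES_FIXED = [STUDENTS_ON_LAB, MEDICAL_RATE_LIMIT, CATCH_ALL]       # catch-all last

# Constructed connections.
STUDENT = Connection(frozenset({"Students"}), {"type": "laptop"}, "Lab switches")
MEDICAL = Connection(frozenset(), {"type": "medical"}, "Ward switches")
UNREGISTERED = Connection(frozenset(), {"type": "medical"}, "Ward switches", registered=False)

if __name__ == "__main__":
    for label, policies in (("misordered", POLICIES_MISORDERED), ("fixed", POLICIES_FIXED)):
        chosen = assign_policy(policies, MEDICAL)
        print(f"{label}: medical device -> {chosen.name if chosen else None}; "
              f"shadowed = {shadowed_policies(policies)}")
```

With the catch-all second in the list, the medical device lands on the catch-all VLAN and the rate-limiting CLI policy is never reached; moving the catch-all to the end restores the intended assignment. Running `shadowed_policies` against an export of the policy order is a cheap way to confirm the ordering before relying on it.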
