Administration Guide

Addresses

  1. Click System > Settings.
  2. Expand the System Communication folder.
  3. Select Addresses from the tree.

This view lists the address objects and address group objects, which can be created and modified to define the address scopes you need. Address objects can be created by subnet or by IP range, then combined into address groups. Address groups can be selected in the SSO and VPN configurations of the virtualized devices configuration view. See Virtualized Devices.

Address objects and address group objects are used to determine which FortiGate should receive SSO messages from hosts connecting to the network. Group objects allow for control over the network ranges and scopes used to filter SSO messages to each FortiGate.

Note

Previous versions of FortiNAC automatically created forwarding tables from interface addresses that existed on each FortiGate using these rules:

  1. If a host adapter was directly connected to a FortiGate (FGT), which included FGT ports, FortiLink FSW ports, FortiAPs, and VPN, FortiNAC (FNAC) would only send SSO messages to that FGT, regardless of whether other FGTs had interfaces whose IP addresses matched the same IP address scope as the host adapter.
  2. If a host adapter was connected to a non-FGT network device that was being managed by FNAC, SSO messages would be sent only to those FGTs that contained an interface with an IP in the same network scope as the host adapter.

Note: The above two rules could be overridden for individual FGTs by using a FNAC device model attribute named ForceSSO. When added to a FGT model and set to true, it indicated that the FGT should receive all SSO messages without any IP interface filtering.
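The two legacy rules and the ForceSSO override can be modeled as follows. This is an added example, not FortiNAC code; the FortiGate class, the legacy_sso_recipients function and the sample inventory are hypothetical names and constructed data (IPv4 only).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class FortiGate:                 # hypothetical model, not a FortiNAC object
    name: str
    interfaces: list             # interface addresses in CIDR form
    force_sso: bool = False      # models the ForceSSO device model attribute

    def has_interface_in_scope(self, host_ip):
        ip = ipaddress.ip_address(host_ip)
        return any(ip in ipaddress.ip_interface(i).network
                   for i in self.interfaces)

def legacy_sso_recipients(host_ip, fortigates, direct_fgt=None):
    """Return the names of the FortiGates that get the SSO message.

    direct_fgt names the FortiGate the host adapter is directly connected to
    (FGT port, FortiLink FSW port, FortiAP or VPN); None means the host sits
    behind a non-FGT device managed by FortiNAC.
    """
    recipients = set()
    for fgt in fortigates:
        if fgt.force_sso:
            recipients.add(fgt.name)        # override: no interface filtering
        elif direct_fgt is not None:
            if fgt.name == direct_fgt:      # rule 1: only the connected FGT
                recipients.add(fgt.name)
        elif fgt.has_interface_in_scope(host_ip):
            recipients.add(fgt.name)        # rule 2: interface in same scope
    return sorted(recipients)

# Constructed sample inventory
FGTS = [
    FortiGate("fgt-hq", ["10.1.0.1/24", "10.2.0.1/24"]),
    FortiGate("fgt-branch", ["10.2.0.2/24"]),
    FortiGate("fgt-core", ["172.16.0.1/16"], force_sso=True),
]

if __name__ == "__main__":
    # Directly connected to fgt-hq: fgt-branch is skipped despite its
    # matching 10.2.0.0/24 interface.
    print(legacy_sso_recipients("10.2.0.50", FGTS, direct_fgt="fgt-hq"))
    # Same host behind a non-FGT device: every FGT with a matching interface.
    print(legacy_sso_recipients("10.2.0.50", FGTS))
```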

The first time FortiNAC accesses each FortiGate, as the system starts, it automatically populates the address and address group tables using the same process as in previous versions of FortiNAC. To expand the scope of FortiGates to which SSO messages should be sent for those direct connections, an option can be configured. This can be done with the following command, run from the FNAC command shell:

globaloptiontool -name sso.expand.scope -set true

These objects can then be utilized or modified to the user's preferences.

Note that addresses are only read from FortiGates that have Fabric Connectors configured for FortiNAC. If no such Fabric Connectors exist, no addresses will be read or created. This is done only once for each FortiGate, so once the addresses are created for a FortiGate, later changes to that FortiGate do not affect the existing address objects. All changes to the address objects after they are initialized must be made manually.
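Because the address objects are populated once and then maintained by hand, it is worth checking periodically that a FortiGate's current interface networks are still covered by its address group. The following is an added example, not FortiNAC code: the tuple format for address objects, the function names and the sample data are assumptions made for illustration (IPv4 only), and the inputs would have to be exported from your own systems.

```python
import ipaddress

def expand(obj):
    """Turn one address object into a list of networks.

    Assumed formats: ("subnet", "10.1.0.0/24") or
    ("range", "10.2.0.0", "10.2.0.127").
    """
    if obj[0] == "subnet":
        return [ipaddress.ip_network(obj[1])]
    first, last = (ipaddress.ip_address(a) for a in obj[1:3])
    return list(ipaddress.summarize_address_range(first, last))

def uncovered(interface_cidrs, group):
    """Return the parts of the interface networks that no address object
    in the group covers, as a sorted list of networks."""
    covered = list(ipaddress.collapse_addresses(
        n for obj in group for n in expand(obj)))
    gaps = []
    for cidr in interface_cidrs:
        remaining = [ipaddress.ip_interface(cidr).network]
        for cov in covered:
            nxt = []
            for net in remaining:
                if net.subnet_of(cov):
                    continue                          # fully covered
                if cov.subnet_of(net):
                    nxt.extend(net.address_exclude(cov))  # partly covered
                else:
                    nxt.append(net)                   # disjoint
            remaining = nxt
        gaps.extend(remaining)
    return sorted(ipaddress.collapse_addresses(gaps))

# Constructed sample: address group created at first contact ...
GROUP = [("subnet", "10.1.0.0/24"), ("range", "10.2.0.0", "10.2.0.127")]
# ... and the interfaces the FortiGate has today.
IFACES = ["10.1.0.1/24", "10.2.0.1/24", "10.9.0.1/24"]

if __name__ == "__main__":
    for net in uncovered(IFACES, GROUP):
        print("not covered by address group:", net)
```

Any network reported here is a scope for which SSO messages would not match the group until the address objects are updated manually.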
