1. Click System > Settings.

  2. Expand the System Communication folder.

  3. Select Addresses from the tree.

Introduced in version 9.2, address objects and address group objects are used in the following firewall integrations:

  • FortiGate (SSO or VPN)

These objects are used to determine which firewall should receive SSO messages for hosts connecting to the network. Group objects allow for control over the network ranges and scopes used to filter SSO messages to each firewall.

Address objects can be created by subnet or by IP Range, then combined into address groups. The address groups can then be used within the Model Configuration view of the applicable device to define the scope to be managed. Groups are selected within the model using the SSO Addresses and VPN Addresses drop-down menus. See Model configuration.

Object Auto-Population

By default, the Addresses tables are empty. It is up to the administrator to define the IP address scopes desired for SSO functionality.

Address and group objects will only auto-populate if SSO was configured prior to upgrading to version 9.2 or greater. This is to ensure previous SSO functionality is maintained:

  • Prior to version 9.2, FortiNAC created internal address lists for SSO functionality. The objects are created using the same rules upon upgrade.

  • These rules include reading the FortiGate interface IP scopes and VPN configurations to determine what addresses need to be created.

  • All changes to the objects after they are created must be made manually.

  • Changes take effect during the next endpoint evaluation. This occurs after the L2 poll of the device to which the affected endpoints are connected.

Add or Modify Address Object

Configure using the table below then click OK.




Name of Address object

Message Type

Subnet or IP Range


Displays when Message Type Subnet is selected.

Enter desired subnet and mask.

Required Format: <IP address>/xx (CIDR)


IP Range

Displays when Message Type IP Range is selected.

Enter IP range

<Starting IP address> – <Ending IP address>

Example: –

Add or Modify Address Group

Configure using the table below then click OK.

Field Description
Name Name of Address Group
Members Select the drill down menu for existing Address objects or select to create a new address object. Multiple objects can be selected.

Identify the Address Group Using a Specific Address Object

Select the Address Object then select In Use above the Address table.

Example Result:

Address In Use

The Address 'FGT-IT:root:VLAN-BYOD' is in use by the following:

- Network Address Groups


Identify the Device Model or VDOM Using a Specific Address Group

Select the Address Object then select In Use above the Address table.

Sending Tags for Non-local FortiGate Connections

By default, FortiNAC does not send tags to subnets that do not terminate at that FortiGate.


  • Address group: 192.168.10.x

  • Endpoint with IP address connecting to a switch downstream of the FortiGate.

  • Endpoint with IP address connecting to a port on the FortiGate.

  • Both endpoints send their traffic through the same FortiGate.

Result: FortiNAC will send a tag to the FortiGate for but not

To allow FortiNAC to send tags for endpoints not directly connected to the FortiGate, a CLI change is required. Use the global option tool to expand the scope.

  1. Login to the FortiNAC CLI as root.

  2. Type

    globaloptiontool -name sso.expand.scope -set true


  3. In the FortiNAC UI, navigate to Network > Inventory.

  4. Right-click on the FortiGate Device Model and select Resync Interfaces.