
FortiNAC Manager

9.4.0

Policy & Objects

Policies are assigned to hosts based on the user/host profile associated with each policy. User/host profiles allow you to select one or more pieces of user or host data to match with users and hosts and determine which policy is applied to that host. Policies are ranked in priority starting with number 1. When a host requires a particular service, such as network access, the host and user data are compared to the user/host profile in each policy starting with the first policy in the list. If the host and user do not match criteria in the first policy, the next one is checked until a match is found.

Types of data used to determine whether or not the host/user is a match include the following:

Who/What

  Attributes: A host or user must meet all parameters within a single filter, but is only required to match one filter in the list. The attribute must be known at the time of connection. See Filter example.

  RADIUS Attributes: Used to match against endpoints pre- and post-authentication.

  Groups:

  • Any — Matches any group.

  • Any Of — Matches any of the listed groups. Does not have to match every group, but has to match at least one group that has been selected.

  • All Of — Has to match every group that has been selected.

  • None Of — Has to match none of the groups that have been selected.

Where: One or more port or device groups. A user/host profile can include more than one port or device group; however, the connection location only needs to be contained in one of the selected groups. If the Where field is empty it is set to Any, indicating that location is not used as criteria for the match, so any host connection location is a match.

When: Allows you to create matches based on the current time. If Always is selected, time of day is not used. If Specify Time is selected, the current time must be within the days and times included in the list for the host to be a match.

The host/user must match at least one item in each field that contains criteria other than Any. If the host/user does not match something in all fields, the policy is not selected and the next policy is checked.

A host that has had a policy applied based on time of day may be moved to a different policy when the time window in the current policy has passed. For example, the host may be moved to another VLAN or disconnected from the network when the time window in the applied endpoint compliance policy has passed. Hosts are re-evaluated frequently, such as when the device they are connected to is polled or when the Persistent Agent contacts the server. If another policy applies to this host, the host is given the configuration parameters of that new policy.

There may be more than one Policy that is a match for this host/user; however, the first match found is the one that is used.

Policy assignments are not permanent. Each time a host is re-evaluated by FortiNAC Manager, the user/host profile data is re-evaluated and a Policy is selected.
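The matching rules above (ordered policies, first match wins, all criteria fields other than Any must match, a host re-evaluated outside its time window falls through to the next policy) can be modelled in a few lines. The following is an added example written for this page, not FortiNAC code; the attribute names, group names, port-group names and policy names are constructed for illustration, and the way a real profile stores its fields is assumed.

```python
# Added example (not FortiNAC code): a model of the first-match policy
# selection described above. All names and sample data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass
class Host:
    """Facts known about a connecting host/user at evaluation time."""
    attributes: dict          # e.g. {"role": "staff"}; attribute names are constructed
    groups: set               # user/host groups the host belongs to
    location_groups: set      # port/device groups that contain the connection point


@dataclass
class Profile:
    """User/host profile: every field with criteria other than Any must match."""
    # Who/What by attribute: all parameters within one filter, any filter in the list
    attribute_filters: list = field(default_factory=list)
    # Who/What by group: "Any", "Any Of", "All Of" or "None Of" over `groups`
    group_mode: str = "Any"
    groups: set = field(default_factory=set)
    # Where: port/device groups; an empty set means Any
    where: set = field(default_factory=set)
    # When: None means Always; otherwise (weekday, start, end) windows, Monday = 0
    when: Optional[list] = None


@dataclass
class Policy:
    rank: int                 # rank 1 is evaluated first
    name: str
    profile: Profile


def attributes_match(filters, attrs):
    """No filters means the field is not used; otherwise one filter must fully match."""
    if not filters:
        return True
    return any(all(attrs.get(k) == v for k, v in f.items()) for f in filters)


def groups_match(mode, wanted, have):
    """The four group modes from the Groups field."""
    if mode == "Any":
        return True
    if mode == "Any Of":
        return bool(wanted & have)
    if mode == "All Of":
        return wanted <= have
    if mode == "None Of":
        return not (wanted & have)
    raise ValueError(f"unknown group mode: {mode}")


def where_match(where, location_groups):
    """The connection location only has to be in one of the selected groups."""
    return not where or bool(where & location_groups)


def when_match(windows, now):
    """Always (None) or inside at least one day/time window."""
    if windows is None:
        return True
    return any(now.weekday() == day and start <= now.time() <= end
               for day, start, end in windows)


def profile_matches(p, host, now):
    return (attributes_match(p.attribute_filters, host.attributes)
            and groups_match(p.group_mode, p.groups, host.groups)
            and where_match(p.where, host.location_groups)
            and when_match(p.when, now))


def select_policy(policies, host, now):
    """Walk policies in rank order; the first match is used, None if nothing matches."""
    for policy in sorted(policies, key=lambda p: p.rank):
        if profile_matches(policy.profile, host, now):
            return policy
    return None


# Constructed sample policies: staff in office hours, staff after hours, then a catch-all.
BUSINESS_HOURS = [(day, time(8, 0), time(18, 0)) for day in range(5)]
POLICIES = [
    Policy(1, "Staff-Office-Hours", Profile(attribute_filters=[{"role": "staff"}],
                                            group_mode="Any Of", groups={"Staff"},
                                            where={"Bldg-A-Ports"}, when=BUSINESS_HOURS)),
    Policy(2, "Staff-After-Hours", Profile(attribute_filters=[{"role": "staff"}],
                                           group_mode="Any Of", groups={"Staff"})),
    Policy(3, "Guest", Profile()),  # every field Any: matches anything that reaches it
]
STAFF_HOST = Host({"role": "staff"}, {"Staff"}, {"Bldg-A-Ports"})
GUEST_HOST = Host({"role": "visitor"}, {"Guests"}, {"Bldg-A-Ports"})


def run_scenarios():
    """Re-evaluate the same staff host inside and outside its window (2024-03-12 is a Tuesday)."""
    return {
        "staff_10am": select_policy(POLICIES, STAFF_HOST, datetime(2024, 3, 12, 10, 0)).name,
        "staff_10pm": select_policy(POLICIES, STAFF_HOST, datetime(2024, 3, 12, 22, 0)).name,
        "guest": select_policy(POLICIES, GUEST_HOST, datetime(2024, 3, 12, 10, 0)).name,
    }


if __name__ == "__main__":
    for scenario, name in run_scenarios().items():
        print(f"{scenario}: {name}")
```

The second scenario is the re-evaluation case from the text: the same staff host that matched policy 1 at 10:00 no longer matches it at 22:00, so evaluation falls through to policy 2 and the host receives that policy's parameters. Policy 3 has every field left at Any and only catches hosts that nothing ranked above it claims, which is why rank order, not just profile contents, decides the outcome.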

Note

Policy Consistency Check

FortiNAC runs the Consistency Check on policies before applying new policies. This process is handled at the OS level to keep the policy objects synchronized and consistent across the FortiNAC CA devices managed by the FortiNAC Manager.