Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiNAC 9.4.0 Administration Guide
    9.4.0
    9.4.0
    9.2.0
    9.1.0
    8.8.0
    8.7.0
    8.6.0
    8.5.2
    8.3.0

    Sample configurations

    Sample configurations

    The port- and host-based CLI configurations shown below are samples of different types of configurations that may help you develop your own.

    Example 1: Port based configuration - port speed

    The configuration shown below modifies the speed and duplex configuration of the port and then returns it to its normal state.

    Commands

    CLI configuration

    Set

    config t

    interface %port%

    speed 10

    duplex half

    exit

    exit

    Undo

    config t

    interface %port%

    speed auto

    duplex auto

    exit

    exit
    Example 2: Host based CLI configuration - IP address

    The configuration shown below modifies an IP address ACL on the device to switch access for the host’s IP address from the FortiNAC software DNS server to the production DNS server. When the host is restricted to the FortiNAC software DNS server, it is essentially in isolation and can be forced to register. When the host has access to the production DNS server, it can connect to the network and access the Internet.

    Commands

    CLI configuration

    Set

    config t

    ip access-list extended Nac

    1 deny udp host %ip% host 192.168.34.2 eq domain

    2 permit ip host %ip% host 192.168.105.2

    exit

    ip access-list resequence Nac 10 1

    end

    write mem

    Undo

    config t

    ip access-list extended Nac

    no deny udp host %ip% host 192.168.34.2 eq domain

    no permit ip host %ip% host 192.168.105.2

    end

    write mem

    In the example above 192.168.34.2 is the production DNS server and 192.168.105.2 is the FortiNAC software DNS server. In the second line, Nac is the name of the ACL. ACL name is case sensitive. If the name is not correct, the ACL is not modified.

    The ip access-list resequence Nac 10 1 command is important because it controls the sequence in which the host IP addresses are entered into the ACL. Starting with line 10, each IP address is added to the beginning of the list. Addresses already in the list are incremented by one.

    If FortiNAC cannot determine the IP or any data substitution value of the host, the CLI will not be run. A CLI Substitution Failure Event is generated describing the data which could not be substituted.

    Example 3: Host based CLI configuration - MAC address

    The configuration shown below modifies a MAC filtering ACL on the device to deny access to a particular MAC address sent by FortiNAC.

    Commands

    CLI configuration

    Set

    config t

    mac access-list extended Nac

    1 deny %macXXXX.XXXX.XXXX% any

    exit

    mac access-list resequence Nac 10 1

    end

    write mem

    Undo

    config t

    mac access-list extended Nac

    no deny %macXXXX.XXXX.XXXX% any

    end

    write mem

    In the example above, Nac is the name of the ACL. ACL name is case sensitive. If the name is not correct, the ACL is not modified.

    The mac access-list resequence Nac 10 1 command is important because it controls the sequence in which the host MAC addresses are entered into the ACL. Starting with line 10, each MAC address is added to the beginning of the list. Addresses already in the list are incremented by one.

    Previous
    Next

    Sample configurations

    Sample configurations

    The port- and host-based CLI configurations shown below are samples of different types of configurations that may help you develop your own.

    Example 1: Port based configuration - port speed

    The configuration shown below modifies the speed and duplex configuration of the port and then returns it to its normal state.

    Commands

    CLI configuration

    Set

    config t

    interface %port%

    speed 10

    duplex half

    exit

    exit

    Undo

    config t

    interface %port%

    speed auto

    duplex auto

    exit

    exit
    Example 2: Host based CLI configuration - IP address

    The configuration shown below modifies an IP address ACL on the device to switch access for the host’s IP address from the FortiNAC software DNS server to the production DNS server. When the host is restricted to the FortiNAC software DNS server, it is essentially in isolation and can be forced to register. When the host has access to the production DNS server, it can connect to the network and access the Internet.

    Commands

    CLI configuration

    Set

    config t

    ip access-list extended Nac

    1 deny udp host %ip% host 192.168.34.2 eq domain

    2 permit ip host %ip% host 192.168.105.2

    exit

    ip access-list resequence Nac 10 1

    end

    write mem

    Undo

    config t

    ip access-list extended Nac

    no deny udp host %ip% host 192.168.34.2 eq domain

    no permit ip host %ip% host 192.168.105.2

    end

    write mem

    In the example above 192.168.34.2 is the production DNS server and 192.168.105.2 is the FortiNAC software DNS server. In the second line, Nac is the name of the ACL. ACL name is case sensitive. If the name is not correct, the ACL is not modified.

    The ip access-list resequence Nac 10 1 command is important because it controls the sequence in which the host IP addresses are entered into the ACL. Starting with line 10, each IP address is added to the beginning of the list. Addresses already in the list are incremented by one.

    If FortiNAC cannot determine the IP or any data substitution value of the host, the CLI will not be run. A CLI Substitution Failure Event is generated describing the data which could not be substituted.

    Example 3: Host based CLI configuration - MAC address

    The configuration shown below modifies a MAC filtering ACL on the device to deny access to a particular MAC address sent by FortiNAC.

    Commands

    CLI configuration

    Set

    config t

    mac access-list extended Nac

    1 deny %macXXXX.XXXX.XXXX% any

    exit

    mac access-list resequence Nac 10 1

    end

    write mem

    Undo

    config t

    mac access-list extended Nac

    no deny %macXXXX.XXXX.XXXX% any

    end

    write mem

    In the example above, Nac is the name of the ACL. ACL name is case sensitive. If the name is not correct, the ACL is not modified.

    The mac access-list resequence Nac 10 1 command is important because it controls the sequence in which the host MAC addresses are entered into the ACL. Starting with line 10, each MAC address is added to the beginning of the list. Addresses already in the list are incremented by one.

    Previous
    Next