Devices Managed by FortiOS

Configuring dynamic port policy rules

Dynamic port policies allow you to specify rules that dynamically determine port policies. After you create the FortiLink policy settings, you define the dynamic port policy rules. When a rule matches the specified device patterns, the switch-controller actions control the portʼs properties.

NOTE: Visit https://filestore.fortinet.com/product-downloads/fortilink/HTFO_list.json to see a list of values for hardware vendor, type, device family, and operating system.

The rules in a dynamic port policy are processed in order, from the first rule to the last, and the first rule that matches a device decides the port's properties. Put specific rules before general ones: a broadly matching rule placed early shadows every rule after it. The last rule should set the default properties for any port that has been assigned this dynamic port policy, so that a device no other rule matches never keeps whatever the port happened to have before.

To identify devices to add to a dynamic port policy rule, try the following:

  • Use the diagnose user device list command to see the devices connected to your FortiGate device.

  • Use the FortiGuard Device Detection service (https://www.fortiguard.com/learnmore#dds) to look up information about an IoT device from its MAC address.

Keep in mind that a MAC address, host name, or IP address, and the vendor, type, and family values derived from them, are reported by the endpoint and can be spoofed. Dynamic port policy rules are a provisioning convenience, not an authentication control; when a rule assigns a VLAN that reaches sensitive resources, consider assigning an 802.1X policy in the same rule as well.

To configure dynamic port policy rules:
  1. Set the access mode and port policy for the port
  2. Set the FortiLink policy settings to the FortiLink interface
  3. Create the FortiLink policy settings
  4. Create the dynamic port policy rule
  5. Set how often the dynamic port policy engine runs

Set the access mode and port policy for the port

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set access-mode dynamic
                set port-policy <dynamic_port_policy>
            next
        end
    next
end

Set the FortiLink policy settings to the FortiLink interface

Enable the dynamic port policy on the FortiLink interface by specifying the FortiLink policy settings on the FortiLink interface.

config system interface
    edit fortilink
        set switch-controller-dynamic <FortiLink_policy_settings>
    next
end

Create the FortiLink policy settings

Using the GUI
  1. Go to WiFi & Switch Controller > FortiSwitch Port Policies.
  2. Click Dynamic Port Policies.
  3. Click Configure Dynamic Port Settings.
  4. Select the onboarding VLAN from the Onboarding VLAN dropdown list. The default onboarding VLAN is onboarding.
  5. Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
  6. If you are using the dynamic port policy with FortiSwitch network access control, move the Apply rule to NAC policies slider to enable it.
  7. Click Next.
  8. When devices are matched by a dynamic port policy, you can assign those devices to a dynamic port VLAN. By default, there are six VLAN templates:
    • default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
    • onboarding—This VLAN is for NAC onboarding devices.
    • quarantine—This VLAN contains quarantined traffic.
    • rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
    • video—This VLAN is dedicated for video devices.
    • voice—This VLAN is dedicated for voice devices.

    You can select one of the default VLAN templates, edit one of the default VLAN templates, or create a dynamic port VLAN.

  9. Click Submit.
Using the CLI

config switch-controller fortilink-settings
    edit <name_of_this_FortiLink_configuration>
        set inactive-timer <integer>
        set link-down-flush {enable | disable}
        config nac-ports
            set onboarding-vlan <string>
            set bounce-nac-port {enable | disable}
        end
    next
end

Create the dynamic port policy rule

Using the GUI
  1. On the Dynamic Port Policies page, select the dynamic port policy that you want to add dynamic port policy rules to.
  2. Click Edit.
  3. Click Create New.
  4. In the Name field, enter a name for the dynamic port policy rule.
  5. Make certain that the status is set to Enabled.
  6. In the Description field, enter a description of the dynamic port policy rule.
  7. If you want the device to match a MAC address, enable MAC Address and enter the MAC address to match.
  8. If you want the device to match a host name or IP address, enable Host and enter the host name or IP address to match.
  9. If you want the device to match a hardware vendor, enable Hardware vendor and enter the name of the hardware vendor to match in the Hardware vendor field.

    This option is available in FortiOS 7.0.4 and higher.

  10. If you want the device to match a device family, enable Device Family and enter the name of the device family to match.
  11. If you want the device to match a device type, enable Type and enter the device type to match.
  12. If you want to assign an LLDP profile to the device that matches the specified criteria, enable LLDP profile and select the LLDP profile.
  13. If you want to assign a QoS policy to the device that matches the specified criteria, enable QoS policy and select the QoS policy.
  14. If you want to assign an 802.1x policy to the device that matches the specified criteria, enable 802.1X policy and select the 802.1x policy.
  15. If you want to assign a VLAN policy to the device that matches the specified criteria, enable VLAN policy and select the VLAN policy.
  16. Click OK.
Using the CLI

config switch-controller dynamic-port-policy
    edit <dynamic_port_policy_name>
        set description <string>
        set fortilink <FortiLink_interface_name>
        config policy
            edit <policy_name>
                set description <string>
                set status {enable | disable}
                set category {device | interface-tag}
                set hw-vendor <hardware_vendor>
                set mac <MAC_address>
                set type <device_type>
                set family <device_family_name>
                set host <host_name_or_IP_address>
                set lldp-profile <LLDP_profile_name>
                set qos-policy <QoS_policy_name>
                set 802-1x <802.1x_policy_name>
                set vlan-policy <VLAN_policy_name>
                set bounce-port-link {disable | enable}
            next
        end
    next
end

For example:

config switch-controller dynamic-port-policy
    edit DPP1
        set description "Policy for VMware devices"
        set fortilink "flink"
        config policy
            edit policy1
                set description "Rule applies only to VMware devices"
                set status enable
                set hw-vendor "VMware"
                set lldp-profile "LLDPprofile1"
                set bounce-port-link enable
            next
        end
    next
end

Creating a VLAN policy

You can specify a VLAN policy to be used in a dynamic port policy rule. In the VLAN policy, you specify the native VLAN to apply to the port, the allowed VLANs, and the untagged VLANs. Instead of listing the allowed VLANs, you can allow all defined VLANs with allowed-vlans-all, and discard-mode selects whether the port discards untagged frames, tagged frames, or neither.

config switch-controller vlan-policy
    edit <VLAN_policy_name>
        set description <policy_description>
        set fortilink <FortiLink_interface>
        set vlan <VLAN_name>
        set allowed-vlans <lists_of_VLAN_names>
        set untagged-vlans <lists_of_VLAN_names>
        set allowed-vlans-all {enable | disable}
        set discard-mode {none | all-untagged | all-tagged}
    next
end

For example:

config switch-controller vlan-policy
    edit vlan_policy_1
        set fortilink fortilink1
        set vlan default
    next
end

Set how often the dynamic port policy engine runs

In the FortiOS CLI, you can change how often the dynamic port policy engine runs. By default, it runs every 15 seconds. The range of values is 5-60 seconds.

config switch-controller system
    set dynamic-periodic-interval <5-60 seconds>
end
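The five steps above, end to end, as an added example that is not part of Fortinet's documentation or FortiOS itself: a Python script that renders the CLI objects from the steps (the VLAN policies, the dynamic port policy and its rules, the FortiLink policy settings, the interface binding, the managed-switch port, and the engine interval) from a small model, and checks the two constraints this page states only in prose, that rules are evaluated first to last so the default rule must be last, and that dynamic-periodic-interval must lie in 5-60 seconds. The names flink, DPP1, LLDPprofile1 and vlan_policy_1 come from the page; dyn_settings, the switch serial, port5, quarantine_policy and the catch_all rule are placeholders, and treating a rule with no match criteria as the default rule is this example's own convention rather than documented FortiOS behaviour.

```python
"""Render and sanity-check a FortiOS dynamic port policy from a small model.

Added example, not Fortinet code. It emits the CLI objects from the five steps above and
enforces two constraints the page states only in prose: rules are evaluated first to last,
so the default (catch-all) rule must be last, and dynamic-periodic-interval must be 5-60 s.
Treating a rule with no match criteria as the default is this example's own convention.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class Rule:  # one entry under 'config policy' of switch-controller dynamic-port-policy
    name: str
    description: str = ""
    hw_vendor: Optional[str] = None     # match criteria: any subset may be set
    mac: Optional[str] = None
    device_type: Optional[str] = None
    family: Optional[str] = None
    host: Optional[str] = None
    lldp_profile: Optional[str] = None  # actions applied to the matched port
    dot1x_policy: Optional[str] = None
    vlan_policy: Optional[str] = None
    bounce_port_link: bool = False

    def match_criteria(self) -> Dict[str, str]:
        pairs = {"hw-vendor": self.hw_vendor, "mac": self.mac, "type": self.device_type,
                 "family": self.family, "host": self.host}
        return {k: v for k, v in pairs.items() if v}

    def is_catch_all(self) -> bool:
        return not self.match_criteria()


def check_rules(rules: List[Rule], vlan_policies: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the rule set is consistent."""
    problems = []
    for i, r in enumerate(rules):
        if r.mac and not MAC_RE.match(r.mac):
            problems.append(f"{r.name}: malformed MAC {r.mac!r}")
        if r.vlan_policy and r.vlan_policy not in vlan_policies:
            problems.append(f"{r.name}: undefined VLAN policy {r.vlan_policy!r}")
        # First match wins, so a catch-all that is not last shadows every rule after it.
        if r.is_catch_all() and i != len(rules) - 1:
            problems.append(f"{r.name}: catch-all is not last and shadows {len(rules) - 1 - i} rule(s)")
    if not rules or not rules[-1].is_catch_all():
        problems.append("last rule must be the catch-all that sets the default port properties")
    return problems


def render(fortilink: str, settings: str, serial: str, port: str, dpp: str,
           vlan_policies: Dict[str, str], rules: List[Rule],
           onboarding_vlan: str = "onboarding", interval: int = 15) -> str:
    """Return the FortiOS CLI script, or raise ValueError if the model is inconsistent."""
    if not 5 <= interval <= 60:
        raise ValueError("dynamic-periodic-interval must be 5-60 seconds")
    problems = check_rules(rules, list(vlan_policies))
    if problems:
        raise ValueError("; ".join(problems))
    out = ["config switch-controller vlan-policy"]
    for name, native in vlan_policies.items():  # native VLAN only, like vlan_policy_1 above
        out += [f"    edit {name}", f"        set fortilink {fortilink}",
                f"        set vlan {native}", "    next"]
    out += ["end", "config switch-controller dynamic-port-policy", f"    edit {dpp}",
            f"        set fortilink {fortilink}", "        config policy"]
    for r in rules:
        out += [f"            edit {r.name}", f'                set description "{r.description}"',
                "                set status enable"]
        out += [f'                set {k} "{v}"' for k, v in r.match_criteria().items()]
        for k, v in (("lldp-profile", r.lldp_profile), ("802-1x", r.dot1x_policy), ("vlan-policy", r.vlan_policy)):
            if v:
                out.append(f'                set {k} "{v}"')
        out += [f"                set bounce-port-link {'enable' if r.bounce_port_link else 'disable'}",
                "            next"]
    out += ["        end", "    next", "end",
            "config switch-controller fortilink-settings", f"    edit {settings}",
            "        config nac-ports", f"            set onboarding-vlan {onboarding_vlan}",
            "            set bounce-nac-port enable", "        end", "    next", "end",
            "config system interface", f"    edit {fortilink}",
            f"        set switch-controller-dynamic {settings}", "    next", "end",
            "config switch-controller managed-switch", f"    edit {serial}", "        config ports",
            f"            edit {port}", "                set access-mode dynamic",
            f"                set port-policy {dpp}", "            next", "        end",
            "    next", "end",
            "config switch-controller system", f"    set dynamic-periodic-interval {interval}", "end"]
    return "\n".join(out) + "\n"


# Constructed sample: flink, DPP1, LLDPprofile1, vlan_policy_1 are from the page; the rest are placeholders.
EXAMPLE_RULES = [
    Rule("policy1", "Rule applies only to VMware devices", hw_vendor="VMware",
         lldp_profile="LLDPprofile1", vlan_policy="vlan_policy_1", bounce_port_link=True),
    Rule("catch_all", "Default: unmatched devices get the quarantine VLAN", vlan_policy="quarantine_policy"),
]


def example_config() -> str:
    return render("flink", "dyn_settings", "S124DN0000000001", "port5", "DPP1",
                  {"vlan_policy_1": "default", "quarantine_policy": "quarantine"}, EXAMPLE_RULES)
```

print(example_config()) prints a script you can paste into the FortiOS CLI. The sample's default rule points unmatched devices at the built-in quarantine VLAN template rather than leaving them on whatever the port had before; that is this example's choice, but it is the least-privilege reading of the page's advice that the last rule sets the defaults. Swapping the two rules, or setting interval=4, makes render() raise with the reason instead of emitting a configuration that would silently shadow policy1.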
