Configuring dynamic port policy rules
Dynamic port policies allow you to specify rules that dynamically determine port policies. After you create the FortiLink policy settings, you define the dynamic port policy rules. When a rule matches the specified device patterns, the switch-controller actions control the portʼs properties.
NOTE: Visit https://filestore.fortinet.com/product-downloads/fortilink/HTFO_list.json to see a list of values for hardware vendor, type, device family, and operating system.
When you add dynamic port policy rules to the FortiLink policy settings, the rules are processed sequentially, from the first rule to the last rule. The last rule in the FortiLink policy settings should indicate the default properties for any port that has been assigned these FortiLink policy settings.
To identify devices to add to a dynamic port policy rule, try the following:
To configure dynamic port policy rules:
- Set the access mode and port policy for the port
- Set the FortiLink policy settings to the FortiLink interface
- Create the FortiLink policy settings
- Create the dynamic port policy rule
- Set how often the dynamic port policy engine runs
Set the access mode and port policy for the port
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set access-mode dynamic
                set port-policy <dynamic_port_policy>
            next
        end
    next
end
Set the FortiLink policy settings to the FortiLink interface
Enable the dynamic port policy on the FortiLink interface by specifying the FortiLink policy settings on the FortiLink interface.
config system interface
    edit fortilink
        set switch-controller-dynamic <FortiLink_policy_settings>
    next
end
Create the FortiLink policy settings
Using the GUI
- Go to WiFi & Switch Controller > FortiSwitch Port Policies.
- Click Dynamic Port Policies.
- Click Configure Dynamic Port Settings.
- Select the onboarding VLAN from the Onboarding VLAN dropdown list. The default onboarding VLAN is onboarding.
- Move the Bounce port slider to enable it if you want the link to go down and then up when the NAC mode is configured on the port.
- If you are using the dynamic port policy with FortiSwitch network access control, move the Apply rule to NAC policies slider to enable it.
- Click Next.
- When devices are matched by a dynamic port policy, you can assign those devices to a dynamic port VLAN. By default, there are six VLAN templates:
- default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
- onboarding—This VLAN is for NAC onboarding devices.
- quarantine—This VLAN contains quarantined traffic.
- rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
- video—This VLAN is dedicated for video devices.
- voice—This VLAN is dedicated for voice devices.
You can select one of the default VLAN templates, edit one of the default VLAN templates, or create a dynamic port VLAN.
- Click Submit.
Using the CLI
config switch-controller fortilink-settings
    edit <name_of_this_FortiLink_configuration>
        set inactive-timer <integer>
        set link-down-flush {enable | disable}
        config nac-ports
            set onboarding-vlan <string>
            set bounce-nac-port {enable | disable}
        end
    next
end
Create the dynamic port policy rule
Using the GUI
- On the Dynamic Port Policies page, select the dynamic port policy that you want to add dynamic port policy rules to.
- Click Edit.
- Click Create New.
- In the Name field, enter a name for the dynamic port policy rule.
- Make certain that the status is set to Enabled.
- In the Description field, enter a description of the dynamic port policy rule.
- If you want the device to match a MAC address, enable MAC Address and enter the MAC address to match.
- If you want the device to match a host name or IP address, enable Host and enter the host name or IP address to match.
- If you want the device to match a hardware vendor, enable Hardware vendor and enter the name of the hardware vendor to match in the Hardware vendor field.
This option is available in FortiOS 7.0.4 and higher.
- If you want the device to match a device family, enable Device Family and enter the name of the device family to match.
- If you want the device to match a device type, enable Type and enter the device type to match.
- If you want to assign an LLDP profile to the device that matches the specified criteria, enable LLDP profile and select the LLDP profile.
- If you want to assign a QoS policy to the device that matches the specified criteria, enable QoS policy and select the QoS policy.
- If you want to assign an 802.1X policy to the device that matches the specified criteria, enable 802.1X policy and select the 802.1X policy.
- If you want to assign a VLAN policy to the device that matches the specified criteria, enable VLAN policy and select the VLAN policy.
- Click OK.
Using the CLI
config switch-controller dynamic-port-policy
    edit <dynamic_port_policy_name>
        set description <string>
        set fortilink <FortiLink_interface_name>
        config policy
            edit <policy_name>
                set description <string>
                set status {enable | disable}
                set category {device | interface-tag}
                set hw-vendor <hardware_vendor>
                set mac <MAC_address>
                set type <device_type>
                set family <device_family_name>
                set host <host_name_or_IP_address>
                set lldp-profile <LLDP_profile_name>
                set qos-policy <QoS_policy_name>
                set 802-1x <802.1x_policy_name>
                set vlan-policy <VLAN_policy_name>
                set bounce-port-link {disable | enable}
            next
        end
    next
end
For example:
config switch-controller dynamic-port-policy
    edit DPP1
        set description "Policy for VMware devices"
        set fortilink "flink"
        config policy
            edit policy1
                set description "Rule applies only to VMware devices"
                set status enable
                set hw-vendor "VMware"
                set lldp-profile "LLDPprofile1"
                set bounce-port-link enable
            next
        end
    next
end
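The page states that rules are evaluated sequentially, first to last, and that the last rule should carry the default port properties. The following Python script is an added example, not Fortinet code: it models a rule list with the same match fields as the CLI (mac, host, hw-vendor, type, family), applies first-match evaluation to constructed device records, flags ordering mistakes (no catch-all default at the end, or a catch-all placed before other rules that can then never fire), and renders the list back into the CLI syntax shown above. The device records, the rule names other than policy1, and the case-insensitive comparison are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Match fields of a rule under "config switch-controller dynamic-port-policy > config policy".
MATCH_FIELDS = ("mac", "host", "hw_vendor", "type", "family")

# Attribute -> CLI keyword, for rendering (values taken from the page's CLI syntax).
CLI_KEYS = {
    "hw_vendor": "hw-vendor", "mac": "mac", "type": "type", "family": "family",
    "host": "host", "lldp_profile": "lldp-profile", "qos_policy": "qos-policy",
    "dot1x_policy": "802-1x", "vlan_policy": "vlan-policy",
}


@dataclass
class Device:
    """Constructed record of what the switch controller has learned about a device."""
    mac: str
    host: str = ""
    hw_vendor: str = ""
    type: str = ""
    family: str = ""


@dataclass
class Rule:
    """One 'edit <policy_name>' entry; None means that match field is not set."""
    name: str
    status: str = "enable"
    mac: Optional[str] = None
    host: Optional[str] = None
    hw_vendor: Optional[str] = None
    type: Optional[str] = None
    family: Optional[str] = None
    lldp_profile: Optional[str] = None
    qos_policy: Optional[str] = None
    dot1x_policy: Optional[str] = None
    vlan_policy: Optional[str] = None
    bounce_port_link: bool = False

    def is_catch_all(self) -> bool:
        """A rule with no match fields set matches every device (the default rule)."""
        return all(getattr(self, f) is None for f in MATCH_FIELDS)

    def matches(self, dev: Device) -> bool:
        if self.status != "enable":
            return False
        # Assumption: every field that is set must match, compared case-insensitively.
        for f in MATCH_FIELDS:
            want = getattr(self, f)
            if want is not None and want.lower() != getattr(dev, f).lower():
                return False
        return True


def first_match(rules: List[Rule], dev: Device) -> Optional[Rule]:
    """Sequential evaluation from the first rule to the last; the first hit wins."""
    for rule in rules:
        if rule.matches(dev):
            return rule
    return None


def validate_rule_order(rules: List[Rule]) -> List[str]:
    """Ordering checks to run before pushing the policy; empty list means no problems."""
    problems = []
    if not rules:
        return ["policy has no rules"]
    if not rules[-1].is_catch_all():
        problems.append(f"last rule '{rules[-1].name}' is not a catch-all default")
    for rule in rules[:-1]:
        if rule.is_catch_all() and rule.status == "enable":
            problems.append(f"rule '{rule.name}' is a catch-all, so every later rule is unreachable")
    return problems


def render_cli(policy_name: str, fortilink: str, rules: List[Rule], description: str = "") -> str:
    """Render the rule list in the FortiOS CLI syntax shown on the page."""
    lines = ["config switch-controller dynamic-port-policy", f"    edit {policy_name}"]
    if description:
        lines.append(f'        set description "{description}"')
    lines += [f'        set fortilink "{fortilink}"', "        config policy"]
    for r in rules:
        lines += [f"            edit {r.name}", f"                set status {r.status}"]
        for attr, key in CLI_KEYS.items():
            val = getattr(r, attr)
            if val is not None:
                lines.append(f'                set {key} "{val}"')
        lines.append(f"                set bounce-port-link {'enable' if r.bounce_port_link else 'disable'}")
        lines.append("            next")
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


# Constructed rule list: the page's policy1 plus an assumed phone rule and a catch-all default.
SAMPLE_RULES = [
    Rule("policy1", hw_vendor="VMware", lldp_profile="LLDPprofile1", bounce_port_link=True),
    Rule("phones", family="IP Phone", vlan_policy="voice"),
    Rule("default", vlan_policy="vlan_policy_1"),
]

if __name__ == "__main__":
    print(validate_rule_order(SAMPLE_RULES))
    print(render_cli("DPP1", "flink", SAMPLE_RULES, "Policy for VMware devices"))
```

Running the script prints an empty problem list for the sample rules and the rendered configuration; removing the default rule, or moving it to the top, produces a warning before anything is pushed to the FortiGate.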
Creating a VLAN policy
You can specify a VLAN policy to be used in the port policy. In the VLAN policy, you can specify the native VLAN to be applied, the allowed VLANs, and the untagged VLANs. You can enable or disable all defined VLANs and select whether to discard untagged or tagged frames or to not discard any frames.
config switch-controller vlan-policy
    edit <VLAN_policy_name>
        set description <policy_description>
        set fortilink <FortiLink_interface>
        set vlan <VLAN_name>
        set allowed-vlans <lists_of_VLAN_names>
        set untagged-vlans <lists_of_VLAN_names>
        set allowed-vlans-all {enable | disable}
        set discard-mode {none | all-untagged | all-tagged}
    next
end
For example:
config switch-controller vlan-policy
    edit vlan_policy_1
        set fortilink fortilink1
        set vlan default
    next
end
Set how often the dynamic port policy engine runs
In the FortiOS CLI, you can change how often the dynamic port policy engine runs. By default, it runs every 15 seconds. The range of values is 5-60 seconds.
config switch-controller system
    set dynamic-periodic-interval <5-60 seconds>
end