FortiSwitch network access control

You can configure a FortiSwitch network access control (NAC) policy within FortiOS that matches devices with the specified criteria, devices belonging to a specified user group, or devices with a specified FortiClient EMS tag. Devices that match are assigned to a specific VLAN or have port-specific settings applied to them.

NAC settings are enabled automatically on the fortilink interface when the first FortiSwitch unit is discovered. If no FortiSwitch unit has been discovered yet or the NAC configuration has been deleted from the fortilink interface, you need to configure the FortiSwitch NAC settings before defining a NAC policy. See Configuring the FortiSwitch NAC settings.

Summary of the procedure

1. Define a FortiSwitch NAC VLAN. See Defining a FortiSwitch NAC VLAN.
2. Configure the FortiSwitch NAC settings. See Configuring the FortiSwitch NAC settings.
3. Create a FortiSwitch NAC policy. See Defining a FortiSwitch NAC policy.
4. View the devices that match the NAC policy. See Viewing the devices that match the NAC policy.
5. View device statistics. See Viewing device statistics.

Defining a FortiSwitch NAC VLAN

When devices are matched by a NAC policy, you can assign those devices to a FortiSwitch NAC VLAN. By default, there are six VLAN templates:

• default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
• quarantine—This VLAN contains quarantined traffic.
• rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
• voice—This VLAN is dedicated for voice devices.
• video—This VLAN is dedicated for video devices.
• onboarding—This VLAN is for NAC onboarding devices.

You can use the default onboarding VLAN, edit it, or create a new NAC VLAN. If you want to use the default onboarding NAC VLAN, specify it when you configure the FortiSwitch NAC settings. If you want to edit the default onboarding VLAN or create a new NAC VLAN, use the following procedures.

Creating a NAC VLAN

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch VLANs, click Create New, and change the following settings:

   Name	VLAN name
   VLAN ID	Enter a number (1-4094)
   Color	Choose a unique color for each VLAN, for ease of visual display.
   Role	Select LAN, WAN, DMZ, or Undefined.

2. Enable DHCP for IPv4 or IPv6.
3. Set the Administrative Access options as required.
4. Click OK.

Using the CLI:

config system interface

edit <VLAN_name>

set vlanid <1-4094>

set color <1-32>

set interface <FortiLink-enabled interface>

end

Editing a NAC VLAN

You can edit the default onboarding NAC VLAN.

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch VLANs.
2. Select the onboarding.fortilink (onboarding) NAC VLAN.
3. Click Edit.
4. Make your changes.
5. Click OK to save your changes.

Configuring the FortiSwitch NAC settings

NAC settings are enabled automatically on the fortilink interface when the first FortiSwitch unit is discovered. If no FortiSwitch unit has been discovered yet or the NAC configuration has been deleted from the fortilink interface, you need to configure the FortiSwitch NAC settings before defining a NAC policy. See Configuring the FortiSwitch NAC settings.

You can set how many minutes that NAC devices are allowed to be inactive. By default, NAC devices can be inactive for 15 minutes. The range of values is 1 to 1,440 minutes.

When NAC devices are discovered, they are assigned to the NAC onboarding VLAN. You can specify the default onboarding VLAN or specify another existing VLAN. By default, there is no NAC onboarding VLAN assigned.

When NAC devices are discovered and match a NAC policy, they are automatically authorized by default.

Starting in FortiOS 7.0.0, you can use the set nac-periodic-interval command to specify how often the NAC engine runs in case any events are missed. The range is 5 to 180 seconds, and the default setting is 60 seconds.

When NAC mode is configured on a port, the link of a switch port goes down and then up by default, which restarts the DHCP process for that device. When a link goes down, the NAC devices are cleared from the switch port that bounced. Bouncing the switch port and restarting DHCP changes the IP addresses of hosts and invalidates firewall sessions. Starting in FortiOS 7.0.1, you can avoid these problems by assigning each VLAN to a separate LAN segment.

LAN segments prevent the IP addresses of hosts from changing but still provide physical isolation. For example, the following figure shows how four LAN segments have been assigned to four separate VLANs:

The switch controls traffic between LAN segments. Enable Block Intra-VLAN Traffic in the GUI or use the set switch-controller-access-vlan command to allow or prevent traffic between hosts in a LAN segment.

An RSPAN VLAN interface cannot be a member of a LAN segment group.

LAN segments require the following:

• FortiGate devices running FortiOS 7.0.1 or higher with managed FortiSwitch units running FortiSwitchOS 7.0.1 or higher.
• To see which FortiSwitch models support this feature, refer to the FortiSwitch feature matrix.

The FortiGate device supports only one LAN segment.

LAN segments on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models have the following limitations:

• After you enable LAN segments, FortiSwitchOS automatically assigns a VLAN for internal use. This VLAN cannot be used for any other purpose. If you want to assign a different internal VLAN, type set lan-internal-vlan ? to see a range of VLANs; however, these VLANs might not be available. If no VLANs are available to be used as an internal VLAN, the LAN segment configuration returns an error message.

• These models cannot be directly connected to a FortiGate device; they should be connected using another FortiSwitch model.

• FortiSwitchOS 7.2.0 or later is required.

• All LAN segment VLANs (both primary VLANs and sub-VLANs) must belong to the same STP instance. Multiple STP instances are not supported within the same LAN segment VLANs.

• For packets coming from sub-VLANs or primary VLANs, MAC learning occurs on the internal VLAN, not the primary VLAN or sub-VLAN.

Starting in FortiSwitchOS 7.2.0 and FortiOS 7.2.0, IGMP snooping and MLD snooping are supported on FortiLink NAC LAN segments.

If you want to enable IGMP snooping in a LAN segment, IGMP snooping must be enabled on all VLANs in the segment, including the primary VLAN, sub-VLANs, and onboarding VLANs. Multicast data streams are expected to come in ONLY on the primary VLAN.

To use LAN segments:

• Configure FortiSwitch VLANs without layer-3 properties (unset the IP address, set the access mode to static, unset allowaccess, and disable the DHCP server).
• Optionally, enable Block Intra-VLAN Traffic.
• Enable LAN segments.
• Specify the NAC LAN interface.
• Specify which VLANs belong to that LAN segment.

Do not make changes after assigning a VLAN to a LAN segment. Changing VLANs assigned to LAN segments might have unexpected results.

Configuring NAC settings

Using the CLI:

config switch-controller fortilink-settings

edit <name_of_FortiLink_interface>

set inactive-timer <integer>

set link-down-flush {enable | disable}

config nac-ports

set onboarding-vlan <string>

set bounce-nac-port {enable | disable}

set lan-segment {enabled | disabled}

set nac-lan-interfaces <string>

set nac-segment-vlans <VLAN_interface_name>

end

next

end

config switch-controller system

set nac-periodic-interval <5-180 seconds>

end

For example:

config switch-controller fortilink-settings

edit "fortilink"

config nac-ports

set onboarding-vlan "onboarding"

set lan-segment enabled

set nac-lan-interface "nac_segment"

set nac-segment-vlans "voice" "video"

end

next

end

config switch-controller system

set nac-periodic-interval 100

end

Using the GUI:

1. Go to WiFi & Switch Controller > NAC Policies.

2. Select a NAC LAN and click Edit.

3. For the NAC VLAN segmentation, click Enabled.

4. From the Primary Interface dropdown list, select the primary interface. The IP address and DHCP server of the primary interface are shared by the segment VLANs.

5. From the Onboarding VLAN dropdown list, select the onboarding VLAN.

6. In the Segment VLANs field, click + and select one or more segment VLANs.

7. Click OK.

Enabling NAC on a FortiSwitch port

Using the CLI:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config ports

edit <port_name>

set access-mode nac

next

end

next

end

Using the GUI:

1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Right-click a port.
3. Select Mode > NAC.

Synchronizing MAC events

config switch interface

edit <FortiSwitch_interface>

set nac enable

end

For example:

config switch interface

edit port20

set nac enable

end

Defining a FortiSwitch NAC policy

In the FortiOS GUI, you can create four types of NAC policies:

• Device—The NAC policy matches devices with the specified MAC address, hardware vendor, device family, type, operating system, and user. See Creating a device policy. Visit https://filestore.fortinet.com/product-downloads/fortilink/HTFO_list.json to see a list of values for hardware vendor, type, device family, and operating system.
• User—The NAC policy matches devices belonging to the specified user group. See Creating a user policy.
• EMS tag—The NAC policy matches devices with the specified FortiClient EMS tag. See Creating an EMS-tag policy.
• Vulnerability—The NAC policy matches devices with the specified severity level, which indicates how vulnerable an IoT device is. See Creating a vulnerability policy.

NAC policies are matched in the order that the are listed in the configuration. You can change the order of the policies in the GUI and CLI.

Using the CLI, you can specify a MAC policy to be applied to devices that have been matched by the NAC policy. See Creating a MAC policy.

Starting in FortiOS 7.0.2, you can specify FortiSwitch groups in NAC policies instead of specifying individual managed FortiSwitch units when creating a NAC policy. In FortiOS 7.0.2, the set switch-scope command has been replaced with the set switch-group command. You can select more than one FortiSwitch group in the CLI and GUI, and the same FortiSwitch unit can be included in more than one FortiSwitch group. If no FortiSwitch group is specified in the set switch-group command, all FortiSwitch groups are used for the NAC policy.

When you upgrade to FortiOS 7.0.2, the individual FortiSwitch units selected for the NAC policy are assigned to a new FortiSwitch group, and the new FortiSwitch group replaces the individual FortiSwitch units in the NAC policy. If you downgrade from FortiOS 7.0.2, the individual FortiSwitch units in the FortiSwitch group are listed in the set switch-scope command in the NAC policy, and the set switch-group command is removed from the NAC policy.

NOTE: The FortiSwitch NAC settings must be configured before defining a FortiSwitch NAC policy. See Configuring the FortiSwitch NAC settings.

Starting in FortiOS 7.2.4 with FortiSwitchOS 7.2.2 or later, NAC supports more connected devices—up to 48 times the maximum number of managed FortiSwitch units supported on the FortiGate device. You can use the diagnose switch-controller mac-device nac known command to check the number of known devices. When 95 percent of the maximum number of devices is reached, a warning icon is displayed in the Matched NAC Devices widget in the FortiOS GUI. When the maximum number is reached, a switch-controller event is logged.

Starting in FortiOS 7.4.0 with FortiSwitchOS 7.4.0, you can use the NAC to identify Internet of Things (IoT) and Operational Technology (OT) devices that need to be patched and isolate these devices in a separate VLAN segment. You can specify how severe the IoT and OT vulnerabilities must be for the devices to be isolated

This feature requires that the FortiGate device has a valid Attack Surface Security Rating service license. You can check whether the FortiGate device has the Attack Surface Security Rating service license (FGSA) in the FortiOS CLI with the diagnose test update info command. You can also check the Attack Surface Security Rating field on the System > FortiGuard page.

Creating a device policy

A device policy matches devices with the specified criteria and then assigns a specific VLAN to those devices or applies port-level settings to those devices. You can specify the MAC address, hardware vendor, device family, type, operating system, and user for the devices to match.

By default, there is a default device policy, Onboarding VLAN, which uses the default onboarding NAC VLAN. You can use the default Onboarding VLAN policy, edit it, or create a new NAC policy.

Starting in FortiOS 7.0.1, you can configure a dynamic firewall address for devices and use it in a NAC policy. When a device matches the NAC policy, the MAC address for that device is automatically assigned to the dynamic firewall address, which can be used in firewall policies to control traffic from/to these devices. Configuring a dynamic firewall address requires setting the address type to dynamic and the address subtype to swc-tag. Using the dynamic firewall address in a NAC policy requires specifying the conditions that a device must match and setting the firewall address to the name of the dynamic firewall address.

To identify devices to add to a device policy, try the following: Use the diagnose user device list command to see devices connected to your FortiGate device. Use the FortiGuard Device Detection service (https://www.fortiguard.com/learnmore#dds) to provide information about an IoT device based on its MAC address.

Using the GUI to configure a NAC policy and a dynamic firewall address:

1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New.
3. In the Name field, enter a name for the NAC policy.

   You can enter a number as the NAC policy name, although names are string values.

4. Make certain that the status is set to Enabled.
5. Click Specify to select which FortiSwitch groups to apply the NAC policy to or click All.
6. Select Device for the category.
7. If you want the device to match a MAC address, enable MAC address and enter the MAC address to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the MAC address (for example, xx:xx:xx:**:**:**).
8. If you want the device to match a hardware vendor, enable Hardware vendor and enter the name of the hardware vendor to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the hardware vendor.
9. If you want the device to match a device family, enable Device family and enter the name of the device family to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the device family.
10. If you want the device to match a device type, enable Type and enter the device type to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the device type.
11. If you want the device to match an operating system, enable Operating system and enter the operating system to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the operating system.
12. If you want the device to match a user, enable User and enter the user name to match. Starting in FortiOS 6.4.6, you can use the wildcard * character when entering the user name.
13. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter the VLAN identifier.
14. If you do not want to bounce the switch port (administratively bringing the link down and then up) when NAC mode is configured, disable Bounce port.
15. To use a dynamic firewall address for matching a device, enable Assign device to dynamic address and, from the dropdown list, click Create.
    1. In the Name field, enter the name of the dynamic firewall address.
    2. To change the color, click Change and select the color used for the corresponding icon in the GUI.
    3. The address type is set to Dynamic by default and the subtype is set to Switch Controller NAC Policy Tag by default.
    4. For the interface, select the interface whose IP address is to be used.
    5. In the Comments field, enter a description of the dynamic firewall address.
    6. Click OK to save the dynamic firewall address.
16. Click OK to create the new NAC policy.

Using the CLI to configure a dynamic firewall address:

config firewall address

edit <name_of_dynamic_firewall_address>

set type dynamic

set sub-type swc-tag

next

end

For example:

config firewall address

edit "office_vm_device"

set type dynamic

set sub-type swc-tag

next

end

To view the dynamic MAC addresses attached to the firewall:

diagnose firewall dynamic list

Using the CLI to configure a NAC policy:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category device

set status enable

set mac <MAC_address>

set hw-vendor <hardware_vendor>

set type <device_type>

set family <device_family>

set os <operating_system>

set hw-version <hardware_version>

set sw-version <software_version>

set host <host_name>

set user <user_name>.

set src <source>

set switch-fortilink <FortiLink_interface>

set switch-group <list_of_FortiSwitch_groups>

set switch-auto-auth {enable | disable}

set switch-mac-policy <switch_mac_policy>

set firewall-address <name_of_dynamic_firewall_address>

end

For example:

config user nac-policy

edit "OFFICE_VM"

set hw-vendor "VMware"

set switch-fortilink "fortilink"

set switch-mac-policy "OFFICE_VM"

set firewall-address "office_vm_device"

next

end

Creating a user policy

A user policy matches devices that are assigned to the specified user group and then assigns a specific VLAN to those devices or applies port-level settings to those devices.

Using the GUI to create a user policy:

1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New.
3. In the Name field, enter a name for the NAC policy.

   You can enter a number as the NAC policy name, although names are string values.

4. Make certain that the status is set to Enabled.
5. Click Specify to select which FortiSwitch groups to apply the NAC policy to or click All.
6. Select User for the category.
7. Select which user group that devices must belong to.
8. If you want to assign a specific VLAN to a device assigned to the specified user group, select Assign VLAN and enter the VLAN identifier.
9. Click OK to create the new NAC policy.

Using the CLI to create a user policy:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category firewall-user user

set status enable

set user-group <name_of_user_group>

set switch-fortilink <FortiLink_interface>

set switch-group <list_of_FortiSwitch_groups>

set switch-auto-auth {enable | disable}

set switch-mac-policy <switch_mac_policy>

end

Creating an EMS-tag policy

An EMS-tag policy matches devices with a specified MAC address and then assigns a specific VLAN to those devices or applies port-level settings to those devices. The MAC address is derived from an Endpoint Management Server (EMS) tag created in FortiClient.

NOTE: The FortiClient EMS server must be 6.4.1 build 1442 or higher. FortiOS must be 6.4.2 build 1709 or higher.

Before creating an EMS-tag policy on a managed FortiSwitch unit:

1. On the FortiGate device, create a firewall policy to allow FortiClient endpoints to always reach FortiClient EMS before and after matching the FortiLink NAC policy.

2. In FortiClient EMS, group FortiClient Fabric Agent endpoints with an EMS tag.
3. In FortiClient EMS, share these endpoint groups with a FortiGate unit over the EMS connector.
4. In FortiOS, add an on-premise FortiClient EMS server to the Security Fabric:

   config endpoint-control fctems

   edit <ems_name>

   set server <ip_address>

   set certificate <string>

   next

   end

   For example:

   config endpoint-control fctems

   edit EMS_Server

   set server 1.2.3.4

   set certificate REMOTE_Cert_1

   next

   end

5. In FortiOS, verify the EMS certificate. For example:

   execute fctems verify EMS_Server

6. In FortiOS, check that the FortiGate unit and FortiClient are connected:

   diagnose user device get <FortiClient_MAC_address>

7. In FortiOS, verify which MAC addresses the dynamic firewall address resolves to:

   diagnose firewall dynamic list

Using the GUI to create an EMS-tag policy:

1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New.
3. In the Name field, enter a name for the NAC policy.

   You can enter a number as the NAC policy name, although names are string values.

4. Make certain that the status is set to Enabled.
5. Click Specify to select which FortiSwitch groups to apply the NAC policy to or click All.
6. Select EMS Tag for the category.
7. Select which FortiClient EMS tag that devices must be assigned.
8. If you want to assign a specific VLAN to a device assigned to the specified EMS tag, select Assign VLAN and enter the VLAN identifier.
9. Click OK to create the new NAC policy.

Using the CLI to create an EMS-tag policy:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category ems-tag

set ems-tag <string>

set status enable

set switch-fortilink <FortiLink_interface>

set switch-group <list_of_FortiSwitch_groups>

set switch-auto-auth {enable | disable}

set switch-mac-policy <switch_mac_policy>

next

end

For example:

config user nac-policy

edit nac_policy_1

set category ems-tag

set ems-tag MAC_FCTEMS0000108427_Low

set switch-fortilink fortilink1

next

end

Creating a vulnerability policy

To use a vulnerability policy requires to following:

• A valid Attack Surface Security Rating service license to download the IoT signature package.

• Enable device detection on the LAN interface used by the IoT devices.

• In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.

• In the CLI, enter:

  config system interface

  edit <name>

  set device-identification enable

  next

  end

• Configure a firewall policy with an application control sensor.

The NAC policy matches IoT devices with the specified severity levels, which indicate how vulnerable an IOT device is. The following severity levels are available:

• Critical (4)

• High (3)

• Medium (2)

• Low (1)

• Information (0)

Using the GUI to create a vulnerability policy:

1. Go to WiFi & Switch Controller > NAC Policies.
2. Click Create New.
3. In the Name field, enter a name for the NAC policy.

   You can enter a number as the NAC policy name, although names are string values.

4. Make certain that the status is set to Enabled.
5. For the FortiSwitches buttons, click Specify to select which FortiSwitch groups to apply the NAC policy to or click All.
6. In the Description field, enter a description of the vulnerability policy.
7. Select Vulnerability for the category.
8. For the Match buttons, click Specify and + to select one or more severity levels to match or select Severity is at least and + to specify the lowest level of severity and above to match.
9. If you want to assign a specific VLAN to the device that matches the specified criteria, select Assign VLAN and enter the VLAN identifier.
10. If you do not want to bounce the switch port (administratively bringing the link down and then up) when NAC mode is configured, disable Bounce port.
11. To use a dynamic firewall address for matching a device, enable Assign device to dynamic address and, from the dropdown list, click Create.
    1. In the Name field, enter the name of the dynamic firewall address.
    2. To change the color, click Change and select the color used for the corresponding icon in the GUI.
    3. The address type is set to Dynamic by default and the subtype is set to Switch Controller NAC Policy Tag by default.
    4. For the interface, select the interface whose IP address is to be used.
    5. In the Comments field, enter a description of the dynamic firewall address.
    6. Click OK to save the dynamic firewall address.
12. Click OK to create the new NAC policy.

Using the CLI to create a vulnerability policy:

config user nac-policy

edit <policy_name>

set description <description_of_policy>

set category vulnerability

set severity {0 | 1 | 2 | 3 | 4}

set status enable

set switch-fortilink <FortiLink_interface>

set switch-group <list_of_FortiSwitch_groups>

set switch-auto-auth {enable | disable}

set switch-mac-policy <switch_mac_policy>

next

end

For example:

config user nac-policy

edit nac_policy_1

set category vulnerability

set severity 3 4

set switch-fortilink fortilink1

next

end

Creating a MAC policy

You can apply a MAC policy to the devices that were matched by the NAC policy. You can specify which VLAN is applied, select which traffic policy is used, and enable or disable packet count.

config switch-controller mac-policy

edit <MAC_policy_name>

set description <policy_description>

set fortilink <FortiLink_interface>

set vlan <VLAN_name>

set traffic-policy <traffic_policy_name>

set count {enable | disable}

next

end

Viewing the devices that match the NAC policy

Using the GUI:

1. Go to WiFi & Switch Controller > NAC Policies.
2. Click View Matched Devices.
3. Click Refresh to update the results.

When a NAC device is matched to a NAC policy and assigned to a VLAN, an event log is created.

Using the CLI:

To show known NAC devices with a known location that match a NAC policy:

diagnose switch-controller mac-device nac known

To show pending NAC devices with an unknown location that match a NAC policy:

diagnose switch-controller mac-device nac onboarding

To view the NAC clients:

diagnose switch-controller mac-device cache

To display the NAC cache of MAC addresses on the FortiSwitch unit:

execute switch-controller get-nac-mac-cache

Viewing device statistics

Starting in FortiOS 7.2.4 with FortiSwitchOS 7.2.3, you can use the FortiOS CLI to report device statistics when NAC is enabled. The device statistics report the MAC addresses of known devices, the number of packets and bytes received, the number of seconds since the last update, and the age of the MAC counter in seconds.

Only statistics for receive counters are reported. If a device moves to a different FortiSwitch unit, the MAC counters are reallocated. If a FortiSwitch unit cannot track both bytes and packets, a zero is displayed for whichever value cannot be tracked. If a FortiSwitch unit cannot track device statistics at all, the entry will be missing from the CLI command output. This feature is supported on the following FortiSwitch models: FSR-124D, FSR-224F-FPOE, FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E. Accuracy is not guaranteed.

To display device statistics:

1. Enable NAC.

   config user nac-policy

   edit <NAC_policy_name>

   set status enable

   next

   end

2. Enable packet counting in the MAC policy. By default, packet counting is disabled.

   config switch-controller mac-policy

   edit <MAC_policy_name>

   set count enable

   next

   end

3. Specify how long inactive MAC addresses are kept before being removed from the client database. By default, MAC addresses are kept for 24 hours. The range of values is 0-168 hours. If you set this option to 0, the value for the mac-aging-interval setting is used instead.

   config switch-controller global

   set mac-retention-period <number_of_hours>

   end

4. Enter the following command to display the device statistics:

   diagnose switch-controller telemetry show mac-stats

   For example:

   diagnose switch-controller telemetry show mac-stats
   
   MAC                Packets        Bytes      Last Update (secs ago)  Age
   ------------------------------------------------------------------------------------
   00:00:00:00:00:0f     234562    2356546842           41             23433
   00:00:00:00:14:21      44273        456346           68              7477
   00:03:7a:a8:82:e7      12346         34545           30            983452
   00:04:f2:f3:2b:7f       4357        345345           30             23423
   00:04:f2:f6:77:05     463453       4564564          430         362456265
   00:04:f2:f6:7a:6a      34535       1312354           30             23423
   00:04:f2:f6:7b:66      73821        345345           68            374546
   00:05:9a:3c:7a:00         43          9144           68            456725

Example of using LAN segments with NAC

In this example, devices are initially placed in the onboarding VLAN and receive IP addresses from the nac_segment DHCP server. Ports connected to the devices are configured with the NAC access mode. NAC policies are used to identify devices by OS and place them into the appropriate VLAN segment and dynamic firewall address. Firewall policies match traffic from the nac_segment interface by the dynamic firewall address and apply the appropriate security profiles to each.

1. Configure the FortiSwitch VLANs for Office 1 and Office 2.

   config system interface

   edit "Office2"

   set vdom "root"

   set device-identification enable

   set role lan

   set snmp-index 33

   set color 10

   set interface "fortilink"

   set vlanid 2000

   next

   edit "Office1"

   set vdom "root"

   set device-identification enable

   set role lan

   set snmp-index 34

   set color 5

   set interface "fortilink"

   set vlanid 2001

   next

   end

2. The following is the configuration for the nac_segment interface and its corresponding DHCP server settings. These settings are the default.

   config system interface

   edit "nac_segment"

   set vdom "root"

   set ip 10.255.13.1 255.255.255.0

   set description "NAC Segment VLAN"

   set alias "nac_segment.fortilink"

   set device-identification enable

   set snmp-index 32

   set switch-controller-feature nac-segment

   set interface "fortilink"

   set vlanid 4088

   next

   end

   config system dhcp server

   edit 5

   set lease-time 300

   set dns-service default

   set default-gateway 10.255.13.1

   set netmask 255.255.255.0

   set interface "nac_segment"

   config ip-range

   edit 1

   set start-ip 10.255.13.2

   set end-ip 10.255.13.254

   next

   end

   set timezone-option default

   next

   end

3. Add the Office 1 VLAN and Office 2 VLAN to the LAN segment VLANs.

   config switch-controller fortilink-settings

   edit "fortilink"

   config nac-ports

   set onboarding-vlan "onboarding"

   set lan-segment enabled

   set nac-lan-interface "nac_segment"

   set nac-segment-vlans "voice" "video" "Office2" "Office1"

   end

   next

   end

4. Configure the NAC policy for devices in Office 1 and Office 2.

   If you configure the NAC policy from the GUI, you can create the office2_device and office1_device dynamic firewall addresses inline. However, if you create the NAC policy from the CLI, first create the firewall addresses and then create the MAC policy and NAC policies.

   config firewall address

   edit "office2_device"

   set type dynamic

   set sub-type swc-tag

   set color 19

   next

   edit "office1_device"

   set type dynamic

   set sub-type swc-tag

   set color 10

   next

   end

   config switch-controller mac-policy

   edit "Office2_FAP"

   set fortilink "fortilink"

   set vlan "Office2"

   next

   edit "Office2_PC"

   set fortilink "fortilink"

   set vlan "Office2"

   next

   edit "Office1_PC"

   set fortilink "fortilink"

   set vlan "Office1"

   next

   end

   config user nac-policy

   edit "OFFICE2_FAP"

   set hw-vendor "Fortinet"

   set family "FortiAP"

   set os "FortiAP OS"

   set switch-fortilink "fortilink"

   set switch-group "Office2switches"

   set switch-mac-policy "Office2_FAP"

   set firewall-address "office2_device"

   next

   edit "OFFICE2_PC"

   set os "Linux"

   set switch-fortilink "fortilink"

   set switch-group "Office2switches"

   set switch-mac-policy "Office2_PC"

   set firewall-address "office2_device"

   next

   edit "OFFICE1_PC"

   set hw-vendor "VMware"

   set switch-fortilink "fortilink"

   set switch-group "Office1switches"

   set switch-mac-policy "Office1_PC"

   set firewall-address "office1_device"

   next

   end

5. Configure the firewall policy for devices in Office 1 or Office 2.

   The source of all traffic is nac_segment, but the traffic is filtered on the srcaddr by the dynamic firewall address previously assigned by the NAC policies.

   config firewall policy

   edit 5

   set name "Office1_Device"

   set uuid d3e2bbdc-d9c1-51eb-dbd3-cb534366b58d

   set srcintf "nac_segment"

   set dstintf "port1"

   set action accept

   set srcaddr "office1_device"

   set dstaddr "all"

   set schedule "always"

   set service "ALL"

   set ssl-ssh-profile "certificate-inspection"

   set logtraffic all

   set nat enable

   next

   edit 4

   set name "Office2_Device"

   set uuid a724c2fc-d9c1-51eb-e8d8-a501419308b3

   set srcintf "nac_segment"

   set dstintf "port1"

   set action accept

   set srcaddr "office2_device"

   set dstaddr "all"

   set schedule "always"

   set service "ALL_ICMP" "FTP" "FTP_GET" "FTP_PUT" "HTTP" "HTTPS" "TFTP"

   set ssl-ssh-profile "certificate-inspection"

   set logtraffic all

   set nat enable

   next

   edit 3

   set name "All_devices"

   set uuid 0accfbae-d9c1-51eb-b0bf-2ba0b00647c0

   set srcintf "nac_segment"

   set dstintf "port1"

   set action accept

   set srcaddr "all"

   set dstaddr "all"

   set schedule "always"

   set service "ALL"

   set utm-status enable

   set ssl-ssh-profile "certificate-inspection"

   set av-profile "default"

   set webfilter-profile "default"

   set dnsfilter-profile "default"

   set ips-sensor "default"

   set application-list "default"

   set logtraffic all

   set nat enable

   next

   end

6. Place the ports in NAC mode.

   config switch-controller managed-switch

   edit "S524DN4K16000116"

   config ports

   edit "port7"

   set vlan "onboarding"

   set allowed-vlans "quarantine" "nac_segment"

   set untagged-vlans "quarantine" "nac_segment"

   set access-mode nac

   next

   end

   next

   edit "S248EPTF18001384"

   config ports

   edit "port1"

   set vlan "onboarding"

   set allowed-vlans "quarantine" "nac_segment"

   set untagged-vlans "quarantine" "nac_segment"

   set access-mode nac

   next

   edit "port6"

   set vlan "onboarding"

   set allowed-vlans "quarantine" "nac_segment"

   set untagged-vlans "quarantine" "nac_segment"

   set access-mode nac

   next

   end

   next

   end

Using the FortiSwitch NAC VLAN widget

The widget shows a pie chart of the assigned FortiSwitch NAC VLANs. When expanded to the full screen, the widget shows a full list of devices grouped by VLAN, NAC policy, or last seen.

The widget is added to the Users & Devices dashboard after a dashboard reset or can be manually added to a dashboard. It can also be accessed by going to WiFi & Switch Controller > NAC Policies and clicking View Matched Devices.

The expanded view of the widget shows Assigned VLAN and Last Seen pie charts and a full device list. The list can be organized By VLAN, By NAC Policy, or By Policy Type.

Click View NAC Policies to go to WiFi & Switch Controller > NAC Policies.