Fortinet white logo
Fortinet white logo

Administration Guide

OT and IoT virtual patching on NAC policies NEW

OT and IoT virtual patching on NAC policies NEW

OT and IoT virtual patching can be applied to a NAC policy by setting the category to Vulnerability and configuring the Match criteria based on severity. Devices that match the criteria can be assigned and isolated to a NAC VLAN.

Example

In this example, a device with a certain vulnerability severity is detected by the NAC policy on the FortiGate. Subsequently, the FortiSwitch port in which it is connected to is moved to vlan300 where traffic can be controlled for vulnerable devices. For more information about NAC policies, see Defining a FortiSwitch NAC policy in the FortiLink Administration Guide. This example assumes the vlan300 has already been configured.

The following settings are required for IoT device detection:

  • A valid IoT Detection Service license to download the IoT signature package.

  • Enable device detection on the LAN interface used by IoT devices.

    • In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.

    • In the CLI, enter:

      config system interface
          edit <name>
              set device-identification enable
          next
      end
  • Configure a firewall policy with an application control sensor.

To configure virtual patching on NAC policies
  1. Configure the NAC policy:

    1. Go to WiFi & Switch Controller > NAC Policies and click Create New, or edit an existing policy.

    2. In the Device Patterns section, set Category to Vulnerability.

    3. Set Match to Severity is at least and select a severity level (Information is used in this example).

    4. In the Switch Controller Action section, enable Assign VLAN and select vlan300.

    5. Configure the other settings as needed.

    6. Click OK.

  2. Enable NAC mode on the desired FortiSwitch ports (port6 in this example):

    1. Go to WiFi & Switch Controller > FortiSwitch Ports.

    2. Select port6, then right-click and set the Mode to NAC.

  3. Once the NAC policy is matched, go to WiFi & Switch Controller > NAC Policies to view the device matched to the policy.

  4. Go to WiFi & Switch Controller > FortiSwitch Ports and locate the port that the vulnerable device is connected to. The port has been dynamically assigned vlan300.

  5. Configure a firewall policy to limit access for devices in this VLAN (vlan300).

To configure virtual patching on NAC policies in the CLI:
  1. Configure the VLAN in the MAC policy:

    config switch-controller mac-policy
        edit "IoT"
            set fortilink "fortilink"
            set vlan "vlan300"
        next
    end
  2. Configure the NAC policy:

    config user nac-policy
        edit "IoT"
            set category vulnerability
            set severity 0 1 2 3 4
            set switch-fortilink "fortilink"
            set switch-mac-policy "IoT"
        next
    end
  3. Enable NAC mode on the desired FortiSwitch ports:

    config switch-controller managed-switch
        edit "S248E***********"
            config ports
                edit "port6"
                    set access-mode nac
                next
            end
        next
    end
  4. Configure a firewall policy to limit access for devices in this VLAN (vlan300).

OT and IoT virtual patching on NAC policies NEW

OT and IoT virtual patching on NAC policies NEW

OT and IoT virtual patching can be applied to a NAC policy by setting the category to Vulnerability and configuring the Match criteria based on severity. Devices that match the criteria can be assigned and isolated to a NAC VLAN.

Example

In this example, a device with a certain vulnerability severity is detected by the NAC policy on the FortiGate. Subsequently, the FortiSwitch port in which it is connected to is moved to vlan300 where traffic can be controlled for vulnerable devices. For more information about NAC policies, see Defining a FortiSwitch NAC policy in the FortiLink Administration Guide. This example assumes the vlan300 has already been configured.

The following settings are required for IoT device detection:

  • A valid IoT Detection Service license to download the IoT signature package.

  • Enable device detection on the LAN interface used by IoT devices.

    • In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.

    • In the CLI, enter:

      config system interface
          edit <name>
              set device-identification enable
          next
      end
  • Configure a firewall policy with an application control sensor.

To configure virtual patching on NAC policies
  1. Configure the NAC policy:

    1. Go to WiFi & Switch Controller > NAC Policies and click Create New, or edit an existing policy.

    2. In the Device Patterns section, set Category to Vulnerability.

    3. Set Match to Severity is at least and select a severity level (Information is used in this example).

    4. In the Switch Controller Action section, enable Assign VLAN and select vlan300.

    5. Configure the other settings as needed.

    6. Click OK.

  2. Enable NAC mode on the desired FortiSwitch ports (port6 in this example):

    1. Go to WiFi & Switch Controller > FortiSwitch Ports.

    2. Select port6, then right-click and set the Mode to NAC.

  3. Once the NAC policy is matched, go to WiFi & Switch Controller > NAC Policies to view the device matched to the policy.

  4. Go to WiFi & Switch Controller > FortiSwitch Ports and locate the port that the vulnerable device is connected to. The port has been dynamically assigned vlan300.

  5. Configure a firewall policy to limit access for devices in this VLAN (vlan300).

To configure virtual patching on NAC policies in the CLI:
  1. Configure the VLAN in the MAC policy:

    config switch-controller mac-policy
        edit "IoT"
            set fortilink "fortilink"
            set vlan "vlan300"
        next
    end
  2. Configure the NAC policy:

    config user nac-policy
        edit "IoT"
            set category vulnerability
            set severity 0 1 2 3 4
            set switch-fortilink "fortilink"
            set switch-mac-policy "IoT"
        next
    end
  3. Enable NAC mode on the desired FortiSwitch ports:

    config switch-controller managed-switch
        edit "S248E***********"
            config ports
                edit "port6"
                    set access-mode nac
                next
            end
        next
    end
  4. Configure a firewall policy to limit access for devices in this VLAN (vlan300).