7.2.0

Firewall Policy Examples

Note: The following are examples. Policies will differ by network environment and organization requirements.

DNS for Authorized Hosts

Block authorized host DNS traffic to/from FortiNAC.

Name: Deny Authorized DNS to FortiNAC
Incoming Interface: Interface of managed ports
Outgoing Interface: FortiNAC interface
Source: All traffic; Applicable User Group for registered hosts
Destination: All traffic
Schedule: Always
Service: DNS
Action: DENY
Enable this policy: Enable

Network Access for Authorized Hosts

Allow authorized host traffic to/from the production network.

Name: Name of policy
Incoming Interface: Interface of managed ports
Outgoing Interface: wan
Source: All traffic; Applicable User Group for registered hosts
Destination: All traffic
Schedule: Always
Service: ALL
Action: ACCEPT
NAT: May need to be enabled
Enable this policy: Enable

Network Access for Unauthorized Hosts

Allow unauthorized host traffic to/from FortiNAC.

Note: Another policy may be required to give unauthorized hosts internet access for FortiNAC SSL certificate validation and for Anti-Virus/Anti-Spyware/Operating System remediation.

Name: Name of policy
Incoming Interface: Interface of managed ports
Outgoing Interface: FortiNAC interface
Source: All traffic
Destination: All traffic
Schedule: Always
Service: ALL
Action: ACCEPT
Enable this policy: Enable

Network Access for Disabled Hosts (DeadEnd)

Disabled hosts are prevented from accessing the production network and are presented with the Captive Portal.

FortiNAC Network Access Policy

Firewall Tag: Disabled

User/Host Profile:

  • Where: (Port group with FortiGate interface containing managed ports)

  • Who/What By Attribute: Host: Access Status: Disabled

Network Access Configuration:

  • Direct Configuration

  • Firewall Tags: Disabled

Rank this policy above the other policies for the FortiGate managed ports.

Configure FortiGate Firewall Policy

  1. Navigate to Security Fabric > Fabric Connectors, then apply and refresh to pull in the Disabled tag created in FortiNAC.

  2. View User/Groups to confirm the Disabled tag was pulled into FortiGate.

  3. Navigate to User & Device > User Groups.

  4. Create a group of type Fortinet Single Sign-On (FSSO) and add Disabled (the tag pulled in from the Fabric Connector).

  5. Navigate to Policy and Objects > IPv4 Policy.

  6. Create the policies that control disabled hosts (DeadEnd Network Access and DeadEnd DNS, below).

DeadEnd Network Access

Name: Name of policy
Incoming Interface: Interface of managed ports
Outgoing Interface: wan
Source: All traffic; Disabled user group
Destination: All
Schedule: Always
Service: ALL
Action: DENY
Enable this policy: Enable

DeadEnd DNS

Allow DNS traffic for disabled hosts to FortiNAC for Captive Portal access.

Name: Name of policy
Incoming Interface: Interface of managed ports
Outgoing Interface: FortiNAC interface
Source: All traffic; Disabled user group
Destination: All
Schedule: Always
Service: DNS
Action: ACCEPT
Enable this policy: Enable
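The DeadEnd procedure and its two tables expressed in FortiOS CLI, as an added example that is not part of the FortiNAC documentation. It assumes port2 is the interface of the managed ports, wan1 the WAN interface and port3 the FortiNAC interface; the local FSSO group name Disabled-FSSO and the policy IDs 10 and 11 are also assumptions, while Disabled is the tag the page creates in FortiNAC.

```fortios
# Added example, not Fortinet's own configuration. Assumed names: port2 (managed
# ports), wan1, port3 (FortiNAC interface), group "Disabled-FSSO", policy IDs 10/11.
# "Disabled" is the FortiNAC tag pulled in through the Fabric Connector (step 1).

# Step 4: wrap the pulled-in tag in an FSSO user group
config user group
    edit "Disabled-FSSO"
        set group-type fsso-service
        set member "Disabled"
    next
end

config firewall policy
    # DeadEnd Network Access: disabled hosts get no path to the production network
    edit 10
        set name "DeadEnd Network Access"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "Disabled-FSSO"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
        set status enable
    next
    # DeadEnd DNS: only DNS to FortiNAC is allowed, so the Captive Portal can redirect them
    edit 11
        set name "DeadEnd DNS"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set groups "Disabled-FSSO"
        set schedule "always"
        set service "DNS"
        set action accept
        set logtraffic all
        set status enable
    next
end
```

FortiGate matches firewall policies top-down, so after creating them use `move 10 before <id>` (and likewise for 11) inside `config firewall policy` to place both DeadEnd policies above the authorized-host and unauthorized-host policies; logging the denies makes disabled hosts that keep probing the production network visible in FortiAnalyzer or the local log.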
