DO NOT REPRINT

© FORTINET

FortiNAC Study Guide

for FortiNAC 8.5
DO NOT REPRINT
© FORTINET
Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library
http://docs.fortinet.com

Fortinet Knowledge Base
http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com 

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)

https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: [email protected]

1/10/2020
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

01 Getting Started with FortiNAC 4

02 Achieving Network Visibility 52
03 Identification and Classification of Rogues 89
04 Visibility, Logging, and Reports 155
05 Logical Networks, Security Fabric, and Firewall Tags 200
06 State-Based Control 228
07 Security Policies 278
08 Guest and Contractor Management 370
09 Integration Suite 395
10 Security Automation 408
 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the lab environment that you will use in the course, FortiNAC architecture,
the administrative user interface framework and navigation, and some authentication configurations. You will
also learn about administrative users—how to set them up and delegate specific capabilities to them.

FortiNAC 8.5 Study Guide 4

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiNAC 8.5 Study Guide 5

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.
By demonstrating a competent understanding of the classroom lab environment, you will be able to use the
environment to complete the labs associated with this course.

FortiNAC 8.5 Study Guide 6

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

The lab environment, shown on this slide, is configured to mimic a real-world deployment. The lab
environment includes:
• A FortiNAC connected to a data center
It is important to note that FortiNAC is not an in-band solution. That means, FortiNAC does not see or sit in
line of or see any end-user traffic. Instead, FortiNAC gathers the information that it needs through
communication with infrastructure devices that do sit in line of end-user traffic.
• A data center
• A series of remote locations, labelled building 1-N
• The Manchester facility and the Nashua facility

Each of the locations in the environment communicates back to the data center through a security device.
Several different types of security devices are used in the lab environment, some of which are fictitious. Within
each location there are infrastructure devices that come from a variety of vendors. The wide array of security
and infrastructure devices used in the lab environment demonstrate that FortiNAC has the flexibility and
capacity to interact and integrate with many different devices from many different vendors.

FortiNAC 8.5 Study Guide 7

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Good job! You now have an understanding of the lab environment you will use in the FortiNAC course.
Now, you will learn about the FortiNAC product architecture.

FortiNAC 8.5 Study Guide 8

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of the FortiNAC architecture, appliance types, and VM types,
you will be able to make appropriate decisions about FortiNAC deployment needs and options.

FortiNAC 8.5 Study Guide 9

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

You can deploy FortiNAC as a physical appliance or as a virtual machine. FortiNAC communicates with
infrastructure devices, such as wireless controllers, autonomous APs, switches, routers, and others. Because
these infrastructure devices are in line, they can see connected devices and connecting endpoints. They send
this information back to FortiNAC, or FortiNAC gathers this information from them.

FortiNAC 8.5 Study Guide 10

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

FortiNAC uses a variety of methods to communicate with and gather information from the infrastructure:
• FortiNAC uses SNMP to discover the infrastructure, complete data collection, and perform on going
management.
• SSH or Telnet through the CLI is commonly used to complete tasks related to the infrastructure. For
example, FortiNAC can use SSH to connect to a device and issue commands to gather visibility
information or execute control functions.
• FortiNAC can also use RADIUS, across a wired or wireless connection, to gather visibility information and
control access.
• FortiNAC uses Syslog to stay up to date on visibility details, such as hosts going off-line. Syslog can also
provide security device integration, giving FortiNAC the ability to log and react, if configured to do so, when
it receives a security alert.
• Depending on the vendor of the infrastructure device, FortiNAC may leverage available API capabilities to
enhance visibility and enforce control.
• FortiNAC can use DHCP, typically through fingerprinting, to identify connected devices and gain enhanced
visibility.
The communication methods that FortiNAC uses depend on the vender and model of the infrastructure device
that FortiNAC is trying to integrate with. After FortiNAC knows the type of device it is communicating with, it
determines and uses the appropriate methods and commands to gather information and maintain control.

FortiNAC 8.5 Study Guide 11

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

A FortiNAC deployment is composed of a few different VMs or appliances. FortiNAC can be deployed as a single
appliance or VM, or as multiple appliances or VMs. Multiple appliance or VM deployments are suitable for large
environments.
This slide shows two pods. Pod 1 is labelled NS Server Pair and the FortiNAC is called the network control server (NCS).
The NCS provides the following services:
• MAC-based address mapping
The NCS keeps track of where all the components in the network are connected. For example, if a laptop has a wired
connection to switch 7 on port 5, or a wireless connection to an SSID, the NCS would have that information.
• Validation assessment
The NCS provides endpoint compliance policy scanning, which you will learn more about in this lesson.
• Network provisioning
Network provisioning is a big part of what FortiNAC does. Security policies can automatically provision network
access based on the who, what, when, and where information that it collects.
• Infrastructure communications
The NCS adjusts or changes the infrastructure configuration, as required, to ensure that all endpoints get appropriate
access.
• Database functions
All the data that is collected about the infrastructure–visibility information, configuration details, adjustment, and so
on–are stored in the database that resides on the NCS.
• Authentication services
The NCS performs all authentication services, such as validating administrative users against the active directory.
• RADIUS server
The NCS handles all RADIUS communications. Any wireless authentication or integration with a wireless controller
uses the RADIUS server.
• Web services
Administrative users can access the administrative UI through a Tomcat-Admin console.
Output related to many NCS functions is collected in a log file called output.master that you can find at /bcs/logs/.

FortiNAC 8.5 Study Guide 12

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Deployments that include an NCS should also include a network application server (NAS). The NCS and NAS
work together as a pair. The NAS acts as the DHCP server, DNS server, and web server for isolated hosts.
One of the capabilities of FortiNAC is to isolate and allow for the onboarding of unknown hosts, so unknown or
untrusted hosts that attempt to connect to a network could be isolated and forced to go through an onboarding
process. If a host is deemed non-compliant, it could be provisioned to a quarantine network. A host can be
isolated when it is administratively disabled by a configured workflow or by an administrator. These control
processes are carried out by the NCS. After a host is isolated, the NAS acts as the DHCP and DNS server for
the isolated host. The DHCP response to the endpoint includes an IP address and DNS server information.
The DNS server information configures the endpoint so that the NAS is the endpoint’s DNS server. The DNS
server will respond to queries by the endpoint, to direct the endpoint to the web services on the NAS. The
NAS provides the necessary captive portal pages. You can find a log file called output.nessus containing
output related to many of these functions, at /bsc/logs/.

FortiNAC 8.5 Study Guide 13

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Another appliance option is the network control and application server. This system has the same capabilities
and responsibilities of the NCS and the NAS, combined into a single appliance. This solution is for smaller
deployments or geographically diverse deployments. The output.master and output.nesseus log files
that exist on the NCS and NAS also both exist on this appliance.

FortiNAC 8.5 Study Guide 14

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

In the example shown on this slide, there, are two separate pods. One pod is composed of a pair of
appliances and one pod is composed of a single stand-alone appliance. This type of configuration could work
in an environment that is very large or geographically diverse. In any configuration that requires multiple pods,
a network control manager (NCM) is recommended. The NCM ties together multiple pods in a distributed
environment to allow for seamless, network-wide registrations. For example, when a device is registered in a
location that's managed by one pod, and then moves to a location managed by another pod, the move is
seamless to the end user because the device is known and trusted in the first location and also known and
trusted in the second location. The global user identity database combines select database elements from the
distributed locations to make a single global database on the NCM. It offers version control, so upgrades to
the control manager can be distributed to all of the different pods. An additional capability is global element
management. Security policies, group management, and logical networks can be managed through the NCM
and those changes or configurations can be pushed down to the distributed pods. Synchronization can also
be upstream from the managed pods, meaning work done at an individual pod level can be pushed up to the
control manager, and then the control manager can distribute those changes to the other pods. The NCM
offers scalability for large deployments, so distributed management can fall back under a single interface.

FortiNAC 8.5 Study Guide 15

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 16

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Good job! You now have a basic understanding of FortiNAC and the FortiNAC architecture.

Now, you are going to learn about the administrative interface.

FortiNAC 8.5 Study Guide 17

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

After completing this section you should be able to achieve the objectives shown on this slide.

By demonstrating the ability to navigate the administrative interface and understand some initial FortiNAC
configurations, you will be able to validate some important best practice options.

FortiNAC 8.5 Study Guide 18

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

The FortiNAC uses a simple browser-based administrative user interface to get username and password
credentials. The credentials can be validated using a local administrative account or an LDAP or RADIUS
server.

FortiNAC 8.5 Study Guide 19

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

There are a set of menu options across the top of any administrative view. These menus organize the many
administrative views into groups of related options. For example, there is a Host menu that provides access
to views focused on hosts, like laptops, desktops, mobile devices, and other endpoints, such as IoT devices
like cameras or card readers.
There are views for applications and device identity information. These are all things centered around physical
endpoints that connect to the network.
The Network Devices menu provides access to the Topology view, often one of the most popular views,
where infrastructure devices such as switches, routers, and security devices are organized and displayed.
The Logs menu provides access to all of the logging views.
The Policy menu provides access to all policy-related views, and these views are where a large part of the
FortiNAC control capabilities, like network access policies and compliance policies, are configured.
The System menu provides access to two of very important options: Groups and Settings. FortiNAC relies
on the concept of groups and memberships in groups when being configured for things like control. The
Settings option contains most of the system configurations.
The Help menu provides access to the online help, system preferences, and some additional information
about FortiNAC.

FortiNAC 8.5 Study Guide 20

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

When you log in as an administrator, the first view that you see is the dashboard.

The dashboard is made up of panels. The selection of panels and how they are organized is determined by
the administrative user. Panels can be closed, minimized, and arranged in up to three different columns. The
layout of the panels is saved on a user by user basis, so the user sees the same layout each time they log in.

The title of the view is found in the upper-left corner of the window. To the left of the title there is a star. When
you click the star, it turns gold to indicate that you have bookmarked the current view. The bookmarked view
is added to the Bookmarks menu. In the example shown on this slide, the Adapter View is bookmarked and
listed in the Bookmarks menu.

Each view also has a search field, which is indicated by a magnifying glass in an orange square. The search
field allows you to search using a MAC address or an IP address. You can also search for administrative
views. For example, if you can’t remember where the topology view is, you can enter topology in the search
field. A drop-down menu will appear with the option to go to the Topology view. The drop-down menu would
also include help topics related to the Topology view. In the Bookmarks menu, when you click Manage
Bookmarks, the Manage Bookmarks dialog box opens, providing you with options to edit and delete
bookmarks.

FortiNAC 8.5 Study Guide 21

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

In the example shown on this slide, the Security Summary widget displays all security alert information that
FortiNAC has received from external security devices, such as NGFWs, IPS, or IDS solutions. The Alarms
widget displays recent alarms generated by FortiNAC. From the Alarm widget, you can view alarm details,
acknowledge alarms, or clear alarms. The Summary widget displays server information about FortiNAC. The
User Summary widget displays all types of user registrations, such as corporate users, registered guest
users, and contractors. The widget displays the total number of each type of user, as well as how many have
been enabled or disabled. If you click on an icon in this widget, a pop-up window opens containing only the
users of the appropriate type. The Host Summary widget contains a detailed breakdown of all hosts that are
currently stored in the database, organized by host type. The hosts listed in the Host Summary widget could
be registered hosts, which are also considered trusted assets. Within the registered host category there are
subcategories, such as which registered hosts have been deemed at risk because they have failed a
compliance policy scan. To the right of each host type, there are columns that break down that type by host
state. When you click on these numbers, a window opens up containing only the hosts of that type and in that
state. The Network Device Summary widget breaks down all of the different network infrastructure devices
modeled within the topology view of the FortiNAC. Each of the icons is a link that opens a window containing
only devices in the selected state. The License Information panel details the total number of licenses as well
as the number of licenses in use and those still available. There is also a small usage bar that changes from
green, to yellow, to red, depending on the percentage of licenses in use. The Persistent Agent Summary
widget shows the total number of persistent agents communicating with FortiNAC. They are broken down by
version and by operating system. The Scans widget contains a graph that can be filtered by date and displays
all endpoint compliance policy scan results.

FortiNAC 8.5 Study Guide 22

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

The Locate option under the Bookmarks menu provides access to a quick and simple search tool for
searching the database for users, hosts, or devices. The search type drop-down list at the top of the view is
where you can make that designation. The filter attribute option allows for very specific search results keying
on any stored database value.

FortiNAC 8.5 Study Guide 23

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

This slide shows an example of a simple search matching any records associated with a user ID of dgray. In the results
window, which is in the foreground, notice there are two entries. The bottom entry displays the server, FortiNAC, the
name, Gray, Dorian and the ID, dgray, which is the value that was searched for. There are no values in the fields
associated with IP, physical address, or location. There's a reason for the lack of information for that row. The Views
column contains some icons. The first icon is an individual with a red jacket, which represents a user record. This is the
user with the user ID, dgray. If you click the user icon, a pop-up window will open and display all the details about the
user that exists in the FortiNAC database.

If there is an integration with LDAP, for example, the user record displays all the information FortiNAC pulled in from the
LDAP server. To the right of the user icon, there is a second icon that resembles two game pieces. This icon displays
user group membership information for this particular user. In summary, the bottom row provides access to user
properties and group membership information.

The top row of the results table show the same information up to the point of the IP address. There is an IP address and
the All IPs column, which displays current or historic IP information for this host. A physical address and location are also
listed. In this example, it’s engineering switch, port one. In the Views column, five different icons are displayed. The first
icon represents a network adapter. The icon is green, indicating the adapter is currently on-line. If you click on the adapter
icon, a pop-up window will open showing all the properties of the adapter: physical address, IP address, and description
information. To the right of the adapter, you can see a PC icon. The screen of the PC icon is white. This icon represents
the host that owns that adapter and the white screen indicates that host is currently online. When a host is offline, the
screen is gray. If you click this icon, you will get access to property information about the host, such as the operating
system, host health, scan results, and hostname. The next icon, the same one displayed for the user, displays group
membership information for this particular host. The next icon is an RJ45 port. If you click this icon, you will get access to
the port properties of the port that this adapter is connected to. The last icon, on the far right, provides access to the
properties of the engineering switch that owns that port.

You can select items in the list using the associated check boxes. You can click the buttons on the bottom of the window
to remove the selected users, hosts, or adapters from the database.

FortiNAC 8.5 Study Guide 24

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

You can access the Manage Hosts & Ports view from the Bookmarks menu. This view contains a list of
available host and port groups. You can limit administrative user access to the hosts and ports in this view
using administrative profiles. When an administrative user accesses this view, only the groups defined in their
assigned administrative profile are visible. Select a group from the list and click Apply to view or manage the
members of the group. Click Add Host to add hosts to the database.

Administrative users who do not have full access to the administrative user interface can add hosts in the
Manage Hosts & Ports view. The administrative user's administrative profile must have permission for
Manage Hosts & Ports with Access and Add/Modify enabled.

If a host is registered in this view, the user does not have to go through the registration process elsewhere,
such as the captive portal.
A host registered as a device can be displayed in the Host View or both the Host View and Topology View.
Typically, hosts registered as devices are items such as IP phones, security cameras, alarm systems,
printers, or just about any other type of IoT device.

FortiNAC 8.5 Study Guide 25

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

The final option under the Bookmark menu is the Send Message option. This option gives an administrative
user the ability to send a pop-up message to all hosts that have the persistent agents installed, or all hosts
that are members of a particular host group. This message is a function of the persistent agent, so it's a
required component.
The message lifetime options are to send to:
• Any currently connected host, any host that connects later does not receive the message
• Targeted hosts currently connected and any targeted host that connect within a certain number of minutes
or days
• All targeted hosts currently connected and targeted host that connects before a specific date and time

FortiNAC will not send the message to the same host more than once.

FortiNAC 8.5 Study Guide 26

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Another important initial configuration is the setup of an email server. FortiNAC uses email to send
notifications through email and SMS. In order for this to work, you must configure an email server.

You configure this from the Settings option within the system menu. The email settings configuration is
located in the System Communication folder. After you configure the email server, you can validate the
settings using the Test Email Settings button. This requires that you enter a valid email address. FortiNAC
sends a test email to that address.

FortiNAC 8.5 Study Guide 27

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

The System Communications folder also contains a configuration page for the management of mobile
providers. The Mobile Providers window displays the default set of providers included in the database.
FortiNAC uses the Mobile Providers list to send SMS messages to users and administrators by sending
email to an address that is a combination of the mobile phone number and the mobile provider's email
address.

The Mobile Providers list is populated with some known mobile providers, but it is not comprehensive and it
is not updated by Fortinet. You can add, delete, or modify mobile providers as needed. You can enable or
disable mobile providers individually, to limit the number of providers displayed in drop-down lists when
selecting guests, users, or administrators mobile providers.

Another configuration page contained in the System Communication folder is an SNMP agent configuration
page that allows an administrative user to turn the FortiNAC onboard SNMP agent on. This will allow other
tools to query the FortiNAC and gather SNMP information, such as license count, interface utilization, or the
number of connecting hosts.

FortiNAC 8.5 Study Guide 28

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

FortiNAC has a built-in scheduler tool that allows administrative users to schedule the automated execution of
actions. By default, there are a series of important actions already configured within the scheduler tool. These
default actions and their purpose are as follows:

Auto-Definition Updates: Allows you to automatically update the virus definition or signature information for
the antivirus software that is permitted in scans within your endpoint compliance policies. When new versions
of operating systems and antivirus software are added using the Auto-Definition Synchronization option,
the updated versions are not automatically selected in existing scans. You must go to each scan and enable
the new options if you choose to scan for them.

Certificate Expiration Monitor: Generates warning, critical warning, and expiration events for the certificates
listed in Certificate Management.

Database Archive and Purge: Archives and purges event, connection, and alarm records that are older than
7 days. The number of days is configurable on the Database Archive page within the System Settings menu
option, in the System Management folder.

Database Backup: Backs up the FortiNAC database.

Check for OS Updates: Establishes a connection with the Fortinet FortiNAC FTP server to determine if the
local system is up to date with current OS packages.

Synchronize Users from Directory: Writes the attributes mapped in the LDAP configuration of users in the
directory to the corresponding user records in the FortiNAC database.

System Backup: Creates a backup of all system files that are used to configure FortiNAC, such as license
key and web server configurations.

FortiNAC 8.5 Study Guide 29

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

When you schedule an action, you can set it to execute at a specific time on designated days of the week, or
as a repetitive task. Repetitive tasks are configured with a repetition rate (once, minutes, hours, days) and a
next scheduled time. The action will execute at the next schedule time value and then continue to execute at
an interval equal to the repetition rate. There are two types of actions that can be scheduled: system and CLI.
There is an extensive list of system actions that can be executed. Each system action is document in the help
for this view. CLI actions are user-created CLI configurations that you will learn about in another lesson.

Many scheduled actions or CLI configurations need to be targeted so that they are carried out on a specific
group of elements. You can select the target group in the Group drop-down list. The groups available in the
Group drop-down list are based on the group type defined by the selected action.

FortiNAC 8.5 Study Guide 30

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 31

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Great job! You now have a basic understanding of the user interface layout and of some important
configuration settings.

Now, you will learn about authentication services.

FortiNAC 8.5 Study Guide 32

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

After completing this section, you will be able to achieve the objective shown on this slide.

By understanding the different authentication options and the necessary configurations for each option, you
will be able to successfully integrate the FortiNAC with an appropriate backend authentication server.

FortiNAC 8.5 Study Guide 33

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Google account authentication allows users to authenticate using a Google account. When the settings are
configured, the user logs in to the network using the Google Sign In button, instead of a username and
password. When the user is authenticated, the user's email address (username and domain) is passed to the
FortiNAC to authenticate the user with the information. Google account authentication is not an option for
administrative login accounts.

FortiNAC 8.5 Study Guide 34

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

The Directory Configuration window allows you to configure the connection to an LDAP directory, the user
attributes that you would like to import, the desired user search branches for validation of administrative users,
or end-user on-boarding credentials, and the group search branches for finding groups that can be imported
into FortiNAC. There is specific information that you must enter in each section to allow FortiNAC to connect
with the directory and import users and groups.

Click Schedule to configure the intervals for synchronizing the database with the selected directory. When
you click Schedule, the Synchronize Users from Directory scheduled task seen in the scheduler, is
updated.

Click Preview to review data in the selected directory. Click Copy to prepopulate directory configuration fields
for a new directory connection.

FortiNAC 8.5 Study Guide 35

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

To integrate with a new directory server, you will perform configurations across several tabs. FortiNAC can
automatically discovers existing directories, if there are SRV records for the directory in DNS.

The Connection tab contains the parameters required for communication with the directory. Not all fields are
required. Be sure to enter information in only those fields that apply to your directory.

To map user attributes from an LDAP-compliant directory, the user database schema must be mapped to
FortiNAC user data. If the directory type is included in the drop-down list, the default mappings for that
directory type will be automatically populated. The more complete these mappings are, the more detailed the
user records will be in the database. These values can also be leveraged within security policies.

The Group Attributes tab is used to create mappings for object class, group name, and members. This
allows FortiNAC to retrieve the group information based on the Group Search Branch configured on the
Search Branches tab. Groups created in the directory are imported into FortiNAC each time the directory
synchronization task is run, either manually, or by the scheduler.

The Search Branches tab is where the administrator enters the specific user and group search branches
information for the directory server. This tells FortiNAC where the user and group information is located in the
directory. The more specific the branches are, the more quickly the lookups can be preformed, and the less
resource-intensive the process will be.

Use the Select Groups tab to choose groups of users to be included when the directory and
the FortiNAC databases are synchronized. Users that do not already exist in FortiNAC are not imported.
However, user data for users already in the database is updated each time the synchronization task is run.
Only the user records for users in the selected groups are updated. Users in the directory that are not in a
selected group are ignored during synchronization.

FortiNAC 8.5 Study Guide 36

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Clicking Schedule in the Directories view allows the administrator to select a date, time, and poll interval for
the directory synchronization task. The scheduled task may also be paused and run manually later. This
process modifies the Synchronize Users with Directory task to the Scheduler view. When the directory
and FortiNAC are synchronized, changes made to users in the directory are written to corresponding user
records in the database. Keep in mind that when FortiNAC has to validate user credentials, the lookup to the
directory is immediate. However, when changes are made to the mapped attributes of a user within the
directory, the changes will not appear in the user’s record in the FortiNAC until the Synchronize Users with
Directory task runs. It should also be noted that the directory is considered the system of record, so changes
made there will overwrite changes made within FortiNAC.

FortiNAC 8.5 Study Guide 37

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

The Preview Directory panel allows for a real-time lookup against the integrated LDAP server using a filter.
This is a great way to verify successful LDAP server integration, as well as validate the attribute mappings. If
a value appears in the Role column with an asterisk (*), it means that no role with a name equal to this value
has been created on FortiNAC. This is a view-only list, and it is not imported into FortiNAC. The Groups tab
will display identified LDAP groups and the number of members that exist in the directory for each group.
These groups can be selected for import in to the FortiNAC groups view. It should be noted that group
members will only be added into the corresponding FortiNAC group as the user registers.

FortiNAC 8.5 Study Guide 38

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

In environments where FortiNAC manages devices configured for 802.1x, a backend RADIUS server or
servers must be configured.

FortiNAC does not terminate 802.1x traffic but, instead, acts as a proxy between the 802.1x controller, access
point, or switch. RADIUS can also be used as the backend authentication server for end users, guests,
contractors, or FortiNAC administrative users.

The RADIUS configurations screen is located in the Authentication folder within the system settings
administrative view. You can add as many RADIUS servers as necessary to the list. The RADIUS servers can
be designated for use on a device by device basis, and can be set as a primary or secondary server for each
device.

When you add a server to the list, you must supply the host name or IP address, the RADIUS secret, and the
authentication port. Optionally, you can configure the accounting port. A validation account is required for the
integration, but only used if there is more than one RADIUS server configured. The encryption method on the
server must be set to use Password Authentication Protocol (PAP).

FortiNAC 8.5 Study Guide 39

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 40

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Good job! You now understand the authentication services options available for end-users and administrators.

Now, you will learn about creating administrative users.

FortiNAC 8.5 Study Guide 41

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in creating and managing administrative uses, you will be able to support
administrative users in your network.

FortiNAC 8.5 Study Guide 42

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Admin profiles are the mechanism for defining the specific capabilities of an administrative user.
Every administrative user is required to have an admin profile and each admin profile can be assigned to
more than one administrative user.

These profiles define inactivity timers to automatically log users off after a defined number of minutes of being
inactive. Available login times are defined by days of the week and times of the day. They allow for landing
page designation after login and guest kiosk management capabilities.

Most importantly, these profiles define permission sets. A permission set is made up of one or more
administrative views, as well as the administrative privileges within those views.

FortiNAC 8.5 Study Guide 43

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

To create a admin profile, navigate to the Admin Profiles view from the Users menu. This view displays all
existing admin profiles. You can perform admin profile management using the buttons along the bottom of the
view. When you click Add, the Add Admin Profile dialog box opens.

FortiNAC 8.5 Study Guide 44

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

When you create or edit an admin profile, there are two tabs that contain the profile properties and settings.
The General tab is where you give the profile a name, configure an inactivity timer, and define login
availability. You can also use this tab to grant the ability to manage hosts and ports based on group
membership. There are three additional options that you can set:

• The Associated users do not expire option prevents the admin user from ever being purged from the
FortiNAC database.
• The Grant full permissions for new permissions on upgrade will automatically grant administrative
users full access to new permission sets added as the result of an upgrade.
• The Enable Guest Kiosk option will make the associated administrative users kiosk managers. They will
have no other capabilities other than opening a self-service kiosk for guests.

The Permission tab gives you access to all of the permission sets. This is where the administrator can select
all the desired views to be included in the admin profile. Each permission set includes these options for
administrative capabilities within that permission set: Access is read only, Add/Modify is read-write, Delete
allows for the deletion of view entries. The permission sets also include one or more administrative views that
can be individually removed from the permission set, if desired.

FortiNAC 8.5 Study Guide 45

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

New administrative users are added from the Admin Users view located under the Users menu. If you click
the Add button at the bottom of the window, a dialog box will open where you can enter the new user ID.
FortiNAC will attempt to look up the user ID using LDAP, if an LDAP server is configured. If the ID is found the
new user property window will be pre-populated with all mapped user attributes.
Each admin user property window includes an Admin Profile drop-down list that lists all of the existing admin
profiles. Selecting a profile assigns that profile and all of the permissions it grants.

FortiNAC 8.5 Study Guide 46

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

You can apply an admin profile to all members of an administrative group from the Add Admin Profile
Mapping window. You would do this in situations where you need to apply a single admin profile to an entire
group of administrative users. The admin profile mapping is created by associating the desired administrative
profile, selected from a drop-down list, to an administrator group.
In the example shown on this slide, all members of the group named Level 1 Support will be assigned the
End User Assist admin profile.

FortiNAC 8.5 Study Guide 47

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

This slide shows an example of an administrative user with limited permissions. Notice that the menu options
at the top of the view have been limited to Bookmarks, Users, Hosts, and Help. The options within each of
these menus may be limited as well, depending on the specific configuration options chosen in the admin
profile.

FortiNAC 8.5 Study Guide 48

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 49

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiNAC 8.5 Study Guide 50

 Getting Started with FortiNAC

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you got an overview of FortiNAC, its administrative
interface, navigation system, and some authentication configurations. You also learned about the lab
environment that you will use to complete the labs associated with this course.

FortiNAC 8.5 Study Guide 51

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to integrate FortiNAC with the network infrastructure. Through this
integration, the foundation of visibility, control, and response is established. Understanding how to gather
information from the infrastructure, as well as control those devices, are key components of almost all
FortiNAC capabilities.

FortiNAC 8.5 Study Guide 52

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

In this lesson you will learn about the topics shown on this slide.

FortiNAC 8.5 Study Guide 53

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in integrating FortiNAC with the network infrastructure to gather visibility
information from endpoints and control the capabilities of the integrated devices, you will have a solid
foundation for the implementation and ongoing administration of some of they key components of a FortiNAC
deployment.

FortiNAC 8.5 Study Guide 54

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Infrastructure devices, such as switches and routers, are organized within the topology tree panel of the
topology view. There is a single root container that can have any number of subcontainers created within it.
You can model devices only within the sub-containers. As a best practice, you should model infrastructure
devices within the topology tree in a manner that makes it easy to locate any network port. You can add or
remove containers at any point, and move modeled devices from one container to another at any time. Note
that deleting a container will also delete any devices modeled within that container. You can use the
containers that you build here in other parts of the product as a way to indicate location and as a way to
provide additional information for adapter points of connection.

FortiNAC 8.5 Study Guide 55

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

When you model a device, the FortiNAC system initially uses SNMP as a method of communicating with the
device to identify the device type. Using the devices sysObjectID, FortiNAC can identify the vendor and model
of the device. This, in turn, identifies the necessary command sets and methods to be used when the CLI is
used for visibility gathering and device control. These command sets are stored in files located in the
/bsc/campusMgr/master_loader/telnetMibs directory.

FortiNAC also uses collected MIB information to identify the number of ports, the administrative state of the
ports, and the physical address of each port. On the FortiNAC GUI, RJ45 port icons represent each port on a
wired infrastructure device. The same RJ45 port icons identify different things when it comes to wireless
devices. For example, when a Fortinet wireless device is modeled, the RJ45 ports will be used to represent
the different VLANs that are configured on the AP.

FortiNAC 8.5 Study Guide 56

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

In the FortiNAC GUI, the topology view, located in the Network Devices menu, is broken into two sections.
On the left side, the topology tree contains the root container and all subcontainers created within it. You can
expand each container to show the devices modeled within it. On the right side is the details panel, which
displays topology information across several tabs.

When you select a container, the possible tabs displayed are Containers, Devices, Ports, SSIDs, and
Logical Networks. The tabs displayed will depend on the selected container. For example, the Container or
Logical Networks tabs will appear only when you select the root container.

FortiNAC 8.5 Study Guide 57

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

This slide shows the information displayed on the first four tabs.
The Containers tab shows a list of all subcontainers that exist within the topology tree. This tab is displayed
only if the root container is selected. The Devices tab displays all devices within a selected sub-container.
The Ports tab displays all ports of all devices within the selected container. The SSIDs tab displays all SSIDs
from all devices within the selected container.

If you selected the root container, all elements of the topology view will be displayed for each of the tabs.

The Logical Networks tab is displayed only if you select the root container. You will learn more about logical
networks in another lesson.

FortiNAC 8.5 Study Guide 58

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

When you select an individual switch or router, only ports and property tabs associated with that device are
displayed. The following tabs will be displayed for most infrastructure devices:
• Ports
• SSIDs
• Element
• System
• Polling
• Credentials

The Virtualized Devices tab appears for FortiGate devices with VDOMs configured. A Model Configuration
tab appears for other infrastructure devices, which you will learn about in an another lesson.

FortiNAC 8.5 Study Guide 59

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

When you select a device that is modeled as a pingable device, two tabs for the device are displayed:
• The Element tab displays detailed properties of the selected device, such as the name, IP address,
physical address, and device type. It also provides some configuration options for the processing of
incoming events or integration with an SSO agent. You can assign a role value to the device from a drop-
down list. The location of the device is displayed (if it is known), and you can modify the description and
note fields with additional details. Contact status allows you to enable or disable the polling, set the interval
for polls, and displays the last successful poll as well as the last attempted poll.
• The Details tab provides a location for you to add important device-specific information.

FortiNAC 8.5 Study Guide 60

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

To rename the root container, right-click the root container and then, in the drop-down list, select Rename. A
dialog box opens and you can type the new name. After you click OK, the container updates to reflect the
change.

FortiNAC 8.5 Study Guide 61

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

To create subcontainers, right-click the root container and select Add Container. The Add Container dialog
box opens, allowing you to give the container a name and add notes. After you click OK, the new container
appears in the topology tree after a few seconds. The root container is the only container that allows the
creation of subcontainers.

FortiNAC 8.5 Study Guide 62

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

To model a single SNMP-capable device, right-click the desired sub-container and select Add Device in the
drop-down list. The Add Device dialog box opens.

At the top of the dialog box, you can choose to change the container the device will be modeled in. By default,
the device is modeled in the container that you right-clicked. Type the IP address of the device.

In the SNMP Settings section, select SNMP Protocol version 1 or version 3, and type the read/write security
string.

In the CLI Settings section, configure the User Name, Password, and Enable Password (if necessary)
settings and select the appropriate protocol: Telnet, SSH1, or SSH2.

FortiNAC will use the SNMP and CLI settings to gather visibility information and for control purposes. If the
username and password supplied do not grant access to configuration capabilities, then you must configure
the Enable Password setting. If the username and password combination do grant access to the
configuration capabilities, then you must leave the Enable Password field empty.

FortiNAC 8.5 Study Guide 63

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

In large environments, individually adding devices can be a tedious task. Instead you can right-click a
subcontainer and select Start Discovery to open the Discovery Settings dialog box.
On the IP Range tab, you can select Cisco Discovery Protocol (CDP) or address ranges. If you select CDP,
you must enter a seed device address.

On the SNMP Credentials tab, you can add SNMP V1 or V2c security strings, as well as V3 credentials.
FortiNAC tests each SNMP entry against each device, in order, until one is found that works or the list is
exhausted.

FortiNAC 8.5 Study Guide 64

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

On the CLI Credentials tab, you can configure a list of user names, passwords, enable passwords settings,
and protocol settings. FortiNAC attempts each entry in the list, in order, until valid credentials are found or the
list is exhausted.

The Confirm Discovery tab summarizes all the container and IP range information you entered on the IP
Range tabs. Click OK to initiate discovery.

FortiNAC 8.5 Study Guide 65

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Because each physical address is unique, FortiNAC can identify hosts as they connect to the network.
FortiNAC uses the information that it gathers when it identifies a host to fill in the physical address and
location information in the database.
The information is gathered through polling of the infrastructure device acting as the point of connection for
the endpoint, or through the receipt of a MAC notification trap or RADIUS request sent to FortiNAC from the
device that an endpoint has connected to.
The physical address that was learned, the time it was learned, and where it was learned from, provide the
beginnings of endpoint visibility in the form of what, where, and when information.

FortiNAC 8.5 Study Guide 66

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

The three ways that L2 polling is triggered are:

• Manual polling: Manual polling is initiated when an administrative user right-clicks the switch in the
topology tree and selects L2 (IPMAC), or clicks Network Devices > L2 Polling (Resync Hosts).
• Scheduled: L2 polling is scheduled in the L2 Polling (Resync Hosts) view, which you select in the
Network Devices drop-down list. You can change the default scheduled intervals.
• Link Traps: Link traps received from an edge device trigger FortiNAC to perform an L2 poll to update its
awareness of devices that are connected on that edge device. The traps that trigger the poll are: Linkup,
Linkdown, WarmStart, and ColdStart. This trigger keeps FortiNAC up to date in real-time as devices
connect to and disconnect from edge devices.

You can also collect L2 data from MAC notification traps. When an edge device issues a MAC notification trap
to FortiNAC, the notification contains the MAC address that was just learned or removed from the MAC
address table of the edge device, as well as the port that MAC address was associated with. FortiNAC can
then update its database with the new information.

MAC notification traps are the preferred method for learning and updating this L2 information and you should
always use them when they are an option. Receiving and processing MAC notification traps is much less
resource intensive than having to contact and query an edge device.

You should not configure link traps to be sent to FortiNAC on devices that have MAC notification traps
configured. You should not configure MAC notification traps on interfaces that are uplinks.

FortiNAC 8.5 Study Guide 67

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

To manually initiate an L2 poll on a single device, right-click the device in the topology tree and select Poll for
L2 (Hosts) Info. FortiNAC will immediately perform an L2 poll and update the host’s entries in the database.

FortiNAC 8.5 Study Guide 68

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

To schedule FortiNAC to perform L2 polls or manually perform an L2 poll on one or more devices, use the
Network Devices menu to select L2 Polling (Resync Hosts). This opens the L2 Polling (Resync Hosts)
administrative view. This view contains a list of all layer 2-capable devices that have been modeled in the
topology tree. These devices are displayed here because they exist in the L2 Network Devices system group.

You can manage these layer 2-capable devices using the buttons at the bottom of the screen. The Add To
Group and Remove From Group buttons allow for group management of all selected devices. Use Set
Polling to enable and schedule automatic polling intervals for selected devices, and Poll Now to trigger an
immediate poll of all selected devices.

FortiNAC 8.5 Study Guide 69

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

MAC notification traps offer, with specific vendors, an alternative and preferred method of Layer 2 data
gathering. A MAC notification trap is generated by the infrastructure device when a new MAC address is
learned or removed from its MAC address table.

There are a couple of reasons why MAC notification traps are preferred over link up and link down traps and
why you should always use them whenever possible:
• First, FortiNAC no longer needs to establish a connection to the infrastructure device each time a link up or
link down trap is received because the required information is included in the MAC notification trap. This
makes database updates faster and demands fewer resources.
• Second, hosts and devices that connect through hubs or IP phones will be seen immediately, even if the
device they connected to can’t generate link up or link down traps.

FortiNAC 8.5 Study Guide 70

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Regardless of the method used, once layer 2 information is gathered or received, FortiNAC can update the
device locations by point of connection. There are any number of different icons that can be used to display
what is connected. Some of the common default icons are shown on this slide. On the far left, you can see an
icon representing an unknown device connected to port 1. On port N, you see an icon representing a single
host in addition to a connected IP phone.

The two wireless ports representing VLAN_100 and VLAN_230 are showing a cloud icon, which is used by
FotiNAC to indicate that more than a single host connected. When represented in the topology view, you can
click these clouds to see each element that makes up the cloud.

FortiNAC 8.5 Study Guide 71

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

L3 IP address information is a critical piece of network visibility and is a necessary component for some
FortiNAC capabilities. As devices are added or discovered, they are automatically added into the L2 Wired
Devices or L2 Wireless Devices groups. These groups are nested as subgroups of the L2 Network Devices
group. A default L3 (IP --> MAC Devices) group is created by FortiNAC, but is not automatically populated.
You must add your L3 devices to this group. The polling of devices in the L3 device group is performed on a
scheduled basis and the correlated IP address is added to the database record for the corresponding MAC
address.

FortiNAC 8.5 Study Guide 72

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

To schedule FortiNAC to perform L3 polls, click Network Devices menu and select L3 Polling (IP  MAC).
This opens the L3 Polling (IPMAC) window, where you can manually perform or schedule the poll.

Only devices that are members of the L3 (IPMAC) system group appear in this window. Display options at
the top of the window and buttons along the bottom of the window allow you to add devices to that group from
this view.

Use Set Polling to enable and schedule automatic polling intervals for selected devices, and Poll Now to
trigger an immediate poll of all selected devices.

FortiNAC 8.5 Study Guide 73

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Configuring FortiNAC as an additional DHCP server using DHCP relays throughout an environment will result
in FortiNAC receiving copies of DHCP discovery and request packets. FortiNAC will never respond to the
packets forwarded to it from production networks because it should never have DHCP scopes configured on it
for those networks. Once received, FortiNAC can parse the contents of each DHCP discovery or request and
identify, based on parameters in the packet, the originating host’s hostname and operating system. This
information will be used to update and enhance the visibility information stored in the database.

This added visibility can also be used to generate notifications when hostnames or host operating systems
change.

In deployments that use FNC-C Control and FNC-A Application servers, these DHCP relays should be
targeted to Eth1 on the application server. For FNC-CA single appliance or VM FortiNACs, the relays should
target Eth1.

FortiNAC 8.5 Study Guide 74

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Endpoint visibility is the information gathered about endpoints connected or previously connected to the
network. Endpoint visibility information usually includes all or some of following information:
• The MAC or physical address, which is gathered using L2 polling or MAC notification traps
• The network or IP address, which is gathered using L3 polling
• Its current or last location on the network, which is known through L2 polling
• Connection status (connected or disconnected) and the connect and disconnect times, which is based on L2
polling
• The vendor name, which is based on the vendor OUI of the MAC address. (FortiNAC has a current list of
vendor OUIs in the database.)
• The hostname and operating system, which is gathered from DHCP fingerprinting
Endpoint visibility and details do not define device trust. Trust is defined through the classification of each
endpoint. You will learn more about methods and process for classification in another lesson.
Note that you can also gather most of this information using FortiNAC agent technology. You will explore
agents in an another lesson.

FortiNAC 8.5 Study Guide 75

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

This slide shows some common port icons that you will see in the topology view. In the upper left corner, you
can see an RJ45 port icon. RJ45 ports are used to represent physical ports on wired devices. An empty port,
like the one shown here, indicates that, based on L2 poll results, no devices are physically connected. If the
port icon is green, it indicates that, when the interfaces were originally read from the switch, the port was in an
admin link-up state. The same RJ45 port icons are used for wireless devices, but may represent different
things, such as an access group or a VLAN.
The icon on the lower left corner identifies the point of connection for FortiNAC. FortiNAC will recognize its
own physical address when it performs an L2 poll and will represent itself using this small circular icon.
The icon on the upper right corner indicates multiple devices on the same port. If an L2 poll determines that
more than one MAC address is concurrently connected to a single port, in a wireless network, or more than
one MAC address is connected as part of the same group or on the same VLAN, FortiNAC represents the
multiple connected devices as a cloud. You can view all connected hosts individually using the Adapters tab
in the topology view. If one of the connected devices has been classified as an IP phone, a small IP phone
icon will be shown in the cloud icon.
Administratively disabled RJ45 ports are represented by the port icon with an X through it, as shown on the
lower right corner.
The icon shown in the center of the slide and is called an uplink. Uplink ports are represented by a small RJ45
cable. Uplink ports change the way FortiNAC gathers information from the port and how it controls the port.
During L2 polling, all physical addresses learned on an uplink port will be ignored because they aren’t actually
connected on that port. FortiNAC will not perform any control operations (changing VLANs, changing port
state, and so on) on a port that is designated as an uplink.
There are three ways a port can be designated an uplink:
• A physical address owned by a port on another infrastructure device is shown as being learned on the
port being polled
• More than 20 (default setting) physical addresses are seen as being concurrently connected to a port
• An administrative user manually designates a port as an uplink

FortiNAC 8.5 Study Guide 76

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Devices modeled in the topology view have a set of properties. When you right click a device in the topology
tree, you can select Properties, to view the device properties. You can also click the Element tab properties
related to system information about the selected model. Information such as name, vendor and version, is
gathered during the initial modeling process using SNMP.
There are also some options that affect the management behavior for this device. If VLAN Switching
Enabled is not selected, FortiNAC will never change a VLAN on this device.
Next, if PA Optimization is enabled, VLAN changes will be performed more efficiently for hosts with the
persistent agent installed. In most situations, it is beneficial to select this option even when the persistent
agent is not deployed, because the network changes will still occur using the default method.
The third option is MAC Filtering Enabled. When you select this option, FortiNAC logs in to the switch and
configures the switch to filter the MAC address of that device so that the host will not have any access. Roles
can be assigned, but that is not very common. Roles can be leveraged to automatically provision access for a
device modeled in the topology view. The description information is pulled during the initial modeling. You can
use options to do L2 and L3 polling through SNMP instead of the CLI, if that is the default option for this type
of switch. You can also add the device to a device group.
Click the System tab to see information obtained from the switch’s management information base (MIB).
Name is the sysName, Contact is the sysContact, and Location is the sysLocation. The Polling tab displays
polling schedules for each type of polling FortiNAC may perform. Contact Status Polling, which defaults to
every 10 minutes, verifies the device is still pingable. L2 (Hosts) Polling is the frequency at which connecting
endpoint or host information is gathered. An L3 capable device will display the L3 polling interval for IP
address gathering.
The Credentials tab displays device communication credentials.

FortiNAC 8.5 Study Guide 77

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

The Network Devices settings allow you to configure global properties that are specific to network devices
and VLANs. Only some of the settings are covered on this slide.

Min Trap Period (Sec): This is the number of seconds FortiNAC waits after receiving a linkup trap before
reading the forwarding table from the switch associated with the trap. The default is 10.

Max Number of Trap Periods: This is the maximum number of trap periods that the appliance waits before
reading the switch forwarding tables.
If the switch does not have the MAC address information for the port that generated the linkup trap, the
appliance places the switch back into the queue. Once Min Trap Period has expired, the forwarding table on
the switch is read again. If another linkup trap is generated by the same switch, the trap period time is reset.
The default is 4.
For example, if Min Trap Period is set to 20 seconds and Max Number of Trap Periods is set to 2, the
longest the appliance will wait to read the switch forwarding tables is 40 seconds.

System Defined Uplink Count: When the number of MAC addresses on a port exceeds this value, the port
is changed to an uplink. Setting this value to a higher number can help to indicate multiaccess points. For
example, setting this value to 7 changes the port to an uplink if a minihub with eight ports is connected on the
port. The default is 20.

Telnet/SSH Connection Timeout (Sec): When you use telnet to contact devices, this setting determines how
long the server waits for a response from the device before timing out. The default is 12 seconds.

MAC Address Spoof Time Delay (Minutes): This is the number of minutes after which, if the same MAC
address has been detected on two devices/ports simultaneously, the possible MAC address spoof event is
generated. The default is 5 minutes.

FortiNAC 8.5 Study Guide 78

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Enable Multi-Access Detection: When this option is enabled, the appliance looks for multiple MAC
addresses on ports each time a switch is read. This setting is disabled by default. To generate an event when
multiple MAC addresses are detected on a port, you must also enable Multi-Access Point Detected;
however, if the detected port is in the Authorized Access Points group, an event is not generated.

Enable Cisco Discovery Polling: When enabled, this option allows FortiNAC to query devices about other
connected devices on the network using Cisco Discovery Polling (CDP). This setting is enabled by default. If
this discovery protocol is enabled on a device, it gathers and stores information about devices it manages and
devices it can contact on the network. Only devices with Enable Cisco Discovery Polling will respond to a
CDP query.
This is a global setting for the system. If this setting is enabled, devices can be set individually on the Polling
tab of the Device Properties view. If this setting is disabled, the device setting is ignored and CDP is not
used when polling a device. Devices that have the capacity for CDP must have the feature configured on the
device's firmware.

Maximum Cisco Discovery Depth: This setting limits the number of layers from the original device that will
be queried using CDP.

Ignore MAC Notification Traps for IP Phones: When this setting is enabled, FortiNAC will not process MAC
notification traps for IP phones. This setting is enabled by default.

FortiNAC 8.5 Study Guide 79

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 80

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Good job! You now understand the modeling of network infrastructure devices.

Now, you will learn how to manage FortiNAC groups.

FortiNAC 8.5 Study Guide 81

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

After completing this section you should be able to achieve the objectives shown on this slide.

By demonstrating competence working with groups, you will be able to appropriately plan and use them to
achieve your desired deployment and management goals.

FortiNAC 8.5 Study Guide 82

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Groups are collections of elements. Groups are a fundamental part of FortiNAC operations. There are six
different types of groups and the groups type defines what can be a member of that group. The different group
types are: administrator, device, host, IP phone, port, and user.

A set of preconfigured groups, called system groups, are identified by an owner type that is set to System.
Most of these groups enforce some form of control or enable some functionality on all members.

Any groups created by administrative users, or imported as a result of an LDAP integration, will be assigned
an owner of User. These groups are used to organize elements and do not enforce any type of control or
functionality directly.

Groups of the same type can be nested within one another. As a best practice, administrative users create
groups to identify elements in a way that allows them to nest those groups into appropriate systems groups, to
satisfy enforcement needs.

There are more than 25 different system groups on FortiNAC, and several of the most commonly used groups
are covered in another lesson. You can find a definition for each system group in help.

A small set of system groups are automatically populate. These groups are:
• Rogue hosts
• Registered hosts
• L2 wired devices
• L2 wireless devices

FortiNAC 8.5 Study Guide 83

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

The examples on this slide show some common methods for organizing ports. The first example is a simple
geographical organization of ports through the use of four individual port groups. The first three groups have
ports directly added to them as members and are named Building-1 1st floor, Building-1 2nd floor, and
Building-1 3rd floor. These three port groups are added as subgroups to the fourth group called Building 1.
This organization of ports provides the ability to enforce control on a floor-by-floor basis or by the building as a
whole.

The second example shows a group of ports organized by function. The conference room ports contained
within the group named Conference Room Ports may have no geographic similarities at all; however, they all
serve the same function and can now be managed together.

The final example shows a combination of the previous two examples. In this example, the conference room
ports are organized based on a geographic location, and the ports are named Bldg 1, Bldg 2, and Bldg 3. As
a group based on function, the group is named All Conference Room Ports. These ports can now be
managed by function, all conference room ports, or by function and location, building 1 conference room
ports.

The FortiNAC method of management through groups allows for an extremely granular means of control,
down to the exact point of connection in these examples.

FortiNAC 8.5 Study Guide 84

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

To create a port group that is a combination of geographic location and function, click the System tab and
select Groups to open the Groups administrative view.

Click Add to open the Add Group dialog box. Type a group name that indicates the group contents, such as
Conference room ports in building one. In this example, you would set the Member Type to Port.
Remember that the group type defines what can be a member of that group. The Members tab displays the
topology tree from the topology view, which highlights the importance of setting up of the topology tree in a
logical way that makes sense for your environment. In this example, the Building 1 container has been
expanded and a switch has been selected. Each port that is a conference room port in this building is
selected. Use the arrow button to move ports from All Members to Selected Members. Click OK to make the
ports members of the Conference Room Ports in Building 1 group. Repeat this process two more times, for
the second and third buildings. There will now be three individual port groups representing each of the three
buildings.

You can create a fourth group, called All Conference Room Ports, and, in place of ports being added
directly to the group, the previously created groups could be added from the Groups tab.

Groups are a critical part of any FortiNAC deployment and the ability to nest the groups provides both
granularity of management, as well as the ability to scale to any size environment.

FortiNAC 8.5 Study Guide 85

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 86

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiNAC 8.5 Study Guide 87

 Achieving Network Visibility

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to integrate FortiNAC with the network
infrastructure, how information is gathered from the infrastructure, and how to create and manage groups.

FortiNAC 8.5 Study Guide 88

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the endpoint identification and classification process as well as the tools
and methods used to expedite the process.

The identification and classification of rogues is an extremely important component of any FortiNAC
deployment.

FortiNAC 8.5 Study Guide 89

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiNAC 8.5 Study Guide 90

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating knowledge of the difference between rogues and classified devices, you will be able to
better understand the process used, as well as the need for classification.

FortiNAC 8.5 Study Guide 91

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

A rogue device is a physical address that has been seen on the network but has not been associated with an
existing known host and is therefore considered unknown. On the GUI, FortiNAC represents a rogue device
as a laptop image with a question mark on the screen. Rogue devices are often referred to as unknown or
untrusted endpoints. The default logical network called Registration is the method used to isolate rogue
hosts at the point of connection when enforcement is enabled.

FortiNAC 8.5 Study Guide 92

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

A foundation of visibility is created from the information that FortiNAC gathers from endpoints. Endpoints are a
collection of elements: IP addresses, physical addresses, vendor names, statuses, and so on. However,
having this information about endpoints does not classify them as trusted devices. One method used to
classify connected devices is the device profiling tool. The device profiling tool uses administratively created
rules that identify what's connected to the network using one or more methods that identify the type of device.
In the example shown on this slide, there is a rule called printers that uses NMAP to scan open TCP ports.
This scans devices as they come to look for specific open TCP ports, and allows you to change the
classification of unknown rogue device to a trusted device, in this case, a printer.

You can create rules, as needed, for each different type of device that requires classification. An IP phone
rule, for example, may use NMAP active, which means an NMAP scan looks at the operating system details
for matched values. When FortiNAC evaluates the gathered information and compares it to a pre-set list in
the database to determine if it is a match for the selected device type. You can also enter a user-defined value
to allow for detailed device-specific customizations.

You can use multiple methods for more robust rule creation. For example, the rule shown on this slide uses
both open TCP port and vender OUI requirements.

End points that are classified are also known as registered hosts, because they are now considered
registered in the system and trusted.

FortiNAC 8.5 Study Guide 93

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 94

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Good job! You now understand the difference between rogue devices and classified (registered) devices.

Now, you will learn how to create device profiling rules to identify and classify rogue devices.

FortiNAC 8.5 Study Guide 95

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

FortiNAC 8.5 Study Guide 96

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

When a rogue device record is created, the device is evaluated against the enabled device profiling rules.
FortiNAC evaluates a device against each rule until a fail or pass result is reached.

The following is an example list of rules and the methods used to validate each rule. They are prioritized for
efficient processing and specific identification:
• Rule 1, called Cameras, uses a single validation method: Vendor OUI
• Rule 2, called Axis Cameras, uses three methods: Vendor OUI, open TCP ports and a HTTP query
• Rule 3, called IP Phone, uses a single method: HTTP query
• Rule 4, called Printer, uses a single method: TCP ports and is keying upon two ports being open: 515 and
9100
• Rule 5, called Printer, uses a single method: TCP ports and is keying upon a single port being open: 9100
• Rule 6, called IP Phone, uses a single method: DHCP fingerprint

Next, you will take a closer look at the components of a device profiling rule.

FortiNAC 8.5 Study Guide 97

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Device profiling rules are used to evaluate and classify rogue devices. You can configure profiling rules to
automatically, manually, or through sponsorship, evaluate and classify unknown, untrusted devices as they
are identified and created.

Device profiling leverages rules comprising classification settings and methods used for evaluation.

FortiNAC uses the rule methods to evaluate devices to test for a pass or fail result. If all selected methods
result in a pass result, then FortiNAC applies the rule-defined classification settings of device type, grouping,
and attribute values.

FortiNAC 8.5 Study Guide 98

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The methods shown on this slide are used to evaluate connected rogue devices. If more than one method is
selected, the selected methods are logically anded when determining if the rule is matched. Match criteria are
configured for each method, as the methods are selected.

The general settings outline how FortiNAC will configure the connected device and how it will appear in the
GUI. You can leverage the device type, role, and group membership for policy enforcement. You can use
access availability settings to grant networks access during specific days and times, and the Rule
Confirmation option to revalidate previously profiled devices.

FortiNAC 8.5 Study Guide 99

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Efficient and specific ranking of the rules is required so that a device is evaluated against all of the available
rules.
FortiNAC evaluates a device against each rule until a pass, fail, or cannot evaluate (because of insufficient
data) result is reached.
• A rule evaluation result of pass classifies the device as defined by the rule classification settings.
• A rule evaluation result of fail continues the device evaluation process with the next ranked rule.
• A rule evaluation result of cannot evaluate stops the device evaluation process. This occurs when a
method within the rule requires data that is not available or able to be validated as current.

As a best practice, categorize rules fall into the three prioritized groups, which should, in most cases, follow
these guidelines:
• Place rules with vendor OUI and/or location methods only in the Already Collected group, which is why the
Cameras rule is ranked first.
• Place rules with one or more IP-based methods in the Needs to be Read group, which is why the Axis
Cameras, IP Phones and two Printer rules are ranked after the Camera rule.
• Place any rules that use DHCP methods in the Must be Received group, which is why IP Phone rule 6 is
ranked last.

FortiNAC 8.5 Study Guide 100

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Within each group organize the rules based on granularity.

Here is the result of following those guidelines with these example rules:
• Rule 1 OUI evaluation result is the simplest path to failure, resulting in the lowest overhead to validate.
• Rule 2 Evaluation of TCP ports and HTTP is done only if OUI matches. This prevents unnecessary
processing of devices that don’t have the correct vendor OUI.
• Rule 3 uses a single IP-reliant method.
• Rule 4 and 5 are specifically ordered with the most granular rule first. If a host has only TCP port 9100
open, it will fall through to rule 5.
• Rule 6 is efficiently ordered because DHCP fingerprint receipt is not controlled by FortiNAC and could stop
rule evaluation if no fingerprint is received.

FortiNAC 8.5 Study Guide 101

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

You can access the Device Profiling Rules window by clicking Hosts, and then Device Profiling Rules.

The Device Profiling Rules window displays the default set of rules provided. Use this window to modify the
default rules or to create your own set of rules. Default rules vary depending on the version of the software
and the firmware installed. Upgrading to a newer version of the software does not add or modify default rules.

In multi-method, rules evaluate OUI, location, and IP range before any other methods. This is so that you can
write profiling rules to specifically target specific devices while excluding others.

Disabled rules are ignored when processing rogues. Device profiling rules are disabled by default and are set
not to register devices. When you are ready to begin profiling, enable the rule or rules you want to use.

Notice that the rules are ranked, which you can modify, for the order in which the rules should be applied.

Run the rules to evaluate rogues that already exist in the database.

FortiNAC 8.5 Study Guide 102

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Creation of a device profiling rule begins with configuring the general settings that define the registration
settings, rule confirmation settings, and other general attributes. At the top of the Add Device Profiling Rule
window, there is an option to enable the rule. Only rules that are enabled will process rogues to see if they
match. The rule needs a name and can also have an optional description. At the bottom of the selected area,
there is an option to notify a sponsor. Any rule can be set up so that a sponsor is notified when a rule is
matched. A sponsor is an administrative user. This can be configured on a rule-by-rule basis and is configured
within an administrator profile.
The middle section is where you configure the registration settings. The very first option is to have the settings
carried out automatically or as a manual process. If set to Automatic, FortiNAC will carry out all the following
registration steps as soon as the rule is matched. If set to Manual, the rule is still matched, the device is
profiled, however, the registration settings are not processed until a sponsor logs into the GUI and manually
registers the device. The next setting to configure is the device type. There are many pre-existing device
types. However, administrative users can also create their own types, which provides complete flexibility,
regardless of the types of devices in any given environment. A role can be assigned to a device and this value
could then be leveraged in a policy. For example, there could be a network access policy configured to
provision devices with a role of camera to a particular network, depending on the point of connection. The
Register as: field is where you can define were the device is placed. The options are, in the host view, the
topology view, or both. The most common option is the host view.

You can also assign device ownership for BYOD devices if user information is known. For devices that are in
the host view, they can automatically be added to a host group. However, for devices that are in the topology
view, you need to select a topology container. The Access Availability option lets the administrative user
define specific days and times the profiled device is allowed on the network.

FortiNAC 8.5 Study Guide 103

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

When a rogue device is processed by a rule and found to be a match, FortiNAC remembers the matching
rule. Going forward, FortiNAC revalidates that the device still matches the rule, each time the device connects
to the network, and/or at a user-defined time interval. If the device fails to match the rule on revalidation, you
can configure FortiNAC to automatically disables the device. This is a safeguard against impersonation of a
previously-profiled end point.

FortiNAC 8.5 Study Guide 104

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The Active method is an NMAP scan of a connected host. There is a device database that will match on the
operating system detail information that is gathered during the NMAP scan. There is a second option to match
a custom value. You can use the key values that you find in the NMAP scan results instead of using the
existing database entries. Therefore, you can use an exact string match or regular expression, which lets you
customize the Active method for almost any environment.

FortiNAC 8.5 Study Guide 105

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The DHCP Fingerprinting method evaluates a DHCP discovery or request packet that was received by the
FortiNAC device. Similar to the NMAP scan, the FortiNAC device has a DHCP fingerprint database that
contains a large list of fingerprints. These fingerprints are identified using option lists and parameters seen in
the DHCP discovery or request. When using the Match Custom Attributes, option fields that are left blank
are ignored. The custom attributes supported are: DHCP message type, option list, vendor class (DHCP
option 60), host name (DHCP option 12), parameter list (DHCP option 55) and operating system.

FortiNAC 8.5 Study Guide 106

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The HTTP/HTTPS method configures the FortiNAC device so that it attempts to open a connection with the
device it is trying to profile on a particular port of your choosing, and using the selected protocol. Optionally, it
can attempt to load a page and/or enter designated credentials. A matching value is specified and the page
contents are parsed for those values. If multiple response values are entered, it will attempt to match any of
them.

FortiNAC 8.5 Study Guide 107

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The IP Range method results in a match if the IP address of a device falls within one of the ranges. You must
specify at least one IP range. This method requires the FortiNAC device to know the current IP address of the
device that is profiled, and will trigger an L3 (IP to MAC) poll to gather this information.

FortiNAC 8.5 Study Guide 108

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The Location method will find a match if the device connects to the selected location on your network. The
options are: anything within a container in the topology view, anything in a port group, or anything in a device
group. In this example, if the end point being evaluated is connected to a port in the Building 1 First Floor
Ports group or any port of any device in the Building 3 container, then it will satisfy the location criteria.

FortiNAC 8.5 Study Guide 109

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The Passive method uses p0f, which is a passive TCP/IP fingerprinting tool. It requires communication to
take place between the FortiNAC device and the device being profiled. This determines the operating system
of the endpoint by analyzing specific fields in the received packets. There is nothing to set on the Methods
tab. This method uses the selected device type on the General tab to determine a match.

FortiNAC 8.5 Study Guide 110

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The Persistent Agent method matchs if the device type that is selected on the General tab corresponds to the
operating system of the device being profiled, and if the device has an agent installed, such as the persistent
agent or mobile agent. The agent is used to determine the operating system of the device. To register hosts
running the persistent agent using this method, you must disable registration from the Credential
Configuration page for persistent that are agents located under the system settings . If you do not, the
persistent agent may register the host before the device profiler has the opportunity to register it.

FortiNAC 8.5 Study Guide 111

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The SNMP method matches if the device successfully responds to an SNMP GET request for the specified
OID. SNMP security credentials are required. If there are multiple security credentials, each set of credentials
will attempt to find a potential match. There is an optional field to match the response string value. If multiple
string values are entered, it will attempt to match any of them.

FortiNAC 8.5 Study Guide 112

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The SSH method attempts to open a client session with the endpoint. User name and password credentials
are required. If there are multiple credentials, each set of credentials will attempt to find a potential match. The
commands are used to automate interaction with the device. The command options are expect and send.
Expect is used by the FortiNAC device to determine when the endpoint is ready for commands to send and is
a regular expression string that matches the response from the device. The send command sends a string to
the device. Send has two optional keywords that you can use to pass the defined credentials,
%USERNAME% and %PASSWORD%, as part of the user-defined command. There is an optional field to
match the response string value. If multiple string values are entered, it will attempt to match any of them.

FortiNAC 8.5 Study Guide 113

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The TCP method matches if the device provides a service on all of the ports specified. You must specify at
least one port, but all specified ports must match. Multiple ports are entered, separated by commas, such as,
162, 175, 188. A range of ports are entered using a hyphen, such as 204-215. The FortiNAC device uses
NMAP to perform the port scan.

FortiNAC 8.5 Study Guide 114

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Similar to the the SSH method, the Telnet method matches if the device successfully responds to a Telnet
client session request. User name and password credentials are not required. If there are multiple credentials,
each set of credentials will attempt to find a potential match. The commands are used to automate interaction
with the device. The possible commands are expect and send. The expect command is a regular expression
string that matches the response from the device. The send command sends a string to the device. The send
command has two keywords %USERNAME% and %PASSWORD% for the username and password. There
is an optional field to match the response string value. If multiple string values are entered, it will attempt to
match any of them.

FortiNAC 8.5 Study Guide 115

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The UDP method works similar to the TCP method. The TCP method matches if the device provides a service
on all of the specified ports. You must specify at least one port, but all specified ports must match. Multiple
ports are entered separated by commas, such as, 162, 175, 188. A range of ports are entered using a
hyphen, such as 204-215.

FortiNAC 8.5 Study Guide 116

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The Vendor OUI method matches if the vendor OUI for the device corresponds to the OUI information
selected for the method. At least one vendor option must be specified. If there are multiple entries, the device
only has to match one entry to match this rule. Options include:
Vendor Code — A specific vendor OUI selected from the list in the FortiNAC database. To select the OUI,
begin typing the first few characters. A list of matching OUIs is displayed in a drop-down list.
Vendor Name — A single vendor name selected from the list in the FortiNAC database. To select the name,
begin typing the first few characters. A list of matching vendors appear in a drop-down list. You can use an
asterisk as a wildcard at the beginning and/or end of a vendor name to match all variations of a name.
Vendor Alias —A vendor alias is an administratively-defined string that you can assign to one or more vendor
OUIs, across multiple vendors. You can define the alias values in the Vendor OUIs settings page, located in
the Identification folder, which you can find in the system settings.
Device Type — Select a device type from the drop-down list provided. Includes items such as Alarm System
or Card Reader. If this option is selected, the device type associated with the vendor OUI of the connecting
device must match the device type for the OUI in the FortiNAC vendor database. You can see the device type
in the vendor database, and override it in the vendor OUIs settings page, located in the Identification folder
in the system settings.

Note that it is a best practice to use the Vendor OUI method in conjunction with other methods to avoid
undesired matches due to MAC address spoofing.

FortiNAC 8.5 Study Guide 117

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The WinRM method matches if the device successfully responds to a WinRM client session request. User
name and password credentials are required. If there are multiple credentials, each set of credentials attempt
to find a potential match. The commands are used to automate interaction with the device. Each command is
run through Powershell. There is an optional field to match the response string value. If multiple string values
are entered, it attempts to match any of them.

FortiNAC 8.5 Study Guide 118

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The WMI profile method matches if the device successfully responds to a WinRM or SSH client session
request and successfully creates a profile through various Powershell commands, primarily querying WMI.
User name (user principal name format, such as [email protected]) and password credentials are
required. If there are multiple credentials, each set of credentials attempt to find a potential match. Additional
options help you to match specific versions of Microsoft Windows, installed applications, Windows Service
statuses, running processes, serial number, and asset tag (with wildcard matching).

This method requires Windows Management Framework 3.0.

FortiNAC 8.5 Study Guide 119

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

When a device matches a profiling rule it appears in the Profiled Devices list, located under the Hosts menu.
This view displays the device name, the profiling rule that was matched, the type of device it is or will be
registered as, role assignment, IP address and physical address, location, and several other pieces
information. If the rule was configured to automatically register the device there is nothing more you need to
do. It appears as registered in the Registered column. If the rule was set for manual registration , it also
appears in the Registered column. However, an administrative user or sponsor needs to select the device in
the Profiled Devices view, and click Register as Device to complete the process.

FortiNAC 8.5 Study Guide 120

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Access the Device Types editor by clicking System > Settings and expanding the Identification folder.

An important part of classifying devices is to accurately portray the many diverse endpoints that connect to an
environment. Device type is commonly used for running inventory reports or creating security policies. There
is a default set of pre-existing device types that you can use during the classification process. You can view
the list from the System Settings menu, within the Identification folder Use the Device Types editor to
modify or create new device types. This helps you to customize device types to fit any environment.

To create a new device, click the Add button. Give the device type a name. Then upload icons of the
appropriate size, or select a small and large icon pair from the archive list of almost 2,000 icon pairs. After you
create a new device type it appears in the list and works exactly like the default device types.

FortiNAC 8.5 Study Guide 121

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Access the vendor OUIs view by clicking System > Settings and expanding the Identification folder. From
this view you can locate specific vendor OUIs using the filter, and you can modify specific attributes of the
selected OUI. To configure an alias, select an entry and click Modify. You learned about alias attributes when
you learned about device profiling configurations.

You can set the alias in the Vendor Alias field. You can also make configuration changes for default role
assignment and registration type. The default role assignment is the value assigned if the device is registered
using a portal page. The registration type is a default device type association and is used with the vendor OUI
method of a device profiling rule. You can override the registration type when the type set by the FortiNAC
device does not reflect what is seen in a specific environment.

Vendor OUI information is kept up to date by the auto-definition synchronizer scheduled task that exists in the
scheduler tool.

FortiNAC 8.5 Study Guide 122

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 123

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Good job! You now understand how to create and use device profiling rules.

Now, you will explore how you can use agent technology to assist in the classification of rogue devices.

FortiNAC 8.5 Study Guide 124

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

After completing this section you should be able to achieve the objectives shown on this slide.

By understanding the ways that you can use agents to securely classify endpoints, you will be able to use
appropriate options for classification.

FortiNAC 8.5 Study Guide 125

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The passive agent registers and scans end stations that are joined to a domain when a domain user logs in.
You can deploy the agent using a login script and use administrative templates to configure it. The
administrative templates are installed and configured on the domain controller with the fully qualified domain
name of the FortiNAC device. As a result, when the agent runs, it knows where to send the results. Place the
agent executable in a user accessible location, and configure the login/logoff script to execute the agent. If the
end station is configured to register at login, it registers the first time and remains registered until it expires
based on configurable aging timers. You can also use the passive agent to track users as they login and out
of domain machines.

FortiNAC 8.5 Study Guide 126

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Access the passive agent rules by clicking Policy > Passive Agent Configurations.

Passive agent registration helps you create customized configurations that register and scan hosts that are
associated with network users contained in your LDAP or Active Directory. Scanning requires an agent,
however, the agent does not need to be installed by the user. The agent is provided using an external method,
such as group policy objects, and launched when the user logs into the domain.

When a user connects to the network and logs in, FortiNAC determines the directory group to which the user
belongs. Based on that group, a passive agent configuration is used. The configuration registers the user and
the associated host in FortiNAC. If enabled, the agent scans the host to verify that it is in compliance with the
appropriate endpoint compliance policy. You can specify the scan in the configuration, or FortiNAC can
determine it, based on the user/host profile of the user or host.

You can also use a passive agent configuration to track user login and logoff on hosts with the Persistent
Agent installed. To create a passive agent configuration that does not apply to any domain group members,
leave the check box un checked. The different configurations can be ranked with the more specific ones first.

FortiNAC 8.5 Study Guide 127

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The FortiNAC persistent agent is an install and stay resident agent. There are several different types
of persistent agents for use, depending on the method of deployment. The .exe, .dmg, .deb, and .rpm
are normally deployed from within the captive portal environment during end station on-boarding.
This enables the configuration of the agents through server communication, as they are installed.
The .msi is typically deployed as part of the group policy or by some other software distribution
mechanism. When an agent is deployed as part of the group policy, the administrative templates can
be installed on the Active Directory for agent configuration. When being deployed by other means, a
set of registry key entries must be deployed or configured as well.

The behavior of the agent, and the FortiNAC server it communicates with, is configured in the registry
on Windows systems. Similar configurations are used on Mac systems and DNS SRV records can be
used. Installation scripts can be run on Linux systems for configuring these values.

FortiNAC 8.5 Study Guide 128

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

After the persistent agent is deployed, it initiates communication back to the FortiNAC server every 15
minutes. The persistent agent performs scheduled scans in the background that are transparent to the end
user. To use system messaging, go to the Bookmarks menu or you can right-click a specific host in the host
view and select Host Health.

FortiNAC 8.5 Study Guide 129

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 130

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Good job! You know understand how to use agent technology to classify end points.

Now, you will explore MDM integration.

FortiNAC 8.5 Study Guide 131

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

FortiNAC 8.5 Study Guide 132

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

MDM services helps you configure the connection or integration between FortiNAC and a mobile device
management (MDM) system. The FortiNAC device and the MDM system work together to share data through
an API to secure the network. FortiNAC leverages the data in the MDM database and registers hosts using
that data as they connect to the network. You can pull down device application inventories from some MDMs
to enhance the visibility of connecting mobile devices. You can use email addresses to make user
associations between existing users and newly added devices. You can also leverage security policies by
matching on attributes that are passed down from the MDM, and see additional host information that is
available within the host view.
The supported vendors are: AirWatch, FortiClient EMS, Google G-Suite, MaaS360, Microsoft In Tune, Mobile
Iron, and XenMobile.

FortiNAC 8.5 Study Guide 133

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Access the passive agent rules by clicking System > Settings and expanding the System Communication
folder.

The MDM integration is performed from the System menu, Settings option. On the left side of the system
settings view, within the System Communication folder, is the MDM services configuration view. Click the Add
button to create a new MDM integration. Select the vendor from the drop down menu. Name the integration
and fill in the appropriate communication parameters for your MDM.
Use the appropriate behavioral options for the integration:
• Enable On Demand Registration triggers the FortiNAC to query the MDM whenever a host reaches the
captive portal for onboarding. If the host is found in the MDM, it is registered using the data obtained from
the MDM.
• Revalidate Health Status on Connect prompts FortiNAC to query the MDM for host compliance
whenever hosts connect to the network. This is disabled by default, and can generate a lot of overhead for
the MDM.
• Remove Hosts Deleted from the MDM Server prompts FortiNAC to remove hosts from its database, if
they have been deleted from the MDM server.
• Enable Application Updating prompts FortiNAC to retrieve and store the application inventory for hosts
that are in the FortiNAC database.
• Enable Automatic Registration Polling sets the time interval for MDM server polling by the FortiNAC.

FortiNAC 8.5 Study Guide 134

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 135

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Good job! You now understand how you can use MDM integration to define trust and enhance visibility.

Now, you will learn how you can use manual registration to assign trust to end points.

FortiNAC 8.5 Study Guide 136

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

FortiNAC 8.5 Study Guide 137

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

To register a host as a device, select the option from the right-click menu. The Manage in drop-down list
helps the administrative user decide how the registered device is viewed and managed after registration.
 The Device in Host View option will model the device as a host, and it will appear and be managed in the
host view.
 The Device in Topology view will display the host in the topology tree. Note that security policies are not
applied to devices modeled using the Device in Topology option.
 The Device in Host View and Topology option will display the device in both locations.
 The Device Type drop-down list is used to manually assign the device type and will include all default and
administratively created device types.

FortiNAC 8.5 Study Guide 138

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Another option for manual registration is the Register as Host option, which is available from the right-click
menu.

Use the filter to locate the device you want to register, right-click the device, and select Register as Host.
Register Host to User is the default option and should be selected if the host and a user record need to have
a permanent association. This is normally the case in BYOD situations, such as guests and contractors.

The Register Host as Device option does not make a permanent association between a particular user and
the host, and this is typically used for corporate assets or IoT devices. This is equivalent to the Device in
Host View option from the previous slide.

FortiNAC 8.5 Study Guide 139

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 140

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Good job! You now know how to manually register endpoints.

Now, you will learn how importing of endpoints works.

FortiNAC 8.5 Study Guide 141

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

FortiNAC 8.5 Study Guide 142

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

To add hosts, users, devices, or IP phones, create a comma separated value (CSV) file using any text editor
or spreadsheet tool. If you are using a text editor to create the file, use commas to separate the fields when
you enter the data. Use carriage returns to separate records.

You can mix the types of records you are importing. For example, you can import hosts, users and IP Phones
in the same file as long as you have all of the appropriate fields in the header row.

The first row in the file is a header row and must contain a comma separated list of the database field names
that are included in the import file. The order of the fields does not matter. For example, to import hosts and
their corresponding adapters, the header row could have the following columns:
adap.mac, adap.ip, host.owner, host.host, and siblings.

There are a couple required columns, depending on what is being imported.

For hosts, the adap.mac column is required, and for users, the user.uid column is required.

Note that fields are case sensitive, and if you import something that already exists in the database, the
existing record is updated with the new data from the import.

The fields displayed on this slide are some of the most commonly used. A more complete list exists in the
help.

FortiNAC 8.5 Study Guide 143

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

After you create a CSV file with all the required fields and entries, you can import into the database by clicking
Import and then clicking Choose File. Navigate to and choose the CSV file and click OK. The entries will
appear in an Import Results window. Click OK to close the window. The imported records will now be
searchable within the different visibility views.

FortiNAC 8.5 Study Guide 144

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 145

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Good job! You now understand how you can use importing to classify devices.

Now, you will learn about the system management settings.

FortiNAC 8.5 Study Guide 146

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

FortiNAC 8.5 Study Guide 147

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The system management settings are located in the System menu, Settings option. The individual settings
pages are contained in the System Management folder. The first settings are for database archive
parameters. These settings help preserve disk space and help specific administrative views to load more
quickly. This is achieved by removing the data that is stored for the indicated views from the database and
archiving it to local files.

The first option sets how long the FortiNAC device will keep the local copy of the archived data. The default is
90 days.
The next three options define at what age the data is removed from those views and archived. The listed
views are: connections, events, alarms, and scan results. They tend to fill very quickly with entries. If those
entries aren’t removed periodically, the views may take a long time to load.

The Schedule Database Archive and Purge settings help an administrator perform the archive manually
(use the Run Now button) or modify the scheduled interval (use the Modify Schedule button). Modifying the
schedule will update the scheduled entry in the scheduler tool for the Database Archive and Purge action.

The Database Backup/Restore settings window is where you can define the following:
• Length of time that local backup copies of the database are kept
• The interval by which the database is backed
This is also where existing copies of database backups are restored. When a back copy of the database is
restored, a current backup is made automatically.

FortiNAC 8.5 Study Guide 148

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The High Availability settings view is for the configuration of FortiNAC high availability installation settings.
You can configure high availability (HA) deployments in a Layer 2 manner using a shared IP address with
both the primary and the secondary system on the same subnet. You can also configure an HA deployment in
a Layer 3 configuration where by the two systems are separated by a router. The Layer 2 option allowa for
management to be performed using a single interface address, whereas the Layer 3 option uses two different
interface addresses: one for the primary, and one for the secondary. The secondary interface is available for
admin access only after a failover.

The License Management view displays the following information about the FortiNAC server:
• Eth0 IP address
• Eth0 MAC address
• UUID
• Serial number
• Server type

The License Key Detail section displays the license name, such as Fortinet Base, Plus or Pro. It also
displays the number of concurrent licenses and any additional licensed features. Use the Modify License
Key button to install a new license.

FortiNAC 8.5 Study Guide 149

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

The NTP and Time Zone settings view is where you can configure the NTP server and time zone for each
appliance, depending on the deployment. If you have a control server and an application server pair, both
servers appear in the list. In an HA environment this includes up to four servers, two control servers and two
application servers.

Use the Power Management view settings to properly reboot or power off the appliance.

FortiNAC 8.5 Study Guide 150

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

An extremely important part of data preservation is to keep important data backed up on remote systems. By
default, the FortiNAC device backs up the database and other important configuration files locally. The
Remote Backup Configuration window helps you set up a remote system or system. Using FTP or SSH, the
FortiNAC device transfers a copy of the backed up data each time the database or system backup tasks are
run.

Use the System Backups configuration view to set the backup frequency of system information that is not
included in the database set. This will update the System Backup Action task in the scheduler tool.

FortiNAC 8.5 Study Guide 151

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 152

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiNAC 8.5 Study Guide 153

 Identification and Classification of Rogues

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about the endpoint identification and
classification process, as well as the tools and methods used to expedite the process.

FortiNAC 8.5 Study Guide 154

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to access and manage user and endpoint information quickly and efficiently.
You will understand the basic visibility hierarchy that the FortiNAC uses to organize and relate different
elements.

FortiNAC 8.5 Study Guide 155

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiNAC 8.5 Study Guide 156

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.
By demonstrating competence in understanding how information is stored, how to use views and filters, and
access the information available in those views, you will be able to view and use the information in your
network.

FortiNAC 8.5 Study Guide 157

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Network visibility is the first step to building a comprehensive network security solution that will profile and
track all the endpoints accessing your network.

User information is gathered through integrations with LDAP or RADIUS servers, or stored locally in the
FortiNAC database. Users can be associated with hosts as the current logged in user, in the case of user
tracking, or as the owner of a particular device, in the case of BYOD. The user records contain a variety of
user property information and this makes up the who component of visibility.

Host and adapter information is gathered from communication with the infrastructure, DHCP fingerprints and
agent technology. Hosts will have associated adapters and a variety of host properties, such as hostname,
operating system and expiration dates. This host information makes up part of the What component of
visibility.

Adapters are associated with hosts and contain a set of properties as well, such as physical address and IP
address information. This adds additional information to the what component. Communication with the
infrastructure adds in where a particular adapter is connected and when it is or was connected. This fills in the
Where and When information.

Application information is gather from agent communication or MDM integrations.

The gathered information can then be enhanced by information contained in the database, such as vendor
identification based on adapter OUI. This information is organized and stored as attributes of the entities they
are associated with. There are four levels of visibility available within FortiNAC, arranged as a visibility
hierarchy, and there is a dedicated visibility view for each: users, hosts, adapters and applications.

Application details, such was what applications are installed and their versions, enhances the what
information further. We will explore each of these views in this lesson.

FortiNAC 8.5 Study Guide 158

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Endpoint devices represented in the database can have varying levels of attributes. A simple headless IoT
device, for example, may have nothing more than an adapter associated to it. An end station, however, may
have a user associated to it, either as an owner in the case of BYOD or as the current user of a corporate
asset. It may have applications such as web browsers, mail clients and agents. It may have wired, wireless
adapters, or both. These two examples are most often displayed in the Host View with the IoT device being
referred to as a device, and the end station as a host. This visibility can be broken down into four simple
categories: users, hosts (this includes the IoT devices), adapters, and applications.

FortiNAC 8.5 Study Guide 159

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The four specialized visibility views:

• Users
• Hosts
• Adapters
• Application

The user visibility view is available from the Users menu while all others are options within the Hosts menu.
The visibility views are really just separate tabs within the same view, so regardless of which view you initially
choose to access all of the other views will be readily available.

A very important feature of each view is the filtering capabilities. In a typical environment, there are thousands
or tens of thousands of users, hosts, and so on. It is crucial that you are able to find what you’re looking for as
quickly and easily as possible. Another important component is easy access to control actions. When an
administrative user is searching for a user, host, or adapter, it’s normally because they need to gather
information about that entity or take action on that entity, such as disabling a host and denying it network
access. Control actions provide that capability.

FortiNAC 8.5 Study Guide 160

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The filtering tool that is available in the User, Host, and Adapter views looks and works the same way in
each view.

In each view the filter tool is located in the upper right of the view. When you load the view, the filter field is
highlight in blue, indicating that it is waiting for you to add filter criteria. This default option is Quick Filter. Any
values entered in as a quick filter will be searched against the IP address, MAC address, hostname,
username and user ID of all users, hosts, and adapters. Wild cards can be used in the quick filter. For
example, a value of 192.168.102.* would return all adapters or hosts, depending on the current tab, with
those numbers as the first 24 bits of their IP address. There are more available for search customizations. For
example, [attribute1, attribute2, attribute3] will return results that match any of the three attributes listed.
Wildcards can be used within each of the attribute options and an ! (exclamation point) at the front of any
search will invert the search to display all entities that do not match the parameters.

The Custom Filter and New Filter options open filter configuration windows that allow for the creation of
extremely granular filters. Custom filters and new filters work in much the same way, and can both be saved
for future use. The difference is that a new filter will automatically be saved and can be designated as private
(available to this user only) or shared (available to all admin users), while custom filters, by default, are not
saved. If you do save a custom filter, it will have the same private and shared options. Any saved filters are
listed below the gray break line in the filter drop-down list. Saved filters can be edited or deleted using the
icons to the right of each filter.

The filter for applications uses a different style of filter, like the one seen in most of the other views, built one
criteria at a time in the upper left of the view. You will learn more about the Applications view.

FortiNAC 8.5 Study Guide 161

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

When you select the Custom Filter option, the Custom Filter configuration window opens. When you select
the New Filter option, you must assign a name to the filter, and designate the filter as shared or private before
the Custom Filter configuration window opens.

The Custom Filter configuration window consists of four tabs, each focused on the attributes of the four
different levels of visibility: Adapter, Hosts, Users, and Applications.

The Adapter tab allows you to select the attributes that will be filtered on and specify the values desired for
those attributes. In some cases, when the options are finite, you can select the values from drop-down list. In
other cases, you will type the values into the fields. When you type in the values, you can also use the
wildcard and other options that were available in the quick filter. All selected attributes are logically ANDed
together.

FortiNAC 8.5 Study Guide 162

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Configuring the host filter options works the same way as the adapter options did. Attributes with finite options
have drop-down selections and the other attributes require manual configuration. When values are entered
manually, the wildcard and other options that were available in the quick filter are also available here. All
selected attributes are logically ANDed together.

A simple, yet useful, function shown on this slide is the ability to create a filter to return a specific type of
device, in this case, a camera. This capability allows you to create quick and easy real-time inventory reports
based on device type. As you can see in the Status section, you can customize the reports to display the total
number of cameras or just online or offline cameras.

FortiNAC 8.5 Study Guide 163

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The filter attribute options on the User tab are specific to user record attributes, often information
synchronized from LDAP.

FortiNAC 8.5 Study Guide 164

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The Application tab stays consistent with all the other tabs in the way that it functions. There are no drop-
down options, so you must type in each value.

FortiNAC 8.5 Study Guide 165

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The User View is the first of the four visibility views you will learn about in this lesson. Notice the filter is
located in the upper right of the view. You can use the User View to add, delete, modify, locate, and manage
users on your network. Users include network users, guest or contractor users, and administrative users.
Administrative users can also be managed from the Admin Users View. Administrative users may also be
network users; therefore, they are included in the User View with a slightly different icon, a person wearing a
red jacket. The normal network users are represented with almost the same icon, except with a blue jacket.
Guest users are represented with a small notepad and pencil icon, and contractors are represented with a
briefcase. Regardless of the icon used to represent a user, the first column lets you expand the user record to
display all hosts currently registered to the user, or currently logged onto by the user. A registered designation
indicates ownership of that device to that user, typically BYOD devices. A designation of logged-on
demonstrates user tracking.

If you hover over an icon in the Status column, a pop-up window opens displaying details about that user.
You can pin these pop-up windows, and have more than one open at a time. The remaining columns are
configurable by the administrative user, and can include any of the available user properties. Any displayed
users can be exported in CSV, EXCEL, RTF, or PDF format.

The Options button provides access to the right-click menu for selected users. You can use the remaining
buttons–Add, Modify, Delete, and Disable–to manage user records.

FortiNAC 8.5 Study Guide 166

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

This slide shows an example of an individual user record. You can expand any user record to display any
hosts that are associated with that user. Information specific to each host is displayed to the right of the host.
Under the Actions header, there are a set of icons that you can use to perform an immediate action.

The icons, in the order they appear from left-to-right, are: disable host, view or edit host properties, view or
edit group memberships, force the host to be scanned for compliance (requires FortiNAC agent), send a pop-
up message (requires a persistent agent installed on the host), delete host from the database (deleted hosts
identified as rogue the next time they are on network unless autoregistration is configured), and got to host.
Clicking the last icon changes the view from User View to the Host View, and that view is prefiltered to
display just the selected host.

FortiNAC 8.5 Study Guide 167

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

You can right-click any column header in the User View to select which columns will be displayed in the view.

You can right-click an individual user to see user properties and all administrative actions that you can take on
that user, such as delete, disable, enable, view or edit group membership, and so on.

You can click any column header to sort on that column.

FortiNAC 8.5 Study Guide 168

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The user properties view provides access to detailed information about a single user. You can update user
information in this view, but, keep in mind, if the original information was populated from an LDAP server, the
updated information that you entered will be overwritten the next time the directory synchronization scheduled
task runs.

You can also configure expiration settings for the user here as well. You can access associated host
properties clicking the adapter's physical address, displayed in the Registered Hosts or Logged In Hosts
tabs.

FortiNAC 8.5 Study Guide 169

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The Host View is laid out in the same way as the User View. The filter tool is located in the upper right
portion of the window, like in the User View. The Host View can be used to add, modify, delete, enable, or
disable hosts. Hosts include virtually all network connected devices not modeled in the topology tree.
Everything from endstations, like laptops and desktops, to mobile devices, like phones and tablets, to service
type systems, like cameras, environmental units, IP phones, and so on, can be found in the Host View. The
systems seen here will be represented with a variety of different icons, even ones administratively created
using the device type editor. Regardless of the icon used to represent a host, the first column lets you expand
the host record to display all adapters currently associated with that host. Remember, there is a hierarchy of
relationships; users own or log on to hosts, and hosts have associated adapters. If you hover over the icon in
the Status column, a pop up window opens, displaying details about that host. You can pin these pop-up
windows and have more than one be open at a time. The remaining columns are configurable by the
administrative user, and can include any of the available host properties. Any displayed hosts can be exported
in CSV, EXCEL, RTF, or PDF format.

Click Option to access the right-click menu for selected hosts. You can use the remaining buttons–Add,
Modify, Delete, Enable, and Disable–to manage host records.

FortiNAC 8.5 Study Guide 170

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

You can expand each host record to display any adapters that are associated with that host. On this slide, you
can see information about each adapter, as well as a set of actions that you can take just by clicking the
appropriate icon.

The icons, listed in order are, disable adapter, view or edit adapter properties, view properties of the port the
adapter is connected to (adapter must be online), and go to adapter. If you click the last icon, the view current
view will change from the host view to the adapter view, and that view will be pre-filtered to display just the
selected adapter.

FortiNAC 8.5 Study Guide 171

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Right-click any column header in the Host view to select which columns are displayed in the view.

Right-click an individual host to access host properties, and all administrative actions that you can take on that
host, such as delete, disable, enable, view or edit group memberships, view health details, initiate a scan, and
so on. You can also move backwards up the hierarchy to any associated user.

Click any column header to sort on that column.

FortiNAC 8.5 Study Guide 172

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The host properties view provides access to detailed information about a single host. You can update host
information in this view, but, keep in mind, if the information was populated from communication with an
agent, the updated information that you entered is overwritten the next time the agent communicates.
Expiration settings for the host can be configured here as well.

Tabs across the bottom of the view provide access to the following information:
• Adapters: Show adapter properties when you click the adapter physical address.
• Passed Tests: Show the details of any successful policy scans
• Notes: A notes field for administrative notes about the host
• Health: Shows all the possible policy and admin scans that could be or have been performed or assigned,
and the results
• Patch Management: Displays information on patches that have been applied to the host by its associated
patch management server, patch manager vendor name, and ID number of the most recently applied patch
• Logged In Users: Displays the user name of any user logged in to this host–user tracking must be
ongoing for this information to be available.

If the host has a persistent agent installed, a Send Message button will be available for sending messages to
the host. The Groups button allows an administrative user to view and modify host group membership. The
Apply button commits any changes, and the Reset button undoes any changes made since the last commit.

FortiNAC 8.5 Study Guide 173

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The Adapter View behaves in the same way as the User View and Host View. The filter tool is located in the
upper-right portion of the window. You can use the Adapter View to enable, disable, or modify adapter
records. Adapters are represented with a network interface card (NIC) icon that is green, if the adapter is
online. The icon is gray, if the adapter is offline.
The host that is associated with this adapter is represented with it’s device type icon in the Host Status
column. Hovering over the icon in the Status column opens a pop-up window that displays details about that
adapter. You can pin these pop-up windows and have more than one open at a time. Remember that there is
a hierarchy of relationships; users own or log on to hosts and hosts have associated adapters, but adapters
don’t have any downstream associations. Because of this, the adapters can’t be expanded as a branch, like
the users and hosts can.

The administrative user can configure the remaining columns and include any of the available adapter
properties. Any displayed adapters can be exported in CSV, EXCEL, PDF, or RTF format. Click Options to
access the right-click menu for the selected adapter.

FortiNAC 8.5 Study Guide 174

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Right-click any column header in the Adapter View to select which columns are displayed in the view.

Right click an adapter to access adapter properties and all administrative actions that can be taken on that
adapter, such as disable, enable, modify, view connected port properties, and so on. You can also move
backwards up the hierarchy and view or modify information on the associated host.

The right-click menu includes the following options that can useful when developing and testing device
profiling rules:
• Create Device Profiling Rule: This option opens the Add Device Profiling Rule window, which is
populated with information known about the device, as well as any known method information—most often
vendor OUI and DHCP fingerprint.
• Run NMAP Scan: FortiNAC runs an NMAP scan against the endpoint and displays the results in a
window. This can help with determining values that can be used with the active method.
• Test Device Profiling Rule: This option allows an administrate user to validate the selected adapter and
its corresponding host against an existing device profiling rule with a Match or Does Not Match result.

Click any column header to sort on that column.

FortiNAC 8.5 Study Guide 175

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The adapter properties view displays detailed information about the selected adapter.
The information displayed includes:
• IP address
• Physical address
• Location
• Media type
• Adapter status
• Description

In the Media Type drop-down list, an administrator can select Wired, Wireless, or Unknown. In the Adaptor
Status field, the administrator can select Enable or Disable. A description can be typed in the Description
field.

Click Apply to commit any changes and Reset to undo any changes made since the last commit.

FortiNAC 8.5 Study Guide 176

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The Application View is set up a little differently than the other view. One of the most notable differences is
how you add a filter. To add a filter, you start in the upper left of the window and then add one criteria at a
time. The criteria is the information available across the columns. Another difference is that, even if you
remove all hosts that have a particular application from the system, the application will remain in the view until
unless you delete it. This function can be useful when you want to leverage application information in
situations where an existing host with that application is not needed, as part of a security policy, for example.
Each application gets a unique entry, if any portion of it’s details make it unique. So, for example, you may
have the same version of a particular application, but the applications were learned from systems with
different operating systems. This allows for maximum visibility granularity.

Right-click an application to see the following options:

• Show Hosts: Changes the view to the host. View pre-filtered, to display only hosts with the selected
application installed.
• Delete: Remove the selected application or applications from the database.
• Set Threat Override: Allows an administrator to designate a particular application as trusted and safe or
untrusted and dangerous.

The same options are available from the buttons along the bottom of the view.

FortiNAC 8.5 Study Guide 177

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Aging users and hosts from the database can be an important part of database management. Located under
System > Settings, the User/Host Management folder contains a settings page for aging.

Aging values can be set for three different database elements:

• Unregistered Hosts: These settings apply to unknown end points, also called rogues
• Registered Hosts: These settings apply to registered or known endpoints
• Users: These settings apply to users
When you apply aging to users, you can remove all hosts that are registered to an expiring user with the user.

The settings for each user are:

• Days Valid: Number of days a record remains in the FortiNAC database before it is deleted
• Days Inactive: Number of days a user or host can be inactive before the record is deleted from the
database

FortiNAC 8.5 Study Guide 178

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The same aging settings can be configured on a group-by-group basis. Right click a host or user group to
select the Set Aging option. Aging set at a group level overrides the global settings for all members of that
group.

FortiNAC 8.5 Study Guide 179

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Like the Aging window, the MAC Address Exclusion window located under System > Settings, in the
User/Host Management folder. You can create a list of MAC addresses that will be ignored when they
connect to the network. If a device or host with one of the designated MAC addresses connects to the
network, FortiNAC ignores the connection and allows the host or device onto the production network.
An event, "Found Ignored MAC Address", is generated each time a host or device connects with a MAC
address in this list. You can create an alarm for the event, with email notification to alert administrators. The
event can also be disabled, if notification is unnecessary.

Default settings:
By default, the Exclude Microsoft LLTD Addresses and Exclude Multicast MAC Addresses options are
selected and Microsoft LLTD and multicast MAC addresses are ignored indefinitely. When a MAC address
that falls within either the Microsoft LLTD or multicast address range connects, FortiNAC does the following:
• Creates a "Found Microsoft LLTD or Multicast Address" event and an alarm alerting the administrator that
FortiNAC has seen a Microsoft LLTD or multicast address on the network for the first time. This critical alarm
warns administrators that if these addresses should continue to be ignored, they must configure the MAC
Address Exclusions list or the MAC addresses will be treated as rogues.
• Sets a timer that expires in 48 hours.
• While that timer is active, continues to ignore Microsoft LLTD and multicast MAC addresses. Events and
alarms continue to be created for each connection from one of these MAC addresses. If the administrator has
not configured the MAC Address Exclusions list, when the 48-hour timer expires, FortiNAC no longer ignores
Microsoft LLTD and multicast MAC addresses. FortiNAC creates rogues for each MAC address that connects,
just as it would any other MAC address.

FortiNAC 8.5 Study Guide 180

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 181

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Good job! You now understand user and endpoint visibility and the administrative views dedicated to that
visibility and the management of those users and endpoints.

Now, you will learn about the different logging and reports views available on FortiNAC.

FortiNAC 8.5 Study Guide 182

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.
By demonstrating competence viewing, using, and understanding logs, you will be able to use logs to better
understand and solve issues in your network.

FortiNAC 8.5 Study Guide 183

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The ability to track changes made to a system by administrative users can be vital.
The admin auditing log, located under the Logs menu, tracks all changes made to an item in the system.
Users with admin auditing permissions will see a change in the admin auditing log whenever data is added,
modified, or deleted. Users can see what was changed, when the change was made, and who made the
change. Changes can be filtered by the name of the item that was changed, the action taken, the date when
the change occurred, the user ID for the user who made the change, and the type of item that was changed.

Changes made through the CLI are also tracked in the admin auditing log; however, the user ID for the user
who made the change will appears as CLI Tool.

FortiNAC 8.5 Study Guide 184

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

In addition to the admin auditing view located under the Logs menu, administrative users, with the appropriate
permissions, can access admin auditing information directly from elements within the UI.

By right clicking a supported element type, such as groups, alarms and events, topology view components,
users, hosts, adapters, device profiling rules, and security policies, the admin user can view a pre-filtered
admin auditing log displaying changes made to only that particular element. This tool quickly identifies who
made a change and when.

FortiNAC 8.5 Study Guide 185

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The Connections View, located under the Logs menu, displays the contents of the connection log. The
connection log contains a list of historical host and user connections to the network. Each time a host or user
comes online, a connection record is started. When that host or user goes offline, the connection record is
completed. The information contained in the log includes date and time of the connection and disconnection,
the user ID (available with user tracking), the owner ID (BYOD devices), hostname, physical address, and
MAC address. The filter tool allows for specific searches based on any of the displayed criteria, providing the
information is centered around who, what, where, and when. For example, you can quickly determine what
host had a particular IP address at a particular date and time, and where that host was connected. Connection
data that is older than the defined database archive age time is removed from the database (and
subsequently, the view), and stored to file each time the Purge Events task runs.

FortiNAC 8.5 Study Guide 186

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The Events View is located under the Log menu and displays the contents of the events log. The events log
is an audit trail of significant network and FortiNAC incidents. Events are logged when they are enabled in the
Events Management View. These events can provide important details to an administrator about the
FortiNAC device, or the environment it’s deployed in. There are over 400 events that can be generated on
current FortiNAC servers. Event information includes the date and time the event was generated; the element,
such as the host, device or user that caused the event to be generated; and the specific event message.
Notes can be added to any event by an administrative user, and events can be exported.

There is a filter tool in the upper left of the event log to assist in quickly locating logged events.

FortiNAC 8.5 Study Guide 187

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The Event Management View is accessed from the Logs menu. Event management allows you to specify
which of the over 400 available events to generate, and whether to log the event records on another server, in
addition to the local appliance.

Click Options to set the logging designation for a selected event, and access the following options:
• Disable Logging: The event will not be generated.
• Log Internal: The event will be logged only to the FortiNAC event view.
• Log External: The event will be logged to external systems defined on the Log Receivers settings page.
• Log Internal and External: The event will be logged in both the FortiNAC event view and the designated
external systems.

You can limit the number of events generated by selecting a group for each event. Event messages are
created only when the event is generated by an element within the specified group. This feature is commonly
used to locate missing assets. For example, the Host Connected event could be configured to generate only
when the connecting host is a member of a specific host group, such as a group called Missing Assets. The
event will include the point of connection for the host.

FortiNAC 8.5 Study Guide 188

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Specify threshold values for self-monitoring events by clicking Event Thresholds. The different types of
thresholds are displayed on these three tabs:
• License: This tab displays warning and critical threshold values for the current license usage thresholds.
• Hardware: This tab displays warning and critical threshold values for hardware-specific parameters, such
as hard disk usage and memory usage.
• Software: This tab displays warning and critical threshold values for software-specific parameters, such as
specific process thread counts or memory usage.

These thresholds affect the Performance Summary Panel on the Dashboard. You can edit them here or
from the Performance Summary Panel. Some events are generated frequently and may not be necessary
for day-to-day operations. Review the list of events and determine which ones to enable to provide you with
the most useful feedback.

FortiNAC 8.5 Study Guide 189

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The Alarms View, located under the Logs menu, is used to view and manage the contents of the alarm log,
which is a list of all current alarms. Alarms are generated as a result of an event being generated, so every
alarm that is generated has a trigger event that was mapped to generate the alarm. You will learn more about
how these events are mapped, in this lesson. The alarm view can display the following information about an
alarm:
• Severity: Indicates how serious the alarm is. Severity levels include: critical, minor, warning, and
informational.
• Date: The date and time the alarm was generated
• Alarm: The alarm by name
• Element: The device, admin user, server, or process that triggered the event that generated the alarm
• Trigger Rule: The rule that determines the conditions under which an alarm is triggered based on an
event. The options are: One Event to One Alarm, All Events to One Alarm, Event Frequency, and
Event Lifetime. These options are detailed on the Alarm Mappings slide.
• Acknowledge Date: The date and time an alarm was acknowledged, if an administrator has chosen to
acknowledge the alarm.

Alarms can be removed from the log in two ways:

• Manually: When an administrative user selects an alarm and clears it using the right-click menu or the
button on the bottom of the view.
• Automatically: When the clear event defined in alarm mapping occurs.

FortiNAC 8.5 Study Guide 190

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Mapping events to alarms is the process of configuring an alarm to be generated when a particular event is
generated and the trigger rule is satisfied. If an event is mapped to an alarm, the alarm notification system and
other automated actions can be triggered. Some events are mapped to alarms by default. Events are mapped
to alarms from the Event to Alarm Mappings view found under the Logs menu. The view will display all
current event to alarm mappings and give the ability to add new mappings, modify existing mappings, or
delete existing mappings. Click Enable or Disable to quickly enable or disable a mapping. You can use the
Options button to access the same capabilities, as well as logging options. To add a new event to alarm
mapping, click Add. The Add Event to Alarm Mapping window will open. On the Add Event to Alarm
window, select Enable to enable mapping. The Trigger Event drop-down list contains all 400+ available
events seen in the event management window. The Alarm to Assert field contains the name automatically
assigned by FortiNAC. In the Severity drop-down list, select the alarm severity: Informational, Minor,
Warning, or Critical. The Clear on Event option instructs FortiNAC to auto clear an existing alarm if a
specific event occurs on the same element. The Send Alarm to External Log Hosts option works like the
event option for logging externally. The Send Alarm to Custom Script option executes a selected command
line script, such as a perl script, and passes the alarm information as an argument to the script. A script must
be located in the /home/cm/scripts directory to be available in this drop-down list. The Apply To option
works the same way as the Filter by Group option on the Event Management window. The alarm will be
generated only if the element responsible for it’s generation is a member of a selected group or has been
selected individually.

FortiNAC 8.5 Study Guide 191

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Use the options in the Notify User drop-down list to configure the alarm details that are sent, select whether
they are send by email or text, and select the administrator group that they are sent to.
The Trigger Rule drop-down list contains the following options:
• One Event to One Alarm: A unique alarm is generated on every occurrence of the event.
• All Events to One Alarm: An alarm is generated the first time the event occurs.
• Event Frequency: An alarm occurs only if the trigger event is generated a specified number of times
within a specified time frame.
• Event Lifetime: An alarm is generated when a trigger event is generated and no clear event is generated
within a user-specified period of time.

Select Action to allow automated actions to run when the selected alarm is generated. The action options
vary depending on the trigger event, but can include host state actions, CLI script actions, notification actions,
port state actions, and so on.

FortiNAC 8.5 Study Guide 192

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Sending event information, or alarm information, or both to an external system, such as a syslog server or
SIEM, is a valuable capability. The configuration settings page for these external systems, called log
receivers, is located under System > Settings in the System Communication folder on left side of the view.

To configure a new log receiver, define the following settings:

Type: The format the message should be sent in. Supported formats in the drop-down list are: Syslog CSV,
Syslog CEF, SNMP Trap, and FortiAnalyzer.
IP Address: The IP address of the server that will receive event and alarm messages.
Port: The connection port on the server. For syslog CSV and syslog CEF servers, the default is port 514. For
SNMP trap servers, the default is 162.
Facility (for syslog options): The syslog facility. The default value is Authorization.
Security String (for SNMP trap and FortiAnalyzer): The security string sent with the event and alarm
messages.

FortiNAC 8.5 Study Guide 193

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

The Reports branch groups together settings for reports that are generated directly from the FortiNAC
database.
The settings in the Local Reporting window configure the default record limits for the local reporting tool. The
local reporting options are focused around the number of records to be displayed for report previews, or
reports scheduled to run and how long generated reports should be kept on the system.

FortiNAC 8.5 Study Guide 194

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Local report generation can be done using a default template or a custom template.
The template report options are:
• Guest Registrations: This report provides you with a list of guest accounts created between the specified
dates.
• Registrations: This report provides you with the number of host registrations by operating systems,
between the specified dates.
• Scan Results: This report provides success and failure rates for each scan in your database. Data is
broken out by operating system.
The templet reports are simple, fast, and high level, while the custom reports allow for more specific data
selection and presentation.

The custom report options are:

• Registrations
• Registration Failures: This report provides failed attempts at registration and login errors, displayed
based on the selected criteria.
• Scan Results
• Connection Logs: This report provides host connections usage information, displayed based on the
selected criteria.
The custom reports allow for the modification of included and displayed content.

Reports can be scheduled and automatically exported in HTML, CSV, EXCEL, XML, RTF, or PDF format. The
exported report can be automatically attached to an email and sent to all members of a designated
administrator group.

The Archives tab provides access to past reports.

FortiNAC 8.5 Study Guide 195

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Presented here is a simple example of customer report generation. The report type is selected from the
available options. In this example, a connections log report is being created. The report is given a name and
export format. Next, a set of columns is selected to present the desired output information. The output
information can then be further defined by filtering based on host information, device information, or
connection time. In this example, the desired results are filtered to an individual physical address over the
course of two days. The report output will display the filtered results.

FortiNAC 8.5 Study Guide 196

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 197

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

Congratulations! You’ve completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiNAC 8.5 Study Guide 198

 Visibility, Logging, and Reports

DO NOT REPRINT
© FORTINET

This slide lists the objectives that you covered in this lesson. By mastering the objectives covered in this
lesson, you learned how to access and manage user and endpoint information quickly and efficiently.

FortiNAC 8.5 Study Guide 199

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about FortiNAC logical networks, how to integrate FortiNAC in to the Security
Fabric for dynamic access control, and how to create and configure firewall tags.

FortiNAC 8.5 Study Guide 200

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiNAC 8.5 Study Guide 201

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiNAC logical networks, you will be able to explain what a logical network
is, describe how logical networks are used, and create and define logical networks.

FortiNAC 8.5 Study Guide 202

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

On FortiNAC, logical networks are representations of network configurations. Logical networks can represent
different physical configurations for different infrastructure devices.

Logical networks are used to apply network access policies. Logical networks also translate logical access
values to the physical values of infrastructure devices, decoupling policies from network configurations.

FortiNAC then uses the decoupled configuration values to provision the appropriate network access.
One logical network can represent <N> physical network segments; thereby simplifying the configuration of
network access policies.

Device-specific configurations for network infrastructure devices are performed on the device, or sets of
devices, that associate the configuration values with the devices. This simplifies network access policy
management by reducing the number of policies.

Logical networks allow network access policy support in the Network Control Manager, enabling global
administration in distributed environments.

FortiNAC 8.5 Study Guide 203

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

This slide shows an example of how logical networks can be used.

In the example, six network access policies have been developed to support the required endpoint-based
segmentation on five infrastructure devices.

As you can see, a device identified as a camera, and assigned to the logical network Camera is provisioned
to VLAN 80, if it connects to Switch-1; is provisioned to VLAN 81, if it connects to Switch-2; and so on. The
values designated in the AP-1 column are access values that may be vendor specific, depending on the
vendor of the wireless access point (AP) or controller. These values could also be VLAN names, groups,
roles, interfaces names, and so on.

The Firewall column could represent a firewall tag that would result in the camera matching a specific firewall
policy.

You can use logical networks to greatly decrease the number of network access policies, resulting in
simplified policy creation and management.

These same network access policies work for environments that have tens, hundreds, or even more
infrastructure devices.

FortiNAC 8.5 Study Guide 204

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

You can view existing logical networks by navigating to the topology view, selecting the root container in the
topology tree, and then selecting the Logical Networks tab. On this tab you can create, modify, or delete
logical networks.

Click Add to create a new logical network and assign a name. The name must be unique to the logical
network you are creating. Optionally, you can add a description to the logical network to help clarify its
purpose or use.

After you create the logical network, it appears within the model configuration of each infrastructure device
that is modeled in the topology tree.

FortiNAC 8.5 Study Guide 205

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

Logical networks appear in device Model Configuration views. Note that four default logical networks pre-
exist in each device model configuration. These logical networks—registration, quarantine, dead end, and
authentication—are used for endpoint isolation, based on that endpoint’s state or status. You can also apply
all logical network configurations across any number of selected devices with a single configuration. You will
learn more about this capability, as well as the use of the default logical networks, in another lesson.

Depending on the vendor and model of the infrastructure device, you may be able to identify a logical network
value as is Alias. Making this designation allows FortiNAC to leverage VLAN names for that logical network.
For example, if an organization has more than one guest network across multiple facilities, guests can be
provisioned on the appropriate VLAN by name, as long as the name is consistent at each facility.

FortiNAC 8.5 Study Guide 206

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

You can define logical networks on a device-by-device basis within each device model configuration. The
assigned access values can be VLAN IDs, which is almost always the case for wired infrastructure devices, or
a vendor-specific value, which is often the case when configuring wireless APs or controllers. On specific
model types, user-created logical networks can contain an alias value.

FortiNAC will provision any device that a network access policy defines as a card reader, to VLAN 645, when
that device connects to a port on Switch-1.

The decoupling of the access value from the network access policy, provides you with the flexibility to
provision the network access desired for a specific type of endpoint, across any number of locations, within a
single policy.

FortiNAC 8.5 Study Guide 207

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 208

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

Good job! You now understand FortiNAC logical networks.

Now, you will learn about FortiNAC Security Fabric integration.

FortiNAC 8.5 Study Guide 209

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding FortiNAC fabric integration and how locally assigned group
and tag information is passed to FortiGate devices, you will be able to fully leverage FortiNAC’s capabilities as
a fabric connector.

FortiNAC 8.5 Study Guide 210

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

The FortiNAC fabric connector on FortiGate enables FortNAC to communicate directly with FortiGate and
FortiGate to communicate directly with FortiNAC.

Fabric connector integration is the key to enabling FortiNAC to automatically associate tags to devices and
hosts, and pass those tags to FortiGate, so that FortiGate can enforce firewall policies using FSSO groups,
enabling intent-based segmentation.

When FortiNAC is configured as an (FSSO) agent fabric connector, you can transfer FortiNAC firewall
tags and group names to one or more FortiGate devices.

FortiNAC 8.5 Study Guide 211

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

Once transferred to FortiGate, the group names and firewall tags are listed as FSSO groups sourced from
FortiNAC. You can then use these groups to define members of local FortiGate FSSO groups.

FortiNAC sends automatic updates about group membership to the FortiGate devices when any of the
following occur:
• An endpoint connects or disconnects from the network.
• A host type or status changes, such as unknown or untrusted to known or trusted.
• There is an ownership change, such as BYOD, guest, staff, type of employee such as accounting,
engineering, student, and so on.
• The health status of an endpoint changes, such as compliant to non-compliant.
• A user change, such as the owner or logged on user.
• The IP address of a host changes.

Other situations that can define which FortiGate devices are updated include the following:

• If a device or host is directly connected to a FortiGate port then the FSSO message is only sent to that
FortiGate.

• Upon startup, FortiNAC collects all configured interface IPs and IP scopes defined on all modeled
FortiGate devices. FortiNAC uses that list of IPs or network scopes to identify which FortiGate devices to
update, based on an endpoint’s IP.

This tight integration allows FortiNAC to manage device connections from Layer 1 to Layer 3, while FortiGate
applies granular segmentation at Layer 3 to Layer 7, resulting in the ability to dynamically manage from the
core to the edge.

FortiNAC 8.5 Study Guide 212

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

To create the security fabric integration, you must configure the FSSO communication settings on FortiNAC.
You can do this by clicking System > Settings > System Communication > Fortinet FSSO Settings.

The configuration port defaults to 8000, but you can change that value. You can define a subnet to limit the
FortiGate devices that FortiNAC will update. The password that you set here must be the same password
that you used when defining the FortiNAC as an FSSO agent.

FortiNAC 8.5 Study Guide 213

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

FortiNAC is added as a fabric connector on FortiGate as an FSSO agent. This configuration requires the IP
address of FortiNAC as well as the password that you configured on FortiNAC on the Fortinet FSSO
Settings page. In the Collector Agent AD access mode field, select Standard. After you apply the settings,
FortiNAC appears as an Active Directory connector (DC Agent).

FortiNAC 8.5 Study Guide 214

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

When you apply and refresh the integration to register FortiGate with FortiNAC, all the existing user names,
host group names, and firewall tags are brought in. These items are shown in the Collector Agent Group
Filters list. FortiGate must be registered with FortiNAC in this way in order for FortiGate to receive updates
from FortiNAC.

FortiNAC 8.5 Study Guide 215

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

You can map FortiNAC group filters to FortiGate FSSO user groups as a way of defining membership for that
group. Because FortiNAC will be dynamically adding and removing hosts or users from these groups as
defined by FortiNAC security policies, group memberships, or host statuses, these groups will become
dynamic.

FortiNAC 8.5 Study Guide 216

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

You can use the FSSO groups in IPv4 policies on FortiGate. Because FSSO groups are being dynamically
updated by FortiNAC, dynamic firewall enforcement is possible. FortiGate can then manage endpoints at
Layers 3 to 7. In another lesson, you will learn how FortiNAC can instantly update groups or tags based on
security information passed to FortiNAC from almost any security solution. The security policies on FortiNAC
can manage hosts at Layers 1 to 3. The tight integration between FortiNAC and FortiGate, as well as
FortiNAC’s ability to receive alert information from almost any security device, creates a dynamic solution that
can quickly mitigate threats by leveraging control at Layers 1 to 7.

FortiNAC 8.5 Study Guide 217

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 218

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

Good job! You now understand FortiNAC Security Fabric integration.

Now, you will learn about FortiNAC firewall tags.

FortiNAC 8.5 Study Guide 219

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in firewall tags, you will be able to create firewall tags and assign them within a
network access configuration.

FortiNAC 8.5 Study Guide 220

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

A firewall tag is a value created by an administrator that is used to identify hosts or devices. FortiNAC
dynamically assigns firewall tags to hosts or devices based on a security policy or logical network. For
example, you could apply a firewall tag to any device that is identified by a device profiling rule, resulting in
printer tags, card reader tags, environmental unit tags, and so on. Firewall tags can also be applied as the
result of a security alert received by FortiNAC from a security device, or because a host or device became a
member of a specific group.

Firewall tags are passed to FortiGate for dynamic FSSO group membership updates.

FortiNAC 8.5 Study Guide 221

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

This slide shows how a firewall tag can be assigned based on a network access configuration. Network
access configurations are applied based on user/host profiles. So, any host or device that matches the
user/host profile associated with a particular network access configuration will have all the firewall tags
defined in the configuration applied.

In the example shown on this slide, any device that has the Printer Access Configuration applied will have
the Printer-Tag firewall tag assigned to it. This information will be passed to FortiGate, if the Security Fabric
configurations have been completed, for possible policy enforcement at the firewall.

FortiNAC 8.5 Study Guide 222

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

You can assign firewall tags through logical networks defined on FortiGate model configurations. In the
example shown on this slide the logical network Printers will be used to provides access for any device
classified as a printer. You can then configure the Printers logical network to assign the Printer-Tag at the
FortiGate model configuration.

FortiNAC 8.5 Study Guide 223

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

This slide shows a firewall tag being associated with a logical network in the FortiGate model configurations.
Continuing the printer example from the previous slide, the firewall tag could define the connected printer as a
member of a FortiGate FSSO group, and IPv4 policies could then enforce any necessary access
requirements.

FortiNAC 8.5 Study Guide 224

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 225

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiNAC 8.5 Study Guide 226

 Logical Networks, Security Fabric, and Firewall Tags

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to integrate FortiNAC into the Security
Fabric for dynamic access control, and how to create and configure firewall tags.

FortiNAC 8.5 Study Guide 227

 State-Based Control

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about state-based endpoint control. This includes how FortiNAC uses its live
inventory of network-connected endpoints in conjunction with its ability to manage the infrastructure at the
point of connection for automated access control and isolation, as well as the different network side
configurations for deployment.

FortiNAC 8.5 Study Guide 228

 State-Based Control

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiNAC 8.5 Study Guide 229

 State-Based Control

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By understanding the concepts of access control and the way in which it is enforced, you will be able to
competently apply endpoint enforcement in your environment.

FortiNAC 8.5 Study Guide 230

 State-Based Control

DO NOT REPRINT
© FORTINET

Enforcement of access control is the provisioning of network access by dynamically leveraging the network
infrastructure to secure and segment endpoints appropriately. Access is provisioned based on the point of
connection, and the host state in the FortiNAC database. The point of connection is a location parameter
defined by a port group in the case of wired ports, or within a controller, AP, or SSID for wireless devices.

In its most basic form, often referred to as “Friend or Foe”, the FortiNAC policy engine is used to determine if
a host connecting at a particular location should be allowed access to a production network, or if it should be
isolated to a captive network. The state of the host determines the captive network a host is isolated to.

FortiNAC 8.5 Study Guide 231

 State-Based Control

DO NOT REPRINT
© FORTINET

There are two situations when FortiNAC will configure network access for a host:
• Enforcement based on a host state
• Application of a network access policy

This lesson covers only enforcement based on state. As the name implies, the decision to enforce is based on
the host’s state in the FortiNAC database. Abnormal host state examples include: Rogue, At-Risk, Not
Authenticated, and Disabled. A host state is assigned by FortiNAC and is a database attribute.
Each of these states is defined as follows:
• A state of Rogue is assigned if the device is not classified in the FortiNAC database. It could be anything—
a printer, a card reader, an end station, and so on. Rogue devices are represented with an icon depicting a
laptop with a question mark on the screen.
• A state of At-Risk indicates the host has failed a scan. This could be a policy compliance scan or an
administrative scan. At-risk hosts are represented with an icon of a laptop with a red cross on the upper-
right corner of the laptop screen.
• A state of Disabled indicates that the host has been administratively disabled within FortiNAC. This could
be done manually by an administrative user, or as the result of an automated action. A disabled host is
represented with an icon depicting a laptop with an X over it.
• A state of Not Authenticated indicates that no user record is currently associated as logged in to that
host. User tracking with agents is one way to gather information about currently logged on users. A not
authenticated host is represented with an icon depicting a laptop with a red A in a circle on the upper-left
corner of the laptop screen.

Network access policies are enforced when a user or host matches a policy. State-based enforcement takes
precedence over policy-based provisioning. Policies are created by the administrator and will be discussed in
a separate lesson.

FortiNAC 8.5 Study Guide 232

 State-Based Control

DO NOT REPRINT
© FORTINET

Isolation networks are used to enforce access based on the state of a host. Each isolation network uses a
captive portal web page to inform and assist the end user. In wired environments, these isolation networks are
defined as VLAN IDs. In wireless environments, how they are defined may vary from vendor to vendor. The
isolation network values used will depend on how traffic is segmented by that vendor. For example, Fortinet
wireless access would be defined using a VLAN name, while Aruba would use a role value. Note that host
state alone does not cause isolation. Isolation occurs only if the host point of connection is configured for
enforcement for the current host state.

Registration is the process of on-boarding a host. This process will convert a host from being a rogue to being
classified. The registration process, when carried out as an on-boarding exercise, takes place in the
registration isolation network. The portal page is configured to provide on-boarding options.

The Quarantine isolation network is where hosts with an at-risk state are isolated. Remediation is the process
of an at-risk host resolving the issues that caused it to be marked as at-risk. The portal page is configured to
provide remediation steps to assist the user in clearing the at-risk state.

The Dead End isolation network is where hosts that have been designated as disabled are moved. There is
normally no external exit from the Dead End network. The Dead End portal page is configured to inform the
end user that they have been denied access to the network.

The Authentication captive network is where hosts that have no logged in user are isolated. The
authentication portal is configured to provide end-user authentication.

FortiNAC 8.5 Study Guide 233

 State-Based Control

DO NOT REPRINT
© FORTINET

The Isolation network is a special network that will handle hosts of any of the abnormal states. This means
hosts of different states can all be isolated to a single network but continue to get customized captive portal
pages based on their state.

The Shared Media network is another special purpose semi-captive network. Within this network, all hosts are
designated as being in one of two groups: hosts that are in any state other than normal, and hosts that are in
the normal state. For hosts that are in an abnormal state, this network works like the isolation network, with
each host getting the appropriate captive portal for its state. Hosts that are trusted will be granted production
access. This special network allows for access control to be extended to non-managed points of connection,
such as unsupported or non-manageable switches or access points.

FortiNAC 8.5 Study Guide 234

 State-Based Control

DO NOT REPRINT
© FORTINET

The logic used by FortiNAC when making the decision to isolate a host is summarized on this slide.
When an endpoint connects to the network, FortiNAC looks it up in the database to determine its state. If the
host does not exist in the database, and it does not match any enabled device profiling rules, it will be added
and assigned the state of rogue. FortiNAC uses the first column as the column to key on, starting at the top
and working down. For example, if a host with a state of rogue connected to the network, FortiNAC would use
the third row down to determine if isolation is necessary. Once the appropriate row has been identified,
FortiNAC then reads to the right, applying AND logic between the first and second columns. If column one and
column two, in the same row, are both true, then the host will be moved to the captive network shown in
column three. On the GUI, the host will be represented with the icon in column four.

For example, if a host with the state of rogue connects to a port in the Forced Registration port group,
FortiNAC will isolate that host by moving it into the registration captive network. The top four rows all function
in the same way, with the slight exception of the first row, where the location parameter is defined by a device
group, not a port group.

The bottom three rows consist of two special captive networks discussed earlier, and a row where hosts with
a state of normal are provisioned.

FortiNAC 8.5 Study Guide 235

 State-Based Control

DO NOT REPRINT
© FORTINET

A determining factor for when an endpoint is isolated because of its state, is the point of connection to the
network. You define this component using System Groups.

The example on this slide shows five user-created groups. The first four of these groups are defining a
geographic location, broken down to a desired level of granularity. There are three port groups representing
the first, second, and third floors of Building 1. These groups have port models added as members, and have
been nested within a fourth group called Building 1. These groups were created in this way to enforce
registration and remediation on a floor-by-floor level or at the building level.

The fifth user-created group is named Conference Room Ports. This is a grouping based on functionality.
These groups, organized as they are, do not enforce any type of control, they only organize the port elements.
Enforcement is enabled when you add these groups to the appropriate System Groups.

For example, the Building 1 group is added to the Forced Registration system group. Then the second and
third floor ports are added to the Forced Remediation system group.

The result of this process is as follows:

Unknown or rogue endpoints that connect to any port in Building 1, which is any port in any of the three floor
groups, will be isolated to the registration captive network. A host that has failed a policy or administrative
scan, and has had its host state changed to at-risk, would be isolated to the quarantine captive network if it
connected to any port in the second or third-floor port groups. Any other host state would result in the host
being granted default network access. A change in the point of connection could also change the provisioned
access. For example, a rogue host connecting to a Conference Room Port it would be granted default access.
An at-risk host connecting to a Conference Room Port or a first-floor port would also be granted default
access. Those examples assume that the ports within the Conference Room Ports group are not also
members of any other group. The logic that applies to these results was shown on the previous slide in the
logic table.

FortiNAC 8.5 Study Guide 236

 State-Based Control

DO NOT REPRINT
© FORTINET

When hosts have been assigned to a captive network, they will be directed to a captive portal page. The page
presents the user with additional information and/or capabilities, to resolve the non-normal host state. For
example, a rogue host isolated to the registration captive network will be presented, by default, with a
registration page that provides options for onboarding the host. The onboarding process will classify the host.

When a host is isolated on a wired port, FortiNAC will shut down the port causing the host’s link to drop, the
VLAN to change, and the port to be re-enabled. This will result in the host requesting a new IP address, which
begins the captive portal page presentation process. This process is shown on the slide as a timeline going
from left to right.

First, the host gets a new IP address appropriate for the captive network it is in, with a DNS address that is
the FortiNAC captive portal interface.

When the host attempts to resolve a domain by name, FortiNAC, which has been designated as the DNS
server, will respond with its own address, masquerading as the domain the host is attempting to resolve. This
is the result of special root.hint files on FortiNAC.

FortiNAC will then present the appropriate captive portal page to the isolated host.

Note that there are ways to allow specific sites to resolve correctly, which you will explore later in this lesson.

FortiNAC 8.5 Study Guide 237

 State-Based Control

DO NOT REPRINT
© FORTINET

You can customize onboarding options for different types of isolated hosts. Allowing users to transition a
rogue or non-authenticated device to a classified or authenticated device is an important capability of
FortiNAC in many environments.

You can develop separate processes with unique content to support various types of user-driven onboarding
procedures.

For example, a rogue connecting to an enforced point of access is isolated and presented with the appropriate
onboarding portal content. The portal content presented can be customized based on location, time, OS,
and/or user choice criteria, or a combination of any of these.

During the onboarding of a host, the state will change from rogue to normal, and an association will be made
between the host and the user that on-boarded it. The host will then be granted the appropriate access.

This method of onboarding is most often used for BYOD devices, typically those of guests, contractors,
students, and so on.

FortiNAC 8.5 Study Guide 238

 State-Based Control

DO NOT REPRINT
© FORTINET

A useful administrative tool for validating appropriate enforcement is the Control Access Network Summary
view. This view is accessible from the Topology view by right-clicking the root container in the topology tree.

This view summarizes the percentage of devices within each topology container that have some level of
enforcement enabled, and the percentage of ports under enforcement on a device-by-device level.

In the example shown on this slide, Building 4 has enforcement applied on 100% of the devices in that
container. Switch-4, within that container, has 90% of its ports in enforcement system groups, such as Forced
Registration.

This view is used to validate that nothing is left unintentionally unenforced. For example, a new switch could
be modeled in the topology, and the ports accidentally left out of any enforcement group.

An administrative best practice would be to check this view frequently.

FortiNAC 8.5 Study Guide 239

 State-Based Control

DO NOT REPRINT
© FORTINET

You configure certificate management and captive portal security settings on the System tab by clicking
Settings in the Security folder.

The Certificate Management page provides the ability to manage certificates with different encoding
schemes and file formats. The Certificate Management view displays the certificates that are currently
installed on FortiNAC.

FortiNAC 8.5 Study Guide 240

 State-Based Control

DO NOT REPRINT
© FORTINET

The Portal SSL page is used to set the SSL Mode and the Fully-Qualified Host Name of FortiNAC.
The web server listens on both port 80 and port 8443 for web traffic coming into the portal. The SSL Mode
setting determines how the web traffic is directed when reaching the captive portal.

The SSL Mode setting options are:

• Valid SSL Certificate: Directs web traffic from port 80 to port 8443 and presents a certificate authority-
signed Valid SSL Certificate.
• Self-Signed SSL Certificate: Directs traffic from port 80 to port 8443 and presents a Self-Signed SSL
Certificate.
• Disabled: Directs all traffic to port 80 and presents a Self-Signed SSL Certificate.

You must configure the Fully-Qualified Host Name field with the fully qualified hostname of FortiNAC. If the
device or VM is an NCS–NAS pair, the fully qualified hostname you enter should be the host name of the
NAS. This is because it is the application server that communicates with hosts on the isolation networks, and
presents the portal pages.

FortiNAC 8.5 Study Guide 241

 State-Based Control

DO NOT REPRINT
© FORTINET

On the System tab, click Settings to view the Control folder, which groups together configurations related to
access control. On this slide, you will examine the Allowed Domains settings and the Quarantine settings.

The Allowed Domains view specifies the allowed domains and the DNS server or servers that isolated hosts
use when resolving those domains. These settings will grant access to domains other than the isolation
domain while within the isolation network.

Note that, by default, the Dead End isolation network does not allow access to these domains. The
Production DNS IP Address(es) field is where the DNS servers that will be used for DNS lookups of all
allowed domains are listed, comma separated if there are more than one. The Enable Proxy Auto Config
section is for environments that use a proxy server. This populates the wpad.dat file with the information that
allows a host to learn about the proxy server.

The Domains section lists all allowed domains. Any host attempting to perform a DNS lookup for one of the
domains in the list, while in a captive network (other than the Dead End), will have the lookup forwarded to the
DNS server(s) designated in the Production DNS IP Address(es) section, and the results of the query will be
passed back to the host. This allows the host to learn the IP address of the actual domain and not be
redirected to the captive portal.

The Quarantine settings allow the administrator to globally enable or disable quarantine VLAN switching, or
set the risk state of all hosts to safe. Setting the risk state of all hosts to safe can be useful in the event that a
scan profile generates significant numbers of false negatives, which could result in hosts being set to at-risk.

FortiNAC 8.5 Study Guide 242

 State-Based Control

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 243

 State-Based Control

DO NOT REPRINT
© FORTINET

Good job! You now understand how to enforce access control.

Now, you will learn how to configure state-based isolation networks.

FortiNAC 8.5 Study Guide 244

 State-Based Control

DO NOT REPRINT
© FORTINET

After completing this section you should be able to achieve the objectives shown on this slide.

By demonstrating an understanding of how state-based isolation networks function, you will be able to
appropriately plan and use them for network access control.

FortiNAC 8.5 Study Guide 245

 State-Based Control

DO NOT REPRINT
© FORTINET

The FNC-A or FNC-CA uses the Eth 1 interface as the captive portal interface. This is the physical interface
that isolated hosts will be communicating with when state-based provisioning is enforced. In a Layer 2
implementation, the Eth1 port is configured as a VLAN trunk. The tagging for the port will be for each VLAN
used for isolation purposes. For example, if there are registration, quarantine, dead-end, and authentication
captive networks used for state-based isolation, the Eth1 port will handle traffic for any one of those VLANs.

As a result:
The physical interface has a logical interface on each captive portal VLAN.
The logical interface is within the same broadcast domain as any hosts assigned to that VLAN, and the
captive portal interface has an IP address for each separate isolation network subnet.

FortiNAC 8.5 Study Guide 246

 State-Based Control

DO NOT REPRINT
© FORTINET

This slide shows how a Layer 2 implementation is configured on the network. Registration will be the only
isolation VLAN in this example, but it functions the same way for the other isolation VLANs. Note that the
registration VLAN is portrayed by a broken green line.

The registration VLAN in Building 2 is 120. The registration VLAN in Building 3 is also 120. VLAN 120 is a flat
network that spans the entire environment and exists in Building 1. Ethernet 1 on FortiNAC is configured with
a virtual interface on VLAN 120, and has an IP address of 192.168.120.2 with a 24-bit mask.

In the configuration shown on this slide, a host that has been provisioned to isolation VLAN 120 in Building 1,
2, or 3 will be in the same broadcast domain as the FortiNAC interface for that VLAN.

FortiNAC has a DHCP scope defined for VLAN 120, and it should be the only DHCP server available to hosts
on that VLAN. The end result is that any host connected to VLAN 120 should get an IP address assigned by
FortiNAC and a DNS server configuration of the FortiNAC IP for that VLAN, in this example, 192.168.120.2

FortiNAC 8.5 Study Guide 247

 State-Based Control

DO NOT REPRINT
© FORTINET

A Layer 3 implementation differs from a Layer 2 implementation, primarily in the configuration of the isolation
interface and what needs to be configured on the network.

Ethernet 1 is still the captive portal interface on the FNC-A and FNC-CA, just as it was with a Layer 2
implementation, but the configuration of the port is very different.

The interface exists on a single VLAN that is probably not any one of the isolation VLANs.

The isolation interface is probably not within the same broadcast domain as a host assigned to an isolation
VLAN, as it was with a Layer 2 implementation.

The isolation interface has multiple IP addresses within the same subnet. The individual IP addresses are
used when setting up the captive portal configurations during installation. This is the primary difference from a
Layer 2 implementation, as far as the Ethernet 1 configuration goes. Instead of having several VLAN
interfaces with IP addresses in separate subnets, it exists in a single VLAN with several IP addresses
appropriate for that VLAN.

DHCP helper addresses need to be configured on each isolation VLAN so that DHCP requests on those
VLANs are forwarded to Ethernet1.

FortiNAC 8.5 Study Guide 248

 State-Based Control

DO NOT REPRINT
© FORTINET

The example on this slide shows how a Layer 3 implementation functions. Registration is the only isolation
VLAN in this example, but it would work the same for the other isolation VLANs.

Note that there are three different registration VLANs, one for each building in this example.

Building 2 has VLAN Reg2 designated for registration, and a helper address has been configured on that
VLAN to forward DHCP requests back to Ethernet 1 on FortiNAC. VLAN 2 does not exist beyond Building 2,
meaning it is not tagged beyond that building, as it would have been in a Layer 2 implementation.

Building 3 has VLAN Reg3 designated for registration. Just like in Building 2, a helper address has been
defined so DHCP requests get forwarded to, and serviced by FortiNAC. This isolation VLAN exists only in
Building 3.

Building 1 is configured in the same manner, with VLAN Reg1 being designated as the registration VLAN.

The FortiNAC Ethernet 1 is connected to any given VLAN, and has one of its several IP addresses defined as
the helper address on the various registration VLANs.

The DHCP configuration file on FortiNAC will have scopes configured for each of the registration VLANs
defined at each building. FortiNAC will respond with an appropriate IP address, and a DNS server
designation. The DNS server will be one of the Ethernet 1 addresses. In this example, the address returned
would be 192.168.200.10.

FortiNAC 8.5 Study Guide 249

 State-Based Control

DO NOT REPRINT
© FORTINET

Access Point Management is used in environments where control over host VLAN access is not possible,
for example, when hosts are connecting to the network through devices that do not support VLANs, such as
non-intelligent switches or access points. With VLAN-based control, hosts of different states are on different
VLANs, physically separated at Layer 2. Access point management controls hosts through IP address
assignment. In this configuration, all hosts are on the same VLAN, but abnormal state hosts will be presented
with captive portal pages appropriate for their state. FortiNAC provides all DHCP service on the access point
management VLAN and, for non-normal state hosts, it also provides DNS services.

The configurations needed for access point management differ from the other examples shown.

Like the other isolation networks, the interface must be enabled and an IP address and mask configured.
However, because of the way access point management functions, there are two address pools for this
isolation VLAN. The first defines the DHCP scope and DNS server for hosts that have a state of normal.

When a host connects to a port that is on the access point management VLAN, and issues a DHCP request,
FortiNAC consults the list of all normal state hosts, which it maintains within its configuration. If the host is
found in the list, FortiNAC will assign an IP address from the authenticated address pool and assign a
production DNS server. The host will now have access to any site that can be resolved by that DNS server.

The second scope will be created for hosts that have any state other than normal. There is no DNS server
defined for this scope. FortiNAC will automatically assign itself for DNS wildcarding and presentation of the
appropriate isolation pages.

FortiNAC 8.5 Study Guide 250

 State-Based Control

DO NOT REPRINT
© FORTINET

A CLI configuration is a set of commands that are normally issued through the CLI of a device, such as a
switch or router. The CLI Configuration window allows you to create individual sets of commands, name
them, and then reuse them as needed. When a CLI configuration is applied, the commands contained within it
are sent to the designated device. The configurations are created within the CLI Configuration view located
on the Network Devices tab. Use the Add button to create a new configuration. On the CLI Configuration
window you can designate the MAC address format. This is important if the configuration is going to use the
%mac% variable and inject a MAC address as part of a CLI command. You give the configuration a name, and
then, in the Commands to Set field, enter each command just as it would be if you were entering them
directly through the CLI of the device. You can insert variables into the commands and FortiNAC will replace
these variables with the appropriate values, depending on the way in which the CLI configuration is triggered.

There are three ways a CLI configuration can be triggered:

• State-based isolation of a host
• Policy-based access configuration.
• The scheduler tool

The first two triggers can leverage the %port%, %vlan%, %ip%, and %mac% variable options as long as the
selected variables would be known as a result of the trigger.

When using the scheduler tool to trigger a CLI configuration, no variables can be used as part of the
configuration, because a specified date and time does not include any information relatable to the variable
options.

You cannot use the Commands to Undo (optional) field for CLI configurations triggered by a scheduled
task. However, for state-based triggering, the commands in this field are carried out when the host state
changes. For policy-based access configurations, these commands are carried out when the host
disconnects, or when the policy no longer applies.

FortiNAC 8.5 Study Guide 251

 State-Based Control

DO NOT REPRINT
© FORTINET

You can access some global network device settings that apply to several aspects of control on the System
tab by clicking Settings.

The following settings are on the Network Device page:

Registration Delay: The number of seconds FortiNAC waits before switching a host from the registration or
authentication VLANs to a production VLAN. This allows the user time to be redirected to a success page.
The default setting is 5 seconds.

Note that another host connects to the same switch during the Registration Delay time, the switch updates
and the port is switched to the production VLAN without waiting for the delay time to expire.

VLAN Reset Delay (Sec): The number of seconds FortiNAC waits before resetting the VLAN of a port that
has no connected hosts or devices. The port must be a member of the Reset Forced Registration port group
or the Reset Forced Default port group. If the port is a member of both groups, the Reset Forced
Registration group takes precedence. The default setting is 60 seconds.

VLAN Switching Delay (Sec): The number of seconds FortiNAC waits between disabling and re-enabling a
wired port when changing VLANs. The default setting is 8 seconds. If this value is set too low, the host may
have an invalid IP on the new VLAN.

FortiNAC 8.5 Study Guide 252

 State-Based Control

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 253

 State-Based Control

DO NOT REPRINT
© FORTINET

Good job! You now have an understanding of how state-based isolation networks function.

Now, you will learn about model configurations.

FortiNAC 8.5 Study Guide 254

 State-Based Control

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of model configurations, you will be able to appropriately deploy
state-based enforcement.

FortiNAC 8.5 Study Guide 255

 State-Based Control

DO NOT REPRINT
© FORTINET

To set model configurations for a device, locate the desired device in the topology tree and right-click it. The
right-click menu will display a list of options, with configuration settings at the bottom. Clicking Model
Configuration opens the Model Configuration screen for the selected device. The fields available for
configuration will vary, depending on the type of device.

The example on this slide shows most of the possible configuration options. The first two sections, General
and Protocol, should already be configured because this information was entered during the initial modeling
of the device. The VLAN ID section is where the isolation networks are defined for this device. The layout of
this section may vary from device to device. For example, the VLAN display format options may not be
available within all model configurations. If they are not, you must enter the isolation VLAN IDs manually.

The Default setting is a little different, and does not define an isolation VLAN, but instead defines the default
VLAN for each port on this device. Default VLANs are automatically assigned for each port to the VLAN the
port was on when the device was initially modeled. Setting a value for the default VLAN here will override the
initial VLAN delegations for all the ports.

It is important to keep in mind that the isolation VLANs are defined device-by-device, and default VLANs can
be defined at the port or device level.

The Voice section is rarely displayed. If there are voice VLANs defined on this device, and this field appears,
that indicates that FortiNAC cannot automatically determine the data VLAN. Listing the voice VLANs here,
comma separated if there are more than one, will prevent FortiNAC from assigning the voice VLAN as the
default VLAN for any port.

FortiNAC 8.5 Study Guide 256

 State-Based Control

DO NOT REPRINT
© FORTINET

You can apply the FortiNAC CLI configuration capabilities, covered in a previous lesson, during the state-
based isolation of a host. The CLI Configurations section of the model configuration window offers three
options: None, Port Based, and Host Based. Port Based CLI configurations are applied while a port is being
transitioned to an isolation VLAN. The configurations will stay applied while the host is in the isolation VLAN.

Host Based CLI configurations will prevent FortiNAC from making the VLAN change, and instead it will only
apply the CLI configuration. Host-based CLI configurations are designed to dynamically insert or remove ACL
entries, enforcing isolation using ACLs.

FortiNAC 8.5 Study Guide 257

 State-Based Control

DO NOT REPRINT
© FORTINET

Configuring model configuration screens on a device-by-device basis in a large environment would be a time-
consuming and tedious process. To assist with these large deployments there's another option in the right-
click menu called Global Model Configuration. At the top of the Global Model Configuration screen, you
will see all modeled devices that share the same configuration options. You can select one or more of these
devices, and configure the settings at the same time. The settings will then apply to all the selected devices.

In addition, there are two radio buttons: Save all values for selected device models and Save only
changed values for selected device models. These allow you to change values and have only the modified
fields applied to the selected devices. This makes model configuration in large environments quick and easy.

FortiNAC 8.5 Study Guide 258

 State-Based Control

DO NOT REPRINT
© FORTINET

You can access model configuration screens for wireless devices in the same way as wired devices. The
Model Configuration screen contains some of the familiar sections, such as General and Protocol, which
will already be configured because that information was supplied during the initial discovery of the device.

There is also a RADIUS section for setting primary and secondary RADIUS servers. You must configure a
radius secret here as well. The RADIUS secret must be the same as the secret configured on the AP or
controller and the selected RADIUS server(s).

The Network Access section includes a Read Roles button that will trigger FortiNAC to retrieve values used
by the device for network segmentation. These could be VLAN IDs, roles, groups, or interface names. The
value returned will depend upon the vendor of the device.

Enabling enforcement on a wireless device is different than on a wired device. On a wired device, ports are
placed in system port groups to enable enforcement, but wireless hosts don't connect through physical ports,
so enforcement is enabled in the Network Access section of the model configuration. The desired access
enforcement for the different host state options are:
Deny: A host of that state will be denied access through a RADIUS reject.
Bypass: FortiNAC will ignore the host state and allow default or policy-based access.
Enforce: FortiNAC will respond to the wireless AP or controller with the access value indicated in the Access
Value field.

These enforcement configurations, when applied to the AP or controller model, will apply to any SSID
controlled by that device that uses FortiNAC as its RADIUS server.

FortiNAC 8.5 Study Guide 259

 State-Based Control

DO NOT REPRINT
© FORTINET

To allow for a more granular configuration, you can set RADIUS and network access configurations on
individual SSIDs. On the topology view, select the SSIDs tab, and then right-click any SSID. Then select SSID
Configuration.

These enforcement settings will override those configured on the AP or controller model.

As a best practice during deployment, create a test SSID and validate enforcement settings through that SSID
only. Once validated, begin to configure the settings on production SSIDs.

FortiNAC 8.5 Study Guide 260

 State-Based Control

DO NOT REPRINT
© FORTINET

You can set model configurations on a group of user-selected devices on the Devices tab in the Topology
view. Right-clicking after device selection will open the Set Model Configuration window. The Set Model
Configuration window provides a drop-down list for selection of model configuration categories. By default,
the Credentials category is shown. Note that just to the left of the category selection drop-down list, the
number of devices selected is displayed.

FortiNAC 8.5 Study Guide 261

 State-Based Control

DO NOT REPRINT
© FORTINET

You can set model configurations on a single device in the Topology view by right-clicking the device in the
topology tree and selecting Set Model Configuration. This opens the Set Model Configuration window.
The Set Model Configuration window provides a drop-down list where you can select of model configuration
categories. By default, the Credentials category is shown. Note that just to the left of the category selection
drop-down list, a single device is shown as selected.

FortiNAC 8.5 Study Guide 262

 State-Based Control

DO NOT REPRINT
© FORTINET

You can group the available categories in the drop-down list into five different types. These types are:
• Detailed configuration
• Isolated logical networks for wired devices
• Isolated logical networks for wireless devices
• User-created logical networks
• Vendor-specific configurations

You can add any of the available categories to the Set Model Configuration window. Each one that you add
will be displayed as an additional tab, and all settings for that category will be available. Note that settings
configured for devices that do not support them will not be applied. For example, if you selected several
devices, some wired switches, and some wireless APs, and configured both isolation logical networks for
wired devices and isolation logical networks for wireless devices, the isolation logical networks for wired
devices settings would apply only to the wired switches, while the isolation logical networks for wireless
devices would apply only to the APs. This provides the ability to configure all the desired settings across any
number of different devices at one time.

FortiNAC 8.5 Study Guide 263

 State-Based Control

DO NOT REPRINT
© FORTINET

In the detailed configuration, if the Enable Secure Ports option is enabled for ports on this device, you can
designate a secure/static port, which becomes the equivalent of a dead end VLAN. When a host is disabled
either manually or by an alarm action, a message is sent to the device indicating that the MAC address has
been disabled. The MAC address is placed in a list on the device, which indicates it has permission to use
only the port designated as secure or static. If the host connects on any other port it will have no access.

The Wireless AP Container option allows you to designate a Topology view container to be the default
modeling location for APs learned by FortiNAC as a result of modeling a controller.

The Manage Captive Portal option applies to Meru controllers only. If the captive portal setting on any
security profile for any SSID is set to WebAuth, indicating that the SSID is being managed by the internal
captive portal (ICP) on the Meru controller and this check box is selected, all SSIDs set to WebAuth will be
managed by FortiNAC.

The HWC Connection Portal option is for an external captive portal that was configured by the user on the
device during the initial device setup.

The HWC Connection Port is required for FortiNAC to send commands to the device. Consult the
manufacturer for assistance in locating this port number.

The Enable RADIUS option provides the ability to select a backend RADIUS server, and will allow access to
the switch ports to be controlled by RADIUS.

FortiNAC 8.5 Study Guide 264

 State-Based Control

DO NOT REPRINT
© FORTINET

The isolation logical networks for wired devices provides access to all possible settings for a wired isolation
network. All but one of these settings have been covered in the beginning of this section. The setting that has
not been covered, Access Value is an Alias, is only relevant on specific types of devices. This setting allows
the Access Value/VLAN field to be read as a string, and the string is used to match a VLAN by name on the
device. The VLAN is then assigned. If the selected device does not support this function, you should not
select this check box.

Enabling enforcement on a wireless device is different than on a wired device. On a wired device, ports are
placed in system port groups to enable enforcement, but wireless hosts don't connect through physical ports,
so enforcement is enabled in the Network Access section of the model configuration. The desired access
enforcement for the different host state options are:
Deny: A host of that state will be denied access through a RADIUS reject.
Bypass: FortiNAC will ignore the host state and allow default or policy-based access.
Enforce: FortiNAC will respond to the wireless AP or controller with the access value indicated in the Access
Value/VLAN field.

The value entered in the Access Value/VLAN field will depend on the vendor of the wireless controller or AP.

FortiNAC 8.5 Study Guide 265

 State-Based Control

DO NOT REPRINT
© FORTINET

The user-created logical networks category gives access to all the available logical network settings. These
settings allow for specific, granular access control of end points. An Access Value/VLAN can be configured
for Layer 2 provisioning, either by VLAN ID or any defined value, which could be a vendor-specific value or an
alias. As discussed earlier, the Access Value is an Alias setting allows you to use an access value as a
means to identify a VLAN ID by the VLAN name. This is supported only on select devices.

You can use the Send Groups to the Firewall setting to pass group name information to a FortiGate that has
FortiNAC integrated as an FSSO agent. The Selected Groups setting allows you to specify that only specific
groups be sent. Firewall tags can be created and passed as well. The capabilities of these values being
passed to FortiGate were covered in a previous lesson.

The CLI Configuration Type and selected CLI Configuration work in the same way as they did with the
previously discussed model configuration views.

FortiNAC 8.5 Study Guide 266

 State-Based Control

DO NOT REPRINT
© FORTINET

There are three vendor-specific categories that contain settings for a few specific device types. The Vendor
Specific – Router Credentials is where you can configure User Name, Password, Enable Password, and
Session ID information for specific devices that require the additional login information.

The Vendor Specific – Chassis Configuration settings are specific to the Enterasys chassis, which requires
a Chassis IP Address and Chassis Slot Letter information.

The Vendor Specific – Vertical Horizon Secure Ports settings are for configurations specific to Enterasys
Vertical Horizon switch configurations

FortiNAC 8.5 Study Guide 267

 State-Based Control

DO NOT REPRINT
© FORTINET

The Model Configurations tab allows you to configure any supported settings for the selected device in the
topology tree. The settings that you can configure are the same as those accessible from the other
configuration locations.

FortiNAC 8.5 Study Guide 268

 State-Based Control

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 269

 State-Based Control

DO NOT REPRINT
© FORTINET

Good Job! You now understand FortiNAC model configuration settings.

Now, you will learn about FortiNAC host inventory management.

FortiNAC 8.5 Study Guide 270

 State-Based Control

DO NOT REPRINT
© FORTINET

After completing this section you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiNAC host inventory management, you will be able to delegate BYOD
host management end users, allowing them to manage their own devices.

FortiNAC 8.5 Study Guide 271

 State-Based Control

DO NOT REPRINT
© FORTINET

Configure host inventory management through the Portal Configuration view located on the System tab. As
a best practice, create a new portal specifically for host inventory management, by using the drop-down list on
the lower-left portion of the view.

Select Create New Portal Configuration to create a new portal, and give that new portal a name. In this
example, the new portal page is named HostInventory.

Under the Global branch on the Content Editor tab, click the Settings branch. Set the Standard User Login
Type to the appropriate authentication source. Change the Success Page Type to Host Inventory.
Changing the Success Page Type is what changes the purpose of the portal page from an on-boarding only
page to an inventory management page.

FortiNAC 8.5 Study Guide 272

 State-Based Control

DO NOT REPRINT
© FORTINET

Next, under the Host Inventory branch on the Content Editor tab, configure the text and control options you
want available to the user for host management.

The example on this slide shows the controls options, which define the capabilities available to the end user
when they access the inventory page.

FortiNAC 8.5 Study Guide 273

 State-Based Control

DO NOT REPRINT
© FORTINET

You must make the host inventory management page available to end users, typically through an internal web
page.

The example shown on this slide shows a host inventory management screen with buttons for control. The
Register Another Host option allows the user to register additional devices. The Delete button to the right of
each device provides the ability to delete a device that has already been registered. This screen allows the
end user of BYOD devices such as guests, contractors, or students to have complete control over their on-
boarded equipment.

The login screen that you must make available to end users is shown here. The URL of this screen is case-
sensitive, and the portal name must match the name given on the Portal Configuration view, as discussed
on the previous slide.

FortiNAC 8.5 Study Guide 274

 State-Based Control

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 275

 State-Based Control

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiNAC 8.5 Study Guide 276

 State-Based Control

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure FortiNAC to provide dynamic
access control, and how to allow end users to manage their own assets.

FortiNAC 8.5 Study Guide 277

 Security Policies

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about FortiNAC security policies. It is through security policies that FortiNAC
provides customized on-boarding options, simplified security configuration for wireless access, detailed
network access provisioning, endpoint compliance validation, and customizable backend authentication
services.

FortiNAC 8.5 Study Guide 278

 Security Policies

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiNAC 8.5 Study Guide 279

 Security Policies

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By understanding the concepts and necessary configurations of security policies, you will be able to plan,
create, and enforce security policies in your environment.

FortiNAC 8.5 Study Guide 280

 Security Policies

DO NOT REPRINT
© FORTINET

A security policy is composed of two different pieces. The first is the user/host profile, which is the piece that
identifies if a user or host matches a particular policy. The second piece is the configuration, which is the
policy-specific settings applied if the associated user/host profile is matched.

User/host profiles are a set of FortiNAC visibility parameters—the who, what, where, and when information
discussed in the Visibility lesson. These profiles can range from general to very specific, keying upon
individual attributes, and applying AND, OR, and NOT logic.

You can associate five different types configurations with a user/host profile:
• Portal
• Authentication
• Network Access
• Endpoint Compliance
• Supplicant EasyConnect

Hosts and users are continuously evaluated to identify if a user/host profile matches. Whenever FortiNAC
identifies a match, the highest ranked security policy of each type, if any, will be applied.

For example, if a user matches a user/host profile that identifies guest users, and that user/host profile is
associated with a network access configuration, the configuration settings will be applied, provisioning the
access appropriately.

FortiNAC 8.5 Study Guide 281

 Security Policies

DO NOT REPRINT
© FORTINET

You can create user/host profiles on the User/Host Profiles view by selecting the Policy tab, and then
clicking the Policy Configuration option. The resulting view will have a list of tabs on the left side, with the
default tab being the User/Host Profiles tab. Click the Add button to create a new user/host profile. The Add
User/Host Profile window will open.

FortiNAC 8.5 Study Guide 282

 Security Policies

DO NOT REPRINT
© FORTINET

You will need to name the new profile. In the example shown on this slide, the name is Guest – Wired. It is
helpful when creating user/host profiles that will be used for network access policies, to include the type of
access, such as wired or wireless, in the name of the user/host profile.

You can use the Where (Location) field to add location-based parameters. For example, guests could be
provisioned differently in building 1 than in building 2. You can add location components as needed by
selecting them from available port groups. When you add more than one port group, they are logically ORed
together. If you set the location to Any, all locations will match the location requirement.

The Who/What by Group field works in the same way as the location field, except the component groups that
you can add are user or host groups instead of port groups. For example, you could target a user/host policy
to apply to only card readers by selecting a host group created and populated by all card readers.

FortiNAC 8.5 Study Guide 283

 Security Policies

DO NOT REPRINT
© FORTINET

The Who/What by Attribute field works a little differently than the other field options. The Add button to the
right of the field will open the Filter window. This window is the same Filter window used in the user, host,
and adapter visibility views. The filter window has four tabs: Adapter, Host, User, and Application. Each tab
has fields for all available attributes of each category. The logic used within this field depends how the
attributes are designated. If a single attribute is designated, shown on this slide with the first entry in the field,
Host [Security & Access Value: Guest], that requirement will be ORed to any other entries in this field. If
the multiple attributes are designated, shown on this slide with the second entry in the field, Host [Role:
Guest] User [Role: Guest], the entry will be ORed to any other entries, like the first one, but the multiple
attributes within this entry will be ANDed. For example, the Who/What by Attribute field shown on this slide
will match if a host had a Security & Access field set to Guest, OR if the host AND user both had role
attributes of Guest.

You can use the When field to designate days of the week or times of the day. For example, you could have a
particular policy apply from 6:00 AM to 6:00 PM, and have a different policy apply from 6:00 PM to 6:00 AM.

FortiNAC 8.5 Study Guide 284

 Security Policies

DO NOT REPRINT
© FORTINET

Once the FortiNAC policy engine identifies that a user or host matches a user/host profile, it will then apply
any configurations associated with that profile. If a single profile is associated with more than one
configuration of the same type, the highest ranked configuration is applied. Because of this, you should not
assign a single user/host profile to more than a one configuration of each type.

There five different configuration types, and what they consist of is shown on this slide.

A Portal Configuration consists of a captive portal page that will be displayed to users with isolated hosts. This
is most typically a location-based profile. For example, you could create different guest login pages for
Building 1, Building 2, and Building 3. Then, depending upon a host’s point of connection, a customized on-
boarding portal page could be displayed.

An Authentication Configuration defines an authentication source for authenticating or on-boarding users. The
available options are LDAP, RADIUS, Google, Local, and None.

An Endpoint Compliance Configuration defines the required compliance scan criteria and FortiNAC agent
technology to be used for compliance validation.

A Supplicant EasyConnect Configuration results in the creation of a wireless configuration on the endpoint to
access a designated wireless network. The configuration can apply the following security options:
• Open
• WEP (PSK) and WEP Enterprise
• WPA (PSK), WPA Enterprise (PEAP), WPA2 (PSK), and WPA2 Enterprise (PEAP)

A Network Access Configuration will provision the defined VLAN, wireless access value, and/or CLI settings.

FortiNAC 8.5 Study Guide 285

 Security Policies

DO NOT REPRINT
© FORTINET

As discussed previously, policy configurations of each type are ranked. When a host connects to the network,
that host is evaluated against each user/host profile. If FortiNAC finds a user/host profile match, it then
evaluates the configurations of each policy type. In the example shown on this slide, if a user or host
connected and matched the Wired Engineering Contractor and the Wired Corporate Trusted user host profile,
it will be provisioned as a network access VLAN of 650, because that is the higher ranked configuration.

This example also shows why the same user/host profile would not be associated with more than one
configuration of each policy type. The lower ranked configuration would never be applied.

FortiNAC 8.5 Study Guide 286

 Security Policies

DO NOT REPRINT
© FORTINET

You create policies on the same view as the User/Host Profiles. On the left side of the view, there is an
expandable branch for each of the five types of policies. Selecting the branch for a particular policy type and
clicking Add will open the add policy window. The example on this slide shows the Add Portal Policy
window.

Remember that a policy is the association between a User/Host Profile and a configuration, in this example,
a Portal Configuration. Note that within the Portal branch there is a sub-branch named Configuration,
which is where you can manage all portal configurations.

FortiNAC 8.5 Study Guide 287

 Security Policies

DO NOT REPRINT
© FORTINET

The Add Portal Policy window is where you associate the desired User/Host Profile with the appropriate
Portal Configuration. You must give each policy a unique Name. In the example shown on this slide, the
policy is named Guest in Building 1. The User/Host Profile field is a drop-down list that contains all currently
existing user/host profiles. The two icons to the right of the drop-down list allow for the creation of a new
user/host profile or to edit the currently selected user/host profile.

The Portal Configuration field is a drop-down list of all existing portal configurations. The Note field is
provided for adding comments about the policy.

FortiNAC 8.5 Study Guide 288

 Security Policies

DO NOT REPRINT
© FORTINET

Selecting the Configuration sub-branch under Portal will display the portal configuration window.

The Content Editor tab will display a series of branches, with each containing settings for portal
customization. The first branch, named Global, contains settings that apply to the overall functionality of the
portal pages.

The remaining branches in the Content Editor tree group together all the possible isolation portal pages by
type. For example, the Registration branch contains configuration settings for all possible isolation portal
pages that could be displayed to a host isolated because of its state being rogue, and the Remediation
branch contains configuration settings for all possible isolation portal pages that could be displayed to a host
isolated because of its state being at risk, and so on.

The Images tab provides the ability to upload or delete images that can be used on the pages.

Located just above the Apply button, there is a drop-down list. This list allows you to switch between existing
portal configurations, set a default portal to be used when no policy-based portal exists, and create a new
portal configuration.

FortiNAC 8.5 Study Guide 289

 Security Policies

DO NOT REPRINT
© FORTINET

All isolation pages use style sheets for uniform page presentation across all pages. You can modify these
style sheets on the Styles sub-branch within the Global branch. The Styles view provides a GUI interface for
modification of the default style sheets.

Any modifications you make to the style sheets will apply to all web pages, across all contexts, for the
selected portal configuration.

FortiNAC 8.5 Study Guide 290

 Security Policies

DO NOT REPRINT
© FORTINET

You can export and import portal pages on the portal configuration window. When you export a portal page,
the pages, style sheets, and images are all included in the export. A compressed .zip file will be downloaded
to the endpoint that performed the export.

The Import option will restore the pages and images from a previous export, and will overwrite any existing
pages.

FortiNAC 8.5 Study Guide 291

 Security Policies

DO NOT REPRINT
© FORTINET

You create each type of policy in the same way. Selecting the branch for a particular policy type and clicking
Add will open an add policy window. The example on this slide shows the Add Authentication Policy
window, which is almost identical to the Add Portal Policy window you just learned about.

FortiNAC 8.5 Study Guide 292

 Security Policies

DO NOT REPRINT
© FORTINET

The Add Authentication Policy window is where you associate the desired User/Host Profile with the
appropriate Authentication Configuration. You must give each policy a unique Name. In the example
shown on this slide, the policy is named All Contractors. The User/Host Profile field is a drop-down list
that contains all currently existing user/host profiles. The two icons to the right of the drop-down list allow you
to create a new user/host profile or to edit the currently selected user/host profile. Authentication policies
include the same icons for adding a new or editing an existing Authentication Configuration.

The Authentication Configuration field is a drop-down list of all existing authentication configurations. The
Note field is provided for adding comments about the policy.

FortiNAC 8.5 Study Guide 293

 Security Policies

DO NOT REPRINT
© FORTINET

An authentication configuration consists of detailed settings for an authentication server that will override any
default authentication servers for users and hosts that match the associated user/host profile. As with all
policy configurations, you must assign a unique name to the authentication configuration. In the example
shown on this slide, the Name field has been set to Contractor Auth Server.
In the example shown on this slide, the Authentication Method is set to LDAP. The available options are
LDAP, RADIUS, Local, Google, and None. You can configure the server integrations on the System tab, by
clicking Settings, and then opening the Authentication folder.
The Invalid Credentials Message will be presented to an authenticating user if they supply invalid
credentials.
Select the Enable Authentication check-box to allow users to authenticated against a directory, the
FortiNAC database, or a RADIUS server when logging in to access the network.
Time in Production before Authentication allows you to define a period of time, in minutes, that a non-
authenticated host will be allowed to remain in a production VLAN. If the user fails to successfully authenticate
the host within that time period, the host will be moved to the authentication isolation network. Note that the
host will only move to the isolation network if the point of connection is under enforcement for authentication.
Time Offline before Deauthentication allows you to designate how long, in minutes, an offline host will
remain authenticated. This can limit the number of times a user would need to authenticate as their host
moves from one point of connection to another, such as when transitioning between APs.
Reauthentication Frequency allows you to define a frequency, in hours, for forced re-authentication. As
mentioned previously, the host will move to the isolation network only if the point of connection is under
enforcement for authentication.

FortiNAC 8.5 Study Guide 294

 Security Policies

DO NOT REPRINT
© FORTINET

Network access policies are normally the most common type of policy. These policies are used to dynamically
provision access to connecting endpoints, based on the matched user/host profiles associated with the
network access configurations.

In the example shown on this slide, FortiNAC is evaluating endpoints as they connect to the network. The
evaluation identifies if a connected endpoint matches a user/host profile. Printers, corporate assets, guests,
and card readers are all given dynamically provisioned network access based on FortiNAC’s evaluation, and
the associated network access configuration.

FortiNAC 8.5 Study Guide 295

 Security Policies

DO NOT REPRINT
© FORTINET

In the same manner as the previous two examples, selecting the Network Access branch and clicking Add
will open the Add Network Access Policy window.

FortiNAC 8.5 Study Guide 296

 Security Policies

DO NOT REPRINT
© FORTINET

The Add Network Access Policy window, like the previous examples, is where you associate the desired
User/Host Profile with the appropriate Network Access Configuration. In the example shown on this slide,
the policy is named Printers using logical configuration. The User/Host Profile field is a drop-
down list that contains all currently existing user/host profiles. The two icons to the right of the drop-down list
allow you to create a new user/host profile or edit the currently selected user/host profile. Network access
policies include the same icons for adding a new or editing an existing Network Access Configuration.

The Network Access Configuration field is a drop-down list of all existing network access configurations.
The Note field is provided for adding comments about the policy.

FortiNAC 8.5 Study Guide 297

 Security Policies

DO NOT REPRINT
© FORTINET

There are two different types of network access configurations, Logical Network and Direct Configuration.
The example on this slide shows the configuration type set to Logical Network.

Recall from a previous lesson that logical networks are an abstract concept that decouple a policy from a
specific access value. The logical network value is defined on a device-by-device level in the Model
Configuration of a device, the same way that an isolation network, such as Registration, is defined.

For example, a user could create a Printer logical network, and define, for that logical network, an access
value of 100 on one set of switches, and 200 on another set of switches. Then a single network access policy
could assign the logical network of Printer to any printer on the network.

The printers would have the same network access policy applied to them, but be provisioned differently based
on the point of connection. This concept can significantly reduce the number of network access policies
needed, and simplify network access policy management.

The two icons to the right of the drop-down list allow you to create a new logical network or to edit the
currently selected logical network.

FortiNAC 8.5 Study Guide 298

 Security Policies

DO NOT REPRINT
© FORTINET

The Direct Configuration network access configuration type, provides the same configuration options
available for logical network configurations as they are defined within a device’s Model Configuration. This
type of configuration is applied as it is defined here, bypassing the logical network abstraction layer.

The Access Value/VLAN is a VLAN ID or a vendor-specific value. Wired access configurations will be done
by VLAN ID in almost every case. The vendor-specific value depends on how the device vendor segments
hosts, and will most often apply to wireless devices. For example, the value entered for a FortiAP would be in
the form of a VLAN name, such as VLAN_100.

The CLI Configuration, Send User and Host Groups to the Firewall, Selected Groups, and Firewall
Tags were each covered in previous lessons.

FortiNAC 8.5 Study Guide 299

 Security Policies

DO NOT REPRINT
© FORTINET

In the same manner as the previous examples, selecting the Endpoint Compliance branch and clicking Add
will open the Add Endpoint Compliance Policy window.

FortiNAC 8.5 Study Guide 300

 Security Policies

DO NOT REPRINT
© FORTINET

The Add Endpoint Compliance Policy window, like the previous examples, is where you associate the
desired User/Host Profile with the appropriate Network Access Configuration. In the example shown on
this slide, the policy is named Corporate End-station Compliance Policy. The User/Host Profile
field is a drop-down list that contains all currently existing user/host profiles. The two icons to the right of the
drop-down list allow you to create a new user/host profile or edit the currently selected user/host profile.
Endpoint compliance policies include the same icons for adding a new or editing an existing Endpoint
Compliance Configuration.

The Endpoint Compliance Configuration field is a drop-down list of all existing network access
configurations. The Note field is provided for adding comments about the policy.

FortiNAC 8.5 Study Guide 301

 Security Policies

DO NOT REPRINT
© FORTINET

The Add Endpoint Compliance Configuration window presents several configuration settings and options
across two tabs, General and Agent.

On the General tab, as with all previous policy configurations, you must give the endpoint compliance
configuration a unique name. In the example shown on this slide, the Name is Corporate End-station
Compliance Configuration.

The Scan field is a drop-down list of all existing scan configurations. The two icons to the right of the drop-
down list allow you to create a new scan configuration, or edit the currently selected scan configuration. Scan
creation will be covered later in this lesson.

One way to further enhance endpoint visibility is to collect installed application information. There are two
ways that application information can be gathered: an integration with MDMs that support application
gathering, or through the use of FortiNAC agent technology. The Collect Application Inventory option will
use agent technology to gather all installed applications on an endpoint.

The Advanced Scan Controls option allows you to take actions based upon the results of the scan. You can
take these actions On Success, On Failure, or On Warning. Actions will be covered in a future lesson.

FortiNAC 8.5 Study Guide 302

 Security Policies

DO NOT REPRINT
© FORTINET

The Agent tab is where you specify which type of agent, if any, will be provided to hosts within the isolation
captive portal. The agent type is specified by operating system, and there are six available options:

• FortiNAC Persistent Agent – Available for Windows, Mac OS X and Linux operating systems
• FortiNAC Dissolvable Agent – Available for Windows, Mac OS X and Linux operating systems
• FortiNAC Mobile Agent – Available for the Android operating system
• None – Bypass – This option will grant the host access with no scan performed, and is available to all
operating systems
• None – Deny Access – This option will deny access with no scan performed, and is available to all
operating systems

The Settings for Operating Systems without Agents branch displays a list of all operating systems that
FortiNAC can identify, but has no agent for. These include operating systems like iOS, BlackBerry OS, Kindle,
and so on. The agent options for these operating systems can only be set to None – Bypass or None – Deny
Access.

FortiNAC 8.5 Study Guide 303

 Security Policies

DO NOT REPRINT
© FORTINET

Each of the three agents available for deployment to isolated hosts provides slightly different capabilities and
functionality. Regardless of the agent type, however, each provides the ability to scan the endpoint for policy
compliance, gather installed applications, and report host and interface details to FortiNAC.

The persistent agent is installed and stays resident on the endpoint. Note that this agent is normally deployed
by either being pushed out as part of a group policy or some other software management application, or as
part of an image. Deployment through a captive portal requires the end user to manually install the agent.

The dissolvable agent is a run once agent, and requires manual end-user interaction within the captive portal.
Once it completes and it reports its results, it dissolves and leaves no footprint on the endpoint. This is a
common choice for guests, contractors, or BYOD devices.

The mobile agent is installed manually within the captive portal during the on-boarding process and is the only
agent option for Android devices.

FortiNAC 8.5 Study Guide 304

 Security Policies

DO NOT REPRINT
© FORTINET

The next several slides will cover settings specific to the persistent agent. Each of these settings views are
accessed by clicking the System tab, selecting the Settings option, and expanding the Persistent Agent
folder.

The Agent Update page is where you configure automated global updates to previously installed persistent
agents. Selected hosts can be excluded from the global updates by being added to the Global Agent Update
Exceptions host group. A button is provided at the top of this view for modification of that group’s
membership.

In the Global Agent Update section, selecting the Update Windows Agent to Version or the Update Mac
OS X Agent to Version option, and then selecting a persistent agent version from the drop-down list, will
update all Windows and/or Mac hosts with a persistent agent installed, to the selected version. This will only
run if the installed version is older than the version selected in the drop-down list. You can install a lower
agent version if you select the Allow Installation of a Previous Version check box.

If an agent update fails, FortiNAC will continue update attempts, up to the number specified in the Maximum
Global Update Attempts setting. If the Maximum Global Update Attempts specification is reached,
FortiNAC will stop attempting to update that agent. An event, Agent Update Failure, will be generated. The
reset counter option will configure FortiNAC to retry failed agent updates, up to the specified number of
Maximum Global Update Attempts.

In the Schedule Auto-Definition Updates section, you can set the schedule for FortiNAC to automatically
update the virus definition or signature information for the anti-virus software options within endpoint
compliance scans.

FortiNAC 8.5 Study Guide 305

 Security Policies

DO NOT REPRINT
© FORTINET

The Credential Configuration view allows you to configure options for rogue host registration through the
persistent agent.

The Enable Registration option allows you to automatically register any host with a persistent agent that has
established communication with FortiNAC. Typically, this is disabled when rogues are being registered by the
Device Profiler. When you clear the Enable Registration check box, Register as Device and
Authentication Type are disabled.

The Register As Device option will automatically register all rogue hosts using the hostname in the ID field in
the host record. If the check box is cleared, all rogue hosts who use the Persistent Agent are presented with
a login screen to enter their credentials. The credentials are verified by the method selected in the
Authentication Type field.

If the Register As Device check box is not selected, the Authentication Type defines the backend
authentication server for authentication when tracking users. Note that the authentication type selected must
match the authentication method selected in the Portal Configuration window.

FortiNAC 8.5 Study Guide 306

 Security Policies

DO NOT REPRINT
© FORTINET

The Security Management view provides access to a large number of Persistent Agent settings. Several of
the settings are focused on the text that appears for different agent notification windows. All settings are
normally configured early on in a FortiNAC deployment.
Primary Host Name: The host name of the primary FortiNAC server for agent communication. If FortiNAC is
deployed as a pair of appliances, this will be the authentication server.
Secondary Host Name: The host name of the high availability (HA) FortiNAC. This field will not appear if
FortiNAC is not licensed for HA.
Host Group for on-connect Host Name update: When hosts in this group connect to the network, they are
given this persistent agent host name for communication between the host and the persistent agent server.
This provides the ability to dynamically update agent configurations on endpoints.
Require Connected Adapter: If enabled, the server will require one of the adapters reported by the agent to
be connected to a device managed by FortiNAC in order to communicate. This eliminates the need to use
ACLs to block access to FortiNAC when the host is connecting on a device managed by a different FortiNAC.
Allowed IP Subnets: This option is available only if the Require Connected Adapter check box is selected.
This will allow hosts with an IP address within the designated subnet to communicate with FortiNAC without a
connected adapter. This can be useful when FortiNAC needs to communicate with hosts that do not have a
connected adapter, for example, hosts connected by VPN.
Expiration: If enabled, the persistent agent uninstalls itself from the host once the date and time selected
have passed.
The next several settings are for customization of text displayed in persistent agent message windows.
CRL Cache Strategy: Defines the amount of time that a certificate revocation list (CRL) will be cached before
retrieving a new CRL. The default setting retrieves a new copy of the CRL when the date defined by the
certificate authority in the CRL has expired.

FortiNAC 8.5 Study Guide 307

 Security Policies

DO NOT REPRINT
© FORTINET

The Agent Contact Window on Connect: option defines the time after host connection before an agent must
connect or communicate successfully with the server. If this time expires without the agent having
communicated, the No Contact flag is set and the Persistent Agent Not Communicating event is generated.
The No Contact flag will be displayed as a red lightning bolt in the Persistent Agent column of the host view.

The Agent Contact Window on Agent Disconnect: is the time after the agent disconnects or
communication is lost. If this time expires without the host disconnecting or the agent having communicated,
the No Contact flag is set and the Persistent Agent Not Communicating event is generated.

The Agent Contact Window on Host Disconnect: is the time a host can be disconnected before FortiNAC
clears the No Contact flag. This prevents an immediate clearing if the host disconnects for a short period of
time.

FortiNAC 8.5 Study Guide 308

 Security Policies

DO NOT REPRINT
© FORTINET

The Status Notification view allows you to change the icon that appears on the taskbar based on the state of
the host in the FortiNAC database.

This slide shows the two possible icon states, Normal and Requires Action, that can be displayed in an
endpoint’s task bar.

Each host state can be selected individually so that only the desired host states change the icon. A second
option within each icon display option is for a pop-up balloon notification to appear in addition to the changing
of the icon. This will allow the end user to interact with balloon text and assist the user with non-normal state
resolution. The text that appears in the pop-up balloons is customizable in each associated field.

FortiNAC 8.5 Study Guide 309

 Security Policies

DO NOT REPRINT
© FORTINET

The Transport Configuration view allows you to configure Packet Transport Configurations and TLS
Service Configurations for persistent agent communication with FortiNAC.

The Packet Transport Configuration settings are used to modify existing, or create new TCP or UDP
settings for Bind Address, Port, TLS Service Configuration, and other settings for agent and server
communication.

The TLS Service Configurations define the certificates, TLS protocols, and ciphers used for secure
communication. You can upload the certificate using the Certificate Management view. By selecting the
Automatically Update Ciphers and Protocols on Upgrade check box, the settings for both ciphers and
TLS protocols will become managed by FortiNAC.

FortiNAC 8.5 Study Guide 310

 Security Policies

DO NOT REPRINT
© FORTINET

The USB Detection view allows you to configure FortiNAC to be notified in the event that a USB device was
plugged into a host on the network. When a USB drive is detected, FortiNAC events can be mapped to alarms
to specify an action based on the host where the USB drive is connected. You can also indicate which drives
should be ignored by the system, regardless of the hosts they are connected to.

The Event to Alarm Mappings options allows you to map events to generate alarms when a USB drive is
detected, added, or removed.

The Allowed USB Drives section provides a means to create a list of USB drives that will not generate
events or alarms when detected, added, or removed.

FortiNAC 8.5 Study Guide 311

 Security Policies

DO NOT REPRINT
© FORTINET

Another ability of the persistent agent is to display a message on the desktop of an endpoint. Endpoint targets
for the message can be an individual host, a group of hosts, or all hosts with the persistent agent installed.
The messaging options are available by right-clicking an individual host, or on the Bookmarks tab, by
selecting Send Message.

You can enter message content in the Message field, and use the optional Web Address field to include a
URL as a link in the message.

The Message Lifetime settings provide the following options:

Expires after sending to currently connected hosts: The message will be sent only to all currently
connected hosts.
Expires after: The message will be sent to all currently connected hosts and all hosts that connect within the
defined time period.
Expires at: The message will be sent to all currently connected hosts and all hosts that connected before the
designated date and time.

Note that a message will be sent only once to each hosts, even if the host disconnects and reconnects within
a designated message time setting.

FortiNAC 8.5 Study Guide 312

 Security Policies

DO NOT REPRINT
© FORTINET

Once a message is sent, it will appear on the desktop of the targeted host or hosts. If a URL was included as
part of the message, it will appear as a link that can be clicked by the end user.

FortiNAC 8.5 Study Guide 313

 Security Policies

DO NOT REPRINT
© FORTINET

You can configure the FortiNAC persistent agent icon to be displayed on the taskbar of a Windows host, or
hidden. When displayed, the icon is a small circle with a green check mark.

End users can right-click the icon and view detailed agent version information by selecting About. The Show
Messages option will display a Messages window with all messages received by the agent since the last time
it was restarted. You can double-click any message in the list to open the message pop-up that was received.

FortiNAC 8.5 Study Guide 314

 Security Policies

DO NOT REPRINT
© FORTINET

The dissolvable agent is an agent that runs only once and then removes itself upon scan completion. This is
used as part of the on-boarding process—the default behaviour of the dissolvable agent is to register the host
after a successful scan. The dissolvable agent option is a popular choice when it comes to on-boarding
guests, contractors, and BYOD devices.

The agent is deployed through the captive portal page in the registration network during on-boarding, and
through the quarantine captive portal page during scheduled rescans of previously on-boarded hosts.

The agent runs on the endpoint, gathers the host information and scan result details, and returns them to
FortiNAC.

Because the dissolvable agent does not stay resident on the endpoint, rescans are performed by changing the
host state to at-risk and moving the host to the quarantine isolation network. There, the remediation page will
give the user the ability to download and run the agent.

As a best practice for performing rescans with dissolvable agents, schedule them to occur off hours, so that
the isolation of the host does not happen while the host is in use. Another available option for dissolvable
agent rescanning, which will be covered later in this section, is called proactive scanning.

FortiNAC 8.5 Study Guide 315

 Security Policies

DO NOT REPRINT
© FORTINET

The mobile agent is for Android devices only, and provides the following functionality:
• The ability to detect if a device has been rooted
• The retrieval of an application inventory
• Device registration

You should deploy the mobile agent within the captive portal environment. Configuration settings are supplied
by FortiNAC, and FortiNAC must be the DNS server during installation.

FortiNAC 8.5 Study Guide 316

 Security Policies

DO NOT REPRINT
© FORTINET

When creating policy scans for endpoint compliance validation, you can create optional custom scans. You
can use custom scans within the actual policy scan configurations, allowing for specific OS-based criteria for
Windows, Mac OS X, and Linux systems.

You can create custom scans using the Custom Scans button on the Scans tab on the Policy
Configuration window. There are no default custom scans.

FortiNAC 8.5 Study Guide 317

 Security Policies

DO NOT REPRINT
© FORTINET

Use the Add button on the Custom Scans window to open the Add Custom Scan window.
There are two drop-down lists at the top of the window: Operating System and Scan Type. The Operating
System drop-down list contains the three operating systems that FortiNAC can create custom scans for. The
Scan Type drop-down list contains each of the different types of custom scans that can be created for the
selected operating system.
The following fields are common to all scans:
Scan Name: Each scan must have a unique name.
Label: This label appears in the results page information to identify which scan the host failed.
Web Address: The URL of the remediation page. This is a user-created web page and must be stored in:
/bsc/Registration/registration/site. When completing this field you must enter part of the path
for the page, not just the page name, such as: site/pagename.jsp.
Severity: Each scan can have a severity of Required or Warning. A severity of Required will mark a host at-
risk upon failure and, if enforcement is enabled, the host will be moved to the quarantine isolation network. If
the severity is set to Warning, the host will not be marked at risk but a Policy Warning event will be
generated.
The specific fields for the Cert-Check scan type are:
CRL Revocation Checking: If enabled, CRL Revocation Checking ensures the certificate has not been
revoked by the CA. If the certificate is revoked, the host fails the custom scan.
Extended Key Usage Restrictions: This optional setting defines how the private key may be used. Multiple
extensions must be comma separated. The options are:
Disabled: There are no restrictions on key usage extensions.
All of: The certificate must include all of the specified extensions.
One or more of: The certificate must include on the specified extensions.
None of: The certificate must include at least one of the specified extensions.
Exactly: The certificate must not include one of the specified extensions.

FortiNAC 8.5 Study Guide 318

 Security Policies

DO NOT REPRINT
© FORTINET

The Domain-Verification custom scan verifies that the host joined the appropriate domain when it connected
to the network.

Enter a comma-separated list of the NetBIOS domain names that are required or permitted for the specific
operating system(s).

FortiNAC 8.5 Study Guide 319

 Security Policies

DO NOT REPRINT
© FORTINET

The File custom scan checks for the presence of a file. The scan specific configurations are:
File Name: The name of the file you are searching for
File Contains String: Content that must be present within the file. For example, version information within a
configuration file.
Registry Key: Enter the registry key that points to the value name containing the file, for example,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService when validating msmsgs.exe.
Registry Value Name: Enter the value name that contains the path to the file you are searching for.
Execute: Allows you to have the agent execute the file if it is found, and pass Command-Line Options
Wait for Execution to Complete Before Continuing: The policy scan will pause until the executed file
completes. The default setting is No.
File Version: The version of the file must be greater than or equal to the number entered here.
Windows OS: Select the box next to the versions of Windows for which this key is required.
Prohibit this product: If the file is found, the host will fail the scan.

FortiNAC 8.5 Study Guide 320

 Security Policies

DO NOT REPRINT
© FORTINET

The HotFixes custom scan will check for the installation of a specific hot fix by HotFix ID. For example, the
hotfix identified by KB123456.

The Bypass Service Pack option will allow a host to pass the scan without the designated hotfix installed if it
has a service pack greater than or equal to the number entered in the field.

You set the hotfix requirement for specific operating systems by selecting the check box to the right of the
desired operating system.

FortiNAC 8.5 Study Guide 321

 Security Policies

DO NOT REPRINT
© FORTINET

The Process custom scan checks for a running process. The process name being searched for can be
different for each of the available operating systems. The host fails the scan if the process is not detected.
Leaving the field blank for an operating system will not require, or search for, a process on that operating
system.

FortiNAC 8.5 Study Guide 322

 Security Policies

DO NOT REPRINT
© FORTINET

The Prohibited-Domain-Verification custom scan is used to verify the domain a host is attempting to join,
and prohibit access to the network based on that domain. Operating systems with no value entered will not be
scanned.

FortiNAC 8.5 Study Guide 323

 Security Policies

DO NOT REPRINT
© FORTINET

The Prohibited-Processes custom scan works in the opposite way as the Required-Process custom scan.
If a process is running, the host will fail the scan. Operating systems with no value entered will not be
scanned.

FortiNAC 8.5 Study Guide 324

 Security Policies

DO NOT REPRINT
© FORTINET

The Registry-Keys custom scan validates details for the designated registry key, and either requires or
prohibits hosts with the designated values.

FortiNAC 8.5 Study Guide 325

 Security Policies

DO NOT REPRINT
© FORTINET

The Registry-Version custom scan verifies that a specific version of an application, such as Microsoft Edge,
is installed on the host.

FortiNAC 8.5 Study Guide 326

 Security Policies

DO NOT REPRINT
© FORTINET

The Service custom scan checks for the current state of a service. You specify the service by name and the
desired state of that service, either running or stopped. Hosts will fail the scan if the service is not found, or
the desired state does not match.

The custom scans for Mac OS X and Linux work in the same way as those for Windows, but with OS-specific
options.

FortiNAC 8.5 Study Guide 327

 Security Policies

DO NOT REPRINT
© FORTINET

Custom scans can be used within policy scans. Existing policy scans are listed in the Scans view, and scans
are created by clicking Add.

FortiNAC 8.5 Study Guide 328

 Security Policies

DO NOT REPRINT
© FORTINET

The Add Scan window is made up of five tabs: General, Windows, Mac-OS-X, Linux, and Summary.

The General tab contains a variety of agent-specific settings that define agent behaviour, as well as
remediation page presentation options. The Scan Settings section provides the following agent-specific
options:
Scan On Connect: FortiNAC performs a policy validation scan each time a host’s state changes from offline
to online. A host must be registered and have the persistent agent installed to use this option.
Renew IP: The agent will initiate a release and renewal of the host’s IP address at the completion of the scan.
This option applies only to Windows or Mac OS hosts using the dissolvable agent.
Jailbreak Detection: Determines if an iOS device has been jail broken. This option applies only to iOS
devices using the iOS agent. Note that this setting is for backward compatibility of devices using the iOS
agent, which has been deprecated.
Root Detection: Determines if an Android device has been rooted. This option applies only to Android
devices that have the mobile agent.
Remediation: There are three options for how a host will be treated when a scan is failed. On Failure will
move the host to the quarantine isolation network immediately. Delayed will move the host to the quarantine
isolation network after a user-defined period of time, if the failure has not been addressed. Audit Only will
report scan results to FortiNAC, but the host state will not change and the host will not be isolated. The
Agent Order of Operations option is only available if Remediation is set to On Failure. Scan Before
Registering will scan the host in the registration isolation network. There are two additional options with this
setting: Do Not Register, Remediate keeps the host in the registration network until the scan is passed, and
Register and mark At Risk registers the host and moves it to the quarantine isolation network. The Register,
then Scan (if the scan fails, Remediate) registers the host in the registration isolation network, and then
moves the host to the quarantine isolation network for downloading of the agent and scanning. The
Remediation options apply only to dissolvable agents.

FortiNAC 8.5 Study Guide 329

 Security Policies

DO NOT REPRINT
© FORTINET

The Portal Page Settings provide presentation options for the remediation page displayed within the
quarantine isolation network to hosts that have failed the policy scan.

The Label for Scan Failure Link is the link text that isolated users will see on the initial remediation page,
and it will direct them to the detailed remediation page with the necessary specifics to bring the host into
compliance. The default setting is Use Scan Name. In the example shown on this slide, the default value has
been overridden and the URL text presented will be Click Here to Continue.

The Instructions for Scan Failure allows you to provide the user with a set of instructions. These
instructions will be presented within the detailed remediation page.

The Patch URL for Dissolvable Agent Re-Scan provides the path to the page that dissolvable agent hosts
will be directed to when they are moved into the quarantine isolation network for a scheduled rescan. The
default value is common/CSAPatchNoLogin.jsp. This is the dissolvable agent download page.

FortiNAC 8.5 Study Guide 330

 Security Policies

DO NOT REPRINT
© FORTINET

The Windows tab is where you select all of the policy requirements, category by category, for Windows
hosts. The Category drop-down list contains the following options:
• Anti-Virus
• Custom
• Miscellaneous
• Operating-System
• Monitors

The Anti-Virus category displays all supported antivirus applications. You can apply logic to require Any or
All of the applications selected from the list. Note that Any is the default setting, which you should use except
in extremely rare situations. When you select one or more antivirus applications, the Preferred drop-down list
will display each of the selected options. The preferred application will be the only displayed application on the
remediation page, if a host fails for all selected applications. If you do not set a preferred option, an entry will
be displayed for every selected application.

Selecting the check box next to an application will designate it as one that will satisfy the category
requirement.

FortiNAC 8.5 Study Guide 331

 Security Policies

DO NOT REPRINT
© FORTINET

Clicking on an application’s name will open a detailed product window with settings for just that application.
These settings will vary from application to application, however, the following are the most likely to be
modified:

Virus Definition Date is the date of the required antivirus definitions files.
Program Version is the currently installed application version.

Both the Virus Definition Date and Program Version fields will update automatically when the Auto-
Definition Synchronizer scheduled task runs, as long as the fields have not been modified by a user.

Web Address is the remediation page that will be displayed when you click the link for the selected product
while in the quarantine isolation network, if the product is not installed.

Definitions Web Address is the remediation page that will be displayed when you click the link for the
selected product while in the quarantine isolation network, if the definition files are out of date.

The Windows OS options allow you to designate which versions of Windows are considered in compliance
when the selected application is detected.

The Prohibit this product option fails the host if the product is detected.

FortiNAC 8.5 Study Guide 332

 Security Policies

DO NOT REPRINT
© FORTINET

The Custom Scans tab will display all existing custom scans, organized by scan type. None of the custom
scans will be selected by default, meaning they won’t add any additional requirements to the current
application.

When a custom scan is selected from within this tab, the custom scan requirements will be added as
additional requirements for the application. In the example shown on this slide, a host will pass the antivirus
component of the policy scan, with Avast as the installed product, only if the host also satisfies the Required
Process custom scan.

FortiNAC 8.5 Study Guide 333

 Security Policies

DO NOT REPRINT
© FORTINET

The Custom Scan category will display all existing custom scans organized by scan type. Scans selected
here will become policy requirements, just like an antivirus application or any other application. This allows
you to create your own mandatory policy requirements in addition to the pre-existing ones.

FortiNAC 8.5 Study Guide 334

 Security Policies

DO NOT REPRINT
© FORTINET

The Miscellaneous category works in exactly the same way as the previous categories. The product options
listed on this slide did not fall neatly into any of the other categories.

FortiNAC 8.5 Study Guide 335

 Security Policies

DO NOT REPRINT
© FORTINET

The Operating System category functions the same way as the previous categories. A host will pass the
policy requirement if it has any selected operating system installed. Note that selecting no operating systems
will allow all operating systems. Clicking an operating system by name will open the detail settings for that
operating system. The options available will differ from one operating system to the next but will include
settings like disable bridging, and require critical updates.

FortiNAC 8.5 Study Guide 336

 Security Policies

DO NOT REPRINT
© FORTINET

Monitors is the final scan category in the drop-down list. Monitors are custom scans that you can choose to
continually evaluate without performing a complete compliance scan. All existing custom scans will appear in
the Monitor the Following list by name. Selecting the check box for a custom scan will enable the monitor,
and selecting a Period from the drop-down list will define the evaluation interval. This interval can range from
fifteen seconds to one hour. Only hosts with the persistent agent installed can be monitored.

In the example shown on this slide, hosts that match this policy, and have the persistent agent installed, will
be evaluated for compliance with the two selected custom scans. The Required Process will be validated
every 5 minutes, and the Windows Firewall every 10 minutes.

FortiNAC 8.5 Study Guide 337

 Security Policies

DO NOT REPRINT
© FORTINET

The policy scan configurations for Mac-OS-X and Linux function in the same manner as those configured for
Windows. The only differences are the application options available.

FortiNAC 8.5 Study Guide 338

 Security Policies

DO NOT REPRINT
© FORTINET

The evaluation of hosts for policy compliance, beyond the initial validation during on-boarding, is scheduled on
the Scan view using the Schedule button. Select the scan you want to schedule from the list, and then click
the Schedule button. The scheduled tasks window for the selected scan will open.

The hosts to be rescanned can be defined by Target Agent Type (Dissolvable or Persistent), Host
Group, and Security and Access Attribute Value.

For hosts that use the dissolvable agent, you can enable Proactive Scanning. This option allows hosts that
scan within a user-defined period, before the scheduled date and time, to avoid being provisioned to the
quarantine isolation network.

FortiNAC 8.5 Study Guide 339

 Security Policies

DO NOT REPRINT
© FORTINET

The Proactive Scanning settings allow you to designate a Scan History Interval that defines the leeway
given to a host who’s scheduled rescan time has arrived. For example, you could exempt a host from the
scheduled rescan, if that host had successfully scanned at any point in the last two days.

If there has been no successful scan performed during the designated Scan History Interval, the host will be
marked at risk and, if enforcement is enabled, moved to the quarantine isolation network and presented with
the common/CSAPatchNoLogin.jsp remediation page. Another option available is to expire the host,
deleting it from the database.

If a successful scan has been performed during the designated Scan History Interval, the host, by default,
will have no action taken on it. Another option is to extend the expiration date of the host by Hours, Days, or
Weeks.

FortiNAC 8.5 Study Guide 340

 Security Policies

DO NOT REPRINT
© FORTINET

As you learned earlier, each type of policy is created in the same way. Selecting the branch for a particular
policy type and clicking Add will open the add policy window. The example on this slide shows the Add
Supplicant EasyConnect Policy window and is almost exactly the same as the previous policy creation
windows.

FortiNAC 8.5 Study Guide 341

 Security Policies

DO NOT REPRINT
© FORTINET

The Add Supplicant EasyConnect Policy window is where you associate the desired User/Host Profile
with the appropriate Supplicant Configuration. Each policy must be given a unique Name. In the example
shown on this slide, the policy is named Contractor EasyConnect. The User/Host Profile field is a drop-
down list that contains all currently existing user/host profiles. The two icons to the right of the drop-down list
allow you to create a new user/host profile, or edit the currently selected user/host profile. The Supplicant
Configuration field includes the same icons for adding a new or editing an existing configuration.

FortiNAC 8.5 Study Guide 342

 Security Policies

DO NOT REPRINT
© FORTINET

The Add Supplicant Configuration window is where SSID and SSID security settings are configured. The
SSID field is where you designate the SSID for the following configurations. You create a wireless
configuration for this SSID on the host. For Windows and Mac OS X hosts, you must use an agent to create
the configuration. Dissolvable agents must be version 3.0.2.8 or higher, and persistent agents must be version
3.1 or higher. Note that because an agent is used for these operating systems, there must be a matching
endpoint compliance policy that, at a minimum, designates the agent to deploy by operating system. iOS
devices do not use an agent for configuration. Instead they will be prompted to download the configuration
from the captive portal.

The Security options are:

• Open
• WEP (PSK) and WEP Enterprise
• WPA (PSK), WPA Enterprise (PEAP), WPA2 (PSK), and WPA2 Enterprise (PEAP)

The required security settings displayed will depend on the selected Security option, and will include
Password, Cipher, EAP Type, CA Certificate, and so on.

FortiNAC 8.5 Study Guide 343

 Security Policies

DO NOT REPRINT
© FORTINET

Knowing which policies are being applied to a user or host at any given point in time, and why they are being
applied, is essential to testing, troubleshooting, and validating any type of policy.

In the example shown on this slide, a host was located within the Host View, and the Policy Details window
was accessed by right-clicking the host, and then selecting Policy Details.

The Policy Details window has a tab for each type of policy: Network Access, Authentication, Supplicant
EasyConnect, Endpoint Compliance, and Portal. Each tab shows the Profile Name of the User/Host
Profile being matched, the Policy Name of the policy being applied, the Configuration Name of the
configuration attached to the policy, and any configuration settings that make up the configuration.

This information is dynamic and real-time, updating as matched profiles change.

Each policy tab has a Debug Log branch located at the bottom of each policy detail. Expanding this branch
displays detailed information about why the current policy is being applied at this moment.

In the example shown on this slide, the details of the currently applied Network Access and Authentication
policies are displayed.

FortiNAC 8.5 Study Guide 344

 Security Policies

DO NOT REPRINT
© FORTINET

In the example shown on this slide, the details of the currently applied Supplicant EasyConnect and
Endpoint Compliance policies are displayed.

FortiNAC 8.5 Study Guide 345

 Security Policies

DO NOT REPRINT
© FORTINET

The example on this slide shows a host that does not match any portal policy and, as a result, the Profile
Name, Policy Name, and Configuration Name are all blank.

FortiNAC 8.5 Study Guide 346

 Security Policies

DO NOT REPRINT
© FORTINET

When hosts are scanned for policy compliance, detailed scan result information is obtained by FortiNAC and
stored in the database. You can then retrieve and view this information from multiple views in the GUI.

You can access a global repository of scan results on the Hosts tab, by selecting Scan Results. A filter tool
allows the user to display only the desired scan results, and the Show Details button displays result details.
The Details window shows all Ethernet Cards reported back to FortiNAC by the scanning agent, as well as
each policy requirement component that has a status of pass or fail.

Two buttons at the bottom of the view allow you to archive scan result information in the database, and
remove it from the view. This keeps a copy of the results available for import, if needed, while allowing the
view to load more efficiently.

FortiNAC 8.5 Study Guide 347

 Security Policies

DO NOT REPRINT
© FORTINET

Another way to view scan results is to locate a host in the host view, then right-click the host, and then select
Host Health.

The Health tab on the Host Health window displays the status of each endpoint compliance policy scan the
host had to comply with, as well as all administrative scans. The Status field is assigned by FortiNAC based
on the last scan result or, in the case of administrative scans, the last system or user assignment. You can
manually assign this field, and the options are:
• Initial: The host has not been scanned. The host will not be marked at risk.
• Failure: The host has failed the scan requirements. The host state will be set to at risk for this scan.
• Success: The host has satisfied all scan requirement. The host will not be marked at risk.

The History tab displays past scan results and the date and time that the scan was performed. The
Script/Profile column shows the scans by name. Each name is a link to the detailed scan results, as they
were reported by the agent when the scan was preformed. The details contain physical address information
for each discovered interface, host and scan information, and a policy requirement component with pass or
fail status.

Recall that an additional way to view scan result information is through the Health tab within the host
properties, as discussed in the visibility lesson.

FortiNAC 8.5 Study Guide 348

 Security Policies

DO NOT REPRINT
© FORTINET

Any time FortiNAC changes network access for an endpoint, the change is documented on the Port Changes
view. This provides an administrator with valuable information when validating control configurations and
enforcement.

A global list of port changes is available on the Logs tab, by clicking Port Changes. You can use a filter to
locate specific port change events.

The view displays:

• The date and time a change was made
• Whether a CLI configuration was executed at the time of the change
• The reason the change was made
• The roll or access policy that caused the change (only displayed if a role or access policy was the cause of
the change)
• The port that was changed
• The VLAN the port was changed to

The Port Changes tab in the topology view, discussed in a previous lesson, and the Port Changes option in
the right-click menu of any port, shows the same information prefiltered for the selected port

FortiNAC 8.5 Study Guide 349

 Security Policies

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 350

 Security Policies

DO NOT REPRINT
© FORTINET

Good job! You now understand security policies and how to configure them.

Now, you will learn about vulnerability scanner integration.

FortiNAC 8.5 Study Guide 351

 Security Policies

DO NOT REPRINT
© FORTINET

After completing this section you should be able to achieve the objectives shown on this slide.

By demonstrating competence in integrating vulnerability scanners, you will be able to leverage existing
Nessus and Qualys systems in your environment.

FortiNAC 8.5 Study Guide 352

 Security Policies

DO NOT REPRINT
© FORTINET

Integrating with vulnerability scanners enables FortiNAC to request and process scan results from the
scanners.

The Vulnerability Scanners view displays a list of scanners that are configured, and allows you to add,
modify, delete, and test a scanner connection, and configure polling for scanner results.

FortiNAC supports integration with Tenable (Nessus) servers and Qualys in-network scanner hosts.

FortiNAC 8.5 Study Guide 353

 Security Policies

DO NOT REPRINT
© FORTINET

Perform integrations for both Tenable and Qualys on the Vulnerability Scanners settings page. Use Add to
create a new integration. The General tab is where you select the Vendor, Tenable or Qualys, and configure
the communication settings for FortiNAC.

Use the Name field to identify each vulnerability scanner integration listed on the Vulnerability Scanners
view.

The Request URL is the URL FortiNAC will use to retrieve scan results from the scanner.

The User Name and Password fields are for supplying the credentials FortiNAC will need to log in to the
scanner.

You can set the frequency with which FortiNAC polls for scan results in Hours or Days.

The example shown on this slide is for a Tenable server integration.

FortiNAC 8.5 Study Guide 354

 Security Policies

DO NOT REPRINT
© FORTINET

The Scans tab allows you to select which scans, from the total retrieved from the scanner, you want FortiNAC
to process results for. At each vulnerability poll, FortiNAC retrieves and processes the results for each scan in
the Selected Scans list that has completed since the previous poll of the scanner. Multiple scans can target a
host.

Scan thresholds define a value that, when exceeded for any host, results in the host being identified as failing
the scan, and triggers the creation of a Vulnerability Scan Failed event. If a host’s results do not exceed a
defined threshold, a Vulnerability Scan Passed event will be generated.

The Vulnerability Scan Failed and Vulnerability Scan Passed events will be used to move failed hosts into,
and out of, the quarantine isolation network.

FortiNAC 8.5 Study Guide 355

 Security Policies

DO NOT REPRINT
© FORTINET

Configuring an integration with a Qualys vulnerability scanner is preformed in the same way as the Tenable,
with one small exception. Qualys relies on scanner appliances to perform the scans. As a result, there is an
Appliance tab added to a Qualys configuration, allowing the administrative user to select the desired scanner
appliance host.

FortiNAC 8.5 Study Guide 356

 Security Policies

DO NOT REPRINT
© FORTINET

The quarantining of hosts as a result of an exceeded vulnerability scan result threshold works differently than
when a host is marked at risk for failing a policy scan. Instead of the host automatically being marked at risk
by FortiNAC, an administrative user must create an Event to Alarm Mapping for the Vulnerability Scan
Failed event. Within the alarm mapping, you must designate a host security action to mark the host at risk.
This process was described in an earlier lesson. Once a host is marked at risk, and enforcement for at risk
hosts is being enforced, the host will be moved to the quarantine isolation network.

To customize the vulnerability scan information displayed on the Remediation Portal page, edit the content
on the Global > Failure Information page in the Portal Content Editor.

The remediation portal page shows details for the vulnerability scan that failed. Users can click the scan to
see details of the failed scan provided by the vulnerability scanner, and solutions to fix the vulnerability. After
remediation, users click the Rescan button to rescan the host. To automate the process of returning an
isolated host to a production network, as the result of a successful rescan, you will need to create a second
Event to Alarm Mapping for the Vulnerability Scan Passed event.

Hosts that are members of the Vulnerability Scanner Exceptions host group will not generate the
Vulnerability Scan Failed event.

FortiNAC 8.5 Study Guide 357

 Security Policies

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 358

 Security Policies

DO NOT REPRINT
© FORTINET

Good Job! You now understand vulnerability scanner integration.

Now, you will learn about FortiNAC control processes.

FortiNAC 8.5 Study Guide 359

 Security Policies

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating an understanding of the processes used by FortiNAC to control access, you will be able to
effectively plan and implement FortiNAC control.

FortiNAC 8.5 Study Guide 360

 Security Policies

DO NOT REPRINT
© FORTINET

When a host attempts to access the network through a FortiNAC managed point of connection using 802.1x
authentication, FortiNAC acts as a proxy for the RADIUS communication, and does not terminate the RADIUS
requests. It identifies the requests as 802.1x and will pass them, unaltered, to a backend RADIUS server and
wait for that server’s response.

Recall that you configure communication settings for external RADIUS servers on the System tab, by clicking
Settings, and then clicking the Authentication folder. The RADIUS server that will be used for validation is
defined within the Model Configuration or the SSID Configuration settings discussed earlier.

If the backend RADIUS server responds with an accept response, FortiNAC will consult its database and
determine if the host needs to be provisioned based on its state or a Network Access Policy, or by a default
VLAN or access value. It will then modify the RADIUS accept packet and return it to the requesting device.

If the backend RADIUS server responds with a reject response, FortiNAC will pass the rejection, unaltered, to
the requesting device.

FortiNAC 8.5 Study Guide 361

 Security Policies

DO NOT REPRINT
© FORTINET

This slide shows the process of a host accessing an 802.1x environment managed by FortiNAC.
1. The host associates with the SSID.
2. The device generates a RADIUS request to FortiNAC.
3. FortiNAC proxies the request to the RADIUS server defined in the device model configuration or SSID
configuration set in the topology view.
4. The RADIUS server issues an accept or reject response. If the response is a reject, FortiNAC proxies it
unchanged back to the requesting device.
5. If the response is an accept, FortiNAC looks up the user or host in the database and determines the
access that should be provisioned based on the state of the user or host, on a matched security policy, or
a default VLAN/access value.
6. FortiNAC modifies the RADIUS response and forwards it to the requesting device.
7. Post connection, FortiNAC keeps connection information up-to-date using RADIUS accounting or Syslog
information.

FortiNAC 8.5 Study Guide 362

 Security Policies

DO NOT REPRINT
© FORTINET

When a host attempts to access the network through a FortiNAC managed point of connection configured for
MAC authentication, FortiNAC will receive the RADIUS request from the switch, AP, or controller, and process
the request. FortiNAC terminates the RADIUS request and performs a database lookup to determine if the
host needs to be provisioned based on its state, a Network Access Policy, or by default VLAN or access
value. It will then modify the RADIUS accept packet and return it to the requesting device.

The only time FortiNAC will issue a reject response is if the Enforcement option configured in the Model
Configuration of the device is set to Deny.

FortiNAC 8.5 Study Guide 363

 Security Policies

DO NOT REPRINT
© FORTINET

This slide shows the process of a host accessing an environment managed by FortiNAC and configured for
MAC authentication.
1. The host associates with the SSID.
2. The device generates a RADIUS request to FortiNAC.
3. FortiNAC looks up the host in the database and determines the access that should be provisioned based
on the state of the host, on a matched security policy, or a default VLAN/access value.
4. FortiNAC generates a RADIUS response, and forwards it to the requesting device.
5. Post connection FortiNAC keeps connection information up-to-date using RADIUS accounting or Syslog
information.

FortiNAC 8.5 Study Guide 364

 Security Policies

DO NOT REPRINT
© FORTINET

This slide shows the process of a host connecting in a wired environment configured to use MAC notification
traps.
1. The host connects to, or disconnects from, a wired port.
2. The device issues a MAC notification trap to FortiNAC. This could be a MAC Added or MAC Removed
trap.
3. FortiNAC processes the trap and identifies the MAC address that was added or removed, as well as the
associated port.
4. If it was a MAC added trap, FortiNAC looks up the host in the database and determines the access that
should be provisioned based on the state of the host, on a matched security policy, or a default
VLAN/access value.
5. FortiNAC makes the appropriate configuration changes to provision the host.

FortiNAC 8.5 Study Guide 365

 Security Policies

DO NOT REPRINT
© FORTINET

This slide shows the process of a host connecting in a wired environment configured to use link traps.
1. The host connects to, or disconnects from, a wired port.
2. The device issues a link trap to FortiNAC. This could be a LinkuUp or LinkDown trap.
3. FortiNAC performs a Layer 2 poll of the device and identifies the MAC address that was added or
removed, as well as the associated port.
4. If it was a LinkUp trap, FortiNAC looks up the host in the database and determines the access that should
be provisioned based on the state of the host, a matched security policy, or a default VLAN/access value.
5. FortiNAC makes the appropriate configuration changes to provision the host.

FortiNAC 8.5 Study Guide 366

 Security Policies

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 367

 Security Policies

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiNAC 8.5 Study Guide 368

 Security Policies

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about FortiNAC security policies. It is through
security policies that FortiNAC provides customized on-boarding options, simplified security configuration for
wireless access, detailed network access provisioning, endpoint compliance validation, and customizable
backend authentication services.

FortiNAC 8.5 Study Guide 369

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about FortiNAC’s guest and contractor management capabilities. The
combination of visibility and control make FortiNAC the perfect solution for on-boarding and managing BYOD
devices.

FortiNAC 8.5 Study Guide 370

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topic shown on this slide.

FortiNAC 8.5 Study Guide 371

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in the concepts and configurations used to manage BYOD devices, you will be
able to effectively use FortiNAC to securely on-board unknown devices.

FortiNAC 8.5 Study Guide 372

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

Guest and contractor management begins with an administrative user creating a Guest/Contractor
Template. These templates define the details of the guest or contractor accounts created from them. If you
were going to have two different types of guests and four types of contractors in your environment, you would
create six different templates.

Any administrative user can be given the ability to create and manage these accounts. In this lesson, you will
learn how to create an Administrative Profile that limits associated administrative users to having guest and
contractor management capabilities only. These types of administrators are often called sponsors, and this
allows for safe delegation of guest and contractor-related tasks. You can designate access to specific guest or
contractor templates within the Administrative Profile.

FortiNAC 8.5 Study Guide 373

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

Sponsors can then select any guest or contractor template they have been allowed access to in the Admin
Profile, and create accounts. After you have created an account, you can provide the sponsor with the ability
to manage the account through the Admin Profile.

FortiNAC 8.5 Study Guide 374

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

The user icons used by guest and contractor accounts differ from those used for standard network users or
administrative users. Accounts created from Guest/Contractor Templates with a Visitor Type set to Guest
will have a user icon depicting a notebook and pencil. Accounts created from Guest/Contractor Templates
with a Visitor Type set to Contractor will have a user icon depicting a briefcase. There is no other difference
between a guest or contractor user icon and the standard user icons. Hosts that registered to those accounts
will appear within the user branch, like you saw in the Visibility lesson.

Guests are typically accounts with short account durations, often less than 24 hours, while contractors may
have accounts that last months. Note that although the account types seen on this slide are represented by
different icons, there is no difference in how they function. These icons allow quick identification of guests in
the User view.

FortiNAC 8.5 Study Guide 375

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

There are five different ways that guest accounts can be created in FortiNAC.

Single accounts are created by a sponsor. The sponsor fills in all fields defined by the selected
Guest/Contractor Template.

Bulk accounts are one or more accounts either entered in a comma-separated list, one account per line, or
imported from a file by a sponsor. All the accounts will share an Account Start Date and Account End Date.
The account fields selected in the Guest/Contractor Template will define the information that needs to be
entered in the comma-separated list.

Conference accounts are auto-generated by FortiNAC. The creation of the accounts is initiated by a sponsor.
The sponsor sets a Conference Type which defines the user name and password format. The available
options are Individual User Name/Individual Passwords, Individual User Name/Shared Password,
Shared User Name/Shared Password. Conference accounts will all share the same Conference Start Date
and Conference End Date.

When creating single, bulk, or conference accounts, the sponsor selects the Guest/Contractor Template that
will be used. Recall that the sponsor will see only the templates made available to them in their administrative
profile.

A self-registered guest account is an account the guest creates themselves from the registration isolation
network. These accounts can be automatically approved by FortiNAC, or they can generate emails to one or
more sponsors who then can approve or deny the account.

A kiosk is a dedicated workstation where guests can create their own accounts, normally located in a public
area, such as a reception desk. Accounts created from the kiosk are automatically approved by FortiNAC. The
kiosk workstation is enabled when a sponsor, assigned an administrative profile that has the Enable Guest
Kiosk box selected on the General tab, logs in to the FortiNAC admin page.

FortiNAC 8.5 Study Guide 376

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

This slide shows the first step of guest and contractor management, as defined on the Concepts of Guest and
Contractor Management slides, the creation of a guest/contractor template.
On the Users tab, select Guest/Contractor Templates. The view will display all existing templates. Clicking
Add will open the Add Guest/Contractor Template window.

FortiNAC 8.5 Study Guide 377

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

Each guest and contractor template has three tabs: Required Fields, Data Fields, and Note. The Required
Fields tab is where template settings that define account capabilities are set. Each template must have a
unique name, and this is defined in the Template Name field.

The Visitor Type sets the type of user icon that will represent any guest or contractors created from this
template. The options are:
• Guest—This account type is used to represent short term accounts, normally lasting one day or less. The
user icon used to represent a guest account is a notepad and pencil.
• Contractor—This account type is used to represent a temporary employee, that may last weeks or months.
The contractor icon used to represent a contractor icon is a briefcase.
• Conference—This account type is used to create a group of short or long-term accounts that all share the
same account duration settings. These accounts can have unique usernames and passwords, shared
usernames and passwords, or unique usernames with a shared password. The user icon used to
represent conference accounts is the same person with a blue jacket used for standard network users.
• Self-Registered Guest—This account type is used to represent accounts created by the guest through the
guest self-registration portal. The user icon used to represent conference accounts depicts the same
person with a blue jacket used for standard network users.

The Role field, by default, will populate with the Template Name but can be selected from a list of existing
roles. Roles can be created on the Policy tab by selecting Roles. The role value of a guest and contractor
template will populate the Role field of any account created from the template. The Security & Access Value
field can be used to designate any value an administrator desires, to populate the Security & Access Value
field of any account created from the template. Both the Role and Security & Access Value field values can
be used to create User/Host Profiles for use in security policies, such as a network access policies.

FortiNAC 8.5 Study Guide 378

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

The Username Format is always Email, and account information can be sent to end users over email or
SMS. If SMS is going to be used, the account information defined in the Data Fields must include Mobile
Provider and Mobile Number. The Password Length field is where the exact length of each FortiNAC auto-
generated password can be defined. The value must be between 5 and 64.

Password exclusions are characters that will not be used in the auto-creation of passwords. By default, this
field is populated with all non-numeric and non-alphanumeric characters. This default list of exclusions can be
repopulated by clicking Use Mobile-Friendly Exclusions.

If a Reauthentication Period is defined, the host will be isolated when the designated time expires and the
user will need to re-authenticate in order to get out of isolation. Authentication method options are Local,
LDAP, or RADIUS. Local is the default option and is usually the case when creating short-term accounts
such as guests or self-registered guests.

Account Duration and Login Availability provide the administrator with a way to define when the account
will be deleted from the database, or what days of the week and times of day the account will be enabled.

The URL for Acceptable Use Policy is an optional field that provides a link to an acceptable use policy page.

FortiNAC 8.5 Study Guide 379

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

The Data Fields tab is where guest account fields are selected. Each pre-existing field can be set to:

Ignore—Fields set to ignore will not appear on the guest account creation page.
Required—Fields set to required will have to be filled in during account creation and an error will be
generated if a required field is left blank.
Optional—Fields set to optional will appear on the account creation view but can be left blank.

Data fields can be added or deleted from the list with the exception of the Email field. This is a mandatory
field and will act as the username. All fields can be reordered.

The selected fields defined within the template will make up the account creation page for the sponsor to
complete, or for the guest to complete in the case of a kiosk or self-registration page.

FortiNAC 8.5 Study Guide 380

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

Recall that administrator profiles define the capabilities of the administrative users they are assigned to. In this
lesson, you will learn how to create an administrative user that is limited to the creation and management of
guest accounts. This type of administrative user is often called a sponsor.

As you learned in a previous lesson, administrative profiles are created from within the Admin Profiles view
located on the Users tab. Clicking Add will open the Add Admin Profile window.

FortiNAC 8.5 Study Guide 381

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

Recall from a previous lesson that each profile will have a unique name, a logout after setting for inactivity
timeout, and login availability options to specifically define when administrators assigned this profile can log in
to FortiNAC. The Enable Guest Kiosk check box will provide a drop-down list of all available templates as
well as a field for entering the welcome text that will be displayed on the kiosk screen. The Permissions tab
will not be displayed for administrative profiles that have the Enable Guest Kiosk box selected.

When a administrator assigns a kiosk-enabled profile log to the FortiNAC GUI, the page that loads will be a
registration page where guests can build accounts for access.

FortiNAC 8.5 Study Guide 382

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

The Permissions tab is where you can select which permission sets to define the capabilities of a sponsor. In
the example shown on this slide, only the Guest/Contractor permission set has been selected using the
Access check box. Then the Custom check box, indicated on this slide with a red arrow, can be selected to
provide detailed account creation capabilities. When the Custom check box is selected, the Manage Guests
tab will appear, indicated on this slide by a green arrow.

The Manage Guests tab contains the following settings:

Guest Account Access: This drop-down list defines the guest or contractor accounts that can be managed.
All Accounts, No accounts, or Own Accounts, the final option meaning only accounts created by this
sponsor. Management of a guest account means that the account can be enabled, disabled, or the password
reset.

The types of accounts the sponsor can create are selected from the list of Account Types check boxes.
Control of how far in advance a sponsor can create accounts, as well as how long those accounts will exist
before expiration can also be defined on the Manage Guests tab.

The Allowed Templates drop-down list will define if all Guest/Contractor Templates will be available for
use or if only Specific Templates will be made available. The Specify Templates portion of the window will
allow you to specifically select which templates will be available to the sponsor.

FortiNAC 8.5 Study Guide 383

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

You can create guests and contractor accounts on the Guest/Contractor Accounts view located on the
Users tab. When adding a single, bulk, or conference account, you must select a Template from the drop-
down list. The available templates in the list will be made up of the allowed templates as defined in the Admin
Profile.

For a single account, the remaining fields will be all of the required and optional fields in addition to the
Account Start Date and Account End Date settings.

FortiNAC 8.5 Study Guide 384

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

Bulk accounts are one account per line, and information is comma separated. The selected template will
define the columns and column order for manual entry or file import. Click Import From File… to select a pre-
created list of accounts. Regardless of the manner of entry, all columns must be represented, with columns
being left blank identified with two commas. For example, if the data being imported was First Name, Last
Name, Address, Email, and Reason, but street address was optional and left empty, it would look something
like this: [email protected],John,Doe,,Interview. All bulk accounts will share the
same Account Start Date: and Account end Date:.

FortiNAC 8.5 Study Guide 385

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

Conference accounts are initiated by a sponsor but actually auto-generated by FortiNAC. The Conference
Type drop-down list is used to define if each auto-generated account should have unique or shared user
names and passwords. The name of the conference will be used as part of the account names. The maximum
number of attendees is defined within the template and any number up to that can be entered. The
Conference Start Date and Conference End Date will be the same for all generated accounts.

FortiNAC 8.5 Study Guide 386

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

You can manage guest and contractor accounts on the Guest/Contractor Accounts view. Depending on the
settings configured in the admin profile, an administrator or sponsor may have the ability to manage any
account, no accounts, or only accounts they created. Each account is presented with its account attributes as
well as the user ID of the sponsor who created the account. This is the same view where account creation is
performed.

You can modify, delete, view selected accounts, as well as reset passwords. Viewing an account will display
all the information shown on the main page in addition to the account password. On the View Accounts
window, you can email, send by SMS, and print account information, as well as create badges.

FortiNAC 8.5 Study Guide 387

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

A self-self registered guest account is created by the guest who wants to on-board a host. The self-
registration page is presented to rogue hosts that have been isolated in the registration isolation network. The
user, once presented with the isolation portal page, can fill in the required fields as defined in the
Guest/Contractor Template associated with the page, and submit the request. You can configure FortiNAC
to require approval from a sponsor, or to automatically approve the request. If sponsor approval is required,
one or more sponsors can be notified of the request through an email message, and the request can be
approved or denied from within the email. Sponsors can be required to enter FortiNAC credentials in order to
approve or deny a request. Automatic approval results in the guest being immediately notified within the portal
that their request was approved, and they will be able to on-board from the approval page.

FortiNAC 8.5 Study Guide 388

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

If you want to create a new registration isolation network portal page, select Portal Configuration from the
System tab. Then select Create New Portal Configuration from the drop-down list. In this example, the new
page is named SelfRegisteredGuest and is indicated by the blue arrow. Select Login Menu on the
Registration branch of the Content Editor tree. The blue callout box identifies the Self Registration Guest
Login Enabled check box. This example would create a page with only one option for guests presented with
the registration isolation portal. As you learned earlier, this portal could then be presented using a Portal
Policy. A common deployment configuration would present this portal to all rogue hosts that connect to a
specific SSID, such as an open guest SSID.

FortiNAC 8.5 Study Guide 389

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

Also within the Registration branch of the Content Editor is the configuration screen for the Self
Registration Login page. This is the page that will be presented to isolated users when they click the Self
Registration Login option on the registration portal page. The text that appears on the page can be modified
within this view as well as options that define the behavior as it applies to the on-boarding process. The
following settings apply important behaviour options:
• Default Sponsor Email—You can configure this field in three different ways. First, you can enter a single
email address designating a single sponsor, who will receive all self-registration requests. Another option
would be to enter multiple emails, comma separated, so that each self-registration request will be sent to
each sponsor in the list. Finally, you can leave the field empty, which will result in the self-registration page
having an empty field, allowing the guest requesting access to enter the email of the sponsor. Note that
any email entered must be associated with a sponsor account on FortiNAC.
• Require Sponsor Approval—Select this check box to require a sponsor to approve a self registration
request. If the check box is not selected, all requests will be automatically approved without the need for
sponsor interaction. By default, the check box is not selected.
• Guest Request Expiration (minutes)—This option defines how long, in minutes, a request that requires
approval will be valid. If the time expires with the guest not having been approved or denied by a sponsor,
the guest will need to submit a new request.

FortiNAC 8.5 Study Guide 390

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

The lower portion of the Self Registration Login page provides access to these additional common settings:
• Sponsor Approval Link Requires Login—The sponsor must enter valid FortiNAC credentials to
successfully approve or deny a request.
• Notify User via Portal Page—When a request is processed by a sponsor, the result is displayed in the
captive portal page notifying the guest.
• Show Password in Portal Page Notification—The notification page for an approved guest will include
the username and password on the login form, allowing the user to submit the form and on-board their host
without having to note the information.

Options also exist for guest notification, such as SMS or email, as well as acceptable use policy
configurations. As with all methods of guest account creation, the Guest/Contractor Template is selected
from a drop-down list to define the self-registration accounts.

FortiNAC 8.5 Study Guide 391

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 392

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objective that you covered in this lesson.

FortiNAC 8.5 Study Guide 393

 Guest and Contractor Management

DO NOT REPRINT
© FORTINET

This slide shows the objective you covered in this lesson.

By mastering the objective covered in this lesson, you learned how to use FortiNAC as a tool to create and
manage guest and contractor access.

FortiNAC 8.5 Study Guide 394

 Integration Suite

DO NOT REPRINT
© FORTINET

In this lesson you will learn about FortiNAC’s ability to integrate with third-party devices using Syslog or
SNMP traps.

FortiNAC 8.5 Study Guide 395

 Integration Suite

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topic shown on this slide.

FortiNAC 8.5 Study Guide 396

 Integration Suite

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in integration using Syslog and SNMP input, you should be able to leverage
existing infrastructure devices to trigger FortiNAC notifications and responses.

FortiNAC 8.5 Study Guide 397

 Integration Suite

DO NOT REPRINT
© FORTINET

In a previous lesson, you learned how an event can be mapped to an alarm, and that alarms can have actions
attached to them. This slide shows the complete flow, beginning with an event trigger and ending with an
action. Event triggers are a set of criteria that, when satisfied, cause an event to be generated. By default,
there are approximately 430 different event triggers. This is a one-to-one association. Each time the trigger is
satisfied, the event is generated. Recall that events are displayed in the Events view located on the Logs tab.

You can then map events to generate alarms. By default, there are about 55 events mapped to generate
alarms. Events that generate alarms are not necessarily mapped in a one-to-one association, like event
triggers are to events. You can define events to generate alarms using a Trigger Rule with the following
options:

One Event to One Alarm: This option will generate an alarm each time the event is generated.
All Events to One Alarm: This option will generate an alarm only the first time the event is generated. No
further alarms will generated until the previous alarm is cleared.
Event Frequency: This option will generate an alarm only if the event occurs a user-defined number of times
within a user-defined time period configured in seconds, minutes, or hours.
Event Lifetime: This option will generate an alarm if a user-defined clear event is not triggered within a user-
defined period of time, designated in seconds, minutes, or hours.

You can then map alarms to automatically trigger actions. By default, no alarms will trigger actions. These
must be configured by an administrator. The available actions that can be triggered will depend on the event
that triggered the alarm to be generated. For example, actions that affect hosts would be available only if the
trigger event was host based and could identify the host, such as the Host Connected event. Alarm-to-action
mappings have a one-to-one association.

FortiNAC 8.5 Study Guide 398

 Integration Suite

DO NOT REPRINT
© FORTINET

The focus of this lesson is to learn how to create event triggers from input received from third-party devices.
The input can be in the form of a Syslog message or an SNMP trap. Once the trigger has been created, the
event-to-alarm-to-action flow can be configured to notify administrators or end users, as well as take host
access control actions. A fundamental part of this process is the creation of a parser, so that FortiNAC can
accurately identify the key components of the input it receives. A parser is then associated with the device that
will be sending the input.

FortiNAC 8.5 Study Guide 399

 Integration Suite

DO NOT REPRINT
© FORTINET

You can create Syslog Files for Syslog messages that are in comma separated value (CSV) format, common
event format (CEF), or Tag/Value format. When using the CSV format, you can use one of three characters to
designate the delimiter: a comma, space, or vertical bar. The Syslog File is created to parse the content of
the message, column by column, or to identify the tag-to-value mapping.

Any device that will send Syslog messages to FortiNAC must be modelled in the Topology view. FortiNAC
will not process Syslog or trap messages it receives unless the source address belongs to a topology-
modelled device. As part of the modelling process, the Incoming Events field on the device Element tab
must be set to Syslog so that FortiNAC understands the type of message to expect from that device. A
second drop-down list will contain all Syslog files, and you should select the appropriate one for accurate
Syslog parsing.

FortiNAC 8.5 Study Guide 400

 Integration Suite

DO NOT REPRINT
© FORTINET

To create a new Syslog file, navigate to System > Settings, and select Syslog Files from the System
Communication branch. Click Add to open the Add Syslog Files window. You must select the Processing
Enabled check box for FortiNAC to process any Syslog messages using this Syslog file. You must give each
Syslog file a unique name, and you must complete the following fields:

Event Label: This will be the name of the new event that will be generated. The name should contain only
alphanumeric characters and cannot be the same as a pre-existing event.
Format: The Syslog message format as described previously, CSV, CEF, or Tag/Value. If CSV is selected, a
Delimiter must be selected as well. Syslog files with a Format set to CSV will use the word Column in the
following settings, while those with a Format set to Tag/Value or CEF will use Tag.
IP Column or Tag: The column or tag that contains the IP address of the host that caused the device to send
the Syslog message.
Filter Column or Tag: The column or tag used to identify the data in the Syslog message that FortiNAC
should evaluate for a match against the Filter Values field.
Filter Values: The value FortiNAC will match against the data found in the column or tag identified in the
Filter Column or Tag field.
Severity Column or Tag: The column or tag that contains a severity value. This value will be compared
against the values in the Severity Values fields.
Severity Values: The values that will be compared against the value in the Severity Column or Tag field. If a
match is found, the event will be generated. Three possible events can be generated depending on the tab the
value was found on. The example shown on this slide would generate a ContentViolation Low Severity
event if column 32 contained a value of one, two, or three.

FortiNAC 8.5 Study Guide 401

 Integration Suite

DO NOT REPRINT
© FORTINET

The Event Column field is where you can build a variable index by indicating the fields that contain the
information you want to include in the generated event. The fields that appear in the list will be represented by
their index location, starting with the first entry being numbered as 0 and counting up.

For example, this slide shows that the contents of column 6 will be represented by variable 0, and the
contents of column 14 will be represented by variable 1.

The Event Format is the message that is displayed when the event is generated. Variables are inserted into
the event text by enclosing the desired variable number in curly brackets. Events will appear in the Logs >
Events view.

FortiNAC 8.5 Study Guide 402

 Integration Suite

DO NOT REPRINT
© FORTINET

When a device is modelled in the Topology view as a Pingable Device, it will have an Element tab with a list
of settings. For Syslog integration, the Incoming Events field, indicated on this slide with a red arrow, will
have Syslog selected in the drop-down list. This defines for FortiNAC the type of message this device will
send. The drop-down list on the right side will contain all of the Syslog files. Select the appropriate one for
parsing Syslog messages from this device.

FortiNAC 8.5 Study Guide 403

 Integration Suite

DO NOT REPRINT
© FORTINET

FortiNAC can also process SNMP version 1 or 2 traps, and use them as event triggers. A MIB is created and
will contain one or more custom traps. As a best practice, generate and capture the trap to assist in the
creation of the mapping. The Label field is where the event name is entered. This will be the name of the new
event that will be generated. This label should be alphanumeric, and not be the same as any existing event.
The Specific Type will be a number that defines the trap as it relates to the vendor of the device. Enterprise
OID identifies the enterprise or manufacturer of the device. For example, Fortinet has an enterprise OID of
1.3.6.1.12356. The combination of these two values will uniquely identify the trap.

Traps will contain a varbind list. A varbind made up of an OID for an object and the data value associated with
that object. FortiNAC can extract IP address, MAC address, or userid information from a trap to identify the
host that caused the trap to be issued. This will allow FortiNAC to use end-user notification or host control
capabilities. Only one of the fields needs to be used.

The Alarm Cause is for a textual description of the probable cause of the alarm. The Event Format (Java
Message API) field is for a textual description of the event, and it can include variables pulled from varbinds
within the trap. The variables are inserted by enclosing the varbind number in curly brackets. The varbind
number is determined by counting down the varbind list, starting at zero. For example, the data associated
with the fifth varbind down would be represented using {4}.

FortiNAC 8.5 Study Guide 404

 Integration Suite

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 405

 Integration Suite

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objective that you covered in this lesson.

FortiNAC 8.5 Study Guide 406

 Integration Suite

DO NOT REPRINT
© FORTINET

This slide shows the objective that you covered in this lesson.

By mastering the objective covered in this lesson, you learned how to integrate third-party devices with
FortiNAC, making it possible to be notified and trigger automated responses.

FortiNAC 8.5 Study Guide 407

 Security Automation

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about FortiNAC security automation. Security automation combines the core
FortiNAC features of visibility and control with security device integrations, to create an automated response
and immediate threat mitigation solution. You can build workflows to carry out detailed notification and host
access control processes based on the threat detected.

FortiNAC 8.5 Study Guide 408

 Security Automation

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiNAC 8.5 Study Guide 409

 Security Automation

DO NOT REPRINT
© FORTINET

After completing this section you should be able to achieve the objectives shown on this slide.

By understanding the concepts and configurations of security automation, you should be able to leverage
FortiNAC to integrate with security devices and execute workflows for dynamic threat mitigation and control in
your environment.

FortiNAC 8.5 Study Guide 410

 Security Automation

DO NOT REPRINT
© FORTINET

The ability to orchestrate network security processes with FortiNAC empowers an organization to
automatically control network access, and respond using detailed workflows designed around received
security alerts.

Visibility provides the context necessary to correlate received alerts, and control provides the ability to
mitigate or notify based on administrator-defined work flows. The ability to integrate with nearly any device
expands the endpoint-based visibility to include real-time knowledge of potentially threatening behaviour. The
integration is bi-directional, meaning FortiNAC can pass detailed information upstream as well as receive it.

FortiNAC 8.5 Study Guide 411

 Security Automation

DO NOT REPRINT
© FORTINET

The policy-based platform, leveraging complete end-to-end visibility with the integration of these tools enables
the creation of preventative network access and threat triage processes to automate NOC provisioning and
SOC threat response procedures.

Security orchestration is the combining of the visibility, detection, control, and response capabilities to create
automated prevention processes. The detailed workflows are created to notify, update, log, and provision
based on our alerts received from external sources in conjunction with visibility details stored in the FortiNAC
database.

FortiNAC 8.5 Study Guide 412

 Security Automation

DO NOT REPRINT
© FORTINET

FortiNAC processes the inbound security events, correlates the contextual visibility information, performs
detailed analysis of the events against defined security rules, and performs the appropriate action or response
to take for that specific incident.

The development of these security rules follows a circular process. Security alerts are processed. The
organization determines the desired response to the specific situation, for example, a particular security alert
caused by a specific host or user. Then a security rule is created to respond the next time the situation occurs.

Then the process begins again. As more and more security roles are created, there'll be fewer and fewer
alerts that need to be manually processed or evaluated.

FortiNAC 8.5 Study Guide 413

 Security Automation

DO NOT REPRINT
© FORTINET

The example shown on this slide displays some of the information that may be received by FortiNAC in the
form of a security alert. This information will be combined with the visibility information that exists within the
FortiNAC database and will include all of the host and user attributes. For example, you would know the host
by name, physical address, IP address, location, and so on, as well as the user information, such as name,
email, and phone extension. This provides important information to those that are making the decisions on
how to handle this particular type of alert, and helps determine what type of work flow should be designed.

The key attribute that makes the association between the security alert and the host is the IP address. The
user information can be both the user that registered the device in a BYOD situation, and the currently logged
on user.

FortiNAC 8.5 Study Guide 414

 Security Automation

DO NOT REPRINT
© FORTINET

Adding the detailed contextual information can be done by directing security alerts to FortiNAC. FortiNAC
could then be configured to forward the combined information, alert, host, and user details upstream by
designating a log host, as discussed in a previous lesson.

FortiNAC 8.5 Study Guide 415

 Security Automation

DO NOT REPRINT
© FORTINET

Security automation is enabled through the creation of security rules. These rules can include the actions, or
work flows, desired for automated response. Each security rule can execute any number of associated tasks,
allowing you to create responses with varying levels of detail. Security rules are ranked and each received
security alert is evaluated against each rule in the ranked order until a match is found. If no match is found, no
action is taken.

The example shown on this slide depicts two security rules, each with multiple associated actions. If a security
alert is received by FortiNAC that matches security rule 1, the associated host will be moved to the quarantine
isolation network, the alert, host, and user information will be logged on the SIEM and a notification with those
details will be sent to the SOC. If security rule 2 is matched, the alert, host, and user information will be sent to
the SIEM and passed along for further analysis.

Security alert information passed along for further analysis is normally the starting point for new rule creation.
As the alerts are more fully understood, new work flows can be created to automate the responses and new
rules can be created to leverage those work flows.

FortiNAC 8.5 Study Guide 416

 Security Automation

DO NOT REPRINT
© FORTINET

Understanding the terminology used, and a fairly detailed explanation of the process, goes a long way in
understanding how the FortiNAC security rules work, and simplifies their development.

Starting with the top row in the example shown on this slide, and reading left to right, the process begins with
the receipt of a security alert. A security alert is the Syslog message received from an integrated security
device. The alert is processed by FortiNAC, which means that the message contents are parsed and each
component evaluated. The contents are then compared to all existing filters.

A filter is a user-created set of criteria. For example, a filter could simply look at the contents of column 35 of
the parsed security alert and check to see if the value matches the defined requirement. Or, it could require
the match of many columns of information. If no filter is matched, the process exits and nothing occurs. If a
filter is matched, a security event is generated.

In this next step, FortiNAC evaluates all security triggers. A security trigger is made up of one or more filters.
Logic can be applied if there is more than one filter making up a trigger, for example, one, all, or a subset of
the filters may need to be matched within a defined period of time. If all criteria are matched for the trigger to
be satisfied, FortiNAC evaluates any associated User/Host Profiles. These are the same
profiles covered in the security policy lesson. Just as before, they are used here to leverage who, what,
where, and when visibility information. The inclusion of a user/host profile allows an administrator to create
different workflows for different endpoints, even if the trigger being matched is the same. If both the trigger
and any associated user/host profile are satisfied, a security alarm is created.

The final step is were the workflows can be defined. If the security rule has an associated action, that action
can be carried out in an automated or manual manner. Actions are one or more activities. These activities are
the automated responses, and can include notification actions, network access actions, or script execution.

FortiNAC 8.5 Study Guide 417

 Security Automation

DO NOT REPRINT
© FORTINET

To summarize what was discussed on the previous slide:

A filter is a set of defined criteria evaluated against the contents of a parsed security alert. Any field contained
in the security alert can be used as part of a filter. Some fields are normalized, meaning they are mapped to
specific field names, such as Severity, Source Address, and so on. Other fields will be identified using column
numbers or tag values. When a filter is evaluated, all designated criteria must match for a true result. When a
filter evaluation returns a true result, a Security Event is generated.

A trigger is one or more filters. A time occurrence requirement can be configured defining a window of time
setting for two or more filters. For example, the trigger could be satisfied if all or a subset of the filters are
matched within 2 minutes. If all trigger criteria are satisfied, a user/host profile requirement can be added.

The logic that can be applied to the user/host profile requirement options are:
• None: No user/host profile requirement
• Match: The user or host element associated with the security event must match the profile
• Do Not Match: The user or host element associated with the security event must not match the profile

If the trigger is satisfied, and the user/host profile requirement is met, a Security Alarm is generated and any
associated actions are executed. An action consists of one or more activities. Activities are the wide variety of
tasks FortiNAC can perform. For example, an action could consist of the activities needed to mark a host at
risk, change the host’s role value, and/or send a message to the host.

Security rules are evaluated in order of priority.

The examples shown on the bottom of this slide highlight the components of a Security Rule as well as those
of a Security Filter.

FortiNAC 8.5 Study Guide 418

 Security Automation

DO NOT REPRINT
© FORTINET

Any time a filter is matched, a security event is generated. Security events will contain the following
information about the host that caused the security alert to be issued:
• Date and time
• Source IP
• Source Mac
• Destination IP
• Location
The security event will also contain the Alert Type, Subtype, Severity, Threat ID, and Event Description of the
security alert.

A security alarm will contain the host MAC, alarm date and time, the security rule that was matched, and any
actions taken.

Note, that for each security alarm generated, there will be at least one associated security event. Recall that a
trigger could contain more than one filter, and each matched filter would generate a security event. For
example, a trigger that requires two filters to be matched, would have two security events associated with the
security alarm each time the trigger was satisfied.

FortiNAC 8.5 Study Guide 419

 Security Automation

DO NOT REPRINT
© FORTINET

Security rules are created in the Policy Configuration view, accessible from the Policy tab. This is the same
view that security policies are created in. On the left side of the screen, select Security Rules, and click the
Add button to open the Add Security Rule window. This window will allow you to enable the rule, give the
rule a name, and then select or build each of the different components that make up a security rule. The icons
to the right of each component allow you to create new components or edit the existing selected component.
You can define notification settings to notify administrative group members each time the rule is matched,
each time an associated action is taken, or both.

FortiNAC 8.5 Study Guide 420

 Security Automation

DO NOT REPRINT
© FORTINET

The manual configuration of a Security Trigger consists of entering a Name, defining the associated
Security Filters requirements, any Time Limit requirements in Seconds, Minutes, or Hours, and the Filter
Match criteria.

The Name must be unique among existing security triggers.

Create Security Filters by clicking the Add button. Each filter will consist of the necessary values, by field,
required to identify a matching security event. You must define one or more of the fields, and all defined fields
are logically ANDed together.

The Time Limit setting is used in conjunction with the Filter Match setting, defining if Any filter match will
result in satisfying the trigger, or if a subset of filters, matched within the Time Limit, will be required.

You can simplify trigger creation by building the filters directly from existing security events, which will be
described later in this lesson.

FortiNAC 8.5 Study Guide 421

 Security Automation

DO NOT REPRINT
© FORTINET

The User/Host Profile setting is primarily used to create different responses based on the same Trigger
being satisfied by different types of users. For example, you may want to handle an alert differently if it were
caused by a guest, as opposed to if it were caused by a contractor, or employee. These User/Host Profiles
are the same ones used by security policies, and any existing profiles will be available from the drop-down
list. Icons to the right of the drop-down list allow you to add a new profile, or modify the currently selected
profile. Recall from earlier in this lesson that the profile requirement can be set to None, Match, or Do Not
Match.

FortiNAC 8.5 Study Guide 422

 Security Automation

DO NOT REPRINT
© FORTINET

The Action drop-down list within a security rule offers three options, None, Automatic, and Manual. These
options define if and when the associated action will be performed. A setting of None will not perform any
action, Automatic will perform the action as soon as the security alarm is generated, Manual will not perform
the action until it is initiated by an administrator.

The second drop-down list will contain all of the existing actions, if any. To the right of the second drop-down
list are two icons that provide the ability to edit the currently selected action or to create a new action.

The creation of an action begins with providing a unique Name, and setting the On Activity Failure
configuration. The On Activity Failure setting defines how FortiNAC will proceed with the execution of
Activities in the event an activity fails to execute successfully. Activities are organized in a ranked order and
executed in that order. The options are to Continue Running Activities, ignoring the failed one, or to Stop
Running Activities.

Activities are added to the list using the Add button. There is a long list of available options ranging from
administrator or user notifications to port-based and host access control.

FortiNAC 8.5 Study Guide 423

 Security Automation

DO NOT REPRINT
© FORTINET

Security events are generated whenever a Security Filter is matched, even if the filter is used within a
Security Trigger that is not satisfied. For example, if a Security Trigger requires two Security Filters to be
matched in order to be satisfied, and only one filter is matched, the matched filter will generate a Security
Event, however, the trigger is not satisfied.

Security events can be used to create new security filters and security triggers. Right-clicking a security event
and selecting View Details will open the Event Details window. The Event Details window shows the
complete contents of the parsed security alert. The data presented first in this view are all the normalized
fields, meaning FortiNAC maps the content to the appropriate filed, such as Source IP, or Event Date. This
view is helpful for determining which attributes to key on in order to create a filter that will identify this security
alert, if it is received again.

FortiNAC 8.5 Study Guide 424

 Security Automation

DO NOT REPRINT
© FORTINET

Security filters can be created from existing security events, allowing administrators to create triggers quickly.
Right-clicking a security event and selecting Create Event Rule will open the Create Event Rule window. On
the left side of the window, in the Available Fields list, the entire contents parsed from the received security
alert will be displayed. Normalized Fields will be shown at the top of the list while all other data will be
displayed as Additional Attributes. The administrator can select any fields on the left and move them to the
right using the arrows that are shown between the fields. Clicking OK will open the Add Security Trigger
window with a Security Filter automatically created from the selected fields. Any selected field will associate
that field with the value that currently exists in the parsed security alert. For example, if the Severity field in
the selected event contains a value of Critical, the resulting security filter will evaluate that field for that value.

FortiNAC 8.5 Study Guide 425

 Security Automation

DO NOT REPRINT
© FORTINET

An administrator can view the Security Filter from within the Add Security Trigger window. The Modify
Security Filter window will show each of the selected fields from the previous step, as well as the contents of
each field. In the example shown on this slide, the normalized fields, and the values associated with them, will
appear in the top portion of the window with a check box preceding each field name. The Custom Fields
portion of the window will display all selected fields that were not normalized by FortiNAC.

The mapping that determines which fields will be normalized is defined in the security event parser
configuration window, which will be discussed in the upcoming slides. Clicking Add in the security trigger
window will allow an administrator to create security filters manually.

FortiNAC 8.5 Study Guide 426

 Security Automation

DO NOT REPRINT
© FORTINET

A security alarm looks like the example shown on this slide. The host MAC appears in the first column, then
the alarm date, which rule was matched, if any action was taken and the time, who took the action, and so on.
Then, at the bottom of the screen, you see what events were generated that go along with this alarm.
Remember, an event is generated whenever a filter is matched, a trigger is satisfied, and a user host profile is
matched. So, if a trigger had multiple filters in it, then there could be multiple events being matched in order to
result in the trigger being satisfied and, ultimately, this alarm being displayed.

At the bottom of the window, you can select the Actions Taken tab to view which actions were taken. In the
example on this slide, the Mark Host At Risk action was completed. As shown on the upper section of the
window, the host that caused this alert to be sent is identified by its MAC address. That host is now marked as
disabled, and may be moved to the dead end VLAN or to a quarantine VLAN. It depends on how those
settings are configured on FortiNAC

FortiNAC 8.5 Study Guide 427

 Security Automation

DO NOT REPRINT
© FORTINET

You can see all of the existing Security Event Parsers under System > Settings. The Security Event
Parsers settings page is located in the System Communication folder.

A security event parser will exist for each supported vendor, and administrators can delete or modify any of
the existing parsers. Adding a new Security Event Parser allows the administrator to support almost any
device that issues Syslog messages in CSV, CEF, or Tag/Value format.

Note that you must model any security device that sends alerts to FortiNAC in the Topology view, using the
IP address that will be the source of the alerts. You must also set the Incoming Events field to Security
Events.

FortiNAC 8.5 Study Guide 428

 Security Automation

DO NOT REPRINT
© FORTINET

Creating a new, customized event parser, allows FortiNAC to parse and integrate with any vendor or device
that can pass Syslog messages to it, as long as they are in CSV, CEF, or Tag/Value format. This will allow
FortiNAC to extend Security Rules, and automated response and threat mitigation offerings across a diverse
infrastructure, allowing it to use the individual strengths and capabilities of each device.

Clicking Add in the Security Event Parsers view opens the Add Security Event Parser window. The
Populate from Received Syslog button will display a list of Syslog messages FortiNAC has received. The
administrator can then designate a format and delimiter, and map the appropriate columns or tags to the
available normalized fields. The normalized field options are:
• Source IP
• Destination IP
• Type
• Subtype
• Threat ID
• Description
• Severity

The example shown on this slide has the parsed Syslog populating the Source IP field with the value
contained in column 32, the Destination IP field with the value contained in column 33, and so on. The last
normalized field in the list is Severity, and it is populated with the value from column 18. FortiNAC needs to
be configured to map severity field values to numeric values in order to create a standardized method for
evaluating severity. The Severity Mappings example shown on this slide will assign a severity value of 3 if
column 18 contains the word Low, the value of 5 if it contains the word Medium, and so on. This capability
provides integration flexibility across vendors who may not share the same terms for indicating severity.

FortiNAC 8.5 Study Guide 429

 Security Automation

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 430

 Security Automation

DO NOT REPRINT
© FORTINET

Good Job! You now understand security automation and how to configure security rules.

Now, you will learn about admin scans.

FortiNAC 8.5 Study Guide 431

 Security Automation

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the creation and use of admin scans, you will be able to assign hosts to the
quarantine isolation network and present customized portal content.

FortiNAC 8.5 Study Guide 432

 Security Automation

DO NOT REPRINT
© FORTINET

Admin scans are a means to change a host’s state to at risk. This can be performed manually, by an
administrator, or as part of an automated action. The purpose of the admin scan is so that when the host is
isolated to the quarantine network, FortiNAC knows what page to present to the end user. Recall that a host
state is changed to at risk when it has failed a scan. Policy scans are preformed by FortiNAC agents, and a
failed result has the necessary information contained within the policy to define what isolation portal page
should be displayed.

Admin scans are also used to change the state of a host to at risk, but there is no policy to define the isolation
portal page that should be displayed, so the portal page is defined within the admin scan. Typically, these
pages contain information to inform the end user why they have been isolated and assist them with steps for
remediation.

FortiNAC 8.5 Study Guide 433

 Security Automation

DO NOT REPRINT
© FORTINET

To create an admin scan, on the Policy menu, select Remediation Configuration. All existing scans will be
displayed. You can modify or remove each one by selecting the scan and clicking the appropriate button.
Clicking Add will open the Add Scan window.

FortiNAC 8.5 Study Guide 434

 Security Automation

DO NOT REPRINT
© FORTINET

The admin scan creation process requires the new scan to be given a Scan Script/Profile value to uniquely
differentiate it from any other admin scans. The Scan Script/Profile is the only required field. If a host has its
state changed to at risk because of an assigned admin scan that does not have a Patch URL field set, the
host will be isolated but the isolation page will be a default page that does not include specific information to
assist the end user. The Patch URL field is often the only other field configured in an admin scan, and it
defines the isolation page that should be presented to the end user. The isolation page should be placed in
the /bsc/Registration/registration/site directory on the FortiNAC Application server or Control
and Application server. The path for webroot is /bsc/Registration/registration so the configuration
set in the Patch URL field only needs to contain the final directory in the path. The example shown on this
slide, would direct any host that has had its status changed to at risk using this admin scan, to the isolation
portal page named MyRemPage.jsp.

FortiNAC 8.5 Study Guide 435

 Security Automation

DO NOT REPRINT
© FORTINET

FortiNAC 8.5 Study Guide 436

 Security Automation

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiNAC 8.5 Study Guide 437

 Security Automation

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to deploy dynamic security automation
capabilities, leveraging input from external sources using FortiNAC.

FortiNAC 8.5 Study Guide 438

DO NOT REPRINT
© FORTINET

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.