
Administration Guide

FortiVoice tag dynamic address

When a FortiVoice-supplied MAC or IP address is used in a firewall policy, a FortiVoice tag (MAC/IP) dynamic address is automatically created on the FortiGate that contains all the provisioned FortiFones registered with FortiVoice. The dynamic address can be used in firewall policies to restrict rules to authorized FortiFones only. This is useful for large voice deployments that require security and efficiency. See Example of a firewall policy.

FortiVoice tag dynamic addresses can also be applied to a NAC policy. See Example of a NAC policy.

Example of a firewall policy

In this example, two FortiFones are registered to FortiVoice and are assigned names and extension numbers. A FortiVoice Fabric connector has been authorized to join the Security Fabric. The dynamic FortiVoice tags are applied to a firewall policy.

To use a FortiVoice tag dynamic firewall address in a policy:
  1. Configure and authorize the FortiVoice Fabric connector (see Configuring FortiVoice for more information).

  2. Go to Policy & Objects > Addresses to view the newly created dynamic firewall address objects:

    1. Expand the FortiVoice Tag (IP Address) section.

      There is one entry, FOV-500000002732_Registered_Phones, which matches 192.168.12.10 to 192.168.12.11.

    2. Expand the FortiVoice Tag (MAC Address) section. There is one entry, MAC_FOV-500000002732_Registered_Phones, which matches two devices. Hover over the device serial number to view the tooltip that contains the MAC address and additional information.

  3. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.

  4. In the Source field, click the + and add the FOV-500000002732_Registered_Phones and MAC_FOV-500000002732_Registered_Phones addresses.

  5. In the Destination field, click the + and add the FOV-500000002732_Registered_Phones address.

  6. Configure the other settings as needed.

  7. Click OK.

Example of a NAC policy

In this example, a dynamic FortiVoice tag MAC address (MAC_FOV-500000003139_Registered_Phones) is applied to a NAC policy on the FortiGate. Subsequently, the connected FortiSwitch port is moved to vlan12, where traffic can be controlled for registered FortiFones. For more information about NAC policies, see Defining a FortiSwitch NAC policy in the FortiLink Administration Guide. This example assumes that the FortiVoice Fabric connector is authorized to join the Security Fabric and vlan12 is already configured. See Configuring FortiVoice for more information.

To configure a FortiVoice tag MAC address on a NAC policy in the GUI:
  1. Configure the NAC policy:

    1. Go to WiFi & Switch Controller > NAC Policies and click Create New, or edit an existing policy.

    2. In the Device Patterns section:

      • Set Category to FortiVoice tag.

      • Set FortiVoice tag to MAC_FOV-500000003139_Registered_Phones.

    3. In the Switch Controller Action section, enable Assign VLAN and select vlan12.

    4. Configure the other settings as needed.

    5. Click OK.

  2. Enable NAC mode on the desired FortiSwitch ports (port6 in this example):

    1. Go to WiFi & Switch Controller > FortiSwitch Ports.

    2. Select port6, then right-click and set the Mode to NAC.

  3. Configure the firewall policy that controls outbound internet access for the FortiFones (vlan12 to wan1):

    1. Go to Policy & Objects > Firewall Policy.

    2. Click Create New.

    3. Name the policy and configure the following parameters:

      Incoming Interface   vlan12
      Outgoing Interface   wan1
      Source               all
      Destination          all
      Schedule             always
      Service              ALL
      Action               ACCEPT

    4. Configure the other settings as needed.

    5. Click OK.

  4. Generate traffic from the FortiFone.

  5. Once the NAC policy is matched, go to WiFi & Switch Controller > NAC Policies to view the device matched to the policy.

    The FortiFone is also shown on Dashboards > Assets & Identities in the Matched NAC Devices widget.

  6. Go to WiFi & Switch Controller > FortiSwitch Ports and locate the port that the FortiFone is connected to. The port has been dynamically assigned vlan12.

To configure a FortiVoice tag MAC address on a NAC policy in the CLI:
  1. Configure the NAC policy:

    config user nac-policy
        edit "nac-policy-1"
            set category fortivoice-tag
            set fortivoice-tag "MAC_FOV-500000003139_Registered_Phones"
            set switch-fortilink "fortilink"
            set switch-mac-policy "mac-policy-1"
        next
    end
  2. Configure the VLAN in the MAC policy:

    config switch-controller mac-policy
        edit "mac-policy-1"
            set fortilink "fortilink"
            set vlan "vlan12"
        next
    end
    
  3. Enable NAC mode on the desired FortiSwitch ports:

    config switch-controller managed-switch
        edit "Access-FSW-C"
            config ports
                edit "port6"
                    set access-mode nac
                next
            end
        next
    end
    
  4. Configure the firewall policy:

    config firewall policy
        edit 1
            set name "c_fov_fon"
            set srcintf "vlan12"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
        next
    end
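
The outbound policy above admits any source on vlan12 ("all"). The introduction to this page notes that the dynamic FortiVoice tag addresses exist so that rules can be restricted to registered FortiFones only, and the firewall policy example shows the two tag objects being added as sources in the GUI. The following CLI version of the vlan12-to-wan1 policy does the same thing; it is an added example, not part of the original guide. It uses the MAC tag from the NAC example, assumes the matching IP tag is named FOV-500000003139_Registered_Phones following the naming pattern shown in the firewall policy example, and takes the interface names vlan12 and wan1 from the NAC example.

```fortios
# Added example, not from the original guide.
# Outbound policy for the voice VLAN, limited to phones registered with FortiVoice.
# Assumptions: the IP tag object FOV-500000003139_Registered_Phones exists with that
# name (derived from the naming pattern on this page); vlan12 and wan1 are the
# phone-facing and internet-facing interfaces as in the NAC example.
config firewall policy
    edit 0
        set name "c_fov_fon_registered"
        set srcintf "vlan12"
        set dstintf "wan1"
        set action accept
        set srcaddr "FOV-500000003139_Registered_Phones" "MAC_FOV-500000003139_Registered_Phones"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
```

Because the tag objects contain the phones currently registered with FortiVoice, a device that is unplugged from the voice VLAN and replaced by another host on the same port does not inherit the policy unless it is itself a registered FortiFone, and logtraffic all keeps each matching phone visible in the traffic log for later review.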
