Administration Guide

Policy details

7.4.0

Policy details

Policy Details assesses the selected host or user and displays the specific profile and policies that apply to the host at the moment the dialog was opened. User/host profiles have a time component and hosts may be connected at different locations. Therefore, the profile and policy displayed in Policy Details now may be different than the profile and policies that display tomorrow. Each type of policy is displayed in a separate tab that also contains a Debug Log.

Note: This Debug Log can be sent to Customer Support for analysis.

To access Policy Details from Hosts:

  1. Select Users & Hosts > Hosts.
  2. Search for the appropriate host to access the context menu.
  3. Select the host and right-click.
  4. From the menu, select Policy Details.

To access Policy Details from User Accounts:

  1. Select Users & Hosts > User Accounts.
  2. Search for the appropriate user to access the context menu.
  3. Select the user and right-click.
  4. From the menu, select Policy Details.

Network Access tab settings

| Field | Definition |
| --- | --- |
| Profile Name | Name of the user/host profile that matched the selected host or user when it was assessed by Policy Details. This profile contains the required criteria for a connecting host, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated network access policy and network access configuration. See User/host profiles. |
| Policy Name | Name of the network access policy that currently applies to the host. See Network access. |
| Configuration Name | Name of the configuration that currently applies to the host. This is the configuration for the VLAN, CLI configuration, or VPN Group Policy for the host. See Network access configurations. |
| Access Value/VLAN | The specific network access that would be provided to the host, such as a VLAN ID or Name. |
| CLI | Name of the CLI configuration that currently applies to this host or the connection port. This field may be blank. |
| Tags | Firewall Tags - defined in a Logical Network Configuration as part of a device's Model Configuration. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |
| Edit Test | Opens the Test Policy dialog where you can simulate host, adapter, and user combinations to create test scenarios for policies and profiles. See Policy simulator. |

Authentication tab settings

| Field | Definition |
| --- | --- |
| Profile Name | Name of the user/host profile that matched the selected host or user when it was assessed by Policy Details. This profile contains the required criteria for a connecting host, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated network access policy and network access configuration. See User/host profiles. |
| Policy Name | Name of the authentication policy that currently applies to the host. |
| Configuration Name | Name of the configuration that currently applies to the host. This is the configuration for the VLAN, CLI configuration, or VPN Group Policy for the host. |
| Authentication Method | When enabled, the selected authentication method will override all other authentication methods configured in the portal, guest/contractor template, and Persistent Agent credential configuration. |
| Authentication Enabled | Indicates whether authentication is enabled. When enabled, the user is authenticated against a directory, the FortiNAC database, or a RADIUS server when logging on to access the network. |
| Time in Production before Authentication | When a user is waiting to authenticate, the host remains in the production VLAN until this time expires. If the user fails to authenticate within the time specified, the host is moved to the authentication VLAN. |
| Time Offline before Deauthentication | Once the host is offline, the user remains authenticated for this period of time. If the host comes back online before the time period ends, the user does not have to reauthenticate. If the host comes back online after the time period ends, the user is required to re-authenticate. |
| Reauthentication Frequency | When set, this forces users to re-authenticate after the amount of time defined in this field passes since the last authentication regardless of the host's state. The host is moved to the authentication VLAN until the user reauthenticates. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |
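
The three timer fields above interact, so the following added example (not FortiNAC code and not part of the original guide) models only what those definitions state and returns the VLAN a host would be placed in. Assumptions: all times are in seconds, the names `AuthTimers`, `HostState` and `vlan_for` are hypothetical, and a user deauthenticated while the host was offline counts as "waiting to authenticate" from the moment the host comes back online.

```python
from dataclasses import dataclass
from typing import Optional

PRODUCTION = "production"
AUTHENTICATION = "authentication"


@dataclass
class AuthTimers:
    time_in_production: int          # Time in Production before Authentication
    time_offline: int                # Time Offline before Deauthentication
    reauth_frequency: Optional[int]  # Reauthentication Frequency (None = not set)


@dataclass
class HostState:
    online_since: int                    # when the host last came online
    last_auth: Optional[int] = None      # last successful authentication
    offline_since: Optional[int] = None  # start of the offline period that ended at online_since


def reauth_due(now: int, host: HostState, t: AuthTimers) -> bool:
    """Reauthentication Frequency: counted from the last authentication,
    regardless of the host's state."""
    return (host.last_auth is not None and t.reauth_frequency is not None
            and now - host.last_auth >= t.reauth_frequency)


def deauthed_while_offline(host: HostState, t: AuthTimers) -> bool:
    """Time Offline before Deauthentication: the user stays authenticated
    only if the host returned before the offline period ran out."""
    if host.last_auth is None or host.offline_since is None:
        return False
    if host.offline_since < host.last_auth:
        return False  # user authenticated again after that offline period
    return host.online_since - host.offline_since >= t.time_offline


def vlan_for(now: int, host: HostState, t: AuthTimers) -> str:
    if reauth_due(now, host, t):
        # Page: host is moved to the authentication VLAN until reauthentication.
        return AUTHENTICATION
    if host.last_auth is not None and not deauthed_while_offline(host, t):
        return PRODUCTION  # user is still authenticated
    # User is waiting to authenticate: production VLAN until the grace time expires.
    # Assumption: the grace window is counted from online_since.
    if now - host.online_since < t.time_in_production:
        return PRODUCTION
    return AUTHENTICATION


# Constructed sample settings: 5 min grace, 10 min offline window, daily reauth.
SAMPLE_TIMERS = AuthTimers(time_in_production=300, time_offline=600,
                           reauth_frequency=86400)
```

Running a host through `vlan_for` at several points in time shows why Policy Details can report a different result later for the same host and profile.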

Supplicant EasyConnect tab settings

| Field | Definition |
| --- | --- |
| Profile Name | Name of the user/host profile that matched the selected host or user when it was assessed by Policy Details. This profile contains the required criteria for a connecting host, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated supplicant easy connect policy and supplicant configuration. See User/host profiles. |
| Policy Name | Name of the most recent supplicant easy connect policy that currently applies to the host. See Supplicant EasyConnect. |
| Configuration Name | Name of the configuration that currently applies to the host. This is the configuration for the supplicant on the host to allow access on a particular SSID. See Supplicant configurations. |
| SSID | Name of the SSID for which the supplicant is being configured. |
| Security | Type of encryption used for connections to this SSID, such as WEP or WPA. |
| EAP Type | Currently only PEAP is supported. Not always required. This field may be blank. |
| Cipher | Encryption/decryption method used in conjunction with the information in the Security field to secure this connection. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |

Endpoint compliance tab settings

| Field | Definition |
| --- | --- |
| Select Platform | The platform is used to determine the agent that would be assigned to the host. Not all platforms are displayed here. Only the platforms that support the Persistent Agent or Mobile Agent are displayed. |
| Profile Name | Name of the user/host profile that matched the selected host. This profile contains the required criteria for a connecting host, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated endpoint compliance policy and endpoint compliance configuration. See User/host profiles. |
| Policy Name | Name of the endpoint compliance policy currently applied to the selected host. See Endpoint compliance policies. |
| Configuration Name | Name of the configuration that currently applies to the host. This is the configuration for the scan and agent for the host. See Endpoint compliance configurations. |
| Scan Name | Name of the scan currently used to evaluate this host. See Scans. |
| Detected Platform | The device type, such as iPhone or Android, that FortiNAC thinks the host is, based on the information currently available in the system. |
| Agent | Agent setting to be applied to the host. Determines whether or not an agent is used and which agent is required. Agent settings are selected in the endpoint compliance configuration. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |

Portal tab settings

| Field | Definition |
| --- | --- |
| Profile Name | Name of the user/host profile that matched the selected host or user when it was assessed by Policy Details. This profile contains the required criteria for a connecting host, such as connection location. Host connections that match the criteria within the user/host profile are assigned the associated portal configuration. See User/host profiles. |
| Policy Name | Name of the portal policy that currently applies to the host. See Portal policy. |
| Configuration Name | Name of the portal configuration that currently applies to the host. See Portal content editor. |
| Debug Log | Click this link to display a log of the policy assessment process. Text within the log can be copied and pasted into a text file for analysis by Customer Support. |
