Administration Guide 7.4.0

Sample configurations

The port- and host-based CLI configurations shown below are samples of different types of configurations that you can adapt when developing your own. Tokens such as %port%, %ip% and %mac...% are placeholders that FortiNAC replaces with the values of the port or host the configuration is applied to before sending the commands to the device.

Example 1: Port based configuration - port speed

The configuration shown below modifies the speed and duplex settings of the port and then returns them to their normal state: the Set commands force the port to 10 Mb/s half duplex, and the Undo commands return it to auto-negotiation.

Commands      CLI configuration

Set           config t
              interface %port%
              speed 10
              duplex half
              exit
              exit

Undo          config t
              interface %port%
              speed auto
              duplex auto
              exit
              exit

Example 2: Host based CLI configuration - IP address

The configuration shown below modifies an IP ACL on the device to switch the host's DNS access between the FortiNAC software DNS server and the production DNS server. While the host can reach only the FortiNAC software DNS server it is essentially in isolation and can be forced to register; once it has access to the production DNS server it can connect to the network and reach the Internet. Read against the addresses given after the example, the Set block denies the host's DNS queries (UDP port 53, "eq domain") to the production server and permits the host to reach the FortiNAC server, and the Undo block removes exactly those two entries.

Commands      CLI configuration

Set           config t
              ip access-list extended Nac
              1 deny udp host %ip% host 192.168.34.2 eq domain
              2 permit ip host %ip% host 192.168.105.2
              exit
              ip access-list resequence Nac 10 1
              end
              write mem

Undo          config t
              ip access-list extended Nac
              no deny udp host %ip% host 192.168.34.2 eq domain
              no permit ip host %ip% host 192.168.105.2
              end
              write mem

In the example above, 192.168.34.2 is the production DNS server and 192.168.105.2 is the FortiNAC software DNS server. In the second line, Nac is the name of the ACL. The ACL name is case sensitive: if the name is not correct, the intended ACL is not modified (on IOS the commands instead create a new, unapplied ACL with the wrong name). The Undo entries must match the Set entries word for word, because "no" removes only an entry whose text matches exactly.

The ip access-list resequence Nac 10 1 command is important because it controls where each host's entries land in the ACL. The Set block inserts its entries at sequence numbers 1 and 2, which places them ahead of every existing entry; the resequence command then renumbers the whole ACL starting at 10 in steps of 1, so the new entries become 10 and 11, the entries already in the list are pushed down after them, and sequence numbers 1 and 2 are free again. Without the resequence, the next host's Set block would try to reuse sequence numbers that are already in use, and the switch would reject the entries.

If FortiNAC cannot determine the host's IP address or any other substitution value, the CLI is not run at all. A CLI Substitution Failure event is generated that describes the data that could not be substituted.

Example 3: Host based CLI configuration - MAC address

The configuration shown below modifies a MAC filtering ACL on the device to deny all traffic from a particular MAC address supplied by FortiNAC. The pattern inside the %macXXXX.XXXX.XXXX% token tells FortiNAC how to render the address, here as three dot-separated groups of four hexadecimal digits, the notation the device's mac access-list command expects.

Commands      CLI configuration

Set           config t
              mac access-list extended Nac
              1 deny %macXXXX.XXXX.XXXX% any
              exit
              mac access-list resequence Nac 10 1
              end
              write mem

Undo          config t
              mac access-list extended Nac
              no deny %macXXXX.XXXX.XXXX% any
              end
              write mem

In the example above, Nac is the name of the ACL. The ACL name is case sensitive: if the name is not correct, the intended ACL is not modified. The Undo entry must match the Set entry exactly, including the MAC address format, or "no deny" removes nothing.

The mac access-list resequence Nac 10 1 command is important because it controls where each host's entry lands in the ACL. The Set block inserts its entry at sequence number 1, ahead of every existing entry; the resequence command then renumbers the ACL starting at 10 in steps of 1, so the new entry becomes 10, the entries already in the list are pushed down after it, and sequence number 1 is free for the next host. Without the resequence, the next host's entry would collide with a sequence number already in use.
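The rendering and resequencing behaviour described in Examples 2 and 3, modelled in Python as an added example (this is not FortiNAC or Cisco code): %token% substitution with the substitution-failure path in which the CLI is not run, the %macXXXX.XXXX.XXXX% layout pattern, and a toy sequenced ACL that shows why the resequence command is needed once the Set block runs for more than one host. The host addresses, the baseline permit entry and the helper names (format_mac, render, NamedAcl, apply_set, demo) are assumptions constructed for the example.

```python
"""Added example, not FortiNAC or Cisco code: render %token% CLI templates and
model a sequenced IOS named ACL to show what 'ip access-list resequence Nac 10 1'
does for repeated Set runs. Hosts, addresses and the baseline entry are constructed."""
import re

TOKEN = re.compile(r"%([^%]+)%")


def format_mac(mac_hex, pattern):
    """Lay out 12 hex digits in the shape of an X pattern such as 'XXXX.XXXX.XXXX'.
    Assumption: each X consumes one hex digit; other characters are copied through
    and the digits keep the case they were stored in."""
    digits = iter(mac_hex)
    return "".join(next(digits) if ch == "X" else ch for ch in pattern)


def render(template, host):
    """Substitute %ip%, %port% and %macPATTERN% in each template line.
    Returns (lines, None) on success, or (None, event) when any value is missing:
    nothing is sent to the device and a substitution-failure event is reported."""
    missing = []

    def repl(match):
        token = match.group(1)
        if token.startswith("mac"):
            if not host.get("mac"):
                missing.append("mac")
                return match.group(0)
            return format_mac(host["mac"], token[3:])
        if not host.get(token):
            missing.append(token)
            return match.group(0)
        return host[token]

    lines = [TOKEN.sub(repl, line) for line in template]
    if missing:
        return None, f"CLI Substitution Failure: could not substitute {sorted(set(missing))}"
    return lines, None


class NamedAcl:
    """Minimal model of an IOS named ACL: entries kept in sequence-number order.
    The baseline entries are numbered from 10 upward, as IOS does by default."""

    def __init__(self, baseline):
        self.entries = [(10 + i, e) for i, e in enumerate(baseline)]

    def add(self, seq, entry):
        # IOS rejects an entry whose sequence number is already taken.
        if any(s == seq for s, _ in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        self.entries.append((seq, entry))
        self.entries.sort()

    def remove(self, entry):
        # 'no <entry>' removes only an entry whose text matches exactly.
        self.entries = [(s, e) for s, e in self.entries if e != entry]

    def resequence(self, start, step):
        self.entries = [(start + i * step, e) for i, (_, e) in enumerate(self.entries)]

    def ordered(self):
        return [e for _, e in self.entries]


# The two ACL lines of the Example 2 Set block (mode-changing lines omitted).
SET_TEMPLATE = [
    "1 deny udp host %ip% host 192.168.34.2 eq domain",
    "2 permit ip host %ip% host 192.168.105.2",
]


def apply_set(acl, host, resequence=True):
    """Push the rendered Set block into the ACL; returns an event string if not run."""
    lines, event = render(SET_TEMPLATE, host)
    if event:
        return event  # substitution failed: the CLI is not run
    for line in lines:
        seq, entry = line.split(" ", 1)
        acl.add(int(seq), entry)
    if resequence:
        acl.resequence(10, 1)  # 'ip access-list resequence Nac 10 1'
    return None


def demo(resequence=True):
    """Isolate two constructed hosts in turn; returns the final ACL order,
    or the collision error the switch would raise without the resequence."""
    acl = NamedAcl(["permit ip any any"])  # constructed baseline entry
    for ip in ("10.1.1.5", "10.1.1.6"):
        try:
            apply_set(acl, {"ip": ip}, resequence)
        except ValueError as exc:
            return f"collision: {exc}"
    return acl.ordered()


if __name__ == "__main__":
    print(demo(resequence=True))   # second host's entries sit above the first host's
    print(demo(resequence=False))  # collision on sequence 1 for the second host
    print(render(["1 deny %macXXXX.XXXX.XXXX% any"], {"mac": "001122AABBCC"}))
    print(render(["interface %port%"], {}))  # no port known: event, CLI not run
```

With the resequence, each run leaves the most recently isolated host at the top of the ACL and the original entries at the bottom; without it, the second run fails at sequence 1. The same model applies to the MAC ACL of Example 3, where only the entry text and the address format differ.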
