Administration Guide

7.4.0

Manage policies

Create network access policies to assign a VLAN, implement a CLI configuration or assign a VPN Group Policy when a host requires network access. Policies are selected for a connecting host by matching host and user data to the criteria defined in the associated user/host profile. The first policy that matches the host and user data is assigned.

Note

If the host does not match any policy, it is assigned the default VLAN configured on the switch.

If you create a user/host profile with Where set to Any, Who/What by Group set to Any, Who/What by Attribute set to Any, and When set to Always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To highlight this, policies below the policy with the Catch All profile are grayed out and have a line through the data.

The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.

Settings

An empty field in a column indicates that the option has not been set.

Field

Definition

Rank

Policy's rank in the list of policies. Rank controls the order in which host connections are compared to Policies.

Note

Set Rank is now legacy architecture.

In 7.2, use drag and drop to reorder the rank from the left column; click edit from within the cell.

Name

User-defined name for the policy.

Configuration

Contains the configuration for the VLAN, CLI configuration or VPN Group Policy that will be assigned if this Access Policy matches the connecting host. See Network access configurations.

Who/What

Attributes

A host or user must meet all parameters within a single filter, but is only required to match one filter in the list. The attribute must be known at the time of connection. See Filter example.

RADIUS Attributes

Used to match against endpoints pre- and post-authentication.

Groups

  • Any — Matches any group.

  • Any Of — Matches any of the listed groups. Does not have to match everything, but has to match at least one group that has been selected.

  • All Of — Has to match every group that's been selected.

  • None Of — Has to match no group that's been selected.

Where

The connection location specified in the user/host profile. The host must connect to the network on a device, port or SSID contained within one of the groups shown here to be a match. When set to Any, this field is a match for all hosts or users.

When

The time frame specified in the selected user/host profile. The host must be on the network within this time frame to be a match. When set to Always, this field is a match for all hosts or users.

Used By

Lists all elements which are using this component.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Audit Logs.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.
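
The matching rules described on this page (first match by rank, a Catch All profile hiding every policy ranked below it, all parameters within one attribute filter but only one filter in the list, and the four group modes) can be modelled in a short script. This is an added example, not Fortinet code or a FortiNAC API; the class, the function names, the host dictionary layout and the hour-based time window are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:  # hypothetical model of a user/host profile, not a FortiNAC object
    where: object = "Any"            # "Any" or a set of device/port/SSID groups
    group_mode: str = "Any"          # Any | Any Of | All Of | None Of
    groups: frozenset = frozenset()
    filters: list = field(default_factory=list)  # attribute filters; empty means Any
    when: object = "Always"          # "Always" or (start_hour, end_hour), an assumption

    def is_catch_all(self):
        return (self.where, self.group_mode, self.when) == ("Any", "Any", "Always") and not self.filters

def groups_match(mode, selected, host_groups):
    hits = selected & host_groups
    return {"Any": True, "Any Of": bool(hits),
            "All Of": selected <= host_groups, "None Of": not hits}[mode]

def profile_matches(p, host):
    if p.where != "Any" and not (p.where & host["location_groups"]):
        return False
    if not groups_match(p.group_mode, p.groups, host["groups"]):
        return False
    # AND within a filter, OR across filters; unknown attributes never match.
    if p.filters and not any(all(k in host["attrs"] and host["attrs"][k] == v
                                 for k, v in f.items()) for f in p.filters):
        return False
    return p.when == "Always" or p.when[0] <= host["hour"] < p.when[1]

def assign(policies, host, default="default VLAN on switch"):
    for name, profile, config in policies:   # list order is rank order
        if profile_matches(profile, host):
            return name, config              # first match wins
    return None, default

def shadowed(policies):
    """Names of policies ranked below the first Catch All profile (never evaluated)."""
    for i, (_, profile, _) in enumerate(policies):
        if profile.is_catch_all():
            return [name for name, _, _ in policies[i + 1:]]
    return []

# Constructed sample data: policy names, groups and VLANs are illustrative.
POLICIES = [
    ("Contractors", Profile(group_mode="Any Of", groups=frozenset({"Contractors"})), "VLAN 30"),
    ("Catch All", Profile(), "VLAN 90"),
    ("Staff", Profile(group_mode="All Of", groups=frozenset({"Staff", "Registered"}),
                      filters=[{"os": "Windows"}, {"os": "macOS"}]), "VLAN 10"),
]
```

With the list as written, `shadowed(POLICIES)` reports the Staff policy as unreachable; moving the Catch All entry to the end of the list clears the finding, which matches the placement advice above.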
