FortiLink NAC

FortiLink NAC Whiteboard

Below is a fun simulated example of how FortiLink NAC works.

[Whiteboard: "FortiLink NAC - Switch Controller & Device Onboarding"]

  FortiGate
    NAC Policy: "Corp-Laptops" -> VLAN 10
    NAC Policy: "IOT-Devices"  -> VLAN 20
        |
        | FortiLink
        |
  FortiSwitch
    Corp Laptop  (VLAN: Onboarding)
    IP Camera    (VLAN: Onboarding)
Onboarding Flow:

  1. Device Plugs In
  2. Switch reports MAC/OUI
  3. FGT matches NAC Policy
  4. FGT pushes VLAN to Port

SWITCH-CONTROLLER CLI
FGT # config switch-controller security-policy nac-policy
FGT (nac-policy) # edit "Corp-Access"
FGT (Corp-Access) # set vlan "VLAN10"
FGT (Corp-Access) # set mac-address 00:0c:29:*
FGT (Corp-Access) # end
FGT # _

Why FortiLink NAC?

It extends the Security Fabric down to the physical port. You don't configure VLANs on switch ports manually; you define what a "Trusted Device" looks like, and the FortiGate handles the rest.

Advanced Capabilities

OS Profiling & Device Inventory

FortiLink NAC doesn't just look at MAC addresses. It also uses DHCP fingerprinting and LLDP to profile exactly what is connecting. It can distinguish between a Windows laptop, an iPhone, or a specialized medical device, allowing for granular policy application without manual intervention.

ZTNA Tags for Device Profiles

Once a device is identified, FortiGate can apply Zero Trust Network Access (ZTNA) tags. These tags follow the device throughout the Security Fabric. If a device is tagged as "Vulnerable" due to a missing patch, NAC can dynamically shift its port to a Remediation VLAN until it is compliant.

Dynamic Port Segmentation

Traditional NAC required complex RADIUS setups. FortiLink NAC simplifies this by using the FortiGate as the single point of management. Ports are "dead" or assigned to a restricted "Onboarding" VLAN until the device is verified, preventing unauthorized physical access to sensitive network segments.
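The onboarding flow (plug in, report MAC/OUI, match policy, push VLAN), the OS profiling signals, the ZTNA "Vulnerable" tag and the Onboarding-VLAN fallback described in the sections above, pulled together in one added Python simulation. This is not code from the original post and not FortiOS or Fortinet code; the policy names and VLANs come from the whiteboard, while the DHCP fingerprint labels ("windows", "ip-camera"), the LLDP capability field, the port names and the MAC addresses are constructed for the example.

```python
"""
Constructed simulation of the FortiLink NAC onboarding flow described on this
page. Illustrative only: it models policy matching, the Onboarding fallback
VLAN, profiling signals (MAC/OUI, DHCP fingerprint, LLDP) and a ZTNA
"Vulnerable" tag that shifts a port to a Remediation VLAN. It does not use any
Fortinet API.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

ONBOARDING_VLAN = "Onboarding"    # where every port starts (from the whiteboard)
REMEDIATION_VLAN = "Remediation"  # quarantine VLAN for devices tagged Vulnerable


@dataclass
class NacPolicy:
    name: str
    vlan: str
    mac_pattern: Optional[str] = None       # glob over a lowercase MAC, e.g. "00:0c:29:*"
    dhcp_fingerprint: Optional[str] = None  # constructed label such as "windows"
    lldp_capability: Optional[str] = None   # constructed LLDP system-capability label


@dataclass
class DeviceEvent:
    port: str
    mac: str
    dhcp_fingerprint: Optional[str] = None  # None = no DHCP exchange seen yet
    lldp_capability: Optional[str] = None
    ztna_tags: set = field(default_factory=set)


def policy_matches(policy: NacPolicy, event: DeviceEvent) -> bool:
    """Every criterion set on the policy must match; unset criteria are wildcards."""
    mac = event.mac.lower()
    if policy.mac_pattern and not fnmatchcase(mac, policy.mac_pattern.lower()):
        return False
    if policy.dhcp_fingerprint and event.dhcp_fingerprint != policy.dhcp_fingerprint:
        return False
    if policy.lldp_capability and event.lldp_capability != policy.lldp_capability:
        return False
    return True


def assign_vlan(policies, event: DeviceEvent) -> tuple:
    """Return (vlan, reason). First matching policy wins; an unmatched device
    stays in Onboarding. A Vulnerable tag overrides any policy match."""
    if "Vulnerable" in event.ztna_tags:
        return REMEDIATION_VLAN, "ztna-tag:Vulnerable"
    for policy in policies:
        if policy_matches(policy, event):
            return policy.vlan, f"policy:{policy.name}"
    return ONBOARDING_VLAN, "no-match"


class SwitchController:
    """Tracks per-port VLAN state; a VLAN is 'pushed' (logged) only on change."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.port_vlan = {}
        self.log = []

    def on_device(self, event: DeviceEvent) -> str:
        vlan, reason = assign_vlan(self.policies, event)
        previous = self.port_vlan.get(event.port, ONBOARDING_VLAN)
        if vlan != previous:
            self.port_vlan[event.port] = vlan
            self.log.append(f"port={event.port} mac={event.mac} {previous}->{vlan} ({reason})")
        return vlan


# Policies from the whiteboard; the corp policy requires both OUI and fingerprint.
POLICIES = [
    NacPolicy("Corp-Laptops", "VLAN10", mac_pattern="00:0c:29:*", dhcp_fingerprint="windows"),
    NacPolicy("IOT-Devices", "VLAN20", dhcp_fingerprint="ip-camera"),
]


def demo():
    """Walk four constructed events through the controller; returns (results, log)."""
    ctl = SwitchController(POLICIES)
    results = {}
    # Corp OUI plus a Windows DHCP fingerprint -> VLAN10
    results["laptop"] = ctl.on_device(
        DeviceEvent("port1", "00:0C:29:AA:BB:CC", dhcp_fingerprint="windows"))
    # No OUI rule for cameras; the DHCP fingerprint alone classifies it -> VLAN20
    results["camera"] = ctl.on_device(
        DeviceEvent("port2", "00:11:22:33:44:55", dhcp_fingerprint="ip-camera"))
    # Corp OUI but no fingerprint observed yet: MAC alone is not enough, stays Onboarding
    results["pending"] = ctl.on_device(DeviceEvent("port3", "00:0c:29:de:ad:00"))
    # The laptop later tagged Vulnerable: its port shifts to Remediation
    results["quarantined"] = ctl.on_device(
        DeviceEvent("port1", "00:0C:29:AA:BB:CC", dhcp_fingerprint="windows",
                    ztna_tags={"Vulnerable"}))
    return results, ctl.log


if __name__ == "__main__":
    res, log = demo()
    print(res)
    print("\n".join(log))
```

The design choice worth noting is that every criterion set on a policy must match: a device presenting a corporate OUI but not the expected DHCP fingerprint is left in the Onboarding VLAN rather than promoted, which is the reason the page gives for profiling on more than the MAC address. The controller also only pushes (logs) a VLAN when it changes, so a repeated report from an already-placed port produces no churn.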

Seamless Fabric Integration

Because FortiSwitch is an extension of the FortiGate, security features like IPS, Antivirus, and Sandbox can be applied directly to the traffic entering the switch port. This creates a "Micro-Segmentation" environment where threats are stopped at the edge.
