Technical Tip: FortiNAC automated incident response does NOT change port status
Description
FortiNAC shows in the 'Security Alarms' that some action has been performed for example 'Disable port' or 'Disable Host' but nothing actually happens with the host or the switchport.
Related document.
https://docs.fortinet.com/document/fortinac/8.6.0/administration-guide/328047/automated-threat-response-atr
External resource.
https://www.youtube.com/watch?v=S2C44BFVlAw
Solution
Make sure the unit where the host is connected is a member of 'Physical Address Filtering' group.
1) Go to 'Topology' view.
2) Select the unit where hosts are connected.
3) Select 'Group Membership'.
4) Make sure 'Physical Address Filtering' group is selected (see example):
FortiNAC shows in the 'Security Alarms' that some action has been performed for example 'Disable port' or 'Disable Host' but nothing actually happens with the host or the switchport.
Related document.
https://docs.fortinet.com/document/fortinac/8.6.0/administration-guide/328047/automated-threat-response-atr
External resource.
https://www.youtube.com/watch?v=S2C44BFVlAw
Solution
Make sure the unit where the host is connected is a member of 'Physical Address Filtering' group.
1) Go to 'Topology' view.
2) Select the unit where hosts are connected.
3) Select 'Group Membership'.
4) Make sure 'Physical Address Filtering' group is selected (see example):
Related Articles