filiaks1
Explorer III
June 16, 2025
Solved

Fortigate with NAC license vs FortiNAC for OT device discovery?

  • 2 replies
  • 2669 views

Hello Everyone,


I am wondering about FortiGate with NAC license vs FortiNAC for OT device discovery and whether there is any comparison?


I know that the Fortinet OT Security Service for FortiGate is for OT attacks, and that for OT device discovery a FortiNAC connected at layer 2 to the OT environment is needed, so as to be able to see ARP, DHCP, DNS, etc. and other OT-related information. But what about a FortiGate with NAC license connected via FortiLink to FortiSwitches?


From the info I have found, FortiNAC has more advanced profiling and behavior analysis for OT devices compared to FortiGate with NAC license. But maybe I am wrong?


I also think you can't stream logs to FortiNAC from the FortiGate so that the FortiNAC doesn't need to be layer 2 connected to the OT environment. That is a limitation if the FortiGate is already layer 2 connected: the FortiNAC then also needs a layer 2 connection even though the FortiGate already has one. But I could be wrong :)

Best answer by ebilcari

FortiLink also simplifies integration with FortiNAC, as adding the FortiGate automatically adds all connected FortiSwitches and access points.


FortiNAC can also be deployed in L2 if needed, but that is rarely used. In such deployments it can be inline with the hosts' traffic, but only for isolated hosts. Regular host traffic is not routed through FortiNAC.


DHCP and DNS can be routed in L3 deployments (to the FortiNAC isolation interface), but these services are still dedicated to isolated hosts, which most probably will not be configured at all in OT environments. DHCP fingerprints, which are used to profile hosts, can be routed to the FortiNAC management interface.
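The "DHCP fingerprint" the answer above refers to is, in practice, the option 55 parameter request list (plus vendor class and client MAC) taken from a client's DHCPDISCOVER/DHCPREQUEST that a relay forwards to the profiler. The following is an added, stand-alone Python example (not Fortinet's code and not FortiNAC's matching logic) that builds a relayed DISCOVER in memory, extracts those fields, and matches the option 55 list against a small fingerprint table. The `FINGERPRINTS` table, the MAC, the relay address and the vendor class string are all constructed for illustration.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie separating the fixed BOOTP header from the options

# Constructed, illustrative fingerprint table keyed by the option 55 parameter request list.
# This is NOT a vendor database; real profilers match against a large maintained list and
# combine it with vendor class (option 60), OUI and other signals.
FINGERPRINTS = {
    "1,3,6,12,15,28,42": "embedded-controller profile (constructed)",
    "1,3,6,15,31,33": "workstation-style profile (constructed)",
}


def build_discover(mac: bytes, param_list, vendor_class: bytes, giaddr="0.0.0.0") -> bytes:
    """Build a minimal DHCPDISCOVER as a relay agent would forward it (giaddr set when relayed)."""
    relayed = giaddr != "0.0.0.0"
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops, xid, secs, flags (broadcast bit)
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1 if relayed else 0, 0x3903F326, 0, 0x8000)
    hdr += bytes(4) * 3 + socket.inet_aton(giaddr)             # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + bytes(10) + bytes(64) + bytes(128)              # chaddr (16), sname (64), file (128)
    assert len(hdr) == 236
    opts = b"\x35\x01\x01"                                       # option 53: message type = DISCOVER
    opts += bytes([55, len(param_list)]) + bytes(param_list)     # option 55: parameter request list
    opts += bytes([60, len(vendor_class)]) + vendor_class        # option 60: vendor class identifier
    opts += b"\xff"                                              # end option
    return hdr + DHCP_MAGIC + opts


def parse_dhcp(packet: bytes) -> dict:
    """Extract the fields a DHCP-fingerprinting profiler uses from a raw DHCP payload."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    giaddr = socket.inet_ntoa(packet[24:28])
    chaddr = packet[28:28 + hlen]
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                      # pad option, no length byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "relay": giaddr if giaddr != "0.0.0.0" else None,   # which relay forwarded it (None if local)
        "msg_type": opts.get(53, b"\x00")[0],
        "fingerprint": ",".join(str(b) for b in opts.get(55, b"")),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
    }


def classify(info: dict) -> str:
    """Look the option 55 list up in the constructed fingerprint table."""
    return FINGERPRINTS.get(info["fingerprint"], "unknown")


if __name__ == "__main__":
    # Constructed sample: a device behind relay 10.0.5.1 (the address a relay would stamp in giaddr)
    pkt = build_discover(bytes.fromhex("005056ab0102"), [1, 3, 6, 12, 15, 28, 42], b"PLC-vendor", "10.0.5.1")
    info = parse_dhcp(pkt)
    print(info, "->", classify(info))
```

The relay-stamped `giaddr` is what lets a profiler receiving forwarded DHCP on its management interface tell which segment the client sits on without being on that segment itself; a device with a static address never sends DHCP and yields no fingerprint at all, which is the usual case for OT gear and why L2/L3 polling of the switches remains necessary.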

2 replies

Stephen_G
Moderator
June 18, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen_G - Fortinet Community Team
ebilcari
Staff
June 19, 2025

There is no documentation that directly compares the two solutions, but you can review the specifications of each individually to perform a comparison.

Regarding the network deployment, FNAC will require SNMP, CLI and API access to the network devices where the OT devices are connected, but it doesn't have to be deployed at Layer 2. Also, DHCP and DNS can be routed to FNAC. You can take a look at this dedicated guide for IoT. There are also some methods that allow integration with FGT, like firewall sessions or NetFlow, firewall tags, parsing events, etc.

Technical Tip: Device profiling methods for IoT/OT devices and nmap scanning

Technical Tip: FortiGate-FortiNAC NetFlow Integration

Emirjon
filiaks1 (Author)
Explorer III
June 19, 2025

Thanks for the fast reply @ebilcari 


I thought FortiNAC needs layer 2 visibility for OT device classification and identification, so as to see ARP, DHCP, MAC addresses, etc.? How does FortiNAC get this info, as from what I read there is no direct log integration so that a FortiGate FW or FortiSwitch could send this data?

ebilcari
Staff
June 20, 2025

Integrations with network devices are different, but they share a lot of similarities. In the FNAC documentation there are dedicated Integration Guides for most network devices.

To properly understand a full integration, I would suggest reading a guide for one of the devices, like this one for example: FortiSwitch FortiLink Integration

Usually the MAC and ARP tables in the network devices are read through CLI, SNMP or API, which you will find referred to as L2 and L3 polling (Meraki SW integration).

Emirjon
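To make the "L2 and L3 polling" in the answer above concrete: an L2 poll reads the switch's bridge forwarding table (which MAC was learned on which port), an L3 poll reads a router's ARP table (which IP currently maps to which MAC), and the NAC correlates the two by MAC. The following is an added Python example, not FortiNAC's or Fortinet's code, that performs that correlation over constructed `snmpwalk`-style output using the standard BRIDGE-MIB, IF-MIB and IP-MIB objects. The OIDs are the real standard ones; the MACs, ports, IP addresses and interface names in `SAMPLE_WALK` are constructed for illustration.

```python
import re

# Standard MIB objects used for L2 / L3 polling over SNMP.
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2."        # BRIDGE-MIB dot1dTpFdbPort, index = MAC as 6 decimal octets
BASEPORT_IFIDX = "1.3.6.1.2.1.17.1.4.1.2."  # BRIDGE-MIB dot1dBasePortIfIndex, bridge port -> ifIndex
IFDESCR = "1.3.6.1.2.1.2.2.1.2."            # IF-MIB ifDescr, ifIndex -> interface name
ARP_PHYS = "1.3.6.1.2.1.4.22.1.2."          # IP-MIB ipNetToMediaPhysAddress, index = ifIndex.a.b.c.d
# VLAN-aware switches expose the per-VLAN table in Q-BRIDGE-MIB dot1qTpFdbPort (1.3.6.1.2.1.17.7.1.2.2.1.2,
# index = vlan.mac); the parsing below is the same with an extra leading index component.

# Constructed sample: the L2 walk of a switch plus the L3 walk of the upstream router, concatenated.
# Host 00:50:56:ab:01:02 sits on port3 and has an ARP entry; 00:1d:9c:01:02:03 sits on port7 and
# has none (a static-address OT device that never talked to the router), so it is L2-only.
SAMPLE_WALK = """
.1.3.6.1.2.1.17.4.3.1.2.0.80.86.171.1.2 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.29.156.1.2.3 = INTEGER: 7
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10007
.1.3.6.1.2.1.2.2.1.2.10003 = STRING: port3
.1.3.6.1.2.1.2.2.1.2.10007 = STRING: port7
.1.3.6.1.2.1.4.22.1.2.20.192.168.10.20 = Hex-STRING: 00 50 56 AB 01 02
.1.3.6.1.2.1.4.22.1.2.20.192.168.10.1 = Hex-STRING: 00 09 0F 11 22 33
"""

LINE = re.compile(r"^\.?(\S+) = ([\w-]+): (.*)$")


def parse_walk(text: str):
    """Turn snmpwalk-style lines into (oid, type, value) tuples; ignores anything that does not match."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def mac_from_oid_suffix(suffix: str) -> str:
    """dot1dTpFdb* are indexed by the MAC written as six decimal octets, e.g. 0.80.86.171.1.2."""
    return ":".join(f"{int(o):02x}" for o in suffix.split("."))


def mac_from_hex_string(value: str) -> str:
    """Hex-STRING values come out as space-separated upper-case octets."""
    return ":".join(p.lower() for p in value.split())


def build_inventory(rows) -> dict:
    """Correlate L2 (FDB) and L3 (ARP) data by MAC into {mac: {"port": name, "ip": ip-or-None}}."""
    fdb, baseport, ifdescr, arp = {}, {}, {}, {}
    for oid, _typ, val in rows:
        if oid.startswith(FDB_PORT):
            fdb[mac_from_oid_suffix(oid[len(FDB_PORT):])] = int(val)
        elif oid.startswith(BASEPORT_IFIDX):
            baseport[int(oid[len(BASEPORT_IFIDX):])] = int(val)
        elif oid.startswith(IFDESCR):
            ifdescr[int(oid[len(IFDESCR):])] = val.strip('"')
        elif oid.startswith(ARP_PHYS):
            _ifidx, ip = oid[len(ARP_PHYS):].split(".", 1)
            arp[mac_from_hex_string(val)] = ip
    inventory = {}
    for mac, bport in fdb.items():
        ifidx = baseport.get(bport)
        inventory[mac] = {
            "port": ifdescr.get(ifidx, f"bridgeport{bport}"),  # fall back to the raw bridge port number
            "ip": arp.get(mac),                                 # None when the L3 poll never saw the MAC
        }
    return inventory


def l2_only(inventory: dict):
    """MACs seen on a switch port but absent from every polled ARP table (typical for static-IP OT gear)."""
    return sorted(mac for mac, h in inventory.items() if h["ip"] is None)


if __name__ == "__main__":
    inv = build_inventory(parse_walk(SAMPLE_WALK))
    for mac, host in inv.items():
        print(mac, host)
    print("L2-only:", l2_only(inv))
```

Two things the example makes visible that the thread only implies: the poller needs no presence on the OT VLAN itself, only SNMP (or CLI/API) reachability to the switch and router; and a device that never sends DHCP and never crosses the router still shows up, but only from the L2 poll, so its IP has to come from another source (an nmap scan, a passive sensor, or the device's own management traffic).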