Luca_
New Member
December 22, 2025
Question

FortiNAC-F Host not isolated when Untrusted application is detected

  • December 22, 2025
  • 3 replies
  • 930 views

We are using FortiNAC Pro (v7.6.5) with an agent installed on a test device (Windows 10 / Persistent Agent) that collects the applications. We marked one application as Untrusted, but the host is not being isolated. Port groups for quarantine are correctly set. What needs to be configured so that the host is automatically isolated when an Untrusted application is detected and the administrator receives a notification?

Any guidance on the required policy settings or integration steps would be appreciated.

3 replies

AEK
SuperUser
December 22, 2025

I didn't test it, but I guess that isolating such a host should be configurable either in UHP, or in host compliance, or in event mapping.

Luca_ (Author)
New Member
December 22, 2025

I have checked everywhere. Under the network access rules, there is an option to select an application, but it is not possible to select "untrusted" there, only the threat score. Otherwise, I have not found any other option, and there is also no documentation about this.

Is this even possible?

AEK
SuperUser
December 22, 2025

Then it should be threat score.

earingfabulous
New Member
December 22, 2025

If a host marked Untrusted isn’t being isolated, it usually means the quarantine/enforcement policy isn’t fully applied. In FortiNAC you must:

  1. Ensure the host state (like At‑Risk/Untrusted) is mapped to a quarantine VLAN or enforcement action in your policy.

  2. Confirm the port enforcement group (e.g., Forced Remediation/Quarantine) and VLANs are correctly configured so FortiNAC can place the host into isolation when the violation is detected.

In short: the host state → isolation VLAN mapping and enforcement groups must be set so FortiNAC can actually switch the port when a violation occurs.

https://docs.fortinet.com/document/fortigate/7.6.5/administration-guide/188426

Luca_ (Author)
New Member
January 2, 2026

It is not a host that is marked as untrusted, but an application. Under User & Hosts > Applications, I have marked an application as untrusted and want all hosts that run this application to be automatically isolated. I have already fully configured FortiNAC, and the isolation works, for example, when a host fails a compliance scan.

bruzogiri
New Member
December 27, 2025

I think isolation has to be on its own interface in the NAC. So one interface for mgmt/radius/dot1x, another interface for isolation/registration stuff.