doncacciatoconsuting
Explorer II
December 22, 2025
Question

FortiNAC - Rogue Host Isolation

  • December 22, 2025
  • 2 replies
  • 600 views

What are some of the ways you can place rogue hosts in an isolation VLAN?

I know that you can choose a managed switchport and set the port to Forced Remediation/Registration/Default. But that doesn't seem scalable. What happens if a rogue host shows up on a port that is set to "Role Based Access"? In my case, it doesn't pass a Device Profiling Rule, so it's just connected, potentially on a production VLAN. I would like to create a User/Host Profile that identifies a rogue, and a corresponding NAC Policy to move it to the desired isolation/registration VLAN.

Any ideas?

2 replies

AEK
SuperUser
December 23, 2025

You can create an additional policy at the bottom of all access policies to match all remaining cases and put them in the isolation network.

This is like an implicit deny rule in firewalling.

AEK
ebilcari
Staff
December 23, 2025

There is no need, because host state evaluation takes priority over the Network Access Policy. If 'Forced Registration' is enforced on a port, the rogue host will be moved to the configured registration VLAN.

Some details are covered in this article: Technical Tip: 'State based Control' concept and VLAN changes

Emirjon
AEK
SuperUser
December 23, 2025

If I understand his question well, he means the case when the "forced states" are not active on the port, and only "role based access" is enabled.

In that case the rogue host is not isolated, right? And in this case some policy could match the host, right?

AEK
ebilcari
Staff
December 23, 2025

There is no reason not to enforce registration on all ports, if rogue hosts are expected to be connected on a port. If registration is not enforced, then the rogue hosts should fall into the Default VLAN and not be put in a production VLAN.

Emirjon