FortiGate
CarlosColombini
Staff & Editor
Article Id 207698
Description

This article describes how to perform configuration on FortiGate to assign a VLAN via NAC policies based on ZTNA tags synchronized from FortiClient EMS.

Scope

FortiGate 7.0.0 +.

Solution

This article assumes that the EMS connector has already been configured. Additionally, ZTNA tags must have been configured as described in Adding a Zero Trust tagging rule set.

 

There are 3 different categories that can be used for 'Device Patterns': Device, User, and EMS Tag.

The EMS Tag (ZTNA Tag) category requires Telemetry connectivity from the onboarding VLAN to the EMS server that the endpoint is connected to.

 

This is needed for the endpoint to synchronize its tags with EMS.

Configuration steps:

  1. Configure the onboarding VLAN settings. By default, 'Security Mode' is enabled. In this example it is disabled, since this onboarding VLAN has no access to any network other than EMS Telemetry over TCP 8013.

 


 

  2. Configure the interface settings of the new VLAN that will be assigned to the endpoint.

 


 

  3. Create a firewall policy to allow traffic from the onboarding VLAN to the EMS server on TCP 8013.

    Note: If the EMS server is configured to be reachable via an FQDN (on FortiClient), ensure that DNS traffic from the onboarding VLAN to the DNS server defined in its DHCP settings is permitted by firewall policies. Further, if the IP that the EMS FQDN resolves to is a public IP address (DNATted by a VIP), ensure the policies are configured to allow traffic from the onboarding VLAN to the EMS public IP address.


 

  4. Create a firewall policy as desired to control traffic for the newly assigned VLAN.

    The example below uses the ZTNA tag from EMS and the Dynamic Address created by the NAC policy as the source address:

 

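As an added example (not from the original article), the CLI equivalent of the firewall policies described above: the onboarding VLAN may reach only EMS Telemetry on TCP 8013 (plus DNS for the FQDN case in the note), and the newly assigned VLAN is restricted to the Dynamic Address filled by the NAC policy. All names are constructed: 'onboarding' and 'vlan-compliant' for the VLAN interfaces, 'lan' and 'wan1' for the other interfaces, 192.0.2.x documentation addresses for the EMS and DNS servers, and 'Compliant' for the NAC dynamic address.

```fortios
# Added example, not the article's own configuration. Constructed names:
# "onboarding", "vlan-compliant", "Compliant", and 192.0.2.x placeholders.
config firewall address
    edit "EMS-Server"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "DNS-Server"
        set subnet 192.0.2.53 255.255.255.255
    next
end
config firewall service custom
    edit "EMS-Telemetry"
        set tcp-portrange 8013
    next
end
config firewall policy
    # Onboarding VLAN: EMS Telemetry only; everything else is implicitly denied.
    edit 10
        set name "onboarding-to-EMS"
        set srcintf "onboarding"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "EMS-Server"
        set service "EMS-Telemetry"
        set action accept
        set schedule "always"
    next
    # Only needed when FortiClient reaches EMS by FQDN: DNS to the DHCP-assigned resolver.
    edit 11
        set name "onboarding-DNS"
        set srcintf "onboarding"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "DNS-Server"
        set service "DNS"
        set action accept
        set schedule "always"
    next
    # Assigned VLAN: source limited to the MACs the NAC policy added to "Compliant".
    edit 12
        set name "compliant-vlan-out"
        set srcintf "vlan-compliant"
        set dstintf "wan1"
        set srcaddr "Compliant"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
    next
end
```

The EMS ZTNA tag address can be listed alongside 'Compliant' in srcaddr of the last policy, as the article's screenshot does; with no policy for other destinations, the onboarding VLAN has no path anywhere but EMS.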

 

  5. Configure the onboarding VLAN under 'WiFi & Switch Controller/NAC Policies/FortiSwitch Onboarding VLANs'.

 


 

  6. Configure the NAC policy under 'WiFi & Switch Controller/NAC Policies/Create New'.

 


 

Note:

The 'Bounce port' option must be enabled to renew the DHCP lease for the IP of the VLAN. Otherwise, this only happens when the DHCP lease configured on the onboarding VLAN expires (minimum 300 seconds).

  7. Optionally, 'Assign device to dynamic address' can be used to add the MAC address of units that match this NAC policy to the Dynamic Address, which can then be used in a firewall policy, for example.

  8. Configure the switch port mode to 'NAC' so that the NAC policy is triggered.

 


 

Verification Steps:

 

With the above in place, the following should happen:

  1. Once the unit is plugged into port5 of this FortiSwitch, it receives an IP address from the onboarding VLAN as per the DHCP settings (172.16.89.20 in this example).

    The unit is then added to the onboarding MAC address table. This can be verified with the command 'diagnose switch-controller mac-device nac onboarding'.
 
 

 

  2. The only traffic allowed from that source is to EMS Telemetry.
 

 

  3. Once EMS tags are synchronized from the scheduled API call, the device will match the NAC policy and be moved from the 'onboarding' table to the 'known' table.

 


 

  4. Since the Dynamic Address option is enabled, the device MAC address is added to the address 'Compliant'.



 

  5. At the same time, switch port port5 receives a bounce command and its administrative status goes down and then up, so a new DHCP request is triggered.

    This can also be verified under 'Log & Report -> Events -> FortiSwitch Events'.

 


 

Dynamic Address from NAC Policy.

 


 

Resolved Mac Address from ZTNA Tag.

 


 

Matched Endpoint from the ZTNA Tag.

 


 

Troubleshooting commands:

 

diagnose switch-controller mac-cache show
diagnose switch-controller mac-device cache
diagnose switch-controller switch-info lldp neighbors-summary
diagnose switch-controller mac-device dynamic
diagnose switch-controller mac-device nac known
diagnose switch-controller mac-device nac onboarding
diagnose user device list
diagnose firewall dynamic list
diagnose user-device-store device memory list
diagnose user-device-store device memory query 2 mac <MAC Address of the Test PC>
diagnose endpoint ec-shm list
diagnose user-device-store unified device-query filters-and 1 0 0 2;0;<MAC Address of the Test PC>

 

Debug:

 

diagnose debug reset

diagnose debug disable

diagnose debug console timestamp enable
diagnose debug application flpold 3
diagnose debug application flcfg 7
diagnose debug cli 8
diagnose debug enable

 

Stop debugging after collecting the output:

 

diagnose debug reset

diagnose debug disable