NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 266446


This article describes an example of how to set up FortiNAC in a simplified network. It additionally covers how to connect the ports and how to handle IP addressing. This is an example of Stage 2 from this article: Technical Tip: Comprehensive guide for a simple FortiNAC deployment.


The same schema can be also used for larger setups as long as the network provides routing and IP connectivity between the nodes.




All FortiNAC and FortiGate/FortiSwitch (VLAN change without RADIUS).




  1. Network design and IP planning.

The recommended and most used type of deployment for FortiNAC is L3 deployment. Below is an example:

FNAC - L3 simple setup.png

FortiNAC will need two separate interfaces in two different subnets that need to be routed in the network. Usually, the management interface (eth0/port1) should be reachable by network devices (SSH/SNMP/API/RADIUS) and from users that are in the production network (Agent, notifications, and scans).

The Isolation interface (eth1/port2) should be reachable from the managed network devices (DHCP relay) and directly from isolated hosts (DHCP/DNS/Portal access/Agent).


Routing and firewall policies on the network devices in between need to be implemented to allow this type of traffic.


FortiNAC will apply these network configurations while following the ConfigWizard steps:


  1. Configuring eth0 (management interface):

  2. Configuring eth1 (isolation interface) and DHCP pools with network details for isolations networks:








  4. Routes for these isolation networks (DHCP pools) are automatically created and can be checked in Additional Routes section:




From the CLI, it is possible to check the configuration after applying ConfigWizard:


> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast

eth1:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast

eth1:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast


and the routes:


> ip route
default via dev eth0 dev eth0 proto kernel scope link src dev eth1 proto kernel scope link src via dev eth1 via dev eth1 via dev eth1


This configurations are described in the FortiNAC deployment guide: FortiNAC deployment guide.


  1. Adding FortiGate in FortiNAC.

After adding a switch to FortiGate or making other changes like adding VLAN interface resynchronization is needed, 'right-click' on the FortiGate and 'Resync Interfaces'. In model configuration (Virtualized Devices) the VLANs need to be tied to the isolation network:




Group membership at the port level to enforce Registration and VLAN assignments:




When a host connects to the switch in port3 and the host is unknown to FortiNAC (Rogue) it will be put in registration VLAN:



  1. Configuring FortiGate/FortiSwitch and following the network changes.

In this example, RADIUS is not configured on the switch so no security policy is applied in the ports of the switch. All the configurations are done in FortiGate only. 


In order to have a high response time on VLAN changes and better visibility, Syslog is recommended to be configured as a quick and effective solution. The configuration is done via FortiGate CLI:


config log syslogd setting
    set status enable
    set server ""
    set source-ip ""
config switch-controller global
    set mac-event-logging enable
config log syslogd filter
    config free-style
       edit 1
       set category event
       set filter "(logid 0115032615 0115032616 0115032617)"


If syslogd is already configured for another syslog server than syslogd2 or syslogd3 can be configured for FortiNAC.


Configuring the isolation VLAN in FortiGate for the managed Switch (port5 is the FortiLink port in this setup):




In order for the portal redirection to happen smoothly DHCP server must be configured as relay.


Here it is possible to see that FortiNAC has enforced Registration VLAN (512) on the switch port (as Native) when an unknown device is connected to that port:


reg enforced vlan.PNG


A firewall policy needs to be created to allow communications with FortiNAC eth1 interface only and block other access.


Here is shown the screen of the Guest host: '> ipconfig /all' output and browser page redirection (done via DNS) to the Registration portal page: 


isolated host.png

After successful login the host is redirected to the Guest VLAN (enforced by FortiNAC ) and the port of the switch is bounced to trigger an IP release on the end host:




The host now will receive an IP from VLAN 560 and the browser will be redirected to the custom success page.


These configurations are also explained in the integration guide for FortiLink mode: FortiSwitch Integration.


Port changes history as seen from FortiNAC, from Default to Registration and Guest VLAN:


port changes.PNG

Additional configurations are required in FortiNAC to do the portal login or guest self-registration.


Related article:

Technical Tip: FortiNAC Guest Captive Portal configuration and workflow.