Trying to profile a device with a static IP and assign a VLAN ID based on the device profiling.
With the exception of Vendor OUI, I don't see any method that we can use in this scenario - as the equipment's IP address does not belong to the IP network initially assigned to the port, FortiNAC has no way of probing with the remaining methods, which require IP communication to/from profiled devices.
Are there any alternatives?
Hi Antonio
You are right, the client will lose any communication if it is in the wrong VLAN. Furthermore, one of the profiling information sources is DHCP requests: your FortiNAC will collect some useful profiling info from these requests (OS, hostname and others), or your FortiGate can do it as well and send this info to FNAC.
When you deploy FortiNAC your clients must use DHCP, otherwise it will not work as expected. The exception is servers, which are usually in a data center (physical security), so usually there is no need to NAC them.
For your case I think the good thing to do is that any other rogue device that connects to your network with a static IP should remain systematically in isolation unless it is set to DHCP and properly profiled.
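The reply above relies on DHCP requests as a profiling source. As an added example (not code from this thread and not Fortinet's own implementation), the block below builds a constructed DHCP DISCOVER and then extracts the fields a NAC typically fingerprints from it: the hardware address (OUI lookup), option 12 (hostname), option 60 (vendor class) and option 55 (parameter request list). The fingerprint and OUI tables are toy data chosen for the example and are assumptions, not a vendored database. Note that a host with a static IP never sends a DISCOVER, so this whole path simply never runs for it, which is exactly the gap the question describes.

```python
"""DHCP-request profiling, illustrative only (added example, not FortiNAC code)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options magic cookie at offset 236

# Toy fingerprint table keyed by the option-55 parameter request list
# (assumption: illustrative values, not an authoritative fingerprint DB).
FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows (workstation)",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "Linux (dhclient)",
}

# Toy OUI table (assumption: constructed for the example).
OUI = {
    "00:50:56": "VMware, Inc.",
    "3c:5a:b4": "Google, Inc.",
}


def build_discover(mac, hostname, vendor_class, prl):
    """Construct a minimal DHCP DISCOVER (BOOTP header + options) as a client sends it."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
    # chaddr, sname, file  -> 236 bytes
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, 0x3903F326, 0, 0x8000,
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
        chaddr, b"\x00" * 64, b"\x00" * 128,
    )
    opts = b"\x35\x01\x01"                                    # option 53 = DHCPDISCOVER
    opts += bytes([12, len(hostname)]) + hostname.encode()    # option 12 hostname
    opts += bytes([60, len(vendor_class)]) + vendor_class.encode()  # option 60
    opts += bytes([55, len(prl)]) + bytes(prl)                # option 55 param request list
    opts += b"\xff"                                           # end
    return header + MAGIC_COOKIE + opts


def parse_options(pkt):
    """Walk the TLV option area; reject anything that is not a DHCP packet or is truncated."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts


def profile(pkt):
    """Return the profiling attributes a NAC could derive from one DHCP request."""
    opts = parse_options(pkt)
    mac = ":".join(f"{b:02x}" for b in pkt[28:34])   # chaddr starts at offset 28
    prl = tuple(opts.get(55, b""))
    return {
        "mac": mac,
        "oui_vendor": OUI.get(mac[:8], "unknown"),
        "hostname": opts.get(12, b"").decode(errors="replace") or None,
        "vendor_class": opts.get(60, b"").decode(errors="replace") or None,
        "os_guess": FINGERPRINTS.get(prl, "unknown"),
        "msg_type": opts.get(53, b"\x00")[0],
    }


if __name__ == "__main__":
    sample = build_discover("00:50:56:aa:bb:cc", "LAPTOP-01", "MSFT 5.0",
                            [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    print(profile(sample))
```

Everything in that packet is client-supplied and unauthenticated: a host that spoofs a MAC can just as easily copy the hostname, vendor class and option-55 list of the device it impersonates, which is why DHCP fingerprinting on its own does not answer the MAC-spoofing question raised later in this thread.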
If the end customer wants to maintain static IPs on these devices, will it be safe to perform manual profiling before connecting the device to role-based access ports (staging) and then rely on FortiNAC profiling to keep the network safe from MAC spoofing?
Created on 04-24-2024 12:03 AM Edited on 04-24-2024 12:04 AM
I think this is not so secure. While the new device is in the prod network for profiling, even for a few seconds, it will have enough time to do many things.
That said, some customers give priority to productivity (most of them) and others give priority to security.
Having hosts using DHCP is the normal way on FNAC configurations for many reasons already mentioned.
But in your conditions you can rely a bit on the firewall (FGT is preferred). In the DPR configuration guide, pages 8-9, it is mentioned how to use firewall sessions or traffic flows in order to profile devices.
For the second part, access control without changing the host IP address, you can refer to the Firewall Tags integration, also possible with FGT. Based on the host status, network access can be limited while the host keeps the same IP and VLAN/subnet.
In this setup, the switch ports are configured in the registration VLAN by default. I guess it will not work because the FGT IP is not in the same IP network as the device.
As mentioned, this is a limited scenario. For this to work you need to dedicate a switch to connect these hosts that have static IPs and use a single VLAN for registration and production (the switch will work more like a hub, no VLAN switching). The network segmentation can be done through firewall tags while the hosts share the same VLAN/subnet.
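The replies above point at firewall sessions or traffic flows as the remaining profiling source for static-IP hosts that share one VLAN with the firewall. As an added example (not from this thread, not Fortinet's DPR implementation), the block below profiles hosts from constructed key=value session records shaped loosely like firewall traffic logs (assumption: the field names and all addresses are made up for the example). It derives, per host, which ports it serves and which it connects to, matches that against toy rules, and leaves anything unmatched in isolation, which is the policy the earlier reply recommends. The second record set shows what flow profiling can and cannot do about MAC spoofing: a spoofer that copies the printer's MAC and IP but then starts using SSH no longer matches the printer rule and drops back to isolation, while one that mimics the printer's traffic exactly would not be caught.

```python
"""Flow-based device profiling, illustrative only (added example, not FortiGate/FortiNAC code)."""
import re
from collections import defaultdict

# Constructed session records (assumption: shaped like key=value firewall traffic
# logs, not a real export; MACs and addresses are invented).
SESSION_LOG = """\
srcmac=00:11:22:aa:bb:01 srcip=10.1.5.20 dstip=10.1.5.9 proto=6 dstport=9100
srcmac=00:11:22:aa:bb:02 srcip=10.1.5.21 dstip=10.1.5.9 proto=6 dstport=631
srcmac=00:11:22:aa:bb:09 srcip=10.1.5.9 dstip=10.1.5.1 proto=17 dstport=53
srcmac=00:11:22:aa:bb:02 srcip=10.1.5.21 dstip=93.184.216.34 proto=6 dstport=443
srcmac=00:11:22:aa:bb:02 srcip=10.1.5.21 dstip=142.250.74.14 proto=6 dstport=443
srcmac=00:11:22:aa:bb:02 srcip=10.1.5.21 dstip=10.1.5.40 proto=6 dstport=445
srcmac=00:11:22:aa:bb:77 srcip=10.1.5.200 dstip=10.1.5.30 proto=6 dstport=22
srcmac=00:11:22:aa:bb:77 srcip=10.1.5.200 dstip=10.1.5.31 proto=6 dstport=22
"""

# Constructed follow-up: someone spoofs the printer's MAC/IP and starts SSHing around.
SPOOF_LOG = """\
srcmac=00:11:22:aa:bb:09 srcip=10.1.5.9 dstip=10.1.5.30 proto=6 dstport=22
srcmac=00:11:22:aa:bb:09 srcip=10.1.5.9 dstip=10.1.5.31 proto=6 dstport=22
"""

KV = re.compile(r"(\w+)=(\S+)")

# Toy rules (assumption): a host matches if it serves any of serve_any (when set),
# connects to any of client_any (when set), and never connects to client_forbid.
RULES = [
    {"label": "printer", "serve_any": {9100, 631}, "client_any": set(),
     "client_forbid": {22, 445, 3389}},
    {"label": "workstation", "serve_any": set(), "client_any": {443, 445},
     "client_forbid": set()},
]
ISOLATE = "unprofiled (isolate)"


def parse_sessions(text):
    """Turn key=value lines into dicts; blank lines are skipped."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]


def build_profiles(sessions):
    """Per host IP: ports it serves, ports it uses as a client, and distinct peers."""
    prof = defaultdict(lambda: {"served": set(), "client": set(), "peers": set()})
    for s in sessions:
        port = int(s["dstport"])
        prof[s["srcip"]]["client"].add(port)
        prof[s["srcip"]]["peers"].add(s["dstip"])
        prof[s["dstip"]]["served"].add(port)
        prof[s["dstip"]]["peers"].add(s["srcip"])
    return prof


def classify(profile):
    """First matching rule wins; a host nothing matches stays in isolation."""
    for r in RULES:
        if r["serve_any"] and not (r["serve_any"] & profile["served"]):
            continue
        if r["client_any"] and not (r["client_any"] & profile["client"]):
            continue
        if r["client_forbid"] & profile["client"]:
            continue
        return r["label"]
    return ISOLATE


def classify_all(text):
    """Convenience wrapper: {ip: label} for every host seen in the records."""
    profiles = build_profiles(parse_sessions(text))
    return {ip: classify(p) for ip, p in profiles.items()}


if __name__ == "__main__":
    print(classify_all(SESSION_LOG))
    print(classify_all(SESSION_LOG + SPOOF_LOG))
```

A host that never sends or receives anything (a static-IP device sitting in the wrong subnet, as in the original question) simply has no profile here and is classified as unprofiled, which is the behaviour the thread settles on: it stays isolated until it is placed where the firewall can actually see its traffic.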