Hi Guys.
I am wondering if a host is registered via device profiling but not maching any user policy than why it is still getting an IP from any other vlan than isolation ?
Also if no nap is matched does fortinac should put this user into either remediation or isolation ?
As my user still has production vlan IP instead of going into isolation on a user profile match failure or even any criteria failure
example if a user doesnt have persistent agent he should be not getting an ip from production
does my queries sound right or I am not understanding how the product works in such use cases?
@FortiKoala @ebilcari
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If a registered host will not match a network policy than it will be put in the default VLAN that is configured on that port. FNAC will not put this host in isolation since it is considered in a normal state.
To block access for these hosts (not hitting any NAP) you can change the default VLAN to some blackhole VLAN of the switch or create a Network Access Policy to catch all these hosts and create a logical network to move these hosts to the same blackhole VLAN or on one of the isolation VLANs.
So if you want to perform a strict NAC, you can put your default vlan as your isolation ? it is recommended or a good practice ?
Created on 11-01-2023 06:23 AM Edited on 11-01-2023 06:28 AM
Yes, based on my experience, depending on your environment you can use the following as default VLAN to spare the initial VLAN change when the host is connected in the network for the first time:
- Registration, when you have frequent turn over of new devices presented in the network
- Remediation, when existing hosts change their compliance frequently
- Dead End or a black hole VLAN if you want full isolation of the hosts
To do this with a single change at device level follow the steps as shown below:
Also enable "Reset Forced Default" on group membership for all the ports.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1071 | |
751 | |
443 | |
219 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.