Hello Everyone,
I am wondering about FortiGate with NAC license vs FortiNAC for OT device discovery and if there is any comparison?
I know that the Fortinet OT Security Service for FortiGate is for OT attacks, and that for OT device discovery a FortiNAC connected on layer 2 with the OT environment is needed so as to be able to see ARP, DHCP, DNS, etc. and other OT-related information, but what about a FortiGate with NAC license connected with FortiLink to FortiSwitches?
From what I have found as info, FortiNAC has more advanced profiling and behavior analysis for OT devices compared to FortiGate with NAC license. But maybe I am wrong?
I also think you can't stream logs to FortiNAC from FortiGate so that the FortiNAC does not have to be layer 2 connected to the OT environment, which is a limitation if the FortiGate is already layer 2 connected: the FortiNAC then also needs a layer 2 connection even though the FortiGate is already layer 2 connected. But I could be wrong :)
FortiLink also simplifies integration with FortiNAC, as adding the FortiGate automatically adds all connected FortiSwitches and access points.
FortiNAC can also be deployed in L2 if needed, but that is rarely used. In such deployments, it can be inline with the hosts' traffic, but only for isolated hosts. Regular host traffic is not routed through FortiNAC.
DHCP and DNS can be routed in L3 deployments (to the FortiNAC isolation interface), but these services are still dedicated to isolated hosts, which most probably will not be configured at all in OT environments. DHCP fingerprints that are used to profile hosts can be routed to the FortiNAC management interface.
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
There is no documentation that directly compares the two solutions, but you can review the specifications of each individually to perform a comparison.
Regarding the network deployment, FNAC will require SNMP, CLI and API access to the network devices where the OT devices are connected, but it doesn't have to be deployed at layer 2. Also, DHCP and DNS can be routed to FNAC. You can take a look at this dedicated guide for IoT. There are also some methods that allow integration with FGT, like firewall sessions or NetFlow, firewall tags, parsing events, etc.
Technical Tip: Device profiling methods for IoT/OT devices and nmap scanning
Technical Tip: FortiGate-FortiNAC NetFlow Integration
Thanks for the fast reply @ebilcari
I thought FortiNAC needs layer 2 visibility for OT device classification and identification so as to see ARP, DHCP, MAC addresses, etc.? How does FortiNAC get this info, as from what I read there is no direct log integration so that a FortiGate FW or FortiSwitch would send this data?
Created on 06-20-2025 05:26 AM Edited on 06-20-2025 05:30 AM
Integrations with network devices are different, but they share a lot of similarities. In the FNAC documentation there are dedicated Integration Guides for most of the network devices.
To properly understand a full integration, I would suggest reading a guide for one of the devices, like this one for example: FortiSwitch FortiLink Integration
Usually the MAC and ARP tables in the network devices are read through CLI, SNMP or API, which you will find referred to as L2 and L3 polling (Meraki SW integration).
Created on 06-22-2025 03:48 AM Edited on 06-22-2025 10:00 AM
Thanks for the replies @ebilcari, just a final question. FortiLink is an integration just between FortiGate and FortiSwitch/AP/Extender; from what I understand it is not used by a dedicated FortiNAC device?
Other than that, when I asked AI ChatGPT it thinks FortiNAC has more capabilities for OT detection/classification than FortiGate with integrated NAC, but hey, that is ChatGPT, but it sounds logical to me :)
By the way, I also saw FortiGate and FortiNAC Integration in For... - Fortinet Community and L3 polling | FortiNAC-F 7.6.0 | Fortinet Document Library, so I see that L3 polling is usually based on SNMP or CLI (SSH) or API (FortiGate integration) and L2 polling is usually based on CLI, SNMP or syslog (FortiSwitch managed by FortiGate, where the FortiGate sends the L2 data).
I suspect that FortiNAC still needs to be in the data path, even if not at layer 2, to see DNS requests from the OT devices or DHCP messages (with DHCP relay where the DHCP server is not in the layer 2 segment). Maybe there is more to this?
Created on 06-25-2025 05:29 AM Edited on 06-25-2025 05:32 AM
I still think Fortinet should have public comparison documentation between FortiNAC and FortiGate with NAC license, especially for OT visibility.
Also, to increase the OT classification precision, it needs to be mentioned which protocols are needed, as there were articles that actually recommended that FortiNAC be one of the DHCP helpers/relays so as to see the DHCP traffic between the devices and the DHCP servers. Maybe DHCP and DNS, like the other layer 3 data, need to be pulled by the FortiNAC, but it seems not well documented, for OT discovery to be as accurate as possible, what needs to be forwarded and how when FortiNAC is not in the layer 2 path.
Still, thanks for the help @ebilcari, and I got that if I feed FortiNAC all traffic with layer 2 or layer 3 polling it can do OT classification without being layer 2 connected to the OT environment, even if I feel it needs to be documented a little more.
Maybe, even if I marked your answer as the solution, a final question is: can FortiNAC be a DHCP relay not just for isolated traffic, or, as the OT is initially being discovered, is it in the isolated VLAN only and then DHCP requests and responses are needed? Also, what about DNS?
For device fingerprinting, the DHCP relay can be configured to forward requests to the production DHCP servers along with the management IP of FNAC. In this case, FNAC operates in listen-only mode, passively collecting host information without responding to DHCP requests or assigning IP addresses.
For hosts in isolation networks, the DHCP relay is configured to forward requests exclusively to the isolation IP of FNAC. In this scenario, FNAC functions as a standard DHCP server and also advertises its own IP address as the DNS server.
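The listen-only collection described in the reply above, as an added example (not Fortinet or FortiNAC code): a Python parser that takes a DHCPDISCOVER forwarded by a relay and pulls out the fields a profiler keys on (client MAC, hostname, vendor class, option 55 parameter request list) without ever building a reply. The PLC hostname, vendor class string and MAC are constructed sample values, not a capture.

```python
import struct
from dataclasses import dataclass

BOOTP_HEADER_LEN = 236                 # fixed BOOTP header (RFC 951)
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # marks the start of DHCP options
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 8: "INFORM"}   # client-side types

@dataclass
class DhcpFingerprint:
    mac: str
    msg_type: str
    hostname: str
    vendor_class: str
    param_request_list: tuple   # option 55 order is the classic fingerprint key

def parse_dhcp(packet: bytes) -> DhcpFingerprint:
    """Parse BOOTP header plus DHCP options (RFC 2131/2132); read-only, no reply."""
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]                                  # hardware address length
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    opts, i = {}, BOOTP_HEADER_LEN + 4
    while i < len(packet) and packet[i] != 255:       # 255 = end option
        if packet[i] == 0:                            # 0 = pad byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpFingerprint(
        mac=mac,
        msg_type=MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN"),
        hostname=opts.get(12, b"").decode("ascii", "replace"),
        vendor_class=opts.get(60, b"").decode("ascii", "replace"),
        param_request_list=tuple(opts.get(55, b"")),
    )

def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER from a fictitious PLC (sample data, not a capture)."""
    header = struct.pack("!BBBB", 1, 1, 6, 0)          # BOOTREQUEST, Ethernet, hlen 6
    header += b"\x00" * 24                             # xid, secs, flags, 4 addresses
    header += bytes.fromhex("021a2b3c4d5e") + b"\x00" * 10   # chaddr (16 bytes)
    header += b"\x00" * 192                            # sname + file
    options = (b"\x35\x01\x01"           # 53: DHCPDISCOVER
               + b"\x0c\x05PLC01"        # 12: hostname (constructed)
               + b"\x3c\x0aOT-PLC-FW1"   # 60: vendor class (constructed)
               + b"\x37\x04\x01\x03\x06\x2a"   # 55: wants mask, router, DNS, NTP
               + b"\xff")
    return header + MAGIC_COOKIE + options
```

Running `parse_dhcp(build_sample_discover())` yields the profiling record only; nothing is sent back, which is what distinguishes the fingerprinting relay target from the isolation-network DHCP server described in the same reply.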
Created on 06-25-2025 08:57 AM Edited on 06-25-2025 02:35 PM
Thanks for the fast reply again :) About the isolation network, I saw your article DNS service for isolation network - Fortinet Community.
I suspect that if the FortiNAC is configured to get the DNS logs from the FortiGate with API or log forwarding (layer 3 polling) when the FortiGate is the DNS proxy (FortiGate DNS Server works as DNS proxy - Fortinet Community), or if the FortiNAC is just in between the DNS requests and DNS responses, then that is how DNS can be captured as well. I think the DNS logs being sent by the FortiGate seems the more native approach.
Also, RADIUS | FortiNAC-F 7.6.0 | Fortinet Document Library, using MAC Authentication Bypass (MAB) and 802.1X in OT environments to forward the layer 2 data, seems nice (the RADIUS credentials from the switch are the MAC addresses), as that is something I just reviewed and I am sharing it.
Copyright 2025 Fortinet, Inc. All Rights Reserved.