Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fvazquez
New Contributor III

Created on ‎10-13-2023 10:49 AM Edited on ‎10-13-2023 11:19 AM

How to block a specific network in FortiNAC?

Hello, everyone.

 

Is there a way in  FortiNAC  to prevent a host with persistent agent to connect to, for example, a guest network SSID if they had previously signed in into a corporate network SSID?

 

 

Thank you all!

Felipe Vázquez - ET Com, Operations Engineer
Felipe Vázquez - ET Com, Operations Engineer
Labels:
1678
0 Kudos
2 Solutions
AEK
SuperUser
SuperUser
In response to fvazquez

Created on ‎10-16-2023 11:28 AM Edited on ‎10-16-2023 11:29 AM

In that case it is simple, just add a policy similar to this one:

  • Who: Any host with persistent agent
  • Where: Guest SSID
  • Put in logical network: isolation or similar

So any host with persistent agent connecting to Guest SSID will find itself in isolation network.

AEK

View solution in original post

AEK
1613
ebilcari
Staff
Staff
In response to fvazquez

Created on ‎10-18-2023 08:56 AM

You can do it as suggested or change the User/Host profile for the Guests to limit only for the GuestSelfRegistration role (existing users will have a different role) and no Agent communicating like shown below:

uhp.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

1573
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎10-14-2023 02:08 PM

Hello

You can do so only if your Guest SSID is controlled by FortiNAC.

But in some installation the Guest SSID may not be controlled by FortiNAC (for license optimization or to simplify Guest SSID usage). In that case, your FortiNAC can't control who can or who can't connect to it.

However you should be able to do this restriction at lease by blocking traffic at firewall level, by enabling tags between FortiNAC & your FortiGate, then by denying traffic coming from the Guest VLAN for the specific hosts/users.

AEK
AEK
1650
0 Kudos
fvazquez
New Contributor III
In response to AEK

Created on ‎10-16-2023 09:01 AM

Hello, AEK

 

Thanks for your response. Indeed we have both the guest and production SSIDs controlled by FortiNAC. What we are trying to achieve is to let our coworkers that have the persistent agent to connect to the production SSID (which has limited Internet access) but prevent them from connecting to the guests SSID that is Internet "free".

 

 

Thanks!

Felipe Vázquez - ET Com, Operations Engineer
Felipe Vázquez - ET Com, Operations Engineer
1619
0 Kudos
AEK
SuperUser
SuperUser
In response to fvazquez

Created on ‎10-16-2023 11:28 AM Edited on ‎10-16-2023 11:29 AM

In that case it is simple, just add a policy similar to this one:

  • Who: Any host with persistent agent
  • Where: Guest SSID
  • Put in logical network: isolation or similar

So any host with persistent agent connecting to Guest SSID will find itself in isolation network.

AEK
AEK
1614
ebilcari
Staff
Staff
In response to fvazquez

Created on ‎10-18-2023 08:56 AM

You can do it as suggested or change the User/Host profile for the Guests to limit only for the GuestSelfRegistration role (existing users will have a different role) and no Agent communicating like shown below:

uhp.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1574
fvazquez
New Contributor III

Created on ‎10-18-2023 09:22 AM

Thanks!

Felipe Vázquez - ET Com, Operations Engineer
Felipe Vázquez - ET Com, Operations Engineer
1567
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.