fvazquez
New Contributor II

How to block a specific network in FortiNAC?

Hello, everyone.

Is there a way in FortiNAC to prevent a host with the persistent agent from connecting to, for example, a guest network SSID if they had previously signed in to a corporate network SSID?

Thank you all!

Operations Engineer
AEK
Honored Contributor

Hello

You can do so only if your Guest SSID is controlled by FortiNAC.

But in some installations the Guest SSID may not be controlled by FortiNAC (for license optimization or to simplify Guest SSID usage). In that case, your FortiNAC can't control who can or who can't connect to it.

However, you should be able to do this restriction at least by blocking traffic at firewall level, by enabling tags between FortiNAC & your FortiGate, then by denying traffic coming from the Guest VLAN for the specific hosts/users.

AEK
fvazquez
New Contributor II

Hello, AEK

Thanks for your response. Indeed, we have both the guest and production SSIDs controlled by FortiNAC. What we are trying to achieve is to let our coworkers who have the persistent agent connect to the production SSID (which has limited Internet access) but prevent them from connecting to the guest SSID, which is Internet "free".

Thanks!

Operations Engineer
AEK
Honored Contributor

In that case it is simple, just add a policy similar to this one:

  • Who: Any host with persistent agent
  • Where: Guest SSID
  • Put in logical network: isolation or similar

So any host with persistent agent connecting to Guest SSID will find itself in isolation network.

AEK
ebilcari

You can do it as suggested or change the User/Host profile for the Guests to limit only for the GuestSelfRegistration role (existing users will have a different role) and no Agent communicating, as shown below:

[Image: uhp.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
fvazquez
New Contributor II

Thanks!

Operations Engineer