Support Forum
barisben
New Contributor II

Not Isolating Despite Not Matching Any Network Policy

If a host is registered manually or by device profiling but does not match any network policy, the correct VLAN is still assigned. For example, even though the role for that host requires the "Persistent Agent - Yes" condition to be set in the User/Host Profiles, it still gets assigned to the correct VLAN even if the host does not have a persistent agent. I came across a comment suggesting that a default VLAN should be defined and the "Reset Forced Default" option should be enabled in the settings of all ports. For instance, if I define the default VLAN as an isolated VLAN ID and enable "Reset Forced Default" in the port settings, the cookbook says "Ports that return to the default VLAN when hosts disconnect." for the Reset Forced Default setting. This implies that the task is not being accomplished as intended. Could you please explain it?

AEK
SuperUser

When a host is not in an isolation state (registration, authentication, ...), it follows policy. But when no policy matches, it is put in the default VLAN that you configured in the port properties.

When you set "Reset Forced Default", then when you disconnect the host, the port goes back to the default VLAN after 1 minute (the delay can be customized).

Personally I usually set the production VLAN as default VLAN on ports that are usually used by Corp hosts, just in case the NAC goes down. This is when you need to prioritize productivity over security.

AEK
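To make the precedence in the reply concrete, here is an added Python model (written for this page, not FortiNAC's own code) of isolation state > matching policy > port default VLAN, plus the Reset Forced Default timer; the state names, the policy dictionary format and the sample port and hosts are assumptions. The audit function lists hosts that reach a production VLAN only by falling through to the port default, which is the situation the question describes.

```python
from dataclasses import dataclass

# Assumed labels for the isolation states the reply lists (not FortiNAC's own names).
ISOLATION_STATES = {"registration", "authentication", "remediation"}

@dataclass
class Port:
    default_vlan: int            # "default VLAN" from the port properties
    reset_forced_default: bool   # the "Reset Forced Default" option
    reset_delay_s: int = 60      # reverts after 1 minute, per the reply

@dataclass
class Host:
    mac: str
    port: Port
    role: str
    persistent_agent: bool
    state: str = "connected"     # or one of ISOLATION_STATES

def policy_vlan(host, policies):
    """VLAN of the first matching network policy, or None when nothing matches."""
    for p in policies:
        if p["role"] == host.role and (host.persistent_agent or not p["requires_agent"]):
            return p["vlan"]
    return None                  # e.g. the "Persistent Agent - Yes" condition is not met

def assign_vlan(host, policies, isolation_vlan):
    """Precedence from the reply: isolation state > matching policy > port default."""
    if host.state in ISOLATION_STATES:
        return isolation_vlan, "isolation"
    vlan = policy_vlan(host, policies)
    return (vlan, "policy") if vlan is not None else (host.port.default_vlan, "port-default")

def port_vlan_after_disconnect(port, current_vlan, elapsed_s):
    """VLAN the port sits on elapsed_s seconds after its host unplugged."""
    if port.reset_forced_default and elapsed_s >= port.reset_delay_s:
        return port.default_vlan
    return current_vlan

def audit_fallthrough(hosts, policies, isolation_vlan, production_vlans):
    """MACs that reach a production VLAN only because no policy matched (the asker's case)."""
    return [h.mac for h in hosts
            if assign_vlan(h, policies, isolation_vlan) == (h.port.default_vlan, "port-default")
            and h.port.default_vlan in production_vlans]
# Constructed sample: the port default is production VLAN 10, as in the reply's own practice.
PORT = Port(default_vlan=10, reset_forced_default=True)
POLICIES = [{"role": "corp", "requires_agent": True, "vlan": 20}]
HOSTS = [Host("00:11:22:33:44:55", PORT, "corp", persistent_agent=True),
         Host("00:11:22:33:44:66", PORT, "corp", persistent_agent=False),
         Host("00:11:22:33:44:77", PORT, "corp", persistent_agent=False, state="registration")]
```

Running `audit_fallthrough(HOSTS, POLICIES, 99, {10})` flags only the agentless host, while the host in registration state stays on the isolation VLAN regardless of the port default.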