FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
oarslan
Staff
Description
Dynamic port policies allow the user to specify rules that dynamically determine port policies. 

After the FortiLink policy settings are created, define the dynamic port policy rules.
When a rule matches the specified device patterns, the switch-controller actions control the portʼs properties.

When dynamic port policy rules are added to the FortiLink policy settings, the rules are processed sequentially, from the first rule to the last rule. 
The last rule in the FortiLink policy settings should indicate the default properties for any port that has been assigned these FortiLink policy settings.

Solution
To configure dynamic port policy rules:

1) Set the access mode and port policy for the port.

2) Set the FortiLink policy settings to the FortiLink interface.

3) Create the FortiLink policy settings.

4) Create the dynamic port policy rule.

5) Set how often the dynamic port policy engine runs.

Set the access mode and port policy for the port.

# config switch-controller managed-switch
edit <FortiSwitch_serial_number>
# config ports
edit <port_name>
set access-mode dynamic
set port-policy <dynamic_port_policy>
next
end
next
end

Set the FortiLink policy settings to the FortiLink interface.

Enable the dynamic port policy on the FortiLink interface by specifying the FortiLink policy settings on the FortiLink interface.

# config system interface
edit fortilink
set switch-controller-dynamic <FortiLink_policy_settings>
next
end

Create the FortiLink policy settings.

From the GUI:

1) Go to WiFi & Switch Controller -> FortiSwitch Port Policies.

2) Select 'Dynamic Port Policies'.

3) Select 'Configure Dynamic Port Settings'.

4) Select the onboarding VLAN from the Onboarding VLAN dropdown list. The default onboarding VLAN is onboarding.

5) Move the Bounce port slider to enable the port to go down and then up when NAC mode is configured on the port.

6) If the dynamic port policy is used with FortiSwitch network access control, move the Apply rule to NAC policies slider to enable it.

7) Select 'Next'.

8) When units are matched by a dynamic port policy, it is possible to assign those units to a dynamic port VLAN. By default, there are six VLAN templates:
- default—This VLAN is assigned to all switch ports when the FortiSwitch unit is first discovered.
- onboarding—This VLAN is for NAC onboarding units.
- quarantine—This VLAN contains quarantined traffic.
- rspan—This VLAN contains RSPAN and ERSPAN mirrored traffic.
- video—This VLAN is dedicated for video units.
- voice—This VLAN is dedicated for voice units.

It is possible to select one of the default VLAN templates, edit one of the default VLAN templates, or create a dynamic port VLAN.

9) Click Submit.

Using the CLI:

# config switch-controller fortilink-settings
edit <name_of_this_FortiLink_configuration>
set inactive-timer <integer>
set link-down-flush {enable | disable}
# config nac-ports
set onboarding-vlan <string>
set bounce-nac-port {enable | disable}
end
next
end

Create the dynamic port policy rule.

From the GUI:

1) On the Dynamic Port Policies page, select the dynamic port policy to add dynamic port policy rules to.

2) Select 'Edit'.

3) Select 'Create New'.

4) In the Name field, enter a name for the dynamic port policy rule.

5) Make certain that the status is set to 'Enabled'.

6) In the Description field, enter a description of the dynamic port policy rule.

7) To match a MAC address, move the MAC Address slider and enter the MAC address to match.

8) To match a host name or IP address, move the Host slider and enter the host name or IP address to match.

9) To match a device family, move the Device Family slider and enter the name of the unit family to match.

10) To match a device type, move the Type slider and enter the unit type to match.

11) To assign an LLDP profile to the device that matches the specified criteria, move the LLDP profile slider and enter the name of the LLDP profile.

12) To assign a QoS policy to the unit that matches the specified criteria, move the QoS policy slider and enter the name of the QoS policy.

13) To assign an 802.1x policy to the device that matches the specified criteria, move the 802.1X policy slider and enter the name of the 802.1x policy.

14) To assign a VLAN policy to the unit that matches the specified criteria, move the VLAN policy slider and enter the name of the VLAN policy.

15) Select 'OK'.

Using the CLI:

# config switch-controller dynamic-port-policy
edit <dynamic_port_policy_name>
set description <string>
set fortilink <FortiLink_interface_name>
# config policy
edit <policy_name>
set description <string>
set status {enable | disable}
set category {device | interface-tag}
set mac <MAC_address>
set type <device_type>
set family <device_family_name>
set host <host_name_or_IP_address>
set lldp-profile <LLDP_profile_name>
set qos-policy <QoS_policy_name>
set 802-1x <802.1x_policy_name>
set vlan-policy <VLAN_policy_name>
set bounce-port-link {disable | enable}
next
end
next
end

Creating a VLAN policy.

It is possible to specify a VLAN policy to be used in the port policy. 
In the VLAN policy, you can specify the native VLAN to be applied, the allowed VLANs, and the untagged VLANs. 

It is possible to enable or disable all defined VLANs and select whether to discard untagged or tagged frames or to not discard any frames.

# config switch-controller vlan-policy
edit <VLAN_policy_name>
set description <policy_description>
set fortilink <FortiLink_interface>
set vlan <VLAN_name>
set allowed-vlans <lists_of_VLAN_names>
set untagged-vlans <lists_of_VLAN_names>
set allowed-vlans-all {enable | disable}
set discard-mode {none | all-untagged | all-tagged}
next
end
 
For example:

# config switch-controller vlan-policy
edit vlan_policy_1
set fortilink fortilink1
set vlan default
next
end

Set how often the dynamic port policy engine runs.
In the FortiOS CLI, it is possible to change how often the dynamic port policy engine runs.
By default, it runs every 15 seconds. The range of values is 5-60 seconds.

# config switch-controller system
set dynamic-periodic-interval <5-60 seconds>
end
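The five steps above, carried through as one complete CLI configuration. This is an added example, not part of the original article: every concrete name in it (the FortiLink settings name fl-settings-1, the interface fortilink1, the VLAN policies vp-voice and vp-default, the dynamic port policy dpp-1 and its rules, port1, the device type string, and the serial-number placeholder) is constructed for illustration. The objects are created in dependency order so that each name exists before it is referenced, and the rule set ends with a catch-all rule, because rules are processed first to last and the last rule supplies the properties for any port whose device matched nothing earlier. The catch-all here places unmatched devices on the onboarding VLAN rather than a production VLAN, so an unknown device gets no more access than the NAC onboarding path grants.

```fortios
# Step 3: create the FortiLink policy settings (name constructed for this example)
config switch-controller fortilink-settings
    edit "fl-settings-1"
        set link-down-flush enable
        config nac-ports
            set onboarding-vlan "onboarding"
            set bounce-nac-port enable
        end
    next
end

# Step 2: bind the FortiLink policy settings to the FortiLink interface
config system interface
    edit "fortilink1"
        set switch-controller-dynamic "fl-settings-1"
    next
end

# VLAN policies referenced by the rules below (constructed names)
config switch-controller vlan-policy
    edit "vp-voice"
        set description "Voice devices matched by a rule"
        set fortilink "fortilink1"
        set vlan "voice"
        set allowed-vlans "voice"
        set discard-mode none
    next
    edit "vp-default"
        set description "Catch-all: unmatched devices stay on the onboarding VLAN"
        set fortilink "fortilink1"
        set vlan "onboarding"
        set discard-mode none
    next
end

# Step 4: dynamic port policy with its rules; order matters, last rule is the default
config switch-controller dynamic-port-policy
    edit "dpp-1"
        set description "Dynamic port policy for access ports"
        set fortilink "fortilink1"
        config policy
            edit "ip-phones"
                set description "Match IP phones by device type (type string is a constructed example)"
                set status enable
                set category device
                set type "Phone"
                set vlan-policy "vp-voice"
            next
            edit "default"
                set description "No match criteria: applies to every device not matched above"
                set status enable
                set category device
                set vlan-policy "vp-default"
            next
        end
    next
end

# Step 1: put the switch port into dynamic access mode and attach the policy
# (replace the placeholder with the real FortiSwitch serial number)
config switch-controller managed-switch
    edit "FORTISWITCH_SERIAL_PLACEHOLDER"
        config ports
            edit "port1"
                set access-mode dynamic
                set port-policy "dpp-1"
            next
        end
    next
end

# Step 5: run the dynamic port policy engine every 30 seconds (default is 15, range 5-60)
config switch-controller system
    set dynamic-periodic-interval 30
end
```

When reviewing an existing configuration, the two things to check against this layout are that the final rule under config policy has no mac, host, family or type criteria (otherwise some devices match no rule at all) and that the VLAN policy it references is the restricted one, not a production VLAN.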
