Fortigate Managing Devices 60 PDF
VERSION 6.0.0
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
FORTICAST
http://forticast.fortinet.com
01-600-481084-20180329
TABLE OF CONTENTS
Change Log 4
Introduction 5
Before you begin 5
How this guide is organized 5
What's new in FortiOS 6.0 5
Managing “bring your own device” 6
Device monitoring 6
Custom avatars for custom devices 7
Device offline timeout 7
Device organization, device categories, and device types 8
Device Groups 8
Controlling access with a MAC Address Access Control List 8
MAC Authentication Bypass (MAB) 9
Security policies for devices 10
Creating device policies 12
Adding endpoint protection 12
Change Log
March 29, 2018 FortiOS 6.0 document release. See "What's new in FortiOS 6.0" on page 5.
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
Managing “bring your own device” describes device monitoring, devices, device groups, and device policies. The
administrator can monitor all types of devices and control their access to network resources.
The following list contains new device management features added in FortiOS 6.0. Click on a link to navigate to
that section for further information.
FortiOS can control network access for different types of personal mobile devices that your employees bring onto
your premises. You can:
- identify and monitor the types of devices connecting to your networks, wireless or wired
- use MAC address based access control to allow or deny individual devices
- create security policies that specify device types
- enforce endpoint control on devices that can run FortiClient Endpoint Control software
This chapter contains the following sections:
Device monitoring
Device Groups
Controlling access with a MAC Address Access Control List
Security policies for devices
Device monitoring
The FortiGate unit can monitor your networks and gather information about the devices operating on those
networks. Collected information includes:
- MAC address
- IP address
- operating system
- hostname
- user name
- how long ago the device was detected and on which FortiGate interface
You can go to User & Device > Device Inventory to view this information. Mouse-over the Device column for
more details.
Depending on the information available, the Device column lists the Alias or the MAC address of the device. For
ease in identifying devices, Fortinet recommends that you assign each device an Alias.
Device monitoring is enabled separately on each interface. Device detection is intended for devices directly
connected to your LAN ports. If enabled on a WAN port, device detection may be unable to determine the
operating system on some devices. Hosts whose device type cannot be determined passively can be found by
enabling active scanning on the interface.
You can also manually add devices. This enables you to ensure that a device with multiple interfaces is displayed
as a single device.
To enable device monitoring on an interface:
1. Go to Network > Interfaces.
2. Edit the interface that you want to monitor devices on.
3. In Networked Devices, turn on Device Detection and optionally turn on Active Scanning.
4. Select OK.
5. Repeat steps 2 through 4 for each interface that will monitor devices.
To assign an alias to a detected device:
1. Go to User & Device > Device Inventory and edit the device entry.
2. Enter an Alias such as the user's name to identify the device.
3. Change other information as needed.
4. Select OK.
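The same two procedures expressed in the FortiOS CLI, as an added example that is not taken from this guide. The interface name "lan", the alias "alice-phone", the MAC address and the device type value are constructed for illustration; the option names device-identification, device-identification-active-scan, mac and type are assumed to match the FortiOS 6.0 CLI reference, and category takes one of the values listed under "Category Devices" below.

```text
# Step 1: enable passive device detection on the LAN-facing interface,
# and active scanning for hosts whose OS cannot be identified passively.
# Do this only on LAN ports; on a WAN port the OS may not be determined.
config system interface
    edit "lan"
        set device-identification enable
        set device-identification-active-scan enable
    next
end

# Step 2: give a detected device an alias so it is easy to recognise in
# User & Device > Device Inventory and can be referenced by name later.
# MAC address and type value are constructed placeholders (assumption).
config user device
    edit "alice-phone"
        set mac 00:11:22:33:44:55
        set type iphone
        set category ios-device
    next
end
```

After this, the Device Inventory shows "alice-phone" instead of the raw MAC address, and the alias can be placed in a device group or referenced directly in a policy.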
Category Devices
Syntax
config user device
edit <category>
set category [none | android-device | blackberry-device | fortinet-device | ios-device | windows-device]
next
end
Device Groups
You can specify multiple device types in a security policy. As an alternative, you can add multiple device types to
a custom device group and include the group in the policy. This enables you to create a different policy for devices
that you know than for devices in general.
Controlling access with a MAC Address Access Control List
A MAC Address Access Control List (ACL) allows or blocks access on a network interface that includes a DHCP
server. If the interface does not use DHCP, or if you want to limit network access to a larger group such as
employee devices, it is better to create a device group and specify that group in your security policies.
The Unknown MAC Address entry applies to "other" unknown, unlisted devices. Its action must be opposite to
that of the other entries. In an allow list, it must block. In a block list, it must allow.
MAC Authentication Bypass (MAB)
RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC
addresses.
MAC Authentication Bypass is configurable only in the CLI and only on interfaces configured for 802.1X
authentication. For example:
config system interface
edit "lan"
set ip 10.0.0.200 255.255.255.0
set vlanforward enable
set security-mode 802.1X
set security-mac-auth-bypass enable
set security-groups "Radius-group"
end
end
MAC Authentication Bypass is also available on WiFi SSIDs, regardless of authentication type. It is configurable
only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be
used. For example:
config wireless-controller vap
edit "office-ssid"
set security wpa2-only-enterprise
set auth usergroup
set usergroup "staff"
set radius-mac-auth enable
set radius-mac-auth-server "ourRadius"
end
end
Security policies for devices
Security policies enable you to implement policies according to device type. For example:
- The policy enables traffic to flow from one network interface to another.
- NAT can be enabled.
- UTM protection can be applied.
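The device-group approach described under "Device Groups" and the device-type policy described above, combined in one CLI example that is added here and is not taken from this guide. The group, device aliases, interface names and policy IDs are constructed; the device-group member option and the policy's devices option are assumed to match the FortiOS 6.0 CLI (device-based policy fields belong to 6.0), and the profile names "default" and "certificate-inspection" are the factory profiles.

```text
# A custom device group of devices you know (aliases created earlier).
config user device-group
    edit "corp-known-devices"
        set member "alice-phone" "bob-laptop"
    next
end

config firewall policy
    # Policies match top-down: the known-devices policy is placed first.
    edit 10
        set name "known-devices-to-internet"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set devices "corp-known-devices"
        set action accept
        set schedule "always"
        set service "ALL"
        # UTM protection applied to the flow
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        # NAT enabled for traffic leaving on wan1
        set nat enable
    next
    # Devices in general: matched by category, limited to web traffic.
    edit 11
        set name "byod-web-only"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set devices "android-device" "ios-device"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
```

Anything that matches neither policy, including a device whose type could not be determined, falls through to the implicit deny, so device detection must be enabled on "lan" (see "Device monitoring") for either policy to match at all.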
Adding endpoint protection
If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum
(forum.fortinet.com). Phone support is only available for paid licenses.
Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.