FortiNAC Overview
With visibility, control, and automated response for everything that connects to the network, FortiNAC™, Fortinet’s licensed network access control solution, extends the Security Fabric. FortiNAC protects against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events.
Network-wide Visibility of Every Device and User
FortiNAC draws on multiple information and behavior sources to identify precisely what is on your network, and profiles even headless devices in detail.
Extend Network Control to Third-Party Products
Change configurations on switches and wireless products from more than 70 vendors, implement microsegmentation policies, and broaden the Security Fabric’s reach across diverse environments.
Response Automation
Respond quickly to network events to stop threats from spreading. When the targeted behavior is seen, FortiNAC’s extensive and adaptable set of automation policies can immediately initiate configuration changes.
Automated Reaction
FortiNAC continuously monitors the network and assesses endpoints to check that they still conform to their profile. To ensure that MAC address spoofing does not slip past your network access security, FortiNAC rescans devices.
FortiNAC can also watch for irregularities in traffic patterns. This passive anomaly detection is performed in conjunction with FortiGate devices. When a threat involving a compromised or exposed endpoint is identified, FortiNAC automatically launches a response to contain the endpoint immediately.
Dynamic Network Control
Once the users and devices have been identified, FortiNAC enables detailed network segmentation to give users and devices access to required resources while preventing unauthorized access. The licensed FortiNAC uses dynamic role-based network access control to logically divide networks into segments, limiting access to particular users and/or devices by grouping related applications and data together. The ability of a compromised device to move around the network and attack other assets will be constrained in this way. While ensuring compliance with internal, sectoral, and governmental regulations and mandates, FortiNAC helps to protect sensitive information and important data.
The risk and potential malware spread are reduced by checking the devices’ integrity before they connect to the network.
As a device tries to join the network, FortiNAC verifies its configuration. If the configuration turns out not to be compliant, the device can be handled appropriately, for example by placing it in an isolated or restricted-access VLAN that cannot reach corporate resources.
Object Visibility
Understanding the structure of a network is essential to maintaining security in a dynamic environment. FortiNAC makes the network completely visible: it scans your network to identify every user, application, and device.
FortiNAC profiles each element based on observed characteristics and responses, using FortiGuard’s IoT Services, a cloud-based database for identification lookups, as well as up to 21 different techniques. Scanning can be done actively or passively, using persistent agents, dissolvable agents, or no agents at all.
Additionally, FortiNAC can evaluate whether a device conforms to accepted profiles, noting where software updates are needed to fix vulnerabilities. Once FortiNAC is installed, the entire network is known.
FortiNAC’s enhanced visibility not only has access to the entire network but can also use passive traffic analysis, using Fortinet FortiGate appliances as sensors, to spot unusual traffic patterns that may be signs of compromise that the SOC team should investigate further.
Deployment Options
High Availability
For redundancy, FortiNAC offers High Availability for disaster recovery. This is achieved by pairing active and passive instances: the backup becomes active when the primary ceases to operate normally.
FortiNAC Manager can manage multiple high availability clusters dispersed throughout the network as necessary.
Centralized Architecture
Since FortiNAC is an “out of band” solution, user traffic is not affected by its presence. Thanks to this architecture, FortiNAC can be deployed centrally and used to control a large number of remote locations. Visibility, control, and response are made possible by integrating with, and leveraging the capabilities of, the existing network infrastructure. Control can be enforced right at the network’s edge, where connections are made, while security device integrations enable FortiNAC to process security alerts and use them as triggers for automated threat mitigation through a variety of customizable workflows.
Data is collected from many sources using a variety of techniques. The comprehensive end-to-end visibility required to build a truly secure environment is attained using SNMP, CLI, RADIUS, SYSLOG, API, and DHCP fingerprints. FortiNAC can run as a virtual machine (VMware, Hyper-V, AWS, Azure, KVM) or on physical appliances.
Application and control servers can be deployed in different sizes depending on how many ports they need to support. FortiNAC is well suited to distributed architectures, including SD-Branch locations.
Licensing for FortiNAC
PRO Licensing
The PRO license level offers the highest level of response, visibility, and control. The PRO license offers comprehensive access control, automated threat response, real-time endpoint visibility, and triaged alerts with contextual information. The PRO license level is suitable for businesses that require complete endpoint visibility, a flexible NAC solution with granular controls, accurate event triage, and real-time automated threat response.
PLUS License
The PLUS license level expands on all of the functionality of BASE with improved visibility, more sophisticated Network Access Controls, automated provisioning for users, guests, and devices, reporting, and analytics. The reporting and analytics can be very helpful in providing audit documentation of compliance. The PLUS license level is suitable for organizations that want comprehensive endpoint visibility and granular control but do not need automated threat response.
BASE License
The BASE license level provides an easy, one-step IoT security solution that closes critical endpoint security gaps by identifying all endpoint devices on the network, automating authorization, enabling micro-segmentation, and enabling network lockdown. Organizations that need to secure IoT and headless devices and enable network lockdown with dynamic VLAN steering, but do not need more sophisticated user/network controls or automated threat response, should use the BASE license level.
Here are some frequently asked questions about Fortinet’s network access control solution.
How does FortiNAC recognize a brand-new device on the network?
FortiNAC classifies a device based on its network characteristics. FortiNAC can profile a device using up to 20 different characteristics and methods, including dynamic host configuration protocol (DHCP) fingerprinting and the vendor organizationally unique identifier (OUI) of its MAC address.
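To make the two profiling methods named above concrete, here is an added Python example (not FortiNAC code; FortiNAC’s own fingerprint database and logic are not published on this page) that parses the DHCP option 55 parameter request list from a client’s options field, looks up the MAC OUI, flags a mismatch between the two as a possible spoofed MAC, and steers unknown or inconsistent devices to an isolation VLAN as described in the sections above. The OUI table, fingerprint table, and VLAN IDs are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed lookup tables for illustration only (not FortiNAC or FortiGuard data).
OUI_VENDORS = {"00:1a:2b": "ExampleCam", "3c:4d:5e": "ExampleWS"}
# DHCP option 55 (parameter request list) -> (device class, expected OUI vendor)
DHCP_FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): ("Windows workstation", "ExampleWS"),
    (1, 3, 6, 12, 15, 28, 42): ("IP camera", "ExampleCam"),
}
ISOLATION_VLAN, PRODUCTION_VLAN = 999, 100  # hypothetical VLAN IDs

@dataclass
class Profile:
    device_class: str   # "unknown" when no fingerprint matches
    oui_vendor: str     # "unknown" when the OUI is not in the table
    consistent: bool    # False when OUI vendor and fingerprint disagree

def parse_option55(options: bytes) -> tuple:
    """Walk the DHCP options TLV area and return option 55's code list (empty if absent)."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = options[i + 1]
        data = options[i + 2:i + 2 + length]
        if code == 55:
            return tuple(data)
        i += 2 + length
    return ()

def profile_device(mac: str, options: bytes) -> Profile:
    """Combine OUI lookup and DHCP fingerprint into one profile."""
    vendor = OUI_VENDORS.get(mac.lower()[:8], "unknown")
    device_class, expected = DHCP_FINGERPRINTS.get(parse_option55(options), ("unknown", None))
    # A known fingerprint whose expected vendor disagrees with the OUI hints at a spoofed MAC.
    consistent = expected is None or expected == vendor
    return Profile(device_class, vendor, consistent)

def assign_vlan(p: Profile) -> int:
    """Unknown or inconsistent devices go to isolation; known, consistent ones to production."""
    if p.device_class == "unknown" or not p.consistent:
        return ISOLATION_VLAN
    return PRODUCTION_VLAN

# Constructed sample options for an IP camera: option 53 (DHCPDISCOVER), option 55, end.
CAMERA_OPTIONS = bytes([53, 1, 1, 55, 7, 1, 3, 6, 12, 15, 28, 42, 255])
```

Feeding `CAMERA_OPTIONS` with a MAC from the camera vendor’s OUI lands in the production VLAN, while the same fingerprint from a workstation OUI is flagged inconsistent and isolated, which is the rescan check the page describes for MAC spoofing.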
Is it necessary for every location to have a FortiNAC?
No. Thanks to FortiNAC’s centralized, out-of-band architecture, you get full visibility into remote locations without deploying an appliance at each one. Many businesses run FortiNAC in the cloud, for example on Amazon Web Services (AWS), to provide NAC for their network.
Do the licenses take the user into account?
No. Licenses are counted by active ports or wireless devices, not by users. For instance, if only 100 of your network’s 300 users are active at any given time, you only need licenses for 100 active ports.