Endpoint NAC; Configuring Endpoint NAC Overview - Fortinet FortiGate Series Administration Manual

Endpoint NAC

Configuring Endpoint NAC overview

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/

Endpoint Network Access Control (NAC) enforces the use of the FortiClient End Point
Security (Enterprise Edition) application on your network. It can also allow or deny network
access to endpoints based on the applications installed on them.

FortiClient enforcement can check that the endpoint is running the most recent version of
the FortiClient application, that the antivirus signatures are up-to-date and that the firewall
is enabled. An endpoint is most often a single PC with a single IP address being used to
access network services through a FortiGate unit.

You enable endpoint NAC in a firewall policy. When traffic attempts to pass through the
firewall policy, the FortiGate unit runs compliance checks on the originating host on the
source interface. Non-compliant endpoints are blocked. Endpoints that are web browsing
are redirected to a web portal that explains the non-compliance and provides a link to
download the FortiClient application installer.

You can monitor the endpoints that are subject to endpoint NAC, viewing information
about the computer, its operating system and detected applications.

This section describes:
- Configuring Endpoint NAC overview
- Configuring FortiClient installer download and version enforcement
- Configuring application detection lists
- Configuring Endpoint NAC profiles
- Monitoring endpoints

Endpoint NAC requires that all hosts using the firewall policy have the FortiClient Endpoint
Security application installed. Make sure that all hosts affected by this policy are able to
install this application. Currently, FortiClient Endpoint Security is available for Microsoft
Windows 2000 and later only.

To set up endpoint NAC, you need to:
- Enable Central Management by the FortiGuard Analysis & Management Service if you
  will use FortiGuard Services to update the FortiClient application or antivirus
  signatures. You do not need to enter account information. See "Central Management"
  on page 285.
- Configure the minimum required version of FortiClient and the source of FortiClient
  installer downloads for non-compliant endpoints. See "Configuring FortiClient installer
  download and version enforcement" on page 696.
- Define application detection lists to specify which applications are allowed or not
  allowed. Optionally, you can deny access to endpoints that have applications installed
  that are not on the detection list.
- Configure Endpoint NAC profiles which specify the FortiClient enforcement settings
  and the application detection list to apply. You select the Endpoint NAC profile to use
  when you enable Endpoint NAC in the firewall policy.
- Enable endpoint NAC in firewall policies.
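
A simplified model of the enforcement decision described above, added here as an illustration; it is not FortiOS code or configuration. The class, field and action names, the version strings and the application names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

def parse_version(text):
    """'4.1.10' -> (4, 1, 10): compare numerically, since as strings '4.1.10' < '4.1.3'."""
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:   # treat '4.1' and '4.1.0' as the same version
        parts.pop()
    return tuple(parts)

@dataclass
class Endpoint:                       # posture reported for one host (hypothetical model)
    forticlient_version: Optional[str]   # None means FortiClient is not installed
    av_signatures_current: bool
    firewall_enabled: bool
    applications: set = field(default_factory=set)

@dataclass
class NacProfile:                     # hypothetical stand-in for an Endpoint NAC profile
    min_version: str
    detection_list: dict              # application name -> "allow" or "deny"
    deny_unlisted: bool = False       # optional: deny endpoints with unlisted applications

def check_compliance(ep, profile):
    """Return every reason the endpoint is non-compliant (empty list = compliant)."""
    if ep.forticlient_version is None:
        return ["FortiClient not installed"]
    reasons = []
    if parse_version(ep.forticlient_version) < parse_version(profile.min_version):
        reasons.append("FortiClient older than required version")
    if not ep.av_signatures_current:
        reasons.append("antivirus signatures out of date")
    if not ep.firewall_enabled:
        reasons.append("firewall disabled")
    for app in sorted(ep.applications):
        action = profile.detection_list.get(app)
        if action == "deny":
            reasons.append(f"application not allowed: {app}")
        elif action is None and profile.deny_unlisted:
            reasons.append(f"application not on detection list: {app}")
    return reasons

def enforce(ep, profile, web_browsing):
    """Compliant traffic passes; otherwise web traffic goes to the portal, the rest is blocked."""
    reasons = check_compliance(ep, profile)
    if not reasons:
        return "allow", reasons
    return ("redirect-to-portal" if web_browsing else "block"), reasons

# Constructed sample profile (version and application names are made up)
PROFILE = NacProfile("4.1.3", {"ExampleMail": "allow", "ExampleP2P": "deny"}, deny_unlisted=True)
```

Collecting every failed check, rather than stopping at the first, gives the portal page or the monitoring view the full list of what the user has to fix.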