FortiNAC: Network Access Control
Security for networks with IoT
-
Appliance
-
Virtual Machine
FortiNAC Overview
The proliferation of Internet of Things (IoT) devices, has made it necessary for organizations to improve their visibility into what is attached to their networks. They need to know every device and every user accessing their networks. IoT devices enable digital transformation initiatives and improve efficiency, flexibility, and optimization. However, they are inherently untrustworthy, with designs that prioritize low-cost over security. FortiNAC provides the network visibility to see everything connected to the network, as well as the ability to control those devices and users, including dynamic, automated responses.
FortiNAC News
-
Sep 4, 2018Fortinet Introduces New Network Access Control Solution for IoT SecurityFortiNAC Provides Visibility and Control of IoT Devices and Automated Response to Threats, Controls Access at Scale in Multi-Vendor Environments.
-
Jun 4, 2018Fortinet Acquires Bradford NetworksStrengthens Fortinet Security Fabric and extends segmentation and security to the edge of the enterprise network including Internet of Things (IoT).
FortiNAC Product Details:
The IoT revolution has raised a new challenge for network owners. How can you see and protect against a myriad of devices showing up on the network? Network Access Control has come back to the forefront of security solutions to address that challenge. This technology was deployed to assist with bring-your-own-device (BYOD) policies and is now getting renewed focus as a means to safely accommodate headless IoT devices in the network. FortiNAC enables three key capabilities to secure IoT devices:
- Network visibility to see every device and user as they join the network
- Network control to limit where devices can go on the network
- Automated response to speed the reaction time to events from days to seconds
Collectively, these three capabilities provide the tools that network owners need to secure a world that is embracing IoT.
Features
Agentless scanning
Detect and identify headless devices as they connect to the network
13 profiling methods
Utilize up to 13 different ways of determining the identity of a device
Simplified onboarding
Automate onboarding process for large number of endpoints, users, and guests
Benefits
Micro-segmentation
With identified devices, FortiNAC can narrowly restrict network access for those devices to only necessary network assets
Extensive multi-vendor support
Interact with and configure network devices (switches, wireless access points, firewalls, clients) from more than 150 vendors
Scalability
FortiNAC architecture enables effective scaling to multi-site locations and supporting millions of devices
FortiNAC Models and Specifications
The FortiNAC product line includes appliances, virtual machines and licenses. The licenses can run on either the hardware appliance or the virtual machine. Each FortiNAC deployment requires both a Control and Application server. Note that if your deployment is larger than what a single server can support, you can stack severs for more capacity. The FortiNAC solution has no upper limit on the number of concurrent ports it can support.
Function |
Control and Application Server |
Capacity |
Each server manages up to 1,000 ports in the network |
Function |
Control and Application Server |
Capacity |
Each server manages up to 7,500 ports in the network |
Function |
Control and Application Server |
Capacity |
Each server manages up to 15,000 ports in the network |
Function |
Control Server |
Capacity |
Each server manages up to 20,000 ports in the network |
Function |
Application Server |
Capacity |
Each server manages up to 20,000 ports in the network |
Function |
Control Server |
Capacity |
Each server manages up to 30,000 ports in the network |
Function |
Application Server |
Capacity |
Each server manages up to 30,000 ports in the network |
Function |
Management Server |
Capacity |
Unlimited |
Function |
Reporting and Analytics Server |
Capacity |
n/a |
Capacity |
Each VM manages up to 15,000 ports in the network |
Capacity |
Each VM manages up to 30,000 ports in the network |
Capacity |
Each VM manages up to 30,000 ports in the network |
Capacity |
Unlimited |
Capacity |
n/a |
Functionality |
Visibility |
Device Count |
100 concurrent endpoint devices per license |
Functionality |
Visibility and Control |
Device Count |
100 concurrent endpoint devices per license |
Functionality |
Visibility, Control, and Response |
Device Count |
100 concurrent endpoint devices per license |
Solution Guides
Related Links
FortiNAC Product Demo
FortiNAC product demo
The surge in deployment of IoT devices requires advanced network security. Specifically, network operators need to be able to identify every user and device that connects to the network and then grant or limit network access appropriately. Furthermore, the network needs constant supervision to ensure ongoing safe operation with automated responses to threats as they are detected. FortiNAC from Fortinet can provide those capabilities so that network operators can confidently know who and what is on their network. Come and see how FortiNAC can provide visibility, control, and response for your network.
FortiNAC FAQs
Below are answers to common questions regarding FortiNAC and related services:
How does FortiNAC identify a new device on the network?
FortiNAC uses the network characteristics of the device to classify the devices. There are up to 13 different attributes and techniques that FortiNAC can utilize such as Vendor OUI and DHCP fingerprinting, to profile a device.
Does FortiNAC analyze device behavior (EUBA) to identify a device?
No, FortiNAC looks at the profile of the device and is not analyzing behavior.
Do I need a FortiNAC in every location?
No, FortiNAC’s architecture enables complete visibility even from remote locations. There are many organizations that deploy FortiNAC in a cloud such as Amazon Web Services (AWS) to provide NAC for their network.
Q. What is the upper limit of how many devices FortiNAC can support?
A. There is no upper limit for how large a network can be. The FortiNAC servers can be stacked and managed as a group.
Q: What form factor does FortiNAC come in?
A: The FortiNAC solution requires a server to run the Control and Application functions. For smaller organizations, those can run in one server while larger organizations might need dedicated servers or multiple dedicated servers. Servers can be either hardware appliances or Virtual Machines (VMs). Licenses that run on the servers determine the level of functionality of the solution.
Q: What are the most popular form factor?
A: The VM form factor is most commonly deployed.
Q: Do you need a server at each location?
A: No, the architecture of FortiNAC means that you can centrally deploy and provide coverage for several sites. FortiNAC is not sniffing the traffic directly, so it does not need to be on the network. This greatly enhances FortiNAC’s ability to scale to multi-site locations.
Q: What are the different license levels for FortiNAC?
A: FortiNAC offers three levels of capability:
- Base -- offering visibility and network lockdown (does not permit new devices to join without permission)
- Plus -- offering the Base capabilities and adds user identification and segmentation.
- Pro -- offering the Plus capabilities and add automatic response
Q: Can you move from one license level to another? Or do you have to buy a whole new license?
A: Fortinet offers upgrade FortiNAC licenses so that if you want to move from Base to Plus, or Plus to Pro, you can simply buy the upgrade license.
Q: Are the FortiNAC licenses incremental in their features? Do you need to buy Base if you buy Pro?
A: No, the FortiNAC licenses are all-inclusive so you only need to purchase the level that you want.
Q: Are the FortiNAC licenses subscriptions?
A: No, the FortiNAC licenses are perpetual.
Q: Are the license measured by user?
A: No, the licenses are based on the total number of concurrent connections to your network that are managed by FortiNAC. This count includes hosts, servers or devices that are online on your network at any given time. When a host, server or device disconnects from the network, the license is released and can be used for another connection. For example, you may have 1000 hosts in your database but if only 100 are connected, then only 100 licenses are used.
Q: Are the FortiNAC licenses shared across locations?
A: Yes, when deployed with a Management Server, the FortiNAC licenses can be shared across the locations, as well as across stacked servers.
Q: Does FortiNAC do end-user behavior analysis (EUBA)?
A: No, FortiNAC does not perform behavior analysis but does collect network data about a device, utilizing up to 13 methods to profile a device.
Q: How does FortiNAC protect against MAC-spoofing if it does not do EUBA?
A: FortiNAC can protect against MAC-spoofing both on initial network access and after a MAC address has been granted permission. FortiNAC will look at 12 other factors to see if the device matches the appropriate profile for that MAC address and OUI. FortiNAC can quarantine a device with a suspicious profile for a network administrator to investigate and resolve.