Security policies for devices
Security policies enable you to implement policies according to device type. For example:
- Gaming consoles cannot connect to the company network or the Internet.
- Personal tablet and phone devices can connect to the Internet but not to company servers.
- Company-issued laptop computers can connect to the Internet and company servers. Web filtering and antivirus are applied.
- Employee laptop computers can connect to the Internet, but web filtering is applied. They can also connect to company networks, but only if FortiClient Endpoint Security is installed to protect against viruses.
The following images show these policies implemented for WiFi to the company network and to the Internet.
Device policies for company laptop access to the company network
Device policies for WiFi access to the Internet
The next section explains device policy creation in detail.
Creating device policies
Device-based security policies are similar to policies based on user identity:
- The policy enables traffic to flow from one network interface to another.
- NAT can be enabled.
- UTM protection can be applied.
To create a device policy
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Choose Incoming Interface, Outgoing Interface and Source as you would for any security policy.
- In Source, select an address and the device types that can use this policy. You can select multiple devices or device groups.
- Turn on NAT if appropriate.
- Configure Security Profiles as you would for any security policy.
- Select OK.
Adding endpoint protection
Optionally, you can require that users’ devices connecting to a particular network interface have FortiClient Endpoint Security software installed. Devices without an up-to-date installation of FortiClient software are restricted to a captive portal from which the user can download a FortiClient installer. For information about creating FortiClient profiles, see “Endpoint Protection”.
To add endpoint protection to a security policy
- Go to Network > Interfaces and edit the interface.
- In Admission Control turn on Allow FortiClient Connections and FortiClient Enforcement.
- Optionally, select sources (addresses and device types) to exempt from FortiClient enforcement.
- Optionally, select destination addresses and services to exempt from FortiClient enforcement.
- Select OK.
FortiOS pushes a FortiClient profile out to the FortiClient software, configuring network protection such as antivirus, application control, and web category filtering. To create these profiles, go to Security Profiles > FortiClient Profiles.
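The two procedures above (a device-based policy, then FortiClient enforcement on the ingress interface) are configured in the GUI, but the combination is easy to get wrong: a policy that lets device types reach company servers from an interface that never had FortiClient Enforcement turned on quietly bypasses the captive-portal check. The following script is an added example, not code from this document or from FortiOS. It parses a constructed FortiOS-style text config and flags device policies that reach the company network from an interface without enforcement, plus Internet-bound device policies with no web filter. The attribute names it reads (`devices`, `srcintf`, `dstintf`, `action`, `webfilter-profile` under `firewall policy`, and `endpoint-compliance` under `system interface`) are assumptions about the 5.x CLI and should be checked against your own exported configuration.

```python
"""Audit device-based policies in a FortiOS-style text config export.

Added example, not code from the Fortinet documentation or from FortiOS.
It assumes the FortiOS 5.x text config layout (config / edit / set / next /
end) and the attribute names 'devices', 'action', 'srcintf', 'dstintf',
'webfilter-profile' (firewall policy) and 'endpoint-compliance' (system
interface). Those key names are assumptions; verify them against a real
exported config before relying on the checks.
"""
import shlex

# Constructed sample config mirroring the policies described in the text:
# company laptops reach the servers from an enforced interface, a BYOD
# interface without FortiClient enforcement also reaches the servers, and
# phones get NAT'd Internet access with no web filtering.
SAMPLE_CONFIG = """\
config system interface
    edit "wifi"
        set device-identification enable
        set endpoint-compliance enable
    next
    edit "guest-wifi"
        set device-identification enable
    next
end
config firewall policy
    edit 1
        set srcintf "wifi"
        set dstintf "internal"
        set devices "windows-pc" "mac"
        set action accept
        set av-profile "default"
        set webfilter-profile "default"
    next
    edit 2
        set srcintf "guest-wifi"
        set dstintf "internal"
        set devices "windows-pc" "mac"
        set action accept
    next
    edit 3
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set devices "android-phone" "iphone"
        set action accept
        set nat enable
    next
end
"""


def parse_config(text):
    """Parse config text into {section: {entry_id: {key: [values]}}}.

    Nested sub-tables are stored under their own section name, which is
    enough for the top-level tables this audit reads.
    """
    sections = {}
    frames = []  # one [section_name, open_entry_id] per open 'config' block
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted values FortiOS emits
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            name = " ".join(args)
            sections.setdefault(name, {})
            frames.append([name, None])
        elif cmd == "edit":
            frames[-1][1] = args[0]
            sections[frames[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            section, entry = frames[-1]
            sections[section].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            frames[-1][1] = None
        elif cmd == "end":
            frames.pop()
    return sections


def audit_device_policies(sections, company_interfaces, internet_interfaces):
    """Return [(policy_id, finding)] for accept policies that match device types."""
    interfaces = sections.get("system interface", {})
    findings = []
    for pid, pol in sections.get("firewall policy", {}).items():
        if not pol.get("devices") or pol.get("action", ["deny"])[0] != "accept":
            continue
        dst = set(pol.get("dstintf", []))
        # Check 1: device traffic into the company network should enter through
        # an interface with FortiClient enforcement, so devices without an
        # up-to-date FortiClient land in the captive portal, not on servers.
        if dst & company_interfaces:
            for src in pol.get("srcintf", []):
                state = interfaces.get(src, {}).get("endpoint-compliance", ["disable"])
                if state[0] != "enable":
                    findings.append((pid, f"devices {pol['devices']} reach the company "
                                          f"network via {src} without endpoint-compliance"))
        # Check 2: Internet-bound device traffic with no web filter profile.
        if dst & internet_interfaces and not pol.get("webfilter-profile"):
            findings.append((pid, "Internet-bound device policy has no webfilter-profile"))
    return findings


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for pid, finding in audit_device_policies(parsed, {"internal"}, {"wan1"}):
        print(f"policy {pid}: {finding}")
```

Run against a real `show full-configuration` export, pass the interface names that front your company network and your Internet uplinks, and review each finding against the intended policy matrix (the interface exemptions for addresses and device types described above are a legitimate reason for a policy to appear in the list).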
FortiClient endpoint license updates
FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.
If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.
| Model(s) | Maximum Client Limit |
|---|---|
| VM00 | 200 |
| FGT/FWF 30 to 90 series | 200 |
| FGT 100 to 400 series | 600 |
| FGT 500 to 900 series, VM01, VM02 | 2,000 |
| FGT 1000 to 2900 series | 20,000 |
| FGT 3000 to 3600 series, VM04 | 50,000 |
| FGT 3700D and above, VM08 and above | 100,000 |
Older FortiClient SKUs remain valid and can be applied to FortiOS 5.4 and 5.6.