FortiNAC FAQs

Below are answers to common questions regarding FortiNAC and related services:

How does FortiNAC identify a new device on the network?

FortiNAC uses the network characteristics of a device to classify it. FortiNAC can utilize up to 20 different attributes and techniques, such as Vendor OUI and DHCP fingerprinting, to profile a device.

Does FortiNAC analyze device behavior (EUBA) to identify a device?

No, FortiNAC does not perform behavior analysis but does collect network data about a device, utilizing up to 20 methods to profile a device.

Do I need a FortiNAC in every location?

No, FortiNAC’s architecture enables complete visibility even from remote locations. There are many organizations that deploy FortiNAC in a cloud such as Amazon Web Services (AWS) to provide NAC for their network.

What is the upper limit of how many devices FortiNAC can support?

There is no upper limit for how large a network can be. The FortiNAC servers can be stacked and managed as a group.

What form factor does FortiNAC come in?

The FortiNAC solution requires a server to run the Control and Application functions. Those can run on one server for smaller deployments, while larger organizations might need several servers. Servers can be either hardware appliances or Virtual Machines (VMs). Licenses that run on the servers determine the level of functionality of the solution.

What is the most popular form factor?

The VM form factor is most commonly deployed.

Do you need a server at each location?

No, the architecture of FortiNAC means that you can centrally deploy and provide coverage for several sites. FortiNAC is not sniffing the traffic directly, so it does not need to be on the network. This greatly enhances FortiNAC’s ability to scale to multi-site locations.

What are the different license levels for FortiNAC?

FortiNAC offers three levels of capability:

Base - offers visibility and network lockdown (does not permit new devices to join without permission).

Plus - offers the Base capabilities and adds user identification and segmentation.

Pro - offers the Plus capabilities and adds automatic response.

Can you move from one license level to another? Or do you have to buy a whole new license?

Fortinet offers FortiNAC upgrade licenses, so if you want to move from Base to Plus, or Plus to Pro, you can simply buy the upgrade license.

Are the FortiNAC licenses incremental in their features? Do you need to buy Base if you buy Pro?

No, the FortiNAC licenses are all-inclusive so you only need to purchase the level that you want.

Are the FortiNAC licenses subscriptions?

FortiNAC licenses are offered in both perpetual and subscription forms.

Are the licenses measured by user?

No, the licenses are counted by active port or wireless device. For example, if you have 300 users in your network, but only 100 are active at any one time, you only need licenses for 100 active ports.

Are the FortiNAC licenses shared across locations?

Yes, when deployed with a Management Server, the FortiNAC licenses can be shared across the locations, as well as across stacked servers.

Does FortiNAC do end-user behavior analysis (EUBA)?

No, FortiNAC does not perform behavior analysis but does collect network data about a device, utilizing up to 20 methods to profile a device. When deployed with a FortiGate, FortiNAC can use the traffic sensing capabilities in the FortiGate to watch for anomalies in traffic patterns.

How does FortiNAC protect against MAC-spoofing if it does not do EUBA?

FortiNAC can protect against MAC-spoofing both on initial network access and after a MAC address has been granted permission. FortiNAC will look at 18 other factors to see if the device matches the appropriate profile for that MAC address and OUI. FortiNAC can quarantine a device with a suspicious profile for a network administrator to investigate and resolve.