Advanced Features

FortiLink Network Access Control (NAC)

  • FortiLink NAC Definition and Purpose:

    • Combines security and networking to simplify device onboarding in LAN environments.

    • Uses the FortiLink protocol to extend firewall policies across FortiSwitch devices and FortiAP access points.

    • Automates onboarding by placing devices into an isolated onboarding VLAN until security posture is verified.

    • Rules are based on device properties, including MAC addresses and specific Internet of Things (IoT) metadata.

  • Core Advantages of FortiLink NAC:

    • Simplicity: Easy deployment with no design changes, no overlay, and ready-to-go defaults.

    • Visibility: Automatic discovery of endpoints/devices and access to the FortiGuard IoT service.

    • Security: Applies policies dynamically, either to devices on specific ports or across the entire network.

  • Matched NAC Devices Dashboard:

    • Location: WiFi & Switch Controller > Assets & Identities > Matched Devices.

    • Consolidates asset and identity information so that every detected device is identified and managed, preserving network visibility.

    • Provides detailed metadata: MAC addresses, IP addresses, and device types.

    • Includes search and filter options to help administrators manage large networks efficiently.

  • Device Detection and FortiGuard Services:

    • FortiLink device detection analyzes security risks and identifies vulnerabilities automatically.

    • Unknown device data is sent to FortiGuard servers for identification (requires a valid FortiGuard license).

    • FortiGuard Attack Surface Security Service/IoT Detection: Evaluates the security posture of IoT devices, which often possess weak security settings.

    • Administrators can configure NAC policies to detect specific IoT vulnerability levels and dynamically assign high-risk devices to a quarantine VLAN.

  • FortiLink NAC Policies:

    • Location: WiFi & Switch Controller > NAC Policies.

    • Discovers devices and assigns correct network permissions based on device status, OS, or user type.

    • Onboarding Process: Devices initially connect to a restrictive onboarding VLAN for identification; once matched to a policy, they are reassigned to a target VLAN.

    • Supported attributes for classification: manufacturer, operating system, user groups, zero trust network access (ZTNA) tags, FortiVoice tags, and vulnerabilities.

    • VLAN Subinterfaces: The onboarding and target VLANs are created as VLAN subinterfaces of the FortiLink interface; each carries the traffic of the devices assigned to it.

  • Virtual Patching:

    • NAC isolation: Vulnerable devices are moved into a separate VLAN segment so they cannot reach the rest of the LAN.

    • IPS Virtual Patching: IPS signatures matching a device's detected vulnerabilities are applied to its traffic dynamically, closing the gap until a permanent patch is installed.

    • Includes vendor-specific signatures for Operational Technology (OT) systems.

    • Requires a valid Attack Surface Security Rating Service license.

  • Dynamic Port Policies:

    • Location: WiFi & Switch Controller > FortiSwitch Port Policies > Dynamic Port Policy.

    • Automatically adjusts port properties based on detected device types.

    • Configurations impacted: VLAN policy, Link Layer Discovery Protocol (LLDP) profiles, quality-of-service (QoS) policy, and 802.1X policies.

    • Primarily used for networking devices such as wireless APs, IP phones, routers, and firewalls.
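
The onboarding flow above (isolated onboarding VLAN, first matching NAC policy, quarantine for high-risk IoT devices) modelled as a small Python simulation. This is an added example and not FortiOS code: the match attributes, the top-down first-match ordering, the severity scale, the sample devices and the camera OUI are assumptions made for the example, not FortiGate's actual matching engine.

```python
"""FortiLink NAC onboarding, modelled in Python.

Added example, not FortiOS code. It simulates a device landing on the
isolated onboarding VLAN and being moved to a target VLAN by the first NAC
policy whose criteria it matches. The match attributes, the top-down
first-match ordering, the severity scale and the OUI used are this
example's assumptions; FortiGate's actual matching is not reproduced here.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

ONBOARDING_VLAN = "onboarding"   # every new device starts here, isolated
SEVERITY = ["none", "low", "medium", "high", "critical"]  # assumed scale


@dataclass
class Device:
    mac: str
    manufacturer: str = "unknown"
    os: str = "unknown"
    device_type: str = "unknown"
    vuln_level: str = "none"     # from IoT detection / vulnerability data
    vlan: str = ONBOARDING_VLAN


@dataclass
class NacPolicy:
    name: str
    match: Callable[[Device], bool]
    target_vlan: str


def vuln_at_least(level: str) -> Callable[[Device], bool]:
    """Match devices whose detected vulnerability level is >= level."""
    threshold = SEVERITY.index(level)
    return lambda d: SEVERITY.index(d.vuln_level) >= threshold


def oui_is(prefix: str) -> Callable[[Device], bool]:
    """Match on the first three octets of the MAC (the vendor OUI).
    A MAC is trivially spoofed, so an OUI rule is a convenience, not a control."""
    p = prefix.lower()
    return lambda d: d.mac.lower().startswith(p)


# Order matters: the quarantine rule is first so a high-risk device is
# never handed its normal VLAN just because a later rule also matches.
POLICIES: List[NacPolicy] = [
    NacPolicy("quarantine-high-risk", vuln_at_least("high"), "quarantine"),
    NacPolicy("ip-phones", lambda d: d.device_type == "ip-phone", "voice"),
    NacPolicy("printers", lambda d: d.device_type == "printer", "printers"),
    NacPolicy("corp-windows", lambda d: d.os.startswith("Windows"), "corp"),
    NacPolicy("cameras-by-oui", oui_is("00:40:8c"), "cctv"),  # assumed OUI
]


def evaluate(device: Device, policies: List[NacPolicy] = POLICIES) -> Optional[str]:
    """Move the device to the first matching policy's VLAN.
    Returns the policy name, or None if it stays on the onboarding VLAN."""
    for policy in policies:
        if policy.match(device):
            device.vlan = policy.target_vlan
            return policy.name
    device.vlan = ONBOARDING_VLAN
    return None


# Constructed sample devices (not real inventory data)
SAMPLE = [
    Device("00:11:22:33:44:55", "Yealink", "Linux", "ip-phone"),
    Device("00:40:8c:12:34:56", "Axis", "Linux", "camera", vuln_level="critical"),
    Device("00:40:8c:ab:cd:ef", "Axis", "Linux", "camera"),
    Device("aa:bb:cc:dd:ee:ff", "Dell", "Windows 11", "laptop"),
    Device("de:ad:be:ef:00:01", "unknown", "unknown", "unknown"),
]


def run(devices: List[Device] = SAMPLE):
    """Evaluate every sample device; returns (mac, policy, resulting VLAN)."""
    return [(d.mac, evaluate(d), d.vlan) for d in devices]


if __name__ == "__main__":
    for mac, policy, vlan in run():
        print(f"{mac}  policy={policy or '-':22}  vlan={vlan}")
```

The point to notice is the unmatched device: it stays on the onboarding VLAN rather than falling through to a permissive default, and the critical-vulnerability camera is quarantined even though the camera OUI rule further down would also have matched it.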

Dynamic VLANs and VLAN Pooling

  • Dynamic VLANs with Enterprise RADIUS Authentication:

    • Available in both tunnel and bridge modes when using WPA2 or WPA3 Enterprise security.

    • The RADIUS server must return specific IETF attributes:

      • IETF 64 (Tunnel-Type): Set to VLAN.

      • IETF 65 (Tunnel-Medium-Type): Set to IEEE 802.

      • IETF 81 (Tunnel-Pvt-Group-ID): Set to the specific VLAN ID.

    • Optional attributes: Fortinet-Group-Name, Filter-ID.

  • Dynamic VLANs with MAC RADIUS Authentication:

    • Allows dynamic assignment on non-enterprise (Open or PSK) networks using client MAC addresses.

    • Attributes FortiGate adds to the Access-Request: Called-Station-Id, NAS-IP-Address, NAS-Identifier, NAS-Port-Type.

    • Fortinet describes combining the MAC address check with the Pre-Shared Key (PSK) as two-factor authentication; note that a MAC address is trivially spoofed, so it raises the bar only slightly and should not be relied on as a genuine second factor.

  • IoT Device Segregation:

    • Addresses the limitation that many IoT devices (thermostats, smart plugs) have no 802.1X supplicant and so cannot join a WPA2/WPA3 Enterprise SSID.

    • Allows a single PSK-based network to support multiple device types via RADIUS MAC authentication.

    • Facilitates moving printers or IoT devices to their own VLANs while keeping guests on a default VLAN, reducing the overhead of broadcasting multiple SSIDs.

  • VLAN Pooling:

    • Location: AP Manager > SSID.

    • Allows a single SSID to egress traffic into multiple VLANs to reduce the size of broadcast domains.

    • Large broadcast domains (traditionally capped at a /24 subnet) can cause performance issues; pooling lets one SSID grow past a single subnet's worth of clients while keeping each broadcast domain small.

    • Load Balancing Methods (Tunnel Mode only):

      • Managed AP Group: Assigns VLANs from pools based on the physical location of the Access Point (AP).

      • Round Robin: Assigns the VLAN with the fewest number of clients to new connections.

      • Hash: Assigns a VLAN based on a hash calculation of the current number of SSID clients and pool entries.
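
The RADIUS side of the dynamic VLAN and MAC authentication sections above, as an added example (not FortiGate code and not any RADIUS server's code). It builds the reply attributes IETF 64/65/81 that FortiGate needs, for an 802.1X user mapped by group and for MAC RADIUS authentication on a PSK/Open SSID where the User-Name is the client MAC, and renders a FreeRADIUS "users" stanza for the IoT segregation case. The user, group and MAC tables, the MAC formats accepted, the use of NAS-Port-Type 19 as a sanity check, and the assumption that FortiGate sends the MAC as both username and password are this example's assumptions.

```python
"""Dynamic VLAN assignment via RADIUS, seen from the RADIUS server side.

Added example; not FortiGate code and not any RADIUS server's code. It
builds the reply attributes the server must return for FortiGate to place
a client in a VLAN, for both cases on this page: an 802.1X (Enterprise)
user mapped by group, and MAC RADIUS authentication on a PSK/Open SSID,
where the User-Name is the client's MAC address. The group, user and MAC
tables, the MAC formatting accepted, and the FreeRADIUS 'users' rendering
are this example's assumptions.
"""
import re
from typing import Dict, Optional, Tuple

# IETF attribute numbers and enumerated values (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
NAS_PORT_TYPE_WIRELESS = 19          # Wireless-802.11


def vlan_reply(vlan_id: int) -> Dict[int, object]:
    """The three attributes that move the client into vlan_id."""
    return {
        TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
        TUNNEL_PRIVATE_GROUP_ID: str(vlan_id),
    }


def normalize_mac(s: str) -> Optional[str]:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff (the
    delimiter and case FortiGate uses are configurable); return 12 lowercase
    hex digits, or None if the value is not a MAC address."""
    digits = re.sub(r"[:\-.]", "", s)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return digits.lower()


GROUP_VLANS = {"staff": 10, "contractors": 20}             # assumed
USER_GROUPS = {"alice": "staff", "bob": "contractors"}      # assumed
MAC_VLANS = {"001122334455": 30,   # printer, assumed
             "aabbccddeeff": 40}   # thermostat, assumed
DEFAULT_VLAN = 99                  # guests / unknown MACs stay here


def enterprise_policy(user_name: str) -> Tuple[str, Dict[int, object]]:
    """802.1X: the supplicant identity is a real user; map group -> VLAN."""
    group = USER_GROUPS.get(user_name)
    if group is None:
        return "Access-Reject", {}
    return "Access-Accept", vlan_reply(GROUP_VLANS[group])


def mac_auth_policy(user_name: str, request: Dict[str, object]) -> Tuple[str, Dict[int, object]]:
    """MAC RADIUS auth on a PSK/Open SSID: User-Name is the client MAC.
    FortiGate adds Called-Station-Id, NAS-IP-Address, NAS-Identifier and
    NAS-Port-Type to the request; NAS-Port-Type is checked here so a wired
    request cannot reuse the wireless MAC table. A MAC is spoofable, so this
    segments devices; it does not authenticate them."""
    if request.get("NAS-Port-Type") != NAS_PORT_TYPE_WIRELESS:
        return "Access-Reject", {}
    mac = normalize_mac(user_name)
    if mac is None:
        return "Access-Reject", {}
    return "Access-Accept", vlan_reply(MAC_VLANS.get(mac, DEFAULT_VLAN))


def freeradius_users_entry(mac: str, vlan_id: int) -> str:
    """Render one FreeRADIUS 'users' file stanza for a MAC-authenticated
    device. Assumes FortiGate sends the MAC as both User-Name and password."""
    m = normalize_mac(mac)
    if m is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return (f'{m}\tCleartext-Password := "{m}"\n'
            f'\tTunnel-Type = VLAN,\n'
            f'\tTunnel-Medium-Type = IEEE-802,\n'
            f'\tTunnel-Private-Group-Id = "{vlan_id}"\n')


if __name__ == "__main__":
    print(enterprise_policy("alice"))
    req = {"NAS-Port-Type": NAS_PORT_TYPE_WIRELESS,
           "Called-Station-Id": "70-4C-A5-11-22-33:IoT-PSK"}   # constructed
    print(mac_auth_policy("AA-BB-CC-DD-EE-FF", req))
    print(freeradius_users_entry("00:11:22:33:44:55", 30))
```

Unknown MACs deliberately get the default (guest) VLAN rather than a reject, which matches the IoT segregation design above where the PSK network stays open to guests; a reject would be the stricter choice if only inventoried devices should join the SSID at all.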

WIDS and Rogue AP Management

  • Wireless Threat Categories:

    • Wireless Intrusion Attempt: Methods used to bypass security or cause Denial of Service (DoS).

    • Rogue AP Types:

      • True Rogue: Malicious AP intended to compromise security, for example by phishing credentials or providing a backdoor into the network.

      • Wired Rogue AP: Installed inside the perimeter and connected to the wired infrastructure.

      • Rogue AP (Unconnected): Placed inside the perimeter but not connected to the local infrastructure.

      • Uncontrolled AP: Non-malicious device connected to the infrastructure but not managed by the IT department.

    • Interferer AP: Adjacent neighboring AP causing Radio Frequency (RF) interference due to poor configuration.

  • Wireless Intrusion Detection System (WIDS):

    • Profiles detect threats such as weak WEP IVs (Initialization Vectors), null SSID probe responses, deauthentication floods (DoS), invalid MAC OUIs (Organizationally Unique Identifiers), and EAP/beacon floods.

    • Profiles are assigned to radios within the FortiAP profile.

  • Rogue AP Detection Methods:

    • Background Scanning: Opportunistic scanning while the serving radio is idle; by default a scan starts every 600 seconds and dwells on each scanned channel for 20 ms. Because the radio leaves its serving channel, it can cause packet loss under heavy traffic.

    • Dedicated Monitor: A dedicated radio or AP that performs continuous foreground scans. It cannot serve clients but provides the fastest discovery and is required for active suppression.

  • On-Wire Rogue AP Detection:

    • Compares MAC addresses in wireless traffic to those seen on the wired LAN.

    • Exact MAC Address Match: Identifies if the same MAC is seen on both wired and wireless segments.

    • MAC Adjacency: Useful if the rogue AP is a router performing NAT. Matches LAN and Wi-Fi MACs with close hexadecimal values.

    • Default adjacency value is 7 (range 0 to 31), meaning the two MAC addresses may differ numerically by at most 7. Configurable via CLI under config wireless-controller global: set rogue-scan-mac-adjacency <0-31>.

  • Suppressing Rogue APs:

    • The controller sends deauthentication messages to rogue clients (mimicking the rogue AP) and to the rogue AP (mimicking its clients).

    • Restriction: Requires a dedicated monitoring radio.

    • Legal Warning: Administrators must verify regional laws/regulations before enabling active suppression.

    • Technical Challenge: Clients that negotiate 802.11w (Management Frame Protection) discard unauthenticated deauthentication frames, so spoofed deauthentication does not work against them and suppression is difficult on newer clients.

  • Phishing and Fake SSIDs:

    • Fake SSID: Broadcasts the exact official SSID.

    • Offending SSID: Broadcasts a similar SSID (e.g., "FTNT" instead of "Fortinet"); up to 128 user-defined patterns are supported.

    • Detection is configured via CLI under config wireless-controller setting. Log events are generated every 15 minutes.
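
The on-wire rogue checks (exact MAC match and MAC adjacency, default 7) and the fake/offending SSID checks above, run over a constructed scan as an added example. This is not FortiOS code: the observed APs, the wired MAC table, the managed BSSIDs, the SSID list and the shell-style wildcard pattern syntax are all assumptions made for the example.

```python
"""Rogue and phishing-SSID triage over a constructed scan.

Added example, not FortiOS code. It models the on-wire checks on this page
(exact MAC match, and MAC adjacency with the default value 7) and the
fake/offending SSID checks, over hand-made observed APs, a wired MAC table,
the managed BSSIDs and offending-SSID patterns. Shell-style wildcard
patterns and every MAC and SSID below are assumptions for the example.
"""
import fnmatch
from typing import Dict, Iterable, List, Optional

DEFAULT_MAC_ADJACENCY = 7      # rogue-scan-mac-adjacency default (range 0-31)


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def on_wire_match(bssid: str, wired_macs: Iterable[str],
                  adjacency: int = DEFAULT_MAC_ADJACENCY) -> Optional[str]:
    """'exact' if the BSSID itself was seen on the wired LAN, 'adjacent' if
    a wired MAC is within `adjacency` of it numerically (a NAT router's LAN
    MAC and its radio BSSID usually differ by a few units), else None."""
    b = mac_to_int(bssid)
    result = None
    for w in wired_macs:
        diff = abs(mac_to_int(w) - b)
        if diff == 0:
            return "exact"
        if diff <= adjacency:
            result = "adjacent"
    return result


def ssid_check(ssid: str, official_ssids: Iterable[str],
               offending_patterns: Iterable[str]) -> Optional[str]:
    """Fake SSID = our exact SSID from a radio we do not manage;
    offending SSID = a look-alike matching one of the patterns."""
    if ssid in official_ssids:
        return "fake-ssid"
    for pat in offending_patterns:
        if fnmatch.fnmatchcase(ssid, pat):
            return "offending-ssid"
    return None


def triage(observed: List[Dict[str, str]], wired_macs: Iterable[str],
           managed_bssids: Iterable[str], official_ssids: Iterable[str],
           offending_patterns: Iterable[str],
           adjacency: int = DEFAULT_MAC_ADJACENCY) -> Dict[str, List[str]]:
    """Tag every unmanaged BSSID; an empty list means a neighbour AP that is
    neither on our wire nor impersonating us (at worst an interferer)."""
    findings: Dict[str, List[str]] = {}
    for ap in observed:
        if ap["bssid"] in managed_bssids:
            continue                       # our own radios
        tags = []
        wire = on_wire_match(ap["bssid"], wired_macs, adjacency)
        if wire:
            tags.append("on-wire-" + wire)
        phish = ssid_check(ap["ssid"], official_ssids, offending_patterns)
        if phish:
            tags.append(phish)
        findings[ap["bssid"]] = tags
    return findings


# Constructed data for the example; none of these are real networks.
MANAGED_BSSIDS = {"70:4c:a5:10:20:30"}
OFFICIAL_SSIDS = {"Fortinet"}
OFFENDING_PATTERNS = ["FTNT*", "Fort?net", "*Fortinet*"]
WIRED_MACS = ["00:11:22:33:44:50",    # a desktop on an access port
              "d8:0d:17:aa:bb:00"]    # a consumer router's LAN-side MAC
OBSERVED = [
    {"bssid": "70:4c:a5:10:20:30", "ssid": "Fortinet"},    # our AP
    {"bssid": "d8:0d:17:aa:bb:02", "ssid": "Fortinet"},    # NAT router cloning our SSID
    {"bssid": "00:11:22:33:44:50", "ssid": "FreeWifi"},    # desktop bridging its NIC as a soft AP
    {"bssid": "0a:bb:cc:dd:ee:01", "ssid": "FTNT-Guest"},  # look-alike, not on our wire
    {"bssid": "d8:0d:17:aa:bb:08", "ssid": "Home"},        # differs by 8 > 7: not matched
    {"bssid": "3c:37:86:00:00:01", "ssid": "CoffeeShop"},  # neighbour
]

if __name__ == "__main__":
    for bssid, tags in triage(OBSERVED, WIRED_MACS, MANAGED_BSSIDS,
                              OFFICIAL_SSIDS, OFFENDING_PATTERNS).items():
        print(f"{bssid}  {', '.join(tags) or 'neighbour'}")
```

The "bb:08" entry shows the adjacency boundary: raising rogue-scan-mac-adjacency catches routers whose radio MAC is further from their LAN MAC, at the cost of more false matches against unrelated devices from the same vendor batch.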

Wired Networking Best Practices

  • Design Principles:

    • Oversubscription: The ratio between the aggregate bandwidth of the downstream ports and the upstream (uplink) bandwidth; uplinks are normally provisioned below the combined maximum of all attached devices, so the ratio expresses how much contention is accepted. Access-layer ratios are evolving from 20:1 toward 1:1.

    • Redundancy and Resiliency: Preventing single points of failure. Access layer switches should be dual-homed.

    • MCLAG and Fast Convergence: Use Multichassis Link Aggregation and FortiGate Clustering Protocol (FGCP) to minimize downtime.

    • Quality of Service (QoS): Prioritizing critical real-time traffic (voice/video) over lower-priority flows during congestion.

    • Future-Proofing: Anticipating bandwidth growth (approx. 50% per year) by implementing multigigabit Ethernet (2.5 GbE, 5 GbE) and core switches supporting 100 GbE links.

Wireless Networking Best Practices

  • Access Point Channelization:

    • Improper settings cause Co-Channel Interference (CCI).

    • Radios on the same channel whose signals reach each other at stronger than -80 dBm are likely to cause issues.

    • Solutions: Reduce transmit power (not below the recommended minimum of about 10 dBm), change channels, or disable interfering radios (it is common to disable selected 2.4 GHz radios as 5 GHz AP density increases).

  • Limiting SSID Broadcasts:

    • Each SSID generates management frames broadcast at low data rates, consuming airtime.

    • Impact: Broadcasting 10 SSIDs on one channel consumes approximately 32% of available airtime for management alone.

    • Best Practice: Limit SSIDs to five or fewer per AP.

  • Load Balancing and Handoffs:

    • AP Handoff: Moves the client with the lowest RSSI to another AP when the current AP exceeds its client threshold.

    • Frequency Handoff (Band Steering): Encourages dual-band clients to use 5 GHz instead of 2.4 GHz by ignoring their initial 2.4 GHz join requests.

  • Probe Response Threshold:

    • Configurable threshold (default -80 dBm, range -20 to -95 dBm) below which an AP does not respond to a client's probe request.

    • Prevents "sticky" clients at extreme ranges from connecting with low link rates that waste airtime for everyone.

    • Best practice is to adjust in small (5 dB) increments if clients connect to suboptimal, distant APs.

  • Advanced SSID/VAP Tweaks:

    • Multicast to Unicast Conversion: Converts multicast streams to unicast for each client. While it increases data volume, unicast uses higher link rates and consumes significantly less airtime than standard multicast rates.

    • Disabling 802.11b Rates: Raises the rate at which management frames are sent from 1 Mbps to 6 Mbps. Improves airtime efficiency but removes support for legacy 802.11b-only clients and reduces effective AP range.

    • Disabling Lower Data Rates: Granular control (e.g., set rates-11bg) forces clients to roam faster once they hit the lowest allowable rate, maintaining higher overall network throughput.
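
A small airtime model for the SSID-count guidance and the 802.11b-rates point above, as an added example (not a Fortinet tool). It counts beacon airtime only, so real management overhead (probe responses and other frames) is higher. The parameters are assumptions chosen to land near the "10 SSIDs, about 32%" figure in the text: a 380-byte beacon, the usual 100 TU (102.4 ms) beacon interval, a 192 µs DSSS long preamble at 1 Mbps and a 20 µs OFDM preamble at 6 Mbps.

```python
"""Management-frame airtime versus SSID count and lowest basic rate.

Added example; not a Fortinet tool. It models beacon airtime only (probe
responses are ignored, so real overhead is higher) with these assumptions:
a 380-byte beacon, the default 100 TU (102.4 ms) beacon interval, a 192 us
DSSS long preamble at 1 Mbps and a 20 us OFDM preamble at 6 Mbps.
"""
from typing import List, Tuple

BEACON_INTERVAL_US = 102_400.0               # 100 TU
PHY_OVERHEAD_US = {1.0: 192.0, 6.0: 20.0}   # assumed preamble + PLCP/SIGNAL


def beacon_airtime_us(frame_bytes: int, rate_mbps: float) -> float:
    """Time one beacon occupies the channel at the given basic rate."""
    return PHY_OVERHEAD_US[rate_mbps] + frame_bytes * 8 / rate_mbps


def management_airtime_fraction(n_ssids: int, rate_mbps: float = 1.0,
                                frame_bytes: int = 380) -> float:
    """Share of each beacon interval spent on beacons for n_ssids SSIDs
    (every SSID on a radio is its own BSS and beacons independently)."""
    return n_ssids * beacon_airtime_us(frame_bytes, rate_mbps) / BEACON_INTERVAL_US


def max_ssids_within_budget(budget: float, rate_mbps: float = 1.0,
                            frame_bytes: int = 380) -> int:
    """Largest SSID count whose beacon overhead stays within `budget`
    (a fraction of airtime, e.g. 0.10 for ten percent)."""
    return int(budget * BEACON_INTERVAL_US // beacon_airtime_us(frame_bytes, rate_mbps))


def airtime_table(max_ssids: int = 10) -> List[Tuple[int, float, float]]:
    """(SSID count, fraction at 1 Mbps, fraction at 6 Mbps) for 1..max_ssids."""
    return [(n, management_airtime_fraction(n, 1.0), management_airtime_fraction(n, 6.0))
            for n in range(1, max_ssids + 1)]


if __name__ == "__main__":
    print("SSIDs  @1 Mbps (11b on)  @6 Mbps (11b rates off)")
    for n, at1, at6 in airtime_table():
        print(f"{n:5d}  {at1:16.1%}  {at6:24.1%}")
    print("SSIDs within a 10% beacon budget:",
          max_ssids_within_budget(0.10, 1.0), "at 1 Mbps vs",
          max_ssids_within_budget(0.10, 6.0), "at 6 Mbps")
```

With these assumptions ten SSIDs at 1 Mbps cost about 32% of the channel and five cost about 16%, while the same ten SSIDs beaconing at 6 Mbps cost about 5%: disabling the 802.11b rates buys roughly a sixfold reduction in beacon overhead, which is why the two recommendations (five or fewer SSIDs, and dropping 802.11b rates where legacy clients are gone) are usually applied together.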