Managing “Bring Your Own Device”

Security policies for devices

Security policies enable you to implement policies according to device type. For example:

  • Gaming consoles cannot connect to the company network or the Internet.
  • Personal tablet and phone devices can connect to the Internet but not to company servers.
  • Company-issued laptop computers can connect to the Internet and company servers. Web filtering and antivirus are applied.
  • Employee laptop computers can connect to the Internet, but web filtering is applied. They can also connect to company networks, but only if FortiClient Endpoint Security is installed to protect against viruses.

The following images show these policies implemented for WiFi to the company network and to the Internet.


Device policies for company laptop access to the company network

Device policies for WiFi access to the Internet

The next section explains device policy creation in detail.

Creating device policies

Device-based security policies are similar to policies based on user identity:

  • The policy enables traffic to flow from one network interface to another.
  • NAT can be enabled.
  • UTM protection can be applied.

To create a device policy

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Choose Incoming Interface, Outgoing Interface and Source as you would for any security policy.
  3. In Source, select an address and the device types that can use this policy. You can select multiple devices or device groups.
  4. Turn on NAT if appropriate.
  5. Configure Security Profiles as you would for any security policy.
  6. Select OK.
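The same device policies expressed in the FortiOS CLI, as an added example rather than text from the guide. Interface names (wifi, wan1, internal) and the policy IDs are assumed placeholders, and the built-in device type names are quoted as the editor recalls them for FortiOS 5.x; confirm them on your unit before use.

```text
# Added illustration, not part of the original guide. Interface names,
# policy IDs and names are placeholders; device type names are assumed.

# 1. Device identification must be enabled on the interface the
#    devices arrive on, or the "devices" match below never fires.
config system interface
    edit "wifi"
        set device-identification enable
    next
end

config firewall policy
    # 2. Personal phones and tablets: Internet only, web filtering on.
    edit 10
        set name "byod-phones-to-internet"
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set devices "iphone" "ipad" "android-phone" "android-tablet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set logtraffic all
    next
    # 3. Gaming consoles: explicit deny with logging, so blocked
    #    attempts show up in the traffic log instead of vanishing
    #    into the implicit deny.
    edit 11
        set name "deny-gaming-consoles"
        set srcintf "wifi"
        set dstintf "wan1" "internal"
        set srcaddr "all"
        set dstaddr "all"
        set devices "gaming-console"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

No policy grants personal devices access to internal servers, so that traffic falls through to the implicit deny; add a separate policy for company laptops with FortiClient enforcement as described in the next section.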

Adding endpoint protection

Optionally, you can require that users’ devices connecting to a particular network interface have FortiClient Endpoint Security software installed. Devices without an up-to-date installation of FortiClient software are restricted to a captive portal from which the user can download a FortiClient installer. For information about creating FortiClient profiles, see “Endpoint Protection”.

To add endpoint protection to a security policy

  1. Go to Network > Interfaces and edit the interface.
  2. In Admission Control turn on Allow FortiClient Connections and FortiClient Enforcement.
  3. Optionally, select sources (addresses and device types) to exempt from FortiClient enforcement.
  4. Optionally, select destination addresses and services to exempt from FortiClient enforcement.
  5. Select OK.

FortiOS pushes a FortiClient profile out to the FortiClient software, configuring network protection such as antivirus, application control, and web category filtering. To create these profiles, go to Security Profiles > FortiClient Profiles.

FortiClient endpoint licence updates

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.


Model(s)                                   Maximum Client Limit
VM00                                       200
FGT/FWF 30 to 90 series                    200
FGT 100 to 400 series                      600
FGT 500 to 900 series, VM01, VM02          2,000
FGT 1000 to 2900 series                    20,000
FGT 3000 to 3600 series, VM04              50,000
FGT 3700D and above, VM08 and above        100,000

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.



This entry was posted in Administration Guides, FortiGate on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
