Security policies for devices
Device-based security policies let you apply different policies according to the type of device making the connection. For example:
- Gaming consoles cannot connect to the company network or the Internet.
- Personal tablet and phone devices can connect to the Internet but not to company servers.
- Company-issued laptop computers can connect to the Internet and company servers. Web filtering and antivirus are applied.
- Employee laptop computers can connect to the Internet, but web filtering is applied. They can also connect to company networks, but only if FortiClient Endpoint Security is installed to protect against viruses.
The following images show these policies implemented for WiFi to the company network and to the Internet.
Device policies for company laptop access to the company network
Device policies for WiFi access to the Internet
The next section explains device policy creation in detail.
Creating device policies
Device-based security policies are similar to policies based on user identity:
- The policy enables traffic to flow from one network interface to another.
- NAT can be enabled.
- UTM protection can be applied.
To create a device policy
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Choose Incoming Interface, Outgoing Interface and Source as you would for any security policy.
- In Source, select an address and the device types that can use this policy. You can select multiple devices or device groups.
- Turn on NAT if appropriate.
- Configure Security Profiles as you would for any security policy.
- Select OK.
Adding endpoint protection
Optionally, you can require that users’ devices connecting to a particular network interface have FortiClient Endpoint Security software installed. Devices without an up-to-date installation of FortiClient software are restricted to a captive portal from which the user can download a FortiClient installer. For information about creating FortiClient profiles, see "Endpoint Protection".
To add endpoint protection to a security policy
- Go to Network > Interfaces and edit the interface.
- In Admission Control, turn on Allow FortiClient Connections and FortiClient Enforcement.
- Optionally, select sources (addresses and device types) to exempt from FortiClient enforcement.
- Optionally, select destination addresses and services to exempt from FortiClient enforcement.
- Select OK.
FortiOS pushes a FortiClient profile out to the FortiClient software, configuring network protection such as antivirus, application control, and web category filtering. To create these profiles, go to Security Profiles > FortiClient Profiles.
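The following is an added example, not part of the FortiOS documentation: a small Python model of the four device policies listed at the top of this page combined with the FortiClient enforcement exemptions from the procedure above. It assumes two destination labels ("internet" and "company"), a WiFi interface with enforcement turned on, and that compliance is checked on traffic a policy would otherwise accept; it shows how exempting the Internet destination lets employee laptops browse without FortiClient while company servers still require it.

```python
# Added example (not from the FortiOS documentation above): a small model of
# the four device policies and the FortiClient enforcement exemptions
# described on this page, so the combined behaviour can be checked.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    devices: frozenset   # device types matched in the policy's Source
    dst: str             # assumed destination label: "internet" or "company"
    profiles: tuple      # security profiles applied to accepted traffic


# Constructed policy table mirroring the page's bullet list. Anything not
# matched here falls through to the implicit deny, as on a FortiGate.
POLICIES = (
    Policy(frozenset({"company-laptop"}), "internet", ("webfilter", "antivirus")),
    Policy(frozenset({"company-laptop"}), "company", ("webfilter", "antivirus")),
    Policy(frozenset({"employee-laptop"}), "internet", ("webfilter",)),
    Policy(frozenset({"employee-laptop"}), "company", ()),
    Policy(frozenset({"tablet", "phone"}), "internet", ()),
)


@dataclass(frozen=True)
class Enforcement:
    """FortiClient enforcement on an interface, with its exemptions."""
    exempt_devices: frozenset = frozenset()
    exempt_dsts: frozenset = frozenset()


# Assumed WiFi interface settings: personal devices are exempt by device type,
# and exempting the Internet destination is what lets employee laptops browse
# without FortiClient while company servers still require it.
WIFI = Enforcement(exempt_devices=frozenset({"tablet", "phone"}),
                   exempt_dsts=frozenset({"internet"}))


def evaluate(device, dst, forticlient_ok, enforcement=WIFI):
    """Return (verdict, profiles); verdict is accept, deny or captive-portal."""
    match = next((p for p in POLICIES if device in p.devices and p.dst == dst), None)
    if match is None:
        return ("deny", ())
    # Modelling choice: compliance is checked on traffic a policy would accept;
    # a non-exempt device without up-to-date FortiClient is sent to the portal.
    if (not forticlient_ok and device not in enforcement.exempt_devices
            and dst not in enforcement.exempt_dsts):
        return ("captive-portal", ())
    return ("accept", match.profiles)
```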