FortiNAC: Network Access Control (NAC) Product Review


Although best known for its industry-leading firewall technology, Fortinet harnesses its knowledge of network protection to create a powerful network access control (NAC) solution. With strong scalability and robust support for detecting, profiling, and onboarding traditional and non-traditional IT devices, FortiNAC is a strong option for many enterprises to consider.

To compare FortiNAC against their competition, see the complete list of top network access control (NAC) solutions.

Who is Fortinet?

Fortinet, founded in 2000 and headquartered in Sunnyvale, California, is best known for its flagship FortiGate enterprise-grade firewalls. The company acquired Bradford Networks and its Network Sentry NAC product in 2018. Fortinet trades on the NASDAQ exchange under the stock symbol FTNT.

FortiNAC

FortiNAC provides the network visibility to see everything connected to the network, as well as the ability to control those devices and users, including dynamic, automated responses. FortiNAC functions well as a basic NAC for wired and wireless connections with employee and guest users on traditional workstations, laptops, servers, and mobile devices.

FortiNAC also delivers network segmentation and automated responses specifically for IoT security. FortiNAC provides profiling of each device on the network and enables granular network segmentation and automated responses for changes in device status or behavior.

Additionally, FortiNAC can enforce company policies on device patching and firmware version. FortiNAC is integrated with FortiGate and other Fortinet products.

Agents

FortiNAC uses four types of agents to scan hosts to determine the endpoint’s compliance with endpoint policies:

  • Dissolvable Agent:
    • Temporary agent downloaded by the user
    • Deletes itself once the endpoint passes the compliance check
    • Available for Windows, macOS, Linux
  • Passive Agent:
    • Not installed; runs in memory to perform a scan in the background
    • Only available for Windows
  • Persistent Agent (Plus or Pro licenses only):
    • Downloaded agent installed by the user, login script, etc.
    • Provides messages to the user during scans
  • Mobile Agent:
    • Downloaded and installed on mobile devices
    • Verifies if the device is jailbroken

Applicable Metrics

Each control server manages from 2,000 to 25,000 network ports for physical appliances and up to 25,000 ports per virtual appliance. Appliances can be clustered and managed by a management appliance (physical or virtual) that can manage an unlimited number of users.

Security Qualifications

Although FortiNAC can help satisfy many of the requirements of various compliance and certification processes, Fortinet has not obtained formal certification for the FortiNAC solutions.

Features

  • Network discovery scans for users, apps, and devices; identifies rogue devices and endpoint anomalies
  • Device profiling classifies types of assets and current compliance with access policies
  • NAC scan failure options:
    • Warning to administrators; network access granted
    • Warning to users; network access granted
    • Endpoints denied access to the production virtual local area network (VLAN); endpoints are placed on a quarantine or remediation VLAN
  • Device management integration with a variety of Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions
  • Network access policy development and enforcement
  • Firewall segmentation to isolate endpoints by policy using the firewall to create VLANs
  • Internet-of-Things (IoT) onboarding can be performed automatically with approval from a sponsoring user
  • MAC Address Bypass allows for port-based access control based upon the device’s unique MAC address identifier
  • REST API integration with other devices
  • Customized reporting for key performance metrics, compliance reports, etc.
  • User authentication (Plus or Pro licenses only) can use a captive portal or the agent to verify users (in addition to their devices)
  • Multi-factor certificate authentication using full RADIUS (EAP) for Plus and Pro licenses to provide device-specific certificates
  • Guest and BYOD onboarding (Plus or Pro Licenses) enable users to authenticate bring-your-own-device (BYOD) endpoints or guests to obtain access to the full or a limited portion of the network
  • Web and Firewall Single-Sign-On (SSO) can be enabled with Plus or Pro licenses
  • Security event integration for inbound (Pro only) or outbound (Plus or Pro) events
  • Incident response (Pro license only) features such as event correlation, audit trails, guided triage workflows, and alert criticality and routing
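The scan-failure options, MAC address bypass, and policy enforcement items above describe a decision that every NAC makes per connecting endpoint: compare scan results against policy, then assign the port to a production or remediation VLAN. The following toy access-decision engine is an added example written for this review; it is not FortiNAC code and makes no claim about how Fortinet implements these features. The VLAN numbers, the `FailureMode` names, the compliance checks (antivirus state, patch age, jailbreak flag) and the sample MAB allowlist are all constructed assumptions.

```python
"""Toy NAC access-decision engine (added example, not FortiNAC code).

Models the three scan-failure handling modes listed in the review
(warn administrators, warn users, move to a quarantine/remediation VLAN)
plus MAC address bypass (MAB) for agentless devices such as printers
or sensors. All names, VLAN numbers and sample data are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Constructed VLAN ids; a real deployment takes these from switch/firewall config.
PRODUCTION_VLAN = 100
REMEDIATION_VLAN = 900


class FailureMode(Enum):
    WARN_ADMIN = "warn_admin"   # alert an administrator, still grant access
    WARN_USER = "warn_user"     # notify the user, still grant access
    QUARANTINE = "quarantine"   # deny production VLAN, move to remediation VLAN


@dataclass
class ScanResult:
    antivirus_enabled: bool
    os_patch_age_days: int      # constructed: days since the last OS update
    jailbroken: bool = False    # the mobile-agent check from the Agents section


@dataclass
class Decision:
    mac: str
    vlan: int
    granted: bool
    reason: str
    alerts: List[str] = field(default_factory=list)


@dataclass
class Policy:
    max_patch_age_days: int
    failure_mode: FailureMode
    # MAB allowlist: canonical MAC -> device label (constructed)
    mab_allowlist: Dict[str, str] = field(default_factory=dict)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-22-AA-BB-CC' and
    '0011.22aa.bbcc' compare equal; rejects anything that is not 12 hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def compliance_failures(scan: ScanResult, policy: Policy) -> List[str]:
    """List every policy check the endpoint fails (empty list means compliant)."""
    failures = []
    if not scan.antivirus_enabled:
        failures.append("antivirus disabled")
    if scan.os_patch_age_days > policy.max_patch_age_days:
        failures.append(f"OS patches {scan.os_patch_age_days} days old")
    if scan.jailbroken:
        failures.append("device jailbroken")
    return failures


def decide(mac: str, policy: Policy, scan: Optional[ScanResult]) -> Decision:
    """Return the VLAN/access decision for one endpoint.

    scan is None for agentless devices; those are admitted only through the
    MAB allowlist and otherwise land on the remediation VLAN.
    """
    mac = normalize_mac(mac)
    if scan is None:
        label = policy.mab_allowlist.get(mac)
        if label:
            return Decision(mac, PRODUCTION_VLAN, True, f"MAB allowlisted ({label})")
        return Decision(mac, REMEDIATION_VLAN, False, "unknown agentless device")

    failures = compliance_failures(scan, policy)
    if not failures:
        return Decision(mac, PRODUCTION_VLAN, True, "compliant")

    summary = "; ".join(failures)
    if policy.failure_mode is FailureMode.QUARANTINE:
        return Decision(mac, REMEDIATION_VLAN, False, summary,
                        [f"user:{mac} moved to remediation VLAN ({summary})"])
    # The two "warn" modes grant access but record who gets told.
    target = "admin" if policy.failure_mode is FailureMode.WARN_ADMIN else "user"
    return Decision(mac, PRODUCTION_VLAN, True, summary, [f"{target}:{mac} {summary}"])


if __name__ == "__main__":
    # Constructed sample policy and endpoints.
    policy = Policy(30, FailureMode.QUARANTINE, {"00:11:22:aa:bb:cc": "lobby printer"})
    for mac, scan in [("00-11-22-AA-BB-CC", None),
                      ("aa:bb:cc:dd:ee:01", ScanResult(True, 5)),
                      ("aa:bb:cc:dd:ee:02", ScanResult(False, 45))]:
        print(decide(mac, policy, scan))
```

The warn modes are the ones worth a second look in practice: they keep the port on the production VLAN, so the alert is the only record that a non-compliant device was admitted. Routing those alerts into the event integration described in the feature list, rather than only to the end user, is what turns them into something a security team can act on.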

Pros

  • Extensive non-standard device support that recognizes and controls over 2,500 network devices and millions of IoT devices
  • Automation that enables deployment at scale and improves ROI
  • Deployment options: physical or virtual appliances plus multiple appliance clustering and management
  • Scanning options for auditing or risk assessment
  • Supports multiple languages
  • Good visibility into devices on the network including a huge array of IoT devices
  • Simple configuration of policy rules and segmentation
  • Centralized architecture for ease of deployment and management
  • Extensive third-party support through direct integrations and APIs

Cons

  • Scanning agents have been validated against only English-language versions of supported operating systems
  • Requires ongoing FortiCare support licenses to keep network and IoT device databases current
  • Remediation issues can require manual fixes and external servers to download updates
  • Unintuitive and outdated user interface
  • Works better with newer equipment; legacy equipment may have integration issues
  • Deployment can be difficult and time consuming

Intelligence

With the top-level Pro license, FortiNAC provides real-time automated threat responses that can immediately quarantine any device that acts suspiciously. Security teams can configure FortiNAC to send alerts, lock down access ports, deliver relevant information to an analyst, and integrate with other security tools to shorten response times.

Delivery

FortiNAC requires hardware appliances or virtual machine (VM) installation. Fortinet offers four dedicated hardware appliance versions:

  • Control & Application Server
    • 2,000 network ports: FortiNAC-CA-500C
    • 15,000 network ports: FortiNAC-CA-600C
    • 25,000 network ports: FortiNAC-CA-700C
  • FortiNAC-M-550C Management Server (unlimited capacity) to manage environments deploying multiple appliances

FortiNAC deploys both the Control & Application and the Management appliances as either next-gen VMs (VMware, Hyper-V, AWS, Azure, kernel-based virtual machine (KVM)) or standard VMs (VMware, Hyper-V).

In addition to the appliance, the organization must also license the software and should obtain FortiCare Support for maximum functionality. FortiCare services are also available for organizations that want to engage Fortinet experts to deploy, operate, and maintain the FortiNAC instance.

Pricing

Fortinet does not publish pricing information, but does provide an ordering guide for FortiNAC products. FortiNAC offers perpetual and subscription licenses, hardware and VM appliances, and professional services to give customers flexible options, but this also leads to a large number of potentially confusing product numbers. Still, compared to some other large competitors in the market, Fortinet provides clearer explanations of the licenses required to achieve specific capabilities.

Fortinet sells its products through reseller partners, which may offer volume discounts, incentives, services, and other related products or services. Some partners publish list prices, which allow for ballpark estimates of some prices.

FortiNAC Hardware and Virtual Appliance estimated prices include:

  • 2,000 Network ports, suitable for SMB, FNC-CA-500C
    • $21,000 or less for server with RAID, redundant power supplies
    • $4,150 or less for 1 year of FortiCare Premium support
  • 15,000 Network ports, mid-sized enterprise suitable, FNC-CA-600C
    • $41,000 or less for server with RAID, redundant power supplies
    • $8,100 or less for 1 year of FortiCare Premium support
  • 25,000 Network ports, suitable for SMB, FNC-CA-700C
    • $95,000 or less for server with RAID, redundant power supplies
    • $19,000 or less for 1 year of FortiCare Premium support
  • Optional multi-FortiNAC Management Server, FNC-CA-550C
    • $41,000 or less for server with RAID, redundant power supplies
    • $8,100 or less for 1 year of FortiCare Premium support
  • Regular and next-gen VM servers, control and application or manager
    • $3,400 or less for server
    • $700 or less for 1 year of FortiCare Premium support

Once the FortiNAC server is in place, an organization needs to license the FortiNAC application itself. Fortinet offers subscription licenses that include support and perpetual licenses for which support must be purchased separately. Software licenses are estimated to be:

  • Perpetual license (for the lowest tier of 100 endpoints):
    • $1,100 Base software + $110 for 24×7 FortiCare Support
    • $2,600 Plus software + $250 for 24×7 FortiCare Support
    • $3,300 Pro software + $320 for 24×7 FortiCare Support
  • Subscription (for the lowest tier of 25 endpoints):
    • $200 Base software
    • $355 Plus software
    • $420 Pro software

Higher tiers obviously cost more, but will reflect volume discounts on a per-endpoint basis.

Bottom Line: Best for IoT and OT Control

As organizations mature, automated NAC solutions save enormous time for IT and security teams to onboard users, detect network devices, and automatically quarantine devices that do not meet policy requirements (antivirus, operating system updates, etc.). In addition to controlling the traditional human-user endpoints (laptops, phones, etc.), a growing number of wired and wireless equipment requires a security solution to protect the expanding network.

Hospitals famously deploy legacy IoT devices such as heart monitors, oxygen sensors, and other special-purpose devices that require protection. However, many other industries now find themselves adding ‘smart’ devices to their networks such as:

  • Radio Frequency Identification (RFID) for logistics / transportation
  • Smart moisture monitors for agriculture
  • Fire sensors for building safety
  • 5G connected manufacturing equipment
  • Wireless sensors connected to conveyor belts
  • Temperature sensors for chemical plants

FortiNAC can recognize and control over 2,500 network devices and millions of IoT devices, providing an effective solution for protecting IoT and industrial technology. It also provides robust NAC capabilities for easy onboarding of employees, guests, and both corporate-owned and BYOD endpoints. Anyone with IoT needs seeking a NAC should add FortiNAC to their consideration list.

This article was originally written by Drew Robb on May 7, 2019, and updated by Chad Kime on March 31, 2023.
