Updated: December 2022
Fortinet's FortiNAC is a network access control solution that provides visibility, control, and automated response for everything that connects to the network, enhancing the security fabric. FortiNAC protects against Internet of Things (IoT) threats, extends control to third-party devices, and orchestrates automated responses to a variety of networking events.
Using many information and behavior sources, FortiNAC delivers extensive profiling of even headless devices on your network, allowing you to precisely identify what's on your network.
You can change the configurations of switches and wireless equipment from more than 70 vendors to implement micro-segmentation regulations. You can also extend the security fabric's reach in diverse contexts.
With FortiNAC, you can respond in seconds to events in your network to stop attacks from spreading. FortiNAC offers a rich and customized set of automation policies that can rapidly trigger configuration changes when the relevant behavior is seen.
Fortinet FortiNAC Features
Fortinet FortiNAC has many valuable key features. Some of the most useful ones include:
Fortinet FortiNAC Benefits
There are many benefits to implementing DX Spectrum. Some of the biggest advantages the solution offers include:
Reviews from Real Users
Fortinet FortiNAC stands out among its competitors for a number of reasons. Two major ones are its robust network segmentation and its device visibility. PeerSpot users take note of the advantages of these features in their reviews:
A Senior Proposal Manager at a tech services company writes of the solution, “The network segmentation is the most important part of the solution. The integration with the Zero Trust Access solution is a crucial part of segmenting your network.”
Eranjaya K., Security Engineer at Eguardian lanka, notes, “We use Fortinet FortiNAC to receive excellent visibility of our network for traffic and what devices are connected to prevent attacks.” He adds, “I have found Fortinet FortiNAC to be scalable.”
Fortinet FortiNAC was previously known as FortiNAC, Bradford Networks, Bradford Networks Sentry, Network Sentry Family.
Isavia, Pepperdine University, Medical University of South Carolina, Columbia University Medical Center, Utah Valley University
Our customers use it for micro-segmentation in the network and authentication.
We typically install this solution for medium-sized companies.
It expands authentication. It's incredibly good with profiling and onboarding methods.
Overall, it's a great product. The GUI is a little bit strange — different than other Fortinet products. It could be more user-friendly.
I have been using this solution for one year.
Fortinet FortiNAC is both scalable and stable.
Their technical support is very good. I am satisfied.
It depends on the client and infrastructure, but it's very well documented. FortiNAC has a huge documentation library with a really good deployment and installation guide.
Deployment time depends on the size and infrastructure of the company.
I handle the implementation for our customers but I rarely perform maintenance.
I believe there are three types of licenses based on three uses: visibility, control, and response — if I remember correctly.
Be sure to carefully read over the documentation pack because it's really great — I absolutely love it.
On a scale from one to ten, I would give this solution a rating of ten.
We are a solution provider and this is one of the products that we implement for our clients.
The most valuable features are the ease of deployment and ease of use.
The reporting is good.
This solution could be more agile.
The technical support is in need of improvement.
I have between six and eight months of experience with FortiNAC.
FortiNAC is a stable solution.
This is a scalable solution and most of our customers are enterprise-level organizations. The majority are financial institutions and government bodies.
I feel that technical support can be improved.
The complexity of the installation and the length of time for deployment depends on the client's requirements, as well as their level of involvement.
The pricing is similar to that of other solutions.
My advice for anybody who is considering this product is to first do a proof of concept. Everybody has different requirements and it is best to ensure that FortiNAC meets your needs before implementing it.
I would rate this solution a seven out of ten.
We are a solution provider and this is one of the products that we implement for our clients.
My role is security and I deal with products to protect data centers. FortiNAC makes up part of the security solution in a data center.
The most valuable features are usability and security.
The response and resolution time for technical support issues need to be improved. Support overall needs to be a little faster.
I have two years of experience with FortiNAC.
FortiNAC is a stable product.
Scalability depends on licensing. Our customers vary in size from small and medium-sized businesses to enterprise-level organizations.
The technical support is in need of improvement because sometimes it takes too long to resolve issues.
I have worked with other similar solutions including Cisco ISE. I find that many of the SMBs and Enterprise-level customers choose Cisco instead.
The installation is pretty simple. The length of time for deployment depends on the planning and what is in the environment. It will normally take about a day.
I would rate this solution a seven out of ten.
We are a solution provider and this is one of the products that we implement for our customers. It is used as part of the network security and protects our clients.
This solution is very easy to implement and use.
The interface is user-friendly.
The most valuable feature for us is the support for iOS and iPhones.
The problem with Fortinet is that if you want to be 100% secure then you have to buy other products. It should support better integration with third-party solutions.
The reporting capability needs to be improved.
We have been using FortiNAC for about three years.
FortiNAC is a stable solution.
It is a scalable solution, although the scalability also depends on the other products that it is integrated with. Our customers are medium-sized and enterprise-level organizations. Our clients have about 500 users.
This solution is so stable that we have not had any problems and never needed to contact technical support.
I am also working with Cisco ISE. It is very complicated compared to FortiNAC.
It is very easy and straightforward to implement.
Three of our engineers were involved in the deployment. One of them focuses on security and the others take care of networking.
The licensing fees are a little bit high.
I try to push the use of this product because sometimes the complicated solutions like Cisco ISE make the customers feel annoyed.
My advice to anybody who is considering this solution is that if the budget allows it, the entire security solution should be made up of Fortinet products. They integrate well and it will be better overall. A complete and secure solution will include products like FortiSandbox and FortiAnalyzer as well.
I would rate this solution an eight out of ten.
I was certified in FortiNAC (Part of Fortinet-NSE6) last year and I've personally implemented FortiNAC in three organizations. We work as a team with people who have expertise in different areas and Vendors and have exposure to different infrastructures.
FortiNAC scans your network to discover every user, application, and device (IoT). With up to 18 different techniques, it can then profile each element based on observed characteristics and responses for granular visibility. We then apply state-based control (eth0 VLAN switching) and policy-based control rules for access control and response.
Anyone (Domain users, Contractors, guests, etc) wanting to connect to the network has to be accessed by the NAC. Users come in at different times and some may be working from branches or home through a VPN and they will be authenticated in the same way with different privileges on the Network.
So it has to run 24/7. It's authenticating users all the time. We are gold partners with FortiNAC.
There are quite a number of things that are valuable about this solution. Having dealt with Cisco ISE, I realize that FortiNAC is different in a way that gives you granular visibility of the entire network infrastructure related to IOT devices (Who, What, When, Which information). It's helpful that you can know what's going on from your phone, your tablet, and from home. The solution provides containment, reporting and security event-alarm mapping and saves log and carries out further analysis for cyber thefts. It really is a good solution.
I've realized that one of the issues is the need to use agents. For instance, if a domain user has to authenticate on the network via FSSO or Certificate management he has to have a persistent agent.
The admin UI is not that good. It could be better matched and more friendly to use and it cannot work as a RADIUS server. You have to have a RADIUS server which means bringing in a FortiAuthenticator to build it.
The other thing would probably be the visibility granular. For example, when I have a user at a particular branch, I can't tell what SSIDs they are connected to. I only have the IP addresses so if the wireless controller is integrated with FortiNAC, you're going to realize that you won't be able to know whether a particular person is connected, that an AP is connected to a particular SSID, is connected to. . . etc. It only gives you the IP addresses, host names, etc. That has to be improved and I am sure it will be in the next build version.
Additional features, would be an agentless link and adopters - online, offline adopters - it picks the IP's, the host names, the layer 3 information, layer 2 information, what's connected. And also to give different privileges, best rule privileges to users.
VLAN interswitching (state-based controls) could be quicker when doing the process flow from different sorts of authentication. When it comes to guests or contractors, you don't want to use a dissolvable agent. It dissolves in the process of downloading, but it takes longer and that could be improved.
I've been using the solution for a year and a half.
FortiNAC is pretty stable. We initially had a couple of troubleshooting issues in the deployments but we worked them out and it's fine now and has pretty good visibility across the network for every device, application and user, extend control of the network to third-party products and automated responsiveness.
You won't find so many NAC solutions like it. I mean it's granular, you will see a lot that you need to ask. It will give you all the controls you need and it has event alarm mapping, - I mean "you can't control what you can't see"
It is very scalable, you can have as many features and access points as you want, as you have. It depends on the licenses, but you can have as many IoT devices (switches, routers, firewalls, WLC, etc.) as you want and as many features as you want. You can have visibility to all the ports of the switches on the NAC, you can easily see Who, What, When, Which information then control and respond.
Technical support is good. You create a ticket and within that ticket you explain what challenges you're facing. They assign you an engineer who'll help solve the issue. It's pretty easy and straight forward and they're always there to help.
Initial setup is pretty easy. If you're doing a VM setup, you do the registration on the Fortinet portal, and then you set the IP addresses. I think it's pretty good when you're implementing it the first time, it's very easy but when you get to tests, which are the UAT's, you're most likely to have a few issues that you need to be aware of.
Deployment time depends on the kind of customer. For example, the current implementation I'm doing has an assessing vendor. 90% of the network is wireless and 10% is cabled in network. They have more than 80 access features, more than 80 routers, and two wireless controllers. They have a number of databases and different firewalls - to use that fountain it slows things down. You're also dealing with Domain users, contractors and Guests in different locations. Obviously this will take more time than a project with less infrastructure devices. It really depends on the nature of the infrastructure.
There is a base license level which pretty much gives you topologies and groupings automation/control, etc. When it comes to policies, it's only going to give you user host profiling and network access. If you're looking for endpoint compliance, integrations, incident response and reporting, then you have to go for a Plus or PRO license.
You need to think about what you need as a company. There are so many government institutions, so many corporate institutions in the world that want to protect their networks. People have different privileges within a network, an instructor cannot have the same privileges as a normal user and the guest. We have guests coming onto our network, contractors coming to work at different times on the network, the main users who are working in different departments and who shouldn't have access to some platforms. When it comes to authentication you need to make sure you're protected from all kinds of threats. You have different products, vendors and devices that all need to be controlled. If something goes off you need to know where and why.
I would rate this product an eight out of 10. It's still evolving.
You can simply control the whole network; you can even check your switches' configuration.
Compliance checks are a good feature. Compliance check is for Windows updates and for antivirus updates, etc.
Security is also good. No guest can enter without credentials, such as usernames and passwords. You have full visibility, which is very good.
The implementation process needs improvement. Right now, it's somewhat complicated. They could create some templates to facilitate implementation. Right now everything is done manually, and it just takes a really long time at the initial setup.
I've been using the solution for three years.
The solution is stable.
The solution is easily scalable. Once you have one working correctly, you can expand easily to make it as big as you want. However, setting up the first properly takes time.
I've contacted technical support three or four times. They have been very good.
We didn't previously use a different solution.
The initial setup is complex. How long it takes to deploy depends on the complexity of the project, for example, if you are setting up the solution at branches or just at one location. So long as the team is cooperating and coordinating, it shouldn't take more than three months. You only need one to two engineers to deploy the solution. Afterward, you may only need one person for maintenance.
You need professional engineers to set up the solution. Only trained and experienced people will be able to handle the implementation.
We use the on-premises deployment model.
In terms of advice I'd give to others, I'd say the most important thing to worry about is organizing the network, like active directory groups and groups of users, etc. Organize the groups with VLAN IDs that are not too specific and the VLANs should be on all company switches.
I'd rate the solution eight out of ten.
The solution is generally used for compliance and other related items such as network visibility.
The most valuable features of the solution are the user-friendliness, the graphical interface, and the technical support. The interface is very nice and the customization is good.
Overall, our clients seem to be quite pleased with the product.
For our organization and our clients, the price is the main concern. They should work to make it more competitive.
Customization could be improved in future releases.
I recently deployed the product. I've been using it for about a year.
Regarding scaling, I don't believe I would know about the requirements related to scaling the product. However, in terms of the device itself, my client is fully sufficient with the license. He has the number of devices he needs in order to monitor everything. I don't believe our client has scaled it, so I don't know how easy or difficult scaling is.
Our clients are largely medium-sized enterprises and may have up to about 400 devices on site.
I've never reached out to technical support myself and have never opened a support ticket, but I have heard that the solution is quite good at handling customer queries.
We've used community support and it's been quite good. We've found most of the answers to our queries using it.
The initial setup is quite straightforward. We didn't run into any complexities during the implementation.
We're a Fortinet partner.
I would recommend the product to others. Usability is a crucial thing for networking and this product offers that. I'm not familiar with other NAC products. However, I think every organization should be implementing NAC. That does not always mean just FortiNAC products. There are other NAC products as well. We are very fortunate to have access to such products that continue to help our customers.
Overall, I'd rate the solution eight out of ten.
I don't exactly remember the version our clients are using currently, however, I believe it is VM-based for 2000 devices.
We don't actually use the solution in our own organization, but we have deployed it and we provide service, support, and monitoring on the devices to our clients.
I'm a senior network architect and our company is a reseller of FortiNAC. This is a new product for me and we'll be starting implementation shortly. We've been testing the product and I'm just finishing the course. I'll be implementing for our client which is a medium-size company.
The interface is good and simple to use. Some of the ideas presented on the online course could be clearer, like policy creation. But the interface and other features are very good.
I think that the course content could be improved, it's not that simple to work through. I'm an expert on Cisco ISE. And also I have CCIE on Cisco. I made a comparison between Cisco ISE and FortiNAC. Cisco ISE has full integration but FortiNAC doesn't.
I've been using FortiNAC for just one month.
I'll have a better idea next week about the stability, once it's been tested in the production environment.
The communication with customer support is fine from an administration perspective. But it's lacking documentation on the concept of how the technology works. There are no documents in the FortiNAC library relating to network function.
I would rate this product an eight out of 10.
We are only consultants, so we implement FortiNAC for our customers. The good part about FortiNAC is that it works seamlessly across either public cloud, private cloud, a hybrid one or on premises. So, depending on the client's requirements, I usually suggest that they go for public cloud where they have remote locations, and that they go for an application where they have a large deployment, adequate network and technical staff to support the requests.
The features we generally propose are basically agent-based authentication and the agent case solution product for wireless endpoints, which allow them to do automatic registration, and the third would be the health checks.
Something that the developers of FortiNAC might look at to improve, is more integration with third-party products. The dashboard also needs to improve.
FortiNAC is quite a stable solution.
FortiNAC is a highly scalable product. The licenses remain unlimited. It's a subscription-based license, which is based on the usage and number of concurrent users. So the good part is that it can be deployed out of any environment.
The technical support for us has been extremely good and the local support is excellent.
The initial setup was easy and straightforward. The deployment can be done within a day.
The good thing about FortiNAC is that it's more vendor agnostic. And then we have the deployed FortiNAC activate solution, which are different kinds of firewalls, which works perfectly fine.
On a scale from one to 10, my rating for this program will be a nine. Additional features that I would like to see included in the next release of this solution is more integration with third-party products and probably some improvements on the dashboard.
The solution is good at giving a deep dive into each product. It tells you, for example, what is connected to the network. It gives us good reporting tools.
I think the network devices need to give more information.
In the next release, we'd like to see more information on controlling, for example, adding more policies etc. We should get more information about IoT devices, and have more information available for the users.
Scalability can be improved.
The solution is good, so I've had no reason to contact Technical Support.
This is the first product we have used.
The initial setup was straightforward. You only need one person for deployment and maintenance.
We used a consultant to assist with implementation. They were good. We didn't have a problem with them.
We evaluated so many other products but we found the features of this solution to be the most valuable.
I would rate this solution at a seven or eight out of 10. If they improved their network devices and their IoT product I would rate them higher. The solution is pretty inexpensive. That's why we are using it. I am satisfied with the interface, the dashboard, and the overall support.
The primary use case is that we are using it as a network access control (NAC), preventing external devices from plugging into the network or foreign computers from joining the network.
We are using the latest version.
When it works, it's great. It keeps things off the network which are supposed to be off the network.
When it works, doing what it's supposed to.
Not using a Java front-end would be fantastic. It takes forever to load the system up and get in there to configure everything. It is too slow to do anything at all.
The stability is relatively poor, as it has taken us roughly 12 months to get the network access control to be functional. It took us six months to get the USB lockdown to work appropriately. It still false flags mice, etc. On top of it, it broke once we finally got the network access control working. It literally took us 12 months for people to be blocked on an Ethernet connection, and it takes about 90 seconds to knock them off. Even then, it's only 50/50. We have escalated this every week for 12 months, and I'm not sure we'll be renewing this contract.
The technical support is bad. We've had to escalate to Tier 2 and Tier 3. My customer relationship manager on the other side of this has stopped returning phone calls and emails, because there has been such a constant back and forth.
We didn't have something prior. We had someone do a security audit on us, and they made some recommendations of things that we were missing. We contacted a managed service provider to recommend things to fix these issues, and this was one of those things. We went with what the managed service provider recommended as a solution along with having a short timeframe.
The initial setup was highly complex. Every time you get one piece to work, everything else breaks. We have not been able to get a full solution in place.
We used a managed service provider to help get everything up and running.
The process was frustrating. They managed a lot of our network as is, and they've done several of these setups. They moved from the previous version to the newest version, and they have even stopped recommending it as a solution because they don't want to do this again with another customer.
Look into the complexity of using tools. Anything that is difficult to manage will probably be painful to maintain.
We have a very aggressive roadmap with a fairly mature security posture.
It’s a unified place where we can manage campus onboarding/BYOD NAC security.
It has provided port/wireless security to all devices trying to connect to our campus network.
Interaction with other vendors' switches & APs should be more thoroughly tested as integration between Networks Sentry and other networking equipment needs to be seamless for this product to work.
I've been using it for five years.
We had no issues with deployment.
We had no issues with the stability.
We had no issues with the scalability.
Customer service leaves a lot to be desired. Most times the engineers blame the customer’s network even before they collect the necessary data regarding an issue. We’ve discovered several flaws and bugs with the system on various occasions, only to have Bradford support deny there’s a problem or make fun of the customer. Also, response time on cases has been terrible. After opening a case, it could take days before an initial response from TAC is performed. Even after that... cases can linger open for weeks or months before any feasible solution is found. We had a case regarding integration with Aerohive open for over a year. Furthermore, case resolution follows very non-standard practices in the industry. In many instances, TAC engineers close the cases without notice or without asking the customer if it's OK to close the case or if the issue has been resolved.
This is the first NAC appliance we ever used on-campus.
Initial set-up required engineers to be on-site to configure the box to work with our network. Thus, I would say it was complex (this was in 2010; it might be different now).
We implemented through a team provided by the vendor. I would advise testing implementation in a small building before making a campus-wide deployment.
Pricing & Licensing are fair as far as we can tell.
I would make sure this product integrates well with the customer’s network before deployment. We had to move away from this product recently on the Wireless side of the network as the Sentry would not integrate well with our Aerohive Wireless Infrastructure. We had an issue where the Sentry would not properly communicate with the APs and thus would let customers blocked from our network for no particular reason. Since this issue went unresolved for over three years, we decided to implement a different Wireless NAC solution and cut back our Bradford licenses to less than half of the original (we’re now using Bradford only to secure our wired network).
Auto Switch port Tagging – Allows for easy management without using consoles.
Currently this product manages access to our Wi-Fi network; it is also used to prevent rogue devices from gaining access to our LAN.
I've used it for one and a half years.
It deployed just fine for us.
Issues with polling switches, hosts not being updated with accurate host names affected its stability.
It scaled well enough for us.
As there is currently not any UK based support – Poor.
Personally did not set up the product but rather complex overhearing conversations.
This is a very complex product which is very good when used correctly, it has control over fundamental parts of your network so correct configuration and implementation strategy is a must.
Out of 6500 wireless devices we see issues with less than 0.5% of clients. Though the product has many features we only utilize a fraction of them. We use the product for registration and management of our wireless network (NAC). The most valuable asset is visibility in to what a client is and who is using it. By forcing guests/users to register their BYOD devices we know who they are and can then apply appropriate web filtering policies to them based on a number of factors. We can then use that data to export reports etc on usage of our wireless network as a whole and troubleshoot as needed.
Prior to using the product we had a fully open wireless network. This means anyone could come in off the street and connect to our wifi. We would not have knowledge of who they are if they did something illegal or wrong. Our level of security has increased greatly as well as our knowledge of who is on our network.
We have had issues with certain Windows 10 devices not being able to register which requires manual intervention to fix. I think they are working on this issue. As Windows 10 devices grow this issue will become greater.
Another major pain point is management of existing and new wireless access points. You must import the APs into Network Sentry every time you put them on the network. It's also advised to use DHCP reservations for each AP. The system does not delete APs if you remove them from production as well. This means you must remove the APs from Sentry each time it's taken out of production or placed in a new building etc. The initial setup of an AP doubled as a result of using this product. There are steps that must be performed and if any are missed, the AP becomes a black hole resulting in zero connectivity for clients connecting to it.
We’ve used this solution for two years.
Their technical support is an 8/10. They are responsive and have the ability (if you allow) to log into your equipment remotely and fix problems or perform upgrades. They are helpful in answering questions and configuration assistance is always available as this product is complex at first.
The initial deployment took three days however we encountered many issues. The main factor was our network set-up was not fully understood by Bradford prior to purchase and deployment. This created many issues while we were in production with 10-15% of our users having connectivity problems every day. We were not fully operational until 3 months after deployment.
Initial set-up was done via a “Quick Start” where the bare bones are implemented by an on-site tech. This is not meant to be a full implementation but to get the foundation in place. The on-site tech was knowledgeable but again, we had issues with understanding our network set-up and its complexity which were not discovered in the quick start.
Vendor team on site, which we paid for. In house is available but would have been very time consuming to learn and implement. I would not recommend quick start but instead have a tech on site for a minimum of 5-7 business days to fully understand the product. It's not until you are in full production that you will see issues and have questions. Ask questions, learn how the product works deep down.
Pricing is expensive but cheaper than some other solutions out there. Licensing is based on number of concurrent devices and a number of other factors depending on implementation type. Yearly maintenance fees are very reasonable and highly recommended. ROI is immediate for us in terms of visibility.
We did not evaluate other solutions other than on a cost basis.
Explain your network set-up in full detail with diagrams. VLANs, SSIDs, switch vendors, wireless vendors, subnets. What methods do you use today for wireless authentication (802.1x/WPA2-PSK/Open)? Show them everything and what it looks like to be a client on your network today and the process to get on-line. This product manages both wired and wireless networks if you choose both options. This product can also do posturing of devices to ensure they meet criteria like current updates and antivirus etc. We are not using that functionality yet however.