When FortiNAC-F manages VPN clients through a FortiGate, the agent plays a fundamental role in device identification that standard network protocols cannot provide on their own. In a standard VPN connection, the FortiGate establishes a Layer 3 tunnel and assigns a virtual IP address to the client. While the FortiGate sends a syslog message to FortiNAC-F containing the username and this assigned IP address, it typically does not provide the hardware (MAC) address of the remote endpoint's physical or virtual adapter.
FortiNAC-F relies on the MAC address as the primary unique identifier for all host records in its database. Without the MAC address, FortiNAC-F cannot correlate the incoming VPN session with an existing host record to apply specific policies or track the device's history. By running either a Persistent or Dissolvable Agent, the endpoint retrieves its own MAC address and communicates it directly to the FortiNAC-F service interface. This allows the "IP to MAC" mapping to occur. Once FortiNAC-F has both the IP and the MAC, it can successfully identify the device, verify its status, and send the appropriate FSSO tags or group information back to the FortiGate to lift network restrictions.
Furthermore, while the agent can also perform compliance checks (Option D), the architectural requirement for the agent in a managed VPN environment is primarily driven by the need for session data correlation—specifically the collection of the IP and MAC address pairing.
"Session Data Components: • User ID (collected via RADIUS, syslog and API from the FortiGate). • Remote IP address for the remote user connection (collected via syslog and API from the FortiGate and from the FortiNAC agent). • Device IP and MAC address (collected via FortiNAC agent). ... The Agent is used to provide the MAC address of the connecting VPN user (IP to MAC)." —FortiNAC-F FortiGate VPN Integration Guide: How it Works Section.
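The correlation described above (user and virtual IP from the FortiGate syslog, MAC from the agent, joined on the IP) as a small added model; this is constructed example code, not FortiNAC-F or FortiGate code, and the syslog field names, host table, addresses and group name are all assumptions.

```python
# Toy model of the IP-to-MAC correlation described above. Constructed example,
# not FortiNAC-F/FortiGate code; field names, host table and addresses are assumed.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed host database keyed by MAC, FortiNAC-F's primary identifier.
HOSTS = {"00:11:22:33:44:55": {"owner": "alice", "group": "Corp-Laptops"}}

# Constructed FortiGate-style tunnel-up line: user and virtual IP, no MAC.
SYSLOG_RE = re.compile(
    r'user="(?P<user>[^"]+)"\s+tunnelip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
)

@dataclass
class Session:
    user: str
    ip: str
    mac: Optional[str] = None

class Correlator:
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}  # virtual IP -> session
        self.pending_macs: dict[str, str] = {}  # agent reported before syslog

    def on_syslog(self, line: str) -> Session:
        m = SYSLOG_RE.search(line)
        if m is None:
            raise ValueError("no VPN session fields in syslog line")
        # If the agent already reported this IP, join immediately.
        s = Session(m["user"], m["ip"], self.pending_macs.pop(m["ip"], None))
        self.sessions[s.ip] = s
        return s

    def on_agent_report(self, ip: str, mac: str) -> Optional[Session]:
        mac = mac.lower()
        s = self.sessions.get(ip)
        if s is None:
            self.pending_macs[ip] = mac  # hold until the syslog arrives
            return None
        s.mac = mac
        return s

    def fsso_group(self, ip: str) -> Optional[str]:
        """Group to push to the FortiGate, or None while the host is unknown."""
        s = self.sessions.get(ip)
        if s is None or s.mac is None or s.mac not in HOSTS:
            return None  # no MAC or unknown MAC: keep restrictions in place
        return HOSTS[s.mac]["group"]
```

Until the agent supplies a MAC that matches a host record, `fsso_group` returns None and the session stays restricted, which is the gap the agent closes.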