The integration of FortiNAC-F with FortiGate VPN requires a specific policy workflow to bridge the gap between initial user authentication and full network access. When a user connects to the VPN, the FortiGate typically provides the User ID and IP address, but FortiNAC-F requires a MAC address to uniquely identify and manage the endpoint's record.
According to the FortiGate VPN Integration Guide, the Endpoint Compliance Policy is a mandatory component of this setup because it is used to designate the required agent type. Because a VPN connection is Layer 3, FortiNAC cannot "see" the MAC address through traditional SNMP or L2 polling. The compliance policy instructs the system to present a Captive Portal to the remote user, requiring them to download and run either the Persistent or Dissolvable Agent. The agent then reports the device's MAC address back to FortiNAC, allowing the system to correlate the VPN session with a host record.
Once the agent is running and the MAC is known, FortiNAC-F can evaluate the device's security posture (if scanning is configured) and send the necessary FSSO tags back to the FortiGate to lift the initial network restrictions. Without the compliance policy to enforce the agent requirement, the connection would remain in an isolated "IP-only" state with no unique hardware identity.
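To make the correlation step concrete, here is an added illustration in Python; it is not code from the page, from Fortinet, or from FortiNAC-F. It models only the decision logic described above: a VPN session is known by user and tunnel IP, an agent report adds the MAC and a posture result, and a session without a usable MAC stays in the isolated "IP-only" state. The tag names, the data shapes, and the sample sessions and reports are all constructed placeholders; real FSSO tag names are whatever the administrator configured.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder FSSO tag names (assumption): real names are deployment-specific.
TAG_ISOLATED = "VPN_ISOLATED"
TAG_ALLOWED = "VPN_ALLOWED"

_MAC_HEX = re.compile(r"^[0-9A-Fa-f]{12}$")


@dataclass
class VpnSession:
    """What the FortiGate side supplies: a user and a tunnel IP (no hardware identity)."""
    user: str
    ip: str


@dataclass
class AgentReport:
    """What the Persistent/Dissolvable agent adds: the MAC address and a posture result."""
    ip: str
    mac: str
    compliant: bool


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as lowercase colon-separated hex, or None if it is not 48 bits of hex.

    Agents may report colons, dashes, Cisco-style dots or bare hex; a host record
    must key on one canonical form or the same device gets duplicate records.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if not _MAC_HEX.match(digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def correlate(sessions: List[VpnSession], reports: List[AgentReport]) -> Dict[str, dict]:
    """Match each VPN session to an agent report by tunnel IP and decide the tag to send.

    No report, or a report with an unusable MAC, means no hardware identity: the
    session stays isolated behind the captive portal. A valid MAC creates a host
    record, but the restriction is lifted only when the posture result is compliant.
    """
    reports_by_ip = {r.ip: r for r in reports}
    decisions: Dict[str, dict] = {}
    for s in sessions:
        report = reports_by_ip.get(s.ip)
        mac = normalize_mac(report.mac) if report else None
        if mac is None:
            decisions[s.user] = {"state": "ip_only", "mac": None, "tag": TAG_ISOLATED}
        elif not report.compliant:
            decisions[s.user] = {"state": "non_compliant", "mac": mac, "tag": TAG_ISOLATED}
        else:
            decisions[s.user] = {"state": "identified", "mac": mac, "tag": TAG_ALLOWED}
    return decisions


# Constructed sample data, not captured from a real deployment.
SAMPLE_SESSIONS = [
    VpnSession("alice", "10.212.134.10"),  # agent ran, compliant
    VpnSession("bob", "10.212.134.11"),    # never ran the agent
    VpnSession("carol", "10.212.134.12"),  # agent ran, failed the scan
    VpnSession("dave", "10.212.134.13"),   # agent reported garbage as the MAC
]
SAMPLE_REPORTS = [
    AgentReport("10.212.134.10", "00-11-22-AA-BB-CC", compliant=True),
    AgentReport("10.212.134.12", "0011.22aa.bbdd", compliant=False),
    AgentReport("10.212.134.13", "not-a-mac", compliant=True),
]


if __name__ == "__main__":
    for user, d in correlate(SAMPLE_SESSIONS, SAMPLE_REPORTS).items():
        print(f"{user:6} state={d['state']:14} mac={d['mac']} tag={d['tag']}")
```

Running the block prints one line per session; only alice is released, bob and dave remain IP-only because no usable MAC ever arrived, and carol has a host record but keeps the isolation tag until the scan passes.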
"The Endpoint Compliance Policy is necessary to control the agent requirement for VPN users. Create a default VPN Endpoint Compliance Policy to distribute an agent via captive portal for isolated machines. This policy allows the administrator to designate the required agent type (Persistent or Dissolvable) that will be used to collect the hardware (MAC) address and perform health scans on the remote endpoint." — FortiNAC FortiGate VPN Integration Guide: Default Endpoint Compliance Policy (Optional) Section.