Data Sheet

FortiGuest

Highlights

• Seamless integration
with multi-vendor
network infrastructure Simplified Guest Access, BYOD Onboarding, and Policy Management
and client platforms
• Policy- and role-
FortiGuest is a sophisticated network security solution
based provisioning
of wireless/wired specifically designed to address the challenges of guest
network access
• Ease of use for both access in modern environments. By providing a seamless
IT staff and end users
and secure method for granting temporary network access
• Enterprise-strength
authentication and to visitors, contractors, and partners, FortiGuest streamlines
encryption
the process while maintaining the highest level of network
• Reduced IT workload
• Easily deployed integrity.
payment options
With its advanced authentication protocols, comprehensive access controls, and real-time
• Integrated RADIUS
monitoring capabilities, FortiGuest ensures that guest users can enjoy a hassle-free and
server for quick and
protected experience. Whether it’s controlling bandwidth usage, preventing unauthorized
easy deployment of
access, or safeguarding sensitive data, FortiGuest offers a robust and reliable solution for
AAA services
managing guest access while prioritizing network security.
• Dynamic network
access control with
RADIUS CoA
• RADIUS and LDAP
Authentication
1
 FortiGuest Data Sheet

Deployment

Available in For Any User On Any Network With Any Device

Packaged in a simple, wizard-driven application, FortiGuest addresses all aspects of deploying
BYOD and managing IT workloads effectively, including:

• Onboarding for internet access with 802.1X authentications, across multiple operating
systems (iOS, Android, Microsoft Windows, Apple Mac OS X)
Virtual and devices (laptops, smart phones, tablets)
• Vendor-agnostic, wired and wireless network user access,
device onboarding, policy and access management
• Role- (visitor, contractor, employee) and device-based
policy management
• Integrated reporting and auditing
• Retrieval and verification of identity- and group-based
policies across multiple identity stores (LDAP/AD, RADIUS,
RadSEc, External DB, and social networking identities)
• Integrated policy and reporting across specialized
policy enforcement devices like firewalls
• Optimization for running on virtualized environments

2
FortiGuest Data Sheet

Key Features and Benefits

• Fully-integrated platform for policy- and role-based provisioning of wireless and wired
network access
• Seamless integration with multi-vendor network infrastructure and client platforms
• Simplified secure user access and BYOD
• Support for existing infrastructure and employee or visitor devices

Social media option for user onboarding

Access policy gated by both user and device

• Enterprise-strength authentication and encryption
• Comprehensive activity monitoring and reporting
• Protection of the network and sensitive data
• Appropriate use and audit support

Highlights

User Roles
FortiGuest looks at a variety of device and role trust relationships to provide unique access
across common scenarios found in enterprises, schools, universities, hotels, and other places
of business. They can be summarized as follows:

DEVICE TYPES
CORPORATE OWNED EMPLOYEE OWNED
USER ROLES (TRUSTED) (UNTRUSTED)
Employee (Trusted)
Hotel managers, engineers, Trusted access; Tightly Onboarding required;
doctors, nurses, teachers, controlled corporate identity restricted access based on
faculty server (AD, LDAP). policy. Possibly, restricted
Full access to resources access to resources allowed
allowed by role. by role.

Contractor (Trusted)
Consultants, temporary Trusted access; Tightly Onboarding required;
workers, vendors at event, controlled corporate identity restricted access based on
students, conference staff server (AD, LDAP). policy. Possibly, restricted
Full access to resources access to resources allowed
allowed by role. by role.

Guest / Visitor (Untrusted)

Patients, ticketed audience, Untrusted access – Self
parents provisioning or sponsored
visitor access.
Internet only access.

3
FortiGuest Data Sheet

Highlights
User Access
User access offers both sponsored and self-provisioned user or visitor account creation.
Multiple accounts can easily be created by uploading account information into FortiGuest or
creating accounts in bulk with random usernames and passwords. With FortiGuest, account
management functions, creation, updates, password changes, notifications, deletion, and
reports, are all customizable based on a variety of types of sponsors. These options include
self-sign, front desk at a hotel, front desk at a carpeted enterprise, and security at a company.

User access is optimized for ease of use, for both administrators and end users. It is client-
platform agnostic and supports any platform with a web browser, including iOS, Android, Apple
Mac OS X, and more.

Using social identity (Google, Facebook, Linux, and Twitter accounts) for network access is
becoming a larger trend for unpaid access. This situation creates a win-win for the provider
and the subscriber.

Brand-presence management is catered through the fully-customizable, mobile-adaptable

login portal and walled garden. User account notification can be managed through SMS, a
self-service kiosk, or email, creating a great experience for the user. Administrators can also
provide a variety of portals for visitors logging into their networks based on their locations and
languages, as well as whether or not they are using a traditional laptop, smartphone, or tablet.
FortiGuest supports captive portal language customization.

FortiGuest supports any OS, any mobile device, and any network - regardless of vendor.

ANY OS

Apple Mac
Android Linux Windows
OS X and iOS
ANY MOBILE DEVICE

iPhone, iPod, iPad, and Mac Android phone and tablet Windows phone and PC
ANY NETWORK

Wireless Wired

4
FortiGuest Data Sheet

Highlights
Access Policy and Policy Management
Of paramount concern with networks is the enforcement of appropriate policies for visiting
users. With FortiGuest, administrator-defined individual, group, or general policies can have
customized time-based access, usage-based access, or location-based access. Access to
specific resources as well as bandwidth usage restrictions may be placed on user accounts as
well. In addition, FortiGuest can grant access by looking at user and device policy combined.
This process means that even if the user is a trusted user, FortiGuest can still not allow access
to the network due to an untrusted device that user is using. However, for a trusted device and
user, full network access can be granted.

One of the major complaints against user access through a web portal is the need for users
to re-enter their credentials after their devices “wake up” from the power-save induced sleep
mode. FortiGuest securely addresses this concern to reconnect without having to enter
credentials and still be under the same policy guidelines that were set up for the user profile.

Businesses large and small are moving their IT services such as email, file shares, archiving,
and identity services to public cloud providers such as Google. FortiGuest integrates with
Google apps to authenticate users and guests and onboard them into the network with
appropriate policies.

FortiGuest is not vendor-agnostic for Captive portal redirection from third party WLAN
vendors.

Business Systems Integration

FortiGuest integrates with existing authentication. This avoids duplication of data, maximizes
appropriate use of these resources, and provides a single view into reporting and policies
associated with usage.

Simplify BYOD Provisioning

FortiGuest also provides employees and other trusted users a way to onboard their trusted and
untrusted devices on the secure network. It provides the administrator with flexibility to decide
on the correct level of policy for untrusted devices brought onto the network by a trusted user.

Onboarding refers to auto-provisioning of corporate- or employee-owned devices to use

secure (typically 802.1X authenticated) networks. This rule could be true of wireless or wired
infrastructures.

FortiGuest provides a set sequence of events for non-technical employees and contractors
to set up their devices with appropriate 802.1X settings for accessing the wired or wireless
network. A standard web portal (different from the secure network) is initially presented for
the user to enter their corporate credentials. Once a device connects, its type is detected,
the credentials are verified against a backend device, and based on the administrator’s
configuration, appropriate secure network access settings are downloaded to the device.
The device is then disconnected from the web portal network and reconnected to the secure
network using the new secure settings.

All of the steps done without the need for a client agent, thus providing ease of deployment
and scale. This workflow is very intuitive for the end users and removes their dependence on
IT to onboard their devices. Also from an IT perspective, since the settings are done centrally,
policies can be set effectively and uniformly based on user role, device role, and device type.
5
FortiGuest Data Sheet

Highlights
FortiGuest Walkthrough: Device Onboarding

1. Verify login using web authentication

2. Download an applet to configure 802.1X

3. Automatically connect with 802.1X

Encrypted

User Device Access Point

Secure and Simple Onboarding

Policy is managed via user roles from the corporate identity server such as AD or RADIUS as
configured, into the secure profile. The device policy is added to this profile for a complete
view of that session.

Device authentication and policy management can also be done using device onboarding
for devices such as printers, connected hospital equipment, and other devices that need to
be authenticated before being let onto the network. This action is especially true of devices
that are temporary or short-term leased and do not warrant being managed in the corporate
identity servers.

FortiGuest seamlessly integrates mobile and traditional laptop platforms including Apple
Mac OS, iOS, Android, Linux, and Windows operating systems for onboarding purposes. It
also supports setting up supplicants for a variety of secure 802.1X protocols including PEAP-
MSCHAPv2, PEAP-GTC, and EAP-TLS.

6
FortiGuest Data Sheet

Specifications
TECHNICAL
VIRTUAL APPLIANCE SYSTEM REQUIREMENTS
Minimum Hardware Specifications 4 GB memory, 500 GB disk space, 4 CPU
Hypervisor Support ESXi 7.0 and above
Microsoft Hyper-V on Windows 2008 and later
Linux KVM virtual server version1.5.3 and above
CLIENT PLATFORMS SUPPORTED

Smart Connect Support Windows-11 Pro

Android version-11,12,13
Linux-Ubuntu version 20.04,22.04
iOS 15,16
macOS 12.04
SUPPORTED IDENTITY STORES
RADIUS
RadSec (TLS encoded RADIUS)
Microsoft Active Directory
Any LDAP compliant Directory
MySQL, Microsoft SQL, PostgreSQL, and Oracle SQL
Built-in local store
Facebook, Twitter, Google
FRAMEWORK AND PROTOCOL SUPPORT
RADIUS, RADIUS Dynamic Authorization
RadSec (TLS Encloded RADIUS)
802.1X-2010, 802.1X-2020
PEAP (EAP-MSCHAPv2, EAP-GTC, EAP-TLS)
WPA2, WPA3
PAP, MSCHAPv2
Online Certificate Status Protocol (OCSP)
BROWSERS SUPPORTED
Safari
Microsoft Edge
Chrome
Firefox
BILLING SUPPORT
Credit Card Billing Support Paypal
Authorize.net
Peach Payment
Secure Pay
Sage Pay
PMS Support Oracle Cloud PMS
Hobic

7
 FortiGuest Data Sheet

Ordering Information
Product SKU Description
FortiGuest Subscription FC1-10-STVMS-493-01-DD FortiGuest license subscription for 25 users. Includes 24x7 support.
FC2-10-STVMS-493-01-DD FortiGuest license subscription for 500 users. Includes 24x7 support.
FC3-10-STVMS-493-01-DD FortiGuest license subscription for 2000 users. Includes 24x7 support.
FC4-10-STVMS-493-01-DD FortiGuest license subscription for 10 000 users. Includes 24x7 support.

Fortinet Corporate Social Responsibility Policy

Fortinet is committed to driving progress and sustainability for all through cybersecurity, with respect for human rights and
ethical business practices, making possible a digital world you can always trust. You represent and warrant to Fortinet that you
will not use Fortinet’s products and services to engage in, or support in any way, violations or abuses of human rights, including
those involving illegal censorship, surveillance, detention, or excessive use of force. Users of Fortinet products are required
to comply with the Fortinet EULA and report any suspected violations of the EULA via the procedures outlined in the Fortinet
Whistleblower Policy.

8
 www.fortinet.com

Copyright © 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product
or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser
that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any
such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise
revise this publication without notice, and the most current version of the publication shall be applicable.

June 8, 2023

FGST-DAT-R02-20230608