Linux Agent FAQs

Does the Linux agent install kernel modules?

No. The Linux agent is an user mode program that runs verifiably safe eBPF programs. Hence, it does not have the risks associated with kernel modules.

Are root privileges required for installing a FortiCNAPP agent?

Yes, you must install the FortiCNAPP agent using root privileges:

• Log in as root and run the installer.
• Run the installer with sudo. Running a command with just the sudo prefix invokes the command with root privileges.

During startup, the agent checks that the agent binary and configuration files are owned by root.

Does the FortiCNAPP agent have any package dependencies?

No. The FortiCNAPP agent has no package dependencies. When the FortiCNAPP agent package is installed, FortiCNAPP does not install any shared libraries. The FortiCNAPP agent is a statically linked binary that uses the following libraries:

linux-vdso.so.1
/lib/x86_64-linux-gnu/libdl.so.2
/lib/x86_64-linux-gnu/libpthread.so.0
/lib/x86_64-linux-gnu/libc.so.6
/lib64/ld-linux-x86-64.so.2

Does the FortiCNAPP agent support containers/microservices?

Yes, the FortiCNAPP agent runs in the following environments:

• Agent runs as a Docker container - For more information, see Deploying with Docker. For Docker containers, the FortiCNAPP agent must be run as a privileged container.
• Agent is deployed across a Kubernetes cluster as a daemonset - For more information, see Installing Linux agent on Kubernetes.

When an agent is installed on a node as a DaemonSet or Pod or on the node itself, the agent has container visibility of the following resources:

• Processes running on the host
• Processes running in a container that make a network connection (server or client)
• All container internal servers and processes that are listening actively on certain ports
• File Integrity Monitoring (FIM) on the host
• Host vulnerability on the host

What is the impact of the FortiCNAPP agent on CPU?

The number of connections made by the host determines the CPU impact on an individual system. However, for an average workload, Fortinet has observed CPU usage of 1-3% but the CPU usage varies depending on the number of connections. You can optionally configure a limit for agent CPU usage. For more information, see CPU limit.

Why shouldn't I install the agent on the host and also on the containers running on the host?

You must install the agent only on the host on which containers are provisioned. Installing the agent on a host and also on any containers running on the host will result in increased memory and CPU usage proportional to the number of agents installed. This may cause significant resource usage on the host and degrade general system performance.

How much disk size does the agent use on a machine?

The agent uses approximately 250 MB of disk space on a machine.

How much memory does the FortiCNAPP agent consume?

Fortinet has observed an average of 250-300 MB of memory usage, but memory usage can vary depending on the host workload, such as the number of network connections, running applications, running containers, the amount of metadata processing, etc. FortiCNAPP also has guardrails on the FortiCNAPP agent to prevent the agent from consuming an unlimited amount of memory and CPU on a host. A host is where the agent process is running, either a Docker container or as part of a Kubernetes cluster, virtual machine, or standalone machine.

You can optionally configure a limit for agent memory usage. For more information, see Memory limit.

What is the impact of the FortiCNAPP agent on network resources?

The number of network connections made by the host determines the impact on the individual system. Fortinet has observed data usage of 1-2 Kilo Bytes/sec in current deployments, which translates to around 100-150 MB per system per day of data. A system is where the agent process is running, either a Docker or Kubernetes container, virtual machine, or standalone machine.

Does the FortiCNAPP agent work in the kernel or user space?

The FortiCNAPP agent works in the user space in a passive mode. There is no dependency on IP tables, and the agent does not slow down containerized applications and network connections.

How often does the FortiCNAPP agent collect data?

FortiCNAPP is a continuous monitoring system that collects and monitors metadata of all the processes associated with a network activity. The Polygraph is computed every hour.

What happens to the data collected by the agent if it cannot connect to the FortiCNAPP platform?

The agent can buffer up to 40MB of compressed data which is the equivalent of four hours of data collected on most hosts. When the data in the buffer exceeds 40MB, the agent drops data on a first in, first out basis.

What does the FortiCNAPP agent monitor?

The FortiCNAPP agent monitors the following:

• Every process that sends UDP or TCP packets over the network or receives UDP or TCP packets (client process or server process)
• Processes in all containers
• Any process that is used to log in (if the agent detects that it has network connections)

For every process that the agent monitors, it also monitors the dependent processes. These are the dependent processes:

• Parent process of the monitored process
• Process that belongs to the process group ID of the current monitored process
• Process that belongs to the session ID of the current monitored process
• Process that traces the current monitored process (if there is one)

The agent discovers the dependent processes recursively until it detects a cycle or reaches the root of the process hierarchy.

What affects retrieving vulnerability reports?

The following factors can affect the ability to retrieve vulnerability assessment reports:

• Falling outside of the viewable timeframe
• A container registry is not integrated with FortiCNAPP

To help prevent this, consider integrating container registries with FortiCNAPP because a host running for less than 60 minutes (applicable to host vulnerability only).

How is the Linux agent updated?

By default, the Linux agent is automatically updated when a new fleet upgrade version is available. You can disable automatic updates if you want to manually update the agent. For more information, see Upgrading the Linux agent.

Does the FortiCNAPP agent have remote access?

Fortinet Inc. does not enable remote connection to our Agent. Customers will be notified of any material changes affecting agent connectivity and access.

How can I deploy the agent?

You can deploy the agent with any configuration management tool such as Chef, Puppet, Ansible, or Salt. You can also use the installation script provided by Fortinet Inc. for these configuration management tools.

For single host installations, you can also use the Installing using the install.sh script or embed the FortiCNAPP agent in a base image or AMI.

You can also install from Debian-based (APT) and RPM-based (YUM and Zypper) repositories. For more information, see Installing the Linux agent.

Does the FortiCNAPP agent work with a proxy?

The FortiCNAPP agent supports a proxy configuration. If required, the agent can be configured to use a network proxy by adding proxy information to a configuration file or by creating an https_proxy environment variable. For more information about configuring a FortiCNAPP agent to use a proxy, see Required connectivity, proxies, and certificates for agents.

What Linux versions are supported by the agent?

The agent requires minimal system resources and runs on most 64-bit Linux distributions. For the supported agent Linux operating systems, see Downloading GPG and RSA keys to verify agent release package signature.

What kind of connectivity is needed by the agent?

To be able to communicate with Lacework, the installed agents must be allowed to reach specific URLs. For more information, see Required connectivity, proxies, and certificates for agents.

What authentication methods are used by the FortiCNAPP agent to connect to the FortiCNAPP platform?

To connect to the FortiCNAPP platform, agents require an active access token. If you have a FortiCNAPP account, an agent access token is automatically generated for you. In addition, you can create and disable agent access tokens. For more information, see Managing agent access tokens.

Is the data encrypted when in transit from the agent?

The FortiCNAPP agent encrypts all data when it is in transit to our SAAS service. The data is encrypted over https with port 443 using TLS 1.2.

Is the data compressed by the agent?

The FortiCNAPP agent compresses data before transmission (end-to-end).

Does the agent support the ability to add custom tags?

In addition to importing AWS, Google Cloud, and Azure tags, local tags can be added to agents. For more information, see Adding agent tags.

How is the hostname displayed in the Agents dashboard derived by the agent? Can I override the hostname derived by the agent?

The hostname displayed in the Legacy Agent Dossier dashboard is the actual hostname that you see when you run one of the following commands on the machine:

• uname -a
• hostname

You cannot override the hostname derived by the agent. However, the hostname specified using the Name tag in AWS or similar tags in Azure or labels in Google Cloud are displayed as machine tags in the FortiCNAPP console. Hence, you can use the tag to search or filter information for the host in the FortiCNAPP console. You can also define custom tags for the host in the config.json agent configuration file. For more information, see the following topics:

• Configuring access to tags and metadata in AWS
• Configuring access to labels in Google Cloud
• Adding agent tags

Why do some events not report event details in the FortiCNAPP console?

The monitoring and collection capability of the FortiCNAPP agent was designed to minimize the impact on host VM resources—CPU, memory, and the network. In most conditions, the FortiCNAPP agent is able to attribute a connection to the owning process either as a client or a server. But in certain conditions, the FortiCNAPP agent may not be able to report full details about the owning process. In such cases, the connections are attributed to the virtual machine. Some of those conditions may be associated with the untimely exit of a process while the Linux kernel continues to report the underlying data structures as in the case of socket cleanup timeout. Another condition is when the binary file associated with the process is unreadable (file not found, file content read failure, etc.) from the filesystem, which prevents the FortiCNAPP agent from fully reporting process details.

How can I view where the agents are running in my environment and what version of the agents are running?

From the FortiCNAPP console select Agents to view the Agent monitor table. This page lists the IP addresses where the agent is running and the version number. Also, the Agent upgrades table lists the agent versions that have generated events in your environment over time.

Can the agent capture command-line arguments from processes that generate no network activity?

If it is inside container, it is captured, provided it is long-lived (> 1 minute).

If it is outside the container, even if it opens a local Unix socket, it is monitored.
If you don't want a process to be monitored, ensure that it meets the following requirements:

• Be a process that does not do network activity
• Does not open Unix sockets
• Is not inside containers
• Is not a parent (parent group/trace) of any process that is being monitored
• Is not a login process (like shell)

What is a pod?

A pod defines a running process in Kubernetes and is the smallest entity that can be created or deployed in Kubernetes. A pod is a collection of one or more running containers. For more information, see Pod Overview. A FortiCNAPP agent can be deployed in Kubernetes.

How does FortiCNAPP calculate the monthly agent usage?

Info: This topic describes the legacy FortiCNAPP licensing model. For information on the new pricing and packaging model, see Subscription Management and Subscription Usage.

FortiCNAPP calculates the 95th percentile at the end of the month to get the total agent usage for the month. The following example demonstrates how this is calculated.

1. For each hour, FortiCNAPP counts the number of unique agents that sent data to Lacework.
2. At the end of the month, FortiCNAPP records 720 individual hourly agent counts for every hour in the month (assuming a 30-day month, 24 * 30=720). If the month has 31 days, the number of hourly agent counts is 24 * 31 = 744
3. FortiCNAPP sorts the hourly agent counts from lowest to highest and takes the 95th percentile of the 720 hourly counts. That is, FortiCNAPP sorts the hourly agent counts in ascending order and picks the 684th hourly agent count number. 684 is the 95th percentile of 720 items. For a 31-day month, it’s the 706th position.
4. The number of agents for the month is the 95th percentile number calculated above.

For example in a 30-day month, there are the following agent counts per hour, sorted in ascending order.

1. 500
2. 500
3. 504
4. 504
5. 505
6. 505
7. 505
8. 506
9. ….

682. 690
683. 690
684. 691 <---
685. 691
686. ….
720. 1020

The 95th percentile of the monthly agent count is 691 agents and therefore, FortiCNAPP charges for 691 agents.

What type of agents are counted towards usage and licensing?

Only ACTIVE agents are counted towards usage and licensing. If the agent cannot send data back to backend, it's shown as INACTIVE in the platform.