Fortinet white logo
Fortinet white logo

Administration Guide

7.2.0

Persistent Agent on Linux

Persistent Agent on Linux

To take advantage of the Agent Security some settings must be configured on the host. Settings for Mac OS X hosts are configured in Preferences. At this time we do not have a recommendation for a tool to set preferences.

Security settings

The table below outlines settings that can be configured for Agent Security.

Setting

Options

Allowed Ciphers and Authentication Schemes

Indicates the cipher and authentication schemes that can be used.

CA Trust Length/ Depth

Indicates how deep a chain of certificates to allow between the server's certificate and the certificate's Central Authority.

CA File path

The absolute path to a file containing root and intermediate CA certificates in PEM format.

Security

Indicates whether security is enabled or disabled.

Note: This option is no longer available with agent 5.3 and greater. Security is always enabled.

Home Server

The fully qualified hostname of the default server with which the agent should communicate. If this server is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Allowed Servers

In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Server or FortiNAC Servers with which the agent can communicate.

Restrict Roaming

If enabled, the agent communicates only with its Home Server and servers listed under Allowed Servers.

If disabled, the agent searches for additional servers when the home server is unavailable.

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

Last Connected Server

Server that the agent last connected to and with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this server is not set, it is automatically discovered using Server Discovery.

Discover Servers, Priority, and Ports

Enable or Disable the Agent Discovery Features. Requires Persistent Agent 5.3.0 or newer.

Configuration settings

The table below shows the modifications that need to be made to the host's Preferences. If you use a tool other than GPO, you must make sure to set the appropriate keys on each host.

Value

Data

allowedServers

Comma-separated list of fully qualified hostnames with the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com).

Data Type: String

Default: Empty

homeServer

The fully qualified hostname of the default server with which the agent should communicate.

Data Type: String

Default: Empty

restrictRoaming

False: Do not restrict roaming. Allow agent to communicate with any server.

True: Restrict roaming to the home server and the allowed servers list.

Data Type: Boolean

Default: False

securityEnabled

False: Disable Agent Security.

True: Enable Agent Security

Data Type: Boolean

Default: True

Agent 5.3 and greater: Security is always enabled.

ServerIP

The fully qualified hostname to which the agent should communicate.

Data Type: String

Default: ns8200

caFile

The absolute path to a file containing root and intermediate CA certificates in PEM format.

Data type: String

Default: /etc/ssl/certs/ca-bundle.crt (RPM) or /etc/ssl/certs/ca-certificates.crt (DEB)

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Default: Not Configured

(Tray icon displayed)

Note

If both PersistentAgent.conf and PersistentAgentPolicy.conf are configured on the system, the PersistentAgentPolicy.conf configuration takes precedence over the PersistentAgent.conf configuration.

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

macpollinterval

The maximum number of seconds between attempts to learn of new MAC address added to the host. This is intended to facilitate the quick discovery of VM Guests that have been deployed for use with the VM-Detection feature.

Data Type: Integer

Default: 5

lastConnectedServer

The last server that the Agent successfully connected to. This will be automatically populated by the agent upon successfully connection to a server discovered through SRV records, or from homeServer, or allowedServers list. This value will remain unchanged until the lastConnectedServer is unreachable by the agent and the agent has connected to another server.

Data Type: String

Default: Empty

discoveryEnabled

Enable or Disable Discovery via SRV. The agent will search for SRV Records to prioritize servers and override default ports. If connections to servers are not limited, agents will connect to the discovered server names as well.

0: Disable Discovery.

1: Enable Discovery

Data Type: Integer

Default: 1

Persistent Agent on Linux

Persistent Agent on Linux

To take advantage of the Agent Security some settings must be configured on the host. Settings for Mac OS X hosts are configured in Preferences. At this time we do not have a recommendation for a tool to set preferences.

Security settings

The table below outlines settings that can be configured for Agent Security.

Setting

Options

Allowed Ciphers and Authentication Schemes

Indicates the cipher and authentication schemes that can be used.

CA Trust Length/ Depth

Indicates how deep a chain of certificates to allow between the server's certificate and the certificate's Central Authority.

CA File path

The absolute path to a file containing root and intermediate CA certificates in PEM format.

Security

Indicates whether security is enabled or disabled.

Note: This option is no longer available with agent 5.3 and greater. Security is always enabled.

Home Server

The fully qualified hostname of the default server with which the agent should communicate. If this server is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Allowed Servers

In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Server or FortiNAC Servers with which the agent can communicate.

Restrict Roaming

If enabled, the agent communicates only with its Home Server and servers listed under Allowed Servers.

If disabled, the agent searches for additional servers when the home server is unavailable.

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

Last Connected Server

Server that the agent last connected to and with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this server is not set, it is automatically discovered using Server Discovery.

Discover Servers, Priority, and Ports

Enable or Disable the Agent Discovery Features. Requires Persistent Agent 5.3.0 or newer.

Configuration settings

The table below shows the modifications that need to be made to the host's Preferences. If you use a tool other than GPO, you must make sure to set the appropriate keys on each host.

Value

Data

allowedServers

Comma-separated list of fully qualified hostnames with the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com).

Data Type: String

Default: Empty

homeServer

The fully qualified hostname of the default server with which the agent should communicate.

Data Type: String

Default: Empty

restrictRoaming

False: Do not restrict roaming. Allow agent to communicate with any server.

True: Restrict roaming to the home server and the allowed servers list.

Data Type: Boolean

Default: False

securityEnabled

False: Disable Agent Security.

True: Enable Agent Security

Data Type: Boolean

Default: True

Agent 5.3 and greater: Security is always enabled.

ServerIP

The fully qualified hostname to which the agent should communicate.

Data Type: String

Default: ns8200

caFile

The absolute path to a file containing root and intermediate CA certificates in PEM format.

Data type: String

Default: /etc/ssl/certs/ca-bundle.crt (RPM) or /etc/ssl/certs/ca-certificates.crt (DEB)

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Default: Not Configured

(Tray icon displayed)

Note

If both PersistentAgent.conf and PersistentAgentPolicy.conf are configured on the system, the PersistentAgentPolicy.conf configuration takes precedence over the PersistentAgent.conf configuration.

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

macpollinterval

The maximum number of seconds between attempts to learn of new MAC address added to the host. This is intended to facilitate the quick discovery of VM Guests that have been deployed for use with the VM-Detection feature.

Data Type: Integer

Default: 5

lastConnectedServer

The last server that the Agent successfully connected to. This will be automatically populated by the agent upon successfully connection to a server discovered through SRV records, or from homeServer, or allowedServers list. This value will remain unchanged until the lastConnectedServer is unreachable by the agent and the agent has connected to another server.

Data Type: String

Default: Empty

discoveryEnabled

Enable or Disable Discovery via SRV. The agent will search for SRV Records to prioritize servers and override default ports. If connections to servers are not limited, agents will connect to the discovered server names as well.

0: Disable Discovery.

1: Enable Discovery

Data Type: Integer

Default: 1