
Administration Guide

7.4.0

Add or modify a scan

Use the Add or Modify Scan dialog to configure scan settings. Settings are divided into two tables. The first table details the fields on the General tab and the second details the Categories available under the remaining tabs.

  1. Select Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. On the Scans View, click Add to add a new scan or select an existing Scan and click Modify.
  5. Enter data in the fields as needed. See the Settings table below for information on each field.
  6. For each operating system tab, there is a drop-down menu of categories that can be set, such as antivirus settings. Instructions for configuring each category are contained in the Scan Configuration Settings - Categories table.
  7. The Summary tab provides an overview of the entire scan configuration for your review.
  8. Click OK to save the scan.
Settings - general tab

Field

Definition

Scan Name

Each scan must have a unique name.

Scan settings

Scan On Connect
(Persistent Agent Only)

Forces a rescan every time the host assigned this scan connects to the network.

This option only affects hosts running the Persistent Agent.

See Scan on connect.

Renew IP
(Supported Dissolvable Agent Only)

Indicates whether the Renew IP option is enabled or disabled. When this option is enabled, it causes the Dissolvable Agent to actively release and renew the IP address of the host after it has completed its scan. The Renew IP option is only supported on Windows and macOS.

Root Detection
(Mobile Agent Only)

The Mobile Agent determines whether or not the device has been rooted. Rooting is a process allowing users of devices running the Android operating system to attain privileged control (known as "root access") within Android's subsystem.

If enabled, rooted mobile devices are not allowed to register.

If disabled, devices suspected of being rooted are allowed to register and (Rooted) is appended to the operating system information displayed in the Host View.

If the agent detects that the device has been altered, a Potential Rooted Device event is generated.

Remediation - On Failure

If enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, the user must resolve all of the issues for which the host failed and rescan before being allowed on the network.

Agent Order Of Operations:

This set of options is available only when Remediation is set to On Failure.

Determines the order in which the agent performs its tasks. Choose one of the following:

Scan Before Registering: The host downloads the Agent and is scanned in the registration network before being registered. If the scan fails you must choose one of the following:

  • Do not Register, Remediate: Host remains a rogue and stays in the registration network until it passes the scan. Note the host will not be marked At Risk.
  • Register and mark At Risk: The host is registered immediately after the scan and then moved to quarantine.

Register, then Scan (if the scan fails, Remediate): The host does not download an agent in the registration network. Instead, the host is registered and moved to quarantine to download the Agent and be scanned.

Remediation - Delayed

Hosts that fail this scan are set to Pending at Risk for the number of days indicated in the Remediation Delay field. Hosts set to Pending at Risk are not placed in remediation until the number of days indicated has elapsed. The user is notified of the failure immediately.

Changes to this setting do not affect hosts that are already marked as Pending At Risk. If a host was set to a delay of 3 days and you change the Remediation Delay field to 5 days, the host remains at a delay of 3 days. Hosts scanned after the change will use the 5-day setting.

Agent Order Of Operations:

If scan fails - Register or Remediate: If the host fails a scan, the Persistent Agent displays a message stating that the host is at risk. Click the message to display information about the scan. The host is automatically registered.

The Dissolvable Agent displays the results of the scan. You can choose to rescan or register.

When the host is registered, the host is placed in production. The user can correct all of the issues and re-run the Agent.

Remediation - Audit Only

If enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, it is not marked "at risk". Therefore, it is not forced into Remediation and can continue using the network. The administrator can review the scan results and take corrective action without disrupting users on the network.

Agent Order Of Operations:

If scan fails - Register or Remediate: If the host fails a scan, a web page with a Register option and a Remediate option is displayed to the user.

If the user chooses the Remediate option, the host is placed in remediation and the user must correct all issues and rescan.

If the user chooses the Register option, the host is placed in production. The user can correct all of the issues and re-run the Agent.

Remediation

If On Failure is enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, the user must resolve all of the issues for which the host failed and rescan before being allowed on the network.

If Delayed is enabled, hosts that fail this scan are set to Pending at Risk for the number of days indicated in the Remediation Delay field. Hosts set to Pending at Risk are not placed in remediation until the number of days indicated has elapsed. The user is notified of the failure immediately.

If Audit Only is enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, it is not marked At Risk. Therefore, it is not forced into remediation and can continue using the network. The administrator can review the scan results and take corrective action without disrupting users on the network.

Agent Order of Operations

When Remediation is set to On Failure:

Determines the order in which the agent performs its tasks. Choose one of the following:

  • Scan Before Registering: The host downloads the Agent and is scanned in the registration network before being registered. If the scan fails you must choose one of the following:
    • Do not Register, Remediate: Host remains a Rogue and stays in the registration network until it passes the scan. Note the host will not be marked "at risk." Default setting.
    • Register and mark At Risk: The host is registered immediately after the scan and then moved to Quarantine.

    Note

    Persistent Agent always registers and marks at risk.

  • Register, then Scan (if the scan fails, Remediate): The host does not download an agent in the Registration network. Instead, the host is registered and moved to Quarantine to download the Agent and be scanned.

When Remediation is set to Delayed or Audit Only:

If scan fails - Register or Remediate: If the host fails a scan, a web page with a Register option and a Remediate option is displayed to the user.

If the user chooses the Remediate option, the host is placed in remediation and the user must correct all issues and rescan.

If the user chooses the Register option, the host is placed in production. The user can correct all of the issues and re-run the Agent.

Portal page settings

Label For Scan Failure Link

Label displayed on the failure page when a network user's PC has failed a scan. If no label is provided, the scan name is used. The label or scan name is a link that takes the user to a page indicating why the PC has failed the scan.

Instructions For Scan Failure

If a host has failed a scan, the user must remedy the issue and rescan. This field allows you to provide the user with a brief set of instructions.

Patch URL For Dissolvable Agent Re-Scan

URL for the web page to be displayed when a host using the Dissolvable Agent fails the scan. This web page allows the user to download the agent and rescan after addressing the issues that caused the failure. Hosts using the Persistent Agent have the agent installed and do not use this page.

Set this to /remediation

To rescan the user must open a browser and navigate to the following:

https://<Server or Application Server>/remediation

The FortiNAC Server or Application Server in the URL can be either the IP address or Name of the server that is running the captive portal.

In use by/Not currently in use

Indicates whether the scan is being used in user/host profile(s). When the scan is in use, click the link to view the user/host profile(s).

Settings - categories

For each operating system there is a Category drop-down that allows you to configure specific settings for categories such as antivirus. The table below outlines these settings.

Default parameter values for individual antivirus and operating system packages are entered and updated automatically by the scheduled Auto-Def Updates. If the values have been manually edited, the Auto-Def Updates will not override those changes.

Removing a check mark from a selected option causes any underlying changes to be lost. For example, if you modified settings for AVG antivirus and then unselected it, those changes are lost.

Field

Definition

Antivirus

Validation Options

  • Any: Any one of the selected items must be present on the host to pass the scan.
  • All: All of the selected items must be present on the host to pass the scan.

Anti-Virus List

New antivirus software is continually being created. As new antivirus software becomes available, parameters for that software are made available as quickly as possible in FortiNAC. The default values for each antivirus program are entered automatically by the scheduled Auto-Def Updates feature. You should not need to modify these.

Select one or more types of Anti-virus software to check for on the host. To set additional parameters for any of the selected antivirus programs, click the name of a program. A parameters window opens and displays all of the advanced options that can be set. Enter the custom parameter values for the selected program and click OK. See Antivirus parameters - Windows or Antivirus parameters - macOS for details on each parameter.

Preferred

Select the Preferred Anti-Virus from the drop-down list. If the host fails for all of the products selected for the scan, only the preferred item selected is displayed on the Failed Policy pages. If no Preferred product is selected, the list displayed on the Failed Policy pages contains a separate line for every product failure.
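The following Python model is an added example, not FortiNAC code. It ties together the Remediation modes from the Agent Order of Operations rows above (On Failure, Delayed with its captured Remediation Delay, Audit Only) and the antivirus Validation Options and Preferred product from this table, so an administrator can check what host state and failure-page listing a given scan configuration produces. State names, the dataclass fields and the assumption that a passing rescan clears the at-risk state are modelling choices.

```python
"""Model of how a compliance scan result maps to a host state.

Added example (not FortiNAC code). It models the rules this page describes:
the antivirus Validation Options (Any / All), which product appears on the
Failed Policy pages when a Preferred product is set, and the three Remediation
modes (On Failure, Delayed, Audit Only), including that the Remediation Delay
is captured when the host is first marked Pending at Risk. State names and the
assumption that a passing rescan clears the at-risk state are modelling choices.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Set, Tuple


class Remediation(Enum):
    ON_FAILURE = "On Failure"
    DELAYED = "Delayed"
    AUDIT_ONLY = "Audit Only"


@dataclass
class ScanPolicy:
    name: str
    required_av: Set[str]                 # products ticked in the Anti-Virus List
    validation: str = "Any"               # "Any" or "All" (Validation Options)
    preferred_av: Optional[str] = None    # Preferred product, if one is selected
    remediation: Remediation = Remediation.ON_FAILURE
    remediation_delay_days: int = 0       # Remediation Delay (Delayed mode only)


@dataclass
class Host:
    name: str
    installed_av: Set[str]
    state: str = "Registered"             # Registered / Pending at Risk / At Risk
    pending_until: Optional[date] = None  # delay captured at scan time


def av_check(policy: ScanPolicy, host: Host) -> Tuple[bool, List[str]]:
    """Apply the Any/All rule; return (passed, products listed on the failure page)."""
    present = policy.required_av & host.installed_av
    missing = policy.required_av - host.installed_av
    passed = not missing if policy.validation == "All" else bool(present)
    if passed:
        return True, []
    # Only when the host fails for every selected product does the Preferred
    # product replace the per-product list on the Failed Policy pages.
    if policy.preferred_av in policy.required_av and missing == policy.required_av:
        return False, [policy.preferred_av]
    return False, sorted(missing)


def apply_result(policy: ScanPolicy, host: Host, passed: bool, today: date) -> str:
    """Update host.state for a scan run on `today` according to the Remediation mode."""
    if passed:
        host.state = "Registered"         # assumption: a pass clears any at-risk state
        host.pending_until = None
    elif policy.remediation is Remediation.AUDIT_ONLY:
        pass                              # result recorded only; host keeps network access
    elif policy.remediation is Remediation.DELAYED:
        # A host already Pending at Risk keeps the delay it was given; a later
        # change to Remediation Delay applies only to hosts scanned afterwards.
        if host.state != "Pending at Risk":
            host.state = "Pending at Risk"
            host.pending_until = today + timedelta(days=policy.remediation_delay_days)
    else:                                 # On Failure
        host.state = "At Risk"
    return host.state


def advance(host: Host, today: date) -> str:
    """Move a Pending at Risk host into remediation once its delay has elapsed."""
    if host.state == "Pending at Risk" and host.pending_until and today >= host.pending_until:
        host.state = "At Risk"
        host.pending_until = None
    return host.state


if __name__ == "__main__":
    # Constructed sample: Delayed mode, 3-day delay, host with no antivirus at all.
    policy = ScanPolicy("Endpoint AV", {"AVG", "Defender"}, preferred_av="AVG",
                        remediation=Remediation.DELAYED, remediation_delay_days=3)
    lab = Host("lab-01", set())
    ok, shown = av_check(policy, lab)
    print(ok, shown, apply_result(policy, lab, ok, date(2024, 1, 1)), lab.pending_until)
```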

Custom scans

Custom Scans List

Custom scans are user-created scans that have been configured to scan hosts for things such as specific files, registry entries or programs. Custom scans must be created and saved before they can be included as part of a Security Policy. See Custom scans.

When a Custom scan is added to a regular scan the custom scan is used across the board no matter what other options have been selected for the policy. Any host that is scanned with the regular scan is also scanned based on the custom scan. See Create a scan.

Custom scans can be added within a category, such as antivirus. For example, any host that has AVG Antivirus will be scanned using an associated custom scan. In this case, the custom scan is being used to enhance the scan for AVG Antivirus and it is not run on every host. See Scan categories.

Operating systems

Selection Options

  • All: Marks every operating system with a check mark.
  • None: Removes the check mark from every operating system check box.

Operating Systems List

Scans for required or prohibited operating systems on hosts. Operating systems that are selected are required. See Operating system parameters - Windows.

The Windows-2003-Server-x64 product has been removed. Use the Windows 2003 Server and Windows XP x64 products.

Preferred

Select the preferred operating system from the drop-down list. If the host fails for all of the products selected for the scan, only the preferred item selected is displayed on the Failed Policy pages. If no Preferred product is selected, the list displayed on the Failed Policy pages contains a separate line for every product failure.

Monitors

Scan List

Allows you to run a custom scan with greater frequency than the regular scan with which it is associated. For example, the original scan may only run once a week, but you may have a custom scan that needs to run every half an hour. Instead of running the entire scan policy every half an hour you can choose to run only a custom scan.

Select a custom scan and enter the frequency with which it should run.

Performance degradation may occur if you select an interval less than every five (5) minutes. It is recommended that monitoring intervals be set to five (5) minutes or more.

Custom scan options - scan level

Custom scans can be enabled for a regular scan. When a host is checked for compliance with the regular scan, the custom scan is also checked. Before adding a custom scan to a security scan you must create the custom scan.

To enable a Custom scan for a security scan:

  1. Click Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. Modify the scan that will use this custom scan.
  5. Click either the Windows, the macOS, or the Linux tab.
  6. Select Custom from the drop-down menu at the top of the window.
  7. Select the check box next to the custom scan for the security scan.
  8. Click OK to save your changes.
Custom scans options within a category level

Custom scans can be enabled for various categories within a security scan such as the antivirus or operating system requirements. When a host is checked for compliance with the security scan and one of the products within a category has a custom scan enabled, the custom scan is also used for hosts with the selected product. For example, if the security scan checks for the existence of AVG Antivirus and a custom scan has been associated with AVG, then hosts with AVG will also be scanned using the custom scan.

Before adding a custom scan to a security scan you must create the custom scan.

  1. Click Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. Modify the security scan that will use this custom scan.
  5. Click either the Windows, the macOS, or the Linux tab.
  6. Click the Category drop-down on the Modify Scan view and select: antivirus, operating system, etc.
  7. Click the specific item within the sub-category (i.e. product name).
  8. Click the Custom Scans tab and select the custom scan to be applied to this sub-category.
  9. Click OK to save the selected custom scan.
  10. Click OK to save changes to the security scan.
Monitor custom scans
Caution

Script custom scans can't be used as a monitor.

This feature allows you to run a custom scan with greater frequency than the security scan with which it is associated. For example, the original security scan may only run once a week, but you may have a custom scan that needs to run every half an hour. Instead of running the entire security scan every half an hour you can choose to run only a custom scan.

Use the monitor feature to periodically test for a specific status on hosts running the Persistent Agent. Monitors use custom scans to check the host. A monitor you configure as part of a scan can be the same or different for each scan. Configure monitors for each platform (Windows, macOS, or Linux) separately.

Hosts associated with the security scan are checked at the interval period set in the monitor. The agent on the host sends a message to the server after each time period has passed, indicating whether the host has passed or failed the scan. If several monitors are set to 1 minute intervals, traffic to the server is increased. For example, if there are 10 monitors running every minute on 5,000 hosts, the server might see up to 50,000 messages a minute.

Even though monitors use custom scans which can be set to warning, monitors will not send warnings to hosts. Monitors can only pass or fail. Hosts that fail are marked at risk and placed in remediation.

Enabling a monitor for a custom scan automatically enables the custom scan. However, disabling a monitor will not disable the associated custom scan.

For example, you have created custom scan A but have not selected it within any security scan. When you select custom scan A in the Monitor list and select a time period, the custom scan is enabled.

Monitors ignore the severity flag of a custom scan.
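The message-rate reasoning above can be turned into a quick capacity check before a monitor is enabled. This is an added example, not FortiNAC code; it assumes the selectable intervals are 15, 30, 45 and 60 seconds and then 5-minute steps up to 1 hour (the page gives the ranges, not the individual values), and that each monitor produces one agent message per host per interval.

```python
"""Estimate the monitor traffic a scan configuration will generate.

Added example (not FortiNAC code). It models what this page states: each
monitor makes the agent send one pass/fail message per host per interval, the
selectable intervals run every 15 seconds up to 1 minute and every 5 minutes up
to 1 hour, and intervals under 5 minutes are not recommended. The exact set of
selectable values (15/30/45/60 s, then 5-minute steps) is an assumption.
"""
from typing import Dict, List, Tuple

ALLOWED_SECONDS = [15, 30, 45, 60] + [m * 60 for m in range(5, 61, 5)]
RECOMMENDED_MIN_SECONDS = 300   # page recommends five (5) minutes or more


def validate_interval(seconds: int) -> int:
    """Reject an interval the Monitors drop-down does not offer."""
    if seconds not in ALLOWED_SECONDS:
        raise ValueError(f"{seconds}s is not a selectable monitor interval")
    return seconds


def messages_per_minute(monitors: List[Tuple[str, int]], hosts: int) -> float:
    """Aggregate agent-to-server messages per minute for (name, interval_s) monitors."""
    return sum(hosts * 60.0 / validate_interval(sec) for _, sec in monitors)


def review(monitors: List[Tuple[str, int]], hosts: int) -> Dict[str, object]:
    """Summarise expected load and flag monitors set below the recommended interval."""
    too_fast = [name for name, sec in monitors
                if validate_interval(sec) < RECOMMENDED_MIN_SECONDS]
    return {
        "hosts": hosts,
        "messages_per_minute": messages_per_minute(monitors, hosts),
        "below_recommended": too_fast,
    }


if __name__ == "__main__":
    # Constructed sample matching the page's figure: 10 monitors at 1 minute on 5,000 hosts.
    mons = [(f"monitor-{i}", 60) for i in range(10)]
    print(review(mons, 5000))
```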

Monitor example

All users have been notified that peer-to-peer software is not tolerated on the network. A web page explaining this policy is located in the remediation area where the host is moved after failing the scan.

Actions taken:

  • A custom scan for a prohibited process has been created to check for LimeWire, a peer-to-peer software program, running on the host. The custom scan includes the URL of the web page where the host browser will be directed if the host fails the custom scan.
  • The monitor is set to 10 minutes for the custom scan.

Results:

  • Every 10 minutes the agent checks the host to determine if LimeWire is running.
    • If LimeWire is not running, the agent sends a message to the server indicating that the host has passed the security scan.
    • If LimeWire is running, the agent sends a message to the server indicating that the host has failed the scan. The host is immediately moved to the quarantine VLAN and the browser redirected to the web page specified in the custom scan.
Set up a custom scan monitor

Before adding a custom scan to a security scan you must create the custom scan.

  1. Click Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. Click the security scan name and click Modify. If the security scan does not exist, it needs to be added. See Scans for details on adding scans.
  5. Click either the Windows, the macOS, or the Linux tab.
  6. Click the Category drop-down and select Monitors.

  7. Select the check box for the type of custom scan.
  8. Select the time period that the agent waits before checking the host for compliance with the custom scan settings. The available intervals are every 15 seconds up to and including 1 minute, and every 5 minutes up to and including 1 hour.

    Performance degradation may occur if you select a very short interval or if you select a large number of monitors. It is recommended that monitoring intervals be set to five (5) minutes or more.

  9. Click OK.
Reset default antivirus values

Antivirus parameters contained in FortiNAC are updated weekly using the Auto-Def updates feature. This ensures that new version numbers and bug definition files for antivirus software that you require are taken into account when users' computers are scanned.

If you have manually edited any parameters associated with a particular antivirus software the Auto-Def update does not override your settings for that software. To reset antivirus to the default values and allow the Auto-Def updates feature to update parameters do the following:

  1. Click Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. Select a scan and click Modify.
  5. Click either Windows or Mac, whichever applies.
  6. Select Anti-Virus from the Categories drop-down.
  7. Uncheck the checkbox for the software for which you have modified settings.
  8. Click OK.
  9. Open the same scan again and navigate back to the software you unchecked.
  10. Check the checkbox for the previously modified settings and click OK.
  11. Repeat this process for each antivirus software that needs to be reset to defaults.
  12. The next time the Auto-Def updates feature retrieves and installs an update, the antivirus software that you reset will accept the updated parameters.

Add or modify a scan

Add or modify a scan

Use the Add or Modify Scan dialog to configure scan settings. Settings are divided into two tables. The first table details the fields on the General tab and the second details the Categories available under the remaining tabs.

  1. Select Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. On the Scans View, click Add to add a new scan or select an existing Scan and click Modify.
  5. Enter data in the fields as needed. See the Settings table below for information on each field.
  6. For each operating system tab, there is a drop-down menu of categories that can be set, such as antivirus settings. Instructions for configuring each category are contained in the Scan Configuration Settings - Categories table.
  7. The Summary tab provides an overview of the entire scan configuration for your review.
  8. Click OK to save the scan.
Settings - general tab

Field

Definition

Scan Name

Each scan must have a unique name.

Scan settings

Scan On Connect
(Persistent Agent Only)

Forces a rescan every time the host assigned this scan connects to the network.

This option only affects hosts running the Persistent Agent.

See Scan on connect.

Renew IP
(Supported Dissolvable Agent Only)

Indicates whether the Renew IP option is enabled or disabled. When this option is enabled, it causes the Dissolvable Agent to actively release and renew the IP address of the host after it has completed its scan. The Renew IP option is only supported on Windows and macOS.

Root Detection
( Mobile Agent Only)

The Mobile Agent determines whether or not the device has been rooted. Rooting is a process allowing users of devices running the Android operating system to attain privileged control (known as "root access") within Android's subsystem.

If enabled, rooted mobile devices are not allowed to register.

If disabled, devices suspected of being rooted are allowed to register and (Rooted) is appended to the operating system information displayed in the Host View.

If the agent detects that device has been altered, a Potential Rooted Device event is generated.

Remediation - On Failure

If enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, the user must resolve all of the issues for which the host failed and rescan before being allowed on the network.

Agent Order Of Operations:

This set of options is available only when Remediation is set to On Failure.

Determines the order in which the agent performs its tasks. Choose one of the following:

Scan Before Registering: The host downloads the Agent and is scanned in the registration network before being registered. If the scan fails you must choose one of the following:

  • Do not Register, Remediate: Host remains a rogue and stays in the registration network until it passes the scan. Note the host will not be marked At Risk.
  • Register and mark At Risk: The host is registered immediately after the scan and then moved to quarantine.
  • Register, then Scan (if the scan fails, Remediate): The host does not download an agent in the registration network. Instead, the host is registered and moved to quarantine to download the Agent and be scanned.

Remediation - Delayed

Hosts who fail this scan are set to Pending at Risk for the number of days indicated in the Remediation Delay field. Hosts set to Pending at Risk are not placed in remediation until the number of days indicated has elapsed. The user is notified of the failure immediately.

Changes to this setting do not affect hosts that are already marked as Pending At Risk. If a host was set to a delay of 3 days and you change the Remediation Delay field to 5 days, the host remains at a delay of 3 days. Hosts scanned after the change will use the 5 day setting.

Agent Order Of Operations:

If scan fails - Register or Remediate: If the host fails a scan, the Persistent Agent displays a message stating that the host is at risk. Click the message to display information about the scan. The host is automatically registered.

The Dissolvable Agent displays the results of the scan. You can choose to rescan or register.

When the host is registered, the host is placed in production. The user can correct all of the issues and re-run the Agent.

Remediation - Audit Only

If enabled, the host is scanned and the information associated with the scan is recorded.If the host fails the scan, it is not marked "at risk". Therefore, it is not forced into Remediation and can continue using the network. The administrator can review the scan results and take corrective action without disrupting users on the network.

Agent Order Of Operations:

If scan fails - Register or Remediate: If the host fails a scan, a web page with a Register option and a Remediate option is displayed to the user.

If the user chooses the Remediate option, the host is placed in remediation and the user must correct all issues and rescan.

If the user chooses the Register option, the host is placed in production. The user can correct all of the issues and re-run the Agent.

Remediation

If On Failure is enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, the user must resolve all of the issues for which the host failed and rescan before being allowed on the network.

If Delayed is enabled, hosts who fail this scan are set to Pending at Risk for the number of days indicated in the Remediation Delay field. Hosts set to Pending at Risk are not placed in remediation until the number of days indicated has elapsed. The user is notified of the failure immediately.

If Audit Only is enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, it is not marked At Risk. Therefore, it is not forced into remediation and can continue using the network. The administrator can review the scan results and take corrective action without disrupting users on the network.

Agent Order of Operations

When Remediation is set to On Failure:

Determines the order in which the agent performs its tasks. Choose one of the following:

  • Scan Before Registering: The host downloads the Agent and is scanned in the registration network before being registered. If the scan fails you must choose one of the following:
  • Do not Register, Remediate: Host remains a Rogue and stays in the registration network until it passes the scan. Note the host will not be marked "at risk." Default setting.
  • Register and mark At Risk: The host is registered immediately after the scan and then moved to Quarantine.
Note

Persistent Agent always registers and marks at risk.

Register, then Scan (if the scan fails, Remediate): The host does not download an agent in the Registration network. Instead, the host is registered and moved to Quarantine to download the Agent and be scanned.

When Remediation is set to Delayed or Audit Only:

If scan fails - Register or Remediate: If the host fails a scan, a web page with a Register option and a Remediate option is displayed to the user.

If the user chooses the Remediate option, the host is placed in remediation and the user must correct all issues and rescan.

If the user chooses the Register option, the host is placed in production. The user can correct all of the issues and re-run the Agent.

Portal page settings

Label For Scan Failure Link

Label displayed on the failure page when a network user's PC has failed a scan. If no label is provided, the scan name is used. The label or scan name is a link that takes the user to a page indicating why the PC has failed the scan.

Instructions For Scan Failure

If a host has failed a scan, the user must remedy the issue and rescan. This field allows you to provide the user with a brief set of instructions.

Patch URL For
Dissolvable Agent
Re-Scan

URL for the web page to be displayed when a host using the Dissolvable Agent fails the scan. This web page allows the user to download the agent and rescan after addressing the issues that caused the failure. Hosts using the Persistent Agent have the agent installed and do not use this page.

Set this to /remediation

To rescan the user must open a browser and navigate to the following:

https://<Server or Application Server>/remediation

The FortiNAC Server or Application Server in the URL can be either the IP address or Name of the server that is running the captive portal.

In use by/Not currently in use

Indicates whether the scan is being used in user/host profile(s). When the scan is in use, click the link to view the user/host profile(s).

Settings - categories

For each operating system there is a Category drop-down that allows you to configure specific settings for categories such as antivirus. The table below outlines these settings.

Default parameter values for individual antivirus and operating systems packages are entered and updated automatically by the schedsuled Auto-Def Updates. If the values have been manually edited, the Auto-Def Updates will not override those changes.

Removing a check mark from a selected option causes any underlying changes to be lost. For example, if you modified settings for AVG antivirus and then unselected it, those changes are lost.

Field

Definition

Antivirus

Validation Options

  • Any: Any one of the selected items must be present on the host to pass the scan.
  • All: All of the selected items must be present on the host to pass the scan.

Anti-Virus List

New antivirus software is continually being created. As new antivirus software becomes available, parameters for that software are made available as quickly as possible in FortiNAC. The default values for each antivirus program are entered automatically by the scheduled Auto-Def Updates feature. You should not need to modify these.

Select one or more types of Anti-virus software to check for on the host. To set additional parameters for any of the selected antivirus programs, click the name of a program. A parameters window opens and displays all of the advanced options that can be set. Enter the custom parameter values for the selected program and click OK. See Antivirus parameters - Windows or Antivirus parameters - macOS for details on each parameter.

Preferred

Select the Preferred Anti-Virus from the drop-down list. If the host fails for all of the products selected for the scan, only the preferred item selected is displayed on the Failed Policy pages. If no Preferred product is selected, the list displayed on the Failed Policy pages contains a separate line for every product failure.

Custom scans

Custom Scans List

Custom scans are user created scans that have been configured to scan hosts for things such as specific files, registry entries or programs. Custom scans must be created and saved before they can be included as part of a Security Policy. See Custom scans.

When a Custom scan is added to a regular scan the custom scan is used across the board no matter what other options have been selected for the policy. Any host that is scanned with the regular scan is also scanned based on the custom scan. See Create a scan.

Custom scans can be added within a category, such as antivirus. For example, any host that has AVG Antivirus will be scanned using an associated custom scan. In this case, the custom scan is being used to enhance the scan for AVG Antivirus and it is not run on every host. See Scan categories.

Operating systems

Selection Options

  • All: Marks every operating system with a check mark.
  • None: Removes the check mark from every operating system check box.

Operating Systems List

Scans for required or prohibited operating systems on hosts. Operating systems that are selected are required. See Operating system parameters - Windows

The Windows-2003-Server-x64 product has been removed. Use the Windows 2003 Server and Windows XP x64 products.

Preferred

Select the preferred operating system from the drop-down list. If the host fails for all of the products selected for the scan, only the preferred item selected is displayed on the Failed Policy pages. If no Preferred product is selected, the list displayed on the Failed Policy pages contains a separate line for every product failure.

Monitors

Scan List

Allows you to run a custom scan with greater frequency than the regular scan with which it is associated. For example, the original scan may only run once a week, but you may have a custom scan that needs to run every half hour. Instead of running the entire scan policy every half hour, you can choose to run only the custom scan.

Select a custom scan and enter the frequency with which it should run.

Performance degradation may occur if you select an interval less than every five (5) minutes. It is recommended that monitoring intervals be set to five (5) minutes or more.

Custom scan options - scan level

Custom scans can be enabled for a regular scan. When a host is checked for compliance with the regular scan, the custom scan is also checked. Before adding a custom scan to a security scan you must create the custom scan.

To enable a Custom scan for a security scan:

  1. Click Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. Modify the scan that will use this custom scan.
  5. Click either the Windows, the macOS, or the Linux tab.
  6. Select Custom from the drop-down menu at the top of the window.
  7. Select the check box next to the custom scan for the security scan.
  8. Click OK to save your changes.

Custom scans options within a category level

Custom scans can be enabled for various categories within a security scan such as the antivirus or operating system requirements. When a host is checked for compliance with the security scan and one of the products within a category has a custom scan enabled, the custom scan is also used for hosts with the selected product. For example, if the security scan checks for the existence of AVG Antivirus and a custom scan has been associated with AVG, then hosts with AVG will also be scanned using the custom scan.

Before adding a custom scan to a security scan you must create the custom scan.

  1. Click Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. Modify the security scan that will use this custom scan.
  5. Click either the Windows, the macOS, or the Linux tab.
  6. Click the Category drop-down on the Modify Scan view and select: antivirus, operating system, etc.
  7. Click the specific item within the sub-category (i.e., the product name).
  8. Click the Custom Scans tab and select the custom scan to be applied to this sub-category.
  9. Click OK to save the selected custom scan.
  10. Click OK to save changes to the security scan.

Monitor custom scans

Caution: Script custom scans cannot be used as a monitor.

This feature allows you to run a custom scan with greater frequency than the security scan with which it is associated. For example, the original security scan may only run once a week, but you may have a custom scan that needs to run every half hour. Instead of running the entire security scan every half hour, you can choose to run only the custom scan.

Use the monitor feature to periodically test for a specific status on hosts running the Persistent Agent. Monitors use custom scans to check the host. A monitor you configure as part of a scan can be the same or different for each scan. Configure monitors for each platform (Windows, macOS, or Linux) separately.

Hosts associated with the security scan are checked at the interval period set in the monitor. The agent on the host sends a message to the server after each time period has passed, indicating whether the host has passed or failed the scan. If several monitors are set to 1 minute intervals, traffic to the server is increased. For example, if there are 10 monitors running every minute on 5,000 hosts, the server might see up to 50,000 messages a minute.

Even though monitors use custom scans which can be set to warning, monitors will not send warnings to hosts. Monitors can only pass or fail. Hosts that fail are marked at risk and placed in remediation.

Enabling a monitor for a custom scan automatically enables the custom scan. However, disabling a monitor will not disable the associated custom scan.

For example, you have created custom scan A but have not selected it within any security scan. When you select custom scan A in the Monitor list and select a time period, the custom scan is enabled.

Monitors ignore the severity flag of a custom scan.

Monitor example

All users have been notified that peer-to-peer software is not tolerated on the network. A web page explaining this policy is located in the remediation area where the host is moved after failing the scan.

Actions taken:

  • A custom scan for a prohibited process has been created to check for LimeWire, a peer-to-peer software program, running on the host. The custom scan includes the URL of the web page where the host browser will be directed if the host fails the custom scan.
  • The monitor is set to 10 minutes for the custom scan.

Results:

  • Every 10 minutes the agent checks the host to determine if LimeWire is running.
    • If LimeWire is not running, the agent sends a message to the server indicating that the host has passed the security scan.
    • If LimeWire is running, the agent sends a message to the server indicating that the host has failed the scan. The host is immediately moved to the quarantine VLAN and the browser is redirected to the web page specified in the custom scan.

Set up a custom scan monitor

Before adding a custom scan to a security scan you must create the custom scan.

  1. Click Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. Click the security scan name and click Modify. If the security scan does not exist, it needs to be added. See Scans for details on adding scans.
  5. Click either the Windows, the macOS, or the Linux tab.
  6. Click the Category drop-down and select Monitors.
  7. Select the check box for the type of custom scan.
  8. Select the time period that the agent waits before checking the host for compliance with the custom scan settings. The available intervals are every 15 seconds up to and including 1 minute, and every 5 minutes up to and including 1 hour.

    Performance degradation may occur if you select a very short interval or if you select a large number of monitors. It is recommended that monitoring intervals be set to five (5) minutes or more.

  9. Click OK.

Reset default antivirus values

Antivirus parameters contained in FortiNAC are updated weekly using the Auto-Def updates feature. This ensures that new version numbers and bug definition files for antivirus software that you require are taken into account when users' computers are scanned.

If you have manually edited any parameters associated with a particular antivirus software, the Auto-Def update does not override your settings for that software. To reset the antivirus parameters to the default values and allow the Auto-Def updates feature to update them, do the following:

  1. Click Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click the Scans option to select it.
  4. Select a scan and click Modify.
  5. Click either Windows or Mac, whichever applies.
  6. Select Anti-Virus from the Categories drop-down.
  7. Uncheck the checkbox for the software for which you have modified settings.
  8. Click OK.
  9. Open the same scan again and navigate back to the software you unchecked.
  10. Check the checkbox for the previously modified settings and click OK.
  11. Repeat this process for each antivirus software that needs to be reset to defaults.
  12. The next time the Auto-Def updates feature retrieves and installs an update, the antivirus software that you reset will accept the updated parameters.