Persistent Agent on macOS
To take advantage of Agent Security, some settings must be configured on the host. On macOS hosts these settings are stored in Preferences. At this time we do not have a recommendation for a tool to set preferences.
Security settings
The table below outlines settings that can be configured for Agent Security.
Setting | Description
---|---
Allowed Ciphers and Authentication Schemes | The cipher and authentication schemes that can be used.
CA Trust Length/Depth | How deep a chain of certificates to allow between the server's certificate and its issuing Certificate Authority (CA).
CA File path | The absolute path to a file containing root and intermediate CA certificates in PEM format.
Security | Whether security is enabled or disabled. Note: this option is no longer available with agent 5.3 and greater; security is always enabled.
Home Server | The fully qualified hostname of the default server with which the agent should communicate. If this server is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated from the contents of ServerIP.
Allowed Servers | In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Servers or FortiNAC Servers with which the agent can communicate.
Restrict Roaming | If enabled, the agent communicates only with its Home Server and the servers listed under Allowed Servers. If disabled, the agent searches for additional servers when the home server is unavailable.
maxConnectInterval | The maximum number of seconds between attempts to connect to FortiNAC. Data Type: Integer. Default: 960.
Last Connected Server | The server the agent last connected to and with which it always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this server is not set, it is automatically discovered using Server Discovery.
Discover Servers, Priority, and Ports | Enable or disable the agent discovery features. Requires Persistent Agent 5.3.0 or newer.
Preferences
The table below lists the preference keys that need to be set on the host. Whichever deployment tool you use (GPO applies only to Windows hosts), make sure the appropriate keys are set on each macOS host.
Value | Data
---|---
allowedServers | Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com). Agents 10.7 and above: a port can also be specified as <Fully qualified hostname>:<port>; the default port if not specified is 4568. Example: a.example.com:9001, b.example.com:4568, c.example.com:4985. Data Type: String. Default: Empty.
homeServer | The fully qualified hostname of the default server with which the agent should communicate. Example: a.example.com. Agents 10.7 and above: a port can also be specified as <Fully qualified hostname>:<port>; the default port if not specified is 4568. Example: a.example.com:9001. Data Type: String. Default: Empty.
restrictRoaming | 0: Do not restrict roaming; allow the agent to communicate with any server. 1: Restrict roaming to the home server and the allowed servers list. Data Type: Integer. Default: 0.
securityEnabled | 0: Disable Agent Security. 1: Enable Agent Security. Data Type: Integer. Default: 1. Agent 5.3 and greater: security is always enabled.
ServerIP | Legacy key: the fully qualified hostname with which the agent should communicate. On upgrade, homeServer is populated from this value. Data Type: String. Default: ns8200.
ShowIcon | 0: Do not show the tray icon. 1: Show the tray icon. Default: Not Configured (tray icon displayed).
maxConnectInterval | The maximum number of seconds between attempts to connect to FortiNAC. Data Type: Integer. Default: 960.
lastConnectedServer | The last server the agent successfully connected to. This is populated automatically by the agent upon successful connection to a server discovered through SRV records, or from homeServer, or from the allowedServers list. The value remains unchanged until lastConnectedServer is unreachable and the agent has connected to another server. Data Type: String. Default: Empty.
discoveryEnabled | Enable or disable discovery via SRV records. The agent searches for SRV records to prioritize servers and override default ports. If connections to servers are not limited, the agent also connects to the discovered server names. 0: Disable discovery. 1: Enable discovery. Data Type: Integer. Default: 1.
The Preferences can also be modified manually with the following commands:
- On the macOS host, open a command prompt (Terminal).
- Before editing the preferences, unload the launch daemon plist so that the running agent does not overwrite your changes (the agent itself writes values such as lastConnectedServer):

      sudo launchctl unload /Library/LaunchDaemons/com.bradfordnetworks.agent.plist

- To read the current configuration:

      sudo defaults read /Library/Preferences/com.bradfordnetworks.bndaemon

- To write a value, take the value name from the table above and type a command similar to the following:

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon homeServer -string qa225.bradfordnetworks.com

  In this example, homeServer is the value name, -string is the data type and qa225.bradfordnetworks.com is the data written to Preferences.
- Some values take a string, others an integer. For integer values, type a command similar to the following:

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon restrictRoaming -int 1

  Here restrictRoaming is the value name, -int is the data type and 1 is the setting: 1 enables restricted roaming, 0 disables it.
- Reload the launch daemon plist to restart the agent:

      sudo launchctl load /Library/LaunchDaemons/com.bradfordnetworks.agent.plist
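Putting the steps above together, here is an added example script (not FortiNAC's own tooling; the script name and the hostnames are placeholders) that validates homeServer, allowedServers and restrictRoaming before writing them with the same defaults and launchctl commands, unloading the launch daemon first and reloading it afterwards. The validation is the part that matters: these values decide which servers the agent will trust, and the script expands them with eval as root, so only hostname characters, a dotted (fully qualified) name and a port in the range 1 to 65535 are accepted.

```shell
#!/bin/sh
# Added example, not FortiNAC's own tooling: set the FortiNAC Persistent
# Agent preferences on macOS with the defaults(1)/launchctl(1) commands
# documented above, after validating the values. Hostnames are placeholders.
# Usage (as root):
#   sudo sh agent-prefs.sh a.example.com "b.example.com:4568,c.example.com" 1

PLIST=/Library/Preferences/com.bradfordnetworks.bndaemon
DAEMON=/Library/LaunchDaemons/com.bradfordnetworks.agent.plist

# Accept "fqdn" or "fqdn:port" (the port form needs agent 10.7 or newer).
# Only hostname characters are allowed, because the values are later
# expanded by eval as root.
valid_server() {
  case $1 in
    *:*) host=${1%%:*}; port=${1#*:} ;;
    *)   host=$1;       port=4568 ;;      # documented default port
  esac
  case $host in
    ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    *.*) ;;                               # at least one label separator
    *)   return 1 ;;                      # "localhost" is not fully qualified
  esac
  case $port in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Validate a comma-separated allowedServers list; spaces after the commas
# are tolerated, as in the "a.example.com, b.example.com" form above.
valid_server_list() {
  old_ifs=$IFS
  set -f; IFS=','                         # no globbing while splitting
  set -- $1
  set +f; IFS=$old_ifs
  [ "$#" -gt 0 ] || return 1
  for entry in "$@"; do
    entry=$(printf '%s' "$entry" | sed 's/^ *//;s/ *$//')
    valid_server "$entry" || return 1
  done
}

# Print the defaults(1) commands for homeServer, allowedServers and
# restrictRoaming, or fail without printing anything if a value is bad.
plan_config() {
  valid_server "$1"      || { printf 'invalid homeServer: %s\n' "$1" >&2; return 1; }
  valid_server_list "$2" || { printf 'invalid allowedServers: %s\n' "$2" >&2; return 1; }
  case $3 in
    0|1) ;;
    *) printf 'restrictRoaming must be 0 or 1, got: %s\n' "$3" >&2; return 1 ;;
  esac
  printf 'defaults write %s homeServer -string "%s"\n'     "$PLIST" "$1"
  printf 'defaults write %s allowedServers -string "%s"\n' "$PLIST" "$2"
  printf 'defaults write %s restrictRoaming -int %s\n'     "$PLIST" "$3"
}

# Stop the agent, apply the plan, restart the agent, show the result.
apply_config() {
  [ "$(id -u)" -eq 0 ] || { printf 'run as root (sudo)\n' >&2; return 1; }
  plan=$(plan_config "$@") || return 1
  launchctl unload "$DAEMON"              # agent must not rewrite prefs meanwhile
  eval "$plan"                            # safe: every value validated above
  launchctl load "$DAEMON"
  defaults read "$PLIST"
}

if [ "$#" -eq 3 ]; then
  apply_config "$1" "$2" "$3"
fi
```

Run plan_config on its own to review the exact commands before applying them; apply_config only proceeds when every value passes, so a typo in one server name aborts the whole change instead of leaving the agent half-configured.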