Fortinet white logo
Fortinet white logo

Administration Guide

Implementation

Implementation

Endpoint Compliance allows you to create security policies and use those policies to scan network users' computers for compliance with your organization's network usage rules. The implementation of this feature set can vary widely from one organization to another based on how restrictive or open you choose to make it. You can simply monitor hosts for non-compliance or go so far as to completely block network access. You can institute scans based on simple options included in FortiNAC or create your own custom scans. This section of the documentation discusses the implementation in the approximate order in which it should be done. It also details optional features that you may or may not choose to implement. As the options are discussed, links to additional information are provided.

Note

Before implementing Endpoint Compliance, it is recommended that you notify all users about your network usage requirements. This helps users anticipate the changes and reduces calls to your IT Staff.

Agent

Choose one or more agents

The first step in implementing Endpoint Compliance is determining whether you will use the Persistent Agent, the Dissolvable Agent, the Passive Agent, the Mobile Agent or a combination.

  • The Persistent Agent is installed on the host and remains there to scan the computer as needed.
  • The Dissolvable Agent is downloaded to the host and removes itself once the host has passed the security scan. If the host does not pass the scan, the Dissolvable Agent remains on the host for the user to run again after compliance issues have been resolved.
  • The Passive Agent is provided using an external method, such as Group Policy Objects, and launched when the user logs into the domain. Users experience a slight delay while logging in but are unaware that their hosts are being scanned. See Passive Agent.
  • The Mobile Agent is installed on Android devices and is downloaded from either the captive portal or Google Play.

You may have situations in which one agent works better than others. For example, network users who log into your network every day could use the Persistent Agent and guest users could use the Dissolvable Agent. See Agent overview for additional information.

Use the latest agents

You may not have the most recent version of the selected agent on your FortiNAC appliance. Use the Agent Distribution window to see which agents are installed. From this window download the latest agent from Fortinet, if you need it. See Agent packages . Not all agent versions are compatible with all FortiNAC versions. It is recommended that you check with a sales or support representative before using a new agent.

Deploy selected agents

Once you have determined which agents to use, you must decide how to deploy them. Typically agents are deployed using the portal pages or web pages that users see when they connect to your network. These web pages allow users to download an agent and install it on their hosts. If this is the method you use to give the agent to your hosts, no special setup is required. FortiNAC takes care of making the agent available via its own web pages based on the options selected in the Endpoint Compliance Policy. Go to the Portal Configuration window and edit the content displayed on those web pages in order to customize them. See Portal content editor.

Deployment options for each agent are as follows:

  • Dissolvable Agent—Can be deployed from the captive portal or a separate web page.
  • Passive Agent—Deployed using an external method, such as Group Policy Objects. This agent is launched and served to the host when the users logs onto the network.
  • Mobile Agent—Deployed using the captive portal or Google Play.
  • Persistent Agent—Deployed using the captive portal, a separate web page or some other software distribution method.
    • If you choose to deploy the agent outside of FortiNAC you must download the agent and make it available for your chosen distribution method. See Agent packages for information on downloading the latest agent.
    • Go to the Persistent Agent Settings to configure agent behavior and the server with which the agent must communicate. See Persistent Agent settings.

Agent / server communications

All Agents must be configured to communicate with the FortiNAC server while they are scanning the host. The default configuration is for the agent to communicate based on the server alias "ns8200". To ensure that this communication is successful the alias must be resolvable through DNS. Agents distributed through the captive portal are set automatically to communicate with the server. Additional settings in both FortiNAC and your Production DNS direct the agent to the correct server. See and .

Agents at V3.0 or higher are designed to use a secure communication protocol with the FortiNAC Server or Application Server, however, that does require some configuration.

Endpoint compliance policy

When you have determined the agent or agents to be used, you are ready to begin configuring your Endpoint Compliance Policies.

  • Create User/Host Profiles to determine which users/hosts will match a policy. See User/host profiles.
  • Create Endpoint Compliance Policies to evaluate the hosts connecting to your network. See Endpoint compliance policies.
  • Policies contain Scans that rely on having up-to-date information about Anti-Virus and Operating Systems. In order to ensure that you have the latest information at all times you should configure a schedule for and run the Auto Def Updates. See .
  • If you plan to use Custom Scans, you must create them first and then associate them with a Scan. This can be done at any time you feel that a custom scan is necessary. New custom scans can be associated with existing Scans. See Custom scans.
  • For each Scan that you create, decide how often to rescan hosts assigned to that policy. Setup a rescan schedule. See Schedule a scan.
  • If you are using the Dissolvable Agent and you want to allow hosts to rescan at their convenience, enable Proactive scanning. See Add Proactive Scanning To A Scheduled Scan.
  • When a host fails a scan the user sees a web page with a list of reasons for the failure. To comply with your organization's requirements, that host may need access to certain web sites. For example, if the host failed because virus definitions were not up to date, that host needs to access the anti-virus software manufacturer's web page to download new virus definitions. FortiNAC has a list of web sites that are made accessible even when a host has failed a scan. Make sure that the web sites for the software you require are included in that list.
  • To understand what determines the policy that is assigned to a host, see Policy assignment.

Events & alarms

  • Make sure the Security Risk Host event is enabled, so that an event is generated any time a host fails a scan. The event message provides you with information about the host and why they failed. This is optional, but may be helpful in troubleshooting. See Enable and disable events.
  • You can view the list of events that have been generated by going to the Events View. See Events view.
  • If you would like to be notified that a host has failed a scan, map the Security Risk Host event to an alarm. Within the alarm configuration you can specify that you would like to be notified via email or you can use the Alarm Panel on the dashboard. This alarm notifies you when a host has failed a scan and helps you trouble shoot any problems. You can also set up e-mail notification for users so they are aware that their host failed a scan. See Map events to alarms and Alarm.
  • Make sure that your administrator e-mail address and your e-mail server have been configured or FortiNAC will not be able to send e-mail notifications. See Email settings.

Ports - control access

  • Place ports for wired switches in a Forced Registration group. This forces hosts connecting on those ports to the Registration VLAN and displays the registration page. From this page they can download an agent and be scanned. See and .
  • Hosts who have an agent and have already registered are not forced to the registration page. They are sent directly to the network. They are rescanned based on the schedule you have implemented for their policy.
  • If you have a Remediation or Quarantine VLAN where hosts are placed when they fail a scan, you must place ports in a Forced Remediation group. Placing ports in this group enables the Quarantine VLAN switching option. If you are not ready to begin placing hosts in Remediation, you can disable this option.
  • When Quarantine VLAN switching is disabled, hosts are scanned and can see the passed and failed items from their scans, but they are given access to the network instead of being put into the Quarantine VLAN. This is a good option to use when testing out the system. See Quarantine.
  • Other groups you may choose to use are Forced Authentication, Dead End and Role Based Access.

Scan hosts without enforcing remediation (optional)

To scan hosts without placing "at risk" hosts in remediation you can enable one or more options. See Scan hosts without enforcing remediation for more details.

  • Disable Quarantine VLAN switching to scan hosts but not mark them "at risk".
  • Enable the Audit Only option on an Endpoint Compliance Policy. Hosts that fail when scanned with that policy are not marked "at risk" .
  • Add hosts to the Forced Remediation Exceptions Group. Hosts in this group are scanned with the policy that corresponds to them. Hosts that fail the scan are marked "at risk" but are not forced into remediation.

Delayed remediation for scanned hosts (optional)

Allows you to scan hosts, notify the users of hosts that fail the scan of any pending issues, but not place the host in Remediation for a specified number of days. See Delayed remediation for scanned hosts.

  • Enable the Delayed Remediation setting on one or more Endpoint Compliance Policies by entering the number of days for the delay.

Switches - model configuration

  • Go to the Model Configuration for your wired and wireless switches and configure your VLANs. See Model configuration.

Authentication

  • If you are using the Persistent Agent, you must set the method for authenticating your users in the Credential Configuration and in Portal Configuration. The authentication method selected must be the same in both places. See Credential configuration.
  • If you are using the Dissolvable Agent or the Mobile Agent, you must set the method for authenticating your users in the Portal Configuration window.

Monitoring

  • Use the Scan Results View to see a list of hosts with their current scan status. This view provides information on the Scan used and whether or not the host passed the scan. See Scan results view.
  • Use Standard Reports to view lists of policies, the number of scans run that were passed or failed and details on the Pass/Fail. See Standard report templates.
  • Use the Health Tab under Host Properties to view detailed scan information for an individual host. See Host health and scanning.

Testing

It is recommended that you spend considerable time testing your Endpoint Compliance Policies, web pages and VLAN switching before fully implementing Endpoint Compliance. Use your own hosts and go through as many failure scenarios as possible to make sure that hosts are being managed correctly.

Implementation

Implementation

Endpoint Compliance allows you to create security policies and use those policies to scan network users' computers for compliance with your organization's network usage rules. The implementation of this feature set can vary widely from one organization to another based on how restrictive or open you choose to make it. You can simply monitor hosts for non-compliance or go so far as to completely block network access. You can institute scans based on simple options included in FortiNAC or create your own custom scans. This section of the documentation discusses the implementation in the approximate order in which it should be done. It also details optional features that you may or may not choose to implement. As the options are discussed, links to additional information are provided.

Note

Before implementing Endpoint Compliance, it is recommended that you notify all users about your network usage requirements. This helps users anticipate the changes and reduces calls to your IT Staff.

Agent

Choose one or more agents

The first step in implementing Endpoint Compliance is determining whether you will use the Persistent Agent, the Dissolvable Agent, the Passive Agent, the Mobile Agent or a combination.

  • The Persistent Agent is installed on the host and remains there to scan the computer as needed.
  • The Dissolvable Agent is downloaded to the host and removes itself once the host has passed the security scan. If the host does not pass the scan, the Dissolvable Agent remains on the host for the user to run again after compliance issues have been resolved.
  • The Passive Agent is provided using an external method, such as Group Policy Objects, and launched when the user logs into the domain. Users experience a slight delay while logging in but are unaware that their hosts are being scanned. See Passive Agent.
  • The Mobile Agent is installed on Android devices and is downloaded from either the captive portal or Google Play.

You may have situations in which one agent works better than others. For example, network users who log into your network every day could use the Persistent Agent and guest users could use the Dissolvable Agent. See Agent overview for additional information.

Use the latest agents

You may not have the most recent version of the selected agent on your FortiNAC appliance. Use the Agent Distribution window to see which agents are installed. From this window download the latest agent from Fortinet, if you need it. See Agent packages . Not all agent versions are compatible with all FortiNAC versions. It is recommended that you check with a sales or support representative before using a new agent.

Deploy selected agents

Once you have determined which agents to use, you must decide how to deploy them. Typically agents are deployed using the portal pages or web pages that users see when they connect to your network. These web pages allow users to download an agent and install it on their hosts. If this is the method you use to give the agent to your hosts, no special setup is required. FortiNAC takes care of making the agent available via its own web pages based on the options selected in the Endpoint Compliance Policy. Go to the Portal Configuration window and edit the content displayed on those web pages in order to customize them. See Portal content editor.

Deployment options for each agent are as follows:

  • Dissolvable Agent—Can be deployed from the captive portal or a separate web page.
  • Passive Agent—Deployed using an external method, such as Group Policy Objects. This agent is launched and served to the host when the users logs onto the network.
  • Mobile Agent—Deployed using the captive portal or Google Play.
  • Persistent Agent—Deployed using the captive portal, a separate web page or some other software distribution method.
    • If you choose to deploy the agent outside of FortiNAC you must download the agent and make it available for your chosen distribution method. See Agent packages for information on downloading the latest agent.
    • Go to the Persistent Agent Settings to configure agent behavior and the server with which the agent must communicate. See Persistent Agent settings.

Agent / server communications

All Agents must be configured to communicate with the FortiNAC server while they are scanning the host. The default configuration is for the agent to communicate based on the server alias "ns8200". To ensure that this communication is successful the alias must be resolvable through DNS. Agents distributed through the captive portal are set automatically to communicate with the server. Additional settings in both FortiNAC and your Production DNS direct the agent to the correct server. See and .

Agents at V3.0 or higher are designed to use a secure communication protocol with the FortiNAC Server or Application Server, however, that does require some configuration.

Endpoint compliance policy

When you have determined the agent or agents to be used, you are ready to begin configuring your Endpoint Compliance Policies.

  • Create User/Host Profiles to determine which users/hosts will match a policy. See User/host profiles.
  • Create Endpoint Compliance Policies to evaluate the hosts connecting to your network. See Endpoint compliance policies.
  • Policies contain Scans that rely on having up-to-date information about Anti-Virus and Operating Systems. In order to ensure that you have the latest information at all times you should configure a schedule for and run the Auto Def Updates. See .
  • If you plan to use Custom Scans, you must create them first and then associate them with a Scan. This can be done at any time you feel that a custom scan is necessary. New custom scans can be associated with existing Scans. See Custom scans.
  • For each Scan that you create, decide how often to rescan hosts assigned to that policy. Setup a rescan schedule. See Schedule a scan.
  • If you are using the Dissolvable Agent and you want to allow hosts to rescan at their convenience, enable Proactive scanning. See Add Proactive Scanning To A Scheduled Scan.
  • When a host fails a scan the user sees a web page with a list of reasons for the failure. To comply with your organization's requirements, that host may need access to certain web sites. For example, if the host failed because virus definitions were not up to date, that host needs to access the anti-virus software manufacturer's web page to download new virus definitions. FortiNAC has a list of web sites that are made accessible even when a host has failed a scan. Make sure that the web sites for the software you require are included in that list.
  • To understand what determines the policy that is assigned to a host, see Policy assignment.

Events & alarms

  • Make sure the Security Risk Host event is enabled, so that an event is generated any time a host fails a scan. The event message provides you with information about the host and why they failed. This is optional, but may be helpful in troubleshooting. See Enable and disable events.
  • You can view the list of events that have been generated by going to the Events View. See Events view.
  • If you would like to be notified that a host has failed a scan, map the Security Risk Host event to an alarm. Within the alarm configuration you can specify that you would like to be notified via email or you can use the Alarm Panel on the dashboard. This alarm notifies you when a host has failed a scan and helps you trouble shoot any problems. You can also set up e-mail notification for users so they are aware that their host failed a scan. See Map events to alarms and Alarm.
  • Make sure that your administrator e-mail address and your e-mail server have been configured or FortiNAC will not be able to send e-mail notifications. See Email settings.

Ports - control access

  • Place ports for wired switches in a Forced Registration group. This forces hosts connecting on those ports to the Registration VLAN and displays the registration page. From this page they can download an agent and be scanned. See and .
  • Hosts who have an agent and have already registered are not forced to the registration page. They are sent directly to the network. They are rescanned based on the schedule you have implemented for their policy.
  • If you have a Remediation or Quarantine VLAN where hosts are placed when they fail a scan, you must place ports in a Forced Remediation group. Placing ports in this group enables the Quarantine VLAN switching option. If you are not ready to begin placing hosts in Remediation, you can disable this option.
  • When Quarantine VLAN switching is disabled, hosts are scanned and can see the passed and failed items from their scans, but they are given access to the network instead of being put into the Quarantine VLAN. This is a good option to use when testing out the system. See Quarantine.
  • Other groups you may choose to use are Forced Authentication, Dead End and Role Based Access.

Scan hosts without enforcing remediation (optional)

To scan hosts without placing "at risk" hosts in remediation you can enable one or more options. See Scan hosts without enforcing remediation for more details.

  • Disable Quarantine VLAN switching to scan hosts but not mark them "at risk".
  • Enable the Audit Only option on an Endpoint Compliance Policy. Hosts that fail when scanned with that policy are not marked "at risk" .
  • Add hosts to the Forced Remediation Exceptions Group. Hosts in this group are scanned with the policy that corresponds to them. Hosts that fail the scan are marked "at risk" but are not forced into remediation.

Delayed remediation for scanned hosts (optional)

Allows you to scan hosts, notify the users of hosts that fail the scan of any pending issues, but not place the host in Remediation for a specified number of days. See Delayed remediation for scanned hosts.

  • Enable the Delayed Remediation setting on one or more Endpoint Compliance Policies by entering the number of days for the delay.

Switches - model configuration

  • Go to the Model Configuration for your wired and wireless switches and configure your VLANs. See Model configuration.

Authentication

  • If you are using the Persistent Agent, you must set the method for authenticating your users in the Credential Configuration and in Portal Configuration. The authentication method selected must be the same in both places. See Credential configuration.
  • If you are using the Dissolvable Agent or the Mobile Agent, you must set the method for authenticating your users in the Portal Configuration window.

Monitoring

  • Use the Scan Results View to see a list of hosts with their current scan status. This view provides information on the Scan used and whether or not the host passed the scan. See Scan results view.
  • Use Standard Reports to view lists of policies, the number of scans run that were passed or failed and details on the Pass/Fail. See Standard report templates.
  • Use the Health Tab under Host Properties to view detailed scan information for an individual host. See Host health and scanning.

Testing

It is recommended that you spend considerable time testing your Endpoint Compliance Policies, web pages and VLAN switching before fully implementing Endpoint Compliance. Use your own hosts and go through as many failure scenarios as possible to make sure that hosts are being managed correctly.