Administration Guide

Chaining configuration scans

When the Advanced Scan Controls option is enabled for an Endpoint Compliance Configuration, you can map a security action containing Run Endpoint Compliance Configuration activities to scan results.

The Run Endpoint Compliance Configuration activity runs scans for additional Endpoint Compliance Configurations, so that further scans can be run on hosts that need additional levels of access. For example, if the host is part of a group requiring access to a secure VLAN, you can run additional scans that the host must pass before it is allowed onto that area of the network. Access is determined by the highest-level scan that the host passes.

When a host is authenticated and matches an Endpoint Compliance Policy, the Endpoint Compliance Configuration scan is run, and an action is then taken based on the scan results. If that action performs the Run Endpoint Compliance Configuration activity and the additional Endpoint Compliance Configuration scan starts successfully, the action moves to the next activity in the list while that scan is still running.

If the Endpoint Compliance Configuration scan does not successfully start, additional activities are only performed if the On Activity Failure setting is set to Continue Running Activities.

There is no limit on the number of actions that can be run based on scan results.
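The control flow described above, as a small Python model added here for illustration; it is not FortiNAC code or an API. The class, function and scan names, the `STOP` value and the numeric scan levels are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

CONTINUE = "Continue Running Activities"  # On Activity Failure value named on the page
STOP = "stop"  # hypothetical stand-in for any other On Activity Failure value

@dataclass
class Activity:  # hypothetical model of one activity in a security action
    name: str
    chained_scan: Optional[str] = None  # set for Run Endpoint Compliance Configuration
    scan_starts: bool = True            # constructed: does the chained scan start?

def run_action(activities, on_activity_failure):
    """Walk the activity list; return (activities attempted, scans started)."""
    attempted, started = [], []
    for act in activities:
        attempted.append(act.name)
        if act.chained_scan is None:
            continue
        if act.scan_starts:
            # The scan keeps running in the background; the action moves on at once.
            started.append(act.chained_scan)
        elif on_activity_failure != CONTINUE:
            break  # scan did not start: the remaining activities are skipped
    return attempted, started

def effective_access(levels, results):
    """Name of the highest-level scan the host passed, or None if it passed none."""
    passed = [scan for scan, ok in results.items() if ok]
    return max(passed, key=lambda scan: levels[scan], default=None)

# Constructed sample: the action mapped to the first scan's result.
ACTION = [
    Activity("run scan: Secure-VLAN", chained_scan="Secure-VLAN", scan_starts=False),
    Activity("run scan: Finance", chained_scan="Finance"),
    Activity("follow-up activity"),
]
LEVELS = {"Base": 1, "Secure-VLAN": 2, "Finance": 3}  # assumed ranking of scans

if __name__ == "__main__":
    print(run_action(ACTION, CONTINUE))
    print(run_action(ACTION, STOP))
    print(effective_access(LEVELS, {"Base": True, "Secure-VLAN": True, "Finance": False}))
```

With Continue Running Activities, a chained scan that fails to start does not block the activities listed after it, so review the order of activities when choosing the On Activity Failure setting.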

Note: The Persistent Agent must be installed on the host.

To enable and configure Advanced Scan Controls, go to Policy > Policy Configuration. Click Endpoint Compliance > Configuration, and then click the Add button or select an existing configuration and click Modify.
