Scans
The Scans View allows you to configure network scans, or sets of rules that are used to scan hosts for compliance. Scans are included in Endpoint Compliance Configurations that are paired with User/Host Profiles, which together form Endpoint Compliance Policies. When a host is evaluated and requires an Endpoint Compliance Policy, FortiNAC goes through the list of policies and compares user and host information to the associated User/Host Profile. When a match is found, the Endpoint Compliance Configuration inside the policy is applied to the host. That configuration contains the scan and agent information used to evaluate the host.
Scans typically consist of lists of permitted operating systems and required anti-virus software. In addition, Custom Scans can be created for more detailed scanning, such as searching the registry for particular entries, searching the hard drive for specific files, or verifying that hotfixes have been installed. Individual scans can be scheduled to run at regular intervals if your organization requires frequent rescans.
For a list of supported operating systems and anti-virus software, use the Customer Portal on our web site.
The results of a scan are stored on the Host Health tab in the Host Properties view. Refer to Host health and scanning for additional information.
Scanning with Agent 2.X
If your hosts are scanned by an Agent prior to Agent version 3.0, the agent tests every single item in the scan and presents extensive scan results. In some cases those items may not be relevant. For example, if Windows XP is required and that operating system is not installed, the agent will still test to see if the updates have been installed. In the scan results, the host fails for not having the operating system AND for not having the updates.
The opposite is also true. In some cases, if an item is unchecked and therefore not required, the host passes for that item and can pass the scan. See the example below:
OS/AV | Anti-Virus 1 | Anti-Virus 2 | Anti-Virus 3
---|---|---|---
Operating System 1 | Unchecked | Unchecked | Checked
Operating System 2 | Unchecked | Checked | Checked
Operating System 3 | Checked | Checked | Checked
If the scan is set to Any, indicating that any combination is acceptable, the goal of these scan settings would be as follows:
- Operating System 1 requires Anti-Virus 3
- Operating System 2 requires either Anti-Virus 1 or Anti-Virus 2.
- Operating System 3 requires either Anti-Virus 1, Anti-Virus 2 or Anti-Virus 3.
However, this is not supported because the agent tests for each combination. The actual process is as follows:
- Operating System 1 requires either no Anti-Virus 1, or no Anti-Virus 2, or Anti-Virus 3. The host passes if it does not have Anti-Virus 1 or 2, because those are unchecked and the agent tests for that combination. It also passes if it has Anti-Virus 3.
- Operating System 2 requires either no Anti-Virus 1, or Anti-Virus 2, or Anti-Virus 3. The host passes if it does not have Anti-Virus 1, because that one is unchecked and the agent tests for that combination. It also passes if it has Anti-Virus 2 or 3.
- Operating System 3 requires either Anti-Virus 1, Anti-Virus 2 or Anti-Virus 3. The host passes if it has any one of the three Anti-Virus products installed.
Scanning with Agent 3.X and higher
If your hosts are scanned using Agent version 3.0 or higher, the agent first checks to see if a required item is installed and then proceeds to scan for additional details about that item. For example, if the host is required to run Windows XP and that operating system is not installed, the agent does not check to see if the updates have been installed. Scan results, therefore, are reduced because needless scans are minimized. In the scan results, the host fails only for not having the operating system.
Using the example from the table shown above, Agent 3.X ignores items that are not checked or selected. With this agent, you would achieve the following results.
- Operating System 1 requires Anti-Virus 3. The agent does not test whether Anti-Virus 1 and 2 are absent; therefore, the host cannot pass the scan unless it has Operating System 1 with Anti-Virus 3.
- Operating System 2 requires either Anti-Virus 1 or Anti-Virus 2. The agent does not test for Anti-Virus 1.
- Operating System 3 requires either Anti-Virus 1, Anti-Virus 2 or Anti-Virus 3.
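As an added example (not FortiNAC code), the following Python simulates how Agent 2.X and Agent 3.X evaluate a host against the OS/Anti-Virus matrix in the table above with the scan set to Any. The matrix encoding, the host values and the `evaluate` function are constructed for illustration; the only difference between the two generations is how an unchecked cell is treated and whether anything is tested once the operating system is found to be absent.

```python
# Added example, not FortiNAC code: simulates how Agent 2.X and Agent 3.X
# evaluate a host against the OS/Anti-Virus matrix from the table above.

# The matrix from the page: True = checked (required), False = unchecked.
SCAN_MATRIX = {
    "Operating System 1": {"Anti-Virus 1": False, "Anti-Virus 2": False, "Anti-Virus 3": True},
    "Operating System 2": {"Anti-Virus 1": False, "Anti-Virus 2": True,  "Anti-Virus 3": True},
    "Operating System 3": {"Anti-Virus 1": True,  "Anti-Virus 2": True,  "Anti-Virus 3": True},
}


def cell_results_2x(cells, installed_av):
    """Agent 2.X tests every cell: an unchecked cell is satisfied by the
    product being absent, a checked cell by the product being present."""
    return {av: checked == (av in installed_av) for av, checked in cells.items()}


def cell_results_3x(cells, installed_av):
    """Agent 3.X ignores unchecked cells and tests only the required products."""
    return {av: av in installed_av for av, checked in cells.items() if checked}


def evaluate(matrix, host_os, installed_av, agent_major):
    """Return (passed, findings) for one host under the given agent generation.
    With the scan set to Any, one satisfied cell in the host's OS row passes."""
    findings = []
    if host_os not in matrix:
        findings.append(f"{host_os} is not a permitted operating system")
        if agent_major >= 3:
            return False, findings   # 3.X stops here: OS absent, nothing else is tested
        # 2.X keeps testing every remaining item and reports all of them
        for os_name, cells in matrix.items():
            for av, ok in cell_results_2x(cells, installed_av).items():
                findings.append(f"{os_name}/{av}: {'ok' if ok else 'fail'}")
        return False, findings
    tester = cell_results_2x if agent_major < 3 else cell_results_3x
    results = tester(matrix[host_os], installed_av)
    for av, ok in results.items():
        findings.append(f"{host_os}/{av}: {'ok' if ok else 'fail'}")
    return any(results.values()), findings


if __name__ == "__main__":
    # Constructed host: Operating System 1 with no anti-virus installed at all.
    for major in (2, 3):
        passed, findings = evaluate(SCAN_MATRIX, "Operating System 1", set(), major)
        print(f"Agent {major}.X -> {'PASS' if passed else 'FAIL'}: {findings}")
```

Running it shows the quirk described above: the bare Operating System 1 host passes under Agent 2.X because the unchecked Anti-Virus 1 and 2 cells are satisfied by their absence, and fails under Agent 3.X because Anti-Virus 3 is missing.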
Scans view navigation
Scans can be accessed from Policy > Policy Configuration > Endpoint Compliance or from System > Quick Start > Policy Configuration; however, the configuration steps in this guide point you to Policy > Policy Configuration > Endpoint Compliance. See Navigation and Filters for information on common navigation tools and data filters.
Settings
Field | Definition
---|---
Scan Name | Each scan must have a unique name.
Remediation | Indicates when the host is moved to Remediation. Options include: On Failure — Host is moved to remediation immediately after failing a scan. Delayed — Host is moved to remediation after a user-specified delay if the reason for the scan failure has not been addressed. Audit Only — Host is scanned and a failure report is generated, but the host is never moved to remediation.
Scan On Connect | Indicates whether this option is enabled or disabled. Scan On Connect forces a rescan every time a host assigned this scan connects to the network. See Scan on connect. This option only affects hosts running the Persistent Agent.
Renew IP (Supported by Dissolvable Agent Only) | Indicates whether the Renew IP option is enabled or disabled. When this option is enabled, it causes the Dissolvable Agent to actively release and renew the IP address of the host after it has completed its scan. The Renew IP option is only supported on the following systems that use the Dissolvable Agent:
Scan Failure Link Label | Label displayed on the failure page when a network user's PC has failed a scan. If no label is provided, the scan name is used. The label or scan name is a link that takes the user to a page indicating why the PC has failed the scan.
Agent Order Of | This set of options is available only when Remediation is set to On Failure. Determines the order in which the agent performs its tasks. Choose one of the following: Scan Before Registering: The host downloads the Agent and is scanned in the registration network before being registered. If the scan fails you must choose one of the following: Register, then Scan (if the scan fails, Remediate): The host does not download an agent in the Registration network. Instead, the host is registered and moved to Quarantine to download the Agent and be scanned.
Agent Order Of Remediation = Delay or Audit Only | This option is available only when Remediation is set to Delay or Audit Only. If scan fails - Register or Remediate: If the host fails a scan, a web page with a Register option and a Remediate option is displayed to the user. If the user chooses the Remediate option, the host is placed in remediation and the user must correct all issues and rescan. If the user chooses the Register option, the host is placed in production. The user can correct all of the issues and re-run the Agent.
Patch URL | URL of the web page displayed when a host using the Dissolvable Agent fails the scan. This web page allows the user to download the agent and rescan after addressing the issues that caused the failure. Hosts using the Persistent Agent already have the agent installed and do not use this page.
Root Detection | Indicates whether this option is enabled or disabled. If enabled, rooted mobile devices are not allowed to register. The Mobile Agent for Android devices determines whether or not the device has been rooted. Rooting is a process that allows users of devices running the Android operating system to attain privileged control (known as "root access") within Android's subsystem.
Last Modified By | User name of the last user to modify the scan.
Last Modified Date | Date and time of the last modification to this scan.
Right click options
Option | Definition
---|---
Copy | Copies the selected Scan to create a new record.
Delete | Deletes the selected Scan. Scans that are currently in use cannot be deleted.
In Use | Indicates whether or not the selected Scan is currently being used by any other FortiNAC element. See Scans in use.
Modify | Opens the Modify Scan window for the selected Scan.
Schedule | Opens the Schedule Policy view for the selected Scan and allows you to add a schedule for host rescans using that Scan. See Schedule a scan.
Show Audit Log | Opens the Admin Auditing Log showing all changes made to the selected item. For information about the Admin Auditing Log, see Admin auditing.
Buttons
Button | Definition
---|---
Custom Scans | Opens the Custom Scan Configuration window, which allows you to add, remove or modify Custom Scans. Custom Scans can be added to policies for more detailed host scans. See Custom scans.
Schedule | Opens the Schedule Policy view for the selected Scan and allows you to add a schedule for host rescans using that Scan. See Schedule a scan.