Fortinet black logo

Administration Guide

Delayed remediation for scanned hosts

Copy Link
Copy Doc ID 825689eb-200d-11e9-b6f6-f8bc1258b856:521626
Download PDF

Delayed remediation for scanned hosts

The Delayed Remediation scan feature allows you to scan hosts on your network, notify the user if the host has failed the scan and delay placing the host in the remediation VLAN for a specified number of days. This process gives the host's owner time to rectify the issues that triggered the failed scan and rescan without being removed from the network. If the user does not take care of the issues that caused the failure and successfully rescan the host by the time the specified delay has elapsed, the host is placed in remediation and cannot access the network.

Implementation

To implement Delayed Remediation, first implement the settings for Endpoint Compliance. See Implementation.

  • This feature works with any agent (Passive, Persistent or Dissolvable). If you choose to use this feature with the Dissolvable Agent, note the following:
    • Using the Dissolvable Agent, Delayed Remediation can only be implemented during the registration process where the host is provided a link to the Dissolvable Agent. If the host fails, it is marked as Pending - At Risk, but can register and move to the production VLAN. The Dissolvable Agent remains on the host until all issues have been resolved and the host has been rescanned.
    • If you set up scheduled rescans for hosts, using Delayed Remediation does not prevent the scheduled rescan from marking the host "At Risk" at the scheduled interval. Therefore, it is recommended that you use Proactive Scanning with the Dissolvable Agent instead of Delayed Remediation. Proactive Scanning allows a user to rescan a host prior to a scheduled required rescan and if the host fails it is not marked "at risk" until the date of the scheduled rescan. See Schedule a scan.

      To rescan the user must open a browser and navigate to the following:

      https://<Server or Application Server>/remediation

      The FortiNAC Server or Application Server in the URL can be either the IP Address or Name of the server that is running the captive portal.

  • Modify existing scans or create new ones and set the Delayed Remediation option for the number of days the host should be allowed to continue on the network after failing a scan. The default setting for Delayed Remediation is 0 days or no delay. See Add/modify a scan.
  • If a host has already failed a scan with a Delayed Remediation setting and the delay setting is changed on the Scan, it does not change the delay for the associated host. For example, if Host A is scanned, fails Scan A and is assigned a delay of 2 days, changing Scan A to a delay of 5 days does not alter the delay for Host A. It remains 2 days.
  • Configure events and alarms to notify you when a host is affected by the Delayed Remediation setting. See Enable and disable events. Events include:
    • Host Pending At Risk — Indicates that a host has failed a scan that has a Delayed Remediation set and has been set to Pending At Risk.
    • Host Security Test - Delayed Failure — A host has failed a scan and the scan has been set to Failure Pending in the Host Properties Health Tab.

Process

Below is a sample of the process FortiNAC goes through when Delayed Remediation is enabled.

  1. A host connects to the network and is scanned by an agent with Scan A that has a 3 day delay configured.
  2. The host fails the scan for Anti-Virus.
  3. A failure page indicating the reason for the failure is displayed on the host.
  4. A Delayed Remediation record is created for this host and Scan A, which was used to scan the host.
  5. The host's status is set to Pending At Risk.
  6. On the Host Properties - Health Tab the scan for Scan A is set to Failure Pending.
  7. The host remains on the production network and is not sent to the remediation VLAN.
  8. After one day the host connects in the Library and is scanned by an agent with Scan B that has a 5 day delay configured.
  9. The host fails the scan for Operating System.
  10. A failure page indicating the reason for the failure is displayed on the host.
  11. A second Delayed Remediation record is created for this host and Scan B.
  12. The host status remains Pending At Risk.
  13. On the Host Properties - Health Tab the scan for Scan B is set to Failure Pending.
  14. The user corrects the Anti-Virus issue and rescans with Scan A.
  15. The Delayed Remediation record for this host and Scan A is removed.
  16. On the Host Properties - Health Tab the scan for Scan A is set to Success.
  17. The host's status remains Pending At Risk because the user has not corrected the Operating System issue and rescanned for Scan B.
  18. Five days elapse and the user still has not corrected the Operating System issue and rescanned for Scan B.
  19. The host is marked At Risk but it is not moved to the Remediation VLAN because Scan B is not the scan that currently applies to the host. Scan B will apply to the host if the host ever reconnects in the Library.
  20. On the Host Properties - Health Tab the scan for Scan B is set to Failure.
  21. The Delayed Remediation record for this host and Scan B is removed.
  22. The host continues on the production network.
  23. If the host ever reconnects in the Library, the host will be placed in Remediation. The User will have to resolve the Operating System issue and rescan the host for Scan B.
Note

Each host failure and delay record is treated individually. Passing one scan and associated delay, does not remove failures for other scans and corresponding delays. However, if a failed scan does not apply to the host, the host will not be sent to Remediation. Refer to Host health and scanning.

Delayed remediation for scanned hosts

The Delayed Remediation scan feature allows you to scan hosts on your network, notify the user if the host has failed the scan and delay placing the host in the remediation VLAN for a specified number of days. This process gives the host's owner time to rectify the issues that triggered the failed scan and rescan without being removed from the network. If the user does not take care of the issues that caused the failure and successfully rescan the host by the time the specified delay has elapsed, the host is placed in remediation and cannot access the network.

Implementation

To implement Delayed Remediation, first implement the settings for Endpoint Compliance. See Implementation.

  • This feature works with any agent (Passive, Persistent or Dissolvable). If you choose to use this feature with the Dissolvable Agent, note the following:
    • Using the Dissolvable Agent, Delayed Remediation can only be implemented during the registration process where the host is provided a link to the Dissolvable Agent. If the host fails, it is marked as Pending - At Risk, but can register and move to the production VLAN. The Dissolvable Agent remains on the host until all issues have been resolved and the host has been rescanned.
    • If you set up scheduled rescans for hosts, using Delayed Remediation does not prevent the scheduled rescan from marking the host "At Risk" at the scheduled interval. Therefore, it is recommended that you use Proactive Scanning with the Dissolvable Agent instead of Delayed Remediation. Proactive Scanning allows a user to rescan a host prior to a scheduled required rescan and if the host fails it is not marked "at risk" until the date of the scheduled rescan. See Schedule a scan.

      To rescan the user must open a browser and navigate to the following:

      https://<Server or Application Server>/remediation

      The FortiNAC Server or Application Server in the URL can be either the IP Address or Name of the server that is running the captive portal.

  • Modify existing scans or create new ones and set the Delayed Remediation option for the number of days the host should be allowed to continue on the network after failing a scan. The default setting for Delayed Remediation is 0 days or no delay. See Add/modify a scan.
  • If a host has already failed a scan with a Delayed Remediation setting and the delay setting is changed on the Scan, it does not change the delay for the associated host. For example, if Host A is scanned, fails Scan A and is assigned a delay of 2 days, changing Scan A to a delay of 5 days does not alter the delay for Host A. It remains 2 days.
  • Configure events and alarms to notify you when a host is affected by the Delayed Remediation setting. See Enable and disable events. Events include:
    • Host Pending At Risk — Indicates that a host has failed a scan that has a Delayed Remediation set and has been set to Pending At Risk.
    • Host Security Test - Delayed Failure — A host has failed a scan and the scan has been set to Failure Pending in the Host Properties Health Tab.

Process

Below is a sample of the process FortiNAC goes through when Delayed Remediation is enabled.

  1. A host connects to the network and is scanned by an agent with Scan A that has a 3 day delay configured.
  2. The host fails the scan for Anti-Virus.
  3. A failure page indicating the reason for the failure is displayed on the host.
  4. A Delayed Remediation record is created for this host and Scan A, which was used to scan the host.
  5. The host's status is set to Pending At Risk.
  6. On the Host Properties - Health Tab the scan for Scan A is set to Failure Pending.
  7. The host remains on the production network and is not sent to the remediation VLAN.
  8. After one day the host connects in the Library and is scanned by an agent with Scan B that has a 5 day delay configured.
  9. The host fails the scan for Operating System.
  10. A failure page indicating the reason for the failure is displayed on the host.
  11. A second Delayed Remediation record is created for this host and Scan B.
  12. The host status remains Pending At Risk.
  13. On the Host Properties - Health Tab the scan for Scan B is set to Failure Pending.
  14. The user corrects the Anti-Virus issue and rescans with Scan A.
  15. The Delayed Remediation record for this host and Scan A is removed.
  16. On the Host Properties - Health Tab the scan for Scan A is set to Success.
  17. The host's status remains Pending At Risk because the user has not corrected the Operating System issue and rescanned for Scan B.
  18. Five days elapse and the user still has not corrected the Operating System issue and rescanned for Scan B.
  19. The host is marked At Risk but it is not moved to the Remediation VLAN because Scan B is not the scan that currently applies to the host. Scan B will apply to the host if the host ever reconnects in the Library.
  20. On the Host Properties - Health Tab the scan for Scan B is set to Failure.
  21. The Delayed Remediation record for this host and Scan B is removed.
  22. The host continues on the production network.
  23. If the host ever reconnects in the Library, the host will be placed in Remediation. The User will have to resolve the Operating System issue and rescan the host for Scan B.
Note

Each host failure and delay record is treated individually. Passing one scan and associated delay, does not remove failures for other scans and corresponding delays. However, if a failed scan does not apply to the host, the host will not be sent to Remediation. Refer to Host health and scanning.