Manage hosts in a FortiNAC Control Manager environment

Host records are not synchronized across managed FortiNAC Servers. Host state changes are never propagated from one FortiNAC Server to another.

In an environment where multiple FortiNAC Servers are managed by a FortiNAC Control Manager, hosts register with the Server that manages the switch to which the hosts connect. The FortiNAC Control Manager can query the servers it manages to locate hosts and view host or adapter properties regardless of the server on which the host record resides.

Hosts That Move To A Different FortiNAC Server

When hosts are mobile, such as a laptop or an iPad, the host could connect to a switch that is not managed by the FortiNAC Server where the host originally registered. In this case the process is as follows:

  1. Host A connects to the network and registers on FortiNAC Server 1.
  2. Later, Host A moves and connects to a switch managed by FortiNAC Server 2.
  3. FortiNAC Server 2 does not have a record for that host and queries the FortiNAC Control Manager to find out if this is a registered host on a different FortiNAC Server.
  4. The FortiNAC Control Manager queries all of the FortiNAC Servers it manages and finds a record of Host A on FortiNAC Server 1.
  5. The record for Host A is copied from FortiNAC Server 1 to FortiNAC Server 2. If the security policy used to scan Host A exists on FortiNAC Server 2, then the host state is also copied. If the policy does not exist on FortiNAC Server 2, then the host state is not copied.
  6. From this point forward, the two host records are never synchronized. Changes in host state on one FortiNAC Server are never propagated to any other FortiNAC Server.

Hosts With Delayed Remediation State

When a host has been scanned against a policy set for Delayed Remediation and has failed it, the host is set to Pending - At Risk. This host state indicates that the host has failed the policy but is not being prevented from accessing the network until the configured delay for that policy elapses. If in the meantime the host moves elsewhere on the network and connects to a switch managed by a different FortiNAC Server, the host state is not propagated: a Pending - At Risk state is never sent to the second FortiNAC Server. However, if the host returns to the first server, it must resolve the issues that caused it to fail and rescan before the delay elapses, or it will be marked "At Risk" and will not be allowed on the network.
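The following is an added model (not Fortinet code) of the copy rules described in the six-step procedure above and in the Delayed Remediation section: a record is copied on first contact with a new server, the host state comes along only when the scanning policy exists on that server and the state is not Pending - At Risk, and the two copies are never synchronized afterwards. The MAC addresses, the policy name `corp-av`, and the use of `None` for "state not copied" are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

PENDING_AT_RISK = "Pending - At Risk"   # delayed-remediation state; never copied

@dataclass
class HostRecord:
    mac: str
    policy: str             # security policy the host was scanned with
    state: Optional[str]    # None = state was not copied (assumed representation)

@dataclass
class FortiNACServer:
    name: str
    policies: set                               # policies defined on this server
    hosts: dict = field(default_factory=dict)   # mac -> HostRecord

class ControlManager:
    """Queries every managed server to locate a host record (step 4)."""
    def __init__(self, servers):
        self.servers = list(servers)

    def locate(self, mac: str) -> Optional[HostRecord]:
        for server in self.servers:
            if mac in server.hosts:
                return server.hosts[mac]
        return None

def connect(manager: ControlManager, target: FortiNACServer, mac: str) -> Optional[HostRecord]:
    """Host `mac` connects to a switch managed by `target` (steps 2-5)."""
    if mac in target.hosts:
        return target.hosts[mac]          # local record, no lookup needed
    source = manager.locate(mac)
    if source is None:
        return None                       # unregistered host: must register on target
    # State is copied only if the scanning policy exists on the target and the
    # host is not sitting in the delayed-remediation Pending - At Risk state.
    copy_state = source.policy in target.policies and source.state != PENDING_AT_RISK
    record = HostRecord(mac=mac, policy=source.policy,
                        state=source.state if copy_state else None)
    target.hosts[mac] = record            # separate object: never re-synced (step 6)
    return record

def set_state(server: FortiNACServer, mac: str, state: str) -> None:
    """Change host state on one server only; nothing propagates (step 6)."""
    server.hosts[mac].state = state
```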