Add/modify a scan

Use the Add or Modify Scan dialog to configure scan settings. Field definitions are divided into two tables. The first table details the fields on the General tab and the second details the Categories available under the remaining tabs.

  1. Select Policy > Policy Configuration.
  2. In the menu on the left click the + sign next to Endpoint Compliance to open it.
  3. Click the Scans option to select it.
  4. On the Scans View, click Add to add a new Scan or select an existing Scan and click Modify.
  5. Enter data in the fields as needed. See the Scan Configuration Field Definitions table below for information on each field.
  6. For each operating system tab, there is a drop-down menu of categories that can be set, such as anti-virus settings. Instructions for configuring each category are contained in the Scan Configuration Field Definitions - Categories table.
  7. The Summary tab provides an overview of the entire scan configuration for your review.
  8. Click OK to save the Scan.

Field

Definition

Scan Name

Each scan must have a unique name.

Scan Settings

Scan On Connect
(Persistent Agent Only)

Forces a rescan every time the host assigned this scan connects to the network.

This option only affects hosts running the Persistent Agent.

See Scan on connect.

Renew IP
(Supported Dissolvable Agent Only)

Indicates whether the Renew IP option is enabled or disabled. When this option is enabled, the Dissolvable Agent actively releases and renews the IP address of the host after it has completed its scan. The Renew IP option is only supported on the following systems that use the Dissolvable Agent:

  • Windows: All Dissolvable Agent Versions
  • macOS: Dissolvable Agent Versions 3.3.0.56+

Root Detection
(Android Agent Only)

The Mobile Agent for Android devices determines whether or not the device has been rooted. Rooting is a process allowing users of devices running the Android operating system to attain privileged control (known as "root access") within Android's subsystem.

If enabled, rooted mobile devices are not allowed to register.

If disabled, devices suspected of being rooted are allowed to register and (Rooted) is appended to the operating system information displayed in the Host View.

If the agent detects that the device has been altered, a Potential Rooted Device event is generated.

Remediation - On Failure

If enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, the user must resolve all of the issues for which the host failed and rescan before being allowed on the network.

Agent Order Of Operations:

This set of options is available only when Remediation is set to On Failure.

Determines the order in which the agent performs its tasks. Choose one of the following:

Scan Before Registering: The host downloads the Agent and is scanned in the registration network before being registered. If the scan fails you must choose one of the following:

  1. Do not Register, Remediate: Host remains a Rogue and stays in the registration network until it passes the scan. Note the host will not be marked "at risk." Default setting.
  2. Register and mark At Risk: The host is registered immediately after the scan and then moved to Quarantine.

Hosts running the Persistent Agent always register and are marked At Risk, regardless of which of these two options is selected.

Register, then Scan (if the scan fails, Remediate): The host does not download an agent in the Registration network. Instead, the host is registered and moved to Quarantine to download the Agent and be scanned.

Remediation - Delayed

Hosts that fail this scan are set to Pending at Risk for the number of days indicated in the Remediation Delay field. Hosts set to Pending at Risk are not placed in remediation until the number of days indicated has elapsed. The user is notified of the failure immediately.

Changes to this setting do not affect hosts that are already marked as Pending At Risk. If a host was set to a delay of 3 days and you change the Remediation Delay field to 5 days, the host remains at a delay of 3 days. Hosts scanned after the change will use the 5 day setting.

Agent Order Of Operations:

If scan fails - Register or Remediate: If the host fails a scan, the Persistent Agent displays a message stating that the host is at risk. Click the message to display information about the scan. The host is automatically registered.

The Dissolvable Agent displays the results of the scan. You can choose to rescan or register.

When the host is registered, the host is placed in production. The user can correct all of the issues and re-run the Agent.

Remediation - Audit Only

If enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, it is not marked "at risk". Therefore, it is not forced into Remediation and can continue using the network. The administrator can review the scan results and take corrective action without disrupting users on the network.

Agent Order Of Operations:

If scan fails - Register or Remediate: If the host fails a scan, a web page with a Register option and a Remediate option is displayed to the user.

If the user chooses the Remediate option, the host is placed in remediation and the user must correct all issues and rescan.

If the user chooses the Register option, the host is placed in production. The user can correct all of the issues and re-run the Agent.

Portal Page Settings

Label For Scan Failure Link

Label displayed on the failure page when a network user's PC has failed a scan. If no label is provided, the scan name is used. The label or scan name is a link that takes the user to a page indicating why the PC has failed the scan.

Instructions For Scan Failure

If a host has failed a scan, the user must remedy the issue and rescan. This field allows you to provide the user with a brief set of instructions.

Patch URL For Dissolvable Agent Re-Scan

URL for the web page to be displayed when a host using the Dissolvable Agent fails the scan. This web page allows the user to download the agent and rescan after addressing the issues that caused the failure. Hosts using the Persistent Agent have the agent installed and do not use this page.

Set this to /remediation

To rescan the user must open a browser and navigate to the following:

https://<Server or Application Server>/remediation

The FortiNAC Server or Application Server in the URL can be either the IP Address or Name of the server that is running the captive portal.

In use by/Not currently in use

Indicates whether the scan is being used in User/Host Profile(s). When the scan is in use, click the link to view the User/Host Profile(s).

Scan categories

For each operating system there is a Category drop-down that allows you to configure specific settings for categories such as anti-virus. The table below outlines these settings.

Default parameter values for individual anti-virus and operating system packages are entered and updated automatically by the scheduled Auto-Def Updates. If the values have been manually edited, the Auto-Def Updates will not override those changes.

Removing a check mark from a selected option causes any underlying changes to be lost. For example, if you modified settings for AVG antivirus and then unselected it, those changes are lost.

Field

Definition

Anti-Virus

Validation Options

Any — Any one of the selected items must be present on the host machine to pass the scan.

All — All of the selected items must be present on the host machine to pass the scan.

Anti-Virus List

New anti-virus software is continually being created. As new anti-virus software becomes available, parameters for that software are made available as quickly as possible in FortiNAC. The default values for each anti-virus program are entered automatically by the scheduled Auto-Def Updates feature. You should not need to modify these.

Select one or more types of Anti-virus software to check for on the host machine. To set additional parameters for any of the selected Anti-Virus programs, click the name of a program. A parameters window opens and displays all of the advanced options that can be set. Enter the custom parameter values for the selected program and click OK. See Antivirus parameters - Windows or Antivirus parameters - macOS for details on each parameter.

Preferred

Select the Preferred Anti-Virus from the drop-down list. If the host fails for all of the products selected for the scan, only the preferred item selected is displayed on the Failed Policy pages. If no Preferred product is selected, the list displayed on the Failed Policy pages contains a separate line for every product failure.

Custom Scans

Custom Scans List

Custom scans are user created scans that have been configured to scan hosts for things such as specific files, registry entries or programs. Custom scans must be created and saved before they can be included as part of a Security Policy. See Custom scans overview.

When a Custom scan is added at the scan level of a regular scan, it applies to every host scanned with that scan, regardless of the other options selected for the policy. Any host that is scanned with the regular scan is also scanned based on the Custom Scan. See Custom scans options - scan level.

Custom scans can be added within a category, such as Anti-Virus. For example, any host that has AVG Anti-Virus will be scanned using an associated custom scan. In this case, the Custom Scan is being used to enhance the scan for AVG Anti-Virus and it is not run on every host. See Custom scans options within a category level.
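The Any/All validation, Preferred display and custom-scan scoping described above, modelled in Python as an added example. This is not FortiNAC's own code; AVG is a product named on this page, while "ExampleAV", the custom scan names and the host inventories are constructed for the example.

```python
"""Illustrative model of how a FortiNAC scan's Anti-Virus category and custom
scans combine, written for this page. It is not FortiNAC code; the product
names (other than AVG) and host inventories below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AntiVirusCategory:
    """Anti-Virus tab settings: selected products, Any/All validation, Preferred."""
    selected: List[str]                 # products the scan checks for
    validation: str                     # "any" or "all"
    preferred: Optional[str] = None     # product shown alone when every product fails
    # Custom scans attached inside the category, keyed by product name.
    # Each runs only on hosts that actually have that product (assumed names).
    category_custom_scans: Dict[str, str] = field(default_factory=dict)


@dataclass
class Scan:
    """A regular scan: one category plus custom scans attached at scan level."""
    name: str
    anti_virus: AntiVirusCategory
    scan_level_custom_scans: List[str] = field(default_factory=list)


def evaluate_anti_virus(category: AntiVirusCategory,
                        installed: Set[str]) -> Tuple[bool, List[str]]:
    """Return (passed, product lines shown on the Failed Policy page).

    Any: the host passes if at least one selected product is present.
    All: the host passes only if every selected product is present.
    When the host fails for every selected product and a Preferred product is
    set, only that product is listed; otherwise one line per failed product.
    """
    if category.validation not in ("any", "all"):
        raise ValueError("validation must be 'any' or 'all'")
    present = [p for p in category.selected if p in installed]
    missing = [p for p in category.selected if p not in installed]
    passed = bool(present) if category.validation == "any" else not missing
    if passed:
        return True, []
    if not present and category.preferred in category.selected:
        return False, [category.preferred]
    return False, missing


def custom_scans_to_run(scan: Scan, installed: Set[str]) -> List[str]:
    """Scan-level custom scans run on every host; category-level ones run only
    on hosts that have the product they are attached to."""
    to_run = list(scan.scan_level_custom_scans)
    for product, custom in scan.anti_virus.category_custom_scans.items():
        if product in installed:
            to_run.append(custom)
    return to_run


if __name__ == "__main__":
    # Constructed sample: AVG is named on this page; "ExampleAV", the custom
    # scan names and the host inventories are made up for this example.
    av = AntiVirusCategory(selected=["AVG", "ExampleAV"], validation="any",
                           preferred="ExampleAV",
                           category_custom_scans={"AVG": "AVG definition age"})
    scan = Scan("Corporate AV", av, scan_level_custom_scans=["Hosts file check"])
    for inventory in ({"AVG"}, set()):
        print(sorted(inventory), evaluate_anti_virus(av, inventory),
              custom_scans_to_run(scan, inventory))
```

The model makes the two scoping rules explicit: a host with no anti-virus at all still gets the scan-level custom scan, while the category-level custom scan attached to AVG is skipped on that host, and the Preferred product only changes what is displayed, never whether the host passes.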

Operating Systems

Selection Options

All — Marks every operating system with a check mark.

None — Removes the check mark from every operating system check box.

Operating Systems List

Scans for required or prohibited operating systems on host machines. Operating systems that are selected are required. See Operating system parameters - Windows.

The Windows-2003-Server-x64 product has been removed. Use the Windows 2003 Server and Windows XP x64 products.

Preferred

Select the Preferred Operating System from the drop-down list. If the host fails for all of the products selected for the scan, only the preferred item selected is displayed on the Failed Policy pages. If no Preferred product is selected, the list displayed on the Failed Policy pages contains a separate line for every product failure.

Monitors

Scan List

Allows you to run a custom scan with greater frequency than the regular scan with which it is associated. For example, the original scan may only run once a week, but you may have a custom scan that needs to run every half an hour. Instead of running the entire scan policy every half an hour you can choose to run only a custom scan. See Monitor custom scans.

Select a custom scan and enter the frequency with which it should run.

Performance degradation may occur if you select an interval less than every five (5) minutes. It is recommended that monitoring intervals be set to five (5) minutes or more.
