Server synchronization

Host Propagation controls the replication of hosts from one FortiNAC Control Server to another. In an environment where multiple Control Servers are being managed, it is possible for a host to connect to one Control Server and then move to another building and connect to a different Control Server.

Global Object Synchronization enables automatic synchronization of the FortiNAC Server(s) with the FortiNAC Control Manager.

Host propagation

Each Control Server then has to determine that host's state. Determining the host's state may include processes such as scanning the host or presenting a registration page, thus delaying the host's access to the network. In addition, hosts could be in conflicting states on different Control Servers.

For example, a host connects to the network via Control Server A and is presented with a registration page. The user cancels out of the page and is listed as a Rogue Host on Control Server A.

Later the same host connects to the network via Control Server B and is presented with a registration page. The user fills out the registration page and becomes a Registered Host on Control Server B. This host is now in two different states on two different Control Servers on the same network. When the host returns to Control Server A, the user will have to register there also.

Enabling the On Demand Host Propagation option copies a registered host from one managed server to all other managed servers when the host registers, if the associated user has the Propagate Hosts option enabled. However, if the host is already a rogue on a different managed server, the registered host is not copied. For example, if the host is a rogue on Control Server A, it registers on Control Server B and is unknown on Control Server C, then the registered host exists on Control Server B, it is copied to Control Server C, but the existence of the rogue on Control Server A prevents it from being copied there. The user would need to re-register the host on Control Server A if it connects there.

This setting and the Propagate Hosts option on User records are enabled by default. Disabling this option on the FortiNAC Control Manager disables it globally. Disabling Propagate Hosts on an individual user disables the feature only for that user.

Enabling the Rogue Host Synchronization option stops a rogue or unknown host from having to re-register on a second Control Server if they have already registered on any other Control Server. This option copies registered hosts only to Control Servers that have rogue hosts, not to all Control Servers. Choosing this option uses less bandwidth than the Registered Host Synchronization feature. It also allows you to view the servers to which hosts have connected. If you use the Registered Host Synchronization option, all hosts exist on all servers.

Enabling the Registered Host Synchronization option alleviates the need to determine whether or not an individual host is registered for each Control Server. When the host registers, that information is passed to all other Control Servers on the network. If you choose this option, you do not need to choose the previous option, since all hosts are copied to all servers.

Once a host is registered on a Control Server, the host's enabled/disabled status will be propagated, but no other attribute or state changes are propagated. The Registered Host Synchronization feature is used to speed up the registration process in an environment with multiple Control Servers.

If the synchronization options are enabled as detailed above, registered hosts are copied from one Control Server to another when the host registers. As the host logs on and off the network and the host state changes, these changes are not copied from one Control Server to another.

If both synchronization options are disabled, the FortiNAC Control Manager can query all Control Servers when a host connects to determine the host's previous state. However, choosing one of the copy options reduces the amount of time a host waits to be connected to the network and provides a better user experience.
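The three propagation modes described above differ in how they treat a server that already holds the host as a rogue. The following small model, added here as an illustration and not FortiNAC's own code, walks the page's A/B/C scenario through each mode; the server names, the sample MAC address and the dict-per-server "database" are constructed for the demonstration.

```python
# Illustrative model of the three host propagation modes described above. Added
# example, not FortiNAC code; server names, MAC and dict "databases" are constructed.
ROGUE, REGISTERED = "rogue", "registered"
MAC = "00:11:22:33:44:55"  # constructed sample host


def fresh_scenario():
    """The page's example: rogue on A, registered on B, unknown on C."""
    return {"A": {MAC: ROGUE}, "B": {MAC: REGISTERED}, "C": {}}


def on_demand_propagation(servers, mac, origin, propagate_hosts=True):
    """Copy the host that just registered on `origin` to every other
    server, except where that server already holds it as a rogue.
    Does nothing if the user's Propagate Hosts option is disabled."""
    if not propagate_hosts:
        return servers
    for name, db in servers.items():
        if name != origin and db.get(mac) != ROGUE:
            db[mac] = servers[origin][mac]  # existing rogue wins otherwise
    return servers


def _registered_macs(servers):
    return {m for db in servers.values() for m, st in db.items() if st == REGISTERED}


def rogue_host_sync(servers):
    """Periodic pass: replace rogue records that match a host registered
    elsewhere; servers that do not know the host are left alone."""
    for mac in _registered_macs(servers):
        for db in servers.values():
            if db.get(mac) == ROGUE:
                db[mac] = REGISTERED
    return servers


def registered_host_sync(servers):
    """Periodic pass: every registered host ends up on every server."""
    for mac in _registered_macs(servers):
        for db in servers.values():
            db[mac] = REGISTERED
    return servers


if __name__ == "__main__":
    print("on demand :", on_demand_propagation(fresh_scenario(), MAC, "B"))
    print("rogue sync:", rogue_host_sync(fresh_scenario()))
    print("reg sync  :", registered_host_sync(fresh_scenario()))
```

Note that On Demand propagation leaves the rogue on A untouched (the user must re-register there), while Rogue Host Synchronization replaces it and Registered Host Synchronization copies the host everywhere.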

Global object synchronization

When the Global Object Synchronization option is enabled, all FortiNAC Servers are automatically synchronized with the FortiNAC Control Manager once per minute. Any information on the server that is older than the information on the FortiNAC Control Manager is overwritten.

Upon manual synchronization, all information on the FortiNAC Server that is shared globally with the FortiNAC Control Manager is overwritten.

Global information on the FortiNAC Server is read-only. The following information is shared globally between the FortiNAC Server and the FortiNAC Control Manager:

  • Admin Profiles
  • Guest Templates
  • Device Profiling Rules
  • Device Types
  • Groups
  • Roles
  • User/Host Profiles
  • Endpoint Compliance Policies
  • Endpoint Compliance Configurations
  • Endpoint Compliance Scans
  • Security Actions that are used by Endpoint Compliance configurations

Modify host propagation

  1. Select System > Settings > Network Control Manager.

  2. Select Server Synchronization.

  3. Under Host Propagation select an option for the synchronization of hosts.

  4. Enter a time interval for the enabled host synchronization.

  5. Click Save Settings.

Modify global object synchronization

  1. Select System > Settings > Network Control Manager.

  2. Select Server Synchronization.

  3. Under Global Object Synchronization enable automatic synchronization of global information, by selecting Global Object Synchronization, and then click Save Settings.

  4. To manually synchronize global information, click Synchronize Now.

    Manual synchronization can also be done from the Dashboard > Server List panel. Click the Synchronize Server icon in front of each listed server.

Server synchronization field definitions

Field: Definition

Host Propagation

  On Demand Host Propagation
    If enabled, copies registered hosts to Control Servers when the associated user has the Propagate Hosts option enabled. The Propagate Hosts option is enabled by default on every user. This option will not replace an existing rogue with a host that registered on a different managed appliance. In that case, the user would have to register again on the appliance where the rogue exists.
    Default = Enabled.

  Rogue Host Synchronization
    If enabled, copies registered hosts to Control Servers that have rogue hosts. Rogues that match registered hosts are replaced by the registered host records.

  Synchronization Time (minutes)
    Registered hosts are copied to Control Servers with rogue hosts each time this interval elapses.

  Registered Host Synchronization
    If enabled, copies all registered hosts to all Control Servers.

  Synchronization Time (minutes)
    Registered hosts are copied to Control Servers each time this interval elapses.

Global Object Synchronization

  Global Object Synchronization
    If enabled, automatically synchronizes information between the FortiNAC Control Manager and the FortiNAC Servers. The information on the FortiNAC Servers will be read-only. Automatic synchronization occurs once per minute.

  Synchronize Now
    Lets you manually synchronize information between the FortiNAC Control Manager and the FortiNAC Servers.