Control Manager

Monitor custom scans

This feature allows you to run a custom scan with greater frequency than the security scan with which it is associated. For example, the original security scan may only run once a week, but you may have a custom scan that needs to run every half an hour. Instead of running the entire security scan every half an hour you can choose to run only a custom scan.

Use the monitor feature to periodically test for a specific status on host machines running the Persistent Agent. Monitors use Custom Scans to check the host machine. A monitor you configure as part of a scan can be the same or different for each scan. Configure monitors for each platform (Windows, macOS, or Linux) separately.

Host machines associated with the security scan are checked at the interval period set in the monitor. The agent on the host sends a message to the server after each time period has passed, indicating whether the host has passed or failed the scan. If several monitors are set to 1 minute intervals, traffic to the server is increased. For example, if there are 10 monitors running every minute on 5,000 hosts, the server might see up to 50,000 messages a minute.

Even though monitors use custom scans which can be set to warning, monitors will not send warnings to hosts. Monitors can only pass or fail. Hosts that fail are marked at risk and placed in remediation.

Enabling a monitor for a custom scan automatically enables the custom scan. However, disabling a monitor will not disable the associated custom scan.

For example, you have created Custom Scan A but have not selected it within any security scan. When you select Custom Scan A in the Monitor list and select a time period, the custom scan is enabled.

Monitors ignore the severity flag of a custom scan.

Monitor Example

All users have been notified that peer-to-peer software is not tolerated on the network. A web page explaining this policy is located in the remediation area where the host is moved after failing the scan.

Actions taken:

  • A custom scan for a prohibited process has been created to check for LimeWire, a peer-to-peer software program, running on the host machine. The custom scan includes the URL of the web page where the host browser will be directed if the host fails the custom scan.
  • The monitor is set to 10 minutes for the custom scan.

Results:

  • Every 10 minutes the agent checks the host machine to determine if LimeWire is running.
    • If LimeWire is not running, the agent sends a message to the server indicating that the host has passed the security scan.
    • If LimeWire is running, the agent sends a message to the server indicating that the host has failed the scan. The host machine is immediately moved to the quarantine VLAN and the browser redirected to the web page specified in the Custom Scan.
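The following Python model is an added illustration, not Fortinet code, covering two points from this page: the server message load estimate (every monitored host reports once per monitor interval, so 10 one-minute monitors on 5,000 hosts approach 50,000 messages a minute) and the pass/fail semantics of the LimeWire example above, where a custom scan's warning severity does not soften a monitor result. The interval list and the 5-minute recommendation come from the page; the class names, the process name `LimeWire.exe`, the remediation URL and the VLAN labels are constructed assumptions.

```python
"""Added model of custom-scan monitor behaviour (hypothetical, not Fortinet code)."""
from dataclasses import dataclass
from enum import Enum

# Intervals the monitor UI offers: every 15 s up to 1 min, then every 5 min up to 1 h.
ALLOWED_INTERVALS_S = [15, 30, 45, 60] + [m * 60 for m in range(5, 61, 5)]
RECOMMENDED_MIN_INTERVAL_S = 5 * 60   # the page recommends 5 minutes or more


class Severity(Enum):
    WARNING = "warning"
    FAIL = "fail"


@dataclass(frozen=True)
class CustomScan:
    name: str
    prohibited_process: str   # process the scan looks for (constructed value in the demo)
    severity: Severity        # severity flag of the custom scan; monitors ignore it
    remediation_url: str      # page the host browser is redirected to on failure


@dataclass(frozen=True)
class Monitor:
    scan: CustomScan
    interval_s: int

    def __post_init__(self):
        # Reject intervals the monitor drop-down does not offer.
        if self.interval_s not in ALLOWED_INTERVALS_S:
            raise ValueError(f"{self.interval_s}s is not an interval the monitor UI offers")


def messages_per_minute(monitors, host_count):
    """Upper bound on status messages the server receives per minute:
    every monitored host reports once per interval for every monitor."""
    return sum(host_count * 60 / m.interval_s for m in monitors)


def below_recommended_interval(monitors):
    """Names of monitors set faster than the recommended 5-minute floor."""
    return [m.scan.name for m in monitors if m.interval_s < RECOMMENDED_MIN_INTERVAL_S]


def agent_check(monitor, running_processes):
    """Agent-side evaluation at each interval. Returns 'pass' or 'fail' only;
    a WARNING severity on the custom scan does not change the outcome."""
    running = {p.lower() for p in running_processes}
    return "fail" if monitor.scan.prohibited_process.lower() in running else "pass"


def server_apply(host_state, host, result, monitor):
    """Server-side reaction to the agent message: a failing host is marked
    at risk and moved to remediation with the scan's redirect URL."""
    if result == "fail":
        host_state[host] = {"at_risk": True, "vlan": "quarantine",
                            "redirect": monitor.scan.remediation_url}
    else:
        host_state[host] = {"at_risk": False, "vlan": "production", "redirect": None}
    return host_state[host]


if __name__ == "__main__":
    # Constructed configuration mirroring the page's worked example.
    p2p = CustomScan("Prohibited P2P", "LimeWire.exe", Severity.WARNING,
                     "http://remediation.example.invalid/no-p2p")   # hypothetical URL
    monitors = [Monitor(p2p, 10 * 60)]
    print("messages/min for 5000 hosts:", messages_per_minute(monitors, 5000))
    print("monitors under 5 min:", below_recommended_interval(monitors))
    state = {}
    sample_hosts = {"host-a": ["explorer.exe"],            # constructed process lists
                    "host-b": ["explorer.exe", "limewire.exe"]}
    for host, procs in sample_hosts.items():
        server_apply(state, host, agent_check(monitors[0], procs), monitors[0])
    print(state)
```

Run it to see that `host-b` lands in quarantine with the redirect URL even though the scan's severity is WARNING, and raise the host count or add one-minute monitors to `monitors` to watch the estimated message rate climb.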

Set up a custom scan monitor

Before adding a Custom Scan to a security scan you must create the custom scan. See Create custom scans for Windows or Create custom scans for macOS.

  1. Click Policy > Policy Configuration.

  2. In the menu on the left click the + sign next to Endpoint Compliance to open it.

  3. Click the Scans option to select it.

  4. Click the security scan name and click Modify. If the security scan does not exist, it needs to be added. See Scans for details on adding scans.

  5. Click either the Windows, the macOS, or the Linux tab.

  6. Click the Category drop-down and select Monitors.

  7. Select the check box for the type of Custom Scan.

  8. Select the time period that the agent waits before checking the host for compliance with the custom scan settings. The available intervals are every 15 seconds up to and including 1 minute, and every 5 minutes up to and including 1 hour.

    Performance degradation may occur if you select a very short interval or if you select a large number of monitors. It is recommended that monitoring intervals be set to five (5) minutes or more.

  9. Click OK.
