Agents are used to scan hosts and determine whether the host complies with the Endpoint Compliance Policy assigned to that host. Agents can perform additional functions, such as, installing a Supplicant Configuration for a secure network. Several types of agents are available with FortiNAC, the Dissolvable Agent, the Passive Agent, the Persistent Agent and the Mobile Agent.
When hosts are scanned by an agent and fail, there are several options:
- Administrators can simply receive a warning that the host has failed the scan along with a list of what the failures were, but the host is given access to the network.
- Users can receive a warning that they have failed and be given access to the network.
- The network can be configured to move failed hosts off the production VLAN into the quarantine or remediation VLAN. This happens regardless of the agent type being used. Once remediation has taken place and the host has passed the scan, the host is moved back to the production VLAN.
Custom scans using HKEY_CURRENT_USER or HKEY_CLASSES_ROOT may not behave the same with Fortinet Persistent Agent as they do with Fortinet Dissolvable Agent. If HKEY_CLASSES_ROOT exists in HKEY_LOCAL_MACHINE\Software\Classes, it should work the same for both agents.
Agents have only been validated against English language versions of supported operating systems.
The Dissolvable Agent is downloaded to the host by the user. The user runs the agent and the agent scans the host. If the computer is compliant with the Endpoint Compliance Policy used for the scan, it is allowed on the network and the agent removes itself from the computer. If the computer is not compliant with the Endpoint Compliance Policy, the Dissolvable Agent remains on the host to be used in a future scan after compliance issues have been addressed.
This agent can run custom scans, verify that Hotfixes are installed, check for AntiVirus and AntiSpyware and Operating System information.
The Dissolvable Agent files are different for Windows, macOS and Linux.
All version 2.2.6, 3.x and higher agents are signed except the Windows Dissolvable Agent. The Windows Dissolvable Agent is signed as of version 3.1.
The Passive Agent is not installed, but is served as the user logs onto the network and does a scan in the background. See Passive Agent. This agent can run custom scans, verify that Hotfixes are installed, check for AntiVirus and AntiSpyware and Operating System information. This agent runs only on Windows.
The Persistent Agent can be downloaded to the host and installed by the user, by a login script or by any other software distribution method your organization might use. The Persistent Agent remains installed on the host at all times. Once the agent is installed it runs in the background and communicates with FortiNAC at intervals established by the FortiNAC administrator.
The Persistent Agent can be configured to provide messages to the user when the host is scanned indicating the results of the scan. In addition you can provide pop-up messages indicating the host's current state, such as disabled, requires authentication or network access is normal. See Persistent Agent settings.
The Persistent Agent can run custom scans and monitors, verify that Hotfixes are installed, check for AntiVirus and AntiSpyware and Operating System information and allow an administrator to send a message to the host.
The Mobile Agent is downloaded and installed either from the captive portal or from Google Play depending on device settings. The Mobile Agent assist with authentication and registration and provide an inventory of installed apps. The Mobile Agent can determine whether the device is rooted or not. A device is considered rooted when a user has accessed the secure areas of the operating system on the device.