Fortinet Document Library

Administration Guide
Persistent Agent

The Persistent Agent is an application that runs on Windows, macOS, or Linux hosts to identify them to FortiNAC and scan them for compliance with an endpoint compliance policy. This Agent is downloaded and installed on the host permanently.

Communication

The Persistent Agent installed on a host is designed to "check in" through a periodic heartbeat sent to the Persistent Agent server. This lets the server know that the Persistent Agent is still installed and running on the host. When the heartbeat does not arrive, a "Lost Contact with Persistent Agent" event is generated, indicating that the server cannot communicate with the host. When the Persistent Agent eventually contacts the server again, a "Regained Contact with Persistent Agent" event is generated.

The "Lost Contact with Persistent Agent" event is intended to tell FortiNAC administrators that a host marked as having the Persistent Agent is online but not communicating with the FortiNAC agent server. Detection can take up to approximately 90 minutes from the first failed communication to generation of the event. The delay also depends on the L2 poll interval of the network device.

The Persistent Agent communicates using the following ports:

  • udp 4567
  • tcp 4568
  • tcp 80 (required for upgrades)

Note

The "Lost Contact with Persistent Agent" event only detects that the agent is no longer successfully communicating. This loss of contact could be caused by many things including: a missing or disabled agent, a lack of network connectivity, a lack of network activity that would prevent FortiNAC from polling to discover that the host was offline, a firewall that prevents communication between the agent and the server or any other issue that would interrupt communication.

The Persistent Agent does work within the context of FortiNAC's VPN integration.

Setup requirements and options

  • Make sure the latest Agent package is installed on the FortiNAC server.
  • Add SRV records to your production DNS server that allow the agent to locate the FortiNAC Server or Application server to which it should connect.
  • If you are using Persistent Agent 3.x or later, the FortiNAC appliance must be configured with SSL and must have a valid third-party SSL certificate issued by a CA. A self-signed certificate cannot be used.
  • The 3.x Persistent Agent communication method requires not only that SSL certificates be installed for the Persistent Agent target in FortiNAC, but also that the root certificate be installed on the endstation hosting the agent. The Persistent Agent reads all certificates from the trusted root certification authorities store of the system account. If the CA is not listed in this store, the Persistent Agent will not trust the connection to FortiNAC and will not communicate.

    FortiNAC does not push root certificates to endstations. Root certificates come pre-installed with the host's operating system. Any additions or updates to root certificates are distributed via the host's OS updates.

  • The Persistent Agent can be downloaded and installed by the user through the captive portal, by a login script or by any other software distribution method your organization might use. Determine your distribution method.
  • If you plan to deliver the agent via the captive portal, configure the portal styles. See Portal configuration.
  • You can configure FortiNAC to authenticate users with their Windows domain logon credentials, eliminating the need for the Persistent Agent to ask for credentials. See Using Windows domain logon credentials.
  • The Persistent Agent can be configured to provide messages to the user when the host is scanned, indicating the results of the scan. In addition, you can provide pop-up messages indicating the host's current state, such as disabled, requires authentication, or network access is normal. See Persistent Agent settings.
  • In addition to the settings contained within the admin UI, registry settings on Windows hosts can be configured using Group Policy Objects. These registry settings contain the URL of the FortiNAC Application Server, enable and disable the system tray icon or Balloon Notifications and various security settings. See Agent packages.
  • The Persistent Agent has different files for macOS and Windows operating systems. FortiNAC can be configured to update the Persistent Agent automatically with a user-specified version or an updated agent can be pushed to a specific host.
  • The Persistent Agent can be used to apply a supplicant configuration to a host. See Supplicant EasyConnect policies.
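As an added example (not part of the Fortinet documentation or the agent package), the following PowerShell script checks three of the prerequisites above from a Windows host before the agent is deployed: the SRV record resolves, the TCP agent ports are reachable on the target the record returns, and the issuing CA sits in the machine-wide trusted root store that the system account reads. The SRV record name and the CA subject are placeholders to be replaced with your deployment's values.

```powershell
# Added pre-deployment check for a Windows host that will receive the Persistent Agent.
# ASSUMPTIONS (not from the FortiNAC documentation): the SRV record name and the CA
# subject below are placeholders; substitute the name your DNS publishes for FortiNAC
# and the CA that issued the FortiNAC server certificate.
param(
    [string]$SrvRecord = '_PLACEHOLDER-AGENT-SRV._tcp.example.com',  # assumed name
    [string]$CaSubject = 'CN=Example Root CA'                        # assumed CA subject
)

$results = [ordered]@{}

# 1. SRV lookup: the agent relies on SRV records to locate the FortiNAC server.
try {
    $srv = Resolve-DnsName -Name $SrvRecord -Type SRV -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'SRV' } | Sort-Object Priority, Weight
    $results['SRV record resolves'] = (@($srv).Count -gt 0)
    $target = $srv | Select-Object -First 1 -ExpandProperty NameTarget
} catch {
    $results['SRV record resolves'] = $false
    $target = $null
}

# 2. TCP reachability for the TCP ports the agent uses (4568, and 80 for upgrades).
#    UDP 4567 cannot be probed this way: Test-NetConnection only tests TCP, so the
#    host and network firewall rules for UDP 4567 still need a manual review.
if ($target) {
    foreach ($port in 4568, 80) {
        $tcp = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
        $results["TCP $port to $target"] = $tcp.TcpTestSucceeded
    }
}

# 3. Root CA present and unexpired in the machine-wide Trusted Root store. A CA that
#    exists only in the current user's store is not visible to the system account.
$ca = Get-ChildItem Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -eq $CaSubject -and $_.NotAfter -gt (Get-Date) }
$results["Root CA '$CaSubject' in LocalMachine\Root (unexpired)"] = [bool]$ca

# One line per check; any FAIL line is a prerequisite from the list above that is unmet.
$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

Run it in an elevated PowerShell session on a representative host; the port checks only run when the SRV lookup succeeds, so a DNS failure shows up first.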

Host requirements and options

  • The host must be running Windows, macOS, or Linux. Refer to the Agent Comparison table in Agent overview or the Release Notes for more detailed information about operating system versions that are supported.
  • If the host is running a Virtual Machine (VM) with the Persistent Agent inside the VM, the VM must be bridged. The Persistent Agent is not fully functional when it runs in a NATed Virtual Machine on a host. The agent can contact the FortiNAC server and receive a response. However, unsolicited messages from the FortiNAC server fail to reach the agent.
  • For the Persistent Agent to detect guest VMs running on the host, the VMs must be bridged. The VM adapters will then be associated with the host with the Medium of VirtualGuest.
  • If the Persistent Agent is delivered via the captive portal, the user must install it manually. See Installation for Windows and Installation for macOS.
  • For an overview of the host registration and scanning process using the Persistent Agent, refer to Using the Persistent Agent.

Troubleshooting

  • If you are troubleshooting an issue with the Persistent Agent, review the logs generated on the host. See Logging.
