Administration Guide

Host health and scanning

Host health is determined by the endpoint compliance policies, system and administrative states, or scans run on the host. Each time a scan is run, a record of that scan is stored in the database and displayed on the Health tab of the Host Properties window. Each scan and scan type the host is eligible for is shown along with the name, status, and action. The agent scan shown in bold text and highlighted with a gray bar indicates the scan that is currently applied to the host. Click Show History for short-term historical data.

When multiple scans exist in a host record in Host Health, the combination of the Status fields can affect whether or not the host is allowed on the network or is placed in remediation. In FortiNAC versions lower than Version 6.1, failing any scan would prevent the host from accessing the network, even if that scan no longer applied.

For example, assume an Administrator created an endpoint compliance policy for all Accounting Staff and selected Scan A for that Policy. Accounting Staff would connect to the network, and be scanned using Scan A. Some hosts would fail and others would pass. If the Administrator then changed the scan associated with the Policy to Scan B, hosts that had failed Scan A would never be able to access the network even if they had passed Scan B. The failure of Scan A would prevent network access. In addition, those hosts would not be able to rescan for Scan A and it would remain a Failed scan permanently.

In Versions 6.1 and higher that is no longer true. Using the example above, the results of Scan A would no longer affect the host because the endpoint compliance policy that now applies to the host uses Scan B. However, failing an Admin or System Scan would still prevent network access. Refer to the table below for the effects of the Status fields on network access in Version 6.1 and higher.

Scan type/status (Admin | System | Agent scan A | Agent scan B*) and the resulting network access:

Admin   | System  | Agent scan A | Agent scan B* | Network access
--------|---------|--------------|---------------|---------------------------
Initial | Initial | Failure      | Initial       | No. Must pass scan B.
Initial | Initial | Failure      | Success       | Yes
Failure | Initial | Failure      | Success       | No. Must pass Admin Scan.
Success | Failure | Failure      | Success       | No. Must pass System Scan.
Success | Success | Failure      | Success       | Yes

*Agent Scan B is the scan that currently applies to the host in the example in the table.
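The decision rules in the table can be written down as a small model. The following is an added illustration, not FortiNAC code: it encodes the Version 6.1 and higher behaviour (an Admin or System Failure blocks access; only the agent scan that currently applies to the host counts, and it must be Success) and, behind a `legacy` flag, the pre-6.1 behaviour in which any recorded agent-scan Failure blocks access. The `HostHealth` structure, the `applied_scan` field, the treatment of Failure Pending as "allowed but Pending At Risk" (taken from the Delayed Remediation description in the Settings table) and the handling of a host with no applied agent scan are assumptions made for the example.

```python
"""Model of the FortiNAC host-health network-access decision described above.

Added example, not product code. Scan statuses follow the Status field of
the Health tab. Rules modelled for Version 6.1 and higher:
  * Admin Failure  -> no access ("Must pass Admin Scan")
  * System Failure -> no access ("Must pass System Scan")
  * only the currently applied agent scan matters; it must be Success
Pre-6.1 (legacy=True): any agent scan with status Failure blocks access,
even one that no longer applies to the host.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

INITIAL = "Initial"
FAILURE = "Failure"
FAILURE_PENDING = "Failure Pending"
SUCCESS = "Success"


@dataclass
class HostHealth:
    """Hypothetical record of the scan statuses shown on a host's Health tab."""
    admin: str = INITIAL
    system: str = INITIAL
    agent_scans: Dict[str, str] = field(default_factory=dict)  # scan name -> status
    applied_scan: Optional[str] = None  # agent scan the current policy applies


def network_access(h: HostHealth, legacy: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for the host, following the table's rules."""
    # For Admin scans, Initial is equivalent to Success, so only Failure blocks.
    if h.admin == FAILURE:
        return False, "Must pass Admin Scan."
    if h.system == FAILURE:
        return False, "Must pass System Scan."

    if legacy:
        # Pre-6.1: every Failure on record counts, whether or not it still applies.
        failed = sorted(n for n, s in h.agent_scans.items() if s == FAILURE)
        if failed:
            return False, "Failed scan(s) on record: " + ", ".join(failed)

    if h.applied_scan is None:
        # Assumption for the example: no policy-applied agent scan means no agent requirement.
        return True, "No agent scan applies."

    status = h.agent_scans.get(h.applied_scan, INITIAL)
    if status == SUCCESS:
        return True, "Yes"
    if status == FAILURE_PENDING:
        # Delayed Remediation: host is marked Pending At Risk but not placed in remediation.
        return True, f"Pending At Risk on {h.applied_scan} (Delayed Remediation)."
    # Initial or Failure on the applied scan: host must pass it.
    return False, f"Must pass scan {h.applied_scan}."


def table_row(admin: str, system: str, scan_a: str, scan_b: str) -> Tuple[bool, str]:
    """Evaluate one row of the table above, with Agent scan B as the applied scan."""
    h = HostHealth(admin, system, {"A": scan_a, "B": scan_b}, applied_scan="B")
    return network_access(h)


if __name__ == "__main__":
    rows = [
        (INITIAL, INITIAL, FAILURE, INITIAL),
        (INITIAL, INITIAL, FAILURE, SUCCESS),
        (FAILURE, INITIAL, FAILURE, SUCCESS),
        (SUCCESS, FAILURE, FAILURE, SUCCESS),
        (SUCCESS, SUCCESS, FAILURE, SUCCESS),
    ]
    for row in rows:
        allowed, reason = table_row(*row)
        print(f"{row} -> {'Yes' if allowed else 'No'}: {reason}")
    # The same host under the pre-6.1 rule: the stale Scan A failure still blocks.
    stale = HostHealth(INITIAL, INITIAL, {"A": FAILURE, "B": SUCCESS}, applied_scan="B")
    print("legacy:", network_access(stale, legacy=True))
```

Running the script reproduces the five rows of the table and then shows the same host evaluated under the pre-6.1 rule, where the Scan A failure that no longer applies still denies access.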

Access the health tab

  1. Select Hosts > Host View.
  2. Search for the appropriate host.
  3. Select the host and either right-click or click Options.
  4. From the menu select Host Properties.
  5. Click on the Health tab.

Settings

Option

Description

Type

Admin: Indicates the reason why a host was manually marked at risk. Admin scans do not actually scan the host; they provide a configuration or profile with which to associate the host state. Admin Scans can be used to mark hosts At Risk or Safe based on an alarm action triggered by an event. These scans can also be used to enable or disable access based on the time of day, for example to limit access for guests after 5:00 pm.

System: These scans run scripts on the FortiNAC platform.

Agent: Scans run by an agent installed on the host based on an endpoint compliance policy or set of requirements with which the host must comply. The Agent scan listed in bold and highlighted by a gray bar indicates the scan that is currently applied to the host.

Name

The Name of the scan. There may be more than one scan of a particular type that the host is eligible to be scanned against.

Status

Initial: Default setting indicating that the host has not been scanned, therefore it has neither passed nor failed. For Admin scans, manually setting the scan to Initial is the equivalent of Success. For other scan types, setting the status to Initial has no effect.

Failure: Indicates that the host has failed the scan. This option can also be set manually. When the status is set to Failure the host is marked "At Risk" for the selected scan.

Failure Pending: The host has been scanned and failed a scan that has the Delayed Remediation option enabled. The host is not placed in remediation and it is marked "Pending At Risk". See Delayed remediation for additional information.

Success: Indicates that the host has passed the scan. This option can also be set manually. When the status is set to Success the host is marked "Safe" for the selected scan.

Actions

ReScan appears in the Actions column for Agent scans. Clicking ReScan places the host into the queue to be re-scanned.

If FortiNAC cannot contact the host when ReScan is clicked, a message is displayed indicating that the host was not rescanned.

View history

  1. On the Host Properties Health tab, click Show History.
  2. View the list of scans, results, and when the scan(s) were performed. Results are sorted with the most recent at the top of the list. Note that if there are no Admin, System, or endpoint compliance policy scan results to display when you click History, the History window opens with the message, "There are no scan results for this host."
  3. Inside the History window, click the Script/Profile name to view the details of the scan. The details view opens in a new browser window.
  4. Close the scan details window.
  5. Click Refresh on the History view to refresh the list with the most recent data.
  6. Close the window when finished.
