Patch management
The patch management feature allows integration with patch servers such as BigFix or PatchLink. The endpoint’s posture is checked on the patch servers. When an endpoint is out-of-compliance, FortiNAC automatically moves the endpoint to a separate remediation network where the patch server solution automatically updates the non-compliant system.
Settings
| Field | Definition |
|---|---|
| Name | Name of the server being configured. |
| Type | Type of patch server, such as BigFix or PatchLink. |
| IP address | IP address assigned to the patch server. |
| Status | Indicates whether or not contact has been established between FortiNAC and the patch server. |
| Right click options | |
| Configuration (BigFix Only) | Opens a new window to modify applied actions to BigFix Baseline results. |
| Delete | Deletes the selected Provider. Providers that are associated with Users cannot be deleted. |
| Properties | Displays patch management Server Properties and allows you to set the Polling Interval. Default = 2 minutes. |
| Export | Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data. |
Servers and hosts
The Persistent Agent is required on the host to support patch management. The patch management client must also be installed on the host. If the patch management client is installed on the host, the Persistent Agent reports this during its routine messages to the server.
When a patch management Server is added to the patch management View, FortiNAC queries that server to determine whether or not the host is compliant.
- If the patch management Server is not reachable, an event and alarm are generated. The host is considered compliant and remains in the production network.
  - BigFix event - Communication lost with the BigFix Server Database
  - PatchLink event - Communication lost with the PatchLink Server
- If the patch management Server is reachable and determines that the host is not compliant, the host is moved to remediation. An event is generated to indicate that the host is not compliant.
  - BigFix events - BigFix High Violation, BigFix Medium Violation, BigFix Low Violation
  - PatchLink event - PatchLink Non Compliant
- If the patch management Server is reachable and determines the host is compliant and the host was previously NOT compliant, then an event is generated to indicate that the host is now compliant. The compliant event is only generated after a not compliant event has been generated.
  - PatchLink event - PatchLink Compliant
Alarms can be mapped to events to notify you when the event has been generated. Each of the events listed above could be mapped to an alarm. See Map events to alarms for additional information.
PatchLink implementation
To set up communication between a PatchLink Server and FortiNAC, you must do the following:
- The PatchLink NAC Integrator plug-in is required on the PatchLink server to allow PatchLink to respond to HTTP requests from FortiNAC.
- Your FortiNAC Server must have licenses for integration suite and endpoint compliance. Check the License Information panel on the dashboard to make sure you have the correct licenses. See License management.
- Add the PatchLink Server to System > Settings > System Communication > Patch Management.
- Go to the PatchLink server properties and configure the Polling Interval. The default is 2 minutes.
- Network hosts must have the Persistent Agent installed. See Agent overview.
- Network hosts must have the PatchLink Agent installed. Refer to the PatchLink documentation for instructions on installing this agent.
- Enable the PatchLink Compliant and PatchLink Non Compliant events. See Enable and disable events.
- Create an Admin Scan specifically for PatchLink. These scans indicate the reason why a host was marked at risk. They are not actually scanning the host but provide a configuration or profile with which to associate the host state. Admin Scans are also used to mark hosts At Risk or Safe based on an alarm action triggered by a PatchLink event. See Add a scan.
- Map alarms to the PatchLink Compliant and PatchLink Non Compliant events. For each alarm, configure a Host security action associated with the PatchLink Admin Scan created earlier and mark the host At Risk or Safe depending on the alarm triggered. See Add or modify alarm mapping.
PatchLink process
When PatchLink is integrated with FortiNAC as a patch management server a variety of communications occur between the two servers to make sure that hosts are compliant. The communication process is as follows:
- The PatchLink Agent installed on the host sets a registry key value with an Agent ID value. Example:
  Name = PatchManagementID
  Value = 6AA80EB2-CFAA-466C-9A6B-85B5A918B162
- The FortiNAC Persistent Agent installed on the host reads the registry key and reports the value set by the PatchLink Agent back to FortiNAC. This is stored in the database, but is not displayed in the administrator Interface.
- Based on the Polling interval set for the PatchLink server, FortiNAC gathers a list of hosts with values for PatchLink in the database and sends an HTTP request to the PatchLink server for each host. For example, if the polling interval is set to 2 minutes, then every 2 minutes an HTTP request is sent for every host in the database with PatchLink data in the host record. Example request:
  http://10.20.100.32/IntegrationPoint/EndpointSecurity_V1/Status.aspx?Agentid=A5F1D1F2-F045-4866-8903-7E920417BD62
- The PatchLink server returns a response for each host indicating whether the host is compliant or non-compliant. For each response, either a PatchLink Compliant or a PatchLink Non Compliant event is triggered.
- If alarms have been configured for these events, then hosts are marked either safe or at risk based on the event triggered.
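The polling loop described in the PatchLink process above, together with the event rules listed under Servers and hosts (Non Compliant on every failing response, Compliant only after a prior Non Compliant, unreachable server leaves hosts in production), as an added Python example that is not FortiNAC code. The host records, agent IDs and server IP are constructed, and `fetch` stands in for the HTTP request because the page does not describe the response format.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed host records: the PatchManagementID value the Persistent Agent
# read from each host's registry (IDs are sample values, not real endpoints).
HOSTS: Dict[str, Optional[str]] = {
    "host-a": "A5F1D1F2-F045-4866-8903-7E920417BD62",
    "host-b": "6AA80EB2-CFAA-466C-9A6B-85B5A918B162",
    "host-c": None,  # no PatchLink data in the host record: never polled
}

# Stand-in for the HTTP request: True = compliant, False = non-compliant,
# None = PatchLink server not reachable (assumed interface, not the real API).
Fetch = Callable[[str], Optional[bool]]

def status_url(server_ip: str, agent_id: str) -> str:
    """Per-host request FortiNAC sends to the PatchLink NAC Integrator plug-in."""
    return (f"http://{server_ip}/IntegrationPoint/EndpointSecurity_V1/"
            f"Status.aspx?Agentid={agent_id}")

def poll_cycle(server_ip: str, hosts: Dict[str, Optional[str]], fetch: Fetch,
               state: Dict[str, str]) -> List[Tuple[str, str]]:
    """One polling interval: query every host that has PatchLink data, update
    the host state ('safe' / 'at-risk') and return the events generated."""
    events: List[Tuple[str, str]] = []
    for host, agent_id in hosts.items():
        if agent_id is None:
            continue
        result = fetch(status_url(server_ip, agent_id))
        if result is None:
            # Server unreachable: one event (mapped to an alarm); hosts are
            # treated as compliant and stay in production, so state is untouched.
            events.append((server_ip, "Communication lost with the PatchLink Server"))
            break
        if not result:
            # The alarm action for this event marks the host At Risk (remediation).
            events.append((host, "PatchLink Non Compliant"))
            state[host] = "at-risk"
        elif state.get(host) == "at-risk":
            # The Compliant event is only raised after a Non Compliant one.
            events.append((host, "PatchLink Compliant"))
            state[host] = "safe"
    return events

def fake_patchlink(answers: Dict[str, bool]) -> Fetch:
    """Constructed simulated PatchLink server answering by agent ID."""
    def fetch(url: str) -> Optional[bool]:
        return answers.get(url.rsplit("Agentid=", 1)[1])
    return fetch
```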
Add servers
To integrate a patch management Server with FortiNAC it must be added to the patch management view.
- Click System > Settings > System Communication.
- Select Patch Management.
- Click Add.
- Enter a name for the server, the IP address, and select the patch server from the Type drop-down list.
- Click OK.
- If you select BigFix from the Type drop-down list, you are prompted to enter the BigFix database credentials, which lets FortiNAC connect directly to the data store of BigFix, allowing for BaseLine test results. Read access is required.
PatchLink server configuration
Once the PatchLink server has been added to the Topology, the polling interval must be entered into the properties view. The polling interval is the length of time FortiNAC will wait before polling the PatchLink Server for updated client status information.
- Click Network Devices > Topology and expand the FortiNAC and Patch Management icons.
- Right-click on the PatchLink Server and select Properties.
- Enter the polling interval.
- Click Apply.
BigFix server properties
Once the BigFix patch management server has been added to the patch management Servers view, the connection parameters for the server and database must be entered to allow FortiNAC to communicate with the server and database.
The Persistent Agent must be installed to communicate with a patch management integration.
The BigFix Client must be installed and be connected to the BigFix Server before the Persistent Agent is installed.
- Click System > Settings > System Communication > Patch Management.
- Right-click on the BigFix Patch Management Server and select Properties.
- Use the table below to enter the connection parameters for the server and database.
- Click Apply.
Settings
| Field | Description |
|---|---|
| Database IP | The IP address of the server where the database resides. |
| Database Port | The port on the server used for access to the database information. |
| Database Name | The name of the database. |
| Database User | The username used to access the database information. |
| Database Password | The password for access to the database for the entered database user. |
| Polling Interval (Sec) | The length of time between polls to the patch management server to retrieve data. |
| Test Connection | Allows you to test SQL Server credentials for patch management servers. |
Once communication with the BigFix patch management server has been established the Administrator will use the BigFix server's Configuration view to view the status of host endpoint systems and select an action to take if the host is out of compliance.
BigFix configuration
The Configuration view contains a list of the Base-Line Names from the BigFix server. Each of the Base-Line Names has an associated Failure Action and Untested Action.
Although actions applied will affect all users that report as failed or untested, the report will only show online users being affected.
| Field | Description |
|---|---|
| Base-Line Name | A list of required patches given in the BigFix database that the host must have to be in compliance. The list of hosts or groups that the Base-Line Name applies to is determined in the BigFix server. |
| Failure Action | The action that can be applied to an endpoint if it has failed the test for the Base-Line Name indicated. |
| Untested Action | The action that can be applied to an endpoint if it has not been tested against the Base-Line Name indicated. |
The administrative action is an Admin scan that is created in Remediation Configuration. See Remediation configurations for details on adding and using an Admin scan.
Admin scans must be created under Remediation Configuration before you can select them here. See Remediation configurations.
To apply a Failure or Untested action on an endpoint:
- Click System > Settings > System Communication > Patch Management.
- Right-click on the BigFix Patch Management Server and select Configuration.
- Select the Severity under Failure Action to apply that action to the hosts indicated in the Base-Line Name that have failed to meet the specified patch requirements.
- Select the Severity under Untested Action to apply that action to the hosts indicated in the Base-Line Name that have not been tested to determine whether or not the specified patch requirements have been met.
- Click Apply.
The severity creates an alarm that can be associated with actions, including Admin Scans. See Map events to alarms.
In Logs > Event to Alarm Mappings, three events can be used for security related actions:
- BigFix Low Violation
- BigFix Medium Violation
- BigFix High Violation
When creating these alarm mappings, an action may be applied to accompany the creation of the alarm. To use Admin Scans created in the Remediation Configuration, do the following:
- Select Host Security Action.
- Select the Admin Scan for which the host state will be modified.
When applying a severity to results of a baseline action, the online hosts that are affected will be in the Baseline Host Report. To access this report, select Hosts next to the severity being applied.
BigFix Baseline Host
The data displays hosts that are currently online that have reported as untested or failed by BigFix.
These host reports only display online users. However, the action applied will affect all users who have a Persistent Agent and a BigFix Client installed simultaneously.