Fortinet black logo

Administration Guide

Endpoint compliance policies

Copy Link
Copy Doc ID 2cb222d1-3405-11ea-9384-00505692583a:985922
Download PDF

Endpoint compliance policies

Endpoint compliance polices are used to assess hosts and determine if they are safe. An endpoint compliance policy is composed of building blocks, including: a user/host profile and an endpoint compliance configuration. Refer to Implementation for information on the entire endpoint compliance feature.

When a host is evaluated and FortiNAC determines that the host requires an endpoint compliance policy, the host and user are compared to the user/host profiles within each endpoint compliance policy starting with the first policy in the list. When a match is found, the endpoint compliance policy is applied. Once a policy is selected as a match for the host or user, the endpoint compliance configuration within the policy determines the treatment that the host receives. An endpoint compliance configuration specifies whether or not an agent is required and the scan parameters for scanning the host.

Endpoint compliance policies created on the FortiNAC server will be ranked above global endpoint compliance policy created on the NCM. The rank of a local endpoint compliance policy can be adjusted above or below another local endpoint compliance policy, but cannot be ranked below a global endpoint compliance policy. The rank for a global endpoint compliance policy cannot be modified from the FortiNAC server.

If the user/host does not match any policy, it is allowed to register with no scan and no policy.

There may be more than one endpoint compliance policy that is a match for this host/user, however, the first match found is the one that is used.

If you create a user/host profile with fields Where (Location) set to Any, Who/What by Group set to Any, Who/What by Attribute left blank and When set to always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To highlight this, policies below the policy with the catch all profile are grayed out and have a line through the data.

The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.

Settings

Field

Definition

Rank Buttons

Moves the selected policy up or down in the list. Host connections are compared to Policies in order by rank.

Set Rank Button

Allows you to type a different rank number for a selected policy and immediately move the policy to that position. In an environment with a large number of policies, this process is faster than using the up and down Rank buttons.

Note

Rank can only be set on local policies, rank changes for global policies must be done at the NCM.

Table columns

Rank

Policy's rank in the list of policies. Rank controls the order in which host connections are compared to Policies.

Name

User defined name for the policy.

Endpoint
Compliance
Configuration

Contains the configuration for the Agent and Scan parameters that will be assigned if this Policy matches the connecting host and user. See Endpoint compliance configurations.

User/Host Profile

Contains the required criteria for a host or user, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated endpoint compliance configuration. See User/host profiles.

Where (Location)

The connection location specified in the user/host profile. The host must connect to the network on a device, port or SSID contained within one of the groups shown here to be a match. When set to Any, this field is a match for all hosts or users.

Who/What by Group

User or Host group or groups specified in the user/host profile. These groups must contain the connecting user or host for the connection to be a match for this policy. When set to Any, this field is a match for all hosts or users.

Who/What by Attribute

User or Host attributes specified in the selected user/host profile. The connecting host or user must have the attributes to be a match. See Filter example.

When

The time frame specified in the selected User/Host Profile. The host must be on the network within this time frame to be a match. When set to Always this field is a match for all hosts or users.

Note

User specified note field. This field may contain notes regarding the data conversion from a previous version of FortiNAC.

Last Modified By

User name of the last user to modify the policy.

Last Modified Date

Date and time of the last modification to this policy.

Right click options

Delete

Deletes the selected endpoint compliance policy.

Modify

Opens the Modify Endpoint Compliance Policy window for the selected policy.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Admin auditing.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Buttons

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.

Add or modify a policy

  1. Select Policy > Policy Configuration.
  2. Select Endpoint Compliance.
  3. Click Add or select an existing policy and click Modify.
  4. Click in the Name field and enter a name for this policy.
  5. Select a User/Host Profile from the drop-down menu. You can use the icons next to the User/Host Profile field to add a new profile or modify the profile shown in the drop-down menu. Note that if you modify this profile, it is modified for all features that make use of the profile. Connecting hosts must match this User/Host Profile to be assigned the endpoint compliance configuration specified in the next step.
  6. Select an Endpoint Compliance Configuration from the drop-down menu. You can use the icons next to the Endpoint Compliance Configuration field to add a new configuration or modify the configuration shown in the drop-down menu. Note that if you modify this configuration, it is modified for all features that make use of it. See Add or modify a configuration.
  7. The Note field is optional.
  8. Click OK to save your policy.

Endpoint compliance policies

Endpoint compliance polices are used to assess hosts and determine if they are safe. An endpoint compliance policy is composed of building blocks, including: a user/host profile and an endpoint compliance configuration. Refer to Implementation for information on the entire endpoint compliance feature.

When a host is evaluated and FortiNAC determines that the host requires an endpoint compliance policy, the host and user are compared to the user/host profiles within each endpoint compliance policy starting with the first policy in the list. When a match is found, the endpoint compliance policy is applied. Once a policy is selected as a match for the host or user, the endpoint compliance configuration within the policy determines the treatment that the host receives. An endpoint compliance configuration specifies whether or not an agent is required and the scan parameters for scanning the host.

Endpoint compliance policies created on the FortiNAC server will be ranked above global endpoint compliance policy created on the NCM. The rank of a local endpoint compliance policy can be adjusted above or below another local endpoint compliance policy, but cannot be ranked below a global endpoint compliance policy. The rank for a global endpoint compliance policy cannot be modified from the FortiNAC server.

If the user/host does not match any policy, it is allowed to register with no scan and no policy.

There may be more than one endpoint compliance policy that is a match for this host/user, however, the first match found is the one that is used.

If you create a user/host profile with fields Where (Location) set to Any, Who/What by Group set to Any, Who/What by Attribute left blank and When set to always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To highlight this, policies below the policy with the catch all profile are grayed out and have a line through the data.

The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.

Settings

Field

Definition

Rank Buttons

Moves the selected policy up or down in the list. Host connections are compared to Policies in order by rank.

Set Rank Button

Allows you to type a different rank number for a selected policy and immediately move the policy to that position. In an environment with a large number of policies, this process is faster than using the up and down Rank buttons.

Note

Rank can only be set on local policies, rank changes for global policies must be done at the NCM.

Table columns

Rank

Policy's rank in the list of policies. Rank controls the order in which host connections are compared to Policies.

Name

User defined name for the policy.

Endpoint
Compliance
Configuration

Contains the configuration for the Agent and Scan parameters that will be assigned if this Policy matches the connecting host and user. See Endpoint compliance configurations.

User/Host Profile

Contains the required criteria for a host or user, such as connection location, host or user group membership, host or user attributes or time of day. Host connections that match the criteria within the user/host profile are assigned the associated endpoint compliance configuration. See User/host profiles.

Where (Location)

The connection location specified in the user/host profile. The host must connect to the network on a device, port or SSID contained within one of the groups shown here to be a match. When set to Any, this field is a match for all hosts or users.

Who/What by Group

User or Host group or groups specified in the user/host profile. These groups must contain the connecting user or host for the connection to be a match for this policy. When set to Any, this field is a match for all hosts or users.

Who/What by Attribute

User or Host attributes specified in the selected user/host profile. The connecting host or user must have the attributes to be a match. See Filter example.

When

The time frame specified in the selected User/Host Profile. The host must be on the network within this time frame to be a match. When set to Always this field is a match for all hosts or users.

Note

User specified note field. This field may contain notes regarding the data conversion from a previous version of FortiNAC.

Last Modified By

User name of the last user to modify the policy.

Last Modified Date

Date and time of the last modification to this policy.

Right click options

Delete

Deletes the selected endpoint compliance policy.

Modify

Opens the Modify Endpoint Compliance Policy window for the selected policy.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Admin auditing.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Buttons

Export

Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data.

Add or modify a policy

  1. Select Policy > Policy Configuration.
  2. Select Endpoint Compliance.
  3. Click Add or select an existing policy and click Modify.
  4. Click in the Name field and enter a name for this policy.
  5. Select a User/Host Profile from the drop-down menu. You can use the icons next to the User/Host Profile field to add a new profile or modify the profile shown in the drop-down menu. Note that if you modify this profile, it is modified for all features that make use of the profile. Connecting hosts must match this User/Host Profile to be assigned the endpoint compliance configuration specified in the next step.
  6. Select an Endpoint Compliance Configuration from the drop-down menu. You can use the icons next to the Endpoint Compliance Configuration field to add a new configuration or modify the configuration shown in the drop-down menu. Note that if you modify this configuration, it is modified for all features that make use of it. See Add or modify a configuration.
  7. The Note field is optional.
  8. Click OK to save your policy.