Administration Guide

Security management

Use security management to set:

  • The host name of the server for Persistent Agent communication.
  • The Host group whose members receive the host name when they connect.
  • Whether to require an adapter to be connected to a device managed by FortiNAC in order to communicate.
  • Whether display notifications will be sent to the host.
  • Header and footer text for the Persistent Agent authentication page.
  • The amount of time that a CRL will be cached before retrieving a new CRL.
  • Status messages in the message box on the user's desktop.

You can also enter text for other message windows generated during Registration or Scanning.

To access Persistent Agent security management, go to Policy > Persistent Agent Properties.

Settings

Field

Definition

Primary Host Name

Fully qualified host name of the FortiNAC Application Server or the FortiNAC Server if you are not using a pair. It is pushed out to the connecting host(s) to ensure that the Persistent Agent is communicating with the correct host in a distributed environment.

In a high availability environment you must use the actual host name not the shared host name.

This field is required for Agent Updates.

Secondary Host Name

This field is displayed only in a high availability environment and is used only in a failover situation.

Fully qualified host name of the secondary FortiNAC Application Server or the secondary FortiNAC Server if you are not using a pair. It is pushed out to the connecting host(s) to ensure that the Persistent Agent is communicating with the correct host in a distributed environment.

Use the actual host name and not the shared host name.

This field is required for Agent Updates.

Host Group for on-connect Host Name update

When hosts in this group connect to the network, they are sent the Persistent Agent host name(s) configured above (Primary Host Name and, in a high availability environment, Secondary Host Name) for communication between the host and the Persistent Agent server.

Require Connected Adapter

If enabled, the server will require one of the adapters reported by the agent to be connected to a device managed by FortiNAC in order to communicate. This eliminates the need to use ACLs to block access to a FortiNAC Application server when the host is connecting on a device managed by a different FortiNAC Control server/Application server pair.

The agent must be configured with security enabled. Requires Persistent Agent 4.0.3 or higher.

Allowed IP Subnets

When a client is not detected as connected (for example, a VPN-connected client), its agent cannot connect to the server while the Require Connected Adapter option is enabled.

Configure the subnets from which the server accepts agent connections even when none of the reported adapters is connected to a managed device. The source IP address of each agent connection is checked against these subnets; if it falls within one of them, the connection is allowed, as it is when any reported adapter is connected to a managed device. This applies to every host connecting from the specified ranges, so keep the list to the address ranges that genuinely need it (for example, the VPN address pool).
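The following Python script is an added example, not FortiNAC code or part of this guide. It models the admission decision the two fields above describe: with Require Connected Adapter on, an agent is accepted if any adapter it reports is connected to a FortiNAC-managed device, or else if the source address of its connection falls in an Allowed IP Subnet. The adapter records, addresses and subnet list are constructed sample data, and the function names are assumptions rather than FortiNAC APIs.

```python
"""Added example (not FortiNAC code): Require Connected Adapter plus
Allowed IP Subnets admission check. Sample data below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Adapter:
    mac: str
    connected_to_managed_device: bool  # seen on a port/SSID that FortiNAC manages


def parse_allowed_subnets(cidrs: Iterable[str]) -> List[Network]:
    """strict=False tolerates host bits in the entry, e.g. '10.200.0.1/16'."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def agent_may_communicate(adapters: Iterable[Adapter], source_ip: str,
                          require_connected_adapter: bool,
                          allowed: List[Network]) -> bool:
    """Decide whether the server accepts this agent connection."""
    if not require_connected_adapter:
        return True  # option off: no adapter check at all
    if any(a.connected_to_managed_device for a in adapters):
        return True  # at least one adapter is on managed gear
    # No adapter on a managed device (the VPN-client case): fall back to the
    # source address of the agent connection. Version mismatch (IPv4 address
    # vs IPv6 network) is simply "not contained" in the ipaddress module.
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in allowed)


def sample_decisions() -> dict:
    """Constructed scenarios; returns scenario name -> decision."""
    allowed = parse_allowed_subnets(["10.200.0.0/16", "fd00:1234::/32"])  # assumed VPN pools
    lan_host = [Adapter("00:11:22:33:44:55", True)]
    vpn_host = [Adapter("00:11:22:33:44:66", False)]
    return {
        "lan host on managed switch": agent_may_communicate(lan_host, "10.1.5.7", True, allowed),
        "vpn client in pool": agent_may_communicate(vpn_host, "10.200.3.9", True, allowed),
        "vpn client v6 in pool": agent_may_communicate(vpn_host, "fd00:1234::abcd", True, allowed),
        "host behind foreign fortinac pair": agent_may_communicate(vpn_host, "192.0.2.10", True, allowed),
        "option disabled": agent_may_communicate(vpn_host, "192.0.2.10", False, allowed),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:36s} -> {'accept' if decision else 'reject'}")
```

Note that the subnet fallback is evaluated against the connection's source address, not against anything the agent reports, so a host that is NATed into an allowed range is accepted too.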

Expiration

If enabled, the Persistent Agent uninstalls itself from the host once the selected date and time have passed.

Header

This text appears at the top of all message windows generated by the Persistent Agent.

Login Prompt

This text displays on the login window.

Login Prompt after Authentication Failure

This text appears in the message block received when a user's authentication attempt has failed.

User Name Label

Controls the text that appears next to the User Name field on the login window.

Password Label

Controls the text that appears next to the Password field on the login window.

Footer

This text appears at the bottom of all message windows generated by the Persistent Agent.

CRL Cache Strategy

Defines the amount of time that a CRL will be cached before retrieving a new CRL.

  • Expire After Next Update. This is the default setting. Retrieves a new copy of the CRL once the Next Update date set by the CA in the CRL has passed.
  • Expire After This Update. Select this option to specify how many hours after the CRL's This Update time a new CRL should be retrieved. If the number of hours is less than the interval between the CA's CRL publications (This Update to Next Update), the CRL is retrieved on every scan: the freshly retrieved CRL carries the same This Update time and therefore immediately appears out of date again. This may cause performance issues.
  • Poll for Changes. Sets the interval at which a new CRL is downloaded.
  • Update Cache. Retrieves a new CRL immediately. Use this when a certificate has been revoked and you need the new CRL before the cache would otherwise refresh. Otherwise, the CRL is retrieved according to the selected Cache Strategy.

See Certificate validation.
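The following Python script is an added example, not FortiNAC code or part of this guide. It models the three Cache Strategy options against a constructed CA that republishes its CRL every 24 hours, runs hourly scans for two publication periods, and counts downloads. The point it demonstrates is the caveat above: an Expire After This Update value shorter than the CA's publication interval makes the server fetch the same CRL on every scan. The refresh rules, the CA schedule and the scan cadence are assumptions for the simulation, not FortiNAC's implementation.

```python
"""Added example (not FortiNAC code): CRL Cache Strategy refresh decisions.
CA schedule and scan cadence below are constructed for the simulation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

EXPIRE_AFTER_NEXT_UPDATE = "Expire After Next Update"  # FortiNAC default
EXPIRE_AFTER_THIS_UPDATE = "Expire After This Update"
POLL_FOR_CHANGES = "Poll for Changes"


@dataclass
class CachedCRL:
    this_update: datetime             # thisUpdate field of the cached CRL (RFC 5280)
    next_update: Optional[datetime]   # nextUpdate field; optional in RFC 5280
    fetched_at: datetime              # when the server downloaded it


def crl_needs_refresh(strategy: str, cached: CachedCRL, now: datetime,
                      hours: Optional[float] = None) -> bool:
    """Return True if the cached CRL should be replaced before a scan uses it."""
    if strategy == EXPIRE_AFTER_NEXT_UPDATE:
        # Follow the CA's own schedule. A CRL with no nextUpdate is treated as
        # never fresh (assumption: fail towards re-fetching).
        return cached.next_update is None or now >= cached.next_update
    if hours is None:
        raise ValueError(f"{strategy} requires an hours value")
    if strategy == EXPIRE_AFTER_THIS_UPDATE:
        # Age is measured from the CRL's thisUpdate, not from download time.
        return now >= cached.this_update + timedelta(hours=hours)
    if strategy == POLL_FOR_CHANGES:
        # Age is measured from the last download; CRL dates are ignored.
        return now >= cached.fetched_at + timedelta(hours=hours)
    raise ValueError(f"unknown strategy {strategy!r}")


def ca_current_crl(now: datetime, t0: datetime,
                   interval: timedelta) -> Tuple[datetime, datetime]:
    """Constructed CA: CRL number k is valid for [t0 + k*interval, t0 + (k+1)*interval)."""
    k = int((now - t0) / interval)
    this_update = t0 + k * interval
    return this_update, this_update + interval


def simulate_scans(strategy: str, hours: Optional[float] = None,
                   scans: int = 48, scan_every: timedelta = timedelta(hours=1),
                   interval: timedelta = timedelta(hours=24)) -> int:
    """Run scans across two CA publication periods; return the number of CRL
    downloads after the initial one."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cached = CachedCRL(t0, t0 + interval, t0)  # initial fetch at t0
    fetches = 0
    for i in range(scans):
        now = t0 + i * scan_every
        if crl_needs_refresh(strategy, cached, now, hours):
            this_update, next_update = ca_current_crl(now, t0, interval)
            cached = CachedCRL(this_update, next_update, now)
            fetches += 1
    return fetches


if __name__ == "__main__":
    for label, args in [
        ("default (Expire After Next Update)", (EXPIRE_AFTER_NEXT_UPDATE, None)),
        ("Expire After This Update, 24h", (EXPIRE_AFTER_THIS_UPDATE, 24)),
        ("Expire After This Update, 6h", (EXPIRE_AFTER_THIS_UPDATE, 6)),
        ("Poll for Changes, 12h", (POLL_FOR_CHANGES, 12)),
    ]:
        print(f"{label:36s} downloads in 48 hourly scans: {simulate_scans(*args)}")
```

With a 24-hour CA interval, the 6-hour Expire After This Update setting triggers a download on 37 of 48 hourly scans, while 24 hours (matching the CA interval) and the default both download once, when the CA actually publishes a new CRL.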

Agent Contact Window on Host Connect

The time after host connection before an agent must connect or communicate successfully with the server. If this time expires without the agent having communicated, the "No Contact" flag is set and the "Persistent Agent Not Communicating" event is generated.

Agent Contact Window on Agent Disconnect

The time after the agent disconnects or communication is lost. If this time expires without the host disconnecting or the agent having communicated, the "No Contact" flag is set and the "Persistent Agent Not Communicating" event is generated.
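The following Python script is an added example, not FortiNAC code or part of this guide. It models the two contact windows above as a small tracker: a host connection starts the Host Connect window, loss of agent communication starts the Agent Disconnect window, and when either window expires without the agent having communicated the "No Contact" flag is set and a "Persistent Agent Not Communicating" event is recorded once. That a successful agent contact clears the flag, and that a host disconnect cancels both windows, are assumptions not stated on the page; the timestamps and window lengths are constructed.

```python
"""Added example (not FortiNAC code): Agent Contact Window evaluation.
Flag-clearing behaviour is an assumption; the scenario data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NO_CONTACT_EVENT = "Persistent Agent Not Communicating"


@dataclass
class ContactTracker:
    connect_window: timedelta       # Agent Contact Window on Host Connect
    disconnect_window: timedelta    # Agent Contact Window on Agent Disconnect
    connected_at: Optional[datetime] = None
    last_contact: Optional[datetime] = None
    agent_lost_at: Optional[datetime] = None
    no_contact: bool = False
    events: List[str] = field(default_factory=list)

    def host_connect(self, t: datetime) -> None:
        """Host seen on the network: the agent has not yet checked in."""
        self.connected_at = t
        self.last_contact = None
        self.agent_lost_at = None
        self.no_contact = False

    def host_disconnect(self, t: datetime) -> None:
        """Host left the network: nothing left to flag (assumption)."""
        self.connected_at = None
        self.agent_lost_at = None
        self.no_contact = False

    def agent_contact(self, t: datetime) -> None:
        """Agent communicated successfully; clears the flag (assumption)."""
        self.last_contact = t
        self.agent_lost_at = None
        self.no_contact = False

    def agent_disconnect(self, t: datetime) -> None:
        """Agent socket closed or communication lost."""
        self.agent_lost_at = t

    def evaluate(self, now: datetime) -> bool:
        """Apply both windows at time `now`; return the No Contact flag."""
        if self.connected_at is None:
            return False  # host not connected: no window is running
        expired = False
        if self.last_contact is None and now - self.connected_at >= self.connect_window:
            expired = True  # connected, agent never talked, window over
        if self.agent_lost_at is not None and now - self.agent_lost_at >= self.disconnect_window:
            expired = True  # agent went quiet, host still connected, window over
        if expired and not self.no_contact:
            self.no_contact = True  # generate the event once per transition
            self.events.append(f"{now.isoformat()} {NO_CONTACT_EVENT}")
        return self.no_contact


def scenario() -> List[str]:
    """Constructed timeline: late first contact, then a dropped agent."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    m = lambda n: t0 + timedelta(minutes=n)
    tr = ContactTracker(connect_window=timedelta(minutes=10),
                        disconnect_window=timedelta(minutes=5))
    tr.host_connect(m(0))
    tr.evaluate(m(9))        # still inside the connect window
    tr.evaluate(m(10))       # window expired: flag set, event 1
    tr.agent_contact(m(12))  # agent finally checks in: flag cleared
    tr.agent_disconnect(m(20))
    tr.evaluate(m(24))       # inside the disconnect window
    tr.evaluate(m(25))       # expired: flag set, event 2
    tr.host_disconnect(m(30))
    tr.evaluate(m(40))       # host gone: no further event
    return tr.events


if __name__ == "__main__":
    for line in scenario():
        print(line)
```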

VM Detection

None. When selected, a virtual machine that connects to the network as a bridged adapter is detected as a new device on the port.

Append to Host. When selected, the virtual machine adapters are added to the host as additional adapters.

When a Guest VM has been appended to the host as a virtual Guest adapter, the Guest VM will remain an adapter on that host until the Guest VM is manually deleted from the host, even if VM Detection is changed to None or Register as New Host.

Register as New Host. When selected, the virtual machine is automatically registered as a new host belonging to the same user as the host running the virtual machine, allowing default registration.

VM Platform Support by OS

Platform               Windows         OSX             Linux
Oracle VBox            Supported       Supported       Supported
VMware Workstation*    Supported       Not Supported   Supported
VMware Fusion          Not Supported   Supported       Not Supported

*VIX 1.5 must also be installed for Workstation Player

VM Detection of VMware virtual machines requires the virtual machine to be configured with a bridged network adapter.

VM Detection of VMware virtual machines requires VMware VIX to be installed. Detection of Oracle VirtualBox VMs requires Oracle VM VirtualBox to be installed.

Linux hosts must be configured to run the Persistent Agent Daemon process as the logged on user. To configure this, go to /etc/sysconfig/bndaemon and change DAEMON_USER from bndaemon to the current logged on user, and then restart the daemon service.

FortiNAC will register a detected VM guest with the same registration as the VM host. However, the VM guest will not inherit the authentication state of the VM host, and the guest OS will be subject to any authentication policies currently in place. This means that the guest OS may require separate authentication.

Display Notifications

Determines whether the popup notifications from the Persistent Agent, such as "VLAN switch taking place" or "Renewing IP", are displayed. When checked, the notifications are displayed on the host.

If unchecked, the notification fields below are hidden on this configuration view and on the host.

Successful Registration

This text appears in the message block received when a host has successfully registered. If you do not enter text, the message box does not appear for successful registrations.

Failed Registration

This text appears in the message block received when a host has failed the registration process. If you do not enter text, the message box does not appear for failed registrations.

Failed Scan

This text appears in the message block received when a host has failed a scan. If you do not enter text, the message box does not appear for failed scans.

Warning Message

This text appears in the message block received when a host has warning messages generated from a scan. If you do not enter text, the message box does not appear for warning messages.

Remediation

This text appears in the message block received when a host has been placed in the Remediation VLAN. If you do not enter any text, the message box does not appear.

No Valid Network Interfaces found

This text appears in the message block when the Persistent Agent cannot determine the MAC address of the interface used to connect to the network or if the MAC address for that interface is invalid. Default value for this field is blank. If you do not enter text, the message box does not appear for invalid MAC addresses.

Network Change Message

This text appears in the message block when the IP address for the host is being renewed. This can happen when the host is being moved from one VLAN to another.

Configure security management properties

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Security Management from the tree.
  4. Use the information in the Security Management Settings table above to complete the fields.
  5. Click Save Settings.
