Administration Guide


Vulnerability scanner

The vulnerability scanner integration enables FortiNAC to request and process scan results from a vulnerability scanner.

The vulnerability scanners view displays a list of scanners that are configured, allows you to add, modify, delete, and test a scanner connection, and configure polling for scanner results.

To access the vulnerability scanners view, go to System > Settings. From the folder view of the display, click the System Communications node, and then click Vulnerability Scanners.

Implementation

To integrate FortiNAC and a vulnerability scanner, perform the following steps:

  • Configure the scan(s) on your vulnerability scanner.
  • For Qualys integrations: Qualys Cloud Platform cannot scan hosts on an internal network, so you must configure an in-network scanner to scan hosts. Instructions for configuring the in-network scanner can be found on the Qualys website: https://www.qualys.com/docs/qualys-virtual-scanner-appliance-user-guide.pdf
  • Set up and test the connection between FortiNAC and the vulnerability scanner. Set the interval for FortiNAC to poll the scanner for new results. Select the Vulnerability scan(s) for FortiNAC to request and process information. Define each scan's threshold for triggering a scan failure.
  • For visibility, add the Vulnerability Scan Status and Last Vulnerability Scan columns in the Host View by selecting them in the Settings dialog.
  • For enforcement, configure the alarm actions and the vulnerability scanner portal page.
  • If specific hosts always require network access, regardless of scan results, you can add the hosts to the vulnerability scanner Exceptions group. Hosts in this group are allowed onto the network, even if they fail a vulnerability scan. See Add hosts to groups.

Processing scan results

At each Vulnerability poll, FortiNAC retrieves and processes the results for each configured scan that has completed since the previous poll of the scanner. Multiple scans can target a host. If any of a host's scan results exceeds the scan's failure threshold configured in FortiNAC, the host is identified as failing the scan.

In the Host View, the Vulnerability Scan Status column indicates the host's current health status. The Last Vulnerability Scan column, which displays the most recent time/date when scan results were processed for the host, is also displayed. See Host View.

The vulnerability scan filters in the custom filters of the Host/Adapter Users views allow you to display hosts by Failed Scan, Passed Scan, or Not Scanned status. You can also display hosts that were scanned before, during, or after a specified time period. To configure the vulnerability scan filters for a host, see Settings.

The Show Events option of a host filters events from the Events Log for the selected host. When results exceed the failure threshold, a Vulnerability Scan Failed event is generated. When the host's scan results do not exceed the failure threshold, a Vulnerability Scan Passed event is generated. The date and time displayed in the message for a Vulnerability Scan Failed or Vulnerability Scan Passed event indicates when the vulnerability scanner scanned the host. See Events.

The following table lists the events that may be generated when the scan results are processed.

Events generated when FortiNAC processes scan results for hosts.

Vulnerability Scan Failed

The host failed the vulnerability scan.

Vulnerability Scan Passed

The host passed the vulnerability scan.

Vulnerability Scan Started

The vulnerability rescan has started.

Vulnerability Scan Finished

The vulnerability rescan has finished.

Events generated for interaction between FortiNAC and the vulnerability scanner.

Vulnerability Scan Ignored

Scan results from the vendor include hosts that were added to the Vulnerability Exceptions Group, indicating which hosts were ignored. Hosts in this group are allowed onto the network, regardless of scan results.

Vulnerability Scan Incomplete

FortiNAC polls the vendor for scan results for a configured scan, but scan results are unavailable because the scan was not run by the vendor.

Vulnerability Scan Request Refused (Qualys Integration only)

The IP address targeted by a rescan is not included in the list of Qualys asset IPs.

Vulnerability Scan Removed

A Vulnerability scan that was added to FortiNAC was removed from the vulnerability scanner.

Vulnerability Scan Skipped

The Vulnerability scanner has not run the scan since FortiNAC previously polled it, so FortiNAC skipped the scan during processing.

Vulnerability Scanner Concurrent API Limit Exceeded (Qualys Integration only)

Exceeded the limit that is set for the number of requests that can be processed concurrently.

Vulnerability Scanner Connection Failure

The connection to the vulnerability scanner has failed.

Vulnerability Scanner Deleted

A vulnerability scanner was deleted from FortiNAC.

Vulnerability Scanner Periodic API Limit Exceeded (Qualys Integration only)

Qualys rejected an API request because the periodic API limit has been exceeded. The event message includes the number of seconds until the scanner will accept an API request.

These events can be enabled or disabled. For more information, see Enable and disable events.

Vulnerability scan results enforcement

In order to force hosts which have failed Vulnerability scans to remediate, use an administrative scan mapped to the Vulnerability Scan Failed and the Vulnerability Scan Passed events, with Host Security actions of At Risk and Safe, respectively. See Add a scan.

When the host fails the scan

In order to isolate hosts that have failed the vulnerability scan, configure an event to alarm mapping for the Vulnerability Scan Failed event.

  1. Create a host security action and add the Mark Host At Risk activity for the Admin Scan.
  2. Map the Vulnerability Scan Failed event to the Security Action. Select Host Security Action, choose At Risk, and then select the Admin Scan. See Add or modify alarm mapping.
  3. To customize the vulnerability scan information displayed on the Remediation Portal page, edit the content in the Global > Failure Information page in the portal content editor.

When the host passes the scan

To move the host to production when the host passes the vulnerability scan, configure an event to alarm mapping for the Vulnerability Scan Passed event, with a Host Security Action of Safe for the administrative scan.

  1. Create a host security action and add the Mark Host Safe activity for the Admin Scan.
  2. Map the Vulnerability Scan Passed event to the Security Action. Select Host Security Action, choose Safe, and then select the Admin Scan. See Add or modify alarm mapping.

Exceptions

Hosts that are added to the vulnerability scanner Exceptions Group are allowed onto the network even if the vulnerability scan fails. Failed vulnerability scans for hosts in this group will not be listed in the Remediation Portal page, and this page will not appear if a host in this group fails a vulnerability scan, but passes all other scans. For hosts in the vulnerability scanner exceptions group, the Vulnerability Scan Status column will always display Passed in the Host View.

Remediation

If the host fails a vulnerability scan, the Remediation Portal page shows details for the vulnerability scan that failed. Users can click the scan to see the details of the failed scan provided by the vulnerability scanner, along with solutions to fix the vulnerability. After remediation, users click Rescan to rescan the host. If a host fails multiple vulnerability scans when FortiNAC performs a "Poll Now" of the vulnerability scanner, and you are enforcing access using an Admin Scan with a Host Security Action that marks the host "at risk", each scan failure and rescan must be performed separately, because each scan failure triggers an event/alarm that is unique to one scan.

Settings

Field

Definition

Name

The name of the scanner to be displayed in FortiNAC.

Request URL

The URL for retrieving scan results from the vulnerability scanner (typically in the format of https://<IP>:####).

User Name

The username for retrieving scan results from the vulnerability scanner.

Vendor

The vendor of the vulnerability scanner.

Poll Interval

The interval for how often FortiNAC retrieves scan results from the Vulnerability scanner.

Last Successful Poll

The last time FortiNAC successfully retrieved scan results from the Vulnerability scanner.

Last Modified By

The user who last modified the Vulnerability scanner configuration.

Last Modified Date

The date when the Vulnerability scanner configuration, as defined in FortiNAC, was last modified.

Right click options

Modify

Modifies the selected vulnerability scanner configuration.

Delete

Deletes the selected vulnerability scanner.

Test Connection

Tests the connection between FortiNAC and the vulnerability scanner.

Poll Now

Immediately polls the selected vulnerability scanner for new scan results, instead of waiting for the poll interval.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Audit Logs.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Add or modify a vulnerability scanner

When you add or modify a vulnerability scanner, you are configuring the connection between FortiNAC and the vulnerability scanner.

  1. Select System > Settings.
  2. Expand the System Communication folder.
  3. Select Vulnerability Scanners.
  4. Click Add or select an existing scanner from the list and click Modify.
  5. Use the table below to enter the vulnerability scanner information in the General tab.

    Field

    Definition

    Vendor

    The vendor of the Vulnerability scanner.

    Name

    Enter a name for the scanner to be used in FortiNAC.

    Request URL

    The URL for retrieving scan results from the vulnerability scanner.

    User Name

    Enter the username for retrieving scan results.

    Password

    Enter the password for retrieving scan results.

    Poll for Scan Results Every

    Defines how often FortiNAC retrieves results from the vulnerability scanner.

    Test Connection

    Click to test the connection between FortiNAC and the vulnerability scanner.

  6. Click the Scans tab.
  7. Select the scan(s) in the Available Scans list (the scans that exist on the vulnerability scanner) and click the down arrow to move them to the Selected Scans list. Click the double arrow to move all scans to the Selected Scans list. FortiNAC only processes results for scans in the Selected Scans list.
  8. Select a scan in the Selected Scans list, and then click Set Failure Thresholds.
  9. Select the check box next to each category where you wish to enter a threshold value.
  10. For each selected category, enter the number of vulnerabilities in that category at which the host is identified as failing the scan. For example, entering "5" in the "Medium" category means that if five or more Medium vulnerabilities are detected when the host is polled, the host is marked as Failed for that scan.

    Note

    Categories are vendor-specific.

  11. Click OK.
  12. To remove a scan from the Selected Scans list, click the scan and then click Delete. The scan is returned to the Available Scans list.
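The threshold rule in step 10, the per-scan pass/fail evaluation from Processing scan results, and the Exceptions group behaviour can be modelled together. The following is an added illustration written for this page, not FortiNAC's own code: the data shapes, function names, scan names, MAC addresses and timestamps are all constructed assumptions.

```python
"""Model of how a NAC-side poll turns scanner results into pass/fail events.

Added illustration, not FortiNAC code. Scan names, MACs, timestamps and the
result format are constructed for the example; categories are vendor-specific.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Thresholds = Dict[str, int]   # category -> count at which the host fails


@dataclass
class ScanResult:
    scan: str               # scan name as configured on the scanner
    host: str               # host identifier (constructed MAC)
    counts: Dict[str, int]  # findings per category, as reported by the scanner
    scanned_at: str         # when the scanner scanned the host (ISO 8601)


def host_fails_scan(counts: Dict[str, int], thresholds: Thresholds) -> bool:
    """True if any thresholded category has at least that many findings.

    A threshold of 5 on Medium means five or more Medium findings fail the
    host; four do not. Categories with no threshold set are not checked.
    """
    return any(counts.get(cat, 0) >= minimum for cat, minimum in thresholds.items())


def process_poll(results: List[ScanResult],
                 scan_thresholds: Dict[str, Thresholds],
                 exceptions: Set[str]) -> Tuple[List[Tuple[str, str, str, str]], Dict[str, str]]:
    """Return (events, host_status) for one poll.

    Only scans in the Selected Scans list (keys of scan_thresholds) are
    processed. Hosts in the Exceptions group raise an Ignored event and are
    always reported as Passed. A host that fails any one of several scans
    is a failing host; the event time is the scanner's scan time.
    """
    events: List[Tuple[str, str, str, str]] = []
    status: Dict[str, str] = {}
    for r in results:
        if r.scan not in scan_thresholds:
            continue                       # not a selected scan: skipped
        if r.host in exceptions:
            events.append(("Vulnerability Scan Ignored", r.host, r.scan, r.scanned_at))
            status[r.host] = "Passed"
            continue
        failed = host_fails_scan(r.counts, scan_thresholds[r.scan])
        name = "Vulnerability Scan Failed" if failed else "Vulnerability Scan Passed"
        events.append((name, r.host, r.scan, r.scanned_at))
        if failed:
            status[r.host] = "Failed"
        elif status.get(r.host) != "Failed":
            status[r.host] = "Passed"
    return events, status


# Constructed sample configuration and poll results.
SCAN_THRESHOLDS: Dict[str, Thresholds] = {
    "Weekly-Workstations": {"Critical": 1, "High": 3, "Medium": 5},
    "Monthly-Servers": {"Critical": 1},
}
EXCEPTIONS: Set[str] = {"00:11:22:33:44:55"}   # member of the Exceptions group
SAMPLE_RESULTS = [
    ScanResult("Weekly-Workstations", "aa:bb:cc:00:00:01", {"Medium": 5}, "2021-03-10T08:00:00Z"),
    ScanResult("Weekly-Workstations", "aa:bb:cc:00:00:02", {"Medium": 4, "High": 2}, "2021-03-10T08:05:00Z"),
    ScanResult("Monthly-Servers", "aa:bb:cc:00:00:02", {"Critical": 1}, "2021-03-09T22:00:00Z"),
    ScanResult("Weekly-Workstations", "00:11:22:33:44:55", {"Critical": 3}, "2021-03-10T08:10:00Z"),
    ScanResult("Unselected-Scan", "aa:bb:cc:00:00:03", {"Critical": 9}, "2021-03-10T08:15:00Z"),
]


def run_sample():
    return process_poll(SAMPLE_RESULTS, SCAN_THRESHOLDS, EXCEPTIONS)


if __name__ == "__main__":
    for ev in run_sample()[0]:
        print(ev)
```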

Qualys Scanner Integration

Qualys requires an in-network scanner host for scans. When Qualys is selected as the vendor, the Appliance tab appears where you must specify the host that will perform the scan.

Instructions for configuring the in-network scanner host can be found on the Qualys website: https://www.qualys.com/docs/qualys-virtual-scanner-appliance-user-guide.pdf

  1. Select the Scanner Appliance.
  2. Click OK.

Delete a vulnerability scanner

  1. Select System > Settings.
  2. Expand the System Communication folder.
  3. Select Vulnerability Scanners.
  4. Select the vulnerability scanner(s) you wish to delete, and click Delete.
  5. A confirmation message is displayed. Click Yes to continue.
