Administration Guide

Global updates

Hosts on your network that already have a version of the Persistent Agent installed can be globally updated. The update is triggered when a host connects to the network and the current Persistent Agent begins to communicate with FortiNAC.

The Persistent Agent version number on the host is checked by FortiNAC. If the version is different than the one selected on the Agent Update window, an update is initiated.

Clients upgrading the Persistent Agent must have access to Port 80 on the FortiNAC appliances.

It is only the difference in version number that triggers the update. FortiNAC does not check to see if the existing number is higher or lower than the update. This allows you to go back to a previous Persistent Agent if necessary.

If the host has software installed to reset the host to its original configuration after a re-boot, the agent reverts to the previous version. The software must be disabled before updating the Agent.

Update failure

A maximum number of attempts to update limits the number of times FortiNAC tries to update the host. If the maximum number of attempts has already been met, then no update is sent.

To address this you have several options. If a large number of hosts have failed the update, use Reset Counter on the Agent Update window to set the counter for all hosts to 0. If only a few hosts have failed the update, the Agent Version can be updated individually. Another option is to increase the Maximum Attempts on the Agent Update window to force an update. However, if the original problem has not been addressed the update will probably fail again.

Reset hosts that failed to update

If you have a large number of hosts that failed to update successfully and the Maximum Global Update Attempts count for those hosts was exceeded, the counter can be reset allowing the system to try to update those hosts again. The counter is reset for all hosts in the database, however, the system will not attempt to update hosts that successfully updated earlier.

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Agent Update from the tree.
  4. Click Reset Counter.

Event generation

When an update fails because the maximum number of attempts has been met, an Agent Update Failure event is generated. The default setting for this event is Enabled. See Enable and disable events to modify the default setting. Enabled events are recorded and can be viewed. See Events.

When an update is successful an Agent Update Success event is generated. The default setting for this event is Disabled. Disabled events are not recorded and cannot be viewed later.

Alarms can be associated with enabled events. See Map events to alarms. Alarms can be configured to send e-mail notifications or simply display on the dashboard in the Alarm panel.

Set up global updates

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Agent Update from the tree.
  4. Click the check box(es) to enable an update.
  5. Click in the drop-down box and select the Persistent Agent Version for the update.
  6. Click in the Maximum Global Update Attempts field and enter the number of times the update feature should attempt to update the Persistent Agent for each host.
  7. If you need to trigger the installation of an earlier version of the Agent, click Allow Installation of a Previous Version and make sure the correct version is selected in the version fields. Typically this would remain unchecked because you would want to move to the newest version of the Agent.

    Note

    If you have selected Latest Persistent Agent as the agent to download on the Endpoint Compliance Configuration window for any configuration, you should not check this option.

    Your hosts could end up in a situation where the latest agent is installed based on the endpoint compliance policy used when the host is registered, then an older agent is installed because this option is checked and the agent selected is older than the latest agent.

  8. Click Save Settings.

Settings

Field

Definition

Modify Global Agent Update Exceptions

Opens the Global Agent Update Exceptions Group and allows you to add or remove hosts. This group can also be modified from the Groups View. Hosts in this group are never automatically updated.

See the Exclude Hosts From the Update section below this table.

Update Windows Agents To Version

If enabled, Windows hosts with a Persistent Agent installed will be updated if the version number on the agent currently installed is different than the version selected in the drop-down list.

A lower agent version will not be installed unless the Allow Installation of a Previous Version option is checked.

Update macOS Agents To Version

If enabled, macOS hosts with a Persistent Agent installed will be updated if the version number on the agent currently installed is different than the version selected in the drop-down list.

A lower agent version will not be installed unless the Allow Installation of a Previous Version option is checked.

Maximum Global Update Attempts

Number of times FortiNAC should attempt to update the Persistent Agent for each host. If the maximum is reached and some hosts have not been updated, use Reset Counter to clear the number of attempts for all hosts and try again.

Allow Installation Of A Previous Version

If enabled, FortiNAC will update the agent on a host even if the installed agent is a higher version than the agent selected for update.

Reset The Hosts Update Counter To 0

Clear the number of update attempts from the Host record for all hosts. This allows FortiNAC to attempt to update hosts that were not successfully updated previously.

See the Reset Hosts That Failed To Update section above this table.

Schedule Auto-Definition Updates

Allows you to schedule updates that include:

  • Information on the latest antivirus definitions
  • Support for new versions of antivirus
  • Support for new operating system versions
  • Any new vendor OUIs released by the IEEE Standards Association
  • New or modified custom scan options

Exclude hosts from updates

A special group, Global Agent Update Exceptions, has been created to stop selected hosts from being automatically updated. Any host in this group is not updated. This is controlled by MAC address. If a host has more than one MAC address, as long as any one of its MAC addresses is listed in this group the host is not updated.

The user name of the person who logs into this host displays along with the MAC address in the Group window. However, the user name is actually ignored for update purposes. If a user logs into a second, different host, the second host is updated because none of its MAC addresses match anything in the Global Agent Update Exceptions group.

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Agent Update from the tree.
  4. Click Modify Global Agent Update Exceptions.
  5. In the Group dialog, select one or more hosts from the column on the left.
  6. Click the right arrow in the center of the dialog to move them to the Selected Members column.
  7. Click OK to save.

This group can also be modified from the Groups View.
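The update trigger, the attempt limit, and the MAC-based exclusion described above combine into one decision per connecting host. The following model is an added example written for this page, not FortiNAC code; the data classes, function names, MAC addresses and version numbers are constructed. It follows the Settings table for the Allow Installation Of A Previous Version option and adds a per-version count of the kind the Persistent Agent Summary panel shows.

```python
"""Model of the global Persistent Agent update decision described on this page.

Constructed illustration, not FortiNAC code: the data classes, function names
and the MAC/version values in the tests are assumptions made for the example.
"""
from collections import Counter
from dataclasses import dataclass, field


def parse_version(version: str) -> tuple:
    """Turn '5.3.2' into (5, 3, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class UpdateSettings:
    target_version: str                 # Persistent Agent Version chosen in the Agent Update window
    max_attempts: int                   # Maximum Global Update Attempts
    allow_previous: bool = False        # Allow Installation Of A Previous Version
    exceptions: set = field(default_factory=set)  # MACs in Global Agent Update Exceptions


@dataclass
class Host:
    name: str
    os: str
    macs: list
    agent_version: str
    attempts: int = 0                   # update attempts stored on the host record


def decide_update(host: Host, settings: UpdateSettings) -> tuple:
    """Return (update_initiated, reason) for one host that has just connected."""
    # Exclusion is by MAC address only; any one matching MAC keeps the host out.
    excluded = {m.lower() for m in settings.exceptions}
    if any(m.lower() in excluded for m in host.macs):
        return False, "a MAC of this host is in Global Agent Update Exceptions"
    # Only a difference in version number triggers an update.
    if host.agent_version == settings.target_version:
        return False, "installed version already matches the selected version"
    # Once the attempt counter reaches the maximum, no further update is sent
    # (this is the condition that raises the Agent Update Failure event).
    if host.attempts >= settings.max_attempts:
        return False, "Maximum Global Update Attempts reached"
    # Per the Settings table, a lower version is installed only when the
    # Allow Installation Of A Previous Version option is checked.
    if (parse_version(host.agent_version) > parse_version(settings.target_version)
            and not settings.allow_previous):
        return False, "installed agent is newer and previous-version install is not allowed"
    host.attempts += 1                  # count this try against the maximum
    return True, "version differs; update initiated"


def reset_counters(hosts: list) -> None:
    """Reset Counter: set the attempt count to 0 for every host in the database."""
    for host in hosts:
        host.attempts = 0


def agent_summary(hosts: list) -> dict:
    """Counts by (operating system, agent version), like the Persistent Agent Summary panel."""
    return dict(Counter((h.os, h.agent_version) for h in hosts))
```

Running `decide_update` over the same host repeatedly shows the failure path: each attempt increments the counter until it reaches `max_attempts`, after which nothing is sent until `reset_counters` is called or the maximum is raised, exactly the two remedies the Update failure section lists.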

Verify the number of updated hosts

Since hosts are only updated when they connect to the network, updating all hosts could take some time. To see how many hosts have been updated, go to the dashboard and look at the Persistent Agent Summary panel. This displays the total number of hosts registered and breaks that number up into groups by version number and operating system. If the panel is not displayed, use the Add Panel link to restore it to the dashboard.

Schedule auto-definition updates

This feature allows you to automatically update the Virus Definition or Signature information for the antivirus software that is permitted in Scans within your endpoint compliance policies.

Note

When new versions of an operating system and antivirus are added using the Auto-Def Schedule feature, they are not automatically selected in existing scans. You must go to each scan and enable the new options if you choose to scan for them.

The scans you configure with endpoint compliance specify the definition requirements for antivirus programs as well as operating systems. The default setting for the definition version information for all supported antivirus products is updated when the scheduled Automatic Definition Synchronizer task runs.

This task applies the update to all configured scans. The version information is maintained by Fortinet and is updated on a weekly basis. It is recommended that this task be scheduled to run weekly. If you change the default information in a scan for a specific operating system or antivirus software, the scheduled task will not overwrite that change.

To have the most recent version information appear in the Scan, go to the Scan containing the modified operating system or antivirus program, deselect the program and click OK. Open the Scan again and reselect the program. Click OK again to restore all the default settings for the selected program.

Automatic updates rely on the configuration of communications settings between the FortiNAC server and the updates server. See System update for information on configuring communications.

Configure Schedule

  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Agent Update from the tree.
  4. Click Modify Schedule.
  5. Select the Enabled check box.
  6. Enter a name for the task in the Name field.
  7. The Description field is optional. Enter a description of the task.
  8. Action type and Action are pre-configured based on the task and cannot be modified.
  9. From the Schedule Type drop-down list, select either Fixed Day or Repetitive and set the day and time that the task is to be performed.
  10. A Fixed Day Task is one in which you schedule a task to run on a combination of days of the week and times of the day, such as Mondays at 1:00 pm and Fridays at 10:00 am. Select the day(s) and time to run the task.
    1. Click the box next to the day(s) to select the day.
    2. Click the down arrows and select the hour, minutes, and AM or PM from the drop-down list for each day.
    3. To enter days/times more quickly, select Set Multiple Days to set multiple days with the same time.
    4. To remove all settings, click Clear All.
  11. A Repetitive Task is one that you schedule to start on a given day, at a certain time, for the number of times you specify, such as every 10 days starting today. The repetition rate can be set to any number of minutes, hours, or days.
    1. Enter the Repetition Rate using whole numbers.

      Note

      A repetition rate of zero causes the task to run only once.

    2. Click the down arrow and select Minutes, Hours, or Days from the drop-down list.
    3. Enter the date and time for the task to run in the Next Scheduled Time field using the format MM/DD/YY hh:mm AM/PM Time Zone.

      Note

      The new Repetition Rate does not take effect immediately. It starts the next time the scheduled task runs. For the new Repetition Rate to take effect immediately, click Update.

    4. Click Update to update the Next Scheduled Time field or change the Repetition Rate.
  12. Click OK.
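The two Schedule Types in the procedure above have different run-time semantics (a weekday/time combination versus a start time plus a Repetition Rate, where a rate of zero runs the task once). The following is an added example, not FortiNAC code, that computes the run times each type produces; the function names and the sample dates are constructed, and the parser for the Next Scheduled Time format ignores the trailing Time Zone component.

```python
"""Run-time computation for the Fixed Day and Repetitive schedule types.

Constructed illustration, not FortiNAC code: function names and sample dates
are assumptions made for the example.
"""
from datetime import datetime, timedelta
from typing import Optional

UNITS = {"Minutes": timedelta(minutes=1), "Hours": timedelta(hours=1), "Days": timedelta(days=1)}
DAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def parse_next_scheduled(text: str) -> datetime:
    """Parse the 'MM/DD/YY hh:mm AM/PM' part of a Next Scheduled Time value.

    The Time Zone suffix is not modelled here; only the first three tokens are read.
    """
    return datetime.strptime(" ".join(text.split()[:3]), "%m/%d/%y %I:%M %p")


def repetitive_runs(next_scheduled: datetime, rate: int, unit: str, until: datetime) -> list:
    """Run times of a Repetitive Task from its Next Scheduled Time up to `until`.

    The Repetition Rate must be a whole number; a rate of zero runs the task once.
    """
    if not isinstance(rate, int) or rate < 0:
        raise ValueError("Repetition Rate must be a whole number")
    if unit not in UNITS:
        raise ValueError("unit must be Minutes, Hours, or Days")
    runs = [next_scheduled]
    if rate == 0:
        return runs                      # zero means: run once, never repeat
    step = rate * UNITS[unit]
    current = next_scheduled + step
    while current <= until:
        runs.append(current)
        current += step
    return runs


def fixed_day_runs(day_times: dict, start: datetime, until: datetime) -> list:
    """Run times of a Fixed Day Task between `start` and `until`.

    `day_times` maps a weekday name to the 'hh:mm AM/PM' times selected for it,
    e.g. {"Monday": ["1:00 PM"], "Friday": ["10:00 AM"]}.
    """
    runs = []
    day = start.date()
    while day <= until.date():
        for clock in day_times.get(DAY_NAMES[day.weekday()], []):
            moment = datetime.combine(day, datetime.strptime(clock, "%I:%M %p").time())
            if start <= moment <= until:
                runs.append(moment)
        day += timedelta(days=1)
    return sorted(runs)


def next_run(runs: list, now: datetime) -> Optional[datetime]:
    """What the Next Scheduled Time field would show: the first run strictly after `now`."""
    return next((r for r in runs if r > now), None)
```

For the weekly Automatic Definition Synchronizer recommended on this page, a Repetitive schedule with a rate of 7 Days and a Fixed Day schedule with one weekday selected produce the same run list; the difference is that the Repetitive form drifts with its start time, while the Fixed Day form is anchored to the weekday.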

Schedule settings

Field

Definition

Remove local backups older than

Number of days for which you would like to keep backups. Anything older than the number of days entered is removed the next time the scheduled task for backups runs. This setting removes backup files created on the FortiNAC server before they are copied to the remote server. Backups on the remote server are not removed.

The timing of the scheduled backup task and the age of the files that are to be removed must be thought out carefully or you will remove all of your backups. For example, if the remove option is set to 5 days and your backup task runs every 15 days, you may inadvertently remove all of your backups. However, if the remove option is set to 15 days and the backup task runs every 5 days, then you would always have backup files.

Status

Indicates whether the task is enabled or disabled.

Schedule Interval

How often the scheduled task runs.

Next Scheduled Time

The next date and time the scheduled synchronization task will run. Entered in the format MM/DD/YY HH:MM AM/PM.

Modify Schedule

Allows you to modify the scheduled activity.

Run Now

Runs the scheduled task immediately.
