Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiNAC 9.1.0 Administration Guide
    9.1.0
    9.4.0
    9.2.0
    9.1.0
    8.8.0
    8.7.0
    8.6.0
    8.5.2
    8.3.0

    Add or modify a configuration

    Add or modify a configuration

    1. Select Policy & Objects.
    2. Expand Endpoint Compliance.
    3. From the menu on the left, select Configuration.
    4. On the Endpoint Compliance Configurations window, click Add or select an existing configuration and click Modify.
    5. On the General tab, click in the Name field and enter a name for this configuration.
    6. Select a Scan from the drop-down menu. You can use the icons next to the Scan field to add a new scan or modify the scan shown in the drop-down menu. Note that if you modify this scan, it is modified for all features that make use of it. See Add or modify a scan.
    7. If you would like to add a list of installed applications to the host record, enable the Collect Application Inventory check box. This only applies to hosts that are assigned an agent. An application inventory cannot be generated for hosts unless an agent is in use.
    8. If you would like to add a whitelist of SSIDs that the endpoints can connect to, enable Restrict Wireless Connections to Specific SSIDs.
    9. If you would like the endpoint compliance scans to check for Dual Homes connections, enable Detect Multihoming.
    10. If you would like to grant varying levels of access based on the host's role, select Advanced Scan Controls. This displays additional options that allow you to select and map a security action to scan success, failure, and warning. See Chaining configuration scans .

      You must have ATR access enabled to use the Advanced Scan Controls feature.

    11. The Note field is optional.
    12. Click the Agent tab to select it.
    13. Select an agent for each operating system. You may choose not to use an agent for a particular operating system, however, scans can only be applied via an agent.
    14. No agent exists for some operating systems. In those cases select either None-Deny Access or None-Bypass. Refer to the table below for information on each field.
    15. Click OK to save the configuration.
    Settings

    Field

    Definition

    General tab

    Name

    User specified name for this configuration.

    Scan

    Select the scan to be associated with this configuration. Hosts that match the endpoint compliance policy containing this configuration will be scanned with the selected Scan.

    Collect Application Inventory

    If enabled, the agent assigned to the host will collect information about installed applications and add that information to the host record. An application inventory cannot be generated for a hosts unless an agent is in use.

    Advanced Scan Controls

    If enabled, allows you to select a security action mapped to an endpoint compliance activity that will be taken based on scan results. See Chaining configuration scans .

    Note

    User specified note field. This field may contain notes regarding the conversion of policies from a previous version of FortiNAC.

    Agent tab

    Windows

    macOS

    Linux

    Allows you to select a separate agent or treatment for each operating system. For example, a host with a Windows operating system may be scanned by the Persistent Agent while a host with a Mac operating system may be scanned with the Dissolvable Agent. See Determining host operating system.

    The names of all the agent versions and types available on the appliance are included in the list. The .exe is recommended for user-interactive installation. The .msi is recommended for use for a managed install by a non-user-interactive means.

    Agent options include:

    • Persistent Agent: Hosts with this operating system are required to download and install the selected version of the Persistent Agent.
    • Dissolvable Agent: Hosts with this operating system are required to download and run the selected version of the Dissolvable Agent.
    • Persistent Agent: Hosts with this operating system are required to download and install the highest version of the Persistent Agent available on the FortiNAC Application server. Using the Latest Persistent Agent option prevents you from having to update Policies each time a new Agent is released and loaded onto your server.
    • None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the matching operating system.

    • None-Bypass: No agent is assigned but hosts are allowed to access the network.

      If you select None - Bypass, hosts can register only if their IP address has been determined by FortiNAC. If IP address information has not been determined FortiNAC cannot determine the physical address and will not allow that host on the network. Users see the following message: Registration Failed - Physical Address not Found.

    Android
    • None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the matching operating system.
    • None-Bypass: No agent is assigned but hosts are allowed to access the network if they have the matching operating system.
    • Mobile Agent: Mobile devices detected running the Android operating system are required to download and install the Mobile Agent. These devices are automatically directed to the Mobile Agent Download page in the captive portal where the host is prompted to download the Mobile Agent from Google Play (Android).
    • Latest Mobile Agent: Hosts with this operating system are required to download and install the highest version of the Mobile Agent availability Mobile Agent is downloaded from Google Play.

    See Mobile Agent.

    Settings For Operating Systems Without Agents

    This section provides a list of additional operating systems and allows you to select treatment for each one. For example, iPod devices could be set to None-Bypass indicating that no agent is necessary and allowing that device to connect to the network. Options for additional platforms include:

    • None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the matching operating system.
    • None-Bypass: No agent is assigned but hosts are allowed to access the network if they have the matching operating system.

    Use Set all to None-Bypass or Set all to None-Deny Access to modify settings for all additional platforms at once.

    The last platform labeled Other is used as a catch-all for devices with new or unsupported operating systems. Any platform not listed in the Policy, is treated as specified by the setting associated with Other.

    Previous
    Next

    Add or modify a configuration

    Add or modify a configuration

    1. Select Policy & Objects.
    2. Expand Endpoint Compliance.
    3. From the menu on the left, select Configuration.
    4. On the Endpoint Compliance Configurations window, click Add or select an existing configuration and click Modify.
    5. On the General tab, click in the Name field and enter a name for this configuration.
    6. Select a Scan from the drop-down menu. You can use the icons next to the Scan field to add a new scan or modify the scan shown in the drop-down menu. Note that if you modify this scan, it is modified for all features that make use of it. See Add or modify a scan.
    7. If you would like to add a list of installed applications to the host record, enable the Collect Application Inventory check box. This only applies to hosts that are assigned an agent. An application inventory cannot be generated for hosts unless an agent is in use.
    8. If you would like to add a whitelist of SSIDs that the endpoints can connect to, enable Restrict Wireless Connections to Specific SSIDs.
    9. If you would like the endpoint compliance scans to check for Dual Homes connections, enable Detect Multihoming.
    10. If you would like to grant varying levels of access based on the host's role, select Advanced Scan Controls. This displays additional options that allow you to select and map a security action to scan success, failure, and warning. See Chaining configuration scans .

      You must have ATR access enabled to use the Advanced Scan Controls feature.

    11. The Note field is optional.
    12. Click the Agent tab to select it.
    13. Select an agent for each operating system. You may choose not to use an agent for a particular operating system, however, scans can only be applied via an agent.
    14. No agent exists for some operating systems. In those cases select either None-Deny Access or None-Bypass. Refer to the table below for information on each field.
    15. Click OK to save the configuration.
    Settings

    Field

    Definition

    General tab

    Name

    User specified name for this configuration.

    Scan

    Select the scan to be associated with this configuration. Hosts that match the endpoint compliance policy containing this configuration will be scanned with the selected Scan.

    Collect Application Inventory

    If enabled, the agent assigned to the host will collect information about installed applications and add that information to the host record. An application inventory cannot be generated for a hosts unless an agent is in use.

    Advanced Scan Controls

    If enabled, allows you to select a security action mapped to an endpoint compliance activity that will be taken based on scan results. See Chaining configuration scans .

    Note

    User specified note field. This field may contain notes regarding the conversion of policies from a previous version of FortiNAC.

    Agent tab

    Windows

    macOS

    Linux

    Allows you to select a separate agent or treatment for each operating system. For example, a host with a Windows operating system may be scanned by the Persistent Agent while a host with a Mac operating system may be scanned with the Dissolvable Agent. See Determining host operating system.

    The names of all the agent versions and types available on the appliance are included in the list. The .exe is recommended for user-interactive installation. The .msi is recommended for use for a managed install by a non-user-interactive means.

    Agent options include:

    • Persistent Agent: Hosts with this operating system are required to download and install the selected version of the Persistent Agent.
    • Dissolvable Agent: Hosts with this operating system are required to download and run the selected version of the Dissolvable Agent.
    • Persistent Agent: Hosts with this operating system are required to download and install the highest version of the Persistent Agent available on the FortiNAC Application server. Using the Latest Persistent Agent option prevents you from having to update Policies each time a new Agent is released and loaded onto your server.
    • None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the matching operating system.

    • None-Bypass: No agent is assigned but hosts are allowed to access the network.

      If you select None - Bypass, hosts can register only if their IP address has been determined by FortiNAC. If IP address information has not been determined FortiNAC cannot determine the physical address and will not allow that host on the network. Users see the following message: Registration Failed - Physical Address not Found.

    Android
    • None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the matching operating system.
    • None-Bypass: No agent is assigned but hosts are allowed to access the network if they have the matching operating system.
    • Mobile Agent: Mobile devices detected running the Android operating system are required to download and install the Mobile Agent. These devices are automatically directed to the Mobile Agent Download page in the captive portal where the host is prompted to download the Mobile Agent from Google Play (Android).
    • Latest Mobile Agent: Hosts with this operating system are required to download and install the highest version of the Mobile Agent availability Mobile Agent is downloaded from Google Play.

    See Mobile Agent.

    Settings For Operating Systems Without Agents

    This section provides a list of additional operating systems and allows you to select treatment for each one. For example, iPod devices could be set to None-Bypass indicating that no agent is necessary and allowing that device to connect to the network. Options for additional platforms include:

    • None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the matching operating system.
    • None-Bypass: No agent is assigned but hosts are allowed to access the network if they have the matching operating system.

    Use Set all to None-Bypass or Set all to None-Deny Access to modify settings for all additional platforms at once.

    The last platform labeled Other is used as a catch-all for devices with new or unsupported operating systems. Any platform not listed in the Policy, is treated as specified by the setting associated with Other.

    Previous
    Next