Schedule a scan
When hosts that use the Persistent Agent or the Dissolvable Agent connect to the network, they are checked against an endpoint compliance policy. FortiNAC maintains a list of hosts that have passed the scan within the policy. When hosts that previously passed the scan connect to the network, they are given access.
To recheck the hosts and ensure continued compliance, schedule the scan to be run at specific intervals. The hosts are rechecked the next time the scheduled task for the scan runs. Only hosts that have a valid operating system listed in Host Properties are rescanned. Valid operating systems include Linux, Windows, and macOS.
You can add more than one scheduled task for each scan to check different groups of network hosts at various times. This prevents an excessive load on the system. These groups are subgroups of the original group targeted by the scan. For example, if the original scan was set to scan all staff in the Building A group, the scheduled scan could target staff in subsets of the Building A group. Subsets would be created by placing staff from the Building A group into smaller groups. Then, the 1st floor group could be scanned on Mondays, the 2nd floor group could be scanned on Tuesdays, etc.
If FortiNAC has lost contact with the host's Persistent Agent, the host cannot be scanned. Offline hosts will be rescanned when they come back online.
- Click Policy & Objects.
- Expand Endpoint Compliance.
- Click the Scans option to select it.
- Click the scan to be scheduled.
-
Click Schedule. The Schedule Rescan of Agents window opens. Any existing scheduled tasks appear in the window.
-
Click Add.
- Use the information in the table below to configure your schedule.
Field
Definition
Task
Scan Name
Name of the scan that will be used to rescan hosts.
Schedule Task Name
Each task for the selected scan must have a unique name.
Target Agent Types
Type of agent the hosts are using: all, Dissolvable Agent, or Persistent Agent.
Host Group
If selected, indicates the group of hosts that will be checked for scan compliance when this scheduled task runs. See Groups for information on creating groups. This group of hosts must be contained within the set of hosts targeted in the original scan.
Security And Access Attribute
If selected, filters hosts for rescan based on a field in the user record with matching data in the LDAP or Active Directory. This group must be the same as or a subset of the group targeted in the original scan.
If the Group option and the Security and Access Attribute option are both selected, the host must be a member of the group selected and the user must have a matching Security and Access Attribute value in order to be scanned.
If neither the Group option nor the Security and Access Attribute option are selected, all of the hosts targeted by the original scan are scanned.
Scans can be used in multiply policies, therefore, the set of hosts to be scanned could be quite large.
Schedule
Status
Indicates whether the scheduled task is current enabled or disabled.
Schedule Interval
How often the scheduled task is to run. Enter a number and select Days, Hours, or Minutes from the drop-down list.
Next Scheduled Time
The next date/time to run the scheduled task. Enter in the format MM/DD/YY HH:MM AM/PM
Modify Schedule
Opens the Modify Scheduled Activity dialog where you can configure the scan's schedule.
Proactive scanning
Proactive Scanning
See the section below for additional information.
- Click Modify Schedule to run the scheduled task automatically or on a fixed day.
- To run the task automatically, select Repetitive Task to select the rate at which you wish to run the task. For example, selecting a Repetition Rate of two days and the Next Scheduled Time of today at 1:00 PM means the task will run today at 1:00 PM, and will continue to run every two days at 1:00 PM.
- To run the task on a fixed day and time, select Fixed Day Task and then select the day(s). The task will automatically run on the selected day(s) and time each week.
- Click Apply.
Add proactive scanning to a scheduled scan
Within FortiNAC you can schedule scans to run automatically. Hosts using the Dissolvable Agent can initiate a rescan on the production network. When a rescan is successful, the host has extended the time before another scan is required.
For example, assume the schedule is set to rescan every Sunday. The user rescans his host at his convenience on Friday and passes the scan. When Sunday comes, FortiNAC checks the scan history and determines that this host has had a successful scan. This host is not forced to rescan nor is it marked at risk.
If the host fails the scan, the user is presented with a list of reasons for the failure. The host is not marked at risk at this time. If the user resolves the issues and rescans before the scheduled scan date, the host is never marked at risk and is not forced to rescan on Sunday. If the user does not resolve the issues and rescan, when the scheduled scan date arrives the host is either marked at risk or aged out of the database. The host cannot access the network until it has been successfully scanned or until the host is reregistered and then is successfully scanned.
To rescan the user must open a browser and navigate to https://<Server or Application Server>/remediation
.
The FortiNAC Server or Application Server in the URL can be either the IP address or Name of the server that is running the captive portal.
Proactive scanning is enabled on the Schedule Rescan window. To provide your hosts access to the Dissolvable Agent, you can create a web page accessible from your network to download the Dissolvable Agent.
Scan results are central to FortiNAC's ability to determine when a host was last scanned. Scan results are removed based on the archive and purge schedule set up in FortiNAC properties. When configuring the archive and purge schedule be sure to make the interval long enough to allow the scan results to be used for Proactive Scanning. If the interval is too short, scan results will be purged too soon forcing all hosts to rescan regardless of when their last scan occurred. See Database archive for information on archive and purge settings.
Schedule a scan: proactive scanning
Users can proactively rescan their computers to re-assess their system with or without any impact to their At Risk status. This feature helps to decrease the load around the re-registration process or rescan intervals.
To rescan the user must open a browser and navigate to https://<Server or Application Server>/remediation
.
The FortiNAC Server or Application Server in the URL can be either the IP address or Name of the server that is running the captive portal.
The time extension capability can not change a guest record’s age-out time; time extensions only apply to standard hosts.
Use the options in the Schedule Rescan window to specify whether to apply a time extension if there is a successful scan history within the interval, and what actions to take if there is no scan history. For example if a host does not rescan proactively, the registered host can be set to age-out or be marked At Risk.
Once you have created a policy, do the following to configure the proactive scanning and specify subsequent actions.
Add proactive scanning to a scan schedule
- Click Policy & Objects.
- Expand Endpoint Compliance.
- Click the Scans option to select it.
- Select the scan to be scheduled.
- Click Schedule. The Schedule Rescan of Agents window opens. Any existing scheduled tasks for the scan appear in the window.
- Click Add.
- For Target, select Dissolvable. Only hosts using the Dissolvable Agent can do a proactive scan.
- For the Proactive Scanning Option, select On.
- Click Apply.
In the example shown below, the Scan History Interval is set to one week. If hosts have successfully passed a scan during the week prior to the time and date specified in the Next Scheduled Time field, their expiration time is extended by one week and they will remain on their production network. If they do not have a successful scan within the previous week, they are marked at risk and moved to remediation to be rescanned.
Settings
Field |
Definition |
||||||||
Task |
|||||||||
Scan Name |
Name of the Scan that will be used to rescan hosts. |
||||||||
Schedule Task Name |
Each task for the selected policy must have a unique name. |
||||||||
Target Agent Types |
Type of agent the hosts are using: all, Dissolvable Agent, or Persistent Agent. |
||||||||
Host Group |
If selected, indicates the group of hosts that will be checked for scan compliance when this scheduled task runs. See Groups for information on creating groups. This group of hosts must be contained within the set of hosts targeted in the original policy. |
||||||||
Security And Access Attribute |
If selected, filters hosts for rescan based on a field in the user record with matching data in the LDAP or Active Directory. This group of must be the same as or a subset of the group targeted in the original policy. |
||||||||
|
|||||||||
Schedule |
|||||||||
Schedule Interval |
How often the scheduled task is to run. Enter a number and select Days, Hours, or Minutes from the drop-down list. |
||||||||
Next Scheduled Time |
The next date/time to run the scheduled task. Enter in the format MM/DD/YY HH:MM AM/PM |
||||||||
Pause |
When selected, the scheduled task is paused and will not run automatically. Go to the Scheduler View and run the task manually. See the Scheduler for more information. |
||||||||
Proactive scanning |
|||||||||
Proactive Scanning |
Select On. If you select Off, the hosts are placed in Quarantine when the scheduled task runs. |
||||||||
Scan History Interval (previous) |
Interval of time the previous scan history is considered valid. |
||||||||
No Scan History Found |
If the host has not been successfully scanned within the scan history interval, you have the option of marking the host at risk or aging the record. If you select At Risk, the host is moved to Quarantine to be rescanned. If you select Age Record, the host is deleted and must be re-registered to regain network access. |
||||||||
Scan History Found |
If the most recent scan in the scan history is a successful scan for the host and is within the scan history interval, you have the option of selecting No Action or Extend Time. Select No Action to let the account remain with the existing expiration date and time. If the system takes no action, the host is forced to rescan when the expiration date and time are met even if the host has a successful scan prior to the expiration date and time. Select Extend Time to specify a period in Extend Expiration Date (the next field). |
||||||||
Extend Expiration Time |
If Extend Time is selected and the host has had a successful scan within the Scan History Interval, the host’s expiration time is extended by this amount. |