
Administration Guide

Scan hosts without enforcing remediation

Hosts that are in Remediation are denied network access until they comply with the requirements of the Scan used to evaluate them. FortiNAC can scan hosts on the network without placing them in Remediation. This allows the administrator to determine host state or test new endpoint compliance policies without interrupting network users as they work. To scan hosts without enforcing remediation, you can disable the Quarantine switching option in FortiNAC Properties. Disabling quarantine VLAN switching affects all hosts, however, and you may need to scan only selected hosts with no repercussions.

Two options are provided to let you scan selected hosts without forcing "at risk" hosts into Remediation: Audit Only and the Forced Remediation Exceptions group. You can use either one or both of these options; they work independently of each other. Audit Only controls remediation based on the scan applied. The Forced Remediation Exceptions group controls remediation based on group membership, regardless of the scan used to evaluate the hosts.

Audit only

When the Audit Only option on a scan is enabled, hosts are scanned and the results of the scan are stored. Hosts that fail the scan are never marked "at risk" and therefore are not forced into Remediation or Quarantine. Administrators can then review all of the scan results and address issues of non-compliance without blocking users from the network.

Audit Only affects only those hosts evaluated by the scan in which Audit Only is enabled. If you have other scans with Audit Only disabled, hosts evaluated by those scans who fail are forced into Remediation. Using this option you can decide to force some groups of hosts into remediation while leaving others on the network. For example, you could have a scan for your executive staff that has Audit Only enabled and a different scan for administrative staff that has Audit Only disabled. Executives that fail a scan would continue to work without disruption, while administrative staff that fail a scan would be forced to remediate.

  1. Click Policy & Objects.
  2. Expand Endpoint Compliance.
  3. Click Scans.
  4. Select an existing scan to modify or create a new one.
  5. On the Add or Modify Scan window go to the Scan Settings section and enable Audit Only under the Remediation drop-down.

See Add or modify a scan for additional information.

Forced remediation exceptions group

When hosts are placed in this group, they are evaluated by the scan that corresponds to them. See Policy assignment. Results of the scan are stored, and hosts that fail are marked "at risk". Hosts in this group are never forced into remediation, no matter which scan they fail. To prevent selected hosts from being forced to remediate, add them to this group.

The Forced Remediation Exceptions group is a system group that has already been created. System groups cannot be removed, only modified. See System groups and Modify a group.
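The two controls above (Audit Only on the scan, and membership in the Forced Remediation Exceptions group) interact with the global Quarantine switching setting, and it is easy to misjudge which hosts will actually be blocked after a change. The following is an added example, not FortiNAC code: a small Python model of the rules as this section states them, so an administrator can reason about a planned scan or group change before applying it. The scan names, host names and group contents are constructed for the example; only the rule logic comes from the text.

```python
"""Model of the remediation decision described in "Scan hosts without enforcing
remediation". Added example, not FortiNAC's own code: it encodes the rules the
guide states so the outcome for a set of hosts can be checked before a change.
"""
from dataclasses import dataclass, field

# Name of the pre-created system group described in the guide.
FORCED_REMEDIATION_EXCEPTIONS = "Forced Remediation Exceptions"


@dataclass
class Scan:
    name: str
    audit_only: bool = False  # "Audit Only" under the Remediation drop-down


@dataclass
class Host:
    name: str
    scan: Scan          # the scan assigned to the host by Policy assignment
    passed: bool        # result of evaluating the host against that scan
    groups: set = field(default_factory=set)


@dataclass
class Outcome:
    host: str
    result_stored: bool
    at_risk: bool
    forced_into_remediation: bool


def evaluate(host: Host, quarantine_switching: bool = True) -> Outcome:
    """Apply the rules from the guide text to one host.

    - Scan results are always stored.
    - A host that fails an Audit Only scan is never marked "at risk", so it is
      never forced into Remediation or Quarantine.
    - A failing host in the Forced Remediation Exceptions group is marked
      "at risk" but is never forced into remediation, whatever scan it failed.
    - With Quarantine switching disabled in FortiNAC Properties, no host is
      switched into remediation (the setting affects all hosts).
    """
    if host.passed:
        return Outcome(host.name, True, False, False)
    if host.scan.audit_only:
        # Results kept for review; host keeps network access.
        return Outcome(host.name, True, False, False)
    exempt = FORCED_REMEDIATION_EXCEPTIONS in host.groups
    forced = quarantine_switching and not exempt
    return Outcome(host.name, True, True, forced)


def blocked_hosts(hosts, quarantine_switching: bool = True) -> list:
    """Names of hosts that would lose network access under the given settings."""
    return [
        o.host
        for o in (evaluate(h, quarantine_switching) for h in hosts)
        if o.forced_into_remediation
    ]


# Constructed sample inventory, following the executive/administrative example
# in the guide: the executive scan is Audit Only, the administrative scan is not.
EXEC_SCAN = Scan("exec-baseline", audit_only=True)
ADMIN_SCAN = Scan("admin-baseline", audit_only=False)
SAMPLE_HOSTS = [
    Host("exec-laptop-01", EXEC_SCAN, passed=False),
    Host("admin-desktop-01", ADMIN_SCAN, passed=False),
    Host("admin-desktop-02", ADMIN_SCAN, passed=False,
         groups={FORCED_REMEDIATION_EXCEPTIONS}),
    Host("admin-desktop-03", ADMIN_SCAN, passed=True),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(evaluate(h))
    print("blocked with quarantine switching on:", blocked_hosts(SAMPLE_HOSTS))
    print("blocked with quarantine switching off:",
          blocked_hosts(SAMPLE_HOSTS, quarantine_switching=False))
```

Running the script shows the distinction the guide draws: the failing executive host is neither marked at risk nor blocked, the exception-group host is marked at risk but stays on the network, and only the unexempted administrative host that failed a non-audit scan is forced into remediation. Turning the global Quarantine switching setting off blocks nobody, which is why the two per-host options exist.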
