
Administration Guide

Add or modify a configuration

  1. Select Policy & Objects.
  2. Expand Endpoint Compliance.
  3. From the menu on the left, select Configuration.
  4. On the Endpoint Compliance Configurations window, click Add or select an existing configuration and click Modify.
  5. On the General tab, click in the Name field and enter a name for this configuration.
  6. Select a Scan from the drop-down menu. You can use the icons next to the Scan field to add a new scan or modify the scan shown in the drop-down menu. Note that if you modify this scan, it is modified for all features that make use of it. See Add or modify a scan.
  7. If you would like to add a list of installed applications to the host record, enable the Collect Application Inventory check box. This only applies to hosts that are assigned an agent. An application inventory cannot be generated for hosts unless an agent is in use.
  8. If you would like to add a whitelist of SSIDs that the endpoints can connect to, enable Restrict Wireless Connections to Specific SSIDs.
  9. If you would like the endpoint compliance scans to check for dual-homed connections, enable Detect Multihoming.
  10. If you would like to grant varying levels of access based on the host's role, select Advanced Scan Controls. This displays additional options that allow you to select and map a security action to scan success, failure, and warning. See Chaining configuration scans.

    You must have Security Incidents access enabled to use the Advanced Scan Controls feature.

  11. The Note field is optional.
  12. Click the Agent tab to select it.
  13. Select an agent for each operating system. You may choose not to use an agent for a particular operating system; however, scans can only be applied via an agent.
  14. No agent exists for some operating systems. In those cases, select either None-Deny Access or None-Bypass. Refer to the table below for information on each field.
  15. Click OK to save the configuration.
Settings

Field

Definition

General tab

Name

User specified name for this configuration.

Scan

Select the scan to be associated with this configuration. Hosts that match the endpoint compliance policy containing this configuration will be scanned with the selected Scan.

Collect Application Inventory

If enabled, the agent assigned to the host will collect information about installed applications and add that information to the host record. An application inventory cannot be generated for a host unless an agent is in use.

Advanced Scan Controls

If enabled, allows you to select a security action mapped to an endpoint compliance activity that will be taken based on scan results. See Chaining configuration scans.

Note

User specified note field. This field may contain notes regarding the conversion of policies from a previous version of FortiNAC.

Agent tab

Windows

macOS

Linux

Allows you to select a separate agent or treatment for each operating system. For example, a host with a Windows operating system may be scanned by the Persistent Agent while a host with a Mac operating system may be scanned with the Dissolvable Agent. See Determining host operating system.

The names of all the agent versions and types available on the appliance are included in the list. The .exe is recommended for user-interactive installation. The .msi is recommended for a managed, non-interactive installation.

Agent options include:

  • Persistent Agent: Hosts with this operating system are required to download and install the selected version of the Persistent Agent.
  • Dissolvable Agent: Hosts with this operating system are required to download and run the selected version of the Dissolvable Agent.
  • Latest Persistent Agent: Hosts with this operating system are required to download and install the highest version of the Persistent Agent available on the FortiNAC Application server. Using the Latest Persistent Agent option prevents you from having to update Policies each time a new Agent is released and loaded onto your server.
  • None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the matching operating system.
  • None-Bypass: No agent is assigned but hosts are allowed to access the network.

    If you select None-Bypass, hosts can register only if their IP address has been determined by FortiNAC. If IP address information has not been determined, FortiNAC cannot determine the physical address and will not allow that host on the network. Users see the following message: Registration Failed - Physical Address not Found.

Android

  • None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the matching operating system.
  • None-Bypass: No agent is assigned but hosts are allowed to access the network if they have the matching operating system.
  • Mobile Agent: Mobile devices detected running the Android operating system are required to download and install the Mobile Agent. These devices are automatically directed to the Mobile Agent Download page in the captive portal where the host is prompted to download the Mobile Agent from Google Play (Android).
  • Latest Mobile Agent: Hosts with this operating system are required to download and install the highest version of the Mobile Agent available. The Mobile Agent is downloaded from Google Play.

See Mobile Agent.

Settings For Operating Systems Without Agents

This section provides a list of additional operating systems and allows you to select treatment for each one. For example, iPod devices could be set to None-Bypass indicating that no agent is necessary and allowing that device to connect to the network. Options for additional platforms include:

  • None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the matching operating system.
  • None-Bypass: No agent is assigned but hosts are allowed to access the network if they have the matching operating system.

Use Set all to None-Bypass or Set all to None-Deny Access to modify settings for all additional platforms at once.

The last platform labeled Other is used as a catch-all for devices with new or unsupported operating systems. Any platform not listed in the Policy is treated as specified by the setting associated with Other.
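To make the Agent tab's resolution rules concrete, the following is an added Python model (not FortiNAC code) of how a host's operating system maps to a treatment: the Other catch-all for unlisted platforms, the Latest Persistent Agent version choice, and the None-Bypass registration precondition described above. The platform names, version numbers and agent labels in it are constructed sample values, and the `None-Bypass` audit helper is a hypothetical addition for reviewing how much of the fleet a configuration leaves unscanned.

```python
# Constructed sample of one configuration's Agent tab. Keys are platform names
# as shown on the tab; "Other" is the catch-all for unlisted operating systems.
AGENT_TAB = {
    "Windows": "Latest Persistent Agent",
    "macOS": "Dissolvable Agent 5.3.1",  # hypothetical version label
    "Linux": "None-Deny Access",
    "Android": "Mobile Agent",
    "iPod": "None-Bypass",
    "Other": "None-Deny Access",
}

# Constructed list of Persistent Agent versions loaded on the Application server.
PERSISTENT_AGENT_VERSIONS = ["5.2.0", "5.3.1", "5.3.10", "4.9.7"]


def highest_version(versions):
    """Return the numerically highest dotted version (5.3.10 beats 5.3.1,
    which a plain string sort would get wrong)."""
    return max(versions, key=lambda v: tuple(int(p) for p in v.split(".")))


def resolve_treatment(os_name, tab=AGENT_TAB, versions=PERSISTENT_AGENT_VERSIONS):
    """Map a detected operating system to its treatment, falling back to Other."""
    choice = tab.get(os_name, tab["Other"])
    if choice == "Latest Persistent Agent":
        return f"Persistent Agent {highest_version(versions)}"
    return choice


def registration_decision(os_name, ip_known, tab=AGENT_TAB,
                          versions=PERSISTENT_AGENT_VERSIONS):
    """Return (allowed, reason). None-Bypass still needs a determined IP address,
    because without it FortiNAC cannot resolve the physical address."""
    treatment = resolve_treatment(os_name, tab, versions)
    if treatment == "None-Deny Access":
        return (False, "denied: no agent for this operating system")
    if treatment == "None-Bypass":
        if not ip_known:
            return (False, "Registration Failed - Physical Address not Found")
        return (True, "allowed without agent (no scan applied)")
    return (True, f"scan via {treatment}")


def unscanned_platforms(tab=AGENT_TAB):
    """Hypothetical audit helper: platforms admitted with no scan at all.
    A configuration where this includes Other admits any unknown device unscanned."""
    return sorted(os for os, choice in tab.items() if choice == "None-Bypass")
```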
