Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Persistent Agent Deployment and Configuration

    Home FortiNAC 9.2.0 Persistent Agent Deployment and Configuration
    9.2.0
    9.4.0
    9.2.0
    9.1.0
    8.8.0
    8.7.0
    8.6.0
    8.5.0
    8.3.0

    Use Case 2: Agent Distributed Via Software Management (DNS Sub Domains)

    Use Case 2: Agent Distributed Via Software Management (DNS Sub Domains)

    The above example shows three locations:

    • Server 1P Application Server and Server 1S Application Server in a High Availability pair at Location A.

    • Server 2 Application Server at Location B.

    • Server 3 Application Server at Location C.

    • Production domain server with SRV records for locations A, B and C.

    • There are no ACLs configured between sites to block agent traffic.

    Use Case 2 Requirements

    • Single software image will be pushed to locations A & B.

    • Agent communications allowed with Locations A & B only.

    One SSL Certificate will be used for all FortiNAC appliances.

    Use Case 2 Recommended Settings and Configurations

    Persistent Agent Settings Configured via Software

    Security

    enabled

    Allowed Servers

    Server1P.a.domain.com

    Server1S.b.domain.com

    Server2.c.domain.com

    Restrict Roaming

    Enabled

    Login Dialog

    disabled

    System Tray Icon

    disabled

    FortiNAC Settings

    "Require Connected Adapter" Feature

    enabled

    Certificate Type for Persistent Agent Target

    SAN or wildcard Certificate

    Use Case 2 Scenarios: Persistent Agent Discovery - Host Connects to Location A

    Last Connected Server

    SRV Records Received

    Home Server

    (Default Location)

    Allowed Servers

    (none)

    1P

    (none)

    Server1P

    1S

    Server1S

    Server2

    Server Connection List Order

    Server1P (SRV and Allowed Servers List)

    Server1S (SRV and Allowed Servers List)

    Server2 (Next in Allowed Servers List)

    Since SRV records were received for 1P and 1S and they are part of the Allowed Servers list, they will be prioritized. Since both the Last Connected Server and Home Server entries are empty, the agent will then proceed to attempt connection based on the Allowed Servers list.

    Resulting behavior:

    1. Agent attempts to communicate with Server1P. Server1P is active and sees the host online so it responds.

    2. Both the Last Connected Server and Home Server entries are populated with Server1P.

    Last Connected Server

    Home Server

    (Default Location)

    Allowed Servers

    Server1P

    Server1P

    Server1P

    Server1S

    Server2

    The next time the agent attempts to communicate, unless the agent receives a DNS record from a different server in the list, the agent will try to connect to the Last Connected Server first.

    Use Case 2 Scenarios: Persistent Agent Discovery Roams from Location A to B

    Last Connected Server

    SRV Records Received

    Home Server

    (Default Location)

    Allowed Servers

    Server1P

    Server2

    Server1P

    Server1P

    Server1S

    Server2

    Server Connection List Order

    Server2 (SRV and in Allowed Servers List)

    Server1P (Last Connected Server and Home Server)

    Server1S (Next in Allowed Servers List)

    Resulting behavior:

    1. Agent attempts to communicate with Server2. Server2 is active and sees the host online so it responds.

    2. The Last Connected Server entry is updated to Server2.

    Last Connected Server

    Home Server

    (Default Location)

    Allowed Servers

    Server2

    Server1P

    Server1P

    Server1S

    Server2

    The next time the agent attempts to communicate, unless the agent receives a DNS record from a different server in the list, the agent will try to connect to the Last Connected Server first.

    Use Case 2 Scenarios: Persistent Agent Discovery Roams from Location B to C

    Last Connected Server

    SRV Records Received

    Home Server

    (Default Location)

    Allowed Servers

    Server2

    Server3

    Server1P

    Server1P

    Server1S

    Server2

    SRV record was received for Server3, but Server3 is not in the Allowed Servers List. Since Restrict Roaming is enabled, the agent will not attempt to connect to Server3.

    Server Connection List Order

    Server2 (Last Connected Server)

    Server1P (Home Server and first in Allowed Servers List)

    Server1S (Next in Allowed Servers List)

    Resulting behavior:

    1. Agent attempts to communicate with Server2. Server2 sees the host offline, so it directs the agent to try the next server.

    2. Agent attempts to communicate with Server1P. Server1P sees the host offline, so it directs the agent to try the next server.

    3. Agent attempts to communicate with Server1S. Server1S is in standby and does not respond.

    Previous
    Next

    Use Case 2: Agent Distributed Via Software Management (DNS Sub Domains)

    Use Case 2: Agent Distributed Via Software Management (DNS Sub Domains)

    The above example shows three locations:

    • Server 1P Application Server and Server 1S Application Server in a High Availability pair at Location A.

    • Server 2 Application Server at Location B.

    • Server 3 Application Server at Location C.

    • Production domain server with SRV records for locations A, B and C.

    • There are no ACLs configured between sites to block agent traffic.

    Use Case 2 Requirements

    • Single software image will be pushed to locations A & B.

    • Agent communications allowed with Locations A & B only.

    One SSL Certificate will be used for all FortiNAC appliances.

    Use Case 2 Recommended Settings and Configurations

    Persistent Agent Settings Configured via Software

    Security

    enabled

    Allowed Servers

    Server1P.a.domain.com

    Server1S.b.domain.com

    Server2.c.domain.com

    Restrict Roaming

    Enabled

    Login Dialog

    disabled

    System Tray Icon

    disabled

    FortiNAC Settings

    "Require Connected Adapter" Feature

    enabled

    Certificate Type for Persistent Agent Target

    SAN or wildcard Certificate

    Use Case 2 Scenarios: Persistent Agent Discovery - Host Connects to Location A

    Last Connected Server

    SRV Records Received

    Home Server

    (Default Location)

    Allowed Servers

    (none)

    1P

    (none)

    Server1P

    1S

    Server1S

    Server2

    Server Connection List Order

    Server1P (SRV and Allowed Servers List)

    Server1S (SRV and Allowed Servers List)

    Server2 (Next in Allowed Servers List)

    Since SRV records were received for 1P and 1S and they are part of the Allowed Servers list, they will be prioritized. Since both the Last Connected Server and Home Server entries are empty, the agent will then proceed to attempt connection based on the Allowed Servers list.

    Resulting behavior:

    1. Agent attempts to communicate with Server1P. Server1P is active and sees the host online so it responds.

    2. Both the Last Connected Server and Home Server entries are populated with Server1P.

    Last Connected Server

    Home Server

    (Default Location)

    Allowed Servers

    Server1P

    Server1P

    Server1P

    Server1S

    Server2

    The next time the agent attempts to communicate, unless the agent receives a DNS record from a different server in the list, the agent will try to connect to the Last Connected Server first.

    Use Case 2 Scenarios: Persistent Agent Discovery Roams from Location A to B

    Last Connected Server

    SRV Records Received

    Home Server

    (Default Location)

    Allowed Servers

    Server1P

    Server2

    Server1P

    Server1P

    Server1S

    Server2

    Server Connection List Order

    Server2 (SRV and in Allowed Servers List)

    Server1P (Last Connected Server and Home Server)

    Server1S (Next in Allowed Servers List)

    Resulting behavior:

    1. Agent attempts to communicate with Server2. Server2 is active and sees the host online so it responds.

    2. The Last Connected Server entry is updated to Server2.

    Last Connected Server

    Home Server

    (Default Location)

    Allowed Servers

    Server2

    Server1P

    Server1P

    Server1S

    Server2

    The next time the agent attempts to communicate, unless the agent receives a DNS record from a different server in the list, the agent will try to connect to the Last Connected Server first.

    Use Case 2 Scenarios: Persistent Agent Discovery Roams from Location B to C

    Last Connected Server

    SRV Records Received

    Home Server

    (Default Location)

    Allowed Servers

    Server2

    Server3

    Server1P

    Server1P

    Server1S

    Server2

    SRV record was received for Server3, but Server3 is not in the Allowed Servers List. Since Restrict Roaming is enabled, the agent will not attempt to connect to Server3.

    Server Connection List Order

    Server2 (Last Connected Server)

    Server1P (Home Server and first in Allowed Servers List)

    Server1S (Next in Allowed Servers List)

    Resulting behavior:

    1. Agent attempts to communicate with Server2. Server2 sees the host offline, so it directs the agent to try the next server.

    2. Agent attempts to communicate with Server1P. Server1P sees the host offline, so it directs the agent to try the next server.

    3. Agent attempts to communicate with Server1S. Server1S is in standby and does not respond.

    Previous
    Next