
Administration Guide

Properties

Use properties to set:

  • The host name of the server for Persistent Agent communication.
  • The Host group whose members receive the host name when they connect.
  • Whether to require an adapter to be connected to a device managed by FortiNAC in order to communicate.
  • Whether display notifications will be sent to the host.
  • Header and footer text for the Persistent Agent authentication page.
  • The amount of time that a CRL will be cached before retrieving a new CRL.
  • Status messages in the message box on the user's desktop.

You can also enter text for other message windows generated during Registration or Scanning.

To access Persistent Agent properties, go to System > Settings > Persistent Agent.

Settings

Primary Host Name

Fully qualified host name of the FortiNAC Application Server or the FortiNAC Server if you are not using a pair. It is pushed out to the connecting host(s) to ensure that the Persistent Agent is communicating with the correct host in a distributed environment.

In a high availability environment you must use the actual host name, not the shared host name.

This field is required for Agent Updates.

Secondary Host Name

This field is displayed only in a high availability environment and is used only in a failover situation.

Fully qualified host name of the secondary FortiNAC Application Server or the secondary FortiNAC Server if you are not using a pair. It is pushed out to the connecting host(s) to ensure that the Persistent Agent is communicating with the correct host in a distributed environment.

Use the actual host name and not the shared host name.

This field is required for Agent Updates.

Host Group for on-connect Host Name update

When hosts in this group connect to the network, they are given this Persistent Agent host name for communication between the host and the Persistent Agent server.

Require Connected Adapter

If enabled, the server will require one of the adapters reported by the agent to be connected to a device managed by FortiNAC in order to communicate. This eliminates the need to use ACLs to block access to a FortiNAC Application server when the host is connecting on a device managed by a different FortiNAC Control server/Application server pair.

The agent must be configured with security enabled. Requires Persistent Agent 4.0.3 or higher.

Allowed IP Subnets

When you have a client that is not detected as connected (e.g., a VPN-connected client), the agent cannot connect to the server while the Require Connected Adapter option is enabled.

You can configure specific subnets to allow the server to accept connections from any host connecting from an IP address within one of the subnets or from any connected adapter. Any IP address that the agent connects from will be checked against these subnets. If the IP address is within the range, it will be allowed to connect. This applies to all hosts connecting from the specified ranges.
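The admission decision described under Require Connected Adapter and Allowed IP Subnets, written out as an added example. This is not FortiNAC's own code: the class names, the sample MAC and IP values and the `managed_connected_macs` stand-in for the server's view of which adapters are connected on managed devices are all constructed for the illustration.

```python
"""Admission check for a Persistent Agent connection, modelled on the
Require Connected Adapter and Allowed IP Subnets settings.
Added illustration, not FortiNAC's code: class names, sample MAC/IP values
and the server's view of connected adapters are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AgentProperties:
    require_connected_adapter: bool = False
    # Allowed IP Subnets in CIDR notation (constructed sample values in main()).
    allowed_ip_subnets: list = field(default_factory=list)


@dataclass
class AgentReport:
    source_ip: str       # address the agent connected from
    adapter_macs: list   # adapters the agent reported


def _normalise(mac: str) -> str:
    return mac.replace("-", ":").lower()


def accept_agent(props: AgentProperties, report: AgentReport, managed_connected_macs):
    """Return (accepted, reason).

    managed_connected_macs is the set of MAC addresses the server currently sees
    connected on a device it manages (a constructed stand-in for that lookup).
    """
    if not props.require_connected_adapter:
        return True, "Require Connected Adapter is disabled"

    managed = {_normalise(m) for m in managed_connected_macs}
    if any(_normalise(mac) in managed for mac in report.adapter_macs):
        return True, "a reported adapter is connected on a managed device"

    # No connected adapter (e.g. a VPN client): fall back to Allowed IP Subnets.
    try:
        src = ipaddress.ip_address(report.source_ip)
    except ValueError:
        return False, f"unparseable source address {report.source_ip!r}"
    for cidr in props.allowed_ip_subnets:
        if src in ipaddress.ip_network(cidr, strict=False):
            return True, f"source {src} is within allowed subnet {cidr}"
    return False, "no connected adapter and source not in an allowed subnet"


if __name__ == "__main__":
    props = AgentProperties(require_connected_adapter=True,
                            allowed_ip_subnets=["10.200.0.0/16"])   # constructed VPN pool
    managed = {"00:11:22:33:44:55"}                                  # constructed
    for report in (
        AgentReport("192.0.2.10", ["00:11:22:33:44:55"]),   # wired host on a managed switch
        AgentReport("10.200.5.7", ["aa:bb:cc:dd:ee:ff"]),   # VPN client, no connected adapter
        AgentReport("192.0.2.10", ["aa:bb:cc:dd:ee:ff"]),   # host on a device another pair manages
    ):
        print(report.source_ip, accept_agent(props, report, managed))
```

Note that the subnet fallback applies to every host connecting from the listed ranges, exactly as the text states, so the ranges should be kept to the address pools that genuinely cannot be correlated with a managed port (such as a VPN pool) rather than a broad corporate range.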

Expiration

If enabled, the Persistent Agent uninstalls itself from the host once the selected date and time have passed.

Header

This text appears at the top of all message windows generated by the Persistent Agent.

Login Prompt

This text displays on the login window.

Login Prompt after Authentication Failure

This text appears in the message block received when a user has not been authenticated.

User Name Label

Controls the text that appears next to the User Name field on the login window.

Password Label

Controls the text that appears next to the Password field on the login window.

Footer

This text appears at the bottom of all message windows generated by the Persistent Agent.

CRL Cache Strategy

Defines the amount of time that a CRL will be cached before retrieving a new CRL.

  • Expire After Next Update. This is the default setting. Retrieves a new copy of the CRL when the date defined by the CA in the CRL has expired.
  • Expire After This Update. Select this option to define how many hours after the This Update date in the CRL a new CRL should be retrieved. If the number of hours entered is shorter than the This Update interval defined in the CRL, the CRL will be retrieved each time a scan occurs because the cached copy will always appear out of date. This may cause performance issues.
  • Poll for Changes. Sets the time interval to download a new CRL.
  • Update Cache. Lets you instantly retrieve a new CRL. This can be used when a certificate is revoked and you require a new CRL. Otherwise, the CRL is retrieved based on the defined Cache Strategy settings.

See Certificate validation.
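The effect of the CRL Cache Strategy options, and the every-scan re-download the Expire After This Update note warns about, as an added simulation. This is not FortiNAC's code: the strategy keys, the `FakeCa` publisher (which issues a new CRL once per period and reports nextUpdate = thisUpdate + period) and the weekly/12-hourly schedule are constructed. Update Cache is simply an immediate download and is not modelled.

```python
"""Simulates how often a CRL is downloaded under each CRL Cache Strategy.
Added example, not FortiNAC's code: strategy keys, the FakeCa publisher and
the scan schedule are constructed to show the caching behaviour."""
from datetime import datetime, timedelta, timezone


class CrlCache:
    """The cached CRL: its thisUpdate/nextUpdate fields and when we fetched it."""
    def __init__(self, this_update, next_update, fetched_at):
        self.this_update = this_update
        self.next_update = next_update
        self.fetched_at = fetched_at


class FakeCa:
    """Constructed CA that issues a new CRL every `period`; nextUpdate = thisUpdate + period."""
    def __init__(self, first_this_update, period):
        self.first = first_this_update
        self.period = period

    def current_crl(self, now):
        issued = (now - self.first) // self.period      # whole periods elapsed
        this_update = self.first + issued * self.period
        return this_update, this_update + self.period


def needs_refresh(cache, strategy, now, hours=None, poll_interval=None):
    """Decide whether the cached CRL counts as stale at time `now`."""
    if strategy == "expire_after_next_update":      # default: trust the CA's nextUpdate
        return now >= cache.next_update
    if strategy == "expire_after_this_update":      # stale N hours after thisUpdate
        return now >= cache.this_update + timedelta(hours=hours)
    if strategy == "poll_for_changes":              # stale once the poll interval elapsed
        return now - cache.fetched_at >= poll_interval
    raise ValueError(f"unknown strategy {strategy!r}")


def simulate_scans(strategy, scan_times, ca, hours=None, poll_interval=None):
    """Return how many CRL downloads the scan schedule causes under `strategy`."""
    cache, downloads = None, 0
    for t in scan_times:
        if cache is None or needs_refresh(cache, strategy, t, hours, poll_interval):
            this_update, next_update = ca.current_crl(t)
            cache = CrlCache(this_update, next_update, fetched_at=t)
            downloads += 1
    return downloads


# Constructed schedule: the CA publishes weekly; hosts are scanned every 12 h for two weeks.
START = datetime(2024, 1, 1, tzinfo=timezone.utc)
CA = FakeCa(START, period=timedelta(days=7))
SCAN_TIMES = [START + timedelta(hours=12 * i) for i in range(28)]


if __name__ == "__main__":
    print("expire after next update:",
          simulate_scans("expire_after_next_update", SCAN_TIMES, CA))
    # 24 h is shorter than the CA's 7-day interval: after day one every scan re-downloads,
    # because each fresh copy carries the same thisUpdate until the CA publishes again.
    print("expire after this update, 24 h:",
          simulate_scans("expire_after_this_update", SCAN_TIMES, CA, hours=24))
    print("expire after this update, 240 h:",
          simulate_scans("expire_after_this_update", SCAN_TIMES, CA, hours=240))
    print("poll every 3 days:",
          simulate_scans("poll_for_changes", SCAN_TIMES, CA, poll_interval=timedelta(days=3)))
```

With the 24-hour setting the run downloads the CRL on 26 of the 28 scans, against 2 downloads for the default strategy over the same fortnight; a value longer than the CA's own issuing interval (240 h here) behaves sensibly again.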

Agent Contact Window on Connect

Applies to host records identified as having the Persistent Agent installed.

Default value: 600 seconds

Time the agent on the endpoint device has to establish a connection with FortiNAC.

This window of time starts when the endpoint device’s host record status changes from offline to online.

When the allotted window of time has passed without communication:

  • Host record's agent status is set to "No Contact"

  • "Persistent Agent Not Communicating" event is generated

When the agent starts communicating again:

  • Host record's "No Contact" agent status is cleared

  • "Persistent Agent Communication Resumed" event is generated

[Diagram: Successful Connection / Unsuccessful Connection timelines for the on-connect window]

Agent Contact Window on Disconnect

Applies to host records identified as having the Persistent Agent installed.

Default value: 300 seconds

Time the agent on the online endpoint device has to communicate with FortiNAC.

This window of time starts once FortiNAC detects the TCP session with the agent has been broken.

When the allotted window of time has passed without communication:

  • Host record's agent status is set to "No Contact"

  • "Persistent Agent Not Communicating" event is generated

When the agent starts communicating again:

  • Host record's "No Contact" agent status is cleared

  • "Persistent Agent Communication Resumed" event is generated

[Diagram: Successful Connection / Unsuccessful Connection timelines for the on-disconnect window]

Agent Contact Window on Host Disconnect

Applies to host records identified as having the Persistent Agent installed.

Default value: 30 seconds

Time before clearing the "No Contact" agent status on an affected endpoint device's host record after disconnecting from the network.

This window of time starts when the endpoint device’s host record status changes from online to offline.

When the allotted window of time has passed:

  • Host record's "No Contact" agent status is cleared

[Diagram: Unsuccessful Connection, host disconnects from network (offline), "No Contact" agent status is cleared]
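The three contact windows above (on connect, on disconnect, on host disconnect) replayed against a host record, as an added example. This is not FortiNAC's code: the two event names are the ones the text quotes, but the record fields, the input event kinds (`host_online`, `agent_contact`, `session_lost`, `host_offline`, `tick`) and the timeline are constructed. Two behaviours the text leaves open are assumed and marked in comments: agent contact cancels a running window, and a host going offline drops an unexpired window rather than firing it.

```python
"""Simulation of the Agent Contact Window timers (on connect, on disconnect,
on host disconnect) against a host record. Added example, not FortiNAC's code:
the record fields, event kinds and timeline are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NOT_COMMUNICATING = "Persistent Agent Not Communicating"
RESUMED = "Persistent Agent Communication Resumed"
CLEARED = "status: No Contact cleared"   # status change only, not a FortiNAC event


@dataclass
class ContactWindows:
    on_connect: int = 600          # seconds; the page's default values
    on_disconnect: int = 300
    on_host_disconnect: int = 30


@dataclass
class HostRecord:
    online: bool = False
    no_contact: bool = False
    session_up: bool = False
    pending: Optional[str] = None     # which window is running
    deadline: Optional[int] = None    # when it expires
    events: List[Tuple[int, str]] = field(default_factory=list)


def _expire(rec: HostRecord, now: int) -> None:
    """Fire the running window if its deadline has passed by `now`."""
    if rec.pending is None or now < rec.deadline:
        return
    t = rec.deadline
    if rec.pending in ("connect", "disconnect"):
        rec.no_contact = True
        rec.events.append((t, NOT_COMMUNICATING))
    else:                                   # host_disconnect window
        rec.no_contact = False
        rec.events.append((t, CLEARED))
    rec.pending = rec.deadline = None


def _start(rec: HostRecord, window: str, deadline: int) -> None:
    rec.pending, rec.deadline = window, deadline


def _apply(rec: HostRecord, w: ContactWindows, t: int, kind: str) -> None:
    if kind == "host_online":               # offline -> online starts the connect window
        rec.online = True
        if not rec.session_up:
            _start(rec, "connect", t + w.on_connect)
    elif kind == "agent_contact":
        rec.session_up = True
        rec.pending = rec.deadline = None   # assumption: contact cancels a running window
        if rec.no_contact:
            rec.no_contact = False
            rec.events.append((t, RESUMED))
    elif kind == "session_lost":            # broken TCP session starts the disconnect window
        rec.session_up = False
        if rec.online:
            _start(rec, "disconnect", t + w.on_disconnect)
    elif kind == "host_offline":            # online -> offline
        rec.online = False
        rec.session_up = False
        if rec.no_contact:
            _start(rec, "host_disconnect", t + w.on_host_disconnect)
        else:
            rec.pending = rec.deadline = None   # assumption: an unexpired window is dropped
    elif kind != "tick":                    # "tick" only advances the clock
        raise ValueError(f"unknown event kind {kind!r}")


def run(timeline, windows: Optional[ContactWindows] = None):
    """Replay (time, kind) pairs given in chronological order; return generated events."""
    w = windows or ContactWindows()
    rec = HostRecord()
    for t, kind in timeline:
        _expire(rec, t)
        _apply(rec, w, t, kind)
    return rec.events


# Constructed timeline, times in seconds.
TIMELINE = [
    (0, "host_online"),        # connect window: agent must talk by t=600
    (100, "agent_contact"),    # it does; the window is cancelled
    (1000, "session_lost"),    # disconnect window: agent must talk by t=1300
    (1500, "agent_contact"),   # too late: No Contact set at 1300, then cleared here
    (2000, "session_lost"),    # second disconnect window, expires at 2300
    (2400, "host_offline"),    # host leaves while in No Contact: 30 s clean-up window
    (2500, "tick"),            # clock advances past 2430
]

if __name__ == "__main__":
    for t, name in run(TIMELINE):
        print(f"t={t:>5}s  {name}")
```

Replaying the constructed timeline yields Not Communicating at 1300 s, Communication Resumed at 1500 s, Not Communicating again at 2300 s, and the status clear at 2430 s (2400 s plus the 30-second host-disconnect window). For alert tuning, the on-connect window (600 s by default) is the value to watch: it bounds how long a newly online host can stay silent before the "Persistent Agent Not Communicating" event fires.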

VM Detection

None. When selected, a virtual machine that connects to the network as a bridged adapter is detected as a new device on the port.

Append to Host. When selected, the virtual machine adapters are added to the host as additional adapters.

When a Guest VM has been appended to the host as a virtual Guest adapter, the Guest VM will remain an adapter on that host until the Guest VM is manually deleted from the host, even if VM Detection is changed to None or Register as New Host.

Register as New Host. When selected, the virtual machine is automatically registered as a new host belonging to the same user as the host running the virtual machine, allowing default registration.

VM Platform Support by OS

Platform              Windows          OSX              Linux
Oracle VBox           Supported        Supported        Supported
VMware Workstation*   Supported        Not Supported    Supported
VMware Fusion         Not Supported    Supported        Not Supported

*VIX 1.5 must also be installed for Workstation Player

VMware requirements:

  • Virtual machine must be configured with a bridged network adapter.
  • VMware VIX must be installed.
  • VIX 1.5 must be installed for Workstation Player.
    • In %ProgramFiles(x86)%\VMWare\VMware VIX\vixwrapper-config.txt, set the 4th column (16.1.2 in the example below) to whichever version of Workstation or Player is installed.

      Example:

      ws 19 vmdb 16.1.2 Workstation-12.0.0
      player 19 vmdb 16.1.2 Workstation-12.0.0

Oracle VBox requirements

  • Oracle VM Virtualbox must be installed.

Linux hosts must be configured to run the Persistent Agent Daemon process as the logged-on user. To configure this, edit /etc/sysconfig/bndaemon, change DAEMON_USER from bndaemon to the currently logged-on user, and then restart the daemon service.

FortiNAC will register a detected VM guest with the same registration as the VM host. However, the VM guest will not inherit the authentication state of the VM host, and the guest OS will be subject to any authentication policies currently in place. This means that the guest OS may require separate authentication.

Display Notifications

Determines whether the popup notifications from the Persistent Agent, such as "VLAN switch taking place" or "Renewing IP", are displayed. When checked, the notifications are displayed on the host.

If unchecked, the notification fields below are hidden on this configuration view and on the host.

Successful Registration

This text appears in the message block received when a host has successfully registered. If you do not enter text, the message box does not appear for successful registrations.

Failed Registration

This text appears in the message block received when a host has failed the registration process. If you do not enter text, the message box does not appear for failed registrations.

Failed Scan

This text appears in the message block received when a host has failed a scan. If you do not enter text, the message box does not appear for failed scans.

Warning Message

This text appears in the message block received when a host has warning messages generated from a scan. If you do not enter text, the message box does not appear for warning messages.

Remediation

This text appears in the message block received when a host has been placed in the Remediation VLAN. If you do not enter any text, the message box does not appear.

No Valid Network Interfaces found

This text appears in the message block when the Persistent Agent cannot determine the MAC address of the interface used to connect to the network or if the MAC address for that interface is invalid. Default value for this field is blank. If you do not enter text, the message box does not appear for invalid MAC addresses.

Network Change Message

This text appears in the message block when the IP address for the host is being renewed. This can happen when the host is being moved from one VLAN to another.

Configure properties
  1. Click System > Settings.
  2. Expand the Persistent Agent folder.
  3. Select Properties from the tree.
  4. Use the information in the Settings table above to complete the fields.
  5. Click Save Settings.
