Properties

Fully qualified host name of the FortiNAC Application Server or the FortiNAC Server if you are not using a pair. It is pushed out to the connecting host(s) to ensure that the Persistent Agent is communicating with the correct host in a distributed environment.

In a high availability environment you must use the actual host name not the shared host name.

This field is required for Agent Updates.

This field is displayed only in a high availability environment and is used only in a failover situation.

Fully qualified host name of the secondary FortiNAC Application Server or the secondary FortiNAC Server if you are not using a pair. It is pushed out to the connecting host(s) to ensure that the Persistent Agent is communicating with the correct host in a distributed environment.

Use the actual host name and not the shared host name.

This field is required for Agent Updates.

When hosts in this group connect to the network, they are given this Persistent Agent host name for communication between the host and the Persistent Agent server.

If enabled, the server will require one of the adapters reported by the agent to be connected to a device managed by FortiNAC in order to communicate. This eliminates the need to use ACLs to block access to a FortiNAC Application server when the host is connecting on a device managed by a different FortiNAC Control server/Application server pair.

The agent must be configured with security enabled. Requires Persistent Agent 4.0.3 or higher.

When you have a client that is not detected as connected (e.g., a VPN-connected client), the agents cannot connect to the server when the the Require Connected Adapter option is enabled.

You can configure specific subnets to allow the server to accept connections from any host connecting from an IP address within one of the subnets or from any connected adapter. Any IP address that the agent connects from will be checked against these subnets. If the IP address is within the range, it will be allowed to connect. This applies to all hosts connecting from the specified ranges.

If enabled, the Persistent Agent uninstalls itself from the host once date and time selected have passed.

This text appears at the top of all message windows generated by the Persistent Agent.

This text displays on the login window.

This text appears in the message block received when a user has not been authenticated.

Controls the text that appears next to the User Name field on the log in window.

Controls the text that appears next to the Password field on the log in window.

This text appears at the bottom of all message windows generated by the Persistent Agent.

Defines the amount of time that a CRL will be cached before retrieving a new CRL.

• Expire After Next Update. This is the default setting. Retrieves a new copy of the CRL when the date defined by the CA in the CRL has expired.
• Expire After This Update. Select this option to define how long after the date defined as This Update in the CRL when a new CRL should be retrieved. If the number of hours entered is fewer than the This Update time interval defined in the CRL, the CRL will be retrieved each time a scan occurs because the CRL will appear out of date. This may cause performance issues.
• Poll for Changes. Sets the time interval to download a new CRL.
• Update Cache. Lets you instantly retrieve a new CRL. This can be used when a certificate is revoked and you require a new CRL. Otherwise, the CRL is retrieved based on the defined Cache Strategy settings.

See Certificate validation.

Applies to host records identified as having the Persistent Agent installed.

Default value: 600 seconds

Time the agent on the endpoint device has to establish a connection with FortiNAC.

This window of time starts when the endpoint device’s host record status changes from offline to online.

When the allotted window of time has passed without communication:

• Host record’s agent status is set to "No Contact"

• "Persistent Agent Not Communicating" event is generated

When agent starts communicating again:

• Host record’s "No Contact” agent status is cleared

• “Persistent Agent Communication Resumed” event is generated

Successful Connection

Unsuccessful Connection

Applies to host records identified as having the Persistent Agent installed.

Default value: 300 seconds

Time the agent on the online endpoint device has to communicate with FortiNAC.

This window of time starts once FortiNAC detects the TCP session with the agent has been broken.

When the allotted window of time has passed without communication:

• Host record’s agent status is set to "No Contact"

• "Persistent Agent Not Communicating" event is generated

When agent starts communicating again:

• Host record’s "No Contact” agent status is cleared

• “Persistent Agent Communication Resumed” event is generated

Successful Connection

Unsuccessful Connection

Applies to host records identified as having the Persistent Agent installed.

Default value: 30 seconds

Time before clearing the "No Contact” agent status on an affected endpoint device’s host record after disconnecting from the network.

This window of time starts when the endpoint device’s host record status changes from online to offline.

When the allotted window of time has passed:

• Host record’s "No Contact” agent status is cleared

Unsuccessful Connection

Host disconnects from network (offline)

"No Contact” agent status is cleared

None. When selected, a virtual machine that connects to the network as a bridged adapter is detected as a new device on the port.

Append to Host. When selected, the virtual machine adapters are added to the host as additional adapters.

When a Guest VM has been appended to the host as a virtual Guest adapter, the Guest VM will remain an adapter on that host until the Guest VM is manually deleted from the host, even if VM Detection is changed to None or Register as New Host.

Register as New Host. When selected, the virtual machine is automatically registered as a new host belonging to the same user as the host running the virtual machine, allowing default registration.

VM Platform Support by OS

VMware requirements:

• Virtual machine must be configured with a bridged network adapter.
• VMware VIX must be installed.
• *VIX 1.5 must be installed for Workstation Player
  • In %ProgramFilesx86%\VMWare\VMware VIX\vixwrapper-config.txt, set the 4th column (16.1.2 in the example below) to whichever version of workstation or player is installed.

    Example:

    ws 19 vmdb 16.1.2 Workstation-12.0.0
    player 19 vmdb 16.1.2 Workstation-12.0.0

Oracle VBox requirements

• Oracle VM Virtualbox must be installed.

Linux hosts must be configured to run the Persistent Agent Daemon process as the logged on user. To configure this, go to /etc/sysconfig/bndaemon and change DAEMON_USER from bndaemon to the current logged on user, and then restart the daemon service.

FortiNAC will register a detected VM guest with the same registration as the VM host. However, the VM guest will not inherit the authentication state of the VM host, and the guest OS will be subject to any authentication policies currently in place. This means that the guest OS may require separate authentication.

Determines whether the popup notifications from the Persistent Agent such as "VLAN switch taking place", or "Renewing IP", will be displayed. When checked the notifications are displayed on the host.

If unchecked, the notification fields below are hidden on this configuration view and on the host.

This text appears in the message block received when a host has successfully registered. If you do not enter text, the message box does not appear for successful registrations.

This text appears in the message block received when a host has failed the registration process. If you do not enter text, the message box does not appear for failed registrations.

This text appears in the message block received when a host has failed a scan. If you do not enter text, the message box does not appear for failed scans.

This text appears in the message block received when a host has warning messages generated from a scan. If you do not enter text, the message box does not appear for warning messages.

This text appears in the message block received when a host has been placed in the Remediation VLAN. If you do not enter any text, the message box does not appear.

This text appears in the message block when the Persistent Agent cannot determine the MAC address of the interface used to connect to the network or if the MAC address for that interface is invalid. Default value for this field is blank. If you do not enter text, the message box does not appear for invalid MAC addresses.