Fortinet black logo

Administration Guide

Persistent Agent on macOS

Persistent Agent on macOS

To take advantage of the Agent Security some settings must be configured on the host. Settings for Mac OS X hosts are configured in Preferences. At this time we do not have a recommendation for a tool to set preferences.

Security settings

The table below outlines settings that can be configured for Agent Security.

Setting

Options

Allowed Ciphers and Authentication Schemes

Indicates the cipher and authentication schemes that can be used.

CA Trust Length/ Depth

Indicates how deep a chain of certificates to allow between the server's certificate and the certificate's Central Authority.

CA File path

The absolute path to a file containing root and intermediate CA certificates in PEM format.

Security

Indicates whether security is enabled or disabled.

Note: This option is no longer available with agent 5.3 and greater. Security is always enabled.

Home Server

The fully qualified hostname of the default server with which the agent should communicate. If this server is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Allowed Servers

In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Server or FortiNAC Servers with which the agent can communicate.

Restrict Roaming

If enabled, the agent communicates only with its Home Server and servers listed under Allowed Servers.

If disabled, the agent searches for additional servers when the home server is unavailable.

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

Last Connected Server

Server that the agent last connected to and with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this server is not set, it is automatically discovered using Server Discovery.

Discover Servers, Priority, and Ports

Enable or Disable the Agent Discovery Features. Requires Persistent Agent 5.3.0 or newer.

Preferences

The table below shows the modifications that need to be made to the host's Preferences. If you use a tool other than GPO, you must make sure to set the appropriate keys on each host.

Value

Data

allowedServers

Comma-separated list of fully qualified hostnames with the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com).

Agents 10.7 and above: Port can also be specified (<Fully qualified hostname>:<port>). The default port if not specified is 4568.

Example: a.example.com:9001, b.example.com:4568, c.example.com:4985

Data Type: String

Default: Empty

homeServer

The fully qualified hostname of the default server with which the agent should communicate.

Example: a.example.com

Agents 10.7 and above: Port can also be specified (<Fully qualified hostname>:<port>). The default port if not specified is 4568.

Example: a.example.com:9001

Data Type: String

Default: Empty

restrictRoaming

0: Do not restrict roaming. Allow agent to communicate with any server.

1: Restrict roaming to the home server and the allowed servers list.

Data Type: Integer

Default: 0

securityEnabled

0: Disable Agent Security.

1: Enable Agent Security

Data Type: Integer

Default: 1

Agent 5.3 and greater: Security is always enabled.

ServerIP

The fully qualified hostname to which the agent should communicate.

Data Type: String

Default: ns8200

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Default: Not Configured

(Tray icon displayed)

Note

If both com.bradfordnetworks.bndaemon and com.bradfordnetworks.bndaemon.policy are configured on the system, the com.bradfordnetworks.bndaemon.policy configuration takes precedence over the com.bradfordnetworks.bndaemon configuration.

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

lastConnectedServer

The last server that the Agent successfully connected to. This will be automatically populated by the agent upon successfully connection to a server discovered through SRV records, or from homeServer, or allowedServers list. This value will remain unchanged until the lastConnectedServer is unreachable by the agent and the agent has connected to another server.

Data Type: String

Default: Empty

discoveryEnabled

Enable or Disable Discovery via SRV. The agent will search for SRV Records to prioritize servers and override default ports. If connections to servers are not limited, agents will connect to the discovered server names as well.

0: Disable Discovery.

1: Enable Discovery

Data Type: Integer

Default: 1

There are manual commands that can be used to modify the Preferences as follows:

  1. On the macOS host, navigate to a command prompt (Terminal).
  2. Before editing the preferences, it is recommended that you unload the launchDaemon plist. Type the following:

    sudo launchctl unload /Library/LaunchDaemons/com.bradfordnetworks.agent.plist

  1. To read the configuration, type the following:

    sudo defaults read /Library/Preferences/com.bradfordnetworks.bndaemon

  2. To write configuration values use the table above for the value names and type a command similar to the following:

    sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon homeServer -string qa225.bradfordnetworks.com

    In the example above, homeServer is the value name, -string is the data type, qa225.bradfordnetworks is the data or setting that should be added to Preferences.

  3. While some elements require a string data value, others require an integer data value. For these elements, type a command similar to the following:

    sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon restrictRoaming -int 1

    In the example above, restrictRoaming is the value name, -int is the value data type and 1 is the setting added to the value. In this case 1 is equal to enabled and 0 is disabled.

  4. To reload the launchDaemon plist, type the following:

    sudo launchctl load /Library/LaunchDaemons/com.bradfordnetworks.agent.plist

Persistent Agent on macOS

Persistent Agent on macOS

To take advantage of the Agent Security some settings must be configured on the host. Settings for Mac OS X hosts are configured in Preferences. At this time we do not have a recommendation for a tool to set preferences.

Security settings

The table below outlines settings that can be configured for Agent Security.

Setting

Options

Allowed Ciphers and Authentication Schemes

Indicates the cipher and authentication schemes that can be used.

CA Trust Length/ Depth

Indicates how deep a chain of certificates to allow between the server's certificate and the certificate's Central Authority.

CA File path

The absolute path to a file containing root and intermediate CA certificates in PEM format.

Security

Indicates whether security is enabled or disabled.

Note: This option is no longer available with agent 5.3 and greater. Security is always enabled.

Home Server

The fully qualified hostname of the default server with which the agent should communicate. If this server is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Allowed Servers

In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Server or FortiNAC Servers with which the agent can communicate.

Restrict Roaming

If enabled, the agent communicates only with its Home Server and servers listed under Allowed Servers.

If disabled, the agent searches for additional servers when the home server is unavailable.

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

Last Connected Server

Server that the agent last connected to and with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this server is not set, it is automatically discovered using Server Discovery.

Discover Servers, Priority, and Ports

Enable or Disable the Agent Discovery Features. Requires Persistent Agent 5.3.0 or newer.

Preferences

The table below shows the modifications that need to be made to the host's Preferences. If you use a tool other than GPO, you must make sure to set the appropriate keys on each host.

Value

Data

allowedServers

Comma-separated list of fully qualified hostnames with the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com).

Agents 10.7 and above: Port can also be specified (<Fully qualified hostname>:<port>). The default port if not specified is 4568.

Example: a.example.com:9001, b.example.com:4568, c.example.com:4985

Data Type: String

Default: Empty

homeServer

The fully qualified hostname of the default server with which the agent should communicate.

Example: a.example.com

Agents 10.7 and above: Port can also be specified (<Fully qualified hostname>:<port>). The default port if not specified is 4568.

Example: a.example.com:9001

Data Type: String

Default: Empty

restrictRoaming

0: Do not restrict roaming. Allow agent to communicate with any server.

1: Restrict roaming to the home server and the allowed servers list.

Data Type: Integer

Default: 0

securityEnabled

0: Disable Agent Security.

1: Enable Agent Security

Data Type: Integer

Default: 1

Agent 5.3 and greater: Security is always enabled.

ServerIP

The fully qualified hostname to which the agent should communicate.

Data Type: String

Default: ns8200

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Default: Not Configured

(Tray icon displayed)

Note

If both com.bradfordnetworks.bndaemon and com.bradfordnetworks.bndaemon.policy are configured on the system, the com.bradfordnetworks.bndaemon.policy configuration takes precedence over the com.bradfordnetworks.bndaemon configuration.

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

lastConnectedServer

The last server that the Agent successfully connected to. This will be automatically populated by the agent upon successfully connection to a server discovered through SRV records, or from homeServer, or allowedServers list. This value will remain unchanged until the lastConnectedServer is unreachable by the agent and the agent has connected to another server.

Data Type: String

Default: Empty

discoveryEnabled

Enable or Disable Discovery via SRV. The agent will search for SRV Records to prioritize servers and override default ports. If connections to servers are not limited, agents will connect to the discovered server names as well.

0: Disable Discovery.

1: Enable Discovery

Data Type: Integer

Default: 1

There are manual commands that can be used to modify the Preferences as follows:

  1. On the macOS host, navigate to a command prompt (Terminal).
  2. Before editing the preferences, it is recommended that you unload the launchDaemon plist. Type the following:

    sudo launchctl unload /Library/LaunchDaemons/com.bradfordnetworks.agent.plist

  1. To read the configuration, type the following:

    sudo defaults read /Library/Preferences/com.bradfordnetworks.bndaemon

  2. To write configuration values use the table above for the value names and type a command similar to the following:

    sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon homeServer -string qa225.bradfordnetworks.com

    In the example above, homeServer is the value name, -string is the data type, qa225.bradfordnetworks is the data or setting that should be added to Preferences.

  3. While some elements require a string data value, others require an integer data value. For these elements, type a command similar to the following:

    sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon restrictRoaming -int 1

    In the example above, restrictRoaming is the value name, -int is the value data type and 1 is the setting added to the value. In this case 1 is equal to enabled and 0 is disabled.

  4. To reload the launchDaemon plist, type the following:

    sudo launchctl load /Library/LaunchDaemons/com.bradfordnetworks.agent.plist