9.4.0

Default Endpoint Compliance Policy (Optional)

Endpoint compliance is a feature set used to ensure hosts connecting to the network comply with network usage requirements. Create a default VPN Endpoint Compliance Policy to:

  • Distribute an agent via captive portal for isolated machines that do not have an agent already installed. Note: If endpoints are expected to have an agent already installed prior to connecting, this function may not be required.

  • Scan the machine to determine if security requirements are met (Anti-Virus programs, operating system, etc.).

If these functions are not required, skip this step and proceed to Network Access Policies.

Create a Security Scan

  1. Navigate to Policy & Objects > Policy Configuration.

  2. Under Endpoint Compliance click Scans.

  3. Configure the scan to check for required programs and/or files. For more details, refer to the following section in the Administration Guide: Add or modify a scan.

    Note: Since a device remains in an isolated state until the scan completes, the complexity of the scan may introduce delays in the time it takes the remote user to complete the connection process.

Create Endpoint Compliance Configuration

Create an Endpoint Compliance Configuration to assign an agent and the security scan.

  1. Under the General tab, select the scan created for the VPN connection.

  2. For better performance, it is recommended to de-select Collect Application Inventory.

  3. Click the Agent tab.

  4. Select the agent type and version to provide to connecting computers that do not have an agent installed. There are three agent types:

  • Persistent Agent (PA): Installed on the user's PC and remains there, communicating with FortiNAC whenever the PC is on the network.

    Note: It is recommended to enable the Restrict Roaming Persistent Agent setting when connecting over VPN managed by FortiNAC. For details on this setting, refer to section Persistent Agent Settings of the Persistent Agent Configuration and Deployment reference manual in the Fortinet Document Library.

  • Dissolvable Agent (DA): Downloaded and installed every time the user connects to the network. After scanning the user's PC and reporting results to FortiNAC, the agent removes itself.

    Note:

    • It is recommended that users be sent to the download location through DNS and URL redirection.

    • It is recommended to disable split-tunneling for the VPN configured on the FortiGate. This ensures the user's browser is automatically redirected to the URL where they can download the run-once agent.

  • Mobile Agent: Installed on a handheld device running Android and remains there, communicating with FortiNAC whenever the device is on the network.

    Note: Because the vendor does not support the required features, mobile devices running iOS cannot connect through VPN.

For more details, refer to the following section in the Administration Guide: Add or modify a configuration.

Create User/Host Profile

Configure the User/Host Profile for the Endpoint Compliance policy.

  1. Create a new User/Host profile. See below for criteria options.

    Persistent Agent

    Required: Host [VPN Client: Yes]

    Optional: Add other criteria as desired, for example to avoid unwanted scanning of offline hosts that are not connected over VPN.

    Dissolvable Agent

    Required: Adapter [Connected: Offline]

    Optional:

    Host [Persistent Agent: No]

    Adapter [IP Address: <VPN IP subnets. Can use wildcard (*)>]

  2. Click OK.

For more details, refer to the following section in the Administration Guide: User/host profiles.

Note: Hosts connecting to VPN via a local SSID will not match the “VPN Client: Yes” criteria.

Create Endpoint Compliance Policy

Create the Endpoint Compliance policy using the User/Host Profile and Endpoint Compliance Configuration. Once created, adjust ranking as appropriate. For more details, refer to the following section in the Administration Guide: Add or Modify a policy.
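To make the profile criteria and ranking described above concrete, here is a small model of how the two User/Host Profiles (Persistent Agent and Dissolvable Agent) classify connecting hosts. This is an added illustration, not FortiNAC code: the host attribute names, the rule that every criterion added to a profile must match, first-match-by-rank evaluation, and the VPN subnet pattern `10.212.134.*` are all assumptions made for the example. It also exercises the caveat from the note above, a host reaching the VPN over a local SSID that does not satisfy "VPN Client: Yes".

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, List, Optional

# Constructed host records. The attribute names mirror the criteria named in
# the profile section (Host [VPN Client], Host [Persistent Agent],
# Adapter [Connected], Adapter [IP Address]); they are an assumption of this
# model, not FortiNAC's internal schema.
@dataclass
class Host:
    name: str
    vpn_client: bool            # Host [VPN Client: Yes/No]
    persistent_agent: bool      # Host [Persistent Agent: Yes/No]
    adapter_connected: str      # Adapter [Connected: Online/Offline]
    adapter_ip: Optional[str]   # Adapter [IP Address], None if unknown

# A criterion is a predicate over a host. Assumption of this model: every
# criterion added to a profile must match (the "Optional" criteria on the page
# are optional to add, but once added they take part in the match).
Criterion = Callable[[Host], bool]

@dataclass
class Profile:
    name: str
    rank: int                   # assumed: lower rank is evaluated first
    criteria: List[Criterion]

def host_vpn_client(expected: bool) -> Criterion:
    return lambda h: h.vpn_client == expected

def host_persistent_agent(expected: bool) -> Criterion:
    return lambda h: h.persistent_agent == expected

def adapter_connected(expected: str) -> Criterion:
    return lambda h: h.adapter_connected == expected

def adapter_ip_in(patterns: List[str]) -> Criterion:
    # Wildcard matching on the dotted-quad string, as the page's "(*)" describes.
    return lambda h: h.adapter_ip is not None and any(
        fnmatchcase(h.adapter_ip, pat) for pat in patterns)

def matching_profile(host: Host, profiles: List[Profile]) -> Optional[str]:
    """Return the name of the first profile (by rank) whose criteria all match."""
    for profile in sorted(profiles, key=lambda p: p.rank):
        if all(criterion(host) for criterion in profile.criteria):
            return profile.name
    return None

# Constructed placeholder for the VPN address pool; substitute the real pool.
VPN_SUBNETS = ["10.212.134.*"]

PROFILES = [
    # Persistent Agent profile: Required Host [VPN Client: Yes]
    Profile("VPN-PA", 1, [host_vpn_client(True)]),
    # Dissolvable Agent profile: Required Adapter [Connected: Offline], plus the
    # optional Host [Persistent Agent: No] and Adapter [IP Address] criteria
    Profile("VPN-DA", 2, [
        adapter_connected("Offline"),
        host_persistent_agent(False),
        adapter_ip_in(VPN_SUBNETS),
    ]),
]

# Constructed sample hosts covering the cases the page discusses.
HOSTS = [
    Host("pa-laptop", True, True, "Online", "10.212.134.10"),         # PA present, VPN Client: Yes
    Host("no-agent-laptop", False, False, "Offline", "10.212.134.25"),  # no agent: needs the DA
    Host("ssid-vpn-host", False, True, "Offline", "10.212.134.40"),    # VPN over a local SSID
    Host("home-offline-pc", False, False, "Offline", "192.168.1.20"),  # offline, but not on VPN
]

def evaluate_all(hosts=HOSTS, profiles=PROFILES) -> dict:
    """Map each host name to the profile it matches, or None."""
    return {h.name: matching_profile(h, profiles) for h in hosts}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:18} -> {result}")
```

Running it shows `pa-laptop` landing on the Persistent Agent profile, `no-agent-laptop` on the Dissolvable Agent profile, and the other two matching nothing: the SSID host fails "VPN Client: Yes" and still has a PA, and the home PC is offline but outside the VPN subnets, which is exactly what the optional IP Address criterion is there to exclude.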
