7.2.0

Linux Machines (Silent Onboard)

The Linux machine automatically registers upon connecting to the network once the installed Persistent Agent communicates with FortiNAC. This method is transparent to the end user.

How it Works:

  1. Device connects to the network.

  2. Persistent Agent initiates communication with FortiNAC.

  3. FortiNAC registers the device (does not associate device with user).

Note the Following:

  • This method can be used in conjunction with the Windows Domain Single-Sign-On method.

  • Logged on users are not tracked for Mac and Linux.

Requirements:

  • Agent Deployment Method: Software Management Program

  • Root access to the Linux machine

Review Software Modifiable Settings for the Persistent Agent for other settings that may need to be modified.

Configuration

  1. Navigate to System > Settings > Persistent Agent > Credential Configuration.

  2. Select “Enable Registration” and “Register as Device.”

  3. Configure any other necessary FortiNAC configurations. See FortiNAC Settings.

  4. Create the Persistent Agent Settings policy file to be pushed to Linux machines. This file will override the default settings.

    1. Install the Persistent Agent on a test machine. For instructions, see section Installation for Linux of the Administration Guide.

    2. In the test machine CLI, create the policy file PersistentAgentPolicy.conf by making a copy of PersistentAgent.conf:

      sudo cp /etc/xdg/com.bradfordnetworks/PersistentAgent.conf /etc/xdg/com.bradfordnetworks/PersistentAgentPolicy.conf

      Note: Root access is required. If already logged in as root, the use of “sudo” in the syntax is not required.

  5. Modify the new policy file with the appropriate Persistent Agent Settings. The following table provides recommended settings. Review Software Modifiable Settings for the Persistent Agent for additional options.

    vi PersistentAgentPolicy.conf

    Best practice: PersistentAgentPolicy.conf should be ASCII encoding. As of FortiNAC 8.7.0, UTF-8 can also be parsed.

    Recommended Persistent Agent Settings

    For details on these settings, see Persistent Agent on Linux in the Administration Guide.

    Option                 Value                 Function
    Home Server            homeServer            Name of FortiNAC appliance with which the agent must communicate.
    Allowed Servers        allowedServers        Needed if agent could potentially roam to multiple FortiNAC appliances (NCM environment or High Availability).
    Restrict Roaming       restrictRoaming       Agent will only communicate with server names provided by homeServer and allowedServers settings.
    Login Dialog           LoginDialogDisabled   Credential popup will not display to the user.
    System Tray Icon       ShowIcon              System tray icon will not display.
    Balloon Notifications  ClientStateEnabled    State change notifications will not display.

    Example

    allowedServers=a.example.com,b.example.com

    restrictRoaming=true

    ShowIcon=0

    ClientStateEnabled=0

    LoginDialogDisabled=1

  6. Push PersistentAgentPolicy.conf to the /etc/xdg/com.bradfordnetworks directory of Linux machines using a software management program.

  7. Push agent package to Linux machines using the software management program.
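The following POSIX shell script is an added example, not part of the FortiNAC documentation or product. It checks a PersistentAgentPolicy.conf before steps 6 and 7 push it to managed hosts: the file must be pure ASCII (the best practice stated above), restrictRoaming must be true and accompanied by at least one server name (homeServer or allowedServers), and the silent-onboard keys must carry the recommended values from the table. The sample policy it writes to a temp file is constructed to match the page's example; the helper names policy_get and check_policy are the script's own.

```shell
#!/bin/sh
# Added pre-deployment check for PersistentAgentPolicy.conf (example only, not
# part of the FortiNAC documentation or product). Verifies the documented
# best practice (pure ASCII) and that the recommended silent-onboard keys are
# present and consistent before the file is pushed to
# /etc/xdg/com.bradfordnetworks on managed Linux hosts.

# Print the value of KEY ($2) from FILE ($1): first match, whitespace around
# '=' ignored, empty output when the key is absent.
policy_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if FILE passes every check, 1 otherwise; each failure is printed.
check_policy() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }

    # ASCII best practice: count bytes outside 0x00-0x7F (must be zero).
    high=$(LC_ALL=C tr -d '\000-\177' < "$f" | wc -c | tr -d ' ')
    [ "$high" -eq 0 ] || { echo "FAIL: $high non-ASCII byte(s) present"; rc=1; }

    # A policy that restricts roaming but names no server would leave the
    # agent with no FortiNAC appliance it is allowed to talk to.
    home=$(policy_get "$f" homeServer)
    allowed=$(policy_get "$f" allowedServers)
    roam=$(policy_get "$f" restrictRoaming)
    [ "$roam" = "true" ] || { echo "FAIL: restrictRoaming=$roam (expected true)"; rc=1; }
    [ -n "$home$allowed" ] || { echo "FAIL: neither homeServer nor allowedServers is set"; rc=1; }

    # Recommended silent values from the settings table.
    for kv in LoginDialogDisabled=1 ShowIcon=0 ClientStateEnabled=0; do
        k=${kv%%=*}; want=${kv#*=}
        got=$(policy_get "$f" "$k")
        [ "$got" = "$want" ] || { echo "FAIL: $k=$got (expected $want)"; rc=1; }
    done

    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Constructed sample matching the page's example, written to a temp file so
# the script runs as-is. In practice pass the real policy file path instead.
sample=$(mktemp)
printf '%s\n' 'allowedServers=a.example.com,b.example.com' \
    'restrictRoaming=true' 'ShowIcon=0' 'ClientStateEnabled=0' \
    'LoginDialogDisabled=1' > "$sample"
check_policy "$sample"
rm -f "$sample"
```

Run it on the test machine after editing the file (for example `check_policy /etc/xdg/com.bradfordnetworks/PersistentAgentPolicy.conf` after sourcing the script); a non-zero exit means the file should not be pushed yet. The ASCII check uses byte counting rather than a locale-aware tool so it behaves the same on minimal images that lack `iconv` or `file`.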

Validate

  1. Connect host to network.

  2. Search for the Linux machine in Users & Hosts > Hosts.

  3. Verify the following:

    • Host record displays as registered.

    • UserID is displayed under “Logged On User” column.

    • The appropriate Endpoint Compliance Policy matches (right-click the host and select Policy Details).

    • The applicable scan runs (right-click the host and select Host Health).

    • The scan result accurately reflects the machine posture (e.g., does the scan pass when it should have failed?).

If any of the above do not work as expected, see KB article Troubleshooting the Persistent Agent.

After the network has been enforced:

  1. Leave “Register as Device” enabled.

  2. Create a scan policy that checks for a specific value defining the asset.

  3. Do one of the following:

    1. Enable Forced Remediation. If the host fails the scan, the host will register. However, it will be marked “At Risk” and placed in an Isolation VLAN.

    2. Forced Remediation alternative: send an email notification for the Security Risk Host event. Note: if Forced Remediation is not used, non-domain machines with the Persistent Agent that auto register may gain access to the production network.