Technical Tip: Quickly isolate hosts that have disabled or uninstalled the Persistent Agent
Description
This article describes the configuration steps required to quickly isolate hosts whose Persistent Agent was initially communicating but has since stopped doing so. The host's compliance status may have changed in the meantime, so it may be a requirement to place the host in Remediation until agent communication is restored and the host is checked again for compliance.
Scope
FortiNAC and Persistent Agent.
Solution
There is no built-in procedure to isolate a host whose status suddenly changes to agent non-communicating. A User Host Profile can be created with a condition that checks the agent communication status, but it takes effect only when the host connects for the first time or when a policy evaluation is triggered for that host.

To obtain a faster reaction, an Event Mapping can be created that immediately changes the host status to 'At-Risk' as soon as a 'Persistent Agent Not Communicating' event is generated.

The default timers for generating these events can be customized in System -> Settings -> Persistent Agent -> Properties -> 'Agent Contact Window on Connect' and 'Agent Contact Window on Disconnect'.

Note: It is not recommended to reduce these values excessively, as network behavior and latency may cause false positive events.
During the configuration phase, this behavior can easily be emulated by stopping the agent service 'FortiNAC Persistent Agent Service' on the host. The resulting actions can be monitored under Events.

Approximately 10 minutes after the agent service is stopped and keepalive messages go unanswered, the event is triggered and the host is marked 'At Risk'. Because the host status has changed, remediation is enforced and the host is moved to the Remediation VLAN.
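To illustrate why the contact window matters, the following Python model (added here; it is not FortiNAC code, and the keepalive records and window values are constructed) replays sample agent keepalives and applies the flow described above: no keepalive within the window raises the 'Persistent Agent Not Communicating' event, which the Event Mapping turns into 'At-Risk'. Evaluating the same records with a 5-minute window flags a host that was merely slow to report, which is the false-positive risk the note above warns about.

```python
from datetime import datetime, timedelta

# Constructed sample keepalive records (host, ISO timestamp) for three hosts.
# Illustrative model of the article's flow only, not FortiNAC's own logic.
KEEPALIVES = [
    ("host-a", "2024-01-01T10:00:00"),
    ("host-a", "2024-01-01T10:05:00"),
    ("host-a", "2024-01-01T10:10:00"),   # still reporting normally
    ("host-b", "2024-01-01T10:00:00"),
    ("host-b", "2024-01-01T10:04:00"),   # agent service stopped after this
    ("host-c", "2024-01-01T10:00:00"),
    ("host-c", "2024-01-01T10:09:30"),   # late keepalive (latency), still alive
]

NOT_COMMUNICATING = "Persistent Agent Not Communicating"


def evaluate_at(keepalives, now_iso, window_minutes=10):
    """Evaluate every host at time `now_iso`.

    A host whose most recent keepalive is older than the Agent Contact
    Window raises the 'Persistent Agent Not Communicating' event, which
    the Event Mapping turns into the 'At-Risk' status. Hosts inside the
    window keep their current status (no event). Returns {host: (status, event)}.
    """
    now = datetime.fromisoformat(now_iso)
    window = timedelta(minutes=window_minutes)
    last_seen = {}
    for host, ts in keepalives:
        seen = datetime.fromisoformat(ts)
        # Ignore records from the future and keep only the newest per host.
        if seen <= now and seen > last_seen.get(host, datetime.min):
            last_seen[host] = seen
    result = {}
    for host, seen in last_seen.items():
        if now - seen > window:
            result[host] = ("At-Risk", NOT_COMMUNICATING)
        else:
            result[host] = ("Unchanged", None)
    return result


if __name__ == "__main__":
    for minutes in (10, 5):
        print(f"--- Agent Contact Window: {minutes} min ---")
        verdicts = evaluate_at(KEEPALIVES, "2024-01-01T10:15:00", minutes)
        for host, (status, event) in sorted(verdicts.items()):
            print(f"{host}: {status} {event or ''}".rstrip())
```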
