jbrines
Explorer II
April 3, 2025
Question

FortiNAC Compliance Send a message if Windows OS is not up to date

  • April 3, 2025
  • 1 reply
  • 1848 views

Hi Guys,

New to FortiNAC.

Looking to do a compliance check using the Persistent Agent to detect if the Windows OS is up to date and, if it isn't, send a message telling the user to update.

The end goal after this would be to keep the computer in the Registration VLAN, which would have access to our WSUS server where they could download and update their computer.

John

1 reply

AEK
SuperUser
April 3, 2025

Hello John

When configuring the endpoint compliance, go to the "Windows" tab, category Operating-System, and select all Windows versions you want.

[image: epcomp.png]

Then to configure the "update" policy, click on the operating system name you want (e.g.: "Windows-11" in blue) and select how the compliance checks the Windows patches and updates.

Then in order to put a client in quarantine when it is not compliant, configure the isolation VLAN number (or name) of the "Quarantine" in the model configuration of the switch or AP.

[image: isol.png]

Also in the L2 device (switch-port or SSID), edit the group membership and add "Forced Remediation".

[image: portgrp.png]

For your client to be able to access the WSUS server when it is in the quarantine VLAN, you need to open the required flow from the quarantine VLAN to the WSUS server (or a specific destination on the WAN).

AEK
jbrines (Author)
Explorer II
April 3, 2025

Hi @AEK ,

Thanks for this.

To start with, I would like to send notifications to the computers first; once I am happy that is working, I could do the quarantine part after that.

For the VLAN part I will discuss with our Managed FortiGate Services Team to set up the access to the WSUS server.

Thanks

John

AEK
SuperUser
April 3, 2025

Hi John

For the notifications, go to Logs > Events & Alarms > Mappings; there you should find an event on "compliance failure" (I don't have the exact event name). Otherwise click "Add" to create it (or any other event you need), and configure any notification you want for the event.

Also, as far as I remember, once a user is quarantined they should automatically see a portal where they can read the reason for which they are quarantined. Sorry, I don't remember well because I haven't used FNAC in a while.

AEK