Fortinac-F Persistent Agent Problem

Forum|Forum|7 months ago
October 21, 2025
2 replies
729 views

I am using Fortinac F version 7.2. I have the following issue. A user joins the network using a persistent agent. They obtain an IP address from the relevant VLAN to which the necessary policies are applied. However, when the user removes the persistent agent, instead of being moved to quarantine, they continue to obtain an IP address from the same VLAN.

FortiNAC

ebilcari

Staff

There is no built-in procedure to isolate hosts that suddenly do not have a communicating agent. A UHP can be created with a condition to check the agent communication status but this will take affect only after a policy evaluation is triggered for that host.
To achieve quicker results, you can create an Event Mapping that immediately changes the host status to 'At-Risk' as soon as an event is received (default is 300 seconds):

mapping risk.PNG

Emirjon

rcpdkcAuthor

Explorer II

I created a rule as shown in the image from the User/Host Profiles tab. However, this time it keeps going into quarantine even though it's an agent. It automatically fixes itself after 2-3 minutes, then goes back into quarantine. It keeps disconnecting even though it has a persistent agent connection.

AEK

SuperUser

According to the described behavior, I guess the agent can communicate when in isolation, and can't communicate when in prod VLAN. You can confirm with tcpdump.

AEK

rcpdkcAuthor

Explorer II

First, I checked this. The agent can communicate on both the quarantine VLAN and the production VLAN. However, even though there are no obstacles on the production VLAN, the instantaneous flow is interrupted and it goes into quarantine. The moment I added the agent connection check from the Newtrok access menu, the query fires almost once a minute.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded