nflnetwork29
Explorer III
November 18, 2024
Question

NAC - create initial endpoint policy

  • November 18, 2024
  • 3 replies
  • 1501 views

Is there any sample of an initial endpoint policy for NAC-F? I just want to see what a very simple, basic initial policy looks like. Assuming this would be some sort of posture check? What is the most common policy type that is being used for a simple deployment? Thanks,

3 replies

ebilcari
Staff
November 19, 2024

As a start you have to deploy the agent (usually for enterprise networks) as shown in the PA deployment guide. After making sure that the agent can communicate with FNAC, you can create Scans and include them in an Endpoint Compliance Policy. Usually the Scan contains checks related to Antivirus and the OS having the latest updates, but many other options are available.

Emirjon
nflnetwork29
Explorer III
December 4, 2024

@ebilcari When you say agent can this be company devices which are already managed by EMS? Would this cancel out any requirement for additional agent to be installed on the endpoint?

Hatibi
Staff & Editor
November 19, 2024

This is a use case provided in Fortinet Docs: https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/605737/use-case

You can test something similar for another application or process.

sjoshi
Staff
December 4, 2024

For an initial endpoint policy in FortiNAC, a common and simple policy type used for a basic deployment is typically a posture check policy. This policy would involve checking basic security requirements such as antivirus presence, firewall status, and operating system updates. A sample initial endpoint policy could include criteria like antivirus software installed, firewall enabled, and OS patches up to date. This basic posture check helps ensure that devices connecting to the network meet minimum security standards before being granted access.

Thanks, Salon
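A toy model of the posture-check policy sjoshi describes, added here as an illustration and not code from this thread or from Fortinet: three scan criteria (antivirus installed, firewall enabled, OS patches current) evaluated against constructed endpoint reports, failing closed when the agent has not reported. The 30-day patch window, the field names and the allow/isolate labels are assumptions, not FortiNAC settings.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_PATCH_AGE = timedelta(days=30)  # assumed threshold, not a FortiNAC default


@dataclass
class EndpointReport:
    """Constructed agent report for one host (hypothetical field names)."""
    host: str
    agent_present: bool
    av_installed: bool = False
    firewall_enabled: bool = False
    last_os_patch: Optional[date] = None


def scan_checks(report: EndpointReport, today: date) -> dict:
    """Run the three basic scan checks; a missing patch date counts as failed."""
    patch_ok = (
        report.last_os_patch is not None
        and today - report.last_os_patch <= MAX_PATCH_AGE
    )
    return {
        "antivirus_installed": report.av_installed,
        "firewall_enabled": report.firewall_enabled,
        "os_patches_current": patch_ok,
    }


def evaluate_policy(report: EndpointReport, today: date) -> tuple:
    """Return (decision, failed_checks). No agent data means the scan cannot
    run, so the host is isolated rather than silently allowed (fail closed)."""
    if not report.agent_present:
        return "isolate", ["agent_not_reporting"]
    results = scan_checks(report, today)
    failed = sorted(name for name, ok in results.items() if not ok)
    return ("allow" if not failed else "isolate"), failed


# Constructed sample endpoints for a quick run.
TODAY = date(2024, 12, 4)
SAMPLE = [
    EndpointReport("laptop-01", True, True, True, date(2024, 11, 20)),
    EndpointReport("laptop-02", True, True, False, date(2024, 9, 1)),
    EndpointReport("printer-07", False),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.host, *evaluate_policy(r, TODAY))
```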
nflnetwork29
Explorer III
December 4, 2024

Do we need to install an agent, or can I just use the existing FortiClient / EMS?

Hatibi
Staff & Editor
December 5, 2024

Endpoint compliance in FortiNAC works only with the persistent agent.

However, you can use the EMS integration to register compliant hosts. In that case you will not use endpoint compliance policies in FortiNAC, since the compliance check is done by EMS. FortiNAC simply receives the information from EMS that the endpoint is compliant or not and then enforces control.

So yes, you can use the existing FortiClient/EMS integration with FortiNAC to enforce control for endpoints deemed compliant in EMS.

Check this for a comparison: https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-Persistent-Agent-comparison-to-FortiClient-EMS-MDM/ta-p/348726