This article describes how Monitoring for Custom scans behaves and provides guidance on configuring and troubleshooting it.
Custom scans can be created and used in Endpoint Compliance Policies to check for specific settings or configurations in the end host. Depending on the Operating System, there are multiple options available like domain check, installed certificates, files, process, registry settings, etc.
In addition, Custom scans can be monitored much more frequently (at intervals of minutes or even seconds) than the standard full scan, which runs only on 'Scan on Connect' or when a Scheduled Scan is triggered. Monitors are also lighter on the host: they are partial checks run periodically by the Persistent Agent, rather than full scans triggered by the FortiNAC Scheduler.
Scope: FortiNAC and Persistent Agent.
In this example, two native Windows programs are chosen to illustrate the behavior. In order to be compliant the host needs to have Notepad open and Paint closed.
A custom scan can be created in Policy & Objects -> Scans -> 'Custom Scans'. The example below shows the Custom scan that checks that the Notepad program is running in the end host.
A second, similar Custom scan is created to check that the Paint program is not running; the only difference from the previous example is the Scan Type, which is set to Prohibited-Processes.
Both Custom scans are included in a Scan rule and enabled for monitoring. For testing purposes, a Monitor Interval of 1 minute is configured. In a production environment with a large number of hosts, such a short interval needs proper planning before it is applied, because every host re-evaluates and reports at that rate.
The timestamps of the monitor evaluations can be checked in the agent logs on the end host. In this example (log viewed from PowerShell in 'follow' mode), the monitor status is evaluated every minute:
PS C:\Users\gimi> Get-Content "C:\ProgramData\Bradford Networks\general.txt" -Wait -tail 1
2024-12-07 16:27:46 UTC :: Detected Server Version: 0
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Requested: 6.1 System: 6.3 Delim: .
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Returning: false
2024-12-07 16:28:06 UTC :: Debug: DelimVersionTask Failed
2024-12-07 16:28:06 UTC :: Debug: andTask Failed
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Requested: 6.3 System: 6.3 Delim: .
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Returning: true
2024-12-07 16:28:06 UTC :: Debug: DelimVersionTask Passed
2024-12-07 16:28:06 UTC :: Debug: GetRegistryEntryTask Passed
2024-12-07 16:28:06 UTC :: Debug: notTask Passed
2024-12-07 16:28:06 UTC :: Debug: ProcessExistsTask Failed
2024-12-07 16:28:06 UTC :: Debug: andTask Failed
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Requested: 10 System: 10 Delim: .
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Returning: true
2024-12-07 16:28:06 UTC :: Debug: GetRegistryEntryTask Passed
2024-12-07 16:28:06 UTC :: Debug: ProcessExistsTask Passed
2024-12-07 16:28:06 UTC :: Debug: andTask Passed
2024-12-07 16:28:06 UTC :: Debug: orTask Failed
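The following PowerShell is an added example for this article, not code from the Persistent Agent or from Fortinet. It does two things a practitioner typically wants while troubleshooting monitors: it parses agent log lines in the format shown above to list each evaluation cycle and the seconds elapsed since the previous one (so the configured Monitor Interval can be compared with what the agent actually did), and it evaluates the same "Notepad running and Paint not running" condition locally so the expected result can be compared with what the agent reported. It assumes the final 'orTask' line marks the end of one evaluation cycle, as in the excerpts on this page, and that the process names are 'notepad' and 'mspaint'; the sample log lines are constructed, not a real capture.

```powershell
# Added example (not part of the original article or the FortiNAC agent).
# Assumes one "orTask Passed|Failed" line per monitor evaluation cycle, as in
# the general.txt excerpts in the article.

function Get-MonitorEvaluations {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )
    # Agent log format: "YYYY-MM-DD HH:MM:SS UTC :: Debug: <Task> <Passed|Failed>"
    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC :: Debug: orTask (?<result>Passed|Failed)$'
    $events = foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
                Passed    = ($Matches.result -eq 'Passed')
            }
        }
    }
    $events = @($events | Sort-Object Timestamp)
    $previous = $null
    foreach ($e in $events) {
        # Gap to the previous cycle; compare this with the Monitor Interval in the Scan rule.
        $gap = if ($null -eq $previous) { $null } else { ($e.Timestamp - $previous.Timestamp).TotalSeconds }
        [pscustomobject]@{
            TimestampUtc         = $e.Timestamp
            Passed               = $e.Passed
            SecondsSincePrevious = $gap
        }
        $previous = $e
    }
}

function Test-ExampleCompliance {
    # Mirrors the article's policy: Notepad must be running (Running-Processes scan)
    # and Paint must not be running (Prohibited-Processes scan).
    # Process names are assumptions matching the example; adjust to your scan definitions.
    $notepad = Get-Process -Name 'notepad' -ErrorAction SilentlyContinue
    $paint   = Get-Process -Name 'mspaint' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NotepadRunning = [bool]$notepad
        PaintRunning   = [bool]$paint
        Compliant      = ([bool]$notepad) -and (-not [bool]$paint)
    }
}

# Constructed sample log lines (not a real capture) in the agent's format:
# a passing cycle, then two failing cycles one minute apart.
$sample = @(
    '2024-12-07 16:27:06 UTC :: Debug: andTask Passed',
    '2024-12-07 16:27:06 UTC :: Debug: orTask Passed',
    '2024-12-07 16:28:06 UTC :: Debug: ProcessExistsTask Passed',
    '2024-12-07 16:28:06 UTC :: Debug: andTask Passed',
    '2024-12-07 16:28:06 UTC :: Debug: orTask Failed',
    '2024-12-07 16:29:06 UTC :: Debug: orTask Failed'
)

Get-MonitorEvaluations -LogLines $sample | Format-Table -AutoSize

# Against the live agent log instead of the sample:
# Get-MonitorEvaluations -LogLines (Get-Content 'C:\ProgramData\Bradford Networks\general.txt') | Format-Table -AutoSize

# Local view of the same condition the monitors check, for comparison with the agent's verdict.
Test-ExampleCompliance
```

If SecondsSincePrevious is consistently larger than the configured Monitor Interval, the agent is not evaluating at the expected rate (for example because the Scan rule is not applied to that host); if Test-ExampleCompliance disagrees with the agent's last orTask result, the scan definition (process name, scan type) is the first thing to recheck.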
After Paint is opened on the end host, the host status in the FortiNAC UI changes to 'At Risk', with 'Failed Monitors' as the reason:
To see the corresponding Persistent Agent activity on the FortiNAC side (matching the agent logs on the end host), enable the 'PersistentAgent' debug and follow the log as shown below. Note that the agent log is stamped in UTC while the FortiNAC log lines below are one hour ahead (17:28:06 versus 16:28:06): this is the timezone offset between the two systems, not a processing delay. The debug output is verbose, so disable it once troubleshooting is finished.
fnac # diagnose debug plugin enable PersistentAgent
fnac # diagnose tail -f output.nessus
yams.PersistentAgent.netty FINE :: 2024-12-07 17:28:06:911 :: #170295 :: [id: 0x440782e3, L:/10.1.2.50:4568 - R:/10.1.3.11:56196] FLUSH
yams.PersistentAgent FINER :: 2024-12-07 17:28:06:923 :: #45 :: Entering PersistentAgentServer dead monitor check
yams.PersistentAgent FINER :: 2024-12-07 17:28:06:936 :: #45 :: Dead Monitor Check Calling PersistentAgent.getMonitorsXML(test-scan,Windows)
yams.PersistentAgent FINER :: 2024-12-07 17:28:06:938 :: #45 :: MonitorResult:client = , gimi - win10-ffm atRisk = true passed = false ID = test-scan::Windows::Prohibited-Processes::NoPaint
yams.PersistentAgent FINER :: 2024-12-07 17:28:06:938 :: #45 :: ProcessThread[7] Done processing packet from IP = 10.1.3.11 Verb = Monitor-Result queue = 0
After the user closes Paint on the end host, the agent reports the monitor status change to FortiNAC. On receiving this update, FortiNAC removes the failed monitor and triggers a full scan of the host in order to change the host status from 'At Risk' back to normal. The actions can also be verified through the logs:
Agent logs in the end host:
2024-12-07 16:36:16 UTC :: Debug: ProcessExistsTask Failed
2024-12-07 16:36:16 UTC :: Debug: andTask Failed
2024-12-07 16:36:16 UTC :: Debug: orTask Passed
Logs in FortiNAC:
yams.PersistentAgent.netty FINE :: 2024-12-07 17:36:16:557 :: #170295 :: [id: 0x440782e3, L:/10.1.2.50:4568 - R:/10.1.3.11:56196] READ COMPLETE
yams.PersistentAgent.Default TCP FINE :: 2024-12-07 17:36:16:557 :: #79 :: Calling listeners
yams.PersistentAgent FINE :: 2024-12-07 17:36:16:558 :: #170297 :: Entered handleIncomingAgentPacket
yams.PersistentAgent FINE :: 2024-12-07 17:36:16:558 :: #170297 :: incomingagentpacket processing
...
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:580 :: #45 :: Entering PersistentAgentServer dead monitor check
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:600 :: #45 :: Dead Monitor Check Calling PersistentAgent.getMonitorsXML(test-scan,Windows)
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:604 :: #45 :: MonitorResult:client = , gimi - win10-ffm atRisk = true passed = true ID = test-scan::Windows::Prohibited-Processes::NoPaint
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:605 :: #45 :: , gimi - win10-ffm Removing test-scan::Windows::Prohibited-Processes::NoPaint from FailedMonitors
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:655 :: #45 :: clearScanList() Removing policy test-scan from 00:76:6F:6C:23:01
yams.PersistentAgent.ScanList FINE :: 2024-12-07 17:36:16:655 :: #45 :: ScanList():: Removing policy test-scan from 00:76:6F:6C:23:01
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:686 :: #45 :: sendPolicy , gimi - win10-ffm record.ip = 10.1.3.11 policy Name = test-scan
Note:
When the host fails a monitor, the 'At-Risk' status is applied immediately, without triggering a full scan. A full scan is only triggered when the monitor passes again, in order to clear the 'At-Risk' status.
Related articles:
Technical Tip: Custom Scan will not be disabled
Troubleshooting Tip: Agent logs on end hosts
Technical Tip: 'State based Control' concept and VLAN changes
Copyright 2024 Fortinet, Inc. All Rights Reserved.