FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 363190
Description

 

This article explains the benefits of Monitoring for Custom Scans and provides guidance on configuring and troubleshooting it.

 

Custom scans can be created and used in Endpoint Compliance Policies to check for specific settings or configurations in the end host. Depending on the Operating System, there are multiple options available like domain check, installed certificates, files, process, registry settings, etc.

 

In addition, Custom scans can be monitored far more frequently (at intervals of minutes or seconds) than the standard full scan, which runs only on 'Scan on Connect' or when a Scheduled Scan is triggered. Monitors also perform better because they are partial checks run periodically by the Persistent Agent, rather than waiting for the full scans triggered by the FortiNAC Scheduler.

 

Scope

 

FortiNAC and Persistent Agent.

 

Solution

 

In this example, two native Windows programs are chosen to illustrate the behavior: to be compliant, the host needs to have Notepad open and Paint closed.

 

A Custom scan can be created in Policy & Objects -> Scans -> 'Custom Scans'. The example below shows the Custom scan that checks that the Notepad program is running on the end host.

 

(Screenshot: notepadi.png)

Another similar Custom scan is created to check that the Paint program is not running. The only difference from the previous example is the Scan Type: Prohibited-Processes.

 

(Screenshot: mos paint.PNG)

 

Both Custom scans are included in a Scan rule and enabled for monitoring. For testing purposes, a Monitor Interval of 1 minute is configured; in a production environment with a large number of hosts, the interval needs proper planning before it is applied.

 

(Screenshot: Scan policy.PNG)

The timestamp of each evaluation can be checked in the agent logs on the end host. In this example (log viewed from PowerShell in 'follow' mode), the monitoring status is evaluated every minute:

 

PS C:\Users\gimi> Get-Content "C:\ProgramData\Bradford Networks\general.txt" -Wait -tail 1

 

2024-12-07 16:27:46 UTC :: Detected Server Version: 0
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Requested: 6.1 System: 6.3 Delim: .
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Returning: false
2024-12-07 16:28:06 UTC :: Debug: DelimVersionTask Failed
2024-12-07 16:28:06 UTC :: Debug: andTask Failed
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Requested: 6.3 System: 6.3 Delim: .
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Returning: true
2024-12-07 16:28:06 UTC :: Debug: DelimVersionTask Passed
2024-12-07 16:28:06 UTC :: Debug: GetRegistryEntryTask Passed
2024-12-07 16:28:06 UTC :: Debug: notTask Passed
2024-12-07 16:28:06 UTC :: Debug: ProcessExistsTask Failed
2024-12-07 16:28:06 UTC :: Debug: andTask Failed

2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Requested: 10 System: 10 Delim: .
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Returning: true
2024-12-07 16:28:06 UTC :: Debug: GetRegistryEntryTask Passed
2024-12-07 16:28:06 UTC :: Debug: ProcessExistsTask Passed
2024-12-07 16:28:06 UTC :: Debug: andTask Passed
2024-12-07 16:28:06 UTC :: Debug: orTask Failed


After the Paint program is opened on the end host, the host status in the FortiNAC UI changes to 'At Risk' with the reason Failed Monitors:

 

(Screenshot: host at risk.PNG)

To see the Persistent Agent log output in FortiNAC (similar to the agent logs on the end host), the 'PersistentAgent' debug can be enabled as follows:

 

fnac # diagnose debug plugin enable PersistentAgent
fnac # diagnose tail -f output.nessus
yams.PersistentAgent.netty FINE :: 2024-12-07 17:28:06:911 :: #170295 :: [id: 0x440782e3, L:/10.1.2.50:4568 - R:/10.1.3.11:56196] FLUSH
yams.PersistentAgent FINER :: 2024-12-07 17:28:06:923 :: #45 :: Entering PersistentAgentServer dead monitor check
yams.PersistentAgent FINER :: 2024-12-07 17:28:06:936 :: #45 :: Dead Monitor Check Calling PersistentAgent.getMonitorsXML(test-scan,Windows)
yams.PersistentAgent FINER :: 2024-12-07 17:28:06:938 :: #45 :: MonitorResult:client = , gimi - win10-ffm atRisk = true passed = false ID = test-scan::Windows::Prohibited-Processes::NoPaint
yams.PersistentAgent FINER :: 2024-12-07 17:28:06:938 :: #45 :: ProcessThread[7] Done processing packet from IP = 10.1.3.11 Verb = Monitor-Result queue = 0

 

After the user closes the Paint program on the end host, the agent updates FortiNAC about the monitor status change. On receiving this update, FortiNAC triggers a full Scan of the host to change its status from 'At Risk' back to normal. The actions can also be verified in the logs:

 

Agent logs in the end host:

 

2024-12-07 16:36:16 UTC :: Debug: ProcessExistsTask Failed
2024-12-07 16:36:16 UTC :: Debug: andTask Failed
2024-12-07 16:36:16 UTC :: Debug: orTask Passed

 

Logs in FortiNAC:

 

yams.PersistentAgent.netty FINE :: 2024-12-07 17:36:16:557 :: #170295 :: [id: 0x440782e3, L:/10.1.2.50:4568 - R:/10.1.3.11:56196] READ COMPLETE
yams.PersistentAgent.Default TCP FINE :: 2024-12-07 17:36:16:557 :: #79 :: Calling listeners
yams.PersistentAgent FINE :: 2024-12-07 17:36:16:558 :: #170297 :: Entered handleIncomingAgentPacket
yams.PersistentAgent FINE :: 2024-12-07 17:36:16:558 :: #170297 :: incomingagentpacket processing
.
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:580 :: #45 :: Entering PersistentAgentServer dead monitor check

yams.PersistentAgent FINER :: 2024-12-07 17:36:16:600 :: #45 :: Dead Monitor Check Calling PersistentAgent.getMonitorsXML(test-scan,Windows)
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:604 :: #45 :: MonitorResult:client = , gimi - win10-ffm atRisk = true passed = true ID = test-scan::Windows::Prohibited-Processes::NoPaint
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:605 :: #45 :: , gimi - win10-ffm Removing test-scan::Windows::Prohibited-Processes::NoPaint from FailedMonitors
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:655 :: #45 :: clearScanList() Removing policy test-scan from 00:76:6F:6C:23:01
yams.PersistentAgent.ScanList FINE :: 2024-12-07 17:36:16:655 :: #45 :: ScanList():: Removing policy test-scan from 00:76:6F:6C:23:01
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:686 :: #45 :: sendPolicy , gimi - win10-ffm record.ip = 10.1.3.11 policy Name = test-scan
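When troubleshooting the interval and the monitor verdicts shown in the two log excerpts above, it helps to parse the lines rather than read them by eye. The script below is an added example, not part of the article or the FortiNAC product: it groups Persistent Agent general.txt task lines into evaluation cycles, derives the seconds between cycles (to compare with the configured Monitor Interval), and extracts the MonitorResult fields from the FortiNAC PersistentAgent debug output. The sample log lines are constructed from the article's format; taking the last task of a cycle as its overall verdict is an assumption.

```python
import re
from datetime import datetime

# Persistent Agent general.txt line: "<ts> UTC :: Debug: <Task> Passed|Failed"
AGENT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC :: Debug: (\w+Task) (Passed|Failed)$")
# FortiNAC PersistentAgent debug line carrying a MonitorResult
MONITOR_RE = re.compile(
    r"MonitorResult:client = (?P<client>.*?) atRisk = (?P<at_risk>true|false) "
    r"passed = (?P<passed>true|false) ID = (?P<mid>\S+)")

# Constructed sample input modelled on the article's log excerpts (not real captures).
AGENT_LOG = """\
2024-12-07 16:27:06 UTC :: Debug: ProcessExistsTask Passed
2024-12-07 16:27:06 UTC :: Debug: andTask Passed
2024-12-07 16:27:06 UTC :: Debug: orTask Passed
2024-12-07 16:28:06 UTC :: Debug: DelimVersion.. Returning: true
2024-12-07 16:28:06 UTC :: Debug: ProcessExistsTask Failed
2024-12-07 16:28:06 UTC :: Debug: andTask Failed
2024-12-07 16:28:06 UTC :: Debug: orTask Failed
2024-12-07 16:29:06 UTC :: Debug: ProcessExistsTask Failed
2024-12-07 16:29:06 UTC :: Debug: orTask Failed
""".splitlines()
FORTINAC_LOG = """\
yams.PersistentAgent FINER :: 2024-12-07 17:28:06:938 :: #45 :: MonitorResult:client = , gimi - win10-ffm atRisk = true passed = false ID = test-scan::Windows::Prohibited-Processes::NoPaint
yams.PersistentAgent FINER :: 2024-12-07 17:36:16:604 :: #45 :: MonitorResult:client = , gimi - win10-ffm atRisk = true passed = true ID = test-scan::Windows::Prohibited-Processes::NoPaint
""".splitlines()

def agent_cycles(lines):
    """Group task results by timestamp; each group is one monitor evaluation cycle."""
    cycles = {}
    for line in lines:
        m = AGENT_RE.match(line.strip())
        if m:
            ts, task, result = m.groups()
            cycles.setdefault(ts, []).append((task, result))
    return cycles

def cycle_verdicts(cycles):
    """Assumption: the last task logged in a cycle (orTask/andTask) is the overall verdict."""
    return {ts: tasks[-1][1] for ts, tasks in cycles.items()}

def evaluation_intervals(cycles):
    """Seconds between consecutive cycles; should match the configured Monitor Interval."""
    stamps = sorted(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") for ts in cycles)
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]

def monitor_results(lines):
    """Parse MonitorResult lines; the ID is policy::OS::scan type::scan name."""
    out = []
    for line in lines:
        m = MONITOR_RE.search(line)
        if m:
            policy, os_name, scan_type, scan_name = m.group("mid").split("::")
            out.append({"policy": policy, "os": os_name, "type": scan_type, "scan": scan_name,
                        "at_risk": m.group("at_risk") == "true",
                        "passed": m.group("passed") == "true"})
    return out
```

Feed the output of the Get-Content and diagnose tail commands above into these functions to confirm the agent really evaluates at the configured interval and to see which monitor a failed result belongs to.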

 

Note:

When the host fails the monitor, the 'At Risk' status is applied immediately without triggering a full scan.

 

Related articles:

Technical Tip: Custom Scan will not be disabled

Troubleshooting Tip: Agent logs on end hosts
Technical Tip: 'State based Control' concept and VLAN changes