Created on 05-14-2024 06:08 AM
Edited on 01-17-2025 04:35 AM
By Jean-Philippe_P
Description
This article describes how network administrators can be notified when a host is placed in the 'At Risk' state.
In environments where connectivity is important, the Scan remediation action can be configured to Delayed or Audit Only.
This gives the Help Desk team time to investigate and resolve the issue without interrupting the user's activity and access to the network.
Scope
FortiNAC.
Solution
In Scan configurations, there are three Remediation options:
- On failure.
- Delayed.
- Audit Only.
The first option is the most secure: it isolates the host as soon as the host fails the scan. This is the recommended option for high-security environments, but in some scenarios this immediate action is not required.
Configure the Scan to delay the isolation by one or more days:
In the Scan configuration under Policy & Objects -> Endpoint Compliance -> [Scan], change the Remediation action to Delayed (in this example, 3 Days).
After this change, hosts that fail the scan continue to work normally. A 'Host Pending At Risk' event is generated and can be checked manually in Logs -> Events & Alarms [Events].
This event can be used in Mappings to notify the appropriate team (in this example, via e-mail):
An email will be sent to the users that are members of the selected group.
The host will be shown with a blue plus icon:
The status of the host can also be checked from CLI (output truncated):
> dumphostrecords -mac 00:00:00:6C:23:01
hostName = win10-ffm
owner = gimi
os = Windows 10 Pro 6.3 22H2 10.0.19045.4291
Status = Security_Risk_Pending_Connected
loggedOnUserId = gimi
role = AD-NetworkUserRole
type = 8
Agent Version = 9.4.2.99
Agent Platform = WINDOWS
If no action is taken to remediate this host, it will be isolated once the delay timer expires (3 days).
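As an added example (not part of the article or of FortiNAC), the following Python script parses a captured dumphostrecords CLI session in the format shown above and lists the hosts whose Status indicates a pending or enforced security risk, so the Help Desk team can build a triage list before the delay timer expires. The second host in the sample, its 'Safe_Connected' status value, and the grouping of status values other than 'Security_Risk_Pending_*' are assumptions.

```python
import re

# Constructed sample of a captured FortiNAC CLI session. The first record is
# the article's (abridged) output; the second host and its 'Safe_Connected'
# status value are assumptions made for illustration.
SAMPLE_SESSION = """\
> dumphostrecords -mac 00:00:00:6C:23:01
hostName = win10-ffm
owner = gimi
Status = Security_Risk_Pending_Connected
Agent Version = 9.4.2.99
> dumphostrecords -mac 00:00:00:6C:23:02
hostName = win11-lab
owner = alice
Status = Safe_Connected
"""

# Prompt line that starts each record; captures the queried MAC address.
PROMPT_RE = re.compile(r"^>\s*dumphostrecords\s+-mac\s+([0-9A-Fa-f:]{17})\s*$")

def parse_session(text):
    """Return one {'mac': ..., 'fields': {...}} dict per dumphostrecords call."""
    records = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            records.append({"mac": m.group(1).upper(), "fields": {}})
        elif records and " = " in line:
            key, _, value = line.partition(" = ")
            records[-1]["fields"][key.strip()] = value.strip()
    return records

def risk_class(status):
    """Group a Status value. Only 'Security_Risk_Pending_*' appears in the article;
    treating other 'Security_Risk*' values as isolated and the rest as safe is assumed."""
    if status.startswith("Security_Risk_Pending"):
        return "pending"    # Delayed remediation: timer running, not isolated yet
    if status.startswith("Security_Risk"):
        return "isolated"
    return "safe"

def hosts_needing_attention(records):
    """(mac, hostName, owner, class) for every host whose status is not safe."""
    rows = []
    for r in records:
        f, cls = r["fields"], risk_class(r["fields"].get("Status", ""))
        if cls != "safe":
            rows.append((r["mac"], f.get("hostName", "?"), f.get("owner", "?"), cls))
    return rows
```

Running hosts_needing_attention(parse_session(SAMPLE_SESSION)) on the sample returns only the win10-ffm host, classified as pending.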
Configure the Scan to Audit Only:
In the Scan configuration under Policy & Objects -> Endpoint Compliance -> [Scan], change the Remediation action to Audit Only.
Notifications can also be sent for the On Failure action, when hosts are isolated immediately and the team wants to be notified instantly, before users start complaining.
In Mappings, the event selected is Security Risk Host. In this case the mapping already exists (built-in), but the notify option is not enabled by default:
After enabling notifications, an email is sent whenever a host fails the scan:
To send the email, FortiNAC must have a working email service configured in Service Connectors:
The administrators who are members of the selected group must have a valid email address:
Note:
Changes made to the scan do not affect hosts until they are scanned again. The host status changes only after the scan returns its results; more information can be found in this section of the Administration Guide.
During a new deployment, or after making several configuration changes to Scans, it may be necessary to clear all hosts that are stuck in the 'At Risk' state. This can be done in System -> Settings -> Control -> Quarantine [Set all hosts 'Risk State' to 'Safe'] and Apply.
Related articles:
Technical Tip: Notify when a new rogue is trying to connect in the network
Technical Tip: 'State based Control' concept and VLAN changes