FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 314884
Description

This article describes how to notify network administrators when a host is identified as being in the 'At Risk' state.

In environments where connectivity is important, the Scan remediation action can be configured to Delayed or Audit Only instead of immediate isolation.

This gives the Help Desk team time to investigate and resolve the issue without interrupting the user's activity or access to the network.

 

Scope

FortiNAC.

 

Solution

 

In Scan configurations, there are three options related to Remediation:

  1. On failure.
  2. Delayed.
  3. Audit Only.

The first option is the most secure: it isolates the host as soon as it fails the scan. It is the recommended option for a high-security environment, but in some scenarios this immediate action is not required.


Configure Scan to delay the isolation by one or more days:

In the Scan configuration under Policy & Objects -> Endpoint Compliance -> [Scan], change the Remediation action to Delayed (3 Days in this example).

[Image: delay.PNG]

 

After this change, hosts that fail the scan continue to work normally. A 'Host Pending At Risk' event is generated and can be reviewed in Logs -> Events & Alarms -> [Events].

 

[Image: events.PNG]

This event can be used in Mappings to notify the appropriate team (in this example, via email):


[Image: Host pending at risk.PNG]

An email is sent to the users who are members of the selected group.

 

[Image: emails.PNG]

The host is shown with a blue plus icon:

[Image: host blu.png]

 

The status of the host can also be checked from the CLI (output truncated):

 

> dumphostrecords -mac 00:00:00:6C:23:01

hostName = win10-ffm
owner = gimi
os = Windows 10 Pro 6.3 22H2 10.0.19045.4291
Status = Security_Risk_Pending_Connected
loggedOnUserId = gimi
role = AD-NetworkUserRole
type = 8
Agent Version = 9.4.2.99
Agent Platform = WINDOWS
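The CLI output above is plain 'key = value' text, so a small parser makes it easy to check many hosts at once and pick out the ones whose isolation is pending. The script below is an added example, not FortiNAC code: it parses blank-line-separated host records in that format and flags any host whose Status begins with Security_Risk_Pending (the prefix is an assumption based on the single value shown in the article, Security_Risk_Pending_Connected). The sample output is constructed for the example; the second record is made up.

```python
"""Parse dumphostrecords-style output and flag hosts pending isolation.

Added example, not part of FortiNAC. Assumes each record is a block of
'key = value' lines separated by a blank line, as in the article's output.
"""
import re
from typing import Dict, List

# Constructed sample: the article's record plus a made-up healthy host.
SAMPLE_OUTPUT = """\
hostName = win10-ffm
owner = gimi
os = Windows 10 Pro 6.3 22H2 10.0.19045.4291
Status = Security_Risk_Pending_Connected
loggedOnUserId = gimi
role = AD-NetworkUserRole
type = 8
Agent Version = 9.4.2.99
Agent Platform = WINDOWS

hostName = lab-pc-02
owner = jdoe
os = Windows 10 Pro 6.3 22H2 10.0.19045.4291
Status = Connected
loggedOnUserId = jdoe
role = AD-NetworkUserRole
type = 8
Agent Version = 9.4.2.99
Agent Platform = WINDOWS
"""

# Keys may contain spaces ("Agent Version"); split on the first '='.
KV_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")

# Assumed prefix for the 'pending isolation' states (Delayed remediation).
PENDING_PREFIX = "Security_Risk_Pending"


def parse_host_records(text: str) -> List[Dict[str, str]]:
    """Split CLI output into one dict per host record (blank-line separated)."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        match = KV_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2)
    if current:
        records.append(current)
    return records


def pending_at_risk(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the hosts whose Status marks them as pending isolation."""
    return [r for r in records if r.get("Status", "").startswith(PENDING_PREFIX)]


def hosts_by_status(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group host names by their Status value for a quick overview."""
    grouped: Dict[str, List[str]] = {}
    for r in records:
        grouped.setdefault(r.get("Status", "UNKNOWN"), []).append(r.get("hostName", "?"))
    return grouped


if __name__ == "__main__":
    parsed = parse_host_records(SAMPLE_OUTPUT)
    for host in pending_at_risk(parsed):
        print(f"{host['hostName']} (owner {host['owner']}): {host['Status']}")
    print(hosts_by_status(parsed))
```

In practice the input would be the collected output of one dumphostrecords call per MAC address; the parser only relies on the 'key = value' layout, so truncated output is handled as long as the Status line is present.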

 

If no action is taken to remediate the host before the delay timer expires (3 days in this example), the host is isolated.

 

Configure Scan to Audit Only:

In the Scan configuration under Policy & Objects -> Endpoint Compliance -> [Scan], change the Remediation action to Audit Only.

Notifications can also be sent for the On Failure action, where hosts are isolated immediately and the team wants to be informed at once, before users start reporting problems.

 

In Mappings, the event selected is Security Risk Host. In this case the mapping already exists (built-in), but the notify option is not enabled by default:

 

[Image: modify mapping.PNG]

After enabling notifications, an email is sent whenever a host fails the scan:

 

[Image: emailsi.PNG]

To send the email, FortiNAC must have a working email service configured in Service Connectors:

 

[Image: ser-con.PNG]

 

The administrator accounts in the selected group must have a valid email address:

 

[Image: email-admin.PNG]

 

Related article:

Technical Tip: Notify when a new rogue is trying to connect in the network