FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 348726
Description This article describes the features and differences between the Persistent Agent and FortiClient EMS in terms of endpoint compliance.
Scope FortiNAC, Persistent Agent, FortiClient EMS.
Solution

FortiNAC can leverage integrations with FortiClient EMS or any third-party MDM solution to register endpoints and then apply Network Access Control by using 'MDM compliant' state as a filter in its Policies. In these cases, the compliance part is covered by the MDM, and FortiNAC simply uses this information (Compliant or Not) to apply control.

FortiNAC can also use the Persistent Agent to register Endpoints. Compliance in this case is configured in FortiNAC through Endpoint Compliance policies.

Each approach checks different features for compliance.

FortiClient EMS provides compliance and covers endpoint security in the following areas:

  • Secure remote access (VPN, SSO, ZTNA).
  • Application control.
  • Web filtering.
  • Vulnerability patching.

This documentation provides more details on EMS endpoint profiles and their features: Endpoint profiles.

FortiNAC collects the following host data when it polls FortiClient EMS:

  • Type (PC/Android/iOS).
  • Operating System.
  • Owner (User).
  • Host Name.
  • Compliance (Boolean based on Vulnerability State. FortiNAC retrieves host vulnerability counts from FortiClient EMS and marks the host as MDM Compliant if the host has no high or critical vulnerabilities).

When FortiClient EMS reports an endpoint as 'Compliant', FortiNAC additionally checks the 'Quarantine' attribute before deciding whether to set the host's MDM Compliant attribute to compliant or not.

To troubleshoot, enable the following debug output in the FortiNAC-F CLI and tail the master log:

diagnose debug plugin enable MdmManager
diagnose debug plugin enable FortinetEMSServer

diagnose tail -F output.master

The filtered output of the information returned from EMS shows the following JSON data for a compliant endpoint:

yams.FortinetEMSServer FINER :: DATE :: 8334 :: endpointsJson =
{"XXXXXXXXXXXXXXXXXX":{"client_cert_sn":"0","fct_ver":[7,0,6],
"is_registered":true,
"public_ip":"Y.Y.Y.Y",
"memory":"4094",
"fct_build_no":238,
"user_name":"FortiUser",
"host_manufacturer":"VMware, Inc.",
"av_sig_ver":[1,0],
"quarantined":false, <---------------
"indirectly_connected":false,
"mac":"xx-xx-xx-xx-xx",
"onnet":true,
"hostname":"FortiHost"
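The following Python snippet is an added example, not code from the article or from Fortinet. It parses an endpointsJson payload of the shape shown above and derives the MDM Compliant verdict the article describes: no high or critical vulnerabilities, and not quarantined. Of the keys used, hostname, user_name, mac, is_registered, onnet, quarantined and fct_ver appear in the excerpt; the "vuln_counts" object and the registration check are assumptions standing in for the vulnerability counts FortiNAC retrieves, since the excerpt does not show that field. The payload itself is constructed sample data.

```python
import json

# Constructed sample payload in the shape of the endpointsJson debug output.
# "vuln_counts" is an ASSUMED field name (not visible in the article's excerpt)
# standing in for the per-host vulnerability counts FortiNAC retrieves from EMS.
SAMPLE_ENDPOINTS_JSON = """
{
  "EP-0001": {"hostname": "FortiHost", "user_name": "FortiUser",
              "mac": "00-11-22-33-44-55", "is_registered": true, "onnet": true,
              "quarantined": false, "fct_ver": [7, 0, 6],
              "vuln_counts": {"critical": 0, "high": 0, "medium": 3, "low": 7}},
  "EP-0002": {"hostname": "LabBox", "user_name": "Tester",
              "mac": "00-11-22-33-44-66", "is_registered": true, "onnet": true,
              "quarantined": false, "fct_ver": [7, 0, 6],
              "vuln_counts": {"critical": 1, "high": 0, "medium": 0, "low": 2}},
  "EP-0003": {"hostname": "Kiosk", "user_name": "FrontDesk",
              "mac": "00-11-22-33-44-77", "is_registered": true, "onnet": true,
              "quarantined": true, "fct_ver": [7, 0, 6],
              "vuln_counts": {"critical": 0, "high": 0, "medium": 0, "low": 0}},
  "EP-0004": {"hostname": "Guest", "user_name": "",
              "mac": "00-11-22-33-44-88", "is_registered": false, "onnet": false,
              "quarantined": false, "fct_ver": [7, 0, 6]}
}
"""

# Severities that make a host non-compliant per the article (high or critical).
BLOCKING_SEVERITIES = ("critical", "high")


def vulnerability_state_ok(endpoint: dict) -> bool:
    """True when the host has zero high and zero critical vulnerabilities.
    A missing or malformed vuln_counts is treated as unknown and fails closed."""
    counts = endpoint.get("vuln_counts")
    if not isinstance(counts, dict):
        return False
    return all(int(counts.get(sev, 0)) == 0 for sev in BLOCKING_SEVERITIES)


def evaluate_mdm_compliance(endpoint: dict) -> tuple:
    """Derive the MDM Compliant attribute: registered in EMS (assumed precondition),
    no high/critical vulnerabilities, and not quarantined. Returns (bool, reason)."""
    if not endpoint.get("is_registered", False):
        return False, "not registered in EMS"
    if not vulnerability_state_ok(endpoint):
        return False, "high or critical vulnerabilities present"
    if endpoint.get("quarantined", False):
        return False, "quarantined by EMS"
    return True, "compliant"


def summarize_endpoints(raw_json: str) -> dict:
    """Parse an endpointsJson payload and return a per-host verdict keyed by hostname."""
    endpoints = json.loads(raw_json)
    summary = {}
    for ep_id, ep in endpoints.items():
        compliant, reason = evaluate_mdm_compliance(ep)
        summary[ep.get("hostname", ep_id)] = {
            "mac": ep.get("mac"),
            "user": ep.get("user_name"),
            "mdm_compliant": compliant,
            "reason": reason,
        }
    return summary


if __name__ == "__main__":
    for host, verdict in summarize_endpoints(SAMPLE_ENDPOINTS_JSON).items():
        flag = "COMPLIANT" if verdict["mdm_compliant"] else "NOT COMPLIANT"
        print(f"{host:<10} {verdict['mac']:<18} {flag:<14} ({verdict['reason']})")
```

The quarantined check is evaluated only after the vulnerability state passes, mirroring the order the article gives: EMS compliance first, then the quarantine attribute. A missing vulnerability field fails closed so that a host with unknown posture is never reported as MDM Compliant.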

The MDM Compliant attribute and/or other Host attributes can then be leveraged to enforce control: Technical Tip: 'State based Control' concept and VLAN changes on the registered host.

Figure 1. Example on using different MDM compliance criteria to enforce control.

In FortiNAC Host view, it is possible to add Columns that represent specific attributes that are used in the Network Access Policies.

This makes it easier to identify whether a host is currently MDM managed or has no Persistent Agent installed. A host that fails to match the defined criteria matches no policy; in that case, FortiNAC returns the Default VLAN configured in the Model Configuration or on the port/SSID.

Figure 2. Adding specific columns in Host view for increased visibility of Host attributes.

The Persistent Agent can register, authenticate, and proactively scan hosts by returning Host/Adapter/User attribute information to FortiNAC.

Additionally, the Persistent Agent provides the following in combination with Endpoint Compliance policies in FortiNAC:

Application Inventory can also be used as a filter to enforce control.

Figure 3 shows the list of attributes that can be used.

Figure 3. Application Inventory Attributes that can be leveraged for Policy Matching.

An example would be a group of users whose hosts run a unique application version or vendor that is used only by them.

Using such attributes makes it possible to apply network access correctly.

Another option is to use the 'Threat Score': a high threat score value can be used as a filter in policies that isolate the host.

Using the FortiClient EMS (MDM) integration together with the Persistent Agent provides a complete endpoint security posture, as they complement each other in different areas.

FortiClient EMS data can be used for the initial Host registration and for compliance in secure remote access, while the Agent applies custom scans, scan chaining, and monitors to proactively make sure that the Host fulfils the criteria for being allowed to access production resources. If any of these criteria are not met, FortiNAC moves the host to the remediation state (Technical Tip: 'State based Control' concept and VLAN changes) when a scan fails, or changes the VLAN to an Isolation VLAN when EMS reports that the host is not Compliant.

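The policy matching described in the Host view section and in the paragraph above (first matching policy wins, a host that matches nothing falls back to the Default VLAN of the model configuration or port/SSID, scan failure goes to remediation, EMS non-compliance goes to isolation) can be illustrated in code. This is an added example, not FortiNAC's implementation: the attribute names (mdm_compliant, agent_installed, scan_passed, threat_score), policy names, VLAN names and sample hosts are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One Network Access Policy: every criterion must match a host attribute."""
    name: str
    criteria: dict  # attribute name -> required value
    vlan: str


# Constructed, ordered policy table. Attribute names are ASSUMED illustrative names
# mirroring the Host view columns discussed in the article, not FortiNAC's schema.
POLICIES = [
    Policy("Isolate-EMS-NonCompliant", {"mdm_compliant": False}, "VLAN-Isolation"),
    Policy("Remediate-Scan-Failed", {"agent_installed": True, "scan_passed": False}, "VLAN-Remediation"),
    Policy("Isolate-High-Threat", {"threat_score": "High"}, "VLAN-Isolation"),
    Policy("Production", {"mdm_compliant": True, "agent_installed": True, "scan_passed": True}, "VLAN-Production"),
]

# Constructed Default VLAN, as would be set in the Model Configuration or on the port/SSID.
PORT_DEFAULT_VLAN = "VLAN-Default"

# Constructed host attribute sets as FortiNAC might hold them after EMS polling / agent scans.
SAMPLE_HOSTS = {
    "workstation": {"mdm_compliant": True, "agent_installed": True, "scan_passed": True, "threat_score": "Low"},
    "laptop-noncompliant": {"mdm_compliant": False, "agent_installed": True, "scan_passed": True},
    "laptop-scan-failed": {"mdm_compliant": True, "agent_installed": True, "scan_passed": False},
    "laptop-high-threat": {"mdm_compliant": True, "agent_installed": True, "scan_passed": True, "threat_score": "High"},
    "printer-no-agent": {},  # no MDM data and no agent: matches no policy
}


def matches(host: dict, policy: Policy) -> bool:
    """A host matches only when every criterion attribute is present and equal.
    An absent attribute (no agent, no MDM record) never matches, so such hosts
    fall through to the Default VLAN as the article describes."""
    return all(attr in host and host[attr] == wanted for attr, wanted in policy.criteria.items())


def first_matching_policy(host: dict, policies=POLICIES) -> Optional[Policy]:
    """Policies are evaluated in order; the first match decides."""
    for policy in policies:
        if matches(host, policy):
            return policy
    return None


def assign_vlan(host: dict, policies=POLICIES, default_vlan: str = PORT_DEFAULT_VLAN) -> Tuple[str, Optional[str]]:
    """Return (vlan, policy_name); policy_name is None when the Default VLAN applies."""
    policy = first_matching_policy(host, policies)
    if policy is None:
        return default_vlan, None
    return policy.vlan, policy.name


if __name__ == "__main__":
    for name, attrs in SAMPLE_HOSTS.items():
        vlan, policy_name = assign_vlan(attrs)
        print(f"{name:<20} -> {vlan:<16} ({policy_name or 'no policy matched, Default VLAN'})")
```

Ordering matters: the isolation and remediation policies are listed before the production policy so that a host reported non-compliant by EMS, or failing an agent scan, is never admitted by a later, more permissive match. Adding the corresponding attribute columns in Host view, as Figure 2 suggests, is the operational way to see which branch a given host will take.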
 

Related documents: