This article describes the steps required to successfully deploy the Persistent Agent on a Linux host. In this example, Ubuntu 24.04 is used as the test host.
FortiNAC and Linux hosts.
This article is a follow-up to Technical Tip: A simple network example of deploying Persistent Agent in FortiNAC and covers the differences when the end host is running Linux.
Agent deployment on the end host can be performed through various methods, such as MDM, captive portal, or manual installation. The details for manual installation are covered in Installation for Linux - FortiNAC-F administration guide. In this example, the portal is used to distribute the Agent package to the end hosts. To be able to download the Agent package, the rogue host needs to match an Endpoint Compliance policy:
Upon successful login with a valid username, the user will be prompted to download the most recent version of the Agent package:
In this case, the host is running Ubuntu, so the package 'fortinac-persistent-agent_7.6.1.0016-1.amd64.deb' needs to be selected for download. Once downloaded, the package can be installed as follows:
cd Downloads/
sudo dpkg -i fortinac-persistent-agent_7.6.1.0016-1.amd64.deb
Selecting previously unselected package fortinac-agent.
(Reading database ... 219497 files and directories currently installed.)
Preparing to unpack fortinac-persistent-agent_7.6.1.0016-1.amd64.deb ...
Unpacking fortinac-agent (7.6.1.0016-1) ...
Setting up fortinac-agent (7.6.1.0016-1) ...
discoveryEnabled=true
Starting bndaemon (via systemctl): bndaemon.service.
nohup: appending output to '/home/fortinet/nohup.out'
After the installation, the service will start and the Agent logo will appear in the taskbar:
Communication can also be verified through the Agent logs:
tail -f /var/log/bndaemon
2025-08-11 14:14:29 UTC :: Looking up _bradfordagent._tcp.
2025-08-11 14:14:29 UTC :: Server List: fnac76.eb.lab:4568
2025-08-11 14:14:29 UTC :: About to delete transport
2025-08-11 14:14:29 UTC :: Deleted Transport
2025-08-11 14:14:29 UTC :: SecureAgentTransportV1 constructor finished
2025-08-11 14:14:29 UTC :: Server: fnac76.eb.lab:4568 <-- server is discovered
2025-08-11 14:14:29 UTC :: Host = fnac76.eb.lab
2025-08-11 14:14:29 UTC :: Joining connectBoostThread()
2025-08-11 14:14:29 UTC :: SSL_get_verify_result = 0 <-- TLS certificate is valid
2025-08-11 14:14:29 UTC :: SSL Certificate verification result: ok
Normal communication should then proceed with keepalives only, occurring every 30 seconds:
The Agent status should now appear as green. A test message can be sent to verify host connectivity by right-clicking the host and selecting 'Send Message'.
Note:
In FortiNAC deployments, the Agent service usually uses a privately signed certificate. To avoid communication issues, the private root CA needs to be imported on the end host and added to its trust store. Later Agent versions work only with TLS 1.3; more details can be found in this article: Technical Tip: How to enable TLS 1.3 for Persistent Agent in FortiNAC
These are the steps to add the certificate to the end host's trust store. More information can be found in vendor documentation such as the Ubuntu Server documentation.
cd Desktop/
sudo cp ca.eb.eu.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Whether the certificate is trusted can also be checked with the following command:
openssl s_client -connect fnac76.eb.lab:4568 -CApath /etc/ssl/certs
...
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
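The same verification result can be read from the Agent log instead of being checked by hand. The following Python sketch is an added example, not Fortinet code: it parses /var/log/bndaemon-style text in the format shown earlier and reports each TLS verification result per server. It assumes the Agent writes the same 'SSL_get_verify_result = N' line with a non-zero OpenSSL verify code when verification fails; the function name and the failing sample lines are constructed for illustration.

```python
import re

# Subset of OpenSSL X509 verify codes (X509_V_ERR_*) that typically show up
# when the root CA is missing from the trust store or the certificate is wrong.
VERIFY_CODES = {
    0: "ok",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    62: "hostname mismatch",
}
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC :: (.*)$")
SERVER = re.compile(r"^Server: (\S+)")
VERIFY = re.compile(r"^SSL_get_verify_result = (\d+)")

def tls_results(log_text):
    """Return one dict per TLS verification result found in bndaemon log text."""
    results, server = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or malformed line
        stamp, msg = m.groups()
        if s := SERVER.match(msg):
            server = s.group(1)  # remember which server the next result belongs to
        elif v := VERIFY.match(msg):
            code = int(v.group(1))
            reason = VERIFY_CODES.get(code, "unlisted X509_V_ERR_* code")
            results.append({"time": stamp, "server": server, "code": code,
                            "reason": reason, "trusted": code == 0})
    return results

# Constructed sample. The 14:10 attempt is an assumed failure (code 20, root CA
# not yet in the trust store); the 14:14 lines follow the log shown above.
SAMPLE = """\
2025-08-11 14:10:02 UTC :: Server: fnac76.eb.lab:4568
2025-08-11 14:10:02 UTC :: SSL_get_verify_result = 20
2025-08-11 14:14:29 UTC :: Server List: fnac76.eb.lab:4568
2025-08-11 14:14:29 UTC :: Server: fnac76.eb.lab:4568
2025-08-11 14:14:29 UTC :: Host = fnac76.eb.lab
2025-08-11 14:14:29 UTC :: SSL_get_verify_result = 0
"""

if __name__ == "__main__":
    for r in tls_results(SAMPLE):
        state = "TRUSTED" if r["trusted"] else "UNTRUSTED"
        print(f'{r["time"]} {r["server"]} {state} ({r["code"]}: {r["reason"]})')
```

A result of 20 or 21 on a host that has not yet had the private root CA imported points to the trust store steps above; after update-ca-certificates and a service restart, the result should be 0.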
The configuration is saved in the following file, which can also be edited to add customizations:
cat /etc/xdg/com.bradfordnetworks/PersistentAgent.conf
[General]
ClientState=1
ServerIP=fnac76.eb.lab
ShowIcon=1
allowedCiphers=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
allowedServers=
caFile=/etc/ssl/certs/ca-certificates.crt
caTrustDepth=4
disconnectedMsg=Your network access may be restricted. Persistent Agent is disconnected from Network Sentry.
discoveryEnabled=true
homeServer=
lastConnectedServer=fnac76.eb.lab:4568
macPollInterval=5
maxConnectInterval=960
restrictRoaming=false
selfSignedAllowed=true
showDisconnectedIcon=false
showDisconnectedMsg=false
After making configuration changes, they can be applied more quickly by manually stopping and starting the service with the following commands:
sudo service bndaemon stop
sudo service bndaemon start
Copyright 2025 Fortinet, Inc. All Rights Reserved.