FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ebilcari
Staff
Article Id 282093
Description

 

This article describes how to update the FortiNAC Persistent Agent directly from FortiNAC in a scenario where the agent installation is not managed by any third-party software deployment tool.

 

Scope

 

Any supported version of FortiNAC.

 

Solution

 

Step 1: Prepare the setup and get the latest Agent packages.

 

The latest agent packages can be downloaded after specifying the 'Agent Distribution Directory' in Settings -> Updates -> System as shown below:

 

agent-distribution directory.png

The packages can be chosen from the provided list. The .jar file is extracted and individual packages for each supported operating system become available. These files can also be downloaded directly through the browser and installed manually on end hosts if needed.

 

download package.png

Step 2: Configure the setup to automatically update the agent.

 

The update is pushed through FortiNAC without any user interaction on the end host. Under the Users & Hosts -> Hosts menu, right-click the relevant host and select 'Update Persistent Agent' to update an individual host.

 

There are some requirements for the update to work normally:

  • The host must be online and the agent must be able to communicate with FortiNAC: the Persistent Agent icon should be green. Test basic communication by right-clicking the host and selecting 'Send Message'; the message should then appear on the end host.

 

test message.PNG

 

  • TCP port 80 must be open between the end host and FortiNAC: the agent fetches the update package over HTTP on this port (see the packet capture later in this article). If the port is blocked, the GUI shows the following loading screen for some time:

 

blocked port 80.PNG

 

Note: In existing setups with older agent versions installed (5.3 or lower), there are some things to check before proceeding with the upgrade. The most important is the enforcement of secure agent communication: the UDP port can no longer be used; only TCP communication and TLS-secured communication are supported. More details can be found in the Windows Agent Release Notes.

 

The port can be tested with a telnet command on the end host or with tcpdump on FortiNAC. The HTTP/1.1 400 Bad Request that Apache returns to the raw telnet input is the expected result: it confirms that the TCP connection reaches the FortiNAC web server.

 

From the host CMD:
 
telnet fnac.eb.eu 80
 
Packet capture in FortiNAC:
 
tcpdump -i any port 80 -nnv
11:04:44.191833 IP (tos 0x0, ttl 64, id 16233, offset 0, flags [DF], proto TCP (6), length 461)
    10.0.0.5.80 > 10.1.3.11.53460: Flags [P.], cksum 0x18d0 (incorrect -> 0x8bd2), seq 1:422, ack 4, win 229, length 421: HTTP, length: 421
        HTTP/1.1 400 Bad Request
        Date: Tue, 31 Oct 2023 10:04:44 GMT
        Server: Apache
        X-Frame-Options: SAMEORIGIN
        Content-Length: 226
        Connection: close
        Content-Type: text/html; charset=iso-8859-1
        <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
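The same port check, scripted for an end host with a Linux or macOS shell, as an added example that is not part of the original article. It assumes curl (or, failing that, nc) is installed; getent is used for the name-resolution step only where it exists. The host name fnac.eb.eu is the article's placeholder, not a real server. Like the telnet test, it treats any HTTP status, including 400, as proof that the port is open.

```shell
# Added example (not from the FortiNAC article): probe TCP/80 from an end host
# and interpret the result the way the telnet test above is interpreted.
# HOST is the address the agent uses for FortiNAC. Assumptions: curl or nc is
# installed; getent is optional and only used for the name-resolution check.
#
# Output (one line):
#   unresolved     the name does not resolve on this host
#   open <code>    TCP connect succeeded and an HTTP status came back
#                  (a 400 for a bare request still counts as open)
#   blocked        no TCP connection within the timeout
#   no-tool        neither curl nor nc is available
fnac_http_probe() {
    host=$1
    port=${2:-80}

    # Name resolution first: the agent talks to the FortiNAC host name, so a
    # resolver problem on the end host would otherwise look like a blocked port.
    if command -v getent >/dev/null 2>&1; then
        case "$host" in
            *[!0-9.]*)  # not a dotted IPv4 literal, so it has to resolve
                getent hosts "$host" >/dev/null 2>&1 || { echo unresolved; return 1; }
                ;;
        esac
    fi

    if command -v curl >/dev/null 2>&1; then
        # curl reports http_code 000 when the TCP connection itself fails;
        # any real status (200, 400, 404, ...) means Apache on FortiNAC answered.
        code=$(curl -s -o /dev/null --connect-timeout 3 --max-time 5 \
                    -w '%{http_code}' "http://$host:$port/" 2>/dev/null || true)
        case "$code" in
            000|'') echo blocked; return 1 ;;
            *)      echo "open $code"; return 0 ;;
        esac
    elif command -v nc >/dev/null 2>&1; then
        # nc -z only completes the TCP handshake; no HTTP status is available.
        if nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
            echo "open -"; return 0
        fi
        echo blocked; return 1
    fi
    echo no-tool; return 2
}

# Typical use from the end host (placeholder name from the article):
#   fnac_http_probe fnac.eb.eu 80
```

A result of "blocked" on the end host while the tcpdump on FortiNAC shows nothing arriving points at a firewall or routing problem between the two; "unresolved" points at DNS on the end host rather than at the port.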
 

Even when communication is working normally, the following error may still appear:

 
agent fail.PNG
 
The 'Primary Host Name' must also be set in the FortiNAC configuration, as shown below:
 
primary host name.PNG
 
To gain a better understanding, enable the AgentUpdate debug and follow the master log:
 
nacdebug -name AgentUpdate true
logs

tf output.master
yams.AgentUpdate FINER :: 2023-10-31 11:08:49:975 :: #845 :: agentCommunicated called for 158
yams.AgentUpdate FINER :: 2023-10-31 11:08:49:976 :: #449 :: Took id 158
yams.AgentUpdate FINER :: 2023-10-31 11:09:42:765 :: #845 :: timeLeft = 90000
...
yams.AgentUpdate FINER :: 2023-10-31 11:09:55:461 :: #823 :: agentCommunicated called for 158
yams.AgentUpdate FINER :: 2023-10-31 11:09:55:461 :: #449 :: Took id 158
yams.AgentUpdate FINER :: 2023-10-31 11:09:55:461 :: #845 :: version = 9.4.0.93
yams.AgentUpdate FINER :: 2023-10-31 11:09:55:461 :: #845 :: newVersion = 9.4.0.93
 

In the log above, the host reports version 9.4.0.93, matching newVersion: the agent was updated silently on the end host.

From the packet capture, it is also possible to see the request and response:

 

11:11:03.696251 IP (tos 0x0, ttl 126, id 64952, offset 0, flags [DF], proto TCP (6), length 284)
10.1.3.11.53471 > 10.0.0.5.80: Flags [P.], cksum 0x8417 (correct), seq 1:245, ack 1, win 1025, length 244: HTTP, length: 244
GET /remediation/agent/download?type=p&os=Windows&agentID=c62d4840-b97b-4bc8-8f97-773d926814c9 HTTP/1.1
Host: fnac.eb.eu
User-Agent: BSC Agent
Accept: */*
X-BNUserAgent: Bradford-Agent/9.4.0.93 (Windows 10 Pro 6.3 22H2 10.0.19045.3570;)

11:11:03.696262 IP (tos 0x0, ttl 64, id 23471, offset 0, flags [DF], proto TCP (6), length 40)
10.0.0.5.80 > 10.1.3.11.53471: Flags [.], cksum 0x172b (incorrect -> 0x20d1), ack 245, win 237, length 0
11:11:03.781351 IP (tos 0x0, ttl 64, id 23472, offset 0, flags [DF], proto TCP (6), length 6950)
10.0.0.5.80 > 10.1.3.11.53471: Flags [.], cksum 0x3229 (incorrect -> 0xb3d5), seq 1:6911, ack 245, win 237, length 6910: HTTP, length: 6910
HTTP/1.1 200 OK
Date: Tue, 31 Oct 2023 10:11:03 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
Content-Disposition: attachment;filename="FortiNAC Persistent Agent.exe"
Content-Type: application/octet-stream
Content-Length: 6102648
Set-Cookie: JSESSIONID=A66D1428BF5093D0A971DE7D045C665C; Path=/remediation; HttpOnly;HttpOnly

 

Agent Update can also be enabled as a global option (it is disabled by default). FortiNAC then makes up to three update attempts per host, roughly every 15 minutes. For hosts that failed to update the agent within those attempts, the 'Reset Counter' button grants three new attempts.

 

auto-update.PNG

The auto-update procedure as seen in the logs:

 

yams.AgentUpdate FINER :: 2023-10-31 13:51:31:537 :: #844 :: agentCommunicated called for 158
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:537 :: #449 :: Took id 158
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:538 :: #449 :: needsUpdate() platform = Windows
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:538 :: #449 :: upd version = 9.4.2.99
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:538 :: #449 :: host version = 9.4.1.98
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:538 :: #449 :: Host 158 needs update = true
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:539 :: #449 :: Needs update id: -1, attempts: 0, lastKnownVersion: 0.0.0.0
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:643 :: #449 :: updateAttempt called with id: 158, attempts: 1, lastKnownVersion: 9.4.1.98
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:446 :: #820 :: agentCommunicated called for 158
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:446 :: #449 :: Took id 158
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:446 :: #449 :: needsUpdate() platform = Windows
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:452 :: #449 :: upd version = 9.4.2.99
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:453 :: #449 :: host version = 9.4.2.99
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:453 :: #449 :: Host 158 needs update = false
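When many hosts are updating, reading the AgentUpdate debug line by line does not scale. The following is an added example, not part of the article or of FortiNAC, that summarises the debug output shown in the two log excerpts above (the manual 'Update Persistent Agent' and the global auto-update) per host. It assumes only the line formats visible in the article ("Took id N", "upd version = X", "host version = X", "Host N needs update = true|false", "updateAttempt called with id: N, attempts: K, ...") and the three-attempt limit the article states; the sample log it ships with is constructed in that format, not a real capture.

```shell
# Added example (not from the FortiNAC article): summarise the AgentUpdate
# debug output per host. Feed it the lines written to output.master after
#   nacdebug -name AgentUpdate true
# on stdin. Assumption: the line formats are the ones shown in the article;
# the attempt limit defaults to the 3 the article states ($1 overrides it).
#
# Prints one line per host: <id> <status> host=<ver> target=<ver> attempts=<n>
#   updated    needed an update and later reported "needs update = false"
#   current    never needed an update
#   pending    update attempted, agent has not checked back in yet
#   exhausted  reached the attempt limit; use 'Reset Counter' in the GUI
fnac_agent_update_status() {
    awk -v max="${1:-3}" '
        /Took id [0-9]+/   { cur = $NF }           # host the following lines refer to
        /upd version = /   { target = $NF }        # version in the distribution directory
        /host version = /  { hostver[cur] = $NF }  # version the agent reported
        /Host [0-9]+ needs update = / {
            id = $0; sub(/.*Host /, "", id); sub(/ .*/, "", id)
            hosts[id] = 1
            if ($NF == "true") { needed[id] = 1; delete done[id] } else { done[id] = 1 }
        }
        /updateAttempt called with id:/ {
            id = $0; sub(/.*id: /, "", id); sub(/,.*/, "", id)
            a  = $0; sub(/.*attempts: /, "", a); sub(/,.*/, "", a); a += 0
            hosts[id] = 1; needed[id] = 1
            if (a > attempts[id]) attempts[id] = a  # keep the highest attempt counter seen
        }
        END {
            for (id in hosts) {
                if ((id in done) && (id in needed))  status = "updated"
                else if (id in done)                 status = "current"
                else if (attempts[id] + 0 >= max)    status = "exhausted"
                else                                 status = "pending"
                printf "%s %s host=%s target=%s attempts=%d\n",
                       id, status, hostver[id], target, attempts[id] + 0
            }
        }' | sort -n
}

# Constructed sample in the article's log format (not a real capture): host 158
# updates on the first attempt, 160 uses up all three attempts, 161 has one
# attempt outstanding, 162 was already current.
sample_agentupdate_log() {
    cat <<'EOF'
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:537 :: #449 :: Took id 158
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:538 :: #449 :: upd version = 9.4.2.99
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:538 :: #449 :: host version = 9.4.1.98
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:538 :: #449 :: Host 158 needs update = true
yams.AgentUpdate FINER :: 2023-10-31 13:51:31:643 :: #449 :: updateAttempt called with id: 158, attempts: 1, lastKnownVersion: 9.4.1.98
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:446 :: #449 :: Took id 158
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:452 :: #449 :: upd version = 9.4.2.99
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:453 :: #449 :: host version = 9.4.2.99
yams.AgentUpdate FINER :: 2023-10-31 13:51:44:453 :: #449 :: Host 158 needs update = false
yams.AgentUpdate FINER :: 2023-10-31 13:52:01:100 :: #449 :: Took id 160
yams.AgentUpdate FINER :: 2023-10-31 13:52:01:101 :: #449 :: host version = 9.4.1.98
yams.AgentUpdate FINER :: 2023-10-31 13:52:01:101 :: #449 :: Host 160 needs update = true
yams.AgentUpdate FINER :: 2023-10-31 13:52:01:200 :: #449 :: updateAttempt called with id: 160, attempts: 1, lastKnownVersion: 9.4.1.98
yams.AgentUpdate FINER :: 2023-10-31 13:53:10:000 :: #449 :: Took id 161
yams.AgentUpdate FINER :: 2023-10-31 13:53:10:001 :: #449 :: host version = 9.4.0.93
yams.AgentUpdate FINER :: 2023-10-31 13:53:10:001 :: #449 :: Host 161 needs update = true
yams.AgentUpdate FINER :: 2023-10-31 13:53:10:100 :: #449 :: updateAttempt called with id: 161, attempts: 1, lastKnownVersion: 9.4.0.93
yams.AgentUpdate FINER :: 2023-10-31 13:54:00:000 :: #449 :: Took id 162
yams.AgentUpdate FINER :: 2023-10-31 13:54:00:001 :: #449 :: host version = 9.4.2.99
yams.AgentUpdate FINER :: 2023-10-31 13:54:00:001 :: #449 :: Host 162 needs update = false
yams.AgentUpdate FINER :: 2023-10-31 14:07:01:200 :: #449 :: updateAttempt called with id: 160, attempts: 2, lastKnownVersion: 9.4.1.98
yams.AgentUpdate FINER :: 2023-10-31 14:22:01:200 :: #449 :: updateAttempt called with id: 160, attempts: 3, lastKnownVersion: 9.4.1.98
EOF
}

# Usage: sample_agentupdate_log | fnac_agent_update_status
# On FortiNAC, pipe the AgentUpdate lines from output.master into it instead.
```

Hosts reported as "exhausted" are the ones the 'Reset Counter' button is for; "pending" hosts have simply not checked in since the last attempt, and "updated" hosts show the reported host version equal to the target version.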

 

More information can be found in the Persistent Agent Deployment and Configuration guide.