FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.

This article discusses the behavior where Linux hosts running CrowdStrike Falcon sensor 6.11 and later are not being detected by the agent.

This causes hosts running CrowdStrike Falcon to incorrectly fail scans.


The following changes were made in CrowdStrike version 6.11+:


- The service now runs as root. The agent does not have permission to validate the service is running.


- Directory capitalization has changed from 'Crowdstrike' to 'CrowdStrike'.


This prevents the appliance from searching for the correct service name.

Scope: Agent 5.2.6 and greater.


1) Make modifications in the appliance such that it looks for the correct service.

- Log in to the appliance CLI as root.
- Modify /bsc/campusMgr/agent/templates/Linux/Anti-Virus/Crowdstrike-Falcon/crowdstrike.xml to look for /opt/CrowdStrike/falconctl


Find the entry:
script="/opt/Crowdstrike/falconctl -g


Change to:

script="/opt/CrowdStrike/falconctl -g

2) Clear the cached policies to re-read from the templates. Type
AgentTool policy -refresh

Contact Support if assistance is required.

3) On the host system, for Agent 5.2.6:


RPM/systemd installs:
- Type
sudo systemctl edit bndaemon.service

- Add this to the file (systemd only applies User= when it sits under the [Service] section header):
[Service]
User=(Insert user with high enough permissions ex. root)

- Restart the agent
sudo systemctl restart bndaemon


This creates a file in /etc/systemd/system/bndaemon.service that could be deployed to other hosts if the machines are centrally managed.


dpkg installs:
- Type
edit /etc/default/bndaemon

- Change DAEMON_USER appropriately.

DAEMON_USER=(Insert user with high enough permissions ex. root)
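
The template change in step 1 can be scripted so that it is repeatable and leaves a rollback copy. The following is an added example, not Fortinet code; the function name fix_falcon_template and the .bak/.new file suffixes are assumptions, and only the two falconctl paths come from this article.

```shell
#!/bin/sh
# Added example (not Fortinet code). The two paths are the ones from step 1.
OLD_PATH='/opt/Crowdstrike/falconctl'
NEW_PATH='/opt/CrowdStrike/falconctl'

# fix_falcon_template FILE   (hypothetical helper name)
# Returns 0 if FILE was changed, 1 if there was nothing to change,
# 2 on error. A copy of the original is kept as FILE.bak.
fix_falcon_template() {
    tmpl=$1
    [ -f "$tmpl" ] && [ -w "$tmpl" ] || { echo "cannot write $tmpl" >&2; return 2; }

    # grep -F is a fixed-string, case-sensitive match, so only the old
    # capitalization ('Crowdstrike') is found here.
    if ! grep -qF "$OLD_PATH" "$tmpl"; then
        echo "no '$OLD_PATH' entries in $tmpl, nothing to do"
        return 1
    fi

    cp -p "$tmpl" "$tmpl.bak" || return 2

    # Write to a scratch file first so a failed sed never truncates the template.
    sed "s#$OLD_PATH#$NEW_PATH#g" "$tmpl.bak" > "$tmpl.new" || { rm -f "$tmpl.new"; return 2; }

    # cat into the existing file keeps its owner and mode unchanged.
    cat "$tmpl.new" > "$tmpl" && rm -f "$tmpl.new" || return 2

    # Verify the result; restore the backup if the old path is still present.
    if grep -qF "$OLD_PATH" "$tmpl"; then
        cp -p "$tmpl.bak" "$tmpl"
        echo "verification failed, restored $tmpl from backup" >&2
        return 2
    fi

    echo "updated $(grep -cF "$NEW_PATH" "$tmpl") line(s) in $tmpl; backup at $tmpl.bak"
    return 0
}
```

Run it as root on the appliance against the crowdstrike.xml template named in step 1, then refresh the cached policies as in step 2.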