Fortinet Forum
AEK
Contributor II

FortiNAC // App threat score

Hello Fortinet community

We have FortiNAC 9.2, license Pro.

FortiNAC has an application inventory for clients with the persistent agent.

In the meantime, and according to the admin guide, it has an app threat score for each inventoried app.

 

The only way to use it seems to be in User-Host Policy.

 

1st question: Why is the app threat score always empty, and why doesn't it work when used within UHP, unless we apply Threat Override?

 

2nd question: In case this feature really works, what would be the best way to use it to mark a host as "At Risk" when the FNAC agent finds it in the inventory?

 

Remark: In the FortiNAC 9.x admin guide, regarding the use of the app threat score, it seems that there are some residual procedures from version 8.x that are not valid for 9.x anymore.

 

Any help would be welcome.

 

Thanks in advance.

AEK

Anonymous
Not applicable

Hello @AEK,

 

Thank you for using the Fortinet Community forum. We hope that fellow Fortinet Community members share their insights on your query which will be of help to you.

ethomollari
Staff


I think you are looking for automated threat response


https://docs.fortinet.com/document/fortinac/9.1.0/administration-guide/328047/automated-threat-respo...

FOS has several security levels that are sent to FNAC

FNAC itself should be configured with security rules / triggers / actions

https://docs.fortinet.com/document/fortinac/9.1.0/administration-guide/27956/security-rules

ethomollari
Staff


If you are doing integration with syslog, then these conditions must be met:

1. System > Settings > System communication > syslog file

2. Sending device must be modeled as pingable device

3. The incoming events setting on the element tab must be set to Syslog

4. Select the syslog file from the drop-down menu

 

It is also explained in the NSE6 FNAC training, publicly accessible online

AEK
Contributor II

Hello Ethomollari

Thanks for your response.

I have a Pro license with the Security Incidents license enabled. However, I can't find where to configure the Threat Analysis Engines, even though it is mentioned in the documentation. I think the admin guide for version 9 references some features of version 8 that no longer exist in v9.

On the other hand, configuring a syslog device (e.g. FortiGate) can't feed the App Threat Score. I think this score is acquired from a special appliance (unknown to me) or may be acquired from FortiGuard. This is still not clear to me: there is nowhere to configure it and there is not enough explanation in the admin guide.

I also read the whole FNAC NSE6 doc but I've found this feature very poorly documented.