Partisan44

FORTINAC - PUT REGISTERED HOSTS IN ISOLATION VLAN

Hi 

 

I want to achieve this:

When a registered host is connected, it's first put in the isolation VLAN until it passes endpoint compliance. Is this possible? I have set the default VLAN as isolation; however, when a registered host connects, it's moved from isolation -> production and then isolated.

Thanks 


ebilcari
Staff

That will depend on the method used for registration. In order to directly isolate (quarantine VLAN) before registering the host, the registration should be handled by the Persistent Agent. An endpoint compliance policy and a dedicated Scan should be created with the following condition:

scan before.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Partisan44

Hi 

That's there

 

Scan.JPG

ebilcari

In case of PA there is a note: the Persistent Agent always registers and marks at risk. Make sure that the hosts are registered only through the agent (no registration through DPR, dot1x, portal etc.) and the remediation is configured and enforced while the host is still in the rogue state.

- Emirjon
Hatibi
Staff

If the host is already registered, FortiNAC will not put it back into the Registration VLAN in order to Scan it. 

 

Scanning while host is in Isolation/registration VLAN happens only when a host is initially learned as a rogue. This is the scenario where the setting "Scan before Registering" will be applied. So the rogue will be registered only if it passes the scan.

But if the host is already registered, this setting has no relevance since the host has already passed this step of registration before. FortiNAC will proactively scan it and move the host in remediation if the scan fails and host is marked "At Risk".

 

So in summary, the registered host will be scanned while they are in their current production VLAN and if the scan fails, then the host is put into Remediation VLAN.

A rogue will be scanned while in Isolation VLAN. If the scan fails, they are not registered but remediated (as per your settings). 

 

This article might give a better idea of the host states in FortiNAC: https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-State-based-Control-concept-and-VLAN-chan...

 

ebilcari

In addition, if you want to always scan the hosts before they can join the network, even for already registered hosts, you may follow the same approach as here. Create a Mapping to change the status of the host to At-Risk as soon as the host gets disconnected from the network:

at-risk.PNG

 

So next time the host joins the network, it has to pass the scan in order to change its status and to be moved from Quarantine to Production VLAN.

- Emirjon
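The two flows described in this thread (Hatibi's state-based scanning of rogues versus registered hosts, and ebilcari's "mark At-Risk on disconnect" mapping) can be traced with a small model. This is an added illustration, not FortiNAC code: the `Host`/`Policy` fields and the `scan_on_connect` flag are assumptions that stand in for the product's host state, and VLAN names are placeholders.

```python
from dataclasses import dataclass

ISOLATION, PRODUCTION, REMEDIATION = "isolation", "production", "remediation"


@dataclass
class Host:
    registered: bool = False       # rogue until registered (here: via the Persistent Agent)
    at_risk: bool = False          # failed, or deliberately pending, compliance scan
    scan_on_connect: bool = True   # assumed flag the agent re-arms on disconnect


@dataclass
class Policy:
    port_default: str = ISOLATION         # switch-port VLAN before FortiNAC decides (OP's setup)
    at_risk_on_disconnect: bool = False   # the mapping rule proposed in the thread


def vlan_for(host: Host) -> str:
    """State-based VLAN choice: at-risk -> remediation, rogue -> isolation, else production."""
    if host.at_risk:
        return REMEDIATION
    return PRODUCTION if host.registered else ISOLATION


def _append(path: list, vlan: str) -> None:
    if path[-1] != vlan:               # record only actual VLAN changes
        path.append(vlan)


def connect(host: Host, policy: Policy, scan_passes: bool) -> list:
    """Return the sequence of VLANs a host sees during one connection."""
    path = [policy.port_default]
    _append(path, vlan_for(host))      # FortiNAC's first decision on connect
    if not host.registered:
        # Rogue: scanned while still isolated ("Scan before Registering");
        # it is registered only on pass, remediated on fail.
        host.registered, host.at_risk = scan_passes, not scan_passes
    elif host.scan_on_connect or host.at_risk:
        # Registered: scanned in its current VLAN; moved only if the result changes its state.
        host.at_risk = not scan_passes
    host.scan_on_connect = False
    _append(path, vlan_for(host))
    return path


def disconnect(host: Host, policy: Policy) -> None:
    host.scan_on_connect = True        # agent re-arms Scan on Connect
    if policy.at_risk_on_disconnect and host.registered:
        host.at_risk = True            # next connect lands in quarantine until the scan passes


def simulate(policy: Policy, scan_results: list, host: Host = None) -> list:
    """Run connect/disconnect cycles for one host; returns the VLAN path per connection."""
    host = host or Host()
    paths = []
    for passes in scan_results:
        paths.append(connect(host, policy, passes))
        disconnect(host, policy)
    return paths
```

With the default policy a registered host that fails shows exactly the OP's observation (isolation -> production -> remediation), while with `at_risk_on_disconnect=True` it starts in remediation and is promoted only after a passing scan.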
Hatibi

This can work; however, I am not sure how feasible this configuration would be in a busy environment.

A user might connect/disconnect to the network multiple times a day. Each time the host is marked "At risk" when it disconnects, FortiNAC will also change the VLAN of the port to remediation when they connect. Now imagine multiple users triggering such changes frequently. This can not only consume FortiNAC resources but also generate a lot of network traffic and probably affect user functionality. But still, it depends on how busy the environment is.

 

The other problem is that this configuration makes the feature "Scan on Connect" useless. "Scan on Connect" is applied only to registered hosts once they reconnect to the network. So each time a registered host will reconnect, it will be scanned.

https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/862957/scan-on-connect

 

If a registered host has the Persistent Agent installed and Scan on Connect is enabled for the Scan that applies to this host, then the host is scanned. When the host disconnects from the network, the Persistent Agent modifies that host's Scan on Connect status to indicate that the host should be scanned again the next time it connects. If the host has more than one interface, such as wired and wireless, the host is scanned regardless of which one is used.

 

With this feature enabled, I find it unnecessary why there is a need from @Partisan44 to have registered hosts scanned in isolation/remediation.

ebilcari

Yes, I agree; this may be a bit drastic also for the user experience, as users need to wait at least 1-2 minutes each time they reconnect to the network for the Scan to finish and the network change to happen (quarantine -> production).

This approach may be feasible and can be configured for some of the segments in the network that require security over availability. This will prevent a non-compliant host from ever reaching the production network.

The mapping rule can be limited to a specific host group.

- Emirjon
Partisan44

Thank you!
