Hi
I want to achieve this :
When a registered host is connected, it's first put in the isolation VLAN until it passes endpoint compliance. Is this possible? I have set the default VLAN as isolation; however, when a registered host connects, it's moved from isolation -> production and then isolated.
Thanks
Yes, I agree. This may be a bit drastic, also from the user experience side: users need to wait at least 1-2 minutes each time they reconnect to the network for the scan to finish and the network change to happen (quarantine -> production).
This approach may be feasible and can be configured for some of the segments in the network that require security over availability. This will prevent a non-compliant host from ever reaching the production network.
The mapping rule can be limited to a specific host group.
That will depend on the method used for registration. In order to directly isolate (quarantine VLAN) before registering the host, the registration should be handled by the Persistent Agent. An endpoint compliance policy and a dedicated Scan should be created with the following condition:
Hi
That's there.
In the case of the PA there is a note: Persistent Agent always registers and marks at risk. Make sure that the hosts are registered only through the agent (no registration through DPR, dot1x, portal etc.) and that the remediation is configured and enforced while the host is still in the rogue state.
If the host is already registered, FortiNAC will not put it back into the Registration VLAN in order to Scan it.
Scanning while host is in Isolation/registration VLAN happens only when a host is initially learned as a rogue. This is the scenario where the setting "Scan before Registering" will be applied. So the rogue will be registered only if it passes the scan.
But if the host is already registered, this setting has no relevance since the host has already passed this step of registration before. FortiNAC will proactively scan it and move the host into remediation if the scan fails and the host is marked "At Risk".
So in summary, registered hosts will be scanned while they are in their current production VLAN, and if the scan fails, the host is put into the Remediation VLAN.
A rogue will be scanned while in Isolation VLAN. If the scan fails, they are not registered but remediated (as per your settings).
This article might give a better idea of the host states in FortiNAC: https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-State-based-Control-concept-and-VLAN-chan...
In addition, if you want to always scan the hosts before they can join the network, even for already registered hosts, you may follow the same approach as here. Create a Mapping to change the status of the host to At Risk as soon as the host gets disconnected from the network:
So next time the host joins the network, it has to pass the scan in order to change its status and to be moved from Quarantine to Production VLAN.
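A small Python model of the host-state behaviour the replies above describe, added here as an illustration and not FortiNAC code: the state names, the `mark_at_risk_on_disconnect` switch and the event replay are assumptions that mirror the thread, not product settings. It shows why a registered host is never sent back to isolation by default, and how the "mark At Risk on disconnect" mapping forces a scan in remediation on the next connect.

```python
from dataclasses import dataclass


@dataclass
class Host:
    registered: bool = False   # False means the host is still a rogue
    at_risk: bool = False      # set by a failed scan or by the mapping rule
    vlan: str = "none"


@dataclass
class Nac:
    # Assumed switch for the "mark At Risk on disconnect" mapping from the thread
    mark_at_risk_on_disconnect: bool = False

    def connect(self, h: Host) -> str:
        # Rogues land in isolation; registered hosts go to production unless At Risk
        if not h.registered:
            h.vlan = "isolation"
        elif h.at_risk:
            h.vlan = "remediation"
        else:
            h.vlan = "production"
        return h.vlan

    def scan(self, h: Host, passed: bool) -> str:
        # A rogue is registered only if it passes ("Scan before Registering");
        # a registered host is sent to remediation only if it fails.
        if passed:
            h.registered, h.at_risk, h.vlan = True, False, "production"
        else:
            h.at_risk, h.vlan = True, "remediation"   # rogue stays unregistered
        return h.vlan

    def disconnect(self, h: Host) -> None:
        if self.mark_at_risk_on_disconnect and h.registered:
            h.at_risk = True   # forces a scan in remediation at the next connect
        h.vlan = "none"


def run(nac: Nac, h: Host, events) -> list:
    """Replay ("connect",), ("scan", passed) and ("disconnect",) events; return the VLAN trail."""
    trail = []
    for ev in events:
        if ev[0] == "connect":
            trail.append(nac.connect(h))
        elif ev[0] == "scan":
            trail.append(nac.scan(h, ev[1]))
        else:
            nac.disconnect(h)
    return trail
```

Running `run(Nac(mark_at_risk_on_disconnect=True), Host(registered=True), [("connect",), ("disconnect",), ("connect",), ("scan", True)])` yields the production -> remediation -> production trail the mapping approach produces, while the same events with the default `Nac()` never leave production.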
This can work; however, I am not sure how feasible this configuration would be in a busy environment.
A user might connect/disconnect to the network multiple times a day. Each time the host is marked "At Risk" when it disconnects, FortiNAC will also change the VLAN of the port to remediation when they connect. Now imagine multiple users triggering such changes frequently. This can take not only FortiNAC resources but also generate a lot of network traffic and probably affect user functionality. But still, it depends on how busy the environment is.
The other problem is that this configuration makes the feature "Scan on Connect" useless. "Scan on Connect" is applied only to registered hosts once they reconnect to the network. So each time a registered host will reconnect, it will be scanned.
https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/862957/scan-on-connect
If a registered host has the Persistent Agent installed and Scan on Connect is enabled for the Scan that applies to this host, then the host is scanned. When the host disconnects from the network, the Persistent Agent modifies that host's Scan on Connect status to indicate that the host should be scanned again the next time it connects. If the host has more than one interface, such as wired and wireless, the host is scanned regardless of which one is used.
With this feature enabled, I find it unnecessary why there is a need from @Partisan44 to have registered hosts scanned in isolation/remediation.
Thank you!