Hello Fortinet community
We have FortiNAC 9.2, license Pro.
FortiNAC has application inventory for clients with persistent agent.
In the meantime and according to admin guide, it has app threat score for each inventoried app.
The only way to use it seems in User-Host Policy.
1st question: Why app threat score is always empty, and doesn't work when used within UHP, unless we apply Threat Override?
2nd question: In case this feature really works, what can be the best way to use it to mark a host as "At Risk" when FNAC agent finds it in the inventory?
Remark: On FortiNAC 9.x admin guide about using app threat score, it seems that there are some residual procedures from version 8.x that are not valid for 9.x anymore.
Any help would be welcome.
Thanks in advance.
AEK
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 07-15-2022 03:44 AM
Hello @AEK,
Thank you for using the Fortinet Community forum. We hope that fellow Fortinet Community members share their insights on your query which will be of help to you.
Created on 08-14-2022 12:34 PM
I think you are looking for automated threat response
https://docs.fortinet.com/document/fortinac/9.1.0/administration-guide/328047/automated-threat-respo...
FOS has several security levels that are sent to FNAC
FNAC itself shoudl me configured with security rules / triggers / actions
https://docs.fortinet.com/document/fortinac/9.1.0/administration-guide/27956/security-rules
Created on 08-14-2022 12:35 PM
If you are doing integration with syslog then conditions must be met
1 .System > Settings > System communication > syslog file
2. Sending device must be modeled as pingable device
3. The incoming events setting on the element tab must be set to Syslog
4. Select the syslog file from the drop-down menu
It is also explained in the NSE6 , FNAC training publicly accesible online
Hello Ethomollari
Thanks for your response.
I have Pro license with the Security Incidents license enabled. However I can't find where to configure the Threat Analysis Engines, even if it is mentioned on the documentation. I think the admin guide of version 9 is referencing some features of version 8 that are not existing on v9 anymore.
On the other hand, configuring syslog device (e.g.: FortiGate) can't feed App Threat Score, I think this score is acquired from a special appliance (unknown for me) or may probably be acquired from FortiGuard. This is still not clear for me, there is nowhere to configure it and there is no enough explanation in the admin guide.
I also read the whole FNAC NSE6 doc but I've found this feature very poorly documented.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.