jbrines
New Contributor II

FortiNAC Compliance Send a message if Windows OS is not up to date

Hi Guys,

New to FortiNAC.

Looking to do a compliance check using the Persistent Agent to detect if the Windows OS is up to date and, if it isn't, send a message telling the user to update.

The end goal after this would be to keep the computer in the Registration VLAN, which would have access to our WSUS server where they could download and update their computer.

John

AEK
SuperUser

Hello John

When configuring the endpoint compliance, go to the "Windows" tab, category Operating-System, and select all Windows versions you want.

epcomp.png

Then, to configure the "update" policy, click on the operating system name you want (e.g. "Windows-11" in blue) and select how the compliance check handles the Windows patches and updates.

Then, in order to put a client in quarantine when it is not compliant, configure the isolation VLAN number (or name) of the "Quarantine" in the model configuration of the switch or AP.

isol.png

Also, in the L2 device (switch port or SSID), edit the group membership and add "Forced Remediation".

portgrp.png

For your client to be able to access the WSUS server when it is in the quarantine VLAN, you need to open the required flow from the quarantine VLAN to the WSUS server (or a specific destination on the WAN).

jbrines
New Contributor II

Hi @AEK,

Thanks for this.

To start with, I would like to send notifications to the computers first; once I am happy that is working, I could do the quarantine part after that.

For the VLAN part I will discuss with our Manage FortiGate Services Team to set up the access to the WSUS server.

Thanks

John

AEK

Hi John

For the notifications, go to Logs > Events & Alarms > Mappings; there you should find an event on "compliance failure" (I don't have the event name). Otherwise click "Add" to create it (or any other event you need), and configure any notification you want for the event.

Also, as far as I remember, once a user is quarantined he should automatically see a portal where he can read the reason for which he is quarantined. Sorry, I don't remember well because I haven't used FNAC in a while.
ebilcari

Usually this is done through the remediation portal. The browser will be redirected to the appropriate page mentioning the Scan that has failed and the reason behind it. An internal or external page can also be added to include more details or the steps to follow, as shown here: Scan Failure Link Label.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
jbrines
New Contributor II

Hi @ebilcari,

Do you mean one of these?

Screenshot 2025-04-03 155154.jpg

ebilcari

With the default portal settings it will also work. There is a built-in page for Remediation that can also be customized if required. The content and the redirection URL need to be inserted in the Scan configuration:

failure.PNG

Scan Failure Link Label

Label displayed on the failure page when a network user's PC has failed a scan. If no label is provided, the scan name is used. The label or scan name is a link that takes the user to a page indicating why the PC has failed the scan.

- Emirjon