Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jucker
New Contributor III

FortiNAC Need help on Persistent Agent Rescan Safe/At Risk state

Hello,

I'm still new to FortiNAC,I did configure endpoint compliance schedule rescan each two 2 minutes(For testing), when i disable a specific service on the machine the rescan does not mark the host as At Risk and the verse versa with safe state even in the event it does trigger the scan, when i do a scan host manually it detect the service down or up.

 

Fortinac Rescan.JPG

My Endpoint Compliance policies as bellow:

ECP-AtRisk Host:Security Status:At-Risk And Type : Registered Host or Device

ECP-Rescan-Safe Host:Security Status:Safe And Type : Registered Host or Device

the Scheduled rescan:

Fortinac Rscan.JPG

 

Thank you!

Regards!

1 Solution
ebilcari

I tested the same in my lab and it looks like 2 minutes is set too aggressive (even the result maybe is not possible to get back to FNAC in such a short period). You can test it with 15 minutes at least. You should check the events named "Security Risk Host" and "Host Passed Security Test", this will show you the actual scan performed.

skan.PNG

 

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

5 REPLIES 5
ebilcari
Staff
Staff

If you go to Hosts, find the test host and check r-click "Policy Details". In Endpoint Compliance tab do you see "OS-Win10-check" as Scan Name?

scan name.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Jucker
New Contributor III

Yes i do see it, if i perform scan host manually it does check the compliance and switch the vlan.

ebilcari

I tested the same in my lab and it looks like 2 minutes is set too aggressive (even the result maybe is not possible to get back to FNAC in such a short period). You can test it with 15 minutes at least. You should check the events named "Security Risk Host" and "Host Passed Security Test", this will show you the actual scan performed.

skan.PNG

 

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Jucker
New Contributor III

Thank you for your response and sorry for being late, that make sense i'll try the 15min as a rescan timer.

Please is it supported to use a delayed scan only for the update signature for specific antivirus?, like:

Check Win10-OS if scan fail Remediate -> Remediation vlan

-> On success perform symantec antivirus scan which is a profile separated from Win10-OS but only for signature if not up to date, the enforcement delayed with 2 days, if the symantec antivirus is not installed remediate immediately.
Thanks and Regards!

ebilcari

There is this feature that allows to match the signature with a buffer from 1 to 3 weeks

week.PNG

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/67789/auto-definition-updates

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors