Hello,
I'm still new to FortiNAC,I did configure endpoint compliance schedule rescan each two 2 minutes(For testing), when i disable a specific service on the machine the rescan does not mark the host as At Risk and the verse versa with safe state even in the event it does trigger the scan, when i do a scan host manually it detect the service down or up.
My Endpoint Compliance policies as bellow:
ECP-AtRisk Host:Security Status:At-Risk And Type : Registered Host or Device
ECP-Rescan-Safe Host:Security Status:Safe And Type : Registered Host or Device
the Scheduled rescan:
Thank you!
Regards!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I tested the same in my lab and it looks like 2 minutes is set too aggressive (even the result maybe is not possible to get back to FNAC in such a short period). You can test it with 15 minutes at least. You should check the events named "Security Risk Host" and "Host Passed Security Test", this will show you the actual scan performed.
If you go to Hosts, find the test host and check r-click "Policy Details". In Endpoint Compliance tab do you see "OS-Win10-check" as Scan Name?
Yes i do see it, if i perform scan host manually it does check the compliance and switch the vlan.
I tested the same in my lab and it looks like 2 minutes is set too aggressive (even the result maybe is not possible to get back to FNAC in such a short period). You can test it with 15 minutes at least. You should check the events named "Security Risk Host" and "Host Passed Security Test", this will show you the actual scan performed.
Thank you for your response and sorry for being late, that make sense i'll try the 15min as a rescan timer.
Please is it supported to use a delayed scan only for the update signature for specific antivirus?, like:
Check Win10-OS if scan fail Remediate -> Remediation vlan
-> On success perform symantec antivirus scan which is a profile separated from Win10-OS but only for signature if not up to date, the enforcement delayed with 2 days, if the symantec antivirus is not installed remediate immediately.
Thanks and Regards!
There is this feature that allows to match the signature with a buffer from 1 to 3 weeks
https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/67789/auto-definition-updates
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.