Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tagayev
New Contributor II

Created on ‎08-18-2024 01:31 AM

FortiNAC Persistent Agent vs. FortiClient for Network Access Control

Hello Fortinet Community,

 

I'm seeking advice on the best approach to secure our network. Our goal is to allow access only to domain-joined PCs and implement compliance checks.

We currently have FortiClient installed on all user devices, and I’m trying to determine if we also need the FortiNAC Persistent Agent, or if integrating FortiNAC with EMS would be sufficient.

Is there a comparison matrix available that highlights the features of the Persistent Agent and FortiClient specifically related to FortiNAC?

Any insights or best practices would be greatly appreciated.

 

Thank you!

FortiNAC FortiClient 

997
0 Kudos
3 Solutions
ebilcari
Staff
Staff

Created on ‎08-20-2024 01:20 AM

FNAC integration with EMS is treated as an MDM integration and mainly is used to facilitate the host registration process and checking the compliant or compromised status of the host. If the host status is not compliant a policy can be applied to isolate the host at L2 level (VLAN switching), more info on the guide page 10-11.

 

host-mdm.PNG

 

The PA is more flexible and offers a wide variety of options, you can read more about the Scan options in this section of the admin guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

881
ndumaj
Staff
Staff

Created on ‎08-20-2024 07:56 AM

Hello @tagayev 

As Emirjon explained, I would go with Persistent Agent.
Persistent Agent and FortiNAC speak the same language, they can be upgraded at the same time when you have to do that. Also with Persistent Agent, we can cover, so many features that cannot be included in FCT.

The most important thing is there is no need for an extra license.

BR

- Happy to help, hit like and accept the solution -

View solution in original post

855
Sx11
Staff
Staff

Created on ‎08-20-2024 08:52 AM

Hello tagayev,

 

if you already have an existing EMS environment then that is enough for FortiNAC to register MDM compliant endpoints and move the to the correct VLAN.

In this case the compliance part is covered by EMS itself where you use the Endpoint profiles to apply your Corporate restriction and compliance checks.

FortiNAC in this case will benefit in the fast process of Host Registration since it gets this info directly from EMS.

 

Both FortiClient and Persistent Agent are similar in the aspect that they can register hosts automatically and can collect application inventory. However the best solution in terms of security is to use both the MDM solution (which you already have) and additionally have custom scans and scheduled scans provided by the persistent agent. 

They will complement each-other in different areas of endpoint security posture.

 

Scan options for Persistent Agent: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/92047/add-or-modify-a-scan

Scan categories: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/241076/scan-categories

Custom scan use casehttps://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/605737/use-case

Advanced scans (chaining scans)https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/370093/chaining-configurati...

 

sx11

View solution in original post

836
0 Kudos
6 REPLIES 6
AEK
SuperUser
SuperUser

Created on ‎08-18-2024 04:23 AM

Hello Tagayev

In case you have FortiSwitch then you can use L2 NAC with FortiGate-FortiSwitch-Forticlient. Otherwise you cannot perform isolation at L2 level, but at L3 level only (via FGT and tags). That's the main difference with FortiNAC that does L2 isolation at switch level with any switch brand.

AEK
AEK
974
ebilcari
Staff
Staff

Created on ‎08-20-2024 01:20 AM

FNAC integration with EMS is treated as an MDM integration and mainly is used to facilitate the host registration process and checking the compliant or compromised status of the host. If the host status is not compliant a policy can be applied to isolate the host at L2 level (VLAN switching), more info on the guide page 10-11.

 

host-mdm.PNG

 

The PA is more flexible and offers a wide variety of options, you can read more about the Scan options in this section of the admin guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
882
ndumaj
Staff
Staff

Created on ‎08-20-2024 07:56 AM

Hello @tagayev 

As Emirjon explained, I would go with Persistent Agent.
Persistent Agent and FortiNAC speak the same language, they can be upgraded at the same time when you have to do that. Also with Persistent Agent, we can cover, so many features that cannot be included in FCT.

The most important thing is there is no need for an extra license.

BR

- Happy to help, hit like and accept the solution -
856
Sx11
Staff
Staff

Created on ‎08-20-2024 08:52 AM

Hello tagayev,

 

if you already have an existing EMS environment then that is enough for FortiNAC to register MDM compliant endpoints and move the to the correct VLAN.

In this case the compliance part is covered by EMS itself where you use the Endpoint profiles to apply your Corporate restriction and compliance checks.

FortiNAC in this case will benefit in the fast process of Host Registration since it gets this info directly from EMS.

 

Both FortiClient and Persistent Agent are similar in the aspect that they can register hosts automatically and can collect application inventory. However the best solution in terms of security is to use both the MDM solution (which you already have) and additionally have custom scans and scheduled scans provided by the persistent agent. 

They will complement each-other in different areas of endpoint security posture.

 

Scan options for Persistent Agent: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/92047/add-or-modify-a-scan

Scan categories: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/241076/scan-categories

Custom scan use casehttps://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/605737/use-case

Advanced scans (chaining scans)https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/370093/chaining-configurati...

 

sx11
837
0 Kudos
tagayev
New Contributor II

Created on ‎08-22-2024 02:11 AM

@ebilcari @ndumaj @Sx11 thank you very much for your prompt replies.

774
ndumaj
Staff
Staff
In response to tagayev

Created on ‎08-22-2024 02:14 AM

Dear @tagayev 

Thank you for your feedback,
It was a pleasure to assist you!

BR

- Happy to help, hit like and accept the solution -
766
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.