tagayev
New Contributor II

FortiNAC Persistent Agent vs. FortiClient for Network Access Control

Hello Fortinet Community,

 

I'm seeking advice on the best approach to secure our network. Our goal is to allow access only to domain-joined PCs and implement compliance checks.

We currently have FortiClient installed on all user devices, and I’m trying to determine if we also need the FortiNAC Persistent Agent, or if integrating FortiNAC with EMS would be sufficient.

Is there a comparison matrix available that highlights the features of the Persistent Agent and FortiClient specifically related to FortiNAC?

Any insights or best practices would be greatly appreciated.

 

Thank you!



6 REPLIES
AEK
SuperUser

Hello Tagayev

In case you have FortiSwitch, then you can use L2 NAC with FortiGate-FortiSwitch-FortiClient. Otherwise you cannot perform isolation at the L2 level, but at the L3 level only (via FGT and tags). That's the main difference from FortiNAC, which does L2 isolation at the switch level with any switch brand.

AEK
ebilcari
Staff

FNAC integration with EMS is treated as an MDM integration and is mainly used to facilitate the host registration process and to check the compliant or compromised status of the host. If the host status is not compliant, a policy can be applied to isolate the host at the L2 level (VLAN switching); more info in the guide, pages 10-11.

[Image: host-mdm.PNG]

The PA is more flexible and offers a wide variety of options; you can read more about the Scan options in this section of the admin guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
ndumaj
Staff

Hello @tagayev 

As Emirjon explained, I would go with Persistent Agent.
Persistent Agent and FortiNAC speak the same language; they can be upgraded at the same time when you have to do that. Also, with Persistent Agent we can cover so many features that cannot be included in FCT.

The most important thing is there is no need for an extra license.

BR

- Happy to help, hit like and accept the solution -
Sx11
Staff

Hello tagayev,

If you already have an existing EMS environment, then that is enough for FortiNAC to register MDM-compliant endpoints and move them to the correct VLAN.

In this case the compliance part is covered by EMS itself, where you use the Endpoint profiles to apply your corporate restrictions and compliance checks.

FortiNAC in this case will benefit from the fast process of Host Registration, since it gets this info directly from EMS.

 

Both FortiClient and Persistent Agent are similar in that they can register hosts automatically and can collect application inventory. However, the best solution in terms of security is to use both the MDM solution (which you already have) and, additionally, the custom scans and scheduled scans provided by the Persistent Agent.

They will complement each other in different areas of endpoint security posture.

 

Scan options for Persistent Agent: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/92047/add-or-modify-a-scan

Scan categories: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/241076/scan-categories

Custom scan use case: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/605737/use-case

Advanced scans (chaining scans): https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/370093/chaining-configurati...

 

sx11
tagayev
New Contributor II

@ebilcari @ndumaj @Sx11 thank you very much for your prompt replies.

ndumaj

Dear @tagayev 

Thank you for your feedback,
It was a pleasure to assist you!

BR

- Happy to help, hit like and accept the solution -