Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tagayev
New Contributor II

Created on ‎08-18-2024 01:31 AM

FortiNAC Persistent Agent vs. FortiClient for Network Access Control

Hello Fortinet Community,

 

I'm seeking advice on the best approach to secure our network. Our goal is to allow access only to domain-joined PCs and implement compliance checks.

We currently have FortiClient installed on all user devices, and I’m trying to determine if we also need the FortiNAC Persistent Agent, or if integrating FortiNAC with EMS would be sufficient.

Is there a comparison matrix available that highlights the features of the Persistent Agent and FortiClient specifically related to FortiNAC?

Any insights or best practices would be greatly appreciated.

 

Thank you!

FortiNAC FortiClient 

1173
0 Kudos
3 Solutions
ebilcari
Staff
Staff

Created on ‎08-20-2024 01:20 AM

FNAC integration with EMS is treated as an MDM integration and mainly is used to facilitate the host registration process and checking the compliant or compromised status of the host. If the host status is not compliant a policy can be applied to isolate the host at L2 level (VLAN switching), more info on the guide page 10-11.

 

host-mdm.PNG

 

The PA is more flexible and offers a wide variety of options, you can read more about the Scan options in this section of the admin guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

1057
ndumaj
Staff
Staff

Created on ‎08-20-2024 07:56 AM

Hello @tagayev 

As Emirjon explained, I would go with Persistent Agent.
Persistent Agent and FortiNAC speak the same language, they can be upgraded at the same time when you have to do that. Also with Persistent Agent, we can cover, so many features that cannot be included in FCT.

The most important thing is there is no need for an extra license.

BR

- Happy to help, hit like and accept the solution -

View solution in original post

1031
Hatibi
Staff
Staff

Created on ‎08-20-2024 08:52 AM

Hello tagayev,

 

if you already have an existing EMS environment then that is enough for FortiNAC to register MDM compliant endpoints and move the to the correct VLAN.

In this case the compliance part is covered by EMS itself where you use the Endpoint profiles to apply your Corporate restriction and compliance checks.

FortiNAC in this case will benefit in the fast process of Host Registration since it gets this info directly from EMS.

 

Both FortiClient and Persistent Agent are similar in the aspect that they can register hosts automatically and can collect application inventory. However the best solution in terms of security is to use both the MDM solution (which you already have) and additionally have custom scans and scheduled scans provided by the persistent agent. 

They will complement each-other in different areas of endpoint security posture.

 

Scan options for Persistent Agent: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/92047/add-or-modify-a-scan

Scan categories: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/241076/scan-categories

Custom scan use casehttps://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/605737/use-case

Advanced scans (chaining scans)https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/370093/chaining-configurati...

 

View solution in original post

1012
0 Kudos
6 REPLIES 6
AEK
SuperUser
SuperUser

Created on ‎08-18-2024 04:23 AM

Hello Tagayev

In case you have FortiSwitch then you can use L2 NAC with FortiGate-FortiSwitch-Forticlient. Otherwise you cannot perform isolation at L2 level, but at L3 level only (via FGT and tags). That's the main difference with FortiNAC that does L2 isolation at switch level with any switch brand.

AEK
AEK
1150
ebilcari
Staff
Staff

Created on ‎08-20-2024 01:20 AM

FNAC integration with EMS is treated as an MDM integration and mainly is used to facilitate the host registration process and checking the compliant or compromised status of the host. If the host status is not compliant a policy can be applied to isolate the host at L2 level (VLAN switching), more info on the guide page 10-11.

 

host-mdm.PNG

 

The PA is more flexible and offers a wide variety of options, you can read more about the Scan options in this section of the admin guide.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1058
ndumaj
Staff
Staff

Created on ‎08-20-2024 07:56 AM

Hello @tagayev 

As Emirjon explained, I would go with Persistent Agent.
Persistent Agent and FortiNAC speak the same language, they can be upgraded at the same time when you have to do that. Also with Persistent Agent, we can cover, so many features that cannot be included in FCT.

The most important thing is there is no need for an extra license.

BR

- Happy to help, hit like and accept the solution -
1032
Hatibi
Staff
Staff

Created on ‎08-20-2024 08:52 AM

Hello tagayev,

 

if you already have an existing EMS environment then that is enough for FortiNAC to register MDM compliant endpoints and move the to the correct VLAN.

In this case the compliance part is covered by EMS itself where you use the Endpoint profiles to apply your Corporate restriction and compliance checks.

FortiNAC in this case will benefit in the fast process of Host Registration since it gets this info directly from EMS.

 

Both FortiClient and Persistent Agent are similar in the aspect that they can register hosts automatically and can collect application inventory. However the best solution in terms of security is to use both the MDM solution (which you already have) and additionally have custom scans and scheduled scans provided by the persistent agent. 

They will complement each-other in different areas of endpoint security posture.

 

Scan options for Persistent Agent: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/92047/add-or-modify-a-scan

Scan categories: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/241076/scan-categories

Custom scan use casehttps://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/605737/use-case

Advanced scans (chaining scans)https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/370093/chaining-configurati...

 

1013
0 Kudos
tagayev
New Contributor II

Created on ‎08-22-2024 02:11 AM

@ebilcari @ndumaj @Hatibi thank you very much for your prompt replies.

950
ndumaj
Staff
Staff
In response to tagayev

Created on ‎08-22-2024 02:14 AM

Dear @tagayev 

Thank you for your feedback,
It was a pleasure to assist you!

BR

- Happy to help, hit like and accept the solution -
942
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.