Hello Fortinet Community,
I'm seeking advice on the best approach to secure our network. Our goal is to allow access only to domain-joined PCs and implement compliance checks.
We currently have FortiClient installed on all user devices, and I’m trying to determine if we also need the FortiNAC Persistent Agent, or if integrating FortiNAC with EMS would be sufficient.
Is there a comparison matrix available that highlights the features of the Persistent Agent and FortiClient specifically related to FortiNAC?
Any insights or best practices would be greatly appreciated.
Thank you!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
FNAC integration with EMS is treated as an MDM integration and mainly is used to facilitate the host registration process and checking the compliant or compromised status of the host. If the host status is not compliant a policy can be applied to isolate the host at L2 level (VLAN switching), more info on the guide page 10-11.
The PA is more flexible and offers a wide variety of options, you can read more about the Scan options in this section of the admin guide.
Hello @tagayev
As Emirjon explained, I would go with Persistent Agent.
Persistent Agent and FortiNAC speak the same language, they can be upgraded at the same time when you have to do that. Also with Persistent Agent, we can cover, so many features that cannot be included in FCT.
The most important thing is there is no need for an extra license.
BR
Hello tagayev,
if you already have an existing EMS environment then that is enough for FortiNAC to register MDM compliant endpoints and move the to the correct VLAN.
In this case the compliance part is covered by EMS itself where you use the Endpoint profiles to apply your Corporate restriction and compliance checks.
FortiNAC in this case will benefit in the fast process of Host Registration since it gets this info directly from EMS.
Both FortiClient and Persistent Agent are similar in the aspect that they can register hosts automatically and can collect application inventory. However the best solution in terms of security is to use both the MDM solution (which you already have) and additionally have custom scans and scheduled scans provided by the persistent agent.
They will complement each-other in different areas of endpoint security posture.
Scan options for Persistent Agent: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/92047/add-or-modify-a-scan
Scan categories: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/241076/scan-categories
Custom scan use case: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/605737/use-case
Advanced scans (chaining scans): https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/370093/chaining-configurati...
Hello Tagayev
In case you have FortiSwitch then you can use L2 NAC with FortiGate-FortiSwitch-Forticlient. Otherwise you cannot perform isolation at L2 level, but at L3 level only (via FGT and tags). That's the main difference with FortiNAC that does L2 isolation at switch level with any switch brand.
FNAC integration with EMS is treated as an MDM integration and mainly is used to facilitate the host registration process and checking the compliant or compromised status of the host. If the host status is not compliant a policy can be applied to isolate the host at L2 level (VLAN switching), more info on the guide page 10-11.
The PA is more flexible and offers a wide variety of options, you can read more about the Scan options in this section of the admin guide.
Hello @tagayev
As Emirjon explained, I would go with Persistent Agent.
Persistent Agent and FortiNAC speak the same language, they can be upgraded at the same time when you have to do that. Also with Persistent Agent, we can cover, so many features that cannot be included in FCT.
The most important thing is there is no need for an extra license.
BR
Hello tagayev,
if you already have an existing EMS environment then that is enough for FortiNAC to register MDM compliant endpoints and move the to the correct VLAN.
In this case the compliance part is covered by EMS itself where you use the Endpoint profiles to apply your Corporate restriction and compliance checks.
FortiNAC in this case will benefit in the fast process of Host Registration since it gets this info directly from EMS.
Both FortiClient and Persistent Agent are similar in the aspect that they can register hosts automatically and can collect application inventory. However the best solution in terms of security is to use both the MDM solution (which you already have) and additionally have custom scans and scheduled scans provided by the persistent agent.
They will complement each-other in different areas of endpoint security posture.
Scan options for Persistent Agent: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/92047/add-or-modify-a-scan
Scan categories: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/241076/scan-categories
Custom scan use case: https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/605737/use-case
Advanced scans (chaining scans): https://docs.fortinet.com/document/fortinac-f/7.4.0/administration-guide/370093/chaining-configurati...
Dear @tagayev
Thank you for your feedback,
It was a pleasure to assist you!
BR
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1561 | |
1034 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.