New to FortiNAC, so very low knowledge of it right now. We recently upgraded our appliance and went from a physical server to a virtual one. Some names of the actual server got changed, and while everything looks good for the most part, no client I look up shows that it has the Persistent Agent. I went into the logs and it looks like it is trying to reach out to the old FortiNAC server and not the new one. It has the most recent agent but is not looking for the new server. I've changed the DNS records of bradford_tcp and bradford_udp to the new server and still no luck. Are there any other places I need to make changes to point my clients to the new server?
Check the below registry value.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent
homeServer (SZ): fortinac.yourdomain.com
Make sure it points to the right FQDN or IP of your NAC server.
You can follow the verification steps shown in this article. Make sure the 'Persistent Agent' certificate uploaded in the new FNAC includes the new domain.
If the registry entry on the end hosts shows the old domain in 'Last Connected Server', that may take precedence temporarily as long as the old server still responds to the requests; more details on page 11. If the old server is taken offline, then the discovery process will be triggered.
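The following PowerShell script is an added example for the check described in this reply; it is not from the thread or from Fortinet. It reads the Persistent Agent policy key given above, resolves the agent's DNS SRV records, warns when the registry values do not match any SRV target, and pulls recent log lines that mention either server name. The value name `LastConnectedServer`, the SRV record names, the log directory and the two hostnames are assumptions; substitute what your registry, DNS zone and log folder actually contain.

```powershell
# Added example (not from the original thread): inspect where a Windows host's
# Persistent Agent is being told to connect. Run in an elevated PowerShell on the client.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Bradford Networks\Persistent Agent'   # key named in the reply
$Domain    = 'yourdomain.com'                                                # assumption: your DNS zone
$OldServer = 'oldnac.yourdomain.com'                                         # assumption: retired FNAC name
$NewServer = 'fortinac.yourdomain.com'                                       # assumption: new FNAC name
$LogDir    = 'C:\ProgramData\Bradford Networks'                              # assumption: agent log folder

# Assumption: the SRV record names; the thread only calls them bradford_tcp and bradford_udp.
$SrvRecords = @("_bradford-tcp._tcp.$Domain", "_bradford-udp._udp.$Domain")

function Get-PaRegistryServers {
    # 'homeServer' is named in the reply; 'LastConnectedServer' is an assumption for the
    # 'Last Connected Server' value it refers to. Check regedit for the exact name.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $props = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        HomeServer          = $props.homeServer
        LastConnectedServer = $props.LastConnectedServer
    }
}

function Resolve-PaSrvTargets {
    # Resolve each SRV record and keep only the SRV answers (Resolve-DnsName may add A records).
    foreach ($name in $SrvRecords) {
        try {
            Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' } |
                Select-Object @{ n = 'Record'; e = { $name } }, NameTarget, Port, Priority, Weight
        } catch {
            [pscustomobject]@{ Record = $name; NameTarget = $null; Port = $null; Priority = $null; Weight = $null
                               Error = $_.Exception.Message }
        }
    }
}

function Find-PaLogServerRefs {
    # Grep the agent logs for either hostname; the last 20 hits show which server it is trying now.
    param([string[]]$Servers)
    $pattern = ($Servers | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ChildItem -Path $LogDir -Recurse -Include *.log -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        Select-Object -Last 20 Filename, LineNumber, Line
}

$reg = Get-RaRegistryServersSafe = $null
$reg = Get-PaRegistryServers
$srv = Resolve-PaSrvTargets

'--- Registry ---';   $reg | Format-List
'--- DNS SRV ---';    $srv | Format-Table -AutoSize
'--- Log hits ---';   Find-PaLogServerRefs -Servers @($OldServer, $NewServer) | Format-Table -AutoSize

# Flag registry values that name a server none of the SRV records point at.
$targets = $srv | Where-Object { $_.NameTarget } | ForEach-Object { $_.NameTarget.TrimEnd('.') }
foreach ($v in 'HomeServer', 'LastConnectedServer') {
    $val = if ($reg) { $reg.$v } else { $null }
    if ($val -and ($targets -notcontains $val.TrimEnd('.'))) {
        Write-Warning "$v = '$val' does not match any SRV target ($($targets -join ', '))"
    }
}
```

If the SRV section resolves to the new server but the log hits still name the old one, the agent is using a cached or locally configured server rather than discovery, which is what the reply above describes for 'Last Connected Server'.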
This looks exactly how I have it. Everything in DNS is there, and an nslookup from my machine shows the correct server and name. However, when I restart the FortiNAC agent and look at the C:\ProgramData\Bradford Networks/general logs, it's not pointed to the same server; it's still trying to connect to the old retired server.
Have you checked the registry editor output? Which domain is listed in 'Last Connected Server'? I have edited/added some more information in my previous reply.
'Last Connected Server' is the old server, and I edited the home server to the new FQDN, and the logs show it's still trying the old server, which is strange to me. Almost like it's ignoring my changes. Is it possible to completely delete the old registry settings and restart?
For testing, on one of the end hosts you can try to manually stop the agent service, change the registry attributes (empty all the domains) and then start the agent service again.
The registry settings can also be applied via GPO from the DC; verify that it is not actively pushing the old domain.
If you can isolate the communication with the old FNAC (from a third-party firewall), the agent will be forced to discover other available FNAC servers in the network.
Also check in both FNAC servers if 'Require Connected Adapter' or 'Allowed IP Subnets' are configured:
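The reset-and-GPO check from this reply, as an added PowerShell example that is not part of the thread or of Fortinet's documentation. It exports the policy key for rollback, stops the agent service, empties the server values, restarts the service, and then forces a Group Policy refresh to see whether the old name comes back. The key path shown earlier sits under HKLM\SOFTWARE\Policies, which is where Group Policy writes registry-based settings, so a manual edit there will be overwritten at the next refresh if a GPO still carries the old domain. The service is located by display name, and the value name `LastConnectedServer` is an assumption; confirm both on your host before running this.

```powershell
# Added example (not from the original thread): reset the Persistent Agent's cached server
# values on one Windows test host, then test whether Group Policy re-applies them.
# Run elevated. Roll back with: reg import <backup file>.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Bradford Networks\Persistent Agent'
$RegExePath = 'HKLM\SOFTWARE\Policies\Bradford Networks\Persistent Agent'   # same key, reg.exe syntax
$ServerVals = @('homeServer', 'LastConnectedServer')   # assumption: names of the values the reply describes
$Backup     = "$env:TEMP\PersistentAgent-$(Get-Date -Format yyyyMMdd-HHmmss).reg"

function Get-PaService {
    # Assumption: the agent's service display name contains 'Persistent Agent'.
    Get-Service | Where-Object { $_.DisplayName -like '*Persistent Agent*' } | Select-Object -First 1
}

function Reset-PaServerValues {
    $svc = Get-PaService
    if (-not $svc) { throw 'Persistent Agent service not found; check Get-Service output.' }

    # Export first so the change can be undone with 'reg import'.
    & reg.exe export $RegExePath $Backup /y | Out-Null
    "Backup written to $Backup"

    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

    # Empty (rather than delete) the server values, as the reply suggests, so the
    # agent falls back to DNS SRV discovery on start.
    foreach ($v in $ServerVals) {
        if ($null -ne (Get-ItemProperty -Path $PolicyKey -Name $v -ErrorAction SilentlyContinue)) {
            Set-ItemProperty -Path $PolicyKey -Name $v -Value ''
        }
    }

    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    Get-ItemProperty -Path $PolicyKey | Select-Object $ServerVals
}

function Test-PaGpoRewrite {
    # Force a computer-scope policy refresh and compare the values before and after.
    # If the old domain reappears, a GPO is still pushing it and must be fixed on the DC.
    $before = Get-ItemProperty -Path $PolicyKey
    & gpupdate.exe /target:computer /force | Out-Null
    $after  = Get-ItemProperty -Path $PolicyKey
    foreach ($v in $ServerVals) {
        [pscustomobject]@{ Value = $v; BeforeRefresh = $before.$v; AfterRefresh = $after.$v }
    }
}

function Find-PaPolicySource {
    # gpresult /v lists Administrative Template registry settings per applied GPO (KeyName/ValueName).
    # Registry items delivered as Group Policy Preferences are not shown here; use
    # 'gpresult /h report.html' and search the report for 'Bradford' in that case.
    $rsop = & gpresult.exe /scope computer /v 2>&1
    $hits = $rsop | Select-String -Pattern 'Bradford Networks' -Context 3, 1
    if ($hits) { $hits } else { 'No Bradford Networks setting reported by gpresult /v.' }
}

Reset-PaServerValues
Test-PaGpoRewrite | Format-Table -AutoSize
Find-PaPolicySource
```

Do this on a single test host first. If `Test-PaGpoRewrite` shows the old name back in `AfterRefresh`, the DC is the place to fix; if the values stay empty and the agent still logs the old server, look at what the SRV records and the agent's own discovery return, as in the earlier reply.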
So I had that question myself. Currently that box is checked, but no subnets are in that area. Would I need to put in all my subnets, or would unchecking that box allow any connections from my domain? I have 46 different sites with all different subnets; would I need to enter them all here?
That option (disabled by default) means that FNAC will keep PA connections only from hosts that are connected to one of the network devices managed by that FNAC. So after the PA connects to an FNAC that doesn't see that host as connected, it will trigger a disconnect.
During the migration phase you can choose to disable this feature. Also, if there aren't multiple FNAC pods in the network, this is not needed.
OK, found this: I cleared all lines in regedit to make it search for one, and it still finds the old retired server. I've removed it from DNS and manually from the registry. Where could it possibly be finding this location from if this server is retired?
Copyright 2024 Fortinet, Inc. All Rights Reserved.