Is there any sample of an initial endpoint policy for NAC-F? I just want to see what a very simple basic initial policy looks like. Assuming this would be some sort of posture check? What is the most common policy type that is being used for a simple deployment? Thanks,
As a start you have to deploy the agent (usually for enterprise networks) as shown in the PA deployment guide. After making sure that the agent can communicate with FNAC, you can create Scans and include them in an Endpoint Compliance Policy. Usually the Scan contains checks related to Antivirus and the OS having the latest updates, but many other options are available.
@ebilcari When you say agent can this be company devices which are already managed by EMS? Would this cancel out any requirement for additional agent to be installed on the endpoint?
This is a use case provided in Fortinet Docs: https://docs.fortinet.com/document/fortinac-f/7.6.0/administration-guide/605737/use-case
You can test something similar for another application or process.
For an initial endpoint policy in FortiNAC, a common and simple policy type used for a basic deployment is typically a posture check policy. This policy would involve checking basic security requirements such as antivirus presence, firewall status, and operating system updates. A sample initial endpoint policy could include criteria like antivirus software installed, firewall enabled, and OS patches up to date. This basic posture check helps ensure that devices connecting to the network meet minimum security standards before being granted access.
do we need to install agent or can I just use existing FortiClient / EMS?
Created on 12-05-2024 12:05 AM Edited on 12-05-2024 12:39 AM
Endpoint compliance in FortiNAC works only with persistent agent.
However, you can use EMS integration to register compliant hosts. In that case you will not use endpoint compliance policies in FortiNAC, since the compliance is done by EMS. FortiNAC simply receives the information from EMS that the endpoint is compliant or not and then enforces control.
So yes, you can use the existing FortiClient/EMS integration with FortiNAC to enforce control for endpoints deemed compliant in EMS.
Check this for a comparison: https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-Persistent-Agent-comparison-to-FortiClien...
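A concrete sketch of the decision logic this thread describes: a basic initial Scan (antivirus present, firewall on, OS updates recent) wrapped in a compliance policy, with the EMS verdict taking precedence for EMS-managed hosts and hosts without a persistent agent isolated. This is an added example, not FortiNAC code or its API; the field names, the 30-day patch threshold and the sample hosts are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed threshold for "OS has the latest updates"; not a FortiNAC default.
MAX_PATCH_AGE = timedelta(days=30)


@dataclass
class HostPosture:
    hostname: str
    agent_present: bool                 # persistent agent installed and talking to FortiNAC
    ems_verdict: Optional[bool] = None  # True/False received from EMS, None if not EMS-managed
    antivirus_installed: bool = False
    firewall_enabled: bool = False
    last_os_patch: Optional[date] = None


def run_scan(host: HostPosture, today: date) -> list:
    """Basic initial Scan: return the names of failed checks (empty list means pass)."""
    failures = []
    if not host.antivirus_installed:
        failures.append("antivirus")
    if not host.firewall_enabled:
        failures.append("firewall")
    if host.last_os_patch is None or today - host.last_os_patch > MAX_PATCH_AGE:
        failures.append("os-updates")
    return failures


def evaluate(host: HostPosture, today: date) -> tuple:
    """Return (action, reason): EMS verdict wins, else the agent scan, else isolate."""
    if host.ems_verdict is not None:
        return ("allow" if host.ems_verdict else "isolate", "ems")
    if not host.agent_present:
        return ("isolate", "no-agent")
    failures = run_scan(host, today)
    if failures:
        return ("isolate", "scan-fail:" + ",".join(failures))
    return ("allow", "scan-pass")


# Constructed sample hosts and reference date (not real data).
TODAY = date(2024, 12, 5)
SAMPLE_HOSTS = [
    HostPosture("lap-01", True, None, True, True, date(2024, 11, 20)),   # agent, all checks pass
    HostPosture("lap-02", True, None, True, False, date(2024, 9, 1)),    # agent, firewall off, stale OS
    HostPosture("ems-03", False, True),                                  # no agent, EMS says compliant
    HostPosture("byod-04", False, None),                                 # no agent, no EMS: isolate
]
```

Each host evaluates to an action plus the reason FortiNAC-style enforcement would log, which is the part worth looking at when deciding whether a first policy should rely on Scans or on the EMS verdict.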