Akmostafa
New Contributor III

FNAC persistent agent deployments

Hello team,

I have some points regarding persistence agent deployments:

1- Is a DNS record mandatory, or is there a way to configure the agent to reach FNAC via its IP?

2- I understand that when registering an endpoint as a host, the device is tied to a user, whereas as a "device" it is not, so why do we need "authentication" when choosing "register as device" under System > Persistent Agent > Credential Management?

 

AEK
SuperUser

Hi Mostafa

The PA needs you to define the FNAC FQDN in the variable below.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent
 homeServer (SZ): fortinac.yourdomain.com

I didn't try to define it with an IP address, but I guess it should work.

So if it is defined as an FQDN, then you either need to create a DNS A record for fortinac.yourdomain.com, or I guess you can also define it in the Windows /etc/hosts file (which is not such a good solution).

For your second question, if I'm not wrong, the "register as device" setting for the PA is overridden by the authentication policy (Global Authentication Convention).

 

AEK
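As an added illustration (this is not code from the thread or from Fortinet), the following PowerShell sets the homeServer policy value under the key named in the post on a single test host and then checks that the FQDN resolves to an A record, which is the check you want before trusting that the agent can find FNAC on the production VLAN. The key path, the value name and its REG_SZ type are as given above; the FQDN is a placeholder to replace with your own, and the function names and the decision to create the key if a GPO has not yet created it are my own assumptions.

```powershell
# Added example: configure and verify the Persistent Agent homeServer value.
# Run elevated on a lab host. In production the thread recommends pushing this
# value through the GPO template rather than editing the registry by hand.
param(
    # Placeholder FQDN (assumption): replace with your FortiNAC's real name.
    [string]$NacFqdn = 'fortinac.yourdomain.com'
)

# Policy key and value name exactly as given in the post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Bradford Networks\Persistent Agent'

function Set-PaHomeServer {
    param([string]$Fqdn)
    # Create the key if no GPO has created it yet (lab/test use).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # homeServer is a REG_SZ (String) value.
    New-ItemProperty -Path $PolicyKey -Name 'homeServer' -Value $Fqdn `
        -PropertyType String -Force | Out-Null
}

function Get-PaHomeServer {
    # Returns $null instead of throwing when the key or value is absent.
    (Get-ItemProperty -Path $PolicyKey -Name 'homeServer' `
        -ErrorAction SilentlyContinue).homeServer
}

function Test-PaHomeServerDns {
    param([string]$Fqdn)
    # A record lookup only, using the resolver the host is currently on.
    # If this fails on the production VLAN, a correct registry value does not
    # help: the agent still has no address to connect to.
    try {
        $answers = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
        if ($answers) {
            $ips = ($answers | ForEach-Object { $_.IPAddress }) -join ', '
            Write-Output "OK: $Fqdn -> $ips"
            return $true
        }
        Write-Output "FAIL: $Fqdn returned no A record"
        return $false
    } catch {
        Write-Output "FAIL: $Fqdn did not resolve: $($_.Exception.Message)"
        return $false
    }
}

Set-PaHomeServer -Fqdn $NacFqdn
$configured = Get-PaHomeServer
Write-Output "homeServer in registry: $configured"
[void](Test-PaHomeServerDns -Fqdn $configured)
```

Running this on a host sitting in the isolation VLAN and again after it moves to production is a quick way to see the point made later in the thread: the registry value stays the same, but only the production DNS answer tells you whether the agent can actually reach FNAC there.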
Akmostafa
New Contributor III

Hi AEK, thanks for replying.

So, is editing the registry the only way to specify the Hostname/IP?

What if I configured primary host name and secondary hostname from the agent properties on FortiNAC, would this cause the downloaded agents to be preconfigured with the NAC hostname?

 

Properties | FortiNAC 9.4.0 | Fortinet Document Library

 

Also, do you have any idea how to change the transport to UDP? I could not find where to change that under transport settings.

 

Transport configurations | FortiNAC 9.4.0 | Fortinet Document Library

 

AEK

Hi Mostafa

 

In a normal deployment you should not edit the registry; you should deploy the PA with a GPO, and this will push the registry values to all your corporate hosts as well.

Editing the registry is just for testing one agent in your lab.

 

What if I configured primary host name and secondary hostname from the agent properties on FortiNAC, would this cause the downloaded agents to be preconfigured with the NAC hostname?

 -> Honestly, I don't remember if I have used this section before, and I don't know what it is used for.

 

UDP for the agent is not supported anymore because it is not secure; it was dropped 2 or 3 years ago. I've read it somewhere in the official docs but don't remember where, sorry.

AEK
ebilcari

The agent installation file can't be customized to include FNAC's IP. The changes need to be pushed via the GPO template or the registry editor (via GPO or scripts) to the end hosts.

Another way is the DNS SRV records, which are needed only for production networks. If the host is in isolation, FNAC will handle it via its built-in DNS server (no extra configuration needed).

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Akmostafa
New Contributor III

Hi Emirjon,

You mentioned the case of a host in an isolation network.

In such a case, is it mandatory for the host to download the agent from the captive portal, and would an Endpoint Compliance Policy be necessary prior to the registration?

 

And could you please advise regarding my second question:

 

2- I understand that when registering an endpoint as a host, the device is tied to a user, whereas as a "device" it is not, so why do we need "authentication" when choosing "register as device" under System > Persistent Agent > Credential Management?

ebilcari

That depends on the Endpoint compliance policy, Scan configurations [Agent Order of Operations:]:

[screenshot: scan-register.PNG]

If there is no matching EPC, the host can also be registered without scanning.

I was referring to the case where the agent needs to find and reach FNAC while the host is in isolation: the DHCP/DNS provided by FNAC will point the agent to FNAC (out of the box).

 

Authentication type is shown as a drop down but it will not be used when [Register As Device] is selected. The host entry will contain only the "Host Name" and an empty "Registered To" value.

[screenshot: register.PNG]

- Emirjon
Akmostafa
New Contributor III

Thanks Emirjon for the clarification, I am one step closer to removing my confusion regarding this subject.

 

You mentioned that in case the client in an isolation network, FortiNAC will be handling the SRV record resolution. 

After successful registration, when the client moves to the production network, would the name/IP of FortiNAC, as obtained in the isolation step, be saved in the Windows registry? I mean, do I still need to prepare my DNS in the production VLAN?

 

Secondly, regarding the existence of the EPC: is the EPC mandatory for the agent to be available within the captive portal or not? This is important for me to understand the workflow of FortiNAC registration.

(please see step 4 in the link below:

"1. FortiNAC matches the device with the appropriate Endpoint Compliance Policy (determines which agent type and version to distribute as well as which scan to run)")

 

Registration Use Cases: Personal Devices | FortiNAC-F 7.2.0 | Fortinet Document Library 

 

Finally, about the "register as device" point and the relevance of authentication in this case: the use case below involves a scenario with the "register as device" option checked and still relying on Active Directory for authentication, which brings me back to my confusion about whether authentication still takes place for device registration. So what is the difference between a device and a host?

 

Registration Use Cases: Company Assets | FortiNAC-F 7.2.0 | Fortinet Document Library

AEK

I always use an "A" DNS record in corporate DNS for the persistent agent, since the FQDN is installed in the client registry with GPO.

I find the SRV DNS record more suitable for the dissolvable agent (let's call it DA), since it doesn't have such a registry key.

Keep in mind it is more natural to use the PA for corporate clients and the DA for non-corporate clients, like contractors or guests. However, all the companies I know never use the DA for non-corporate clients because they find it intrusive to force a guest to install an agent on their host; they just drop them in a guest or contractor VLAN after portal authentication. So I think using the DA is not so common.

All the above is applicable for agents in the production VLAN, where the corporate DNS replies to any client's DNS query.

 

When a host exits from isolation to the production VLAN, it will not write the FNAC hostname/IP in the registry. The PA already has the FQDN in its registry from its first deployment (GPO), and the DA doesn't have such a registry key, since it uses the SRV DNS record.

 

Hope this clarifies things a bit more.

AEK
ebilcari (accepted solution)

Technically, the field "lastConnectedServer" in the registry will be populated for a host that had the agent running while isolated, but the DNS entries in the production DNS are still needed even for these hosts.

 

On the link you shared there are two scenarios. The first one technically replaces the registration through the portal and does it via the agent, more like a friendly UI for rogue hosts that have the agent previously installed. This will happen if there is no EPC configured.

 

The 2nd scenario shown in the guide, "(Persistent Agent installed via Captive Portal-Assumes network under enforcement)", assumes that there is an EPC that handles rogue hosts. It will automatically download the selected agent to the end host:

[screenshot: agent-down.PNG]

and then, as shown in the previous reply, based on the scan options it will remediate or register the host.

 

As far as I know, "Enable Registration" without "Register as Device" will try silent registration of the host to the currently logged-in user. If the currently logged-in user can't be found in the LDAP server, then the PA will pop up for credentials. Using "Register as Device" will register the host (without a user) regardless of the logged-in user, so no verification will happen with the authentication server. A passive agent rule can be added to populate the "Logged On User" field for this type of host, to be used later in UHP.

- Emirjon