Support Forum
Jucker
New Contributor III

FortiNAC Need help on Persistent Agent Rescan Safe/At Risk state

Hello,

I'm still new to FortiNAC. I did configure the endpoint compliance scheduled rescan to run every 2 minutes (for testing). When I disable a specific service on the machine, the rescan does not mark the host as At Risk, and vice versa with the Safe state, even though the event shows it does trigger the scan. When I do a scan host manually, it detects the service being down or up.

[Screenshot: Fortinac Rescan.JPG]

My Endpoint Compliance policies are as below:

ECP-AtRisk: Host Security Status: At-Risk AND Type: Registered Host or Device

ECP-Rescan-Safe: Host Security Status: Safe AND Type: Registered Host or Device

The scheduled rescan:

[Screenshot: Fortinac Rscan.JPG]

Thank you!

Regards!

ebilcari
Staff

If you go to Hosts, find the test host, and right-click "Policy Details". In the Endpoint Compliance tab, do you see "OS-Win10-check" as the Scan Name?

[Screenshot: scan name.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Jucker
New Contributor III

Yes, I do see it. If I perform the scan host manually, it does check the compliance and switches the VLAN.

ebilcari (Accepted solution)

I tested the same in my lab, and it looks like 2 minutes is set too aggressively (it may not even be possible for the result to get back to FNAC in such a short period). You can test it with 15 minutes at least. You should check the events named "Security Risk Host" and "Host Passed Security Test"; these will show you the actual scan performed.

[Screenshot: skan.PNG]

- Emirjon
Jucker
New Contributor III

Thank you for your response, and sorry for being late. That makes sense; I'll try 15 min as the rescan timer.

Please, is it supported to use a delayed scan only for the signature update of a specific antivirus? Like:

Check Win10-OS; if the scan fails, remediate -> Remediation VLAN

-> On success, perform the Symantec antivirus scan, which is a profile separate from Win10-OS, but only for the signature if it is not up to date, with the enforcement delayed by 2 days; if Symantec antivirus is not installed, remediate immediately.

Thanks and Regards!

ebilcari

There is this feature that allows matching the signature with a buffer from 1 to 3 weeks:

[Screenshot: week.PNG]

https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/67789/auto-definition-updates

- Emirjon