FortiNAC Agent Types and Scan Controls

Questions and Answers

What are some tasks that FortiNAC agents can perform?

Endpoint compliance, Device registration, Passive agent installation

Software inventory collection, User authentication, Message pop-up display

Supplicant configuration installation, Mobile agent integration, Message pop-up display

Device registration, Endpoint compliance, User authentication (correct)

Which type of agent is installed on the host and remains to scan the computer as needed?

Persistent agent (correct)

Dissolvable agent

Passive agent

Mobile agent

What is the purpose of endpoint compliance in network security?

To install software inventory collection tools

To determine the mobile agent's location

To install a supplicant configuration for secure network access

To ensure hosts comply with network usage requirements (correct)

What action does the dissolvable agent take after the host has passed the security scan?

Removes itself from the host

Which of the following is NOT one of the main types of FortiNAC agents?

Translucent agent

What should be determined as the first step when implementing endpoint compliance?

Determining which type of agent to use

What type of information can be viewed in the zero-trust tag monitor?

Date and time FortiClient-EMS added the endpoint to the dynamic group

What does FortiClient-EMS do with dynamic groups based on zero-trust tags?

Syncs with FortiGate to grant or deny network access

How can you monitor FortiClient endpoint information on FortiGate?

By clicking on the endpoint name in Endpoints, All Endpoints

What signifies at-risk endpoints in FortiNAC?

A red plus icon

What information can be accessed by using the diagnose endpoint record list command?

Vulnerability status and device position relative to FortiGate

How can you determine the reason for a failed compliance on an endpoint in FortiNAC?

'Right-clicking' the host and checking Host Health

What is one thing the passive agent can do?

Verify hotfix, service, registry, file

Where can you access the passive agent rules?

From the Security Configuration, Passive Agent view

What is a limitation of the mobile agent?

Does not support custom scans

How often does the persistent agent communicate back to the FortiNAC server?

Every 15 minutes

What is a key aspect of Mobile Device Management (MDM) integration with FortiNAC?

Synchronize known hosts with an MDM

Which MDM solution is NOT among the supported vendors for integration with FortiNAC?

FortiSwitch

What action does the passive agent take when a user connects to the network and logs in?

Registers the user and associated host in FortiNAC

Which endpoint does the persistent agent scan for compliance?

'Hosts' associated with network users

What kind of SSL certificate is required for the mobile agent?

Valid SSL certificate

How can you create a passive agent configuration that applies to all domain group members?

Leave the checkbox empty

What type of agent is deployed using login scripts and launched when the user logs in to the domain?

Passive agent

Which agent offers scanning without end-user interaction and can be used for automatic registration?

Passive agent

Where is the mobile agent typically installed on?

Android devices

Which agent can work within the context of FortiNAC VPN integration?

Persistent agent

What is required if using version 3.x or higher of the FortiNAC persistent agent?

Valid SSL certificate

How are administrative templates used in configuring the passive agent?

Configured on the domain controller

The passive agent registers and scans endpoints that are joined to a domain when a domain user does what?

Logs in

Which type of agents are normally deployed from within the captive portal environment during endpoint onboarding?

"EXE, DMG, DEB, and RPM" types

Where are the administrative templates installed for configuring the persistent agents when deployed by group policy?

"Active Directory" for agent configuration

What must be executed on Linux systems for configuring values related to persistent agents?

Bash scripts

What must endpoint users do to disconnect from FortiClient-EMS?

Enter a password provided by the administrator

What is the purpose of integrating FortiNAC with FortiClient-EMS?

To speed up the registration process of devices

How does FortiNAC handle rogue mobile devices without FortiClient installed?

Redirects them to a captive portal to download FortiClient

What type of data does FortiClient-EMS send to FortiNAC when a registered device is detected?

Device type, operating system, user, host name, and compliance status

What does the Endpoint Compliance Configuration field in FortiNAC allow the user to define?

The type of scan and agents used to assess compliance

In the example shown, what is the name of the policy associated with the User and/or Host Profile in FortiNAC?

Domain-Connected-PA

How can installed application information be collected to enhance endpoint visibility in FortiNAC?

Through integration with MDMs or FortiNAC agent technology

What type of agent is available for Windows, Mac OS X, and Linux operating systems in FortiNAC?

FortiNAC Persistent Agent

In FortiNAC, what action is taken if Jailbreak Detection is selected for an iOS device?

The device is checked for jailbreak status.

In FortiNAC's Scan Creation, what does the Renew IP option do?

Initiates a release and renewal of the host IP-address.

What does the Failure remediation option in FortiNAC do when a scan fails?

Moves the host to the quarantine isolation network immediately.

Which agent type in FortiNAC is available for Android operating system?

FortiNAC Mobile Agent

What occurs when setting Root Detection in FortiNAC for an Android device?

Determining if the device has been rooted.

When does FortiNAC perform a policy validation scan based on the Scan Settings options?

Each time a host’s state changes from offline to online.

In FortiNAC's Custom Scan Creation, under what field can you select policy requirements by category for Windows hosts?

'Category' field

What action does 'Audit Only' remediation option take when a scan fails in FortiNAC?

'Delayed' moving to quarantine if failure is not addressed.

When should the 'Do not Register, Remediate' option be used in FortiNAC's Agent Order of Operations?

'Scan before Registering' scans are disabled.

What criteria does FortiClient check to validate the server certificate received from FortiClient-EMS?

Expiry date and CA root certificate in the chain

What process does FortiClient-EMS use to dynamically group endpoints based on zero-trust tagging rules?

Telemetry analysis

In the context of SSL certificates, what does FortiClient do if the EMS server certificate is invalid?

Rejects the connection immediately

What action can be taken if endpoint users want to disconnect from FortiClient-EMS according to the configuration options?

Use a password provided by an administrator

Which component sends zero-trust tagging rules to the endpoint for validation?

FortiClient-EMS

What settings can be configured in Endpoint Profiles, System Settings on FortiClient-EMS to prevent users from disconnecting?

Require Password to Disconnect from EMS

What protocol is used for the connection between FortiClient and FortiClient-EMS?

TCP and TLS 1.3

How does FortiOS utilize dynamic endpoint groups received from FortiClient-EMS?

To enforce firewall policies

What happens if the certificate issuer or root certificate in the chain is not from a publicly trusted CA?

'The certificate is considered invalid'

What security feature can be enabled in FortiClient-EMS to prevent endpoint users from disconnecting?

Require Password to Disconnect from EMS

Study Notes

FortiNAC Agents

• FortiNAC agents facilitate tasks like security scanning, policy enforcement, and endpoint registration within a network.
• A persistent agent is installed on the host and conducts ongoing security scans as needed.
• Key functionalities of a passive agent include registering devices on network login and scanning endpoints without user interaction.

Endpoint Compliance in Network Security

• Endpoint compliance ensures devices meet security policies before accessing network resources.
• The first step in implementing endpoint compliance is to define the security policies relevant to the organization.

Agent Types and Functions

• Dissolvable agents perform security scans and then remove themselves after verifying compliance.
• The mobile agent is typically installed on mobile devices and must have a specific SSL certificate.
• The persistent agent communicates back to the FortiNAC server at configurable intervals.

Monitoring and Management

• The zero-trust tag monitor provides insights into endpoint status, assessing compliance and security risks.
• FortiClient-EMS dynamically manages groups based on zero-trust tagging, optimizing endpoint visibility.
• FortiGate can monitor FortiClient endpoint information through diagnostic commands, enhancing oversight.

Compliance and Security Measures

• At-risk endpoints in FortiNAC are indicated by specific alerts, highlighting potential security concerns.
• Drilling down into endpoint records can reveal compliance failure reasons, aiding remediation efforts.
• Administrative templates for passive agents are installed in the FortiNAC framework for easier management and configuration.

Integration with FortiClient-EMS

• FortiNAC integrates with FortiClient-EMS to strengthen endpoint security, providing enhanced visibility and control.
• To disconnect from FortiClient-EMS, endpoint users must follow specific procedures configured by the administrator.
• In FortiNAC's control mechanisms, the SSL certificate validation process is critical for ensuring secure communications.

Device Specifics and Policies

• Various agent types are available for multiple operating systems, including Windows, Mac OS X, and Linux.
• Jailbreak detection for iOS and root detection for Android is facilitated to enhance security by preventing unauthorized access.

Scanning and Remediation

• The “Renew IP” function in scan settings helps refresh IP assignments for hosts during scanning processes.
• Failure remediation options in FortiNAC dictate the course of action when a compliance scan does not meet policy requirements.
• The “Audit Only” option allows tracking of compliance scores without initiating remedial actions.

User Controls and Preventative Measures

• FortiNAC can be configured to prevent endpoint users from disconnecting during critical monitoring phases.
• Unique settings within Endpoint Profiles on FortiClient-EMS dictate user access and disconnection protocols for devices.

Endpoint Management and Reporting

• Comprehensive visibility into installed applications enhances endpoint management capabilities through FortiNAC.
• When a device's security assurance is inadequate (e.g., an invalid SSL certificate), FortiClient will react based on predefined settings, ensuring continuous protection.

Description

Test your knowledge on FortiNAC Agent types, Advanced Scan Controls, and the Collect Application Inventory option. Learn about the actions that can be taken based on scan results and how to specify agent types for hosts in isolation captive portal.