
FortiNAC - Manager Guide

Version F 7.2.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

March 10, 2023


FortiNAC F 7.2.0 Manager Guide
49-20-748677-20210922
TABLE OF CONTENTS

What's new in FortiNAC F 7.2.0 8


FortiNAC software re-versioning 8
Infrastructure upgrades 8
UI/UX/Workflow enhancements 10
UX/Policy enhancement backend 10
First time users 11
Requirements 12
FortiNAC Manager 13
Key features 13
Login procedure 13
Licenses 14
License count 14
Events and alarms 16
Licensing in a FortiNAC Manager environment 16
Manage guests in a FortiNAC Manager environment 17
Manage hosts in a FortiNAC Manager environment 18
Passwords 19
CLI/SSH passwords 19
Administrator passwords 20
Configuration (FNC-M-xx) 21
Configuration (FNC-MX-xx) 24
Dashboard 27
Terminology 27
Overview 28
Adding widgets 28
Widget Organization 29
System Summary 29
License Information 30
Alarms 30
Pending Tasks 31
Servers 32
Adding Servers 32
System Performance 33
Users 34
Administrators 35
Add an administrator 37
Modify an administrator 39
Delete an administrator 39
Copy an administrator 39
Modify an administrator profile 40
Administrator profiles 41
Default administrator profiles 42

FortiNAC F 7.2.0 Manager Guide 3


Fortinet Inc.
Permissions list 49
Add an administrator profile 55
Modify administrator profiles 59
Delete an administrator profile 60
Copy an administrator profile 60
Administrator profile mappings 60
Limit access with groups 64
Set privileges based on directory groups 65
Add administrators to groups 66
Group membership 67
Configure secure mode 67
User accounts 68
Navigation, menus, options, and buttons 70
Configure table columns and tooltips 72
Search settings 73
User properties 74
Modify a user 76
Delete a user 78
Add users to groups 78
Group membership 79
Guest accounts 80
Add a guest account 80
Portal page requirements 80
Guest account details 81
Set user expiration date 82
Guests & Contractors 83
Implementation 84
Guest & Contractor templates 85
Administrator profile 95
Add a guest manager profile 96
Add a guest kiosk profile 98
Add a guest self registration profile 99
Administrators 101
Add an administrator 101
Portal page setup 103
Printer settings for guest badges 105
Events and alarms 106
Accounts with sponsor privileges 106
Log in as a sponsor 106
Using a kiosk 108
Guest self registration 111
Locate 114
Network 116
Logical networks 116
Service Connectors 117
MDM services 121
Hosts 125
Hosts 125

Adapter View 145
Locate 150
Device profiling rules 152
Policy & Objects 166
Policy overview 167
Policy assignment 167
Policy details 170
Policy simulator 173
User/host profiles 175
Add or modify a profile 176
Filter example 177
Profile example 177
Profiles in use 179
Delete a profile 179
Network access 179
Implementation 181
Manage policies 181
Create or edit a policy 183
Delete a policy 183
Network access configurations 183
Create or edit a configuration 184
Configurations in use 185
Delete a configuration 185
Endpoint compliance 186
Implementation 187
Agent overview 190
Dissolvable Agent 191
Persistent Agent 193
Mobile Agent 203
Agent server communications 205
SSL certificates 206
Auto-definition updates 229
Endpoint compliance policies 231
Add or modify a policy 234
Determining host operating system 234
Create or edit a policy 235
Delete a policy 235
Endpoint compliance configurations 236
Create or edit a configuration 237
Configurations in use 239
Delete a configuration 239
Chaining configuration scans 240
Scans 242
Custom scans 260
Scan parameters 280
Roles 291
Configuration 292
Assigning roles 292

Roles view 295
Logs 298
Audit Logs 298
Configuration 298
Accessing the auditing log 299
Events 301
Event notes 302
Events and alarms list 302
Event management 322
Enable and disable events 323
Event thresholds 324
Log events to an external log host 325
SNMP trap format 328
Common event format (CEF) 329
Examples of syslog messages 330
View events currently mapped to alarms 332
Alarms 333
Show or hide alarm details 334
Map events to alarms 334
Add or modify alarm mapping 337
Bulk modify alarm mappings 341
Delete alarm mapping 342
System 343
Certificate management 344
Config wizard 344
Groups 345
Add groups 346
Copy a group 347
Delete a group 347
Limit user access with groups 347
Modify a group 348
Group membership 349
Show group members 349
Group in use 349
Aging hosts in a group 349
System groups 350
Customer defined groups 353
Feature Visibility 354
Scheduler 355
Add a task 356
Add other scheduled tasks 359
Copy a task 359
Delete a task 360
Modify a task 360
Run task now 360
Tasks 360
Settings 362

Authentication 366
Automatic authentication 366
Directories 366
Radius 379
Identification 382
Vendor OUIs 382
Network control manager 385
Server synchronization 385
Global object synchronization 386
System communication 388
System management 398
Updates 411
Decommission Manager 425
Move server to another Manager (FNC-M/FNC-CA) 429
(Use these steps to transfer an existing managed FortiNAC server from one FortiNAC Manager to another.)
Requirements 429
Step 1: Review Global Objects 429
Step 2: Remove Server from Server List 430
Step 4: Update Existing Manager’s Allowed Serial Numbers (optional) 430
Step 5: Update CA’s Allowed Serial Numbers 431
Step 6: Update New Manager’s Allowed Serial Numbers 431
Step 7: Add Server to New Manager’s Server List 431
Step 8: Shut Down the Old Manager (optional) 432
Move server to another Manager (FNC-MX/FNC-CAX) 433
Requirements 433
Step 1: Review Global Objects 433
Step 2: Remove Server from Server List 434
Step 3: Validate 434
Step 4: Update Existing Manager’s Allowed Serial Numbers (optional) 434
Step 5: Update FortiNAC Server’s Allowed Serial Numbers 435
Step 6: Update New Manager’s Allowed Serial Numbers 435
Step 7: Add Server to New Manager’s Server List 436
Step 8: Shut Down the Old Manager (optional) 436

What's new in FortiNAC F 7.2.0

FortiNAC software re-versioning

FortiNAC software re-versions to F 7.2 to match the Fortinet fabric. The label “F” in F 7.2 is added to indicate
that this is Fortinet Fabric versioning, distinct from the FortiNAC 7.2 that was previously released.

Infrastructure upgrades

An infrastructure change has been made and a new product offering is available for the FortiNAC solution. The
new FortiNAC appliances are being labeled FortiNAC-F.
- New SKU
  FortiNAC Control and Application eXtended VM (SKU FNC-CAX-VM) is the continuation and extension of the FortiNAC Control and Application VM, supporting FortiNAC version F 7.2.
  FortiNAC Manager eXtended VM (SKU FNC-MX-VM) is the continuation and extension of the FortiNAC Manager VM, supporting FortiNAC F 7.2.
- New operating system: CentOS is replaced with a FortiOS-like OS (FortiNAC-OS)
  The previous CentOS 7 operating system is replaced with a custom Linux image with a CLI similar to that of FortiOS. It is called FortiNAC-OS in the documentation.
  FortiNAC-OS is implemented as a firmware image, similar to other Fortinet products (e.g., FortiGate).
  MySQL is replaced with MariaDB.
- An appliance migration is required to move an existing system on CentOS to the new FNC-CAX or FNC-MX system.
- Software Compatibility

FortiNAC Products

Name: FortiNAC-Control-and-Application-VM (SKU: FNC-CA-VM)
  Description: FortiNAC Control and Application Virtual Server
  Operating System: CentOS
  Version 8.x: Yes | Version 9.x: Yes | Version F7.2: Yes

Name: FortiNAC-Manager-VM (SKU: FNC-M-VM)
  Description: FortiNAC Manager Virtual Server
  Operating System: CentOS
  Version 8.x: Yes | Version 9.x: Yes | Version F7.2: Yes

Name: FortiNAC-CA-500C (SKU: FNC-CA-500C), FortiNAC-CA-600C (SKU: FNC-CA-600C), FortiNAC-CA-700C (SKU: FNC-CA-700C)
  Description: FortiNAC 500C/600C/700C, Network Control and Application Server with RAID and Redundant Power Supplies
  Operating System: CentOS
  Version 8.x: Yes | Version 9.x: Yes | Version F7.2: Yes

Name: FortiNAC-M-550C (SKU: FNC-M-550C)
  Description: FortiNAC Manager 550 Server with RAID and Redundant Power Supplies
  Operating System: CentOS
  Version 8.x: Yes | Version 9.x: Yes | Version F7.2: Yes

FortiNAC-F Products

Name: FortiNAC-Control-and-Application-eXtended-VM (SKU: FNC-CAX-VM)
  Description: FortiNAC Control and Application next-gen Virtual Server
  Operating System: FortiNAC-OS
  Version 8.x: No | Version 9.x: No | Version F7.2: Yes

Name: FortiNAC-Manager-eXtended-VM (SKU: FNC-MX-VM)
  Description: FortiNAC Manager next-gen Virtual Server
  Operating System: FortiNAC-OS
  Version 8.x: No | Version 9.x: No | Version F7.2: Yes

FortiNAC AWS secure deployment in cloud

FortiNAC F 7.2 changes its onboarding process to integrate with AWS to set up SSH keys during image
deployment. The FortiNAC appliance is now cloud-aware and will identify the cloud it is running on during boot,
read any provided metadata from the cloud, and initialize accordingly.

Cloud-init functionality with FortiNAC-OS

FortiNAC F 7.2 adds the ability to bootstrap the initial configuration of the FortiNAC Virtual Machines,
compatible with AWS, KVM, ESX, and Hyper-V VMs.
As part of "cloud-init," the user can run CLI commands to set the access credentials.
For more information, see the updated deployment guide for the appropriate appliance.

Report enforced and non-enforced ports

Added the ability to report both enforced and non-enforced ports and APs/SSIDs. A new visualization has been added to the Network Device Summary dashboard tile, as well as to Network Inventory.

UI/UX/Workflow enhancements

UI changes to policy creation

Policy and Logical Networks views are upgraded to the new UI, adding a common table search/filtering/drag-and-drop. The following views have been changed:
- Supplicant EasyConnect
- Endpoint Compliance Policy
- Network Access Policy
- Authentication Policy
- Portal Policy

UX/Policy enhancement backend

Logical Network / Policy enhancements

First time users

First time users of the FortiNAC device should follow the steps in the Deployment Guide.

Requirements

- Ensure the appropriate network ports are not blocked to allow inter-server communication. See Open ports in the Administration guide for details.
- FortiNAC Manager is registered and installed with the appropriate licenses. Refer to the Deployment Guide for details.
- FortiNAC Manager has the appropriate Endpoint License entitlements.
- (FortiNAC versions 9.4.3 and greater): Key files containing certificates are installed in the Manager(s) and all the FortiNAC servers to be managed. License keys with certificates were introduced on January 1st 2020. Appliances registered after January 1st should have certificates. To confirm, log in to the UI of each appliance and review the System Summary Dashboard widget (Certificates = Yes). For additional details on certificates see KB article 192245:
  https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Certificates-not-included-in-license-keys/ta-p/192245

FortiNAC Manager

The FortiNAC Manager simplifies managing multiple FortiNAC Server or FortiNAC Control Server appliances,
by acting as a central management node in the network. This central server allows you to take advantage of
FortiNAC’s features across the network.
The FortiNAC Manager is designed for configurations that consist of two or more FortiNAC Server or FortiNAC
Control Server appliances. Its web-based interface is an interactive management console that gives
enterprise-wide access to multiple FortiNAC Server or FortiNAC Control Server appliances from a
central server. Instead of accessing each FortiNAC appliance separately to search for user or data records, you
can search and manage from one console.

Key features

- Global User Identity Database—Data records are maintained on each user accessing the network.
- Scalability—Manage an extensive number of FortiNAC Servers from a single location.
- Global Find—Quickly locate devices and users anywhere in the network. This includes user information such as the MAC address, location, and the port where the user is connected. Perform searches by IP address to resolve the IP address to a specific user or device.
- Seamless Network-wide Registration—Users register once and are tracked in the enterprise identity database as they move freely to other managed locations within the network.
- Global Version Control—Manage version control on all FortiNAC appliances within the network, from a single management device.
- Global License Management—Licenses are shared across FortiNAC Servers.
- Global Scan Management—Scans can be created and copied across FortiNAC Server or FortiNAC Control Server appliances. You can configure network scans or sets of rules that are used to scan hosts for compliance. Scans are included in Endpoint Compliance Configurations that are paired with User/Host Profiles, which form Endpoint Compliance Policies.
- Global Synchronization—Enables automatic synchronization of the FortiNAC Server(s) with the FortiNAC Manager. Views that include global information display the Global column to indicate which information is synchronized with the FortiNAC Server(s). When enabled, automatic synchronization occurs once per minute.
- Import button—Allows you to import information from the FortiNAC Server(s) to the FortiNAC Manager. This eliminates the need to manually enter the information on the FortiNAC Manager. When it is imported to the FortiNAC Manager, the information is global.

Login procedure

The FortiNAC user interface is browser based. When you log in as an Administrator, you may create other
administrators with an administrator profile.

Any Administrator user account that you add to the FortiNAC Manager must also be created on the FortiNAC
appliance where the user will have access. If the Administrator user account does not exist on the FortiNAC
appliance, the user will not have access to that particular appliance.
There are different types of user records in FortiNAC: Standard users and Administrators. Administrators are
users with Admin UI login access. System Administrator is a specific set of permissions. You can have more
than one Administrator account with System Administrator permissions (Admin Profile).

1. Enter one of the following URLs in the Address field of the browser window:
   https://<hostname>:8443/
   or
   http://<hostname>:8080/
   There are no spaces in the entry. <hostname> is the name of the FortiNAC appliance. You may substitute the IP address for the <hostname> if you wish.
2. Log in as an administrator. Enter the User Name and Password.
3. The End User License Agreement appears the first time any administrator logs in. Click to Accept the terms. Clicking Disagree returns you to the Login dialog.
4. Add administrators as needed. See Add an administrator on page 37 for instructions.
5. The FortiNAC user interface displays. The interface provides the appropriate privileges for whoever logs in. See Administrator profiles on page 41 for more information on administrator permissions.

Licenses

The license key installed on your FortiNAC controls both the feature set that is enabled and the number of
managed hosts, users and devices.
License types:
- Base: Network discovery, host profiling, and classification.
- Plus: Host registration, scanning, and access control, along with all base features.
- Pro: Automated Threat Response, along with all plus and base features.
All licenses include high availability.

License count

There are two types of license counts on FortiNAC: concurrent licenses and Pro licenses. See license usage
information on the Dashboard on page 27 and License management on page 404.
If you exceed your license count, FortiNAC does the following:
- No new registrations are allowed.
- Attempts at new registrations are presented with the message "Exceeded concurrent connection license limit".
- Rogues, at-risk, and disabled hosts continue to be placed in isolation as they normally would be.
- Existing registered hosts and devices continue to have network access.
- Network Access provisioning based on policy will not occur.

Concurrent licenses

The count of concurrent licenses is based on the total number of concurrent connections to your network
that are managed by FortiNAC. There may be parts of your network that are not managed by FortiNAC.
This count includes hosts, servers or devices that are online on your network at any given time. When a host,
server or device disconnects from the network, the license is released and can be used for another connection.
For example, you may have 1000 hosts in your database but if only 100 are connected, then only 100 licenses
are used.
A registered host will use a license if the host is seen by FortiNAC to be online, even if the host is not on an
enforced port. When a registered host shows online, even if no one is logged on, a license is still used. When
the licenses run out, no new devices can register and access the network.
The following devices use a concurrent license when connected:
- Online hosts in the Host View (including registered hosts and IP phones)
- Online, non-infrastructure devices in Inventory (servers, printers, IP phones)
The following devices don't use a concurrent license when connected:
- Rogue devices
- Switches, routers, wireless controllers and wireless access points in Inventory

Pro licenses

These licenses are based on the total number of licenses configured that are currently in use by devices
connected to your network.

Entitlements

Additional services at no cost come with licenses and are shown as entitlements in the license dashboard.

Entitlement: Description

Telephone Support: Global toll-free technical support available 24/7 over telephone.

IoT Detection: Access to a database of devices through the cloud look-up service hosted by FortiGuard Labs, used by FortiNAC to identify devices.

Vulnerability Management: Vulnerability analysis and remediation for potential security weakness.

Firmware & General Updates: Firmware updates and weekly network device database updates to keep deployments up to date.

Enhanced Support: 24/7 FortiCare Enhanced Support that includes a real-time ticket system, interactive chat features, and return/replace hardware support.

Events and alarms

When the number of licenses used reaches 75%, 95% and 100% of total licenses an event is generated for
each threshold and an alarm is triggered to warn you. These percentages are default values. Modify thresholds
for these events under Event Management. See Event thresholds on page 324 for instructions.
Administrators must either monitor the Security Alarms view or the Alarm panel, or modify these alarms to
send a notification to administrators as they occur.

Event: Definition

Maximum Concurrent Connections Warning: Concurrent licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Concurrent Connections Critical: Concurrent licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Concurrent Connections Exceeded: Concurrent licenses in use has reached 100% of total licenses.

Entitlement Polling Failure: (Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when there is an error communicating with or processing license entitlements data from FortiCloud over TCP 443. Entitlement polling is required for Subscription Licenses. Refer to the Deployment Guide in the Document Library for Open Port requirements.

Entitlement Polling Success: (Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when communication and processing of license entitlements data from FortiCloud successfully completes.

Licenses are not released until users, hosts, devices or guests are disconnected from the network.

Licensing in a FortiNAC Manager environment

Licensed features

In a FortiNAC Manager environment, each appliance has its own license key that works in combination with the
license on the FortiNAC Manager. Licensed features, such as device profiler, integration suite, guest manager,
and endpoint compliance, can be enabled for all managed appliances by including the feature in the license key
for the FortiNAC Manager. To enable a licensed feature on a single appliance, the feature must be included in
the license key for that appliance, but must not be included in the FortiNAC Manager license key.

License totals

License counts are shared across all managed FortiNAC appliances, but the maximum number of licenses is
controlled by the FortiNAC Manager.
For example, if the total number of concurrent connection licenses on the FortiNAC Manager is 1000, any of the
managed appliances can use licenses from that pool, until all 1000 have been consumed. Appliance A may use
200 and Appliance B may use 150, leaving 650 available. Dashboards for all appliances, including the FortiNAC
Manager, would display the following:
- Total Licenses: 1000
- Licenses In Use: 350
- Licenses Available: 650
Total licenses available and total licenses used are counted by the FortiNAC Manager and are displayed on the
dashboard of all appliances.
Any number of licenses can be used on any managed appliance as long as total for all combined does not
exceed the 1000 licenses configured on the FortiNAC Manager. This affects concurrent connection licenses.
In a multi-FortiNAC Server environment, a host that is connected to both wired and wireless FortiNAC Servers
will use two licenses.
If the FortiNAC Manager goes down, individual FortiNAC Servers will continue to use the license counts.
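As an added illustration (not FortiNAC code) of the accounting rules in License count, Events and alarms and License totals above, the following Python model counts connections the way those sections describe: which records consume a license, how the Manager's pool is shared across appliances, the default 75%/95%/100% events, and the refusal of new registrations once the pool is exhausted. Appliance and host names are constructed for the example.

```python
"""Model of FortiNAC concurrent-license accounting as the Manager Guide
describes it.  Added illustration, not FortiNAC code; device kinds and
appliance/host names are constructed sample values."""
from dataclasses import dataclass

# Infrastructure in Inventory never consumes a concurrent license.
INFRASTRUCTURE = {"switch", "router", "wireless controller", "access point"}

# Default event thresholds (percent of total); configurable under Event Management.
DEFAULT_THRESHOLDS = {"warning": 75, "critical": 95}


@dataclass(frozen=True)
class Connection:
    appliance: str      # managed FortiNAC Server controlling the port
    host: str           # host/device identity (constructed sample values)
    kind: str           # "host", "ip phone", "printer", "server", "switch", ...
    online: bool
    rogue: bool = False  # rogue (unregistered) devices use no license


def uses_license(c: Connection) -> bool:
    """Online registered hosts and online non-infrastructure devices count;
    rogues, offline records and infrastructure do not."""
    return c.online and not c.rogue and c.kind not in INFRASTRUCTURE


def license_usage(connections, total_licenses):
    """Per-appliance in-use counts plus the pool figures every dashboard shows.
    Connections are counted, not hosts, so a host seen on both a wired and a
    wireless FortiNAC Server consumes two licenses."""
    per_appliance = {}
    for c in connections:
        if uses_license(c):
            per_appliance[c.appliance] = per_appliance.get(c.appliance, 0) + 1
    in_use = sum(per_appliance.values())
    return {
        "per_appliance": per_appliance,
        "total": total_licenses,
        "in_use": in_use,
        "available": max(total_licenses - in_use, 0),
    }


def license_events(in_use, total, thresholds=DEFAULT_THRESHOLDS):
    """Event names the guide lists, for the current usage level."""
    pct = 100.0 * in_use / total
    events = []
    if pct >= thresholds["warning"]:
        events.append("Maximum Concurrent Connections Warning")
    if pct >= thresholds["critical"]:
        events.append("Maximum Concurrent Connections Critical")
    if pct >= 100:
        events.append("Maximum Concurrent Connections Exceeded")
    return events


def registration_allowed(in_use, total):
    """New registrations are refused once the pool is consumed; already
    registered hosts keep their network access."""
    if in_use >= total:
        return False, "Exceeded concurrent connection license limit"
    return True, ""


def sample_connections():
    """Constructed sample reproducing the guide's 1000-license example:
    200 licensed connections on Appliance A and 150 on Appliance B, plus
    records that must not change the count."""
    conns = [Connection("Appliance A", f"pc-a-{i}", "host", True) for i in range(199)]
    conns += [Connection("Appliance B", f"pc-b-{i}", "host", True) for i in range(148)]
    conns.append(Connection("Appliance B", "printer-2", "printer", True))
    # One laptop wired on A and wireless on B: two connections, two licenses.
    conns.append(Connection("Appliance A", "laptop-7", "host", True))
    conns.append(Connection("Appliance B", "laptop-7", "host", True))
    # None of these consume a license: rogue, infrastructure, offline.
    conns.append(Connection("Appliance A", "unknown-mac", "host", True, rogue=True))
    conns.append(Connection("Appliance B", "core-sw-1", "switch", True))
    conns.append(Connection("Appliance A", "pc-a-offline", "host", False))
    return conns


if __name__ == "__main__":
    usage = license_usage(sample_connections(), 1000)
    print(usage)                                   # in_use 350, available 650
    print(license_events(usage["in_use"], 1000))  # [] while below the 75% warning
```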

License accounting for users and hosts

When users and their corresponding hosts move from one part of the network to another the FortiNAC
appliance managing their network access may change. For example, if the switches on the first floor are
managed by FortiNAC Appliance A and the switches on the second floor are managed by FortiNAC Appliance
B, then network access control changes from Appliance A to Appliance B when a laptop is moved from the first
floor to the second floor.
Hosts consume licenses when they are connected to the network. When a host is moved the license is released
when the host disconnects. The same host consumes a license the next time it connects to the network
regardless of where it connects.

License accounting for devices

When devices are moved from one part of the network to another the FortiNAC appliance managing their
network access may change. If moving the device causes it to be managed by a different FortiNAC appliance,
one license is released on the original appliance when the device disconnects from the network and then a new
license is used when the device reconnects to the network. The device is included in the databases of both
appliances but only consumes one license because it only has one connection.

Manage guests in a FortiNAC Manager environment

When using Guest Manager in an environment where two or more FortiNAC appliances are managed by a
central FortiNAC Manager appliance, guest accounts are not centrally located. Guest accounts can be created
on any FortiNAC appliance, but are not replicated to other FortiNAC appliances. When guests arrive, they may
connect to the network in a location managed by an appliance other than the one where their accounts were
created. When a guest connects to the network and tries to register, the FortiNAC appliance to which the guest
is connected checks its own database for the guest's account. If the guest account exists on that FortiNAC
appliance, the guest can proceed with the registration process. If the guest account does not exist, the FortiNAC
Manager checks the other FortiNAC appliances it manages until it finds the guest account. The FortiNAC
Manager copies the guest account from the appliance on which it was created to the appliance where the guest
is attempting to connect to the network. Then the guest can continue the registration process.
Since guest records are copied and are not centrally located there are some limitations.

- Guest accounts are only copied from one appliance to another as needed and are not synchronized at any time.
- When a guest user account is copied from one appliance to another, FortiNAC Manager checks the status of the Propagate Hosts setting on the user account. If this setting is enabled, hosts associated with the guest are copied with the guest user account.
- If a guest account is manually deleted on one FortiNAC appliance, it is not deleted from all appliances automatically.
- Because all appliances are not kept in sync, Guest reports on FortiNAC appliance A may not show the same information as a guest report on FortiNAC appliance B. The guest may have been created on appliance A, but registered and authenticated on appliance B. A report on appliance A will not reflect the changes made to appliance B.
- Guest accounts cannot be limited to a particular appliance or set of appliances, which would subsequently limit access to a subset of the network.
- There is no central location where all guest records can be viewed. A best practice would be to use the same FortiNAC appliance to create all guest accounts.
- If the FortiNAC Manager is not running, guests will not be able to register on any appliance that does not already contain their guest accounts.
- Guest users display under Users > User License. If a Guest User is deleted on the FortiNAC Manager, the Guest User and corresponding host are also deleted on all the managed FortiNAC appliances. However, the Guest Account is not deleted. This account remains in the database of the managed FortiNAC appliance until it expires or is deleted. This allows a Guest User to re-register or, in the case of conference accounts, allows new guests to be assigned those accounts.

Manage hosts in a FortiNAC Manager environment

Host records are not synchronized across managed FortiNAC Servers. Host state changes are never
propagated from one FortiNAC Server to another.
In an environment where multiple FortiNAC Servers are managed by a FortiNAC Manager, hosts register with
the Server that manages the switch to which the hosts connect. The FortiNAC Manager can query the servers it
manages to locate hosts and view host or adapter properties regardless of the server on which the host record
resides.

Hosts That Move To A Different FortiNAC Server

When hosts are mobile, such as a laptop or an iPad, the host could connect to a switch that is not managed by
the FortiNAC Server where the host originally registered. In this case the process is as follows:
1. Host A connects to the network and registers on FortiNAC Server 1.
2. Later, Host A moves and connects to a switch managed by FortiNAC Server 2.
3. FortiNAC Server 2 does not have a record for that host and queries the FortiNAC Manager to find out if this is a registered host on a different FortiNAC Server.
4. The FortiNAC Manager queries all of the FortiNAC Servers it manages and finds a record of Host A on FortiNAC Server 1.
5. The record for Host A is copied from FortiNAC Server 1 to FortiNAC Server 2. If the security policy used to scan Host A exists on FortiNAC Server 2, then the host state is also copied. If the policy does not exist on FortiNAC Server 2, then the host state is not copied.
6. From this point forward, the two host records are never synchronized. Changes in host state on one FortiNAC Server are never propagated to any other FortiNAC Server.

Hosts With Delayed Remediation State

When a host has been scanned against a policy set for Delayed Remediation and has failed, it is set to Pending - At
Risk. This host state indicates that the host has failed the policy but is not being prevented from
accessing the network until the configured delay for that policy elapses. If in the meantime the host moves
somewhere else on the network and connects to a switch managed by a different FortiNAC Server, the host
state is not propagated: a Pending - At Risk state is never sent to the second FortiNAC Server. However, if the
host returns to the first server it must resolve the issues that caused it to fail and rescan before the delay
elapses, or it will be marked "At Risk" and will not be allowed on the network.

Passwords

There are several types of passwords that are used in conjunction with FortiNAC, such as passwords for CLI,
SSH, or admin UI access. Each type of password has its own set of rules or conventions.

CLI/SSH passwords

Passwords are set using the Guided Install during initial configuration.

Modify CLI Account passwords after initial configuration

FortiNAC appliances running CentOS (FNC-CA-xx/FNC-M-xx): Navigate to Users & Hosts > Administrators > CLI Passwords.
FortiNAC appliances running FortiNAC-OS (FNC-CAX-xx/FNC-MX-xx): Change the password via the CLI. Log in as admin to the CLI and type:

    config sys admin
    edit admin
    set password [<password>]
    end

For additional details on editing the Admin user(s) in the FortiNAC-OS CLI, see Admin user in the CLI
Reference manual.
CLI/SSH passwords must be eight characters or longer and contain a lowercase letter, an uppercase letter, a
number, and at least one of the following symbols:

Required Symbols
  ! exclamation point
  @ at
  _ underscore
  # pound
  $ dollar
  ~ tilde
  ^ caret
  - hyphen
  * asterisk
  % percent
  ? question mark

The symbols listed below are not permitted in CLI/SSH and Configuration Wizard passwords.

Prohibited Symbols
  ( open parenthesis
  ) close parenthesis
  ` back quote
  & ampersand
  + plus
  = equal
  | pipe
  ; semicolon
  : colon
  " double quote
  ' single quote
  < less than
  > greater than
  \ back slash
  { open curly bracket
  } close curly bracket
  [ open square bracket
  ] close square bracket
  , comma
  . period
  / forward slash

Admin CLI and root CLI passwords are limited to 64 characters.

Administrator passwords

To modify Administrator passwords, navigate to Users & Hosts > Administrators.

Spaces are permitted in passwords with local authentication. Any other authentication will depend on the vendor.

Administrator passwords for FortiNAC stored in the FortiNAC database must conform to the following:

Permitted Characters
Letters (upper and lower case): A, B, C... (and a, b, c...)
Numbers: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols: All characters not defined as letters or numbers, including:
~!@#$%^&*()_+-={}|[]\:<>?,./

Prohibited Symbols
' single quote
" double quote
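As an added check that is not part of the guide, the two rule sets above (CLI/SSH and admin UI local-database passwords) expressed as a Python validator that reports every rule a candidate password breaks; the sample passwords are constructed.

```python
"""Checks a candidate password against the rule sets in the FortiNAC Manager
Guide "Passwords" section. Added example, not Fortinet code; sample
passwords are constructed."""
import string

# CLI/SSH rules from the guide.
CLI_MIN_LEN = 8
CLI_MAX_LEN = 64                               # admin and root CLI passwords
CLI_REQUIRED_SYMBOLS = set("!@_#$~^-*%?")      # at least one must be present
CLI_PROHIBITED_SYMBOLS = set("();:{}`\"[&']+<,=>.|\\/")
# Admin UI (FortiNAC database) rule: only the two quote characters are prohibited.
UI_PROHIBITED_SYMBOLS = set("'\"")


def check_cli_password(pw):
    """Return the list of CLI/SSH rules the password violates (empty = acceptable)."""
    problems = []
    if len(pw) < CLI_MIN_LEN:
        problems.append("shorter than %d characters" % CLI_MIN_LEN)
    if len(pw) > CLI_MAX_LEN:
        problems.append("longer than %d characters" % CLI_MAX_LEN)
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("no number")
    if not any(c in CLI_REQUIRED_SYMBOLS for c in pw):
        problems.append("none of the required symbols " + "".join(sorted(CLI_REQUIRED_SYMBOLS)))
    prohibited = sorted(set(pw) & CLI_PROHIBITED_SYMBOLS)
    if prohibited:
        problems.append("prohibited symbol(s): " + "".join(prohibited))
    # Characters the guide's lists do not mention (space, non-ASCII, ...) are
    # flagged rather than silently accepted.
    known = set(string.ascii_letters + string.digits) | CLI_REQUIRED_SYMBOLS | CLI_PROHIBITED_SYMBOLS
    unknown = sorted(set(pw) - known)
    if unknown:
        problems.append("character(s) not covered by the guide: " + repr("".join(unknown)))
    return problems


def check_ui_password(pw, local_auth=True):
    """Return the admin UI rules the password violates. Spaces are permitted with
    local authentication; with LDAP/RADIUS the guide says it depends on the vendor."""
    problems = []
    prohibited = sorted(set(pw) & UI_PROHIBITED_SYMBOLS)
    if prohibited:
        problems.append("prohibited symbol(s): " + "".join(prohibited))
    if " " in pw and not local_auth:
        problems.append("contains a space; support depends on the authentication vendor")
    return problems


if __name__ == "__main__":
    for candidate in ("Str0ng!pass", "Weak(pass1", "short1!"):
        print(candidate, "->", check_cli_password(candidate) or "OK")
```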

Configuration (FNC-M-xx)

FortiNAC Manager must be able to communicate with the FortiNAC servers to be managed.
Required in versions F7.2.2 and greater: configure the security.allowedserialnumbers attribute on all appliances.
This attribute lists the serial numbers of the appliances with which each managed appliance is allowed to
communicate.
Step 1: Configure the Manager
1. Compile the allowed serial number list. In a text file (Notepad, etc.), document the serial number of each
appliance. Serial numbers can be obtained in the following ways:
l Customer Portal (https://support.fortinet.com)
l System Summary Dashboard widget in the Administration UI of each appliance
l CLI of each appliance using the licensetool command

Example:
FortiNAC Manager A (primary) & B (secondary)
FortiNAC-CA servers A (primary) & B (secondary)
FortiNAC-CA server C

Record serial numbers for:


FortiNAC Manager A: FNVM-Mxxxxx1
FortiNAC Manager B: FNVM-Mxxxxx2
FortiNAC-CA server A: FNVM-CAxxxxx4
FortiNAC-CA server B: FNVM-CAxxxxx5
FortiNAC-CA server C: FNVM-CAxxxxx6

2. In the same text file, write the following command, listing all the serial numbers recorded in the previous step:
Command:
globaloptiontool -name security.allowedserialnumbers -setRaw
"<serialnumber1>,<serialnumber2>,<serialnumber3>"
Example
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-
Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"

3. Perform the following steps on the Manager:


a. Log in to the CLI as root.
b. Paste the globaloptiontool command from the previous step.

Note:
l The message "Warning: There is no known option with name: security.allowedserialnumbers" may
appear. This is normal.

l In High Availability configurations, only the Primary Server needs to have the command entered.
Database replication will copy the configuration to the Secondary Server. Using the above example, the
CLI configuration would be applied to Manager A.

Example
> globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-
Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"
Warning: There is no known option with name: security.allowedserialnumbers
New option added

c. Confirm entry by typing:


globaloptiontool -name security.allowedserialnumbers

Example
> globaloptiontool -name security.allowedserialnumbers
Warning: There is no known option with name: security.allowedserialnumbers
122 security.allowedserialnumbers: FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-
CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6

4. Log out of the CLI. Type:


logout

5. (Optional) Configure Managers for High Availability. For instructions see High Availability - CentOS.

Step 2: Configure the FortiNAC Server


These steps must be performed on every FortiNAC server to be managed.
1. Log in to the CLI as root.
2. Create the Allowed Serial Numbers list. Specify the serial numbers of the FortiNAC Manager(s). Type:
globaloptiontool -name security.allowedserialnumbers -setRaw
"<Managerserialnumber1>,<Managerserialnumber2>"

Example
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-
Mxxxxxxx2"

Note:
l The message "Warning: There is no known option with name: security.allowedserialnumbers" may
appear. This is normal.
l In High Availability configurations, only the Primary Server needs to have the command entered.
Database replication will copy the configuration to the Secondary Server. Using the above example, the
CLI configuration would be applied to CA servers A & C.

Example
> globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2"
Warning: There is no known option with name: security.allowedserialnumbers
New option added

Confirm entry by typing:


globaloptiontool -name security.allowedserialnumbers

Example
> globaloptiontool -name security.allowedserialnumbers
Warning: There is no known option with name: security.allowedserialnumbers
122 security.allowedserialnumbers: FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2

3. Log out of the CLI. Type:


logout

4. Add servers to the Manager’s Server List. See Servers for instructions.

Configuration (FNC-MX-xx)

This configuration applies to the FortiNAC Manager next-gen Server (FNC-MX-xx).


Step 1: Configure the Manager
FortiNAC Manager must be able to communicate with the FortiNAC servers to be managed. Follow the
instructions below to allow inter-server communication over port1.
1. Log in to the Manager CLI as admin and type:
show system interface

2. Confirm the set allowaccess command includes both nac-ipc and ssh for port1.
In this example, nac-ipc needs to be added:
set allowaccess https-adminui ssh

3. Copy the existing set allowaccess line command to buffer. Important: Ensure all protocols listed are
copied. There is no “append” option.
4. Modify the access list. Type:
config system interface
edit port1
<Paste set allowaccess command copied to buffer> nac-ipc
end
end

Example:
config system interface
edit port1
set allowaccess https-adminui ssh nac-ipc
end
end

5. Review the entry to confirm the protocols were added. Type:


show system interface

Example output:
set allowaccess https-adminui ssh nac-ipc

6. Required in versions F7.2.2 and greater
Configure the security.allowedserialnumbers attribute on all appliances. This attribute lists the serial numbers
of the appliances with which each managed appliance is allowed to communicate.
Compile the allowed serial number list. In a text file (Notepad, etc.), document the serial number of each
appliance. Serial numbers can be obtained in the following ways:
l Customer Portal (https://support.fortinet.com)
l System Summary Dashboard widget in the Administration UI of each appliance
l CLI of each appliance using licensetool command

Example:
FortiNAC Manager A (primary) & B (secondary)
FortiNAC-CA servers A (primary) & B (secondary)
FortiNAC-CA server C

Record serial numbers for:


FortiNAC Manager A: FNVM-Mxxxxx1
FortiNAC Manager B: FNVM-Mxxxxx2
FortiNAC-CA server A: FNVM-CAxxxxx4
FortiNAC-CA server B: FNVM-CAxxxxx5
FortiNAC-CA server C: FNVM-CAxxxxx6

7. In the same text file, write the following command, listing all the serial numbers recorded in the previous step:
Command:
globaloptiontool -name security.allowedserialnumbers -setRaw
"<serialnumber1>,<serialnumber2>,<serialnumber3>"

Example
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-
Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"

8. Perform the following steps on the Manager:


a. Log in to the CLI as admin and type:
execute enter-shell

Hit <ENTER>
b. Paste the globaloptiontool command from the previous step.
Note:
l The message "Warning: There is no known option with name: security.allowedserialnumbers" may
appear. This is normal.
l In High Availability configurations, only the Primary Server needs to have the command entered.
Database replication will copy the configuration to the Secondary Server. Using the above example, the
CLI configuration would be applied to Manager A.
Example
> globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-
Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"
Warning: There is no known option with name: security.allowedserialnumbers
New option added

c. Confirm entry by typing:


globaloptiontool -name security.allowedserialnumbers

Example
> globaloptiontool -name security.allowedserialnumbers
Warning: There is no known option with name: security.allowedserialnumbers
122 security.allowedserialnumbers: FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6

9. Restart FortiNAC services. Type:


shutdownNAC
<wait 30 seconds>
startupNAC

10. Log out of the CLI. Type:


exit
exit

11. (Optional) Configure Managers for High Availability. For instructions see High Availability - FortiNAC-OS.

Step 2: Configure the FortiNAC Server


These steps must be performed on every FortiNAC server to be managed.
1. Configure the FortiNAC server to allow inter-server communication. Log in to the FortiNAC server’s CLI as
admin and type:
show system interface

2. Confirm the command set allowaccess includes both nac-ipc and ssh for port1.
3. If these need to be added, copy the existing set allowaccess line command to buffer. Important:
Ensure all protocols listed are copied. There is no “append” option.
4. Modify the access list. Type:
config system interface
edit port1
<Paste set allowaccess command copied to buffer> nac-ipc
end
end

Example:
config system interface
edit port1
set allowaccess https-adminui ssh nac-ipc
end
end

5. Review the entry to confirm the protocols were added. Type:


show system interface

6. Confirm the appliances can connect to each other via SSH. Type:
execute ssh admin@<Manager IP address>

7. Type:
execute enter-shell

Hit <ENTER>
8. Create the Allowed Serial Numbers list. Specify the serial numbers of the FortiNAC Manager(s). Type:
globaloptiontool -name security.allowedserialnumbers -setRaw
"<Managerserialnumber1>,<Managerserialnumber2>"

Example
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-
Mxxxxxxx2"

Note:
l The message "Warning: There is no known option with name: security.allowedserialnumbers" may
appear. This is normal.
l In High Availability configurations, only the Primary Server needs to have the command entered.
Database replication will copy the configuration to the Secondary Server. Using the above example, the
CLI configuration would be applied to CA servers A & C.
Confirm entry by typing:
globaloptiontool -name security.allowedserialnumbers

9. Restart FortiNAC services. Type:
shutdownNAC
<wait 30 seconds>
startupNAC

10. Log out of the CLI. Type:


exit
exit

11. Add servers to the Manager’s Server List. See Servers for instructions.
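An added worked example (not Fortinet code) covering the procedure in both the Configuration (FNC-M-xx) and Configuration (FNC-MX-xx) sections: it builds the security.allowedserialnumbers command from a serial list, checks the confirmation output for serials that are missing, and rewrites the port1 allowaccess line while keeping every existing protocol (there is no append option). The serial numbers, confirmation output and show system interface output are constructed from the formats shown in the guide.

```python
"""Helpers for the inter-server setup in the Configuration (FNC-M-xx) and
Configuration (FNC-MX-xx) sections: building the security.allowedserialnumbers
command, verifying the confirmation output, and rewriting the port1
allowaccess line. Added example, not Fortinet code; all CLI output below is
constructed from the formats shown in the guide."""
import re

OPTION = "security.allowedserialnumbers"


def build_allowed_serials_cmd(serials):
    """Build the globaloptiontool command from a list of serial numbers.
    -setRaw replaces the whole value, so the list must be complete; blanks
    and duplicates are dropped and an empty list is an error."""
    clean = []
    for s in serials:
        s = s.strip()
        if s and s not in clean:
            clean.append(s)
    if not clean:
        raise ValueError("allowed serial number list is empty")
    return 'globaloptiontool -name %s -setRaw "%s"' % (OPTION, ",".join(clean))


def parse_allowed_serials(cli_output):
    """Read the configured list back from the confirmation output, e.g.
    '122 security.allowedserialnumbers: FNVM-M...1,FNVM-M...2'. The
    'Warning: There is no known option' line (normal per the guide) is ignored."""
    for line in cli_output.splitlines():
        m = re.search(re.escape(OPTION) + r":\s*(\S+)", line)
        if m:
            return m.group(1).split(",")
    return []


def missing_serials(expected, cli_output):
    """Serial numbers that should be allowed but are absent from the output."""
    present = set(parse_allowed_serials(cli_output))
    return [s for s in expected if s not in present]


def merge_allowaccess(show_output, required=("ssh", "nac-ipc")):
    """Return the complete 'set allowaccess ...' line for port1 with the required
    protocols added. There is no append option, so every protocol already
    present must be kept."""
    current, in_port1 = [], None
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            in_port1 = (line == "edit port1")
        elif line.startswith("set allowaccess") and in_port1 is not False:
            current = line.split()[2:]
    merged = list(current)
    for proto in required:
        if proto not in merged:
            merged.append(proto)
    return "set allowaccess " + " ".join(merged)


# Constructed serials, in the guide's placeholder format.
MANAGER_SERIALS = ["FNVM-Mxxxxxxx1", "FNVM-Mxxxxxxx2"]
SERVER_SERIALS = ["FNVM-CAxxxxx4", "FNVM-CAxxxxx5", "FNVM-CAxxxxx6"]

# Constructed confirmation output from a managed server (only Manager serials expected).
SERVER_CONFIRM_OUTPUT = """> globaloptiontool -name security.allowedserialnumbers
Warning: There is no known option with name: security.allowedserialnumbers
122 security.allowedserialnumbers: FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2
"""

# Constructed 'show system interface' output before nac-ipc is added.
SHOW_INTERFACE_OUTPUT = """config system interface
    edit port1
        set ip 192.0.2.10 255.255.255.0
        set allowaccess https-adminui ssh
    next
    edit port2
        set allowaccess ping
    next
end
"""

if __name__ == "__main__":
    print(build_allowed_serials_cmd(MANAGER_SERIALS + SERVER_SERIALS))  # Manager side
    print(missing_serials(MANAGER_SERIALS, SERVER_CONFIRM_OUTPUT))      # server side check
    print(merge_allowaccess(SHOW_INTERFACE_OUTPUT))
```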

Dashboard

Terminology

The following terminology is used throughout this document and is defined here to avoid confusion.
l Legacy View - A view that is only available if the Legacy View Architecture flag is enabled. A Legacy View
is one that has been rewritten in the new UI and displays in that form by default.
l Legacy Dashboard - This refers to the Dashboard available in FortiNAC through 9.1 as a Legacy View.

l Dashboard - Refers to the redesigned Dashboard built for 9.2.


l Widget - Formerly called Panel in our documentation, this term is used instead to align with the FortiGate.
l Visualization - A replacement for the tabbed view that the Legacy Dashboard had, a Widget has a
selected Visualization which defines how it should render. Examples include "Pie Chart," "Table," and "Top
Hosts." The set of available Visualizations differs per Widget.

Overview

The FortiNAC dashboard plays an essential role in gaining visibility upon all the devices connected to your
network. Because some IT professionals may have very large numbers of devices, the dashboard is essential
for gaining a "lay of the land" view of all network activity. You can choose which widgets are displayed and
rearrange their order.
Upon booting up FortiNAC for the first time, you will see an empty dashboard. A fully running FortiNAC
dashboard will look like this:

This section will cover details about the dashboard.


Note: FortiNAC saves dashboard preferences for each administrator, so one administrator's view on the same
FortiNAC appliance may look different from another's without conflict. If the administrator has no defined
dashboards, a dashboard is created with the name Main by default for all users, but this name may be changed.

Adding widgets

1. Go to any Dashboard.
2. Click Add Widget.

3. Select a widget from the list. When you select a widget, the settings for that widget are shown, if available
for that type of widget. From the widget settings, if you would like to select a different widget, press Cancel
to return to the list of widgets. You may add additional instances of widgets which already exist in the
dashboard.
4. Click OK.

Widget Organization

The right hand corner of the widget contains a widget menu that contains options to resize, modify settings, and
remove the widget.

All Widgets have a fixed height, but users can adjust the width set to the number of columns they should span.

System Summary

The System Summary widget displays information about the FortiNAC cluster. This widget contains no settings.
A cluster may contain up to 4 FortiNAC appliances when a High Availability configuration includes both Control
and Application servers.


Status displays the current status of each FortiNAC appliance:
l Running: The FortiNAC is running.
l Not Reachable: The dashboard cannot communicate with the FortiNAC.
l Management Down: The FortiNAC is running but the software is down.
l Running - Idle: The FortiNAC is running but there is currently no activity.
l Running - In Control: The FortiNAC is running and is in control in a high availability environment.
l Running - Not In Control: The FortiNAC is running and is not in control in a high availability environment.
To restart the primary server and resynchronize data in a high availability environment, click Resume Control.
This option is available only when the secondary server is in control. For more information, see High availability
on page 1.

License Information

This widget displays information about the licenses for your device, including the total number of licenses, how
many are currently in use, how many unused licenses are available, and entitlements.
Note: Entitlements will only display for FortiNAC appliances installed with licenses that include certificates. This
type of license was introduced January 1st, 2020.

Table View

The more complete view of license information, this visualization displays the number of available and used
licenses, and all entitlements.
You can modify the thresholds used to determine when % Used displays as Warning or Critical. By default, the
threshold for Warning is 75% and Critical is 95%. To modify the thresholds, click on the colored bar and enter
the new thresholds. Threshold changes are global and affect all users. Changing these thresholds also
influences when the associated Events will be generated.
For more information, see Licenses on page 14.

Pie Chart

A summary of the available and in use licenses are displayed as slices in a pie chart.

Alarms

The Alarms widget has three different visualizations: Table, Summary, and Graph that can be swapped in the
widget settings. FortiNAC can display alarm information from up to 60 days, available in Summary and Graph
visualizations. The user has the ability to Acknowledge an alarm, thus marking for their own memory that they
have seen this alarm. Control this function under Alarms settings.

Table

The Table visualization shows information about recent alarms, including when they occurred, what type of
alarm, and the element affected. When you select an alarm from the list, you can perform the following actions:
l Details: View more details about the alarm, including the cause
l Acknowledge: Marks the alarm as acknowledged and sets the Time Acknowledged
l Delete: Deletes the alarm from the list
You can filter the list of alarms using the Filter button, displayed at the right side of each column header when
you hover with your mouse.

Summary

Customize the time frame of this visualization under Alarm Settings > Previous Graph/Summary Days. The max
archive age is 60 days. For more information on the Archive Age Time setting, see Database archive on page
399.

Graph

Customize the time frame of this visualization under Alarm Settings > Previous Graph/Summary Days. The
max archive age is 60 days.

Pending Tasks

For details on creating and managing Tasks, see Tasks.


Widget Capabilities
l Communicate with other system administrators to reduce workload on any single admin
l If you are the supervisor, provide daily tasks to other admins
l You can give other admins less privileges in User & Hosts > Administrators

Tasks may also be automatically created by the system, such as when running the Guided Install.

This widget displays a tree of tasks which either have been assigned to the currently logged in administrator or
are assigned to everyone. This widget contains no settings.
Each record in the widget contains the same controls which appear in the menu in the header. Progress meters
will appear within this widget, but will only update based upon the update interval settings of the widget.

Servers

The Servers widget displays a list of the servers managed by this FortiNAC Manager. Servers are listed in
alphanumeric order.
Available functions:
l View server properties and status. See table below.
l Add or remove managed servers using the Create New and Delete buttons. See Adding servers at the
bottom of this page.
l Access the individual server's Administration UI using the Open Server UI button. Important: Administrator
user must exist on both the Manager and FortiNAC server in order to access. See Login procedure.
l Manually push global objects from the Manager to the selected Server using the Synchronize button. Upon
manual synchronization, all information on the FortiNAC Server that is shared globally with the FortiNAC
Manager is overwritten. For details on Server synchronization, see Network control manager.

Field Definition

Name Name of the appliance on which FortiNAC is running.

Product Software that is installed and running on the appliance.

IP Address IP Address of the appliance being managed.

Status Indicates the current status of each appliance displayed. Statuses include:
Running — Appliance and software are running.
Not Reachable — Dashboard cannot communicate with the server.
Management Down — Appliance is running but the software is down.
Running - Idle — Appliance and software are up and running but there is
currently no activity.
Running - In Control — Appliance and software are up and running. This
appliance is in control vs. an appliance that may be the secondary appliance for
high availability.
Running - Not In Control — Applies in a High Availability environment, where a
secondary server is ready to take over in the event of a failure on the primary
server. Indicates that the appliance and software are running, but are not in
control.

Adding Servers

Important: Before proceeding, ensure the steps in the following applicable section have been completed:
l Configuration (FNC-MX-xx)
l Configuration (FNC-M-xx)
1. In the Manager Administration UI, navigate to the Dashboard.
2. Locate the Servers widget. If not listed, add to the Dashboard. See Adding widgets.
3. Select Create New in the Servers widget and add the FortiNAC server IP address.

System Performance

This panel displays information about the current performance of your FortiNAC. It has two visualizations:
Table View and Chart.

Table View

This visualization displays a detailed look into the total, free, and used percentage of the FortiNAC appliance's
memory and partitions. You can modify the thresholds used to determine when % Used displays as Warning or
Critical in both the Hardware and Software tabs. By default, the threshold for Warning is 85% and Critical is
95%. Threshold changes are global and affect all users. Changing these thresholds also influences when the
associated Events will be generated.

Chart

This visualization monitors the system's overall CPU and memory usage. A maximum number of data
points, up to 100, may be configured in the settings as the "Maximum Graph Size." The oldest data points are
removed from the graph when any are added in excess of this value.

Users

Administrators

FortiNAC's administrator system allows you to organize admins to better delegate work and also to limit which admins
have what kind of access. On this page, you can add admins, edit them, and apply an Admin Profile. (See: Administrator
profiles). An Admin Profile is a highly useful profile that you can create to determine what kind of privileges you, as the
supervising System Administrator, want to give them.
Simply go to the Profiles tab under Users & Hosts > Administrators.
Some examples include Help Desk, Operator, Security Analyst, etc. This differentiation of admin types allows your team
to work together while maintaining segmentation of data access. The process can be automated, too. You can well
imagine how it might be helpful to automatically apply profiles for a very large number of temporary administrators for a
conference, whose privileges should expire after a certain time period that you determine.
The profiles are ranked, so that you won't run into the problem of one user having two profiles. The user will automatically
be assigned the top profile.
Here's some things you should know:
l When adding Administrator accounts to the FortiNAC Manager, be sure these accounts also exist on the managed
FortiNAC Servers so the Administrator users can have access to the data. Important: Account must use the same
password on both Manager and FortiNAC Server.
l If you're the System Administrator, you cannot delete your account, as you control everything.
l The underlying administrators can't select their own profile. The profile is forced upon them.
l If you want to use a different profile, then you have to use a different account.
l If there are more than 1000 administrators in the database, the users are not automatically displayed. Large
numbers of records may load slowly if not filtered.
l Admin user accounts for appliance CLI access are independent of the Administrator users for UI access. CLI users
are not listed in the UI.
l To modify passwords for UI and appliance CLI accounts, see Passwords.
l For details on FortiNAC-OS CLI admin users, see "Admin user" section in the CLI Reference manual.
Note: Administrators are also network users, therefore, FortiNAC also displays them in the Users View.

Settings

Fields used in filters are also defined in this table.

Field Definition

Add Filter Allows you to select a field from the current view to filter information. Select the field from the
drop-down list, and then enter the information you wish to filter. See Filters on page 1.

Update Displays the filtered data in the table.

Administrators

User ID Unique alphanumeric ID for this user. Required.

First Name User's first name.

Last Name User's last name. Required.

Admin Profile Administrators must have an associated administrator profile that provides them with
permissions for features in FortiNAC. Click the link in the administrators table for the selected
user to go to the profile displayed. See Administrator profile on page 95.

Auth Type Authentication method used for this administrator. Types include:
l Local: Validates the user to a database on the local FortiNAC appliance.
l LDAP: Validates the user to a directory database. FortiNAC uses the LDAP protocol to
communicate to an organization's directory.
l RADIUS: Validates the user to a RADIUS server.

E-mail E-mail address used to send system notifications associated with features such as alarms or
profiled devices.

Phone, Address, City, State, Postal Code, Title Optional demographic information.

Mobile Number Mobile Phone number used for sending SMS messages to administrators.

Mobile Provider Mobile provider for the mobile phone number entered in the previous field. Used to send SMS
messages to administrators. This field also displays the format of the SMS address that will be
used to send the message. For example, if the provider is US Cellular, the format is
xxxxxxxxxx@email.uscc.net, where the x's represent the user's mobile phone number. The
number is followed by the email domain of the provider's message server.

User Expires The user is deleted from the database when the date specified here has passed. The date is
automatically calculated based on the information entered when Aging is configured. The
default setting for administrators is blank or Never Expire. Administrators may or may not have
an expiration date depending on how the account was created. See Aging out host or user
records on page 1 and Set user expiration date on page 82.
Administrators assigned the System Administrator profile cannot be aged out.

User Inactivity Date Controls the number of days a User is authorized on the network. User is deleted from the
database when the date specified here has passed. The date is continuously recalculated
based on the information entered in the Days Inactive field. See Aging out host or user records
on page 1.

User Inactivity Limit Number of days the user must remain continuously inactive on the network to be removed
from the database. See Aging out host or user records on page 1.

Last Login/Logout Date of the last time the user logged into or out of the network or the FortiNAC admin UI. This
date is used to count the number of days of inactivity.

Last Modified By User name of the last user to modify the administrator.

Last Modified Date Date and time of the last modification to this administrator.

Right click menu options

Copy Copy the selected User to create a new record.

Delete Deletes the selected User.

Group Membership Displays groups in which the selected user is a member.
Administrators are also regular users, therefore, separate options are displayed for
administrator groups and user groups. Options are Group Membership (User) and Group
Membership (Administrator).

Groups Displays groups in which the selected user is a member. See Group membership on page 67.

Modify Opens the Modify User window for the selected profile.

Set Admin Profile Allows you to modify the administrator profile for one or more users. This also allows you to
remove the "Administrator" Profile for a user without the need to first delete and then recreate
the user. See Modify an administrator profile on page 40

Set Expiration Launches a tool to set the date and time for the user to age out of the database. See Set user
expiration date on page 82.

Edit Theme Opens the User Theme dialog and allows you to modify the look and feel of the user interface
for each administrator.

Import/Export Import and Export options allow you to import users into the database from a CSV file or
export a list of selected hosts to CSV, Excel, PDF, or RTF formats. See Import an
administrator on page 1 and Export data on page 1.

Add an administrator

If you are creating administrators to manage guests or devices, you must create an administrator who has the
appropriate administrator profile associated. See Administrator profiles on page 41.
1. Select Users > Administrators.
2. Click Add.
3. Enter a User ID for the new administrator and click OK.
As you enter the user ID, the network user database is checked to see if there is a current user with the same ID and
a drop-down list of matching users is displayed. If you enter an ID that already exists as a regular network user, the
network user and the administrator become the same person with a single account.
This allows you to give a network user administrator privileges to help with some administrative tasks.
4. Use the table of below to complete the information in the Add User dialog:

Field Definition

Authentication Type Authentication method used for this administrator. Types include:
l Local: Validates the user to a database on the local FortiNAC appliance.

l LDAP: Validates the user to a directory database. FortiNAC uses the LDAP

protocol to communicate to an organization’s directory.

l RADIUS: Validates the user to a RADIUS server.

Admin Profile Profiles control permissions for administrators. See Administrator profiles on page
41.
Add: Opens the administrator profiles window allowing you to create a new profile
without exiting the Add User window.
Modify: Allows you to modify the selected administrator profile. Note that
modifications to the profile affect all administrators that have been assigned that
profile.

User ID Unique alphanumeric ID for this user.

Password Password used for local authentication.
Note: You cannot view the password of the administrator you have created.
If you authenticate users through LDAP or RADIUS, the password field is disabled and the user
must log in with his LDAP or RADIUS password.

First Name User's first name.

Last Name User's last name.

Address, City, State, Zip/Postal Code, Phone Optional demographic information.

E-mail E-mail address used to send system notifications associated with features such as
alarms or profiled devices. Also used to send Guest self registration requests from
guests requesting an account. For multiple e-mail addresses, enter addresses
separated by commas or semi-colons. Messages are sent to all e-mail addresses
provided.

Title User's title, such as Mr. or Ms.

Mobile Number Mobile Phone number used for sending SMS messages to administrators.

Mobile Provider Mobile provider for the mobile phone number entered in the previous field. Used to
send SMS messages to administrators. This field also displays the format of the
SMS address that will be used to send the message. For example, if the provider is
US Cellular, the format is xxxxxxxxxx@email.uscc.net, where the x's represent the
user's mobile phone number. The number is followed by the email domain of the
provider's message server.

Notes Free form notes field for additional information.

User Never Expires If enabled, administrators are never aged out of the database. The default is
enabled.
Administrators assigned the System Administrator profile cannot be aged out.

Propagate Hosts The Propagate Hosts setting controls whether or not the record for the host owned
by the user is copied to all managed FortiNAC appliances. This field is only
displayed if the FortiNAC server is managed by a FortiNAC Control Manager.

5. Click OK to save the new user.

Modify an administrator

Administrators cannot select a different administrator profile for their own account. Use a second administrator account
to select a different profile.
1. Select Users > Administrators.
2. Select a user from the list.
3. Click Modify.
4. On the Modify User window, edit your data as needed.
5. Click Change Password to modify this user's password. This option is only available if the user is set for Local
authentication. Users who authenticate through the directory or a RADIUS server must change their passwords in
the directory or RADIUS server directly.
6. Click OK to save your changes.
For information on individual fields, see Add an administrator on page 37.

Delete an administrator

1. Select Users > Administrators.
2. Select a user from the list.
3. Click Delete.
4. A message is displayed asking if you are sure. Click OK to continue.
You are asked if you would like to delete registered hosts. If the administrator is also the owner of any registered hosts, it
is recommended that you delete the registered hosts. If they are not deleted, registered hosts associated with a deleted
user become registered devices. If a user connects to the network with one of these devices, there is nothing to prevent
network access because the device is known in the database.

Copy an administrator

You may copy a user, save it under another name, and use it as the basis for a new user.

1. Click Users > Administrators.
2. The Admin Users window opens with a list of current users.
3. Select the user and click Copy.
4. In the User ID window displayed, enter an alphanumeric ID for the new administrator and click OK. As you enter the
user ID, the network user database is checked to see if there is a current user with the same ID and a drop-down list
of matching users is displayed. If you enter an ID that already exists as a regular network user, the network user and
the administrator become the same person with a single account.
This allows you to give administrator privileges to a network user to help with some administrative tasks.
5. Change the name of the user, or other information and parameters.
6. Click OK.

Modify an administrator profile

You can modify the administrator profile for one or multiple users at a time. This also allows you to remove the
"Administrator" Profile for a user without the need to first delete and then recreate the user.
1. Select Users > Administrators.
2. Select one or more users from the list.
3. Right-click and select Set Admin Profile.
4. Select the Admin Profile from the drop-down list.
5. Click Add to add a new profile or Edit to modify the selected profile.
6. Click OK.

Administrator profiles

Administrator profiles are templates assigned to administrators to define what a user can do in FortiNAC. Every
administrator is required to have an administrator profile. An administrator profile can be assigned to more than one
administrator.
Each administrator profile contains a list of permissions that are inherited by the associated administrators. Permissions
configured in administrator profiles control the views in FortiNAC that can be accessed. If permission for access is given,
in most cases, the administrator can Add/Modify and Delete data.

If an administrator profile in use is changed, the changes do not take effect until the associated
administrators log out of FortiNAC and log in again.

Custom setting

For guest manager or device profiler, advanced permissions control items such as the guest account templates that can
be used by someone with permission for guest/contractor accounts.

Landing page

Administrator profiles also designate the first screen or landing page displayed when the administrator logs into
FortiNAC, days and times that users can log in and the number of minutes of inactivity that trigger an automatic logout.
Due to the complexity of the permissions structure, it is recommended that you define the job functions of your
administrators to ensure that you have considered the permissions required for each administrator profile.

Profile mapping

You can create profiles for groups of administrators so that new administrators are automatically added with your
specified configurations. If administrator profile mapping is configured, moving an administrator to a group which is
mapped changes the administrator to fit the group's profile. See Mappings process on page 61 for additional information.

System Administrator

The System Administrator profile is a default system profile. See Default administrator profiles on page 42.

Settings

Field Definition

Name: User specified name for the profile. This name is displayed in the administrator window when you are attaching the profile to an administrator.

Inactivity Time: User is logged out after this amount of time has elapsed without any activity.

Login Availability: Indicates when users with this profile can log in to FortiNAC. Options include: Always or Specify Time. If you choose Specify Time, the user is limited to certain times of day and days of the week.

Landing Page: Indicates the first view displayed when an administrator with this profile logs into FortiNAC.

Note: User specified note field. This field may contain notes regarding the data conversion from a previous version of FortiNAC.

Lock Out After Attempts: Indicates the number of allowed login attempts before the user is locked out.

Lock Out Duration: Indicates the amount of time a user is locked out before another login attempt is allowed.

Last Modified By: User name of the last user to modify the profile.

Last Modified Date: Date and time of the last modification to this profile.

Right click options

Export: Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data on page 1.

Copy: Copy the selected Profile to create a new record. The Administrator Profile cannot be copied.

Delete: Deletes the selected Profile. Profiles cannot be deleted if they are in use. The Administrator Profile can never be deleted.

Modify: Opens the Modify Admin Profile window for the selected profile. On the administrator profile, only the Inactivity Time can be modified.

In Use: Opens a list of administrators that have the selected profile attached.

Show Audit Log: Opens the admin auditing log showing all changes made to the selected item. For information about the admin auditing log, see Audit Logs on page 298. You must have permission to view the admin auditing log. See Add an administrator profile on page 55.

Default administrator profiles

FortiNAC has some default profiles that can be used to control system access. These profiles are always included in the
database. They can be modified, deleted or copied.

Default profiles - new database

The table below describes the profiles that are in any new FortiNAC database and the default settings for each profile.

View / Access / Permissions enabled

System Administrator
- All: This profile cannot be deleted or copied. The only attribute of this profile that can be modified is the Inactivity Time. The System Administrator profile has access to every part of FortiNAC. Permissions enabled: All.

Help desk
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Locate Hosts & Users: User can search for Hosts and Users but cannot modify data. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.

Operator
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Operators are restricted to the host and user groups they are configured to manage. They do not have access to all hosts and users. Permissions enabled: Access, Add/Modify.
- Locate Hosts & Users: User can view adapter, host, user, and device identity. User can modify Host information but cannot delete any records. Permissions enabled: Access.
- Manage Hosts & Ports: Adapter List: Disable adapters. Adapter Properties: View only. Host Properties: View and modify access, but cannot send a message. User Properties: View only. Device Identity: View and export data. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.

Profile_Sample
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access, Add/Modify.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. User is limited to the GuestAccess_Sample template, can create accounts 45 days in advance and can create accounts with a maximum duration of 15 days. Permissions enabled: Access, Add/Modify, Custom Settings.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.

Security analyst
- Dashboard: User can access and view the dashboard. Permissions enabled: Access.
- Network Devices: User can view, add, modify, or delete network devices in the following views: CLI configuration, Device profiling rules, L2 polling, L3 polling, Locate, Port changes, Topology. Permissions enabled: Access, Add/Modify, Delete.
- Users/Hosts/Adapters: User can access, add, modify, or delete users, hosts, and adapters in the following views: Adapters View, Connections, Device Identity, Hosts View, Scan Results, Users View. Permissions enabled: Access, Add/Modify, Delete.

Possible profiles - upgraded database

Prior versions of FortiNAC contained several user types with varying permissions. From Version 7.0 forward there is only
one type of administrator and access is controlled based on the settings of the administrator profile associated with each
user. During the upgrade process any existing administrator types and their corresponding permissions are converted to
administrator profiles and assigned to administrators. There may be as many as two Help Desk profiles and eight Operator
profiles created during the upgrade. The table below contains the full list of administrator profiles that could be created.

View / Access / Permissions enabled

Administrator
- All: This profile cannot be deleted or copied. The only attribute of this profile that can be modified is the Inactivity Time. The System Administrator profile has access to every part of FortiNAC. Permissions enabled: All.

Help desk
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Locate Hosts & Users: User can search for Hosts and Users but cannot modify data. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.

Help desk with messaging
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Locate Hosts & Users: User can search for Hosts and Users but cannot modify data. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access.
- Send Message: User can send messages to hosts with the Persistent Agent or Mobile Agent installed. Permissions enabled: Access.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.

Operator
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Operators are restricted to the host and user groups they are configured to manage. They do not have access to all hosts and users. Permissions enabled: Access, Add/Modify.
- Locate Hosts & Users: User can view adapter, host, user, and device identity. User can modify Host information but cannot delete any records. Permissions enabled: Access.
- Manage Hosts & Ports: Adapter List: Disable adapters. Adapter Properties: View only. Host Properties: View and modify access, but cannot send a message. User Properties: View only. Device Identity: View and export data. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.

Operator with messaging
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access, Add/Modify.
- Locate Hosts & Users: User can view adapter, host, user, and device identity. User can modify Host information but cannot delete any records. Permissions enabled: Access.
- Manage Hosts & Ports: Adapter List: Disable adapters. Adapter Properties: View only. Host Properties: View and modify access, and can send a message. User Properties: View only. Device Identity: View and export data. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.
- Send Message: User can send messages to hosts with the Persistent Agent installed. Permissions enabled: Access.

Operator with add hosts
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access, Add/Modify.
- Locate Hosts & Users: User can view adapter, host, user, and device identity. User can modify Host information but cannot delete any records. Permissions enabled: Access.
- Manage Hosts & Ports: Adapter List: Disable adapters. Adapter Properties: View only. Host Properties: View and modify access, but cannot send a message. User Properties: View only. Device Identity: View and export data. User can add hosts. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access, Add/Modify.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.

Operator with delete hosts
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access, Add/Modify.
- Locate Hosts & Users: User can view adapter, host, user, and device identity. User can modify Host information and delete host and adapter records. Permissions enabled: Access.
- Manage Hosts & Ports: Adapter List: Disable adapters. Adapter Properties: View only. Host Properties: View and modify access, but cannot send a message. User Properties: View only. Device Identity: View and export data. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access, Delete.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.

Operator with add hosts and messaging
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access, Add/Modify.
- Locate Hosts & Users: User can view adapter, host, user, and device identity. User can modify Host information but cannot delete any records. Permissions enabled: Access.
- Manage Hosts & Ports: Adapter List: Disable adapters. Adapter Properties: View only. Host Properties: View and modify access, and can send a message. User Properties: View only. Device Identity: View and export data. User can add hosts. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access, Add/Modify.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.
- Send Message: User can send messages to hosts with the Persistent Agent installed. Permissions enabled: Access.

Operator with delete hosts and messaging
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access, Add/Modify.
- Locate Hosts & Users: User can view adapter, host, user, and device identity. User can modify Host information and delete host and adapter records. Permissions enabled: Access.
- Manage Hosts & Ports: Adapter List: Disable adapters. Adapter Properties: View only. Host Properties: View and modify access, and can send a message. User Properties: View only. Device Identity: View and export data. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access, Delete.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.
- Send Message: User can send messages to hosts with the Persistent Agent installed. Permissions enabled: Access.

Operator with delete hosts, add hosts, and messaging
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access, Add/Modify.
- Locate Hosts & Users: User can view adapter, host, user, and device identity. User can modify Host information and delete host and adapter records. Permissions enabled: Access.
- Manage Hosts & Ports: Adapter List: Disable adapters. Adapter Properties: View only. Host Properties: View and modify access, and can send a message. User Properties: View only. Device Identity: View and export data. User can add hosts. This is the default landing page when a user with this profile logs into FortiNAC. Permissions enabled: Access, Add/Modify, Delete.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. Permissions enabled: Access, Add/Modify, Delete.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.
- Send Message: User can send messages to hosts with the Persistent Agent installed. Permissions enabled: Access.

Profile_Sample
- Group Membership: User can access the group membership for Hosts and add or modify the selected host's membership in groups. Permissions enabled: Access, Add/Modify.
- Guest/Contractor Accounts: User can add, modify or delete guest accounts, send email and SMS messages to guests with their credentials. User is limited to the GuestAccess_Sample template, can create accounts 45 days in advance and can create accounts with a maximum duration of 15 days. Permissions enabled: Access, Add/Modify, Custom Settings.
- Self Registration Requests: User can view self registration requests and allow or deny those requests. Permissions enabled: Access, Add/Modify.

Security analyst
- Dashboard: User can access and view the dashboard. Permissions enabled: Access.
- Network Devices: User can view, add, modify, or delete network devices in the following views: CLI configuration, Device profiling rules, L2 polling, L3 polling, Locate, Port changes, Topology. Permissions enabled: Access, Add/Modify, Delete.

Permissions list

Administrator profiles contain permissions settings. An administrator inherits permissions from the administrator profile
applied to his user account. The table below contains a list of the permissions that can be set in an administrator profile
and any special information about each setting.

Access levels

Level Definition

Access: If enabled, the user will be able to see data in the views shown in the Permission Set, but not add, modify or delete. There are some exceptions to this that are noted in the table of permissions. In some cases, by enabling Access, other permissions are automatically enabled. For example, if you enable Access for guest/contractor accounts, Add/Modify and Delete are automatically enabled and cannot be disabled.

Add/Modify: If enabled, the user can add or modify data in the views shown in the Permission Set.

Delete: If enabled, the user can delete data in the views shown in the Permission Set.

Custom: If enabled, an additional tab is shown that contains advanced settings for the Permission Set. For example, if Access to guest/contractor accounts is enabled and Custom is enabled, advanced options can be set on the Manage Guests tab.

Permissions list

Where applicable, this table assumes that Access, Add/Modify, Delete and Custom options are enabled.

Views / Permissions / Notes

Admin auditing
Views: Admin Auditing
Permissions: Provides access to the admin auditing log.

Admin profiles
Views: Admin profiles
Permissions: Provides access to admin profiles.

Config wizard
Views: Config wizard
Permissions: Provides access to config wizard.

Dashboard
Views: Dashboard
Permissions: Provides access to the dashboard tiles. Tiles require additional permissions as follows:
- Alarms Panel: Requires access to Event/Alarm; links and buttons are enabled if Add/Modify is enabled. Note: Events/Alarms permissions are located under the Logs permission group.
- Summary Panel: Requires access to System Settings.
- Network Device Summary Panel: Requires access to Devices; links are enabled if Add/Modify or Delete are enabled for Devices.
- Host Summary Panel: Requires access to Users/Hosts/Adapters.
- Scans Panel: Requires access to Policy.
- User Summary Panel: Requires access to Users/Hosts/Adapters.
- License Information Panel: Requires access to System Settings.
- Persistent Agent Summary Panel: Requires access to Policy.
- Performance Summary Panel: Requires access to Event/Alarm.
Notes: Requires that other permissions be selected to display associated tiles.

Event/alarm management
Views: Event to Alarm Mappings, Event Management
Permissions: If enabled, the views listed above can be accessed.
Notes: Reports can be accessed but not all options can be used without access to User/Host/Adapter being enabled.

Group membership
Views: Group Membership
Permissions: Allows access to Host, User, Device or Port group membership. Requires that one of the following additional permissions be enabled:
- Devices
- Locate Hosts & Users
- Manage Hosts & Ports
- Users/Hosts/Adapters

Groups
Views: Groups
Permissions: If enabled, allows access to the Groups View where you can view, add, modify or delete a group.

Guest/Contractor Accounts
Views: Guest/Contractor Accounts
Permissions: If enabled, allows access to the Guest Contractor Accounts View where you can view, add, modify or delete a guest account.
Notes: Has a Custom option that enables the Manage Guests Tab.

Views: Custom/Manage Guests
Permissions: This tab displays when the Custom permission is enabled. Custom Options include:
- Guest Account Access: Indicates whether user can access All, Own or No guest accounts after they have been created.
- Account Types: Allows user to create Individual, Bulk and or Contractor accounts.
- Create Accounts Days in Advance (Maximum): Number of days before guest registers that the account can be created.
- Create Accounts Active For Days (Maximum): Maximum number of days that accounts created by this user are allowed to be active.
- Allowed Templates: Templates that can be used to create guest accounts.
Refer to Add a guest manager profile for detailed information.

Hosts
Views: Adapters view, Application view, Endpoint fingerprints, FortiGate sessions, Hosts view
Permissions: Provides access to Hosts views.

Incoming events parser
Views: Incoming events parser
Permissions: Provides access to incoming events parser.

Locate hosts & users
Views: Locate Hosts & Users
Permissions: If enabled, the views listed above can be accessed.
- User can view adapter, host, user, and device identity.
- User can view group membership for Hosts and Users.
- User can modify Host information including registering a host.
- User can modify User properties for network users and administrators.
- User can delete Host and Adapter records.

Logs
Views: Alarms, Connections, Events, Scan Results
Permissions: If enabled, the views listed above can be accessed. Users can view information about events within the system and on the network.

Manage hosts & ports
Views: Manage Hosts & Ports
Permissions: If enabled, the views listed above can be accessed. Access is limited to users, hosts and adapters in groups for which user has permission. See Limit user access with groups on page 1.
- User can view adapter, host, user, and device identity.
- User can modify Host information including registering a host.
- User can modify User properties for network user.
- User can enable or disable an adapter.
- User can view Port properties for the ports where an adapter is connected.

Network devices
Views: Network Device Summary Dashboard Tile, CLI Configuration, Device Profiling Rules, L2 Polling, L3 Polling, Locate, Port Changes, Inventory
Permissions: If enabled, the views listed above can be accessed.
Notes: To see Profiled Devices that option must be enabled separately.

Policy
Views: Authentication Policy, Endpoint Compliance Policy, Network Access Policy, Network Device Roles, Persistent Agent Properties, Policy Configuration, Portal Policy, Remediation Configuration, Roles, Security Actions, Supplicant EasyConnect Policy
Permissions: If enabled, the views listed above can be accessed. Add/Modify & Delete permissions are enabled by default and cannot be modified. The Passive Agent registration view requires access to Groups to add or modify Passive Agent Configurations.

Portal configuration
Views: Portal Configuration, Portal SSL, Request Processing Rules
Permissions: If enabled, allows the user to view and edit settings for portals. Users with the Policies permission set enabled will also have this permission set enabled. Custom options include:
- Access: Allows the user to view the portal settings.
- Add/Modify: Allows the user to view the settings, add new portal settings, and delete existing portal configurations. Requires that Access permissions be enabled. Permissions can be further modified to prevent the user from adding new portal configurations or modifying the default portal configuration.
- Delete: Allows the user to view portal settings, add new ones, and modify and delete existing portal configurations. Requires that Add/Modify permissions be enabled.

Profiled devices
Views: Profiled Devices
Permissions: If enabled, allows the user to view the list of profiled devices. User can also Export devices, register a device, enable or disable a device, delete the device from the list and view details and notes for a selected device.
The Views column on the Profiled Devices View contains icons that provide access to details about the selected device. These icons only display if additional permissions are enabled for the administrator. Possible views include: Adapter Properties, group membership, port properties and Device Properties.
- Adapter Properties: Requires permission for users, hosts, and adapters.
- Group Membership: Requires permission for group membership.
- Port Properties: Requires permission for Devices.
- Device Properties: Requires permission for users, hosts, and adapters or Devices.
Notes: Has a Custom option that enables the Profile Devices Tab.

Views: Custom/Profile Devices
Permissions: This tab displays when the Custom permission is enabled. Custom Options include:
- Register, Delete, and Disable Profiled Devices: If enabled, the user can register, delete and disable devices that have been profiled by device profiler.
- Modify Device Rule Confirmation Settings: If enabled, the user can change rule confirmation settings on devices that have been profiled by device profiler. Rule confirmation settings control whether or not device profiler checks a previously profiled device to determine if it still meets the criteria of the rule that categorized the device.
- Manage Profiled Devices Using These Rules:
  - All Rules: includes current rules and any rules created in the future.
  - Specify Rules: you must choose the rules from the Available Rules field and manually move them to the Specify Rules field.
- Available Rules: Shows the existing rules you can select for this profile. Select the rule and click the right arrow to move it to the Selected Rules pane.
- Selected Rules: Shows the rules you selected from the Available Rules section. The user can only access the devices associated with the rules in this list.
Refer to for detailed information.

RADIUS
Views: Local RADIUS Service, RADIUS Attribute Groups, RADIUS Proxy, Windbind Configuration
Permissions: Provides access to RADIUS views.

Reporting
Views: Analytics, Reports
Permissions: If enabled, the views listed above can be accessed.

Security logs
Views: Security Alarms, Security Events
Permissions: If enabled, the views listed above can be accessed. User has access to view security alarms created when a security rule is matched. Users can take action on a security alarm if it was not done automatically. The user's administrator profile settings determine the actions they are allowed to complete.
Notes: This permission set is only available when Security Incidents is enabled within your current license package. Has a Custom option that enables the Security Events tab.

Security rules
Views: Security Actions, Security Rules, Security Triggers
Permissions: If enabled, the views listed above can be accessed. User can create security devices, and security event rules. Users will establish and maintain all rules and the default actions associated with each rule.
Notes: This permission set is only available when Security Incidents is enabled within your current license package.

Self registration requests
Views: Self Registration Requests, Host Registration Requests
Permissions: If enabled, user can manage requests for network access submitted by Guests from the captive portal.

Send message
Views: Send Message
Permissions: User can send messages to hosts with the Persistent Agent or Mobile Agent installed.

Service connectors
Views: Service connectors
Permissions: Provides access to service connectors.

Shared host filters
Views: Shared host filters
Permissions: Provides access to shared host filters.

System settings
Views: Scheduler, Settings, Certificate Management, Network Settings, System Settings, User Settings
Permissions: If enabled, the views listed above can be accessed.
Notes: All settings can be accessed when this permission is enabled. Refer to Settings for a complete list.

Users/hosts/adapters
Views: Adapters View, Device Identity, Hosts View, Users View
Permissions: If enabled, the views listed above can be accessed.

Add an administrator profile

Administrator profiles control permissions for administrators.


1. Click Users & Hosts > Administrators > Profiles.
2. Click Add. The Add Admin Profile screen appears with the General tab highlighted.
3. Enter a name for the profile.
4. Use the table below to configure the new administrator profile.
5. On the Permissions tab note that some permissions are dependent on each other. Refer to the Permissions list on
page 49 for additional information.
6. Click OK to save.

General tab settings

Name: Enter a name that describes the profile, such as librarian or IT staff.

Login Availability: Indicates when users with this profile can log in to FortiNAC. Options include Always or Specify Time. If you choose Specify Time, user access to FortiNAC is limited to certain times of day and days of the week.

Logout After ... Minutes of Inactivity: User is logged out after this amount of time has elapsed without any activity in the user interface.

Lock Out After ... failed attempts: User is locked out after this number of failed login attempts.

Lock Out Duration ... seconds: User is locked out for this amount of time before another login attempt is allowed.

Manage Hosts And Ports: Restricts an administrator to a specific set of hosts or ports. The set is defined by host and port groups that are assigned to be managed by a specific group of administrators. Any administrator that has a profile with this option enabled can only view and/or modify a subset of the data in FortiNAC. Typically, this type of user would only have the Manage Hosts & Ports permission set on the Permissions tab, therefore this setting is not used frequently. Default = All.
• All: All groups containing hosts and ports can be accessed.
• Restrict By Groups: Enables the restriction of administrators to specific hosts and ports.
For an overview and additional setup information, see Limit access with groups on page 64.

Note: User specified note field. This field may contain notes regarding the data conversion from a previous version of FortiNAC for an existing administrator profile record.

Enable Guest Kiosk: If you enable this mode, the ONLY thing that the administrator can access is the self-service Kiosk. Everything else in FortiNAC is disabled. The administrator can log into FortiNAC to provide visitors self-serve account creation through a kiosk. For added security, use a kiosk browser.

Kiosk Template: Field displays only if Enable Guest Kiosk is selected. Select a kiosk template for this administrator profile. All visitors who use the self-service kiosk when this administrator is logged in are assigned this guest template.

Kiosk Welcome Message: Field displays only if Enable Guest Kiosk is selected. Enter the message that will appear when the kiosk user creates a guest account.

Permissions tab settings

Landing Page: Indicates the first view displayed when an administrator with this profile logs into FortiNAC. There are no options displayed in this field until permissions are selected.

Permission Set: Click the arrow next to a permission set to see the Views that can be accessed when this permission set is enabled. For example, if Devices is selected, this profile provides access to the following: CLI configuration, device profiling rules, L2 Polling, L3 Polling, Locate, Port Changes, and Topology.

Access: Indicates that the user will have view access to the permission set in the left column. Depending on the permission set, enabling Access automatically enables Add/Modify and/or Delete.

Add/Modify: Indicates that the user will be able to add or modify records in the permission set in the left column.

Delete: Indicates that the user will be able to delete records in the permission set in the left column.


Custom: When Custom is enabled for a permission set, an additional tab is displayed. For example, if Custom is enabled for Guest Contractor Accounts, a Manage Guests tab is displayed allowing you to configure additional controls for guest account creation. See Add a guest manager profile on page 96 for information on the Manage Guests tab. See Profiles for device managers on page 1 for information on the Profile Devices tab.

Check All / Uncheck All Buttons: Checks or unchecks all permissions.

Specify login availability time

This option allows you to limit access to FortiNAC for an administrator based on the time of day and the day of the week.
Any administrator associated with this profile can only access FortiNAC as specified in the Login Availability field for the
administrator profile.
1. Click Users & Hosts > Administrators > Profiles.
2. Select an administrator profile and click Modify.
3. In the Login Availability field, select Specify Time.
4. In the Time Range section of the Specify Time dialog, enter the From and To times for the time of day that
administrators should be able to access the network.
5. In the Days of the Week section, select the days during which these users should be allowed to access the
network.
6. Click OK.

Manage guests tab settings

Guest Account Access: You can give administrators with this profile privileges that allow them to manage all guest contractor accounts, regardless of who created them, only their own accounts, or no accounts. The privileges include whether the sponsors can add or modify accounts, locate guests or contractors, and view reports.
• No: Users can only see guest accounts they create and send credentials to those guests. Users cannot modify or delete any guest accounts.
• Own Accounts: Users can see guest accounts they create, send credentials to those guests, and modify or delete their own guest accounts.
• All Accounts: Users can see all guest accounts in the database, send credentials to guests, and modify or delete any guest accounts.

Account Types:
• Individual: Sponsor can create single guest accounts. Within the constraints of the template, the sponsor may specify account start and end date. Each account has a unique name and password associated with it.
• Bulk: Sponsors may create multiple accounts with unique passwords by importing a bulk account file.


• Conference: Sponsors may create any number of conference accounts, or the number may be limited by a template. Conference accounts may be named identically but have a unique password for each attendee, have the same name and password, or have unique names and passwords.

Create Accounts Days in Advance (Maximum): The maximum number of days in advance this sponsor is allowed to create accounts.

Create Accounts Active For Days (Maximum): Determines the length of time the guest account remains active in the database.

Allowed Templates: Indicates whether the administrator can use all guest templates or only those in the Specify Templates > Selected Templates field. Default = All. Options include:
• All Templates: Profile gives the administrator access to all templates in the database when creating guest accounts.
• Specify Templates: Profile gives the administrator access to the templates listed in Selected Templates.

Specify Templates: Allows you to select guest/contractor templates available for administrators with this administrator profile. Use the arrows to place the templates needed in the Selected Templates column and the unwanted templates in the Available Templates column. If All Templates is selected in the Allowed Templates field, all templates are moved to the Selected Templates column and the arrows are hidden.

Available Templates: Shows the templates that have not been selected to be included in this administrator profile.

Selected Templates: Shows the templates selected to be included in this administrator profile.

Add Icon: Create a new guest/contractor template.

Modify Icon: Modify the selected guest/contractor template.

Profile devices tab settings

Register, Delete, and Disable Profiled Devices: If enabled, the user can register, delete and disable devices that have been profiled by device profiler.

Modify Device Rule Confirmation Settings: If enabled, the user can change rule confirmation settings on devices that have been profiled by device profiler. Rule confirmation settings control whether or not device profiler checks a previously profiled device to determine if it still meets the criteria of the rule that categorized the device.

Manage Profiled Devices Using These Rules:
• All Rules: includes current rules and any rules created in the future.
• Specify Rules: you must choose the rules from the Available Rules field and manually move them to the Specify Rules field.


Available Rules: Shows the existing rules you can select for this profile. Select the rule and click the right arrow to move it to the Selected Rules pane.

Selected Rules: Shows the rules you selected from the Available Rules section. The user can only access the devices associated with the rules in this list.

Add Icon: Create a new Device Profiling Rule. For information on rules, see Adding a rule on page 156.

Modify Icon: Modify the selected Device Profiling Rule. For information on rules, see Adding a rule on page 156.

Security events tab settings

The Security Events tab is only available when Security Incidents is enabled within your
current license package.

Allow Overriding of Recommended Actions: If enabled, the user can override the associated action when taking action on the alarm.

Allowed Actions for Security Events:
• All Actions: includes current actions and any actions created in the future.
• Specify Actions: you must choose the actions from the Available Actions field and manually move them to the Selected Actions field.

Available Actions: Shows the existing actions you can select for this profile. Select the action and click the right arrow to move it to the Selected Actions pane.

Selected Actions: Shows the actions you selected from the Available Actions section. The user can only complete the actions in this list.

Modify administrator profiles

1. Click Users > Administrators > Profile Mappings.
2. A list of existing profiles is displayed.
3. Select a profile and click Modify. Refer to Add an administrator profile on page 55 for settings.
4. Change the information and click OK to save.
If you modify an administrator profile, the changes apply to all administrators it is attached to, including those created
before you modified the profile. Changes do not take effect until the associated administrators log out of FortiNAC and
log in again.
The Modify Admin Profile window can also be accessed from the Admin Users view by clicking on the profile link
associated with each administrator.


Delete an administrator profile

You cannot delete an administrator profile if it is in use.

1. Click Users > Administrators > Profile Mappings.
2. Select an administrator profile and click Delete.
3. A message displays asking if you are sure. Click Yes to continue.

Copy an administrator profile

You can create a copy of an existing administrator profile and save it with a different name. This saves time when you
create administrator profiles if you are only changing a few fields.
1. Click Users > Administrators > Profile Mappings.
2. The Admin Profiles option opens a window containing existing profiles.
3. To copy an administrator profile, select the profile and click Copy.
4. Modify information as needed.
5. Click OK.

Administrator profile mappings

Administrator profile mappings allow you to apply an administrator profile to an administrator when the user is added to
an administrator group. An administrator profile mapping consists of an administrator profile that is linked to an
administrator group.
Administrator profiles can be assigned to administrators based on the users' group membership. Administrator profile mappings are ranked in priority starting with number 1. When an administrator is added to an administrator group, the group name is compared to the group in each administrator profile mapping starting with the first mapping (Rank 1) in the list. If the group does not match in the first mapping, the next one is checked until a match is found.
When groups are nested within a parent group, administrator profiles must be mapped to the groups that contain the
users, and not the parent group only.
There may be more than one administrator group that is matched to this administrator; however, the first match found is
the one that is used.
Administrator profile assignments are not permanent. The administrator is reevaluated each time that user is added to or
deleted from an administrator group.

Settings

Rank Buttons: Moves the selected mapping up or down in the list. Administrators are compared to administrator profile mappings in order by rank.

Table columns

Rank: Mapping's rank in the list of mappings. Rank controls the order in which administrators are compared to mappings.


Admin Profile: Name of the profile that is assigned when an administrator becomes a member of the associated group. See Administrator profiles on page 41.

Group: Contains the required group for an administrator.

Last Modified By: User name of the last user to modify the mapping.

Last Modified Date: Date and time of the last modification to this mapping.

Right click options

Export: Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data on page 1.

Copy: Copies the selected mapping.

Delete: Deletes the selected mapping.

Modify: Opens the Modify Mapping window for the selected mapping.

Show Audit Log: Opens the admin auditing log showing all changes made to the selected item. For information about the admin auditing log, see Audit Logs on page 298. You must have permission to view the admin auditing log. See Add an administrator profile on page 55.

Mappings process

Administrator profile mappings establish a profile for administrators who are members of a particular administrator group. Administrator profile mappings are ranked so that if an administrator is a member of more than one group, FortiNAC can determine which administrator profile should be applied to the user.

Example:

1. Administrator John is in Group A and Group B.
2. Group A is mapped to a guest sponsor profile and Ranked #5.
3. Group B is mapped to a Device Manager Profile and Ranked #2.
4. FortiNAC associates John with the Device Manager Profile because that mapping is higher in Rank and is the first match for John.

Adding an administrator to a group that has an administrator profile mapped can change the
administrator profile applied to that user.

Administrator profiles are only applied to members of an administrator group when the administrator is added to the
group or deleted from a higher ranking group. The administrator could be added to the group manually or on directory
resynchronization. Review the scenarios below for information on the behavior of administrator profile mappings.


Administrator added to a group manually


• An existing administrator is added to administrator group A that is mapped to administrator profile C. The user is not in any other administrator groups. The administrator's profile is updated to profile C because it is mapped to group A.
• An existing administrator is added manually to administrator group A that is mapped to administrator profile C. The user is also in administrator groups B and C, but the new group A is ranked higher in the administrator profile mappings list and the new administrator profile C is assigned.

Administrator added to a group based on directory group membership

• Administrators are created automatically in FortiNAC when users authenticate to the directory and then access FortiNAC through the admin UI or by registering a host. The users are then assigned group membership according to their directory groups. Possible scenarios that create administrators automatically are:
  • If a user exists in the directory, for example jdoe, but the user is not a user of any kind in FortiNAC, when jdoe logs into the FortiNAC User Interface using a directory user id and password, a user "jdoe" is created in FortiNAC as an administrator.
  • If a user exists in the directory, for example asmith, but the user is not a user of any kind in FortiNAC, when asmith registers a host via FortiNAC, a user for asmith, of type "user", is created. Then, when the directory Synchronization task runs, asmith becomes an administrator user in FortiNAC.
  • If a user exists in the directory, for example tjones, but the user is not a user of any kind in FortiNAC, when tjones registers a host via FortiNAC, a user for tjones, of type "user", is created. If, before the directory Synchronization task runs, the user logs into the FortiNAC admin UI, the tjones user will transition to be an administrator at that time (i.e., not waiting for the directory sync).
• When the directory synchronization is run, users are added to FortiNAC administrator groups that match the groups in the directory. Adding administrators to a group triggers an evaluation of administrator profile mappings. If the administrator is in multiple directory groups, the user will be assigned to multiple groups in FortiNAC, and the administrator profile will be assigned according to the administrator profile ranking.

When an administrator group is created in FortiNAC with the same name as a group being
synchronized from a directory, the administrator group members will remain the same as the
directory group members. Therefore, if you add a non-directory user to the administrator group
and then synchronize the directory, the non-directory user is removed from the administrator
group because the user is not a member of the directory group.

Modify ranks of administrator profile mappings


• The order of the administrator profile mapping records is changed, modifying the ranking. A scheduled directory synchronization runs. Administrators' groups are updated each time the synchronization is run, causing the administrator profile mappings to be analyzed again. Since the ranking has changed, some administrators that are members of more than one group are assigned different administrator profiles based on the new ranking.
• The order of the administrator profile mapping records is changed, modifying the ranking. No directory is being used. Administrators continue to have the same administrator profiles because there is no mechanism to trigger a re-evaluation of group membership.


Administrator deleted from a group manually


• An existing administrator is deleted from administrator group A that is mapped to administrator profile C. The user is a member of Groups B and C mapped to Profiles D and F. A new profile is assigned based on whichever of the other groups used in the administrator profile mapping has the highest rank. Administrator group B is mapped to administrator profile D. Administrator group C is mapped to administrator profile F. The mapping for Group B has the highest rank, therefore the administrator's profile is updated to administrator profile D.
• An existing administrator is deleted from Group A that is mapped to administrator profile C. The user is not a member of any other group mapped to a profile. The user's administrator profile C is completely removed. The user loses administrator status and becomes only a regular network user under Users & Hosts > User Accounts. To restore the user to an administrator you must add the administrator again with the same user ID and assign an administrator profile.

Administrator deleted from a group in the directory


• An existing administrator is deleted from administrator group A in the directory. The directory resynchronizes with FortiNAC, which deletes the administrator from Group A that is mapped to administrator profile C. The user is a member of Groups B and C mapped to Profiles D and F. A new profile is assigned based on whichever of the other groups used in the administrator profile mapping has the highest rank. Administrator group B is mapped to administrator profile D. Administrator group C is mapped to administrator profile F. The mapping for Group B has the highest rank, therefore the administrator's profile is updated to administrator profile D.
• An existing administrator is deleted from administrator group A in the directory. The directory resynchronizes with FortiNAC, which deletes the administrator from Group A that is mapped to administrator profile C. The user is not a member of any other group mapped to a profile. The user's administrator profile C is completely removed. The user loses administrator status and becomes only a regular network user under Users & Hosts > User Accounts. To restore the user to an administrator you must add the administrator again with the same user ID and assign an administrator profile.

Administrator group is deleted from FortiNAC


• An existing administrator is in group A that is mapped to administrator profile C. The user is not a member of any other group mapped to a profile. Group A is deleted from the groups view. The user's administrator profile C is completely removed. The user loses administrator status and becomes only a regular network user under Users & Hosts > User Accounts. To restore the user to an administrator you must add the administrator again with the same user ID and assign an administrator profile.

Administrator profile mapping is deleted from FortiNAC


• Administrators are not affected when an administrator profile mapping is deleted from the database until a user is added to or deleted from a group. If the group is no longer mapped, their profile is not updated. If the group continues to be mapped, their profile is updated as described in the previous scenarios.

When groups are nested within a parent group, administrator profiles must be mapped to the groups that contain the users, and not the parent group only.
Changing the ranking on existing administrator profile mapping records does not change profiles on administrators unless those users are in the directory and the directory is resynchronized.
Adding a new administrator profile mapping does not affect existing administrators until the directory is resynchronized or a user's membership in a mapped group changes.


If you are not using a directory, there is no mechanism for administrators to be reevaluated.
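As an added illustration (not FortiNAC code), the following Python model walks ranked mappings in the order described above and re-evaluates a user's profile only on the triggers the scenarios list: a membership change in a mapped group, or a directory synchronization. The class and function names, and the group and profile names beyond the guide's John example, are invented for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class ProfileMapping:
    """One mapping record: an administrator group linked to an administrator
    profile. Rank 1 is compared first; a lower number wins."""
    rank: int
    group: str     # must be identical to the administrator group name
    profile: str   # profile assigned when the group matches


@dataclass
class Administrator:
    user_id: str
    groups: Set[str] = field(default_factory=set)  # direct memberships only
    profile: Optional[str] = None                  # None = regular network user


def resolve_profile(mappings: Iterable[ProfileMapping],
                    groups: Set[str]) -> Optional[str]:
    """Walk the mappings in rank order and return the profile of the first one
    whose group the user is a direct member of. Parent groups are never
    consulted, so a mapping must point at the group that holds the user.
    No match means the user is not an administrator at all."""
    for m in sorted(mappings, key=lambda m: m.rank):
        if m.group in groups:
            return m.profile
    return None


class MappingEngine:
    """Hypothetical model of when a profile is re-evaluated: only when a user
    is added to or removed from a mapped group, or on directory sync."""

    def __init__(self, mappings: Iterable[ProfileMapping]) -> None:
        self.mappings: List[ProfileMapping] = list(mappings)

    def _is_mapped(self, group: str) -> bool:
        return any(m.group == group for m in self.mappings)

    def _reevaluate(self, admin: Administrator) -> None:
        admin.profile = resolve_profile(self.mappings, admin.groups)

    def reorder(self, new_ranks: Dict[str, int]) -> None:
        # Re-ranking on its own triggers nothing; existing assignments stay
        # until a membership change or directory sync re-evaluates them.
        for m in self.mappings:
            m.rank = new_ranks.get(m.group, m.rank)

    def delete_mapping(self, group: str) -> None:
        # Likewise, deleting a mapping leaves current assignments untouched.
        self.mappings = [m for m in self.mappings if m.group != group]

    def add_to_group(self, admin: Administrator, group: str) -> Optional[str]:
        admin.groups.add(group)
        if self._is_mapped(group):   # changes in unmapped groups do nothing
            self._reevaluate(admin)
        return admin.profile

    def remove_from_group(self, admin: Administrator, group: str) -> Optional[str]:
        admin.groups.discard(group)
        if self._is_mapped(group):
            self._reevaluate(admin)
        return admin.profile

    def directory_sync(self, admin: Administrator, directory_groups: Set[str],
                       synced_groups: Set[str]) -> Optional[str]:
        # Groups mirrored from the directory take the directory's membership
        # verbatim, so a FortiNAC-only member of such a group is dropped;
        # groups that exist only in FortiNAC are left alone.
        for g in synced_groups:
            if g in directory_groups:
                admin.groups.add(g)
            else:
                admin.groups.discard(g)
        self._reevaluate(admin)
        return admin.profile


def john_example() -> Optional[str]:
    """The guide's example: Group A (rank 5, guest sponsor) and Group B
    (rank 2, Device Manager). The rank 2 mapping is the first match."""
    engine = MappingEngine([
        ProfileMapping(5, "Group A", "Guest Sponsor"),
        ProfileMapping(2, "Group B", "Device Manager"),
    ])
    john = Administrator("john")
    engine.add_to_group(john, "Group A")
    return engine.add_to_group(john, "Group B")   # returns "Device Manager"
```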

Add or modify a mapping

1. Click Users > Administrators > Profile Mappings.
2. Select an existing mapping and click Modify or click Add.
3. In the Admin Profile drop-down, select a profile. If the profile you need is not in the list, select New to create it. See
Add an administrator profile on page 55 for instructions.
4. In the Group drop-down, select an administrator group. If the group you need is not in the list, select New to create
it. See Add groups on page 346 for instructions.
5. Click OK to save.

Delete a mapping

Deleting an administrator profile mapping does not affect profiles assigned to administrators. They continue to have the
same administrator profile until something triggers a re-evaluation such as a directory synchronization.
1. Click Users > Administrators > Profile Mappings.
2. Select an existing mapping and click Delete.
3. Confirm that you want to delete the mapping.

Limit access with groups

To control which hosts and ports administrators can access you can place those administrators in special groups. Then
designate those special Admin groups to manage groups of hosts or ports.

Example:

Assume you have two administrators that are responsible for monitoring medical devices and nurses in a hospital. They
should not see any other data. To accomplish this you must configure the following:
• Place the nurses' workstations into a host group.
• Place the medical devices to be monitored into a host group.
• Place the ports where the medical devices connect into a port group.
• Place these two administrators in a special administrator group.
• Assign these two administrators to a profile with permissions for Manage Hosts & Ports. Make sure the Manage Hosts & Ports setting on the General tab of the profile is set to Restrict by Groups.
• Set the administrator group to manage the nurses group, the medical device group and the port group.
• Remove these two administrators from the All Management group or they will have access to all hosts and ports.
When those administrators log into the admin UI, they can only see data associated with the nurses, medical devices or
the ports in the groups they manage.
Make sure to remove affected administrators from the All Management group or they will continue to have access to all
hosts and ports.
Administrators can still view all hosts and users from the Locate View if their administrator profile gives them permission
for that view, but they can only modify those that are in the group they are managing.


1. Create the group of hosts or ports. See Add groups on page 346 for instructions.
2. Create an administrator profile with permissions for Manage Hosts & Ports. Make sure the Manage Hosts & Ports setting on the General tab of the profile is set to Restrict by Groups. See Add an administrator profile on page 55.
3. Create an administrator group that contains the administrators responsible for the devices or ports.
4. Remove the administrators from the All Management group. See Modify a group on page 348 for instructions.
5. Right-click on the administrator group and select Manages.
6. On the Manages window select the group(s) to be managed by marking them with a check mark.
7. Click OK.
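An added model (not FortiNAC code) of the Restrict By Groups behavior just described, including the All Management pitfall: an administrator who is still in All Management sees everything regardless of what their group manages. The class and method names, the hospital group names, user ids and host/port ids are constructed sample data for this example.

```python
from typing import Dict, Set

ALL_MANAGEMENT = "All Management"   # built-in group; members see every host and port


class HostPortAccess:
    """Hypothetical model of the Manage Hosts & Ports restriction: with
    Restrict By Groups set, an administrator sees only the hosts and ports in
    the groups that one of their administrator groups manages."""

    def __init__(self) -> None:
        self.admin_groups: Dict[str, Set[str]] = {}    # admin group -> user ids
        self.manages: Dict[str, Set[str]] = {}         # admin group -> host/port groups
        self.object_groups: Dict[str, Set[str]] = {}   # host/port group -> object ids

    def add_admin(self, admin_group: str, user_id: str) -> None:
        self.admin_groups.setdefault(admin_group, set()).add(user_id)

    def remove_admin(self, admin_group: str, user_id: str) -> None:
        self.admin_groups.get(admin_group, set()).discard(user_id)

    def set_manages(self, admin_group: str, object_groups: Set[str]) -> None:
        # Equivalent of right-clicking the admin group and choosing Manages.
        self.manages[admin_group] = set(object_groups)

    def add_objects(self, object_group: str, object_ids: Set[str]) -> None:
        self.object_groups.setdefault(object_group, set()).update(object_ids)

    def all_objects(self) -> Set[str]:
        return set().union(*self.object_groups.values())

    def visible_to(self, user_id: str, restrict_by_groups: bool = True) -> Set[str]:
        # Profile set to All, or membership in All Management, means no restriction.
        if not restrict_by_groups or user_id in self.admin_groups.get(ALL_MANAGEMENT, set()):
            return self.all_objects()
        visible: Set[str] = set()
        for admin_group, members in self.admin_groups.items():
            if user_id in members:
                for og in self.manages.get(admin_group, set()):
                    visible |= self.object_groups.get(og, set())
        return visible

    def can_modify(self, user_id: str, object_id: str, restrict_by_groups: bool = True) -> bool:
        # The Locate view may still list every host, but modification stays
        # limited to the groups the administrator manages.
        return object_id in self.visible_to(user_id, restrict_by_groups)


def hospital_example() -> Dict[str, Set[str]]:
    """The guide's hospital scenario: two administrators limited to nurses'
    workstations, medical devices and the ports those devices use."""
    acl = HostPortAccess()
    acl.add_objects("Nurse Workstations", {"ws-1", "ws-2"})
    acl.add_objects("Medical Devices", {"pump-1", "monitor-1"})
    acl.add_objects("Medical Device Ports", {"sw1/gi0/1", "sw1/gi0/2"})
    acl.add_objects("Finance Hosts", {"fin-1"})          # must stay invisible
    for admin in ("alice", "bob"):
        acl.add_admin("Medical Admins", admin)
        acl.add_admin(ALL_MANAGEMENT, admin)              # still a member at this point
    acl.set_manages("Medical Admins",
                    {"Nurse Workstations", "Medical Devices", "Medical Device Ports"})
    before = acl.visible_to("alice")                      # everything: All Management wins
    acl.remove_admin(ALL_MANAGEMENT, "alice")
    acl.remove_admin(ALL_MANAGEMENT, "bob")
    after = acl.visible_to("alice")                       # only the managed groups
    return {"before": before, "after": after}
```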

Set privileges based on directory groups

To provide access to the FortiNAC user interface you can place administrators in special groups that set the appropriate
privileges. Typically this is done for users in your directory, by placing them in special groups within the directory that
correspond to matching groups in FortiNAC. When the directory is synchronized with FortiNAC, users in the appropriate
groups will be given administrator privileges based on their group settings and the administrator profile mapping that
matches the user's group.
The domain users group cannot be used to set administrator privileges because user details for users in that group are
not populated in FortiNAC when a directory synchronization is done.
When an administrator group is created in FortiNAC with the same name as a group being synchronized from a
directory, the administrator group members will remain the same as the directory group members. Therefore, if you add
a non-directory user to the administrator group and then synchronize the directory, the non-directory user is removed
from the administrator group because the user is not a member of the directory group.

Implementation

Directory

• Integrate your directory with FortiNAC. See Directories on page 366 for configuration and integration information.
• Temporarily disable the directory synchronization task in the FortiNAC scheduler to prevent the synchronization from pulling directory information before the setup is complete. See Scheduler on page 355.
• If you want to send e-mail to administrators, make sure to map the e-mail field in your directory to the e-mail field in FortiNAC. To set up this mapping go to System > Settings > Authentication > LDAP. Select the directory and click Modify. Select the Attribute Mappings tab and make sure that the e-mail field is configured. This setting allows users to receive e-mails based on device profiler settings, guest manager settings, and event to alarm mappings based on group membership.
• Create groups in the directory for each set of administrator privileges you wish to grant. For example, if you want to have administrators with full rights to FortiNAC and administrators who are just sponsors for guest access, create two groups in the directory, one for each type of administrator. Add the appropriate administrators to the new groups.
• Make sure the new groups are selected to be included when the directory and FortiNAC are synchronized. To select the groups go to System > Settings > Authentication > LDAP. Select the directory and click Modify. Click the Select groups tab and review the selected groups.


FortiNAC

• All administrators require an administrator profile that provides permissions. Create the appropriate administrator profiles first. See Administrator profiles on page 41.
• Go to the Groups View and create Administrator groups to contain the users who will be given access to FortiNAC. The group name must be absolutely identical to the name of the group in the directory.
• Since groups automatically brought over from the directory are typically Host groups, you must create the Administrator groups manually. If a group already exists with the name of one of the Administrator groups, you must delete that group and add it again as an Administrator group.
• Map administrator groups to administrator profiles. These mappings allow FortiNAC to determine the administrator profile that should be associated with an administrator based on the group that contains that user. Mappings are ranked and administrators are associated with the first mapping they match. See Administrator profile mappings on page 60.

Example:

• Administrator John is in Group A and Group B.
• Group A is mapped to a guest sponsor profile and Ranked #5.
• Group B is mapped to a Device Manager Profile and Ranked #2.
• FortiNAC associates John with the Device Manager Profile because that mapping has a higher Rank and is the first match for John.

• Go to the Scheduler View in FortiNAC and enable the directory synchronization task. Run the task to update the groups. Users that have already registered in FortiNAC are updated immediately. New users that are not in the FortiNAC database but do exist in the directory are added to FortiNAC groups when they log into the admin UI the first time.
• Go to the groups view and verify that the correct users have been placed in each group. See Groups on page 345.
• Go to the administrators view and verify that the administrator profile is correct for each user. See Administrators on page 35.

If the root account for FortiNAC is placed in a group with an administrator profile other than the
System Administrator profile, the administrator profile of this account will change. This could
potentially leave you without a root or admin login that provides access to the entire FortiNAC
product.

Aging for new administrators created by being added to a directory group is determined by
Global Aging settings. See Aging on page 1 and Aging out host or user records on page 1.

Add administrators to groups

You can add selected administrators to groups you have created. See Groups on page 345 for detailed information on
Groups and how they are used in FortiNAC.
1. Select Users > Administrators.
2. Use the filters to locate the appropriate administrator(s).
3. Use Ctrl-click or Shift-click to select the records you wish to add to the group.
4. Right-click and select Add Admin Users To Groups.


5. The Group Membership view lists the available groups and sub-groups. Sub-groups are displayed under their
parent group or groups.
6. To add the users to a group, click the box next to the group name and then click OK.
7. To create a missing group:
a. Click Create Group.
b. Enter a group name.
c. If the new group should be a sub-group of an existing group, enable the Parent Group option and select the
appropriate group from the list.
d. Description is optional.
e. Click OK to save the new group.
8. Click OK.

Group membership

You can view or modify the group membership of an individual user.


1. Select Users > Administrators.
2. Select the user, right-click and select Group Membership.
3. The Group Membership view lists the available administrator groups. A check next to a group name indicates that
this user is contained in that group.
4. To add the user to a group, click the box next to the group name and then click OK.
5. To remove the user from a group, click to uncheck the box next to the group name and then click OK.

Configure secure mode

Secure SSL Mode can be used for administrator access. Unique security certificates for the appliances are required to
use secure mode. Secure certificates in a high availability configuration may be used on both the primary and secondary
appliances if the certificate provider licensing allows them to be transferred to their counterpart in the configuration.
FortiNAC appliances are pre-configured with a self-signed security certificate. The administrator logs in at the following
URL, which provides secure access:
https://<hostname_or_IP>:8443

See SSL certificates on page 206.

User accounts

Use this view to add, delete, modify, locate and manage users on your network. Users include network users, guest or
contractor users and Administrators. Administrators can also be managed from the administrators view. Administrators
are also network users; therefore, they are included in the users view with a slightly different icon. See Icons on page 1
for information on each icon.
If you have an LDAP or Active Directory configured, user information is added from the directory as users register on the
network. The FortiNAC database is periodically synchronized with the directory to make sure that data is the same in
both places. User information from the directory is matched to user information in the FortiNAC database based on user
ID. If you manually create a user with an ID that is the same as a user in the directory, then directory data will overwrite
your manually entered data.
The relationship between users, hosts, and adapters is hierarchical. Users own or are associated with one or more
hosts. Hosts contain one or more Adapters or network interfaces that connect to the network. For example, if you search
for a host with IP address 192.168.5.105, you are in fact searching for the IP address of the adapter on that host. When
the search displays the host, you can click on the Adapters tab, the search is automatically re-run and you see the
adapter itself. If there is an associated user, you can click on the Users tab to re-run the search and see the associated
user.
Click on the arrow in the left column to drill-down and display the hosts associated with the selected user. Hover over the
icon in the Status column to display a tooltip with detailed information about this user. For settings, see Search settings
on page 73.

Settings

Field Definition

Address User's street address.

Allowed Hosts The number of hosts that can be associated with or registered to this user and connect
to the network. There are two ways to reach this total.
If the host is scanned by an agent or if adapters have been manually associated with
hosts, then a single host with up to five adapters counts as one host.
If the host is not scanned by an agent or if the adapters have not been associated with
specific hosts, then each adapter is counted individually as a host. In this scenario one
host with two network adapters would be counted as two hosts.
Numbers entered in this field override the default setting in System > Settings >
Network Device. Blank indicates that the default is used. See Network device on page
1.
If an administrator exceeds the number of hosts when registering a host to a user, a
warning message is displayed indicating that the number of Allowed Hosts has been
incremented and the additional hosts are registered to the user.

City User's city of residence.

Created Date Date the user record was created in the database. Options include Before, After, and
Between.


Delete Hosts When User Expires Indicates whether hosts registered to this user should be deleted from the database
when the user's record ages out of the database.

Email User's email address.

Expiration Date Controls the number of days a user is authorized on the network. Options include
Before, After, Between, Never, and None. The user is deleted from the database when
the date specified here has passed. The date is automatically calculated based on the
information entered when Aging is configured. See Aging out host or user records on
page 1.

Delete Hosts When User Expires Indicates whether hosts owned by this user should be deleted when the user ages out
of the database. It is recommended that you set this to Yes.

Inactivity Date Controls the number of days a User is authorized on the network. Options include
Before, After, Between, Never, and None. User is deleted from the database when the
date specified here has passed. The date is continuously recalculated based on the
information entered in the Days Inactive field. See Aging out host or user records on
page 1 or Set user expiration date on page 82.

Inactivity Limit Number of days the user must remain continuously inactive on the network to be
removed from the database. See Aging out host or user records on page 1 or Set user
expiration date on page 82.

Last Login/Logout Date of the last time the user logged into or out of the network or the FortiNAC admin UI.
This date is used to count the number of days of inactivity. Options include Before,
After, Between, and Never.

Last Name User's last name.

Mobile Number User's mobile phone number. Can be used to send SMS messages based on alarms.
Requires the Mobile Provider to send SMS messages.

Mobile Provider Provider or carrier for user's mobile phone.

Notes Notes about this user.

Phone User's telephone number.

User Role Role assigned to the user. Roles are attributes of users and are used as filters for
user/host profiles. See Roles on page 291.

User Security & Access Value Value that typically comes from a field in the directory, but can be added manually. This
value groups users and can be used to determine which role to apply to a user or which
policy to use when scanning a user's computer. The data in this field could be a
department name, a type of user, a graduation class, a location or anything that
distinguishes a group of users.

Server The local FortiNAC server containing the user record. If there are multiple FortiNAC
servers with the same record, that record will be associated with each server. Example:
Servers A and B both contain user ASmith. If "ASmith" is searched, two records will
return, one for each server.


State User's state of residence.

Status Current or last known status is indicated by an icon. See Icons on page 1. Hover over
the icon to display additional details about this User in a tool tip.
Access: Indicates whether user is enabled or disabled.

Title User's title; this could be a form of address or their title within the organization.

Type Type of user. Allows you to differentiate between network users and guest/contractor
users.

User ID Unique alphanumeric ID. If you are using a directory for authentication, this should
match an entry in the directory. If it does not, FortiNAC assumes that this user is
authenticating locally and asks you for a password.
When using a directory for authentication, fields such as name, address, email, are
updated from the directory based on the user ID when the database synchronizes with
the directory. This is true regardless of how the user is created and whether the user is
locally authenticated or authenticated through the directory. If the user ID matches a
user ID in the directory, the FortiNAC database is updated with the directory data.

Postal Code User's zip code based on their state of residence.

Last Modified By User name of the last user to modify the user.

Last Modified Date Date and time of the last modification to this user.

Navigation, menus, options, and buttons

For information on selecting columns displayed in the user view see Configure table columns and tooltips on page 72.
Some menu options are not available for all Users. Options may vary depending on user state.

Field Definition

Quick Search Enter a single piece of data to quickly display a list of users. Search options include: IP
address, MAC address, host name, User Name, and user ID. Drop-down arrow on the
right is used to create and use custom filters.
If you are doing a wild card search for a MAC address you must include colons as
separators, such as 00:B6:5*. Without the separators the search option cannot
distinguish that it is a MAC address.
When quick search is enabled, the word Search appears before the search field. When
a custom filter is enabled, Edit appears before the search field.

Right click options

User Properties Opens the Properties window for the selected user. See User properties on page 74.

Add Users To Groups Add the selected user(s) to one or more group(s). See Add users to groups on page 78.

Delete Users Deletes the selected user(s) from the database. See Delete a user on page 78.


Disable Users Disables the selected user(s), preventing them from accessing the network regardless
of the host they are using. Hosts registered to a disabled user will remain disabled
regardless of the logged on user (if different).

Enable Users Enables the selected user(s) if they were previously disabled. Restores network
access.

Group Membership Displays groups in which the selected user is a member.
If the User is also an administrator, separate options are displayed for administrator
Groups and User Groups. Options are Group Membership (User) and Group
Membership (Administrator).

Guest Account Details Displays account details for the selected guest record, such as: user ID, account status,
sponsor, account type, start and end dates, availability, role, authentication, security
policy, account duration, reauthentication period, success URL, and the guest's
password. See Guest account details on page 81.

Modify User Opens the Modify User window. See Add or modify a user on page 1.

Policy Details Opens the Policy Details window and displays the policies that would apply to the
selected user at this time, such as endpoint compliance policies, network access
policies or Supplicant Policies. See Policy details on page 170.

Set Expiration Launches a tool to set the date and time for the user to age out of the database. See Set
user expiration date on page 82.

Set Role Assigns a role to the selected user. See Roles on page 291.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add
an administrator profile on page 55.

Show Events Displays all events for the selected user.

Collapse All Collapses all records that have been expanded.

Expand Selected Expands selected user records to display host information.

Buttons

Import/Export Import and Export options allow you to import users into the database from a CSV file or
export a list of selected hosts to CSV, Excel, PDF, or RTF formats. See Export data on page 1.

Options Displays the same series of menu picks displayed when the right-mouse button is
clicked on a selected user.

Configure table columns and tooltips

Use the configuration button on the User View, Adapter View, Host View, and Applications View to open the
Settings window. The settings window controls the columns displayed in each view and the details displayed in tooltips
when you hover over an icon.

Table columns

1. Click Configuration.
2. When the Settings window displays, select the Table Columns tab.
3. Mark the columns to be displayed in the table on the User, Adapter or Host View with a check mark and click OK.
4. These settings are saved for the logged in user.

Tooltips

Select the fields to be displayed in the tooltip when you hover the mouse over the status icon of either a User, an
Adapter, or a Host. Available fields vary depending on which item you are configuring.
1. Click Configuration.
2. When the Settings window displays, select the Table Tooltip tab.
3. The Available Fields column displays fields that can be displayed, but have not yet been selected. The Selected
Fields column displays fields that will display in the tooltip.
4. Use the arrows in the center of the window to move fields from one column to the other until the appropriate set of
fields is displayed in the Selected Fields column.
5. Select a field in the Selected Fields column and use the up and down arrows to change the order of display. Use the
Sort button to sort fields alphabetically.
6. The Hide Blank Fields option is enabled by default. It reduces the size of the tooltip when selected fields are blank
for a particular item. For example, if you have selected Host Expires and the selected Host does not have an
expiration date, then when the tooltip for that host is displayed, the Host Expires field is hidden.
7. Click OK to save your changes. These settings are saved for the logged in user.

Using tooltips

Tooltips are displayed when you hover the mouse over a status icon in the User, Adapter, or Host Views. Tooltip details
are configured using the Settings window shown in the previous section.

l When a tooltip is displayed, click the Push Pin icon to anchor it to the screen. Now you can move the tooltip around
your desktop without it closing.
l High-light text in a tooltip and press Ctrl-C to copy it. Press Ctrl-V to paste the text in a field.

l Open and anchor multiple tooltips to quickly compare data.
l Hover over the status icon in the top left corner for text based status information.

Search settings

The fields listed in the table below are displayed in columns on the user view based on the selections you make in the
Settings window, see Configure table columns and tooltips on page 72. Most of these fields are also used in custom
filters to search for hosts. Additional fields that can be displayed on the user view are fields for the host associated with
the selected user, see Settings on page 128.
You may not have access to all of the fields listed in this table. Access depends on the type of license key installed and
which features are enabled in that license.

Field Definition

Access Indicates whether host is enabled or disabled.

Address User's street address.

City User's city of residence.

Created Date Date the user record was created in the database. Options include Last, Between,
Before, and After.

Email User's email address.

Expiration Date Controls the number of days a user is authorized on the network. Options include: next,
before, after, between, never, and none. The user is deleted from the database when
the date specified here has passed. The date is automatically calculated based on the
information entered when aging is configured. See Aging out host or user records on
page 1.

First Name User's first name.

Inactivity Date Controls the number of days a user is authorized on the network. Options include next,
before, after, between, never, and none. User is deleted from the database when the
date specified here has passed. The date is continuously recalculated based on the
information entered in the Days Inactive field. See Aging out host or user records on
page 1 or Set user expiration date on page 82.

Inactivity Limit Number of days the user must remain continuously inactive on the network to be
removed from the database.

Last Login/Logout Date of the last time the user logged into or out of the network or the FortiNAC admin UI.
This date is used to count the number of days of inactivity. Options include Last, Before,
After, Between, and Never.

Last Name User's last name.

Mobile Number User's mobile phone number. Can be used to send SMS messages based on alarms.
Requires the mobile provider to send SMS messages.

Mobile Provider Provider or carrier for user's mobile phone.

Notes Notes about this user.


Phone User's telephone number.

Role Role assigned to the user. Roles are attributes of users and are used as filters for
user/host profiles. See Roles on page 291.

Security & Access Value Value that typically comes from a field in the directory, but can be added manually. This
value groups users and can be used to determine which role to apply to a user or which
policy to use when scanning a user's computer. The data in this field could be a
department name, a type of user, a graduation class, a location or anything that
distinguishes a group of users.

State User's state of residence.

Title User's title; this could be a form of address or their title within the organization.

Type Type of user. Allows you to differentiate between network users and guest/contractor
users.

User ID Unique alphanumeric ID. If you are using a directory for authentication, this should
match an entry in the directory. If it does not, FortiNAC assumes that this user is
authenticating locally and asks you for a password.
When using a directory for authentication, fields such as name, address, email, are
updated from the directory based on the user ID when the database synchronizes with
the directory. This is true regardless of how the user is created and whether the user is
locally authenticated or authenticated through the directory. If the user ID matches a
user ID in the directory, the FortiNAC database is updated with the directory data.

Postal Code User's zip code based on their state of residence.

User properties

The User Properties view provides access to detailed information about a single user. From this view you can access the
associated host by clicking on the adapter's physical address displayed in the Registered Hosts tab at the bottom of the
window.

Access user properties

1. Select Users & Hosts > User Accounts.
2. Search for the appropriate user.
3. Select the user and either right-click or click Options.
4. From the menu, select User Properties.

Settings

Field Description

General

First Name User's first name.


Last Name User's last name.

ID Unique alphanumeric ID for this user. Typically comes from the directory but if you are
not using a directory, this field can be created manually. This field cannot be modified.
When using a directory for authentication, fields such as name, address, and email, are
updated from the directory based on the user ID when the database synchronizes with
the directory. This is true regardless of how the user is created and whether the user is
locally authenticated or authenticated through the directory. If the user ID matches a
user ID in the directory, the FortiNAC database is updated with the directory data.

Title User's title; this could be a form of address or their title within the organization.

Role Role assigned to the user. Roles are attributes of users that can be used as filters in
user/host profiles. See Roles on page 291.

Security And Access Attribute Value Value that typically comes from a field in the directory, but can be added manually. This
value can be used as a filter to determine which policy to use when scanning a user's
computer. The data in this field could be a department name, a type of user, a
graduation class, a location or anything that distinguishes a group of users.

User Status Radio buttons indicating whether the user is Enabled or Disabled. To enable or disable
the user, click the appropriate button and then click Apply.

Allowed Hosts The number of hosts that can be associated with or registered to this user and connect
to the network. There are two ways to reach this total.
If the host is scanned by an agent or if adapters have been manually associated with
hosts, then a single host with up to five adapters counts as one host.
If the host is not scanned by an agent or if the adapters have not been associated with
specific hosts, then each adapter is counted individually as a host. In this scenario one
host with two network adapters would be counted as two hosts.
Numbers entered in this field override the default setting in System > Settings >
Network Device. Blank indicates that the default is used. See Network device on page
1.
If an administrator exceeds the number of hosts when registering a host to a user, a
warning message is displayed indicating that the number of Allowed Hosts has been
incremented and the additional hosts are registered to the user.

Time

Expiration Date Controls the number of days a user is authorized on the network. User is deleted from
the database when the date specified here has passed. The date is automatically
calculated based on the information entered in the Set User Expiration date window.
To modify click Set. See Set user expiration date on page 82 for additional information.

Inactivity Date Controls the number of days a user is authorized on the network. User is deleted from
the database when the date specified here has passed. The date is continuously
recalculated based on the number of days entered for Inactivity Limit.
For example, if the user logs off the network on August 1st and Inactivity Limit is set to 2
days, the Inactivity Date becomes August 3rd. If on August 2nd the user logs back in
again, the Inactivity Date is blank until the next time he logs out. Then the value is
recalculated again. To modify click Set.

Inactivity Limit Number of days the user must remain continuously inactive to be removed from the
database. See Aging Out Host Or User Records.

Last Login/Logout Date of the last time the user logged into or out of the network or the FortiNAC admin UI.
This date is used to count the number of days of inactivity.

Delete Hosts Upon Expiration If set to Yes, hosts registered to the user are deleted when the user ages out of the
database. To modify click Set.

Created Indicates when this record was created in the database.

Tabs

Registered Hosts Displays a list of hosts, by the MAC address of their adapters, registered to this user.
Click on a MAC address to open the Host Properties.

Logged In Hosts List of hosts by host name registered to this user that are currently logged onto the
network.

Notes Notes entered by the administrator. If this user registered as a guest, this section also
contains information gathered at registration that does not have designated database
fields, such as Person Visiting or Reason for Visit.

Buttons

Apply Saves changes to the user properties.

Reset Resets the values in the User Properties window to their previous settings. This option
is only available if you have not clicked Apply.

Modify a user

Users can be modified, enabled, disabled or deleted in this view. Once a change is made, the Manager communicates
with the associated local FortiNAC server in the Servers column to update the record.
Locate a user
1. Select Users & Hosts > User Accounts.
2. Use the search or filter mechanisms to locate the appropriate user.
3. Click on the user to select it, then perform the desired action (see below).

Enable or disable a user Click the Enable or Disable button.

Delete a user Click the Delete button.

Modify a user 1. Click Modify.
2. See the table below for detailed information on each field.
3. Click OK to save.

Field Definitions

Required fields

User ID

Change Password Allows you to change the password for this user. Users who authenticate through the
directory will not have a Change Password button. Only users who are locally authenticated
by FortiNAC have a change password option.

First Name, Last Name User's name as it is retrieved from the directory. If you are using a directory, these fields are
updated every time the directory is re-synchronized with the database. If you are not using a
directory, enter the user's first and last name.

Role Roles are attributes of users and can be used as filters in user/host profiles. These profiles
are used to determine which network access policy, endpoint compliance policy or
Supplicant EasyConnect Policy is applied.

Additional info

Address User's address of residence.

City User's city of residence.

State Two letter abbreviation for state of residence.

Zip/Postal Code Postal code for the user's city and state of residence.

Email User's email address. For multiple e-mail addresses, enter addresses separated by commas
or semi-colons. Messages are sent to all e-mail addresses provided.

Title This can be a form of address, such as Mr., or a title within the organization.

Mobile Number Mobile Phone number used for sending SMS messages to guests and administrators.

Mobile Provider Mobile provider for the mobile phone number entered in the previous field. Used to send
SMS messages to guests and administrators. This field also displays the format of the SMS
address that will be used to send the message. For example, if the provider is US Cellular,
the format is xxxxxxxxxx@emai.uscc.net, where the x's represent the user's mobile phone
number. The number is followed by the email domain of the provider's message server.

Allowed Hosts The number of hosts that can be associated with or registered to this user and connect to the
network. There are two ways to reach this total.
If the host is scanned by an agent or if adapters have been manually associated with hosts,
then a single host with up to five adapters counts as one host.
If the host is not scanned by an agent or if the adapters have not been associated with
specific hosts, then each adapter is counted individually as a host. In this scenario one host
with two network adapters would be counted as two hosts.
Numbers entered in this field override the default setting in System > Settings > Network
Device. Blank indicates that the default is used. See Network device on page 1.
If an administrator exceeds the number of hosts when registering a host to a user, a warning
message is displayed indicating that the number of Allowed Hosts has been incremented
and the additional hosts are registered to the user.


Global Default Default number of Allowed Hosts used if the Allowed Hosts field is empty. The default is set
in System > Settings > User/Host Management > Allowed Hosts.

Notes Free form notes entered by the Administrator.

Security and Access Attribute Value This value is an attribute of users and can be used as a filter in user/host profiles. These
profiles are used to determine which network access policy, endpoint compliance policy or
Supplicant EasyConnect Policy is applied. If a directory is in use, the Security and Access
Attribute value comes from the directory when it is synchronized with the database.
Otherwise the value can be entered manually.
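The Allowed Hosts counting rules and the Global Default fallback described in this table, as an added example (this is not FortiNAC code). The user, MAC addresses and default value are constructed; how a tracked host with more than five adapters is counted is not stated in the guide, so counting each adapter individually in that case is an assumption.

```python
"""Allowed Hosts accounting for a user, following the guide's counting rules."""
from dataclasses import dataclass, field
from typing import List, Optional

# A tracked host (agent-scanned or with manually associated adapters) counts as
# one host when it has up to this many adapters.
MAX_ADAPTERS_PER_TRACKED_HOST = 5


@dataclass
class Host:
    name: str
    adapters: List[str]                   # MAC addresses (constructed sample values)
    agent_scanned: bool = False
    adapters_associated: bool = False     # adapters manually associated with this host

    def counted_as(self) -> int:
        """How many hosts this host contributes toward the user's Allowed Hosts."""
        tracked = self.agent_scanned or self.adapters_associated
        if tracked and len(self.adapters) <= MAX_ADAPTERS_PER_TRACKED_HOST:
            return 1
        # Untracked adapters are each counted as a host. Assumption: a tracked
        # host with more than five adapters is counted the same way.
        return len(self.adapters)


@dataclass
class User:
    user_id: str
    hosts: List[Host] = field(default_factory=list)
    allowed_hosts: Optional[int] = None   # None = field left blank, use Global Default


def effective_limit(user: User, global_default: int) -> int:
    """Per-user Allowed Hosts overrides the global default; blank falls back to it."""
    return global_default if user.allowed_hosts is None else user.allowed_hosts


def host_count(user: User) -> int:
    return sum(h.counted_as() for h in user.hosts)


def register_host(user: User, host: Host, global_default: int) -> str:
    """Register a host to the user. As the guide describes, exceeding the limit
    does not refuse the registration: Allowed Hosts is raised and a warning is
    returned so an administrator can review the account."""
    user.hosts.append(host)
    limit = effective_limit(user, global_default)
    count = host_count(user)
    if count > limit:
        user.allowed_hosts = count
        return f"warning: Allowed Hosts for {user.user_id} raised from {limit} to {count}"
    return "ok"


if __name__ == "__main__":
    # Constructed walkthrough: global default of 3, per-user field left blank.
    asmith = User("asmith")
    print(register_host(asmith, Host("laptop", ["00:11:22:33:44:55", "00:11:22:33:44:56"],
                                     agent_scanned=True), 3))        # ok (counts as 1)
    print(register_host(asmith, Host("desktop", ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"]), 3))
    print(register_host(asmith, Host("phone", ["de:ad:be:ef:00:01"]), 3))  # warning, raised to 4
```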

Delete a user

When you delete a user, you have the option to delete hosts registered to this user or leave them in the database. It is
recommended that you delete the registered hosts. If they are not deleted, registered hosts associated with a deleted
user become registered devices. If a user connects to the network with one of these devices, there is nothing to prevent
network access because the device is known in the database.
1. Select Users & Hosts > User Accounts.
2. Use the Quick Search or Custom Filter to locate the appropriate user.
3. Select the user and click Delete.
4. A warning message is displayed asking if you would like to delete registered hosts associated with this user.
5. To delete hosts, enable the check box labeled Delete Hosts Registered to User and click Yes.
6. To convert hosts to registered devices, disable the check box labeled Delete Hosts Registered to User and
click Yes.

Add users to groups

You can add selected users to groups you have created. See Groups on page 345 for detailed information on Groups
and how they are used in FortiNAC.
1. Select Users & Hosts > User Accounts.
2. Use the Quick Search or Custom Filter to locate the appropriate user(s).
3. Use Ctrl-click or Shift-click to select the records you wish to add to the group.
4. Right-click or click Options and select Add Users To Groups. The Add Users to Groups view lists the available
user groups and sub-groups. Sub-groups are displayed under their parent group or groups.
5. To add the users to a group, click the box next to the group name and then click OK.
6. To create a missing group:
a. Click Create Group.
b. Enter a group name.
c. If the new group should be a sub-group of an existing group, enable the Parent Group option and select the
appropriate group from the list.
d. Description is optional.
e. Click OK to save the new group.
7. Click OK.

Group membership

From the user view window you can view or modify the group membership of an individual user. Use this option to open a
window that displays a list of all groups to which the selected user belongs.
1. Select Users & Hosts > User Accounts.
2. Use the Quick Search or Custom Filter to locate the appropriate user(s).
3. Click on a user to select it.
4. Right-click or click Options and select Group Membership.
5. The Group Membership view lists the available user groups and sub-groups. Sub-groups are displayed under their
parent group or groups. A check next to a group name indicates that this user is contained in that group.
6. To add the user to a group, click the box next to the group name and then click OK.
7. To remove the user from a group, click to uncheck the box next to the group name and then click OK.
8. To create a missing group:
a. Click Create Group.
b. Enter a group name.
c. If the new group should be a sub-group of an existing group, enable the Parent Group option and select the
appropriate group from the list.
d. Description is optional.
e. Click OK to save the new group.
9. Click OK.

Guest accounts

This option allows you to create accounts for guests visiting your facility. It provides a user name and password for each
guest. Guests are authenticated through FortiNAC. Administrators, operators, and help desk users all have permission
to create guest accounts.
The guest account option is not available if you are using the guest manager feature. The guest manager feature
provides extensive guest creation and management options.

Add a guest account

Guest accounts can be viewed and modified in User Accounts. Guest accounts are provided with a default Security and
Access value of "guest" allowing you to use this as a filter for user/host profiles. When a guest matches a profile the
guest receives the endpoint compliance policy associated with that profile. You can use the same user/host profile to
assign a network access policy and assign guest hosts to a VLAN. See Endpoint compliance policies on page 231 and
Network access on page 179 for additional information.
1. Select Users & Hosts > User Accounts, then click Create New.
2. Enter an ID. This field is required.
3. Enter a Password. This field is required.
4. Select the guest role for the account in Role.
5. Enter the guest's First and Last names.
6. Click OK to save the guest account.
When a guest connects to the network and reaches the login page, the last name is used as the user name. If you are
using the Version 1 Portal pages, you can edit the .html files directly to modify the labels on the fields on the login page. If
you have disabled the Version 1 Portal pages and are using the portal pages that shipped with FortiNAC, the field labels
can be modified using the content editor in the portal configuration window.

Portal page requirements

If you are using Version 1 Portal pages and you already have guest pages set up, you do not need to make any
modifications. If you have disabled the Version 1 Portal pages and chose to use the portal pages provided with
FortiNAC, a few fields must be edited to allow guests to log in using accounts created with the Guest Account tab on
the dashboard. These options do not apply to guest accounts created with guest manager.

If you are using local authentication for guests, do not enable the First Name and Last Name
fields on the Custom Login Form. Information entered by guests at login in these fields is
added to the database and will modify their authentication credentials. Guests would no longer
be able to log in with their original credentials.

Configure guest login

The Guest Login designated in the portal configuration content editor is used to configure settings for guest manager. If
you are not using guest manager you must disable that login and enable the custom registration login.

1. Select Portal > Portal Configuration.
2. Click on Registration.
3. Click on Login Menu. The properties for that page are displayed in the right pane.
4. Scroll down to the Guest Login Enabled check box and remove the check mark.
5. Scroll to the Custom Registration Enabled check box and mark it with a check mark.
6. Scroll to the Custom Registration Link Text field and enter the text for the link to the guest login page, such as
guest login or guest registration.
7. Scroll to the Custom Registration Title field and enter the text that should display above the link to the guest login
page.
8. Click Apply to save your changes. When changes are made to the portal pages there is a delay before the changes
are displayed.

Configure guest authentication

1. Select Portal > Portal Configuration. See Portals.
2. Click on Global in the left hand pane to expand it.
3. Click on Settings within Global. The properties for that page are displayed in the right pane.
4. Scroll down to Custom Login Type and select Local from the drop-down menu.
5. Click Apply to save your changes. When changes are made to the portal pages there is a delay before the changes
are displayed.

Modify user name field label

When guest accounts are created, the guest's last name is considered the User Name for login. The Login page asks for
User Name and Password. You can either advise your guests that their last name is their user name or you can modify
the Login page and set the label appropriately.
1. Select Portal > Portal Configuration
2. Click on Registration.
3. Click on Custom Login Form. The properties for that page are displayed in the right pane.
4. Scroll to the User Name Field Label field and change the label to Last Name or some other user-specified name.
5. Click Apply to save your changes. When changes are made to the portal pages there is a delay before the changes
are displayed.

Guest account details

Guest user records created when guest accounts are generated are displayed in the user view with network and
administrator users. The Guest Account Details window displays data from the guest template used to create the guest
user.
1. Select Users & Hosts > User Accounts.
2. Search for the appropriate user.
3. Select the user and either right-click or click Options.
4. From the menu select Guest Account Details.

Settings

User ID: The guest's email address, which is used as the user ID at login.

Account Status: Indicates whether the guest account is enabled or disabled.

Sponsor: The administrator who created the guest account.

Account Type: Guest account type. Types include:
  • Guest: A visitor to your facility with limited or Internet-only network access.
  • Conference: A group of short- or long-term visitors to your organization who require identical but limited access to your network, typically for one to five days.
  • Contractor: A temporary employee of your organization who may be granted all or limited network access for a specific time period, generally defined in weeks or months.

Start Date: Date and time (24-hour clock) at which the account becomes active for the guest or contractor.

End Date: Date and time at which the account expires.

Login Availability: Times during which the guest is permitted to access the network.

Role: Role is an attribute of a user or a host. It is used in user/host profiles as a filter when assigning network access policies, endpoint compliance policies, and Supplicant EasyConnect policies.

Authentication: Indicates the type of authentication used. Options include Local, LDAP or RADIUS. Guests typically use Local authentication.

Account Duration: Amount of time this account remains valid and usable.

Reauthentication Period: Number of hours the guest or contractor can access the network before reauthentication is required.

URL for Successful Landing Page: Directs the guest or contractor to a specific web page when they have successfully logged into the network and passed the scan in an endpoint compliance policy. This field is optional and is used only if you have Portal V1 enabled in the portal configuration.

URL for Acceptable Use Policy: Directs the guest or contractor to a specific web page that details the acceptable use policy for the network.

Password: The guest's assigned password. Passwords are usually generated by the system unless the guests were bulk imported. Toggle Show Password/Hide Password to display the password in plain text or as asterisks.
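The fields above (Account Status, Start Date, End Date, Account Duration, Login Availability) combine into one access decision for a guest at a given instant. The following is an added example, not FortiNAC code, that models that decision. Its assumptions: the account is usable from Start Date up to but not including End Date; when an Account Duration is set, the account also expires that many hours after the duration clock starts and the shorter of the two limits wins; the guide gives the clock start as first login in one place and as creation in another, so the start instant is a parameter; Login Availability is a set of weekdays plus a daily time range, outside which the guest is "At Risk" rather than expired; and a disabled Account Status denies access regardless of dates. The record and timestamps are constructed for illustration.

```python
"""Added example (not FortiNAC code): guest access decision from the
Guest Account Details fields. See the lead-in for the assumptions."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import FrozenSet, Optional


def at(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp such as '2024-03-05T10:00'."""
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class LoginAvailability:
    """A 'Specify Time' window: weekdays (Monday=0 .. Sunday=6) plus a daily range."""
    days: FrozenSet[int]
    start: time
    end: time  # exclusive: an 08:00-18:00 window does not include 18:00:00

    def permits(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass
class GuestAccount:
    user_id: str
    enabled: bool                                   # Account Status
    start_date: datetime
    end_date: datetime
    duration_hours: Optional[int] = None            # Account Duration; None == blank
    duration_clock_start: Optional[datetime] = None  # assumed: creation or first login
    availability: Optional[LoginAvailability] = None  # None == Always

    def effective_end(self) -> datetime:
        """End Date, or clock start plus Account Duration if that comes sooner."""
        end = self.end_date
        if self.duration_hours is not None and self.duration_clock_start is not None:
            end = min(end, self.duration_clock_start + timedelta(hours=self.duration_hours))
        return end


def access_state(acct: GuestAccount, when: datetime) -> str:
    """Return 'disabled', 'not-yet-active', 'expired', 'at-risk' or 'allowed'."""
    if not acct.enabled:
        return "disabled"
    if when < acct.start_date:
        return "not-yet-active"
    if when >= acct.effective_end():
        return "expired"
    if acct.availability is not None and not acct.availability.permits(when):
        return "at-risk"  # Guest No Access admin scan marks the host At Risk
    return "allowed"


def example_account(first_login: Optional[datetime]) -> GuestAccount:
    """Constructed record: a one-week visit, business-hours access, 24 h duration."""
    return GuestAccount(
        user_id="visitor@example.com",            # placeholder, not a real account
        enabled=True,
        start_date=at("2024-03-04T00:00"),        # a Monday
        end_date=at("2024-03-11T00:00"),          # the following Monday
        duration_hours=24,
        duration_clock_start=first_login,
        availability=LoginAvailability(frozenset(range(5)), time(8, 0), time(18, 0)),
    )


if __name__ == "__main__":
    acct = example_account(first_login=at("2024-03-05T09:00"))  # Tuesday 09:00
    for when in ("2024-03-03T10:00", "2024-03-05T10:00", "2024-03-05T19:00",
                 "2024-03-06T08:30", "2024-03-06T09:00"):
        print(when, access_state(acct, at(when)))
```

With a 24-hour duration that starts at the Tuesday 09:00 login, the account is usable until Wednesday 09:00 even though the End Date is the following Monday; outside the 08:00 to 18:00 weekday window the state is at-risk, not expired, which matches the guide's description of the Guest No Access admin scan.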

Set user expiration date

The expiration date on a user determines when the user record is automatically deleted or aged out of the database.
Administrators default to No Expiration. See Aging out host or user records on page 1 for information on other methods.
The user inactivity timer is started when all hosts registered to a user are seen as offline. When a host is seen as
connected, the timer is cleared. The timer is also cleared when the user logs into FortiNAC.

Administrators assigned the System Administrator profile cannot be aged out.
The Set User Expiration Date feature can be accessed either from the user view or the Host View.
1. Select Users & Hosts > User Accounts.
2. Use the Quick Search or Custom Filter to locate the appropriate user(s).
3. Select the users to be modified.
4. Right-click and select Set Expiration.
5. Use the table below to enter expiration criteria.
6. Click OK to set the expiration dates.

Settings

Specify Date: Select a specific date on which the user is aged out of the database.

Days Valid From Now: Enter the number of days from today after which the user expires. The expiration date is calculated from this number.

Days Valid From Creation: The number of days from the date the user record was created. The expiration date is calculated from this number.

No Expiration: The user is never deleted from the database, even if global or group aging options are added or modified.

Default Expiration: Uses the global aging settings configured in System > Settings > User/Host Management > Aging.

Set User Inactivity Limit: Enables the option to delete a user based on the number of days that the user has not logged onto the network or into the admin UI.

Days Inactive: Number of consecutive days the user must be inactive to be aged out of the database. For example, if this is set to 4 days and the user connects to the network again after 2 days, the counter is restarted.

No Inactivity Limit: With this option enabled, the user is never deleted from the database due to inactivity, even if global or group aging options are added or modified.

Default Inactivity Limit: Uses the global aging settings configured in System > Settings > User/Host Management > Aging.

Delete Registered Hosts: If enabled, hosts registered to the selected user are deleted when the user ages out of the database. It is recommended that you delete hosts together with the user; otherwise they become registered devices when the user ages out of the database.
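The aging rules above are easier to reason about when replayed against an event sequence. The following is an added example, not FortiNAC code, that models them: the inactivity timer starts when every host registered to the user is offline and is cleared when any of those hosts is seen connected or the user logs into FortiNAC, so a reconnect on day 2 of a 4-day limit restarts the count; a hard expiration date ages the record out regardless of activity; No Expiration and No Inactivity Limit are modelled as None. The user, the MAC addresses, the event kinds and the timestamps are constructed for illustration and do not correspond to FortiNAC's internal event names.

```python
"""Added example (not FortiNAC code): replay host connect/disconnect and
admin-login events for one user and decide whether the record ages out."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional, Set


@dataclass
class UserRecord:
    name: str
    created: datetime
    hosts: Set[str]                    # MAC addresses registered to the user
    expiration: Optional[datetime]     # None == No Expiration
    days_inactive: Optional[int]       # None == No Inactivity Limit


def expiration_from_option(option: str, created: datetime, now: datetime,
                           value=None) -> Optional[datetime]:
    """Translate the Set Expiration dialog choices into a concrete date."""
    if option == "specify_date":
        return value
    if option == "days_valid_from_now":
        return now + timedelta(days=value)
    if option == "days_valid_from_creation":
        return created + timedelta(days=value)
    if option == "no_expiration":
        return None
    raise ValueError(f"unknown option {option!r}")


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str                 # constructed: "host_online" | "host_offline" | "admin_login"
    host: Optional[str] = None


def evaluate(user: UserRecord, events: Iterable[Event], now: datetime) -> str:
    """Return 'expired', 'inactive' or 'retained' for the record at `now`."""
    if user.expiration is not None and now >= user.expiration:
        return "expired"
    online: Set[str] = set()
    inactive_since: Optional[datetime] = None
    for ev in sorted(events, key=lambda e: e.when):
        if ev.when > now:
            break
        if ev.kind == "host_online" and ev.host in user.hosts:
            online.add(ev.host)
            inactive_since = None            # a connected host clears the timer
        elif ev.kind == "host_offline" and ev.host in user.hosts:
            online.discard(ev.host)
            if not online and inactive_since is None:
                inactive_since = ev.when     # all hosts offline: timer starts
        elif ev.kind == "admin_login":
            inactive_since = None            # user logged into FortiNAC
    if (user.days_inactive is not None and inactive_since is not None
            and now - inactive_since >= timedelta(days=user.days_inactive)):
        return "inactive"
    return "retained"


D0 = datetime(2024, 3, 1, 8, 0)   # arbitrary "day 0" for the constructed events


def day(n: float) -> datetime:
    """Offset from the constructed day 0, in days."""
    return D0 + timedelta(days=n)


EXAMPLE_USER = UserRecord(
    name="jdoe",                                          # constructed
    created=day(-30),
    hosts={"00:11:22:33:44:01", "00:11:22:33:44:02"},    # constructed MACs
    expiration=None,                                      # No Expiration
    days_inactive=4,                                      # Days Inactive = 4
)

EXAMPLE_EVENTS = [
    Event(day(0), "host_online", "00:11:22:33:44:01"),
    Event(day(0), "host_online", "00:11:22:33:44:02"),
    Event(day(1), "host_offline", "00:11:22:33:44:01"),
    Event(day(2), "host_offline", "00:11:22:33:44:02"),  # all offline: timer starts
    Event(day(4), "host_online", "00:11:22:33:44:01"),   # reconnect clears the timer
    Event(day(5), "host_offline", "00:11:22:33:44:01"),  # all offline again
]

if __name__ == "__main__":
    for n in (3, 8, 9):
        print(f"day {n}: {evaluate(EXAMPLE_USER, EXAMPLE_EVENTS, day(n))}")
```

In the constructed sequence the timer that started on day 2 is wiped by the reconnect on day 4 and restarts on day 5, so the record survives on day 8 and ages out on day 9; an admin UI login on day 6 would reset it again.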

Guests & Contractors

Your enterprise may occasionally need to augment staff with contractors for short term projects. More often, you need to
provide controlled network access for guests or remote attendees of conferences. Guest manager meets these
demands by providing you with a set of tools to create limited network accounts for Guests and Contractors that are
secure, role-based and provide access for a specified time period. Guest manager allows you to:

• Control the point of access for guests and contractors.
• Manage guest and contractor authorization.
• Ensure that guests and contractors receive the appropriate network resources for the amount of time the services are needed.
• Provide IT staff with control and tracking capabilities.
• Provide administrator (sponsor) accounts that allow non-IT staff to create and manage accounts for visiting users.
You must have a license for the guest manager feature. You must be sure to have enough concurrent licenses to provide
a connection to the network for each guest. When a host connects to the network it uses one concurrent license. The
license is released as soon as that host disconnects from the network. See Licenses on page 14 for additional
information.
When guests or contractors enter their temporary user name, password, and other required information, guest manager
checks the credentials against the guest or contractor account. Guest manager denies access if the credentials do not
match the entries in the guest manager database or LDAP directory, depending on which is being used for guest or
contractor authentication. In addition, guests and contractors can be scanned to ensure that they have up-to-date
antivirus software and pose no threat to the network.

Implementation

Guest manager is implemented at several levels. The initial setup is done by a FortiNAC administrator. Guest and
contractor accounts are created and managed by an administrator called a sponsor. Finally, guests and contractors
themselves follow a login process.

Administrators

Administrators have full rights to all parts of the FortiNAC system and can fully implement guest manager without
needing a sponsor user to create accounts. However, in most organizations these responsibilities are divided up.
• Make sure that email settings for your FortiNAC server or control server have been configured. If they are not configured, you will not be able to send guests their account credentials by email.
• If you intend to use endpoint compliance policies to scan guests' and contractors' computers, set up the policies before creating templates.
• Each guest account that is created must be associated with a template that controls configuration details about that account, such as how long the account is valid or when the guest can access the network. Guest account types include guest, contractor, conference, and self-registered guest. See Guest & Contractor templates on page 85.
• Guest manager templates allow you to limit guest access to the network based on time of day or day of week. During the time that the guest is not allowed to access the network, the guest's host is marked "At Risk" for the Guest No Access admin scan. If you choose to implement this feature for any template, the following requirements must be met:
  • You must have a quarantine or remediation VLAN on your network.
  • Under System > Settings > Quarantine, enable the quarantine VLAN option.
  • Ports through which a guest would connect must be in the Forced Remediation Group (applies only to wired ports).
  • The Model Configuration for all switches to which guests connect must have an entry for the quarantine VLAN. This applies to both wired and wireless switches and access points.
• Administrator profiles control what administrators can do when they are working in FortiNAC. If you intend to have an administrator create and manage guest accounts, you must create an administrator profile that grants that user the appropriate permissions. Sponsor profiles determine whether the sponsor can manage guest accounts, kiosk accounts, or self-registered guest accounts.
• Create any administrators or sponsors that will be responsible for creating and managing guests. Administrators can also be created and associated with an administrator profile automatically based on users and groups in your directory.
• To force guests and contractors to register and/or authenticate when they connect to the network, the ports to which they connect must be in a controlled access group such as Forced Registration.
• When guests or contractors connect to the network they are presented with a registration page. This page can be set up either by editing the existing registration pages directly (Portal V1) or by using the portal configuration content editor (Portal V2).
• If you would like to provide guests with badges containing their login credentials, make sure the printer is set up correctly.
• If you would like to send guests their login credentials via SMS message, enable the necessary Mobile Providers. See Mobile providers on page 1. For self-registered guest accounts, SMS is enabled by default and requires that Mobile Providers be enabled.
• If you decide to use the network access policy features of FortiNAC, you must configure user/host profiles that correspond to guests, then map a user/host profile to a network access configuration using a network access policy. See Network access on page 179 for additional information.

Sponsors

Sponsors have the following responsibilities. Administrators can perform these functions as well.
• When all of the preliminary setup steps have been completed, either the sponsor or the administrator can create guest/contractor accounts.
• If self-registration request permission has been granted, sponsors can also approve or deny account requests from guests using the self-registration feature.
• To facilitate your guests' connection to the network, you must give them information about their login credentials.
• If you are managing a large group of guests or contractors, you can use the Locate feature to find and manage guests. See Locate Hosts/Users.
Sponsors with management permissions in their administrator profile can locate guests, contractors, registered hosts, and other sponsors.
Sponsors whose administrator profile limits them to managing their own hosts cannot search for any other hosts. The Sponsor field in the Locate screen is automatically filled in with the sponsor's name and cannot be changed.

Guest & Contractor templates

As an administrator, you control guest, contractor, conference, and self registration accounts by creating templates for
each account type. The templates include privileges you specify, such as account duration, and credential requirements.
Each time a visitor account is created one of these templates must be applied.
The templates you define:
• Restrict or allow certain privileges for the sponsors who create guest, contractor, and conference accounts.
• Ensure that sponsors set up appropriate accounts for guests and contractors.
• Define the number of characters in the automatically generated passwords.
• Make sure data from the guest or contractor is provided to the sponsor.
You may grant sponsor privileges to an administrator who uses the templates to create and manage temporary guest
and contractor accounts. Sponsors may also provide account details to guests by email, SMS message or printout. The
entire process, from account creation to guest network access, is stored for audit and reporting.

From the Guest/Contractor Templates window you can add, delete, modify or copy templates.

Settings

Name: Descriptive name for the template. Sponsors use this name when they select a template to create accounts.

Visitor Type: User type for the template. Corresponds to the account types of Guest and Contractor so that the correct view is presented to the user.

Role: Role is an attribute added to the user and the host. Roles can be used in user/host profiles as a filter. These roles must first be configured in the Role Management view; if they are not configured, no role-based restrictions apply. Any additional roles you have configured are also listed here. The default options are Contractor, Guest and NAC-Default. If you have not configured a Guest or Contractor role, any host you register has the NAC-Default common role applied to it. See Visitor types on page 87. For more on roles, see Roles on page 291.

Authentication: Type of authentication used for guests or contractors associated with this template. Options include:
  • Local: User name and password credentials are stored in the local database. For Conference accounts, authentication is Local only.
  • LDAP: The user's email address is required and is what guests and contractors use to log in. The email address maps to the created guest user. When the email address is located in the LDAP directory, the password given at login is checked against that directory account. If it matches, the guest or contractor's credentials are accepted and they are granted access.
  • RADIUS: Checks your RADIUS server for the email address (required) in the user's created account. If a match is found, the password given at login is checked against it. If it matches, the guest or contractor's credentials are accepted and they are granted access.

Login Availability: When guests or contractors with this template can log in to the network. Login Availability is within the timeframe you specify for the Account Duration. The available options are:
  • Always
  • Time range
  Guests created using this template are marked "At Risk" for the Guest No Access admin scan during the times they are not permitted to access the network.

Password Length: Required length of guest or contractor passwords. Must be between 5 and 64 characters.

Account Duration: There are two methods that work together to determine how long a guest account is active. The shorter of the two is the one used to remove a guest account from the database.
  • Account Duration (Hours): Option included in the guest template to limit the time a guest account created with this template remains in the database. If this is blank, the guest account end date is used. The Account Duration starts only when the guest user first logs in. For example, if you create a guest account with a date range that spans one week and an account duration of 24 hours, the guest can log in for one 24-hour period at any time during that week.
  • Account End Date: Option included on the Add Guest Account dialog to determine the date on which the guest account expires. This field is required when a guest account is created.

Reauth Period (hours): Number of hours the guest or contractor can access the network before reauthentication is required.

Security & Access Value: User-specified text associated with guests created using this template that can be used as a filter. Used to assign a policy to a guest by filtering for this value.

Password Exclusions: List of characters that will not be included in generated passwords.

Last Modified By: User name of the last user to modify the template.

Last Modified Date: Date and time of the last modification to this template.

Right click menu options

Export: Exports data to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data on page 1.

Copy: Copies the selected template to create a new record.

Delete: Deletes the selected template. Accounts that were created with the template prior to deletion are still valid and retain the data that was in the template.

Modify: Opens the Modify Guest/Contractor Template window for the selected template.

Show Audit Log: Opens the admin auditing log showing all changes made to the selected item. For information about the admin auditing log, see Audit Logs on page 298. You must have permission to view the admin auditing log. See Add an administrator profile on page 55.

Used By: Displays a list of users, by administrator profile, that are associated with the selected template. Click a specific administrator profile to see the associated users. To select more than one profile, use the Ctrl key.
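The Password Length and Password Exclusions fields in this table (and the composition rule and Mobile Friendly Exclusions list described under Create templates) define what a generated guest password must look like. The following is an added example, not FortiNAC code, that generates and checks passwords to that specification: length between 5 and 64, at least one upper-case letter, one lower-case letter, one digit and one symbol (reading the guide's "alphanumeric" requirement as a digit), and no excluded character. It also exercises the edge case a template author can hit: the Mobile Friendly list excludes 30 of the 32 ASCII symbols, leaving only '.' and '`' to satisfy the symbol rule, and excluding those as well makes the template unsatisfiable. The character classes are assumed to be the ASCII sets from Python's string module, and the generator uses the secrets module rather than random.

```python
"""Added example (not FortiNAC code): guest password generation and policy
check following the template rules described in the guide."""
import secrets
import string

# The Mobile Friendly Exclusions list quoted in the guide.
MOBILE_FRIENDLY_EXCLUSIONS = "!@#$%^&*()_+~{}|:\"<>?-=[]\\;',/"

# Assumed character classes: ASCII only.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def allowed_classes(exclusions: str) -> dict:
    """Remove excluded characters from every class; fail if a class is emptied,
    because the composition rule could then never be satisfied."""
    out = {}
    for name, alphabet in CLASSES.items():
        kept = "".join(c for c in alphabet if c not in exclusions)
        if not kept:
            raise ValueError(f"exclusions leave no usable {name} characters")
        out[name] = kept
    return out


def remaining_symbols(exclusions: str) -> str:
    """Symbols still available after applying an exclusion list."""
    return "".join(c for c in string.punctuation if c not in exclusions)


def generate_password(length: int, exclusions: str = "") -> str:
    """Generate a password of exactly `length` characters meeting the template rules."""
    if not 5 <= length <= 64:
        raise ValueError("Password Length must be between 5 and 64")
    classes = allowed_classes(exclusions)
    # One character from each class guarantees the composition rule...
    chars = [secrets.choice(alphabet) for alphabet in classes.values()]
    # ...the remainder is drawn from the union of all allowed characters.
    pool = "".join(classes.values())
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle with a CSPRNG so the class-guaranteeing characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(pw: str, length: int, exclusions: str = "") -> bool:
    """Independent check of a password against the same rules."""
    return (len(pw) == length
            and not any(c in exclusions for c in pw)
            and any(c in string.ascii_uppercase for c in pw)
            and any(c in string.ascii_lowercase for c in pw)
            and any(c in string.digits for c in pw)
            and any(c in string.punctuation for c in pw))


if __name__ == "__main__":
    print("symbols left after mobile-friendly exclusions:",
          remaining_symbols(MOBILE_FRIENDLY_EXCLUSIONS))
    pw = generate_password(12, MOBILE_FRIENDLY_EXCLUSIONS)
    print(pw, meets_policy(pw, 12, MOBILE_FRIENDLY_EXCLUSIONS))
```

Checking the remaining symbol set before saving a template is worthwhile: with the mobile-friendly list applied, every generated password will carry a '.' or a '`', which is predictable and may itself be awkward on some keyboards.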

Visitor types

Guest manager supports four basic types of accounts. They are identified on the Guest templates as Visitor types and
are loosely defined as follows:
• Guest: A visitor to your facility with limited or Internet-only network access. For example, a guest might be on the premises for a one-day sales call or a three-day presentation. Any number of guest accounts may be created at one time as bulk accounts; in this case, the email address is the same as the user name. Guests who need access for one day only may be managed by administrators with permission to manage guest self-registration or self-serve kiosks. For more on kiosks see Using a kiosk on page 108.
• Self-Registered Guest: A visitor to your facility with limited or Internet-only network access who connects to your network on their own device to request a temporary account. The account request goes to a sponsor via email. The sponsor can log into FortiNAC and approve or deny the request or, depending on your configuration, can approve or deny the request directly from the email. The account is created when the request is approved.
• Conference: A group of short- or long-term visitors to your organization who require identical but limited access to your network, typically for one to five days. Conferences are often bulk accounts, in which attendees receive notification of the conference via, for example, email. Conference members may be given an identical generated user name and password that is specific to the conference (for example, conference-1 or training123), individual passwords for individual attendees, or individual attendee names with a shared password. See Conference accounts on page 1. When conference members register they enter their email address. Once they have registered, they fill in their name and other information.
• Contractor: A temporary employee of your organization who may be granted all or limited network access for a specific time period, generally defined in weeks or months. Any number of contractor accounts may be created at one time as bulk accounts; in this case, the email address is the same as the user name.

Create templates

Use this option to create multiple templates for each of the Guest, Contractor, Conference and self-registered guest
visitor types with a variety of permissions. Data fields allow you to collect data from your guests and store it in User
Properties. If you are a FortiNAC administrator you have access to all templates and can assign any template of the
correct type to any guest, contractor or conference user when you create their accounts. If you create a sponsor user
who is responsible for creating visitor accounts, the sponsor must be assigned a set of templates through their
administrator profile. When the sponsor creates visitor accounts, they can only choose templates from the list you have
assigned.
1. Click Users > Guest & Contractor Templates.
2. The Templates window appears. Click Add.
3. The Add Guest/Contractor Template window appears. Enter the information in the Required Fields tab as
described in the Settings table below.
4. Click the Data Fields tab to determine which fields will be required when a guest logs onto the network.
5. Click the Note tab to add a note to the printed access information to give the guest/contractor special login
instructions or an SSID. See Provide login information on page 1.
6. Click OK to create the template and add it to the list of templates.

Settings

All possible fields are included in this table. The fields shown on your screen will vary depending on the Visitor Type you
select.

Field Definition

Template Name Type a descriptive name for the template. Sponsors use this name when they select a
template to create accounts.

Visitor Type User type for the template. Corresponds to the account types of Guest and Contractor
so that the correct view is presented to the user. See Visitor types on page 87.

FortiNAC F 7.2.0 Manager Guide 88


Fortinet Inc.
Field Definition

Use A Unique Role Based Creates a role based on the template name and assigns that role to guests with
On This Template Name accounts created using this template. Using the template name as a role allows you to
limit network access based on the guest template by using the new role as a filter in a
user/host profile. See User/host profiles on page 175.
When using the Wireless Security feature to configure SSID mappings, the name of the
guest template selected is used to create the appropriate user/host profile allowing you
to limit SSID access based on guest template.

Select Role Role is an attribute added to the user and the host. Roles can be used in user/host
profiles as a filter. Note that these roles must first be configured in the Role
Management view. If they are not configured, no role-based restrictions apply. Any
additional roles you have configured are also listed here. The available default options
are Contractor, Guest and NAC-Default. If you have not configured a Guest or
Contractor role, any Host you register has the NAC-Default common role applied to it.
See Visitor types on page 87. For more on Roles see Roles on page 291.

Security & Access Value Enter a value, such as Guest or Visitor. This field is added to each guest user account
that is created based on this template and can be used as a filter. When creating
user/host profiles, you can filter for the contents of the Security & Access Value field to
control which endpoint compliance policy is used to scan guest hosts.

Send Email For Conference accounts, email cannot be sent until a guest has registered or you have
modified the account via the User View > Modify option to enter an email address.
Select this check box if you want a sponsor with this template to be able to send an e-
mail confirmation to the guest’s/contractor’s email address. If not selected (default)
guest or contractor credentials need to be printed or sent via SMS.
For self-registered guest accounts this option is automatically checked and cannot be
disabled.

Send SMS For Guest or Contractor accounts, select this check box if you want a sponsor with this
template to be able to send an SMS confirmation to the guest’s/contractor’s mobile
phone. If not selected guest or contractor credentials need to be e-mailed or printed.
For self-registered guest accounts this option is automatically checked and cannot be
disabled.
Requires that the guest or contractor provide both a mobile number and the mobile
provider. These fields default to Required in the Data Fields tab.

Max Number Of Accounts Only available when Visitor Type is set to Conference. Typically used when generating
a large number of accounts for a conference. Limits the total number of accounts that
can be created on the Conference Account window when this template is selected.
To limit accounts, enable the check box and enter the maximum number of accounts
that can ever be created using this template.
For an unlimited number of accounts, leave the check box empty.

Password Length Between 5 and 64 characters. Passwords that are automatically generated by guest
manager contain at least one capital letter, one lower case letter, one alphanumeric
character, and one symbol. If you have characters listed in Password Exclusions, those
characters will not be used.

FortiNAC F 7.2.0 Manager Guide 89


Fortinet Inc.
Field Definition

Note that for Conference accounts, once a template has been created, the sponsor may
specify the individual different passwords for attendees when the sponsor creates the
conference account. See Conference Accounts.

FortiNAC does not recognize or restrict system-generated


passwords that may be offensive.

Password Exclusions List of characters that will not be included in generated passwords.

Use Mobile Friendly Removes any existing entries and then populates the Password Exclusions field with a
Exclusions list of symbols that are typically difficult to enter on a mobile device. Modify the list of
characters as needed. Characters include:
!@#$%^&*()_+~{}|:"<>?-=[]\;',/

Reauthentication Period Specify the number of hours the guest or contractor can access the network before
(hours) reauthentication is required. To specify a reauthentication period you must first select
the check box. Next fill in the reauthentication period in hours. If you do not select this
check box, you will not have to specify a reauthentication period for guests or contractor
accounts created with this template.

Authentication Method Specify where authentication occurs:


l Local: User name and password credentials are stored in the local database.

For Conference accounts, authentication is Local only.

l LDAP: The email of the user is required, and is what guests and contractors use to
log in. The email address maps to the created Guest user. When the email address
is located in the LDAP directory, it is compared with the given password for the
user. If it matches, the guest or contractor’s credentials are accepted and they are
granted access.
l RADIUS: Checks your RADIUS server for the email address (required) in the
user's created account. If a match is found, it is compared with the given password
for the user. If it matches, the guest or contractor’s credentials are accepted and
they are granted access.

Account Duration Select the check box to specify the duration of the account in hours.
For all guests except those with shared conference accounts: The duration governs
how long from creation the account remains in the database, regardless of the end date
that is entered when creating the guest account.
For shared conference accounts: The duration governs how long from guest Login the
account remains in the database, regardless of the end date that is entered when
creating the conference.
For self-registered guest accounts this option is automatically checked and cannot be
disabled. You must enter a duration.

FortiNAC F 7.2.0 Manager Guide 90


Fortinet Inc.
Field Definition

There are two methods that work together for determining the length of time a guest
account is active. The shorter of the two is the one that is used to remove a
guest account from the database.
l Account Duration (Hours): Option included in the guest template to limit the time
a guest account created with this template remains in the database. If this is blank,
the guest account end date is used. The Account Duration starts only when the
guest user first logs in. For example, you could create a guest account with a date
range that spans one week and if the account duration was 24 hours, they would
be able to log in for one 24 hour period any time during that week.
l Account End Date: Option included on the Add Guest Account dialog to
determine the date on which the guest account expires. This field is required when
a guest account is created.

Propagate Hosts Controls whether the Propagate Hosts setting is enabled or disabled on the user record
for guest users created with this template. If enabled, the record for the host owned by
the guest user is copied to all managed FortiNAC appliances. This field is only
displayed if the FortiNAC server is managed by a FortiNAC Manager.

Login Availability Select when guests or contractors with this template can login to the network. Login
Availability is within the timeframe you specify for the Account Duration.
The available options are:
l Always

l Specify Time: If you select this option, a window displays in which you specify the

time range and select the days of the week. Click OK.
Guests created using this template are marked "At Risk" for the Guest No Access
admin scan during the times they are not permitted to access the network.

URL for Acceptable Use Policy Optional. Directs the guest or contractor to the page you specify with the network
policies when they login.

Resolve URL Click to acquire the IP addresses for the URLs for Acceptable Use Policy and
Successful Landing page. If the URL is not reachable, specify the IP address in the IP
address field.

Portal version 1 settings

URL for Successful Landing Page Directs the guest or contractor to a certain page when they have successfully logged
into the network and passed the scan in an endpoint compliance policy. This field is
optional and is used only if you have Portal V1 enabled in portal configuration.
If you are using the portal pages included with FortiNAC and controlled by the content
editor in the portal configuration, this field is ignored.

Login availability time

This option allows you to limit network access for a guest or contractor based on the time of day and the day of the week.
Any guest associated with a template can only access the network as specified in the Login Availability field for the
template.
If you set times for Login Availability, FortiNAC periodically checks the access time for each guest associated with the
template. When the guest is not allowed to access the network, the host associated with the guest is marked "At Risk" for
the Guest No Access admin scan. When the time is reached that the guest is allowed to access the network, the "At
Risk" state is removed from the host. These changes in state occur on the guest host record whether the guest is
connected to the network or not. If the guest host connects to the network outside its allowed timeframe, a web page is
displayed with the following message: "Your network access has been disabled. You are outside of your allowed time
window. To regain network access call the help desk."
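The two lifetime rules (Account Duration against Account End Date, shorter wins) and the Login Availability check above, worked through as an added example. This is not FortiNAC's own code; the function names, the shape of the availability dictionary and the sample dates are assumptions made for this illustration. The caller supplies the moment the duration clock starts (account creation for individual accounts, first guest login for shared conference accounts, as the Account Duration field describes).

```python
from datetime import datetime, time, timedelta

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def effective_expiry(end_date, duration_hours=None, anchor=None):
    """Moment at which the guest account is removed from the database.

    end_date       -- Account End Date, required on the Add Guest Account dialog
    duration_hours -- Account Duration (Hours) from the template, None if blank
    anchor         -- when the duration clock starts: account creation for
                      individual accounts, first guest login for shared
                      conference accounts (assumed to be supplied by the caller)
    The shorter of the two windows is the one that removes the account.
    """
    if duration_hours is None:
        return end_date
    if anchor is None:
        raise ValueError("Account Duration is set but its start time is unknown")
    return min(end_date, anchor + timedelta(hours=duration_hours))


def login_allowed(now, availability):
    """Login Availability check.

    availability is None for "Always", or a dict (assumed shape) such as
    {"days": {"Mon", "Tue"}, "start": time(8, 0), "end": time(18, 0)}.
    A window whose end is earlier than its start crosses midnight.
    """
    if availability is None:
        return True
    if WEEKDAYS[now.weekday()] not in availability["days"]:
        return False
    start, end, clock = availability["start"], availability["end"], now.time()
    if start <= end:
        return start <= clock < end
    return clock >= start or clock < end


def host_risk_state(now, expiry, availability):
    """What the periodic check would record on the guest's host record:
    'expired' once past the effective expiry, 'at_risk' (Guest No Access admin
    scan) outside the allowed window, otherwise 'ok'. The state is computed
    whether or not the host is currently connected."""
    if now >= expiry:
        return "expired"
    return "ok" if login_allowed(now, availability) else "at_risk"


if __name__ == "__main__":
    # Constructed sample: one-week account, 24-hour duration, weekday office hours.
    created = datetime(2023, 3, 6, 9, 0)
    end = datetime(2023, 3, 13, 17, 0)
    business = {"days": {"Mon", "Tue", "Wed", "Thu", "Fri"},
                "start": time(8, 0), "end": time(18, 0)}
    expiry = effective_expiry(end, 24, created)
    print("effective expiry:", expiry)
    print("Tue 10:00 ->", host_risk_state(datetime(2023, 3, 7, 10, 0), expiry, business))
    print("Tue 20:00 ->", host_risk_state(datetime(2023, 3, 7, 20, 0), expiry, business))
```

The point to check in your own deployment is the one the sample makes visible: a template duration of 24 hours removes the account a full day after the clock starts even though the end date is a week away, so the end date only governs accounts whose template duration is blank or longer.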

Data fields

Specify which pieces of data will appear on the form the guest or contractor will be required to fill out in the captive portal.
For self-registered guests this information is filled out with the request for an account. For Guests with an existing
account, this information is filled out after they enter their user name and password on the login page. If the field has a
corresponding database field, it is stored there and displayed on the User Properties window. If the field does not have
a corresponding database field, it is stored and displayed in the Notes tab of the User Properties window and the Host
Properties window. Hover over the field name to display a tool tip indicating where the data entered by the guest will be
stored.
l Required: The data in this field must be entered in order for the guest or contractor to log in.
l Optional: Appears on the form, but is not required data from the guest or contractor.
l Ignored: Will not appear on the form.
The E-mail field is required. The fields listed below are default fields that are included with the original setup of guest
manager. Field names can be modified by typing over the original name. Therefore, the fields on your template window
may not match any of the fields in this list. If you rename a field, the data entered into that field by the guest is still stored
in its original location. For example, if you modify the title of the Last Name field to say Mother's Maiden Name, the data
is still stored in the Last Name field on the User Properties window.

Field Definition

Last Name Maximum length 50 characters. Stored in the Last Name field.

First Name Maximum length 50 characters. Stored in the First Name field.

Address Maximum length 50 characters. Stored in the Address field.

City Maximum length 50 characters. Stored in the City field.

State (or Province/County) Standard two-letter state abbreviation, or up to 50 characters. Stored in the State field.

Country Maximum length 50 characters. Stored on the Notes tab.

Zip or Postal Code Maximum length of 16. Stored in the Zip Code field.

Email Email address of the guest or contractor. Stored in the E-mail field.
The label of this field can be modified; however, FortiNAC expects the contents
of the field to be an email address. This field tests for a valid email
address and will not allow the user to proceed without one. If the
label is something other than email and other types of data are
entered, the guest account may not be able to be created.

Phone Telephone number including international country codes (for example, +1, +44).
Maximum length 16. Stored in the Phone field.

Mobile Phone Mobile Telephone number. Maximum length 16. Stored in the Add/Modify User window.


Mobile Provider The name of the company that provides the guest with Mobile service. The guest is
provided with a list of possible providers. Stored in the Add/Modify User window.

Asset Text field for computer serial numbers, manufacturer’s name and model number, or any
other asset identifier of the guest’s or contractor’s computing platform. Stored in the
Serial Number field. Max.length 80 characters.

Reason The reason for the guest’s or contractor’s visit. Max. length 80 characters. Stored on the
Notes tab.

Person Visiting Maximum length 50 characters. Stored on the Notes tab.

Buttons

Add Field Click to add new data fields to track additional guest or contractor data, such as license
plate numbers or demo equipment details. Maximum length 80 characters.
Type the name of the field in the pop-up window. Select whether to make the field
required or optional.
Once new fields have been added they are stored in the Notes tab of the user’s
account. To see these fields go to the User Properties window.

Delete Field Delete a data field from the list. Only those fields that have been created by an
administrator can be deleted. System fields can be set to Ignore so they do not display,
but cannot be deleted from the template.

Reorder Fields Changes the order of the fields as they appear in the Guest or Contractor Form. Click
this button to reorder account information fields. In the pop-up window, click Move Up or
Move Down and OK.
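A validator for the captive-portal form described in the Data fields section, as an added example; it is not FortiNAC's code and does not describe how the portal is implemented. The rules it enforces are the ones in the table (required, optional or ignored fields, the maximum lengths, the always-required E-mail field with a format test, and a renamed label still storing in its original location). The template dictionary shape, the field keys and the email regular expression are assumptions for this illustration; administrator-added fields are any key not in the default list and go to the Notes tab.

```python
import re

# Storage rules from the Data fields table: (storage location, maximum length).
# "notes" means the Notes tab of the User Properties / Host Properties window.
DEFAULT_FIELDS = {
    "last_name": ("Last Name", 50),
    "first_name": ("First Name", 50),
    "address": ("Address", 50),
    "city": ("City", 50),
    "state": ("State", 50),
    "country": ("notes", 50),
    "zip": ("Zip Code", 16),
    "email": ("E-mail", None),
    "phone": ("Phone", 16),
    "mobile": ("Mobile Phone", 16),
    "mobile_provider": ("Mobile Provider", None),
    "asset": ("Serial Number", 80),
    "reason": ("notes", 80),
    "person_visiting": ("notes", 50),
}
CUSTOM_MAX = 80                                         # limit for Add Field entries
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")    # assumed format test


def validate_guest_form(template, submitted):
    """Validate a captive-portal submission against a template.

    template:  {field_key: {"mode": "required"|"optional"|"ignored", "label": str}}
               (assumed shape). Keys not in DEFAULT_FIELDS are administrator-added
               fields and are stored on the Notes tab.
    submitted: {field_key: str} as posted by the guest.
    Returns (record, notes, errors): database fields, Notes-tab entries, and the
    reasons the guest may not proceed (empty when the form is accepted).
    """
    record, notes, errors = {}, {}, []
    email_cfg = template.get("email")
    if email_cfg is None or email_cfg["mode"] == "ignored":
        errors.append("email: the E-mail field is always required and cannot be ignored")
    for key, cfg in template.items():
        mode, label = cfg["mode"], cfg.get("label", key)
        if mode == "ignored":
            continue                    # not shown on the form, never stored
        store, limit = DEFAULT_FIELDS.get(key, ("notes", CUSTOM_MAX))
        value = (submitted.get(key) or "").strip()
        if not value:
            if mode == "required" or key == "email":
                errors.append(f"{label}: required")
            continue
        if limit is not None and len(value) > limit:
            errors.append(f"{label}: exceeds {limit} characters")
            continue
        if key == "email" and not EMAIL_RE.match(value):
            errors.append(f"{label}: not a valid email address")
            continue
        # A renamed label ("Mother's Maiden Name") still stores in the original
        # location (the Last Name field), exactly as the text above describes.
        if store == "notes":
            notes[label] = value
        else:
            record[store] = value
    return record, notes, errors
```

Note that an ignored field is skipped before its value is read, so data a guest posts for a field the template does not display is dropped rather than stored; that is the behaviour you want from a portal form, and the thing to confirm when you test a customised template.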

Notes

The Notes tab on the template creation window allows you to provide additional information to guests and contractors.
After you have created a Guest or Contractor account, you may want to provide that user with their login information. Login
information can be printed, viewed on the screen, sent via text message to a mobile telephone or included in an
email. Any text added on the Notes tab is appended to the guest information included in the printout, email or text
message. See Provide Account Information To Guest Or Contractor for additional information.

Endpoint compliance policies for guests

Endpoint compliance policies and the agents that run associated scans are assigned based on the rules contained within
the Policy. FortiNAC selects a scan and an agent by comparing guest and host data to the user/host profile in each policy
beginning with the policy ranked number 1 until a match is found. When a match is found the scan and agent are
assigned and the guest's computer is scanned. If you want to create a specific policy for guests, you must define a policy
that searches for user data that only guests will match and place it at the beginning of the list of policies.

Example 1

In this example the policy will apply to guests based on their Role. Create a policy that has the following settings:

User/host profile

l Where: Leave this field blank.


l Who/What by Group: Leave this field blank.
l Who/What by Attribute: Add a filter for users. Within the filter enable Role and enter the name of the Role assigned
to guests. Typically the Role is named Guest, but you may have chosen to use a different role for Guests. Roles are
assigned by the guest template used to create the guest account.
l When: Set to Always.

Scan

l Scan: Create a scan to evaluate guest computers for compliance.

Endpoint compliance configuration

l Scan: Select the scan you wish to apply to guests.


l Agent Tab: Select the agent that should be used.

Endpoint compliance policy

l User/Host Profile: Select the profile that determines who is assigned this policy.
l Endpoint Compliance Configuration: Select the configuration that determines the scan and agent used.

Example 2

In this example the policy will apply to guests based on their Security & Access Value. Create a policy that has the
following settings:

User/host profile

l Where: Leave this field blank.


l Who/What by Group: Leave this field blank.
l Who/What by Attribute: Add a filter for users. Within the filter enable Security & Access Value and enter the name
of the Security & Access Value assigned to guests. These values are assigned by the guest template used to create
the guest account.
l When : Set to Always.

Scan

l Scan: Create a scan to evaluate guest computers for compliance.

Endpoint compliance configuration

l Scan: Select the scan you wish to apply to guests.


l Agent Tab: Select the agent that should be used.

Endpoint compliance policy

l User/Host Profile: Select the profile that determines who is assigned this policy.
l Endpoint Compliance Configuration: Select the configuration that determines the scan and agent used.
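First-match evaluation over ranked policies, as an added example (not FortiNAC code) of the ordering rule stated at the start of this section: the guest policy must sit ahead of any policy whose profile a guest would also match. The dictionary layout, the policy, scan and agent names, and the sample users are constructed for this illustration; the two guest policies mirror Example 1 (Role) and Example 2 (Security & Access Value), and a catch-all with a blank profile is placed last.

```python
def profile_matches(profile, user, host):
    """A user/host profile matches when every populated filter matches.
    Blank filters (Where, Who/What by Group) impose no constraint, so an empty
    profile matches everything that reaches it."""
    for attr, wanted in profile.get("user_attributes", {}).items():
        if user.get(attr) != wanted:
            return False
    groups = profile.get("groups")
    if groups and not set(host.get("groups", ())) & set(groups):
        return False
    return True


def select_policy(policies, user, host):
    """Walk the policies in rank order (rank 1 first) and return the first
    whose profile matches; that policy's configuration names the scan and
    agent applied to the host."""
    for policy in sorted(policies, key=lambda p: p["rank"]):
        if profile_matches(policy["profile"], user, host):
            return policy
    return None


def assigned_scan(policies, user, host):
    """Name of the scan the host will receive, or None if no policy matches."""
    policy = select_policy(policies, user, host)
    return policy["config"]["scan"] if policy else None


# Constructed policy list (names and scans are illustrative). Example 1 keys
# on Role, Example 2 on Security & Access Value; the catch-all sits last.
POLICIES = [
    {"rank": 1, "name": "Guest by Role",
     "profile": {"user_attributes": {"role": "Guest"}},
     "config": {"scan": "Guest-Scan", "agent": "Dissolvable"}},
    {"rank": 2, "name": "Contractor by SAV",
     "profile": {"user_attributes": {"security_access_value": "Contractor"}},
     "config": {"scan": "Contractor-Scan", "agent": "Dissolvable"}},
    {"rank": 3, "name": "Corporate catch-all",
     "profile": {},
     "config": {"scan": "Corp-Scan", "agent": "Persistent"}},
]


def reranked(policies, name, new_rank):
    """Copy of the list with one policy given a new rank; used to show what
    happens when the catch-all is moved ahead of the guest policy."""
    return [dict(p, rank=new_rank) if p["name"] == name else dict(p) for p in policies]


if __name__ == "__main__":
    guest = {"role": "Guest", "security_access_value": "Guest"}
    host = {"groups": []}
    print("ranked correctly:", assigned_scan(POLICIES, guest, host))
    print("catch-all first: ",
          assigned_scan(reranked(POLICIES, "Corporate catch-all", 0), guest, host))
```

The second line of output is the failure mode the section warns about: once a policy with a blank profile is ranked above the guest policy, every guest receives the corporate scan and agent, and the guest policy never matches anything.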

Modify templates

1. Click Users > Guest & Contractor Templates.


2. The Guest/Contractor Template Management window opens with a list of created templates.
3. Select the template and click Modify. Change the name of the template, or other information and parameters.

Once the template has been modified the modifications will only apply to new accounts
created from the template. All old accounts made from the template remain the same.

4. Click OK.

Copy templates

You may copy a template, save it under another name, and use it as the basis for a new template.
1. Click Users > Guest & Contractor Templates.
2. The Guest/Contractor Template Management window opens with a list of created templates.
3. Select the template and click Copy.
4. Change the name of the template, or other information and parameters.
5. Click OK.

Delete templates

You may delete a template at any time. Accounts that were created with the template prior to deletion are still valid and
retain the data that was in the template.
1. Click Users > Guest & Contractor Templates.
2. The Guest/Contractor Template Management window opens with a list of created templates.
3. Select the template and click Delete.
4. A confirmation message is displayed. Click Yes to delete the template.

Administrator profile

In FortiNAC, you can create an administrator and give that user an administrator profile that contains special
permissions for the Guest/Contractor feature set. These privileges are designed to restrict this user to certain parts of the
program. See Administrator profiles on page 41.
For guest manager, this type of user is referred to as a sponsor in documentation because that person sponsors
incoming guests and contractors. Creating a sponsor administrator profile allows the user to manage guest, contractor,
conference or self-registered guest accounts. For more information on the types of accounts, see Visitor types on page
87.
Guest manager supports multiple UPN formats (for example, @gcs.xyztech.com) so sponsors do not have to type their
full user login name. As administrators create guest or contractor accounts, their user name is added as a part of the
guest or contractor record for reporting purposes.

Additional permissions can be given to sponsors based on the parameters of their responsibilities. Create one or more
administrator profiles for these types of users. Sponsor administrator profiles determine whether the sponsor can
manage guest accounts, Kiosk Accounts, or self-registered guest accounts.

Add a guest manager profile

This procedure describes how to create a specific administrator profile for an administrator with permissions for guest
manager. As a sponsor, the administrator can create guest or contractor accounts. For details on all of the options that
can be included in an administrator profile, see Add an administrator profile on page 55.
If an administrator profile has Kiosk Mode enabled, the corresponding user can only log into the Kiosk computer to make
it available to arriving guests. That user cannot create accounts. You may need to create a sponsor who can manage
accounts and a second sponsor to use for the self-service Kiosk. See Add a guest kiosk profile on page 98.
To create an administrator profile you must first be logged into your Administrator account. Follow the steps below to add
an administrator profile for an administrator that is considered a sponsor for incoming guests:
1. Click Users > Administrators > Profile Mappings.
2. Click Add. The Add Admin Profile screen appears with the General tab highlighted.
3. On the General tab, enter a name for the profile, such as Guest Sponsor.
4. Under Manage Hosts and Ports select All.
5. Leave the defaults for the remaining fields and click on the Permissions tab.
6. On the Permissions tab note that some permissions are dependent on each other. Refer to the Permissions list on
page 49 for additional information.
7. The minimum that this sponsor must have is the Guest/Contractor Accounts permission set. Select all of the
check boxes for this set including the Custom check box.
8. When you select the Guest/Contractor permission set, the Landing Page field defaults to Guest/Contractor
Accounts.
9. In addition you may want to include the Self Registration Requests permission set, which allows a sponsor to Allow or
Deny guest access to a user who has registered through the captive portal. This is not required.
10. The Manage Guests tab is enabled when Custom is selected for the guest/contractor accounts permission set. Click
on the Manage Guests tab.
11. Use the table below to configure the settings.

Field Definition

Guest Account Access You can give administrators with this profile privileges that allow them to manage all
guest contractor accounts, regardless of who created them, only their own
accounts, or no accounts.
The privileges include whether the sponsors can add or modify accounts, locate
guests or contractors, and view reports.
No: Users can only see guest accounts they create and send credentials to those
guests. Users cannot modify or delete any guest accounts.
Own Accounts: Users can see guest accounts they create, send credentials to
those guests, and modify or delete their own guest accounts.
All Accounts: User can see all guest accounts in the database, send credentials to
guests and modify or delete any guest accounts.


Account Types Individual: Sponsor can create single guest accounts. Within the constraints of the
template, the sponsor may specify account start and end date. Each account has a
unique name and password associated with it.
Bulk: Sponsors may create multiple accounts with unique passwords by importing a
bulk account file.
Conference: Sponsors may create any number of conference accounts, or the
number may be limited by a template. Conference accounts may be named
identically but have a unique password for each attendee, have the same name and
password, or have unique names and passwords.

Create Accounts Days in Advance (Maximum) The maximum number of days in advance this sponsor is allowed to create
accounts.

Create Accounts Active For Days (Maximum) Determines the length of time the guest account remains active in the database.
There are two methods that work together for determining the length of time a guest
account is active. The shorter of the two is the one that is used to remove a
guest account from the database.
Account Duration (Hours): Option included in the guest template to limit the time a
guest account created with this template remains in the database. If this is blank, the
guest account end date is used. The Account Duration starts only when the guest
user first logs in. For example, you could create a guest account with a date range
that spans one week and if the account duration was 24 hours, they would be able to
log in for one 24 hour period any time during that week.
Account End Date: Option included on the Add Guest Account dialog to
determine the date on which the guest account expires. This field is required when a
guest account is created.

Can View Passwords Enabled by default. Controls whether or not passwords generated for guest
accounts are displayed to the operator that created the account. If disabled, the
operator cannot view the password. Only random passwords are generated. Guests
can still be informed of their password using email or SMS, depending upon
template settings. See Create templates on page 88.

Allowed Templates Indicates whether the administrator can use all guest templates or only those in the
Specify Templates > Selected Templates field. Default = All. Options include:
All Templates: Profile gives the administrator access to all templates in the
database when creating guest accounts.
Specify Templates: Profile gives the administrator access to the templates listed in
Selected Templates.

Specify Templates Allows you to select guest/contractor templates available for administrators with this
administrator profile. Use the arrows to place the templates needed in the Selected
Templates column and the unwanted templates in the Available Templates
column.
If All Templates is selected in the Allowed Templates field, all templates are moved
to the Selected Templates column and the arrows are hidden.


Available Templates Shows the templates that have not been selected to be included in this administrator
profile.

Selected Templates Shows the templates selected to be included in this administrator profile.

Add Icon Create a new guest/contractor template. For information on templates, see Create
templates on page 88.

Modify Icon Modify the selected guest/contractor template. For information on templates, see
Create templates on page 88.

12. Click OK to save.
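The Manage Guests settings above, expressed as the authorization check a sponsor portal would run before showing, changing or creating an account. This is an added example and not FortiNAC's own code; the class and function names, the sponsor identifiers, the template names and the dates are assumptions made for the illustration. It covers Guest Account Access (No / Own Accounts / All Accounts), Account Types, Allowed Templates, and the two maximum-days limits.

```python
from datetime import date


class SponsorProfile:
    """Subset of a guest-manager administrator profile (assumed field names)."""

    ACCESS_LEVELS = ("No", "Own Accounts", "All Accounts")

    def __init__(self, guest_account_access, account_types, days_in_advance,
                 active_for_days, allowed_templates=None, can_view_passwords=True):
        if guest_account_access not in self.ACCESS_LEVELS:
            raise ValueError(f"unknown Guest Account Access value: {guest_account_access}")
        self.guest_account_access = guest_account_access
        self.account_types = set(account_types)      # subset of Individual, Bulk, Conference
        self.days_in_advance = days_in_advance       # Create Accounts Days in Advance (Maximum)
        self.active_for_days = active_for_days       # Create Accounts Active For Days (Maximum)
        # None models "All Templates"; a set models "Specify Templates" > Selected Templates
        self.allowed_templates = None if allowed_templates is None else set(allowed_templates)
        self.can_view_passwords = can_view_passwords


def can_see(profile, sponsor, account):
    """Every level lets a sponsor see the accounts they created; only
    'All Accounts' exposes accounts created by other sponsors."""
    if profile.guest_account_access == "All Accounts":
        return True
    return account["created_by"] == sponsor


def can_modify(profile, sponsor, account):
    """Modify and delete share one rule: 'No' never permits changes, even to
    the sponsor's own accounts; 'Own Accounts' permits changes to those only."""
    if profile.guest_account_access == "All Accounts":
        return True
    if profile.guest_account_access == "Own Accounts":
        return account["created_by"] == sponsor
    return False


def check_create(profile, today, account_type, template, start, end):
    """Reasons an account request violates the sponsor profile (empty = allowed).
    Dates are datetime.date values."""
    errors = []
    if account_type not in profile.account_types:
        errors.append(f"{account_type} accounts are not permitted for this profile")
    if profile.allowed_templates is not None and template not in profile.allowed_templates:
        errors.append(f"template {template} is not in Selected Templates")
    if (start - today).days > profile.days_in_advance:
        errors.append("start date exceeds Create Accounts Days in Advance (Maximum)")
    if (end - start).days > profile.active_for_days:
        errors.append("account lifetime exceeds Create Accounts Active For Days (Maximum)")
    if end < start:
        errors.append("end date precedes start date")
    return errors


if __name__ == "__main__":
    # Constructed sample: a front-desk sponsor limited to one template.
    desk = SponsorProfile("Own Accounts", {"Individual"}, days_in_advance=7,
                          active_for_days=3, allowed_templates={"Visitor"})
    today = date(2023, 3, 10)
    print(check_create(desk, today, "Individual", "Visitor", date(2023, 3, 13), date(2023, 3, 15)))
    print(check_create(desk, today, "Conference", "Contractor", date(2023, 3, 20), date(2023, 3, 30)))
```

Two points worth keeping in mind when you map this onto real profiles: "No" is not read-only in the sense of seeing nothing, it still shows the sponsor their own accounts and lets them send credentials; and the days-active limit here is a separate ceiling from the template's Account Duration, whichever of the two is shorter still governs when the account is removed.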

Add a guest kiosk profile

A kiosk allows visitors to your facility to create their own account. Guests have a maximum of 24 hours of access to your
network, which may be only during certain hours of the day, or a pre-defined number of hours from when they log on.
Guests may simply be queried for pre-defined contact data. In any case, at 11:59 PM each day, or after the allowed
number of hours has elapsed, kiosk guest accounts expire.
All other profile options are disabled if kiosk mode is enabled, because guests creating their own accounts would not
need access to other options.
For added security, sponsors should use a kiosk browser. Kiosk browsers block users from accessing other programs on
the host or other web sites.
This procedure describes how to create a profile that gives a sponsor permission to manage a kiosk. A sponsor with
kiosk mode enabled cannot access any of the regular FortiNAC windows. That user can log in to display the guest login
web page and make it available on the kiosk PC.
To create a profile you must first be logged into your Administrator account.
1. Click Users > Administrators > Profile Mappings.
2. Click Add. The Add Admin Profile screen appears with the General tab highlighted.
3. On the General tab, enter a name for the profile, such as kiosk sponsor.
4. Use the table below to fill out the settings.
5. Under Manage Hosts and Ports select All.
6. Select Enable Guest Kiosk.
7. In the Kiosk Template field select a guest/contractor account template. All guest accounts created through the
Kiosk will use this template.
8. In the Kiosk Welcome Text field type the message that a guest will see when they create a guest account through
the Kiosk.
9. Click OK to save.

Settings

Field Definition

Name Enter a name that describes the profile, such as kiosk sponsor.


Logout After User is logged out after this amount of time has elapsed without any activity in the user
interface.

Login Availability Specify when this sponsor can log into the network:
l Always

l Specify Time

The Specify Time option requires you to specify an hourly time range and the days of
the week the sponsor can log in.

Manage Hosts And Ports Restricts an administrator to a specific set of hosts or ports. The set is defined by host
and port groups that are assigned to be managed by a specific group of administrators.
Any administrator that has a profile with this option enabled can only view and/or modify
a subset of the data in FortiNAC. Typically, this type of user would ONLY have the
Manage Hosts & Ports permission set on the Permissions tab, therefore, this setting is
not used frequently. Default = All.
l All: All groups containing hosts and ports can be accessed.
l Restrict By Groups: Enables the restriction of administrators to specific hosts and
ports.
For an overview and additional setup information, see Limit access with groups on page
64.

Note User specified note field. This field may contain notes regarding the data conversion
from a previous version of FortiNAC for an existing administrator profile record.

Enable Guest Kiosk If you enable this mode, sponsors can log into FortiNAC to provide visitors self-serve
account creation through a kiosk. For added security, use a kiosk browser. See Using a
kiosk on page 108 to read the sponsor’s procedure.
Sponsors with this profile cannot do anything except log into the Kiosk PC to display the
Guest Login page. Sponsors who need to manually create visitor accounts cannot have
Kiosk mode enabled.

Kiosk Template Select a Kiosk template for this sponsor. All visitors who use the self-service Kiosk
when this sponsor is logged in will be assigned this template.

Kiosk Welcome Message Enter the message that will appear when the kiosk user creates a guest account.

Add a guest self registration profile

Guest self registration allows visitors to request a temporary or guest account from their own device. A sponsor receives
an email indicating that a request has been received from a guest. The sponsor responds to the request by approving or
denying it. Sponsors with the guest self registration profile or with a guest manager profile and administrators can
respond to a self registration request from a guest.
Anyone in your organization can be a sponsor for guest self registration. They must be entered into FortiNAC as an
administrator and that user account must have a guest self registration administrator profile applied. You can quickly
create sponsors by using directory groups. See Set privileges based on directory groups on page 65.
Guests can access your network for the length of time specified by the account duration. Availability can be 24 hours a
day or limited to specific hours during the day.

To create a profile you must first be logged into your administrator account.
1. Click Users > Administrators > Profile Mappings.
2. Click Add. The Add Admin Profile screen appears with the General tab highlighted.
3. On the General tab, enter a Name for the profile.
4. Use the table below for details on the fields in the General tab.
5. Under Manage Hosts and Ports select All.
6. Leave the defaults for the remaining fields and click on the Permissions tab.
7. On the Permissions tab note that some permissions are dependent on each other. Refer to the Permissions list on
page 49 for additional information.
8. The minimum that this sponsor must have is the Self Registration Requests permission set. Select all of the check
boxes for this set.
9. When you select the Self Registration Requests permission set, the Landing Page field defaults to Self
Registration Requests.
10. Click OK.

Settings

Field Definition

Name Enter a name that describes the profile, such as self registration sponsor.

Logout After User is logged out after this amount of time has elapsed without any activity in the user
interface.

Login Availability Specify when this sponsor can log into the network:
l Always

l Specify Time

The Specify Time option requires you to specify an hourly time range and the days of
the week the sponsor can log in.

Manage Hosts And Ports Restricts an administrator to a specific set of hosts or ports. The set is defined by host
and port groups that are assigned to be managed by a specific group of administrators.
Any administrator that has a profile with this option enabled can only view and or modify
a subset of the data in FortiNAC. Typically, this type of user would ONLY have the
Manage Hosts & Ports permission set on the Permissions tab, therefore, this setting is
not used frequently. Default = All.
l All: All groups containing hosts and ports can be accessed.

l Restrict By Groups: Enables the restriction of administrators to specific hosts and

ports.
For an overview and additional setup information, see Limit access with groups on page
64.

Note User specified note field. This field may contain notes regarding the data conversion
from a previous version of FortiNAC for an existing administrator profile record.

Enable Guest Kiosk Do not enable this field for the Self Registered Guest administrator profile.
If you enable this mode, sponsors can log into FortiNAC to provide visitors self-serve
account creation through a kiosk. For added security, use a kiosk browser. See Using a
kiosk on page 108 to read the sponsor’s procedure.


Sponsors with this profile cannot do anything except log into the Kiosk PC to display the
Guest Login page. Sponsors who need to manually create visitor accounts cannot have
Kiosk mode enabled.

Administrators

When you create or modify an administrator, you must attach an administrator profile to the account. Before adding
administrators to manage guests, create an administrator profile that contains the set of permissions that allow the
administrator to sponsor guest, contractor, or conference accounts. The profile limits the administrator's access to
FortiNAC features.
When an administrator with an administrator profile logs into FortiNAC, the system presents the views available based
on the user's default permissions. You can configure administrators to authenticate locally or externally via RADIUS or
LDAP. If the administrator cannot be authenticated, an error message specifying the problem displays.

Add an administrator

If you are creating administrators to manage guests or devices, you must create an administrator who has the
appropriate administrator profile associated. See Administrator profiles on page 41.
1. Select Users > Administrators.
2. Select Add.
3. Enter an alphanumeric User ID for the new administrator and click OK.
As you enter the user ID, the network user database is checked to see if there is a current user with the same ID and
a drop-down list of matching users is displayed.
If you enter an ID that already exists as a regular network user, the network user and the administrator become the
same person with a single account. This allows you to give a network user administrator privileges to help with some
administrative tasks.

4. Use the table below for settings:

Field Definition

Authentication Type Authentication method used for this administrator. Types include:
l Local: Validates the user to a database on the local FortiNAC appliance.

l LDAP: Validates the user to a directory database. FortiNAC uses the LDAP

protocol to communicate to an organization’s directory.


l RADIUS: Validates the user to a RADIUS server.

Admin Profile Profiles control permissions for administrators. See Administrator profiles on page
41.
l Add: Opens the administrator profiles window allowing you to create a new

profile without exiting the Add User window.


l Modify: Allows you to modify the selected administrator profile. Note that

modifications to the profile affect all administrators that have been assigned
that profile.

User ID Unique alphanumeric ID for this user.

Password Password used for local authentication.


If you authenticate users through LDAP or RADIUS, the password field is disabled
and the user must log in with his LDAP or RADIUS password.

First Name User's first name.

Last Name User's last name.

Address Optional demographic information.

City

State

Zip/Postal Code

Phone

E-mail E-mail address used to send system notifications associated with features such as
alarms or profiled devices. Also used to send guest self registration requests from
guests requesting an account. For multiple e-mail addresses, enter addresses
separated by commas or semi-colons. Messages are sent to all e-mail addresses
provided.

Title User's title, such as Mr. or Ms.

Mobile Number Mobile Phone number used for sending SMS messages to administrators.

Mobile Provider Mobile provider for the mobile phone number entered in the previous field. Used to
send SMS messages to administrators. This field also displays the format of the
SMS address that will be used to send the message. For example, if the provider is
US Cellular, the format is xxxxxxxxxx@email.uscc.net, where the x's represent the
user's mobile phone number. The number is followed by the email domain of the
provider's message server.


Notes Free form notes field for additional information.

User Never Expires If enabled, administrators are never aged out of the database. The default is
enabled. Administrators assigned the System Administrator profile cannot be aged out.

Propagate Hosts The Propagate Hosts setting controls whether or not the record for the host owned
by the user is copied to all managed FortiNAC appliances. This field is only
displayed if the FortiNAC server is managed by a FortiNAC Control Manager.

5. Click OK to save the new user.

Portal page setup

If you are using the portal pages distributed with FortiNAC you may need or want to edit some of the settings that apply to
guest users. Below is a list of settings that should be edited for guests. For a description of each field and how to use it,
hover over the field in the portal content editor.
The portal content editor is arranged in a tree configuration. As you select an item on the left, the pane on the right
displays corresponding options or settings that can be edited to manipulate how guests are treated in the portal and what
is displayed on the web pages used by guests.
Options marked with an asterisk are not limited to guest use. These options may be displayed on many portal
pages. For example, the instructions page can be enabled as a link on both the guest registration page and the user
registration page.

Tree Option / Settings

Registration > Login Menu; Authentication > Login Menu:
l Guest Login Enabled
l Guest Login Title
l Guest Login Link
l Guest Login Order

Registration > Login Menu:
l Self Registration Guest
l Self Registration Guest Login Title
l Self Registration Guest Login Link
l Anonymous Authentication Enabled
l Anonymous Authentication Title
l Anonymous Authentication Link
l Anonymous Authentication Order

Registration > Self Registration Login:
l Window Title
l Left Column Content
l Request Page Title
l Request Page Introduction
l Request Page Form Title
l Request Access Button Text
l Pending Page Title
l Default Sponsor Email
l Sponsor Email Label
l Notify Sponsor of Guest Details
l Accept Notification
l Login Username Label
l Login Password Label
l Require Sponsor Approval
l Guest Request Expiration (minutes)
l Request Pending Message
l Deny Notification
l Expired Notification
l Cancel Request Button Text
l Message from Sponsor Header
l Sponsor Email Intro Text
l Sponsor Approval Link Requires Login
l Sponsor Email Login Link Text
l Sponsor Email Approve Link Text
l Sponsor Email Deny Link Text
l Notify User via Portal Page
l Show Password in Portal Page Notification
l Notify User via Email
l Notify User via SMS
l Default Guest Template
l Acceptable Use Policy
l Acceptable Use Policy Checkbox Text
l URL for Acceptable Use Policy
l Link text for Acceptable Use Policy URL
l Text for Acceptable Use Policy
l Instructions

Registration > Primary Guest Login; Authentication > Primary Guest Login:
l Window Title
l Title
l Left Column Content
l Introduction
l Form Title
l User Name Label
l Password Label
l Missing Fields
l Instructions

Registration > Secondary Guest Login; Authentication > Secondary Guest Login:
l Window Title
l Title
l Left Column Content
l Main Content
l Introductory Paragraph
l Form Button Text
l Account Expiration Label
l Login Availability Label

*Registration > Instructions; *Authentication > Instructions:
l Window Title
l Title
l Left Column Content
l Introduction
l Show Windows Instructions
l Windows Instructions
l Show macOS Instructions
l macOS Instructions
l Show Linux Instructions
l Linux Instructions
l Show Other Instructions
l Other Instructions Title
l Other Instructions
l Display as Accordion View

*Registration > Success; *Authentication > Success:
l Window Title
l Title
l Left Column Content
l Progress Bar Enabled
l Progress Bar Title
l Please Wait message
l Success Message
l Finished Message

Printer settings for guest badges

Visibility of account passwords is limited. See Expected password display behavior under
Guest & Contractor users.

In guest manager, administrators you designate as sponsors can access guests' account credentials that show the user
name, password, and access start time and end time. Sponsors may print the account details, e-mail them or send them
via an SMS message directly to guests after account creation.
If sponsors managing guest kiosks or conferences need to print badges, contact your IT Manager to ensure that printer
settings are optimized for badge creation:
l Make sure the label printer is the default printer for kiosks.
l In the Printer Properties, Paper Options settings, set the paper label size to a minimum of 2” x 2-3/4” (5.1 cm x 7
cm).
l In the Page Handling Settings, make sure that Auto-Rotate is enabled to automatically adjust the orientation to fit
the label’s orientation on the sheet.
l Test to make sure that text is centered and fits on each label.

Events and alarms

Certain actions within guest manager generate events that appear in the Event Log. Examples of guest manager events
are listed in the following table.

Event Definition

Conference Created Using guest/contractor accounts you can create a batch of conference user
accounts. This event is generated when those accounts are created and
indicates the number of accounts created.

Guest Account Created New guest account is created.

Guest Account Deleted Guest account is deleted.

If certain event conditions occur, you are immediately informed of the condition through the alarm notification system.
You can define and map additional events to alarms.
For more information on events and alarms, e-mail notifications, and how to map events to alarms see Map events to
alarms on page 334.

Accounts with sponsor privileges

As a guest manager sponsor, you must log into FortiNAC to create guest or contractor accounts. Once logged in, the
permissions defined by your administrator in your sponsor’s administrator profile are applied. Depending on the
permissions, you could be presented with a Locate tab, a Guest/Contractor Accounts tab, a View Reports tab, or all
three.

Visibility of account passwords is limited. See Expected password display behavior under
Guest & Contractor users.

Log in as a sponsor

You can access the sponsor privileges assigned to you only when you log into your account.
1. Use a web browser to access URL: https://<Hostname>:8080
2. Enter the username and password that was given to you by the administrator.
3. A screen with the end-user license agreement opens. To access your sponsor account, read the agreement and
press Accept.
4. Based on your privileges, this screen will show a Bookmarks drop-down menu. From this menu you can select
Guest/Contractor Accounts or Locate to locate hosts and users.

As a sponsor, you can:
l Create and manage Guest, Contractor, and Conference accounts.
l Locate guests, contractors, and other sponsors.
l Sign-in to the kiosk you are in charge of to allow guests to create their own accounts for network access.
Guest sponsor users who sign in to the kiosk to prepare it for arriving guests have very limited permissions. If you
are responsible for both the kiosk and managing Guest, Contractor and Conference accounts, you will need to have
separate logins for each responsibility.
l To search for host or user records, click the Locate tab to open the Locate screen. See Locate on page 1.
l As a sponsor you will typically want to create accounts for guest, contractors, and conference members before they
arrive. To create and manage accounts, click Bookmarks > Guest/Contractor to open the Create screen. See on
page 107, Create bulk or multiple accounts on page 1, or Conference accounts on page 1.
l To view reports of guest or contractor accounts and registrations, click the View Reports link at the top of the
Guest/Contractor Accounts view.
In addition to these privileges, guest manager sponsor users may also have permission to manage a self-serve kiosk or
to manage guest self registration. The kiosk allows guests to create their own accounts for network access. The guest
self registration option allows guests to send a request for network access which can be approved or denied by the
sponsor. A sponsor with permissions to manage a self-serve kiosk or guest self registration does not have permission to
manage Guest, Contractor and Conference accounts. A user who is responsible for all of these types of guest account
creation must have a separate login for the Kiosk.
A kiosk is unique within guest manager. Once the sponsor's credentials for the kiosk have been entered, guests use the
kiosk computer to create their own accounts. Network access is limited and there are generally time constraints. For
more information on a self serve kiosk see Using a kiosk on page 108.

Guest account details

Guest user records created when guest accounts are generated are displayed in the user view with network and
administrator users. The Guest Account Details window displays data from the guest template used to create the guest
user.
1. Select Users & Hosts > User Accounts.
2. Search for the appropriate user.
3. Select the user and either right-click or click Options.
4. Select Guest Account Details.

Field Description

User ID Guest's email account which is used as the user ID at login.

Account Status Indicates whether the guest account is enabled or disabled.

Sponsor The administrator who created the guest account.

Account Type Guest account type. Types include:
Guest: A visitor to your facility with limited or Internet-only network access.
Conference: A group of short- or long-term visitors to your organization who require
identical but limited access to your network for typically one to five days.
Contractor: A temporary employee of your organization who may be granted all or
limited network access for a specific time period generally defined in weeks or months.

Start Date Date and time (using a 24-hour clock format) the account will become active for the
guest or contractor.

End Date Date and time the account will expire.

Login Availability Times during which the guest is permitted to access the network.

Role Role is an attribute of a user or a host. It is used in user/host profiles as a filter when
assigning network access policies, endpoint compliance policies, and Supplicant
EasyConnect policies.

Authentication Indicates type of authentication used. Options include: Local, LDAP or RADIUS. Guests
typically use Local authentication.

Account Duration Amount of time this account will remain valid and usable.

Reauthentication Period Number of hours the guest or contractor can access the network before
reauthentication is required.

URL for Successful Landing Page Directs the guest or contractor to a specific web page when they have successfully
logged into the network and passed the scan in an endpoint compliance policy. This field is optional and is used only
if you have Portal V1 enabled in portal configuration.

URL for Acceptable Use Policy Directs the guest or contractor to a specific web page that details the acceptable use
policy for the network.

Password The Guest's assigned password. Passwords are usually generated by the system
unless the guests were bulk imported. Toggle Show Password/Hide Password to
alternately display the password in plain text or as asterisks.

Using a kiosk

A sponsor is an individual who is granted permission by an administrator to create accounts for guests or contractors. If
you are a kiosk sponsor, you log in to a self-serve kiosk with your credentials and display the self-serve web page.
Depending on the parameters defined in the Kiosk administrator profile by the administrator, the kiosk may only be
available on specified days of the week during certain times of the day. As long as you, the kiosk sponsor, remain logged
onto the kiosk, guests can create their own accounts. It is strongly recommended that you use a kiosk browser. Kiosk
browsers block users from accessing other programs on the host or other web sites.
The required data for guest accounts is pre-defined by the administrator in the Guest template. The required data may
include a guest’s name, e-mail, and address. Once guests have created their accounts they can go anywhere within the
facility to access the network.
A self serve kiosk:
l Reduces a sponsor’s workload because guests create their own accounts.
l Frees up IT staff from having to create accounts.

l Makes it easier for guests visiting short-term to have network access.
l Allows guests immediate network access without depending on someone to do it for them.
To set up your kiosk:
1. Install a Kiosk browser on the computer being used as the kiosk. See Kiosk browser on page 109.
2. If you plan to have guests print out their credentials, make sure that printer settings are correct for printing guest
badges with login information. See Printer settings for guest badges on page 105.
3. If you plan to allow guests to send credentials to a mobile telephone using an SMS message the following
requirements must be met:
l The guest template associated with the kiosk administrator profile must have Send SMS enabled and Mobile
Number and Mobile Provider must be included in the data fields required for the guest account.
l Enable the Mobile Providers that guests might be using in the Mobile Provider view. See Mobile providers on
page 1.
4. Create a guest template that will be used in the Kiosk. The settings in this template control all aspects of the guest
account created through the kiosk. See Create templates on page 88.
5. Create an administrator profile that permits only kiosk access and associate the kiosk guest template. See Add a
guest kiosk profile on page 98 .
6. Create a new administrator and apply the Kiosk administrator profile to that user.
7. When the Kiosk user has been created, have that user log into the computer being used as the kiosk. See Log
into a kiosk on page 109.
You are now ready to allow guests to create their own accounts.

Kiosk browser

Many browsers can be set to Kiosk mode to prevent access to everything on the computer on which the browser is
running. If your guests will be creating their own network accounts on a publicly available computer, it is recommended
that you install a browser that can run as a Kiosk browser. The example and instructions show below are for Firefox.
Many other browsers have similar capabilities.
1. Download and install Firefox.
2. Download and install the Real Kiosk add-on.

Once the Real Kiosk add-on is installed, this browser will always run in Kiosk mode.

3. To close Firefox once it is in Kiosk mode type Alt+F4.
4. To go to the homepage type Alt+Home.
5. To temporarily access Firefox in normal mode, right-click on the Firefox icon and select Properties. In the Target
field go to the end of the path, add safe-mode and click OK.
6. Launch Firefox.

Log into a kiosk

Your administrator has enabled Kiosk Mode in your administrator profile. This means that once you
have logged into a self-serve kiosk, guests can create their own accounts. Guests have access to the network according
to the parameters defined by your administrator in the Guest template.

The use of a kiosk browser is recommended to prevent the guests or contractors from logging out and to provide more
security.
1. Bring up a web browser and type in the URL: http://<Hostname>:8080
2. This brings you to the administrator login screen.
3. Enter the Username and Password given to you by your Administrator. The Kiosk Welcome Message Screen
appears. Guests also see this Welcome screen.
4. A screen appears with Information Required to Create an Account.
5. From this screen, guests can create their own accounts.

Account creation

1. A guest sees a welcome screen with instructions supplied by the administrator.
2. The guest clicks Start in the welcome screen.
3. A screen opens with a form. Guests must enter their e-mail address, but the other information may be entered upon
their arrival or later, when they activate their account.

Parameter Description

E-mail The guest’s e-mail address. This becomes the guest's user name for logging on to
the network. It is also used to email credentials if desired. Required.

Account Start Date In Kiosk mode, the date and time cannot be changed. The account end date is
determined by the duration entered in the kiosk template specified in the kiosk
administrator profile. Accounts will never remain active beyond 11:59 PM each day.

Account End Date If no duration is specified in the template or if the duration extends beyond midnight,
the account will expire at 11:59 PM on the current day.
If the duration ends before midnight, the account will expire at the specified time.

Additional Account Information Guests enter Additional Account Information to create an account. The asterisk (*)
indicates required fields. Note that the fields that appear in this screen were
predefined in the template.

Mobile Number, Mobile Provider If you intend to allow guests to send themselves an SMS message with their login
credentials, these two fields must appear on the Kiosk window.

4. The guest clicks Apply, which opens an account details screen containing the guest's e-mail and a generated
password. Depending on the configuration of the template used to create the account, guests can print out their
credentials so they have their password available when they log in later, they can e-mail the credentials to
themselves, or they can send an SMS message to their mobile telephones.
5. Click Finish.
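The end-date rule in the table above (expire at start plus the template duration, but never later than 11:59 PM on the day the account was created) is worth pinning down, because a kiosk guest who could keep an account past midnight would sidestep the daily cut-off. The following Python helper is an added example and not FortiNAC code: it models that rule as stated in this guide, including the case where the template duration runs past midnight, and the sample start times and durations are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import Optional

# Added example (not FortiNAC code) modelling the kiosk account end-date rule
# from the guide: end = start + template duration, capped at 11:59 PM on the
# day the account was created; no duration means 11:59 PM that day.

DAILY_CUTOFF = (23, 59)  # 11:59 PM, as stated in the guide


def kiosk_account_end(start: datetime, duration: Optional[timedelta]) -> datetime:
    """Return the expiry timestamp for a kiosk-created guest account.

    start    -- the account start time (fixed by the kiosk, cannot be changed)
    duration -- the Account Duration from the kiosk guest template, or None
                when the template leaves it unset
    """
    cutoff = start.replace(hour=DAILY_CUTOFF[0], minute=DAILY_CUTOFF[1],
                           second=0, microsecond=0)
    if duration is None:
        # No duration in the template: the account expires at 11:59 PM today.
        return cutoff
    if duration <= timedelta(0):
        raise ValueError("account duration must be positive")
    # A duration that would run past midnight is clipped to 11:59 PM today.
    return min(start + duration, cutoff)


def end_for(start_iso: str, duration_hours: Optional[float]) -> str:
    """String front-end: ISO-8601 start time and duration in hours -> ISO end time."""
    start = datetime.fromisoformat(start_iso)
    duration = None if duration_hours is None else timedelta(hours=duration_hours)
    return kiosk_account_end(start, duration).isoformat(timespec="minutes")


def is_active(now_iso: str, start_iso: str, duration_hours: Optional[float]) -> bool:
    """True while 'now' lies inside the account's [start, end] window."""
    now = datetime.fromisoformat(now_iso)
    start = datetime.fromisoformat(start_iso)
    duration = None if duration_hours is None else timedelta(hours=duration_hours)
    return start <= now <= kiosk_account_end(start, duration)


if __name__ == "__main__":
    # Constructed sample: an account created at 8:30 PM with three template settings.
    created = "2023-03-10T20:30"
    for hours in (2, 8, None):
        print(f"duration={hours} -> ends {end_for(created, hours)}")
```

The `min()` against the daily cut-off is the whole point: whatever the template says, the account cannot outlive the day on which the kiosk sponsor was logged in.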

Account activation

The following procedure describes the steps guests follow to activate their temporary account on their own regardless of
how it was created. Guest accounts can be created either by an administrator, a sponsor, or the guest themselves using
a kiosk. Once the guest has received his login credentials through one of these account creation methods, the activation
process is as follows:
1. Guests type in their e-mail address and the password that was generated when the account was created.
2. Guests click Register or Download.

3. The Welcome screen opens.
4. The account information in this screen may be filled in if guests entered the data when they arrived. If they did not,
they need to do so at this time to create their account. The fields denoted with an asterisk (*) are the pre-defined
required fields.
5. Guests click Continue. After a few moments, a pop-up screen appears with the FortiNAC Dissolvable
Agent.exe file. Guests save this file on their computer.
6. Once guests are at the location in the facility where they will use their computer, they must run the .exe file, which
scans their computer. The guest receives a pass or fail message.
7. If the host does not pass the policy requirements, a remediation web page appears and directs the guest to correct
the problems that inhibited opening his account.
8. If the computer passes, the .exe file is automatically removed. Now the guest can go anywhere in the facility and
connect to the network.

Kiosk shut down

A self-serve kiosk is shut down when the specified login period for the kiosk sponsor has elapsed. Guests will no longer
be able to create their own accounts until the kiosk sponsor logs back into the kiosk. During the period that the kiosk is
shut down, guests should be directed to contact the help desk for account creation.

Guest self registration

Use the self registration feature to allow a guest to create a request for access to your network from their own device.
When the guest opens a browser he is redirected to the registration page in the captive portal. From that page he can
either login with previously assigned credentials or request access. Requests are forwarded to a sponsor or to a request
pool to be approved or denied. When a request is approved, the guest receives his credentials in the browser on the
login page, in an email or in an SMS message sent to his mobile telephone. All guest accounts are configured to expire
after a user specified amount of time based on the template with which they are created.

End user workflow

Steps
1. Connect to the network.
2. Open a browser. The Isolation message is displayed briefly.
3. The browser is redirected to the Registration page.
4. On the Registration page, click the Self Registration option. A request form is displayed.
5. Fill in the form and click Request Guest Access. Depending on the configuration of the web page, you may be
required to enter the email address of a sponsor. A sponsor is a person who has access to the FortiNAC
administration program and can approve or deny your access request.
6. The browser displays a welcome message and asks you to wait. You can click Cancel if you wish to cancel the
request.
7. The request expires if it is not responded to within the number of minutes configured in the portal. The default is 20
minutes.
8. When the sponsor approves the request, you are taken to the Login screen. Depending on the portal configuration,
credentials are filled in automatically, sent to the guest via email, or sent in an SMS message.
9. Click Login on the Welcome page. The Success page is displayed.

10. A message is displayed indicating that your network is being reconfigured and to close and reopen the browser.
Close the browser and reopen it. You are now on the Production network and should be able to access the internet
freely.
11. If you shut down your computer and access the network again later, you must open a browser and login again. If
cookies are enabled on your computer, the login screen is displayed and the User Name and Password fields may
be pre-populated.

Implementation

It is recommended that you review the Implementation process for guest manager for general setup details. This section
covers only those configuration details that are specifically required for Guest self registration.
l All guest accounts are created based on a template. For guest self registration you must create a template with
Visitor Type set to Self-Registered Guest and it must have an account duration to indicate when the account
should expire. There is a default template, GuestSelfRegistration, that can be used or you can create a new one. All
Self-Registered guests are configured with the same template. The template used is selected in the Portal content
editor under Registration > Self Registration Login.
l Create an administrator profile specifically for administrators that will respond to Guest self registration requests.
These users could also have permission for guest/contractor accounts or other parts of FortiNAC that you deem
appropriate for their job. See Add a guest self registration profile on page 99.
l Create one or more administrators that will be responsible for processing Guest self registration requests and apply
the Guest self registration profile. Administrators must have an e-mail address if they are to receive and respond to
requests for guest accounts. Note that administrators can be created based on groups in your directory and
permissions or profiles can be automatically assigned based on those groups. This can be useful if many people in
your organization will be responsible for processing Guest self registration requests. See Set privileges based on
directory groups on page 65.
l Configure your portal pages for Guest self registration in the portal content editor. See Portal page setup on page
103.
l Within the Portal you can specify the sponsor or sponsors to which the request should go or you can enable the
Sponsor field for the guest to fill in when creating the request. The guest must enter the sponsor's email
address.
l If you do not enable the Require Sponsor Approval option for guest accounts, guests simply create their own
accounts using the template specified in the portal.
l If you require sponsors and other administrators to connect to the admin UI using https or if you are in a high
availability environment where redundant servers do not share an IP address because those servers are on
different subnets you must configure settings to generate the correct links in the emails sent to sponsors.

Sponsor Approval Email Links

In Guest Manager when Self Registration Requests are sent to sponsors, the email messages contain links for the
sponsor to either automatically accept/deny the request, or to login to the Admin UI to do this. The default links provided
use https access and authenticate against the SSL certificate securing the FortiNAC Admin UI.
Modifying Host Name, Security Level and Port
The link contained in the email is composed by FortiNAC. The link contains the URL of the FortiNAC Server or Control
Server. Any of the following URL components can be modified:
l FQDN (default: FQDN as appears in /etc/hosts file and Configuration Wizard Basic Network screen)
l Security Level (default: https)
l Port (default: 8443)

In some situations, it may be desired to modify any or all of these components depending upon the appliance
configuration. For example, in a High Availability environment with an L3 configuration where redundant FortiNAC
servers do not use a shared IP address, the URL should contain the FQDN of the correct FortiNAC Server or Control
Server. Typically, FortiNAC can determine the FQDN; however if there is an issue, the FQDN can be configured.
To modify any of the above components for the email links, a property file must be modified on the FortiNAC Server.
Modify the property file as follows on both Primary and Secondary Servers:
1. Log into the CLI as root on your FortiNAC Server or Control Server.
2. Navigate to the following directory: /bsc/campusMgr/master_loader/
3. Using vi or another editor, open the .masterPropertyFile file.
4. At the top of the file there is a sample entry that is commented out. Use the syntax and example below to create
your own changes.
Syntax:
FILE_NAME=./properties_plugin/selfRegRequest.properties
{
com.bsc.plugin.guest.SelfRegRequestServer.EmailLinkHost=<security level>://<FQDN>:<port>
}

Example:
#############################################################
# FILE_NAME=./properties_plugin/bridgeManager.properties
# {
# com.bsc.plugin.bridge.BridgeManager.verifyRegisterdClients=true
# }
#############################################################
FILE_NAME=./properties_plugin/selfRegRequest.properties
{
com.bsc.plugin.guest.SelfRegRequestServer.EmailLinkHost=https://myNACServer.Fortinetnetworks.com:8443
}

5. Save the changes to the file.
6. Restart the FortiNAC Server.
shutdownCampusMgr
<wait 30 seconds>
startupCampusMgr
When the server restarts, the changes listed in the .masterPropertyFile are written to the selfRegRequest.properties
file.
Verify:
Log into the CLI of the FortiNAC Server or Control Server and verify that the changes have been written to
selfRegRequest.properties. At the prompt, enter:
grep -i EmailLinkHost /bsc/campusMgr/master_loader/properties_plugin/selfRegRequest.properties

Now when FortiNAC sends sponsor approval email, the links included will use this modified URL.
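Because this block is typed by hand on both the primary and secondary server and a mistake only surfaces after a restart (as a sponsor email carrying a broken or plain-http approval link), it helps to check the entry before restarting. The Python script below is an added example and not FortiNAC code: it parses the FILE_NAME / { key=value } block syntax shown above, skipping commented-out sample entries, and reports problems with the EmailLinkHost value such as a missing port, an unqualified host name, or an http scheme. The embedded master property file text and the host name nac.example.com are constructed for the example; the script does not reproduce how FortiNAC itself writes selfRegRequest.properties at restart.

```python
from urllib.parse import urlsplit

# Added example (not FortiNAC code): pre-flight check for the EmailLinkHost
# entry in .masterPropertyFile before the service is restarted.

EMAIL_LINK_KEY = "com.bsc.plugin.guest.SelfRegRequestServer.EmailLinkHost"
SELF_REG_FILE = "./properties_plugin/selfRegRequest.properties"

# Constructed sample of the relevant part of a .masterPropertyFile, mirroring
# the guide's layout: a commented-out sample block followed by a live block.
SAMPLE_MASTER_PROPERTY_FILE = """\
#############################################################
# FILE_NAME=./properties_plugin/bridgeManager.properties
# {
# com.bsc.plugin.bridge.BridgeManager.verifyRegisterdClients=true
# }
#############################################################
FILE_NAME=./properties_plugin/selfRegRequest.properties
{
com.bsc.plugin.guest.SelfRegRequestServer.EmailLinkHost=https://nac.example.com:8443
}
"""


def parse_master_property_file(text):
    """Return {target_properties_file: {key: value}} for every uncommented block."""
    blocks = {}
    target = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments (e.g. the sample entry) are ignored
        if line.startswith("FILE_NAME="):
            target = line[len("FILE_NAME="):].strip()
            blocks.setdefault(target, {})
        elif line == "{":
            if target is None:
                raise ValueError("'{' before any FILE_NAME= line")
            in_block = True
        elif line == "}":
            in_block = False
            target = None
        elif in_block and "=" in line:
            key, value = line.split("=", 1)
            blocks[target][key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if in_block:
        raise ValueError("unterminated block (missing '}')")
    return blocks


def check_email_link_host(value):
    """Return a list of problems with an EmailLinkHost value; an empty list means OK.

    Expected shape per the guide: <security level>://<FQDN>:<port>
    """
    problems = []
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme must be http or https, got {parts.scheme!r}")
    elif parts.scheme == "http":
        problems.append("scheme is http; approval links would not be TLS protected")
    if not parts.hostname:
        problems.append("missing host name")
    elif "." not in parts.hostname:
        problems.append(f"host {parts.hostname!r} is not a fully qualified name")
    try:
        if parts.port is None:
            problems.append("missing port (the guide's default is 8443)")
    except ValueError:
        problems.append("port is not a number")
    if parts.path or parts.query or parts.fragment:
        problems.append("value must end at the port: no path, query or fragment")
    return problems


def email_link_host_from(text):
    """Extract the EmailLinkHost value for selfRegRequest.properties, or None."""
    blocks = parse_master_property_file(text)
    return blocks.get(SELF_REG_FILE, {}).get(EMAIL_LINK_KEY)


if __name__ == "__main__":
    host = email_link_host_from(SAMPLE_MASTER_PROPERTY_FILE)
    print("EmailLinkHost:", host)
    print("problems:", check_email_link_host(host) or "none")
```

Run it against a copy of the real file with `email_link_host_from(open(path).read())` on each server before issuing shutdownCampusMgr; after the restart, the grep shown above confirms that the same value reached selfRegRequest.properties.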

Locate

Use this option to locate hosts or users.

Option Description

Registered Hosts/Devices

Search Type Drop down menu with the following options:
Devices - Search only records that are registered as a device
Hosts/Users - Search only user records and records that are registered as a host
All - Search all records

Server List List of servers being managed. Select one or more servers to be included in the
search.
Click Select All to select all servers to be included in the search.
Click Save Server Selections to save the list of servers you have selected for the
search.

Name The last name of a user associated with the registered host or the vendor name of
a rogue host.

Name (v7.2.6 and greater): The last name of a user associated with the registered host, the host's vendor
name or host name. The wildcard (*) option is also available.

IP Address The IP Address of the host machine.

Additional Adapter Info

MAC Type The MAC Type for the host. The available options are: Invalid, Valid or Both.

Connect State The Connect State of the adapter. Options include: Both, Off line or On line.

Access The Access state of the adapter. Options include, Enabled, Disabled or Both.

Physical Address The MAC Address of the adapter on the host.

Media Type Searches the Media Type field in the Adapter Properties. Typically this would be
either wired or wireless.

Access Value Directory Attribute used when determining which security policy the hosts are
scanned against. Data contained in this field is copied from the user's account in
the directory to the Security and Access value field on the User, Host and Adapter
Properties. It can also be entered manually.

Additional Host Info

Host Name Name of the host machine.

Agent Version Version number of the Persistent or Dissolvable Agent on the host.

Operating System Operating system on the host.

Hardware Hardware type of the host machine.

Host Type Narrow the search by a specific type of host: All, IP Phone, Registered or Rogue.


Authenticated State Include hosts on which a user has Authenticated, Not-authenticated or Both.

Security State Include hosts that are Safe, At Risk or Both.

Persistent Agent The Persistent Agent usage of the host. Options include:
No Agent — Hosts with no agent.
Agent — Hosts using the Persistent Agent.
Both — Hosts using either the Persistent Agent or the Dissolvable Agent.

Connect State The Connect State of the adapter. Options include: Both, Off line or On line.

Access The Access state of the host. Options include, Enabled, Disabled or Both.

Host Role Name of the Role assigned to the host. Roles are used to group hosts and control
their access to the network.

Security & Access Value Directory Attribute used when determining which security policy the hosts are
scanned against. Data contained in this field is copied from the user's account in
the directory to the Security and Access value field on the User, Host and Adapter
Properties. It can also be entered manually.

Additional User Info

First Name First name of the user associated with the host.

User ID Unique alphanumeric ID. Typically comes from the directory but if you are not
using a directory, this field can be created manually.

Title User's title, this could be a form of address or their title within the organization.

User Type Searches both Admin Users and network users. Options include: All,
Administrative, Administrator, Operator or Helpdesk. To search network users and
guests or contractors, select All.

Sponsor If the administrative user performing the search has Sponsor privileges, his User
Name may be filled in this field. Depending on permissions, a Sponsor's search
may be limited to the hosts he created.
Sponsors with the ability to view all accounts can use this field to find hosts
created by a specific Sponsor by entering that Sponsor's User Name in this field.

User Role Name of the Role assigned to the user. Roles are used to group users and control
their network access.

Access The Access state of the user. Options include, Enabled, Disabled or Both.

Security & Access Value Directory Attribute used when determining which security policy the hosts are
scanned against. Data contained in this field is copied from the user's account in
the directory to the Security and Access value field on the User, Host and Adapter
Properties. It can also be entered manually.

Network

Logical networks 116

Service Connectors 117

Logical networks

Use logical networks to separate network access policies from device specific values. Each logical network has an
access value, which is translated to the physical value of network infrastructure devices. FortiNAC uses this value to
provision the appropriate network access. Using logical networks can simplify network policy management by reducing
the number of required policies.
Once you create a logical network, you then assign access values on individual devices, then assign a network access
configuration for the logical network.
In a FortiNAC Manager environment, you can create logical networks on the FortiNAC Manager and push this
information to other managed FortiNAC appliances.

Configuring logical networks

You can create, modify, or delete all logical networks shown in the Logical Networks tab, including the pre-defined
logical networks if they were added using the 'Add Predefined Network Access Policies' task during the guided
installation.

Creating a logical network

1. Go to Network > Logical Networks.


2. Click Create New.
3. Enter a Name for the logical network.
4. (Optional) Enter a Description.
5. Click OK.

Modifying a logical network

1. Go to Network > Logical Networks.


2. Click the logical network and click Modify.
3. Modify the Name and/or Description.
4. Click OK.

Deleting a logical network

1. Go to Network > Logical Networks.


2. Click the logical network and click Delete.


You cannot delete a logical network that is currently in use. Click In Use to check if a logical network is in use.
3. Click OK to confirm.

Configuring network access policies

If you initialized network access policies to include the pre-defined sample configuration using the 'Add Predefined
Network Access Policies' task in the guided installation, then the pre-defined logical networks are assigned network
access policies. By default, these policies are disabled.
To assign logical networks using network access policies, see Create or edit a policy.

Service Connectors

This view acts as the main panel for creating and modifying connections and authentication between FortiNAC and
different services.

Service Description

MDM Servers MDM Services allows configuring the connection or integration between FortiNAC
and a Mobile Device Management (MDM) system. FortiNAC and the MDM
system work together sharing data via an API to secure the network. FortiNAC
leverages the data in the MDM database and registers hosts using that data as
they connect to the network. For more information see MDM services on page
121.
MDM servers supported by FortiNAC:
AirWatch
Fortinet EMS
Google GSuite
JAMF
MaaS360
Microsoft Intune
MobileIron
Nozomi
Citrix Endpoint Management

Email/SMS

Email Server This allows FortiNAC to send emails to Administrators and network users. See
Email settings on page 390.

Authentication Sources Service Connectors used to configure the connection between FortiNAC and the
desired authentication server.
The authentication source is used in the following use cases:
l User registration
l Captive Portal and Dissolvable Agent (see Global properties and Configure Authentication credentials)
l Persistent Agent (see Credential configuration)
l Import (see Import hosts users or devices)
l Administration UI Login
l Add Administrators (see Administrators)
l Import Administrators (see Import an administrator)

Google Auth See Google authentication.

Radius See RADIUS.

Syslog/Messaging

Security Fabric Connection See Security Fabric Connection.

Email/SMS

This section covers the following:


l Email Server
l SMTP SMS Gateway
l REST SMS Gateway

Email server

This feature is available under Network > Connectors > Create New > Email/SMS > Email Server.
For information on Email Server, see Email Settings.

SMTP SMS Gateway

Adding SMTP SMS gateway

This feature is available under Network > Connectors > Create New > Email/SMS > SMTP SMS Gateway.

Feature Description

Name Name of the Messaging Gateway.

Gateway Address (Email domain) The provider's email-to-SMS domain, such as nextel.messaging.com.

Country Country to which this SMS Address corresponds. You may have providers that have a different SMS
Address for each country in which they operate. You need a separate record for each one.

Prefix Any numbers that are required before the user's mobile number. For example, you may have users that
are in an adjacent country, therefore you may need to enter a number, such as 1, ahead of the mobile
number.

Suffix Any numbers required after the user's mobile number.

Max Message Length Maximum allowed message length for each provider.

Enabled Enables the Messaging Gateway.

Modifying SMTP SMS gateway

Once you add an SMTP SMS gateway, all SMTP SMS gateways are grouped under one card in the Network > Service
Connectors view, named SMTP SMS gateway. To modify a gateway configuration, right click the Network > Service
Connectors > SMTP SMS gateway card and search for the name of your gateway. Open the configuration by clicking the
pencil icon.

Deleting SMTP SMS gateway

To delete an SMTP SMS gateway, right click the Network > Service Connectors > SMTP SMS gateway card and search for
the name of your gateway. Open the configuration by clicking the pencil icon, then click Delete.

Configuring Global Max Message Length for SMTP SMS gateway

Right click the Network > Service Connectors > SMTP SMS gateway card and select Set Global Max Message Length.
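The fields in the table above are enough to reconstruct the address that is handed to the email server for an SMS. The following Python is an added example, not FortiNAC code: it selects the gateway record a user has chosen as Mobile Provider, refuses a disabled record, builds prefix + number + suffix @ gateway address, and applies the per-gateway or global maximum message length. The sample gateway records, the global maximum of 160 characters and the splitting of an over-long message into several parts are assumptions made for the example.

```python
"""Added example: compose email-to-SMS addresses from SMTP SMS gateway records.

Illustrative code, not FortiNAC's implementation. The record fields mirror the
table above (Name, Gateway Address, Country, Prefix, Suffix, Max Message Length,
Enabled); the chunking of over-long messages is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional
import re


@dataclass(frozen=True)
class SmtpSmsGateway:
    name: str
    gateway_address: str                    # provider email domain, e.g. nextel.messaging.com
    country: str                            # one record per country the provider operates in
    prefix: str = ""                        # digits required before the mobile number
    suffix: str = ""                        # digits required after the mobile number
    max_message_length: Optional[int] = None  # None -> use the global maximum
    enabled: bool = True


GLOBAL_MAX_MESSAGE_LENGTH = 160  # assumed value of "Set Global Max Message Length"

# Constructed sample records: one provider in two countries with different prefixes,
# plus a disabled record that must never be selected.
GATEWAYS = [
    SmtpSmsGateway("Example Mobile US", "sms.example-carrier.com", "US"),
    SmtpSmsGateway("Example Mobile CA", "sms.example-carrier.ca", "CA", prefix="1",
                   max_message_length=140),
    SmtpSmsGateway("Disabled Carrier", "sms.disabled.example", "US", enabled=False),
]


def select_gateway(provider_name: str, gateways=GATEWAYS) -> SmtpSmsGateway:
    """Pick the record a user selected as Mobile Provider; reject disabled ones."""
    for gw in gateways:
        if gw.name == provider_name:
            if not gw.enabled:
                raise ValueError(f"gateway {provider_name!r} is disabled")
            return gw
    raise LookupError(f"no gateway named {provider_name!r}")


def sms_address(gw: SmtpSmsGateway, mobile_number: str) -> str:
    """Build prefix + digits + suffix @ gateway domain from the user's Mobile Phone field."""
    digits = re.sub(r"\D", "", mobile_number)   # drop spaces, dashes and parentheses
    if not digits:
        raise ValueError("mobile number contains no digits")
    return f"{gw.prefix}{digits}{gw.suffix}@{gw.gateway_address}"


def split_message(gw: SmtpSmsGateway, text: str) -> List[str]:
    """Split text into parts no longer than the effective maximum (assumed behaviour).

    A per-gateway Max Message Length wins; otherwise the global maximum applies.
    """
    limit = gw.max_message_length or GLOBAL_MAX_MESSAGE_LENGTH
    if limit <= 0:
        raise ValueError("max message length must be positive")
    return [text[i:i + limit] for i in range(0, len(text), limit)] or [""]
```

Numbers in an adjacent country only work because the country-specific record carries the prefix; a user whose Mobile Provider points at the wrong country record gets a syntactically valid address that the carrier silently drops, which is why one record per country is required.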

REST SMS Gateway

Adding REST SMS gateway

This feature is available under Network > Connectors > Create New > Email/SMS > REST SMS Gateway.

Feature Description

Name Unique name of the SMS Gateway. A name may only be used once across all types of SMS
Gateways.

API URL API URL that is used to send SMS (Example: gateway.provider.com/sms/send).

HTTPS Whether the connection to the service uses HTTPS. If the scheme is not included in the API URL,
this toggle determines it; the default is HTTP. Because the User Name and Password below are sent
with HTTP Basic Authentication on every request, use HTTPS unless the gateway cannot support it.

HTTP Method HTTP Method used to send SMS.

User Name The user name that is used for HTTP Basic Authentication to the gateway.

Password The password that is used for HTTP Basic Authentication to the gateway.

Content Type Content Type used to contact the API URL.

Enabled If enabled, this SMS Gateway appears in the list of Mobile Providers available to a user in both the
Admin GUI and Portal. This toggle only controls visibility: a disabled gateway is still used for any
user who already has it selected as their Mobile Provider.

Form Parameters Additional key/value parameters sent with each request to the API URL.


To make setting up a new gateway easier, FortiNAC ships with Twilio and Vonage based
configuration settings under the names Twilio-example-config and Vonage-example-config.
These configurations use placeholders which should be filled with details that are specific to
the account.

Modifying REST SMS gateway

Once you add a REST SMS gateway, each REST SMS gateway gets its own card in the Network > Service
Connectors view, under the name you gave it when creating it. To modify a gateway configuration, right
click the Network > Service Connectors > "Name" card and click Edit.

Deleting REST SMS gateway

To delete a REST SMS gateway, right click the Network > Service Connectors > "Name" card and click Delete.

Testing REST SMS gateway connection

To test the REST SMS gateway connection, right click the Network > Service Connectors > "Name" card and click
Test Connection. You can also test the connection from within the configuration window while editing it.
Once the Test Connection overlay opens, select the user with which you wish to test the connection.
The user must be configured with a phone number and with the messaging gateway you wish to test. Include the
country code in the phone number.
Note: Save the configuration before testing the connection.
A REST SMS gateway can be used everywhere an SMTP SMS gateway is used to send SMS.

Setting Default REST SMS gateway

To set a REST SMS gateway as the default, right click the Network > Service Connectors > "Name" card and click
Set as Default.

Debug options

To debug, enable debugging in the CLI; the request sent to the gateway and the corresponding response are then
written to output.master. The logged request may include the gateway credentials and recipient phone numbers,
so disable debugging when you are finished and handle the log file accordingly.
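To see what the settings above translate into on the wire, the following Python is an added example (not FortiNAC's implementation) that assembles the request a REST SMS gateway configuration describes: it applies the HTTPS toggle only when the API URL has no scheme, encodes the User Name and Password as an HTTP Basic Authentication header, and fills the Form Parameters into the body or the query string depending on the HTTP Method. The sample configuration, credentials, form parameter names and the {to}/{text} placeholder syntax are constructed for this example. decode_basic_auth and transport_warnings show why the toggle matters: Basic authentication is base64, not encryption, so over HTTP the gateway credentials are readable by anyone on the path.

```python
"""Added example: build the HTTP request a REST SMS gateway configuration implies.

Illustrative code, not FortiNAC's own. Field names follow the table above; the
sample gateway, credentials, form parameter names and placeholder syntax are
constructed for this example.
"""
import base64
from typing import Dict, List, Tuple
from urllib.parse import urlencode, urlsplit


def resolve_api_url(api_url: str, https: bool) -> str:
    """Apply the HTTPS toggle only when the API URL carries no scheme (default HTTP)."""
    if urlsplit(api_url).scheme in ("http", "https"):
        return api_url                      # scheme given explicitly; the toggle is ignored
    return ("https://" if https else "http://") + api_url


def build_request(cfg: Dict, to_number: str, text: str) -> Dict:
    """Assemble method, URL, headers and body from the gateway card's fields."""
    url = resolve_api_url(cfg["api_url"], cfg.get("https", False))
    creds = f'{cfg["user_name"]}:{cfg["password"]}'.encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": cfg["content_type"],
    }
    # Form Parameters are treated as a template whose {to}/{text} placeholders are
    # filled per message; this placeholder convention is an assumption.
    params = {k: v.format(to=to_number, text=text) for k, v in cfg["form_parameters"].items()}
    if cfg["http_method"].upper() == "GET":
        return {"method": "GET", "url": url + "?" + urlencode(params),
                "headers": headers, "body": None}
    body = urlencode(params) if cfg["content_type"] == "application/x-www-form-urlencoded" else None
    return {"method": cfg["http_method"].upper(), "url": url, "headers": headers, "body": body}


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """What anyone who can read the request sees: Basic auth is base64, not encryption."""
    user, _, password = base64.b64decode(header_value.split(" ", 1)[1]).decode().partition(":")
    return user, password


def transport_warnings(request: Dict) -> List[str]:
    """Checks worth running before enabling a gateway."""
    warnings = []
    if urlsplit(request["url"]).scheme != "https":
        warnings.append("credentials and message content are sent in cleartext over HTTP")
    if request["method"] == "GET":
        warnings.append("message content is in the query string and will appear in proxy and server logs")
    return warnings


# Constructed sample configuration mirroring the table: no scheme in the API URL,
# HTTPS toggle left at the page's default (off).
SAMPLE_CFG = {
    "name": "example-rest-gateway",
    "api_url": "gateway.provider.com/sms/send",
    "https": False,
    "http_method": "POST",
    "user_name": "apiuser",
    "password": "s3cret",
    "content_type": "application/x-www-form-urlencoded",
    "form_parameters": {"to": "{to}", "message": "{text}"},
}
```

Run transport_warnings on the request built from your own configuration before clicking Test Connection; an empty list means the scheme resolved to HTTPS and the message is not leaking into the URL.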


MDM services

MDM Services allows you to configure the connection or integration between FortiNAC and a Mobile Device
Management (MDM) system. FortiNAC and the MDM system work together sharing data via an API to secure the
network. FortiNAC leverages the data in the MDM database and registers hosts using that data as they connect to the
network.
The MDM Service Connector can be configured either on the FortiNAC Manager or the individual managed FortiNAC
servers. Choose the appropriate option based upon which FortiNAC servers require the MDM host record information.
Option 1
Requirement: All servers managed by FortiNAC Manager require MDM host record information.
Configuration: Configure the MDM Service Connector on the FortiNAC Manager. No other configuration is required.
Behavior: The Manager copies all MDM host record information to the servers after each MDM poll.
Benefit: Provides a single point of contact for the MDM server. Reduces the overall number of queries the MDM server
has to process.
Option 2
Requirement: Only certain FortiNAC servers require MDM host record information.
Configuration: Configure the MDM Service Connector on the FortiNAC servers requiring the data.
Behavior: The MDM server is polled by each FortiNAC server configured with the MDM Service Connector.

Proxy communication is not supported.

Supported vendors

l AirWatch
l Fortinet EMS
l Google GSuite
l JAMF
l MaaS360
l Microsoft Intune
l MobileIron
l Nozomi
l Citrix Endpoint Management
For more information about supported vendors, refer to the appropriate reference manual in the Fortinet
Documentation Library:
l Fortinet EMS: FortiClient EMS Device Integration
l All others: Third Party MDM Device Integration


Settings

Field Definition

MDM Vendor Name of the vendor of the MDM system.

Name Name of the connection configuration for the connection between an MDM system and
FortiNAC.

Request URL The URL for the API to which FortiNAC must connect to request data. This will be a
unique URL based on your MDM system.

Identifier A type of key used to identify FortiNAC to the MDM server. This field is not required for
all MDM products.
In the case of AirWatch, this is the API Key generated during the AirWatch
Configuration. An API key is a unique code that identifies the FortiNAC server to
AirWatch and is part of the authentication process for AirWatch.

Application ID Enter the application ID.

Authentication Type (v7.2.6 and greater) Select one of the following options:
l Application Secret: Option for Application Access that uses an application
password to authenticate with the MS Intune API.
l Certificate: Option for Application Access that uses an X.509 certificate to
authenticate with the MS Intune API.
l Delegated Permissions: Option for delegated access that requires the user to
sign in to the MS Azure portal to give FortiNAC permissions to make calls to
MS Intune on behalf of the user.

Platform ID Enter the platform version number.

Application Version Enter the application version number.

Access Key Enter the application access key (API key).

Enable Delegated Permissions If enabled, API permissions are delegated by a signed-in user. When disabled, API
permissions are configured and granted in the MDM application registration portal
(recommended configuration).
Note: Existing MS Intune connectors created prior to versions 9.1.6/9.2.3/9.4.0 will have
this setting enabled.

User ID User name of the account used by FortiNAC to log into the MDM system when
requesting data.

Password Password for the account used by FortiNAC to log into the MDM system when
requesting data.
This field displays only when adding a new MDM connection configuration. It is not
displayed in the table of MDM servers.

Poll Interval Indicates how often FortiNAC should poll the MDM system for information.

Last Poll Date and time of the last poll.

Last Successful Poll Date and time of the last poll that successfully retrieved data.


Create Date Date that this connection configuration was set up.

On Demand Registration If enabled, when an unknown host reaches the captive portal, FortiNAC queries the
MDM server for information about that host. If the host exists in the MDM server, it is
registered in FortiNAC using the data from the MDM server.

Revalidate Health Status On Connect If enabled, when the host connects to the network FortiNAC queries the MDM server to
determine if the host is compliant with MDM policies. This setting is disabled by default.
When enabled, the MDM may not be able to manage the rate of queries from FortiNAC,
causing performance issues. Instead of enabling Revalidate Health Status On Connect,
you can enable automatic registration polling to occur once a day, which will also
retrieve Health Status, but with less frequency.

Remove Hosts If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC
database if they have been removed or disabled on the MDM server.

Update Applications If enabled, when FortiNAC polls the MDM server it retrieves and stores the Application
Inventory for hosts that are in the FortiNAC database. This setting is disabled by default.
When enabled, the MDM may not be able to manage the rate of queries from FortiNAC,
causing performance issues.

Last Modified By User name of the last user to modify the connection configuration.

Last Modified Date Date and time of the last modification to this connection configuration.

Credential JSON GSuite: (Introduced in FortiNAC version 9.4) Imports the Service Account Key JSON file
downloaded from the Google Developers Console.
1) Click the Modify Credential JSON button.
2) Populate the Credential JSON field with the Service Account Key file downloaded
from the Google Developers Console. This can be done in two ways:
Option 1 (Recommended): Click Browse and select the file. Its contents appear in
the Credential JSON window.
Option 2: Copy and paste the file contents.

Right click options

Delete Deletes the MDM Service.

Modify Opens the Modify MDM Service dialog.

Poll Now Polls the MDM server immediately.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add
an administrator profile on page 55.

Test Connection Tests the connection between the selected MDM server and FortiNAC. Error messages
indicate which fields are missing or incorrect.


Buttons

Add Opens the Add MDM Service dialog.

Modify Opens the Modify MDM Service dialog.

Export Exports the data displayed to a file in the default downloads location. File types include
CSV, Excel, PDF, or RTF. See Export data on page 1.

Test Connection Tests the connection between the selected MDM server and FortiNAC. Error messages
indicate which fields are missing or incorrect.

Poll Now Polls the MDM server immediately.

Add or modify MDM service

1. Go to Network > Service Connectors


2. Select Create New and select a vendor or Edit an existing MDM Server.
3. Use the settings for the MDM Services to enter the MDM Service information.
4. Click OK to save.

The Revalidate Health Status On Connect and Update Applications settings are disabled by
default. When enabled, the MDM may not be able to manage the rate of queries from
FortiNAC, causing performance issues.

Instead of enabling Revalidate Health Status On Connect, you can enable automatic
registration polling to occur once a day, which will also retrieve Health Status, but with less
frequency.

Delete MDM service

1. Go to Network > Service Connectors


2. Select an MDM Service record from the table.
3. Click Delete at the top of the view.
4. Click Yes on the confirmation message.


Hosts

Hosts are devices that require network services and can be associated with a user, such as a PC or a gaming device.
Adapters are the network interfaces on these devices. There are other types of hosts not associated with users, such as
IP phones or printers. The Hosts, Adapters, and Users views each have their own menu option but share a common search
capability, which simplifies management of hosts, adapters and their associated users on your network. Regardless of the
menu item selected and displayed, the navigation and search or filter options are the same.
Applications contained on a host are scanned when the host connects to the network and appear in the Applications view.
The list of applications is continuously updated as hosts are scanned.
The quick search field at the top of the Host View and Adapter View windows allows you to search based on an IP
address, MAC address, user ID, user first and last name, or host name. Wild card searches, such as 192.168.10.1*, can
be used. The drop-down arrow at the end of the Search field allows you to set up a filter and use it once or save it for
future use.

Hosts

Add, delete, modify, locate and manage hosts connected to your network.
The relationship between users, hosts, and adapters is hierarchical. Users own or are associated with one or more
hosts. Hosts contain one or more Adapters or network interfaces that connect to the network. By displaying user, host
and adapter data in a group, the relationships are maintained. For example, if you search for a host with IP address
192.168.5.105, you are in fact searching for the IP address of the adapter on that host. When the search displays the
host, you can click on the Adapters option, the search is automatically re-run and you see the adapter itself. If there is an
associated user, you can click on the Users option to re-run the search and see the associated user.
Click on the arrow in the left column to drill-down and display the adapters and their connection status on this host. Hover
over the icon in the Status column to display a tooltip with detailed information about this host. For more information, see
Settings on page 128. For information on status icons, see Icons on page 1.
The Displayed and Total fields in the title bar represent the number of records displayed versus the total number of
records in the database.

If a host fails one scan and is denied access to the network, but passes another scan at a
different time or location and is allowed access to the network, the host will still be marked At
Risk because it failed the first scan. The host will continue to be marked At Risk until actions
are taken to pass the failed scan.

There is a limit to the maximum number of records the view is able to display (50,000). If the
amount of records to export is greater than what can be displayed, export in multiple parts and
combine the files manually.
Example: Use three different "Host Created dates" that divide it into three parts: before the first
date, between the first and second dates, and after the second date.
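Two rules in the Settings table later in this section are easy to get wrong when reasoning about registration limits and search results: how hosts are counted against a user's Allowed Hosts (a host scanned by an agent, or with manually associated adapters, counts once for up to five adapters, otherwise every adapter counts as a host), and the fact that a Security search for Safe also returns Pending at Risk hosts while the reverse is not true. The following Python is an added example that encodes both rules; it is not FortiNAC code, and the host records are constructed. How a host with more than five adapters is counted is not stated in the guide, so the example counts each adapter individually in that case, as an assumption.

```python
"""Added example of two Host View rules from the Settings table: counting toward
Allowed Hosts, and the Safe / Pending at Risk search relationship.

Illustrative code, not FortiNAC's own; the host records are constructed.
"""
from dataclasses import dataclass
from typing import List

MAX_ADAPTERS_PER_AGENT_HOST = 5   # "a single host with up to five adapters counts as one host"


@dataclass
class Host:
    host_name: str
    adapters: List[str]             # MAC addresses of the host's network interfaces
    agent_scanned: bool = False     # scanned by an agent, or adapters manually associated
    security: str = "Safe"          # Safe, Pending at Risk, or At Risk


def count_toward_allowed_hosts(hosts: List[Host]) -> int:
    """Count registered hosts the way the Allowed Hosts field describes.

    Agent-scanned hosts with up to five adapters count once; otherwise every
    adapter is a separate host. Above five adapters the guide is silent, so each
    adapter is counted individually (assumption).
    """
    total = 0
    for h in hosts:
        if h.agent_scanned and len(h.adapters) <= MAX_ADAPTERS_PER_AGENT_HOST:
            total += 1
        else:
            total += len(h.adapters)
    return total


def exceeds_allowed_hosts(hosts: List[Host], allowed_hosts: int) -> bool:
    """True when these registrations exceed the user's Allowed Hosts value."""
    return count_toward_allowed_hosts(hosts) > allowed_hosts


def filter_by_security(hosts: List[Host], security: str) -> List[Host]:
    """Searching for Safe includes Pending at Risk; other searches match exactly."""
    if security == "Safe":
        return [h for h in hosts if h.security in ("Safe", "Pending at Risk")]
    return [h for h in hosts if h.security == security]


# Constructed records: a laptop seen by the Persistent Agent (two NICs, counts once),
# a machine never scanned by an agent (two NICs, counts twice) and a pingable printer.
SAMPLE_HOSTS = [
    Host("laptop-01", ["00:B6:50:00:00:01", "00:B6:50:00:00:02"], agent_scanned=True),
    Host("desktop-02", ["00:B6:50:00:00:03", "00:B6:50:00:00:04"], security="Pending at Risk"),
    Host("printer-03", ["00:B6:50:00:00:05"], security="At Risk"),
]
```

The same three physical machines count as three or four hosts depending on whether the agent has associated the adapters, which is why a user can hit the Allowed Hosts limit after registering a dual-NIC machine through the captive portal instead of through the agent.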


Navigation, menus, options, and buttons

For information on selecting the columns displayed in the Host View, see Settings on page 128. Some menu options are
not available for all hosts; options vary depending on host state.

Field Definition

Navigation Across the top of the Hosts View are navigation tools that allow you to quickly move
through large numbers of records. These tools include the following:
l <<first: Takes you to the first page of records.
l <prev: Takes you back one page.
l Page Number: Current page number is displayed.
l next>: Takes you forward one page.
l last>>: Takes you to the last page.
l Drop-down Box: Allows you to select the number of records to be displayed on each page.

Quick Search Enter a single piece of data to quickly display a list of hosts. Search options include: IP
address, MAC address, host name, User Name, and user ID. Drop-down arrow on the
right is used to create and use custom filters.
If you are doing a wild card search for a MAC address you must include colons as
separators, such as 00:B6:5*. Without the separators the search option cannot
distinguish that it is a MAC address.
When quick search is enabled, the word Search appears before the search field.
When a custom filter is enabled, Edit appears before the search field.

Right click options

Add Hosts To Groups Add the selected host(s) to one or more group(s). See Add hosts to groups on page
142.

Delete Hosts Deletes the selected host(s) from the database. Deleting a host from the Host View
that is also displayed in the Inventory, removes that host from both views. Deleting a
host from the Inventory does not delete it from the Host View. See Delete a host on
page 141.

Disable Hosts Disables the selected host(s) preventing them from accessing the network. See
Enable or disable hosts on page 142.

Enable Hosts Enables the selected host(s) if they were previously disabled. Restores network
access.

Group Membership Displays groups in which the selected host is a member. See Group membership on
page 143.

Host Health Opens a dialog with the contents of the Host Health tab from the Host Properties view.
See Host health and scanning on page 135.

Host Applications Opens the Applications window for the selected host and lists installed applications.
See Application inventory on page 137.

Host Properties Opens the Properties window for the selected host. See Properties on page 133.


Modify Host Opens the Modify Host window. See Modify a host on page 139.

Policy Details Opens the Policy Details window and displays the policies that would apply to the
selected host at this time, such as endpoint compliance policies, network access
policies, portal policies, or supplicant policies. See Policy details on page 170.

Register As Device Changes the selected host to a device in the FortiNAC database. See Register a host
as a device on page 1.

Register As Host Changes the selected rogue host to a registered host. Displays the Modify Host
window. See Modify a host on page 139.

Run Agentless Scan Manually run an agentless scan for selected hosts. Hosts must be Windows Hosts,
members of the domain, have an IP address and be connected to the network.

Scan Hosts Evaluates the selected host with the scan that applies to the host at that moment. The
host must be online and must have a Persistent Agent. If the host is online but does
not have a Persistent Agent, it is marked "at risk" for the Scan that most closely
matches the host at the moment.

Send Message Sends a text box message to the selected host(s). The host must be using the
Persistent Agent or Mobile Agent. See Send a message to a host on page 144.

Set Host Expiration Launches a tool to set the date and time for the selected host(s) to age out of the
database. See Set host expiration date on page 143.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See
Add an administrator profile on page 55.

Set Host Role Assigns a role to the selected host.

Show Events Displays the events for the selected host.

Show Network Sessions View the list of sessions on the host. For more information, see Network sessions on
page 1.

Update Persistent Agent Opens a dialog that allows you to update the Persistent Agent for the selected host.

Go To Logged On User(s) Opens the Users tab and displays the users currently logged onto the selected hosts.
The logged on user may not be the registered user for the selected host.

Set Logged On User Expiration Launches a tool to set the date and time for the user currently logged on to the
selected host to age out of the database. See Set user expiration date on page 82.

Set Logged On User Role Assigns a role to the user currently logged on to the selected host. See Roles on page
291.

Go To Registered User(s) Opens the Users tab and displays the registered users for the selected hosts.


Set Registered User Expiration Launches a tool to set the date and time for the registered user for the selected host to
age out of the database. See Set user expiration date on page 82.

Set Registered User Role Assigns a role to the registered user for the selected host. See Roles on page 291.

Collapse All Collapses all host records that have been expanded.

Expand Selected Expands selected host records to display adapter information.

Buttons

Import/Export Use Import and Export options to import hosts into the database from a CSV file or
export a list of selected hosts to CSV, Excel, PDF, or RTF formats. See Import Hosts,
Users Or Devices or Export Data.

Options Displays the same series of menu picks displayed when the right-mouse button is
clicked on a selected host.

Settings

The fields listed in the table below are displayed in columns on the Host View based on the selections you make in the
Settings window. These fields are also used in custom filters to search for hosts. See Search and filter options on page 1.
Additional fields that can be displayed on the Host View are fields for the user associated with the selected host. See
Search settings on page 73.
You may not have access to all of the fields listed in this table. Access depends on the type of license key installed and
which features are enabled in that license.

Field Definition

Agent Platform Distinguishes between Windows, macOS, iOS, and Mobile Agent.

Agent Version The version number of the Persistent Agent, Mobile Agent, or Dissolvable Agent
installed on the host.
None is displayed if the host is a type set to by-pass the agent scan in the endpoint
compliance configuration.

Allowed Hosts The number of hosts that can be associated with or registered to this user and connect
to the network. There are two ways to reach this total.
If the host is scanned by an agent or if adapters have been manually associated with
hosts, then a single host with up to five adapters counts as one host.
If the host is not scanned by an agent or if the adapters have not been associated with
specific hosts, then each adapter is counted individually as a host. In this scenario one
host with two network adapters would be counted as two hosts.
Numbers entered in this field override the default setting in System > Settings >
Network Device. Blank indicates that the default is used. See Network device on page
1.
If an administrator exceeds the number of hosts when registering a host to a user, a
warning message is displayed indicating that the number of Allowed Hosts has been
incremented and the additional hosts are registered to the user.


Applications Applications running on the host. Categories of applications include: antivirus, Hotfixes
and operating system.

Asset Tag The Asset Tag of the host that is populated by the agent when the asset tag is readable
by the agent. The asset tag is derived from the System Management BIOS (SMBIOS).

Authenticated Indicates whether the host is authenticated.

Delete Hosts When User Expires If set to Yes, hosts registered to the user are deleted when the user ages out of the
database. To modify click Set.

Device Type If the Host is a pingable device that is being managed in Hosts view, this field indicates
the specific type of device.
The list includes:
l Alarm System
l Android
l Apple iOS
l Camera
l Card Reader
l Cash Register
l Dialup Server
l Environmental Control
l Gaming Device
l Generic Monitoring System
l Health Care Device
l Hub
l IP Phone
l IPS / IDS
l Linux
l Mobile Device
l Network
l PBX
l Pingable
l Printer
l Registered Host
l Server
l StealthWatch
l Top Layer IPS
l Unix
l UPS
l Vending Machine
l VPN
l Windows
l Wireless Access Point
l macOS


Container (Inventory) Indicates whether this host is also displayed in the Inventory and shows the Container
in which it is stored.

First Name User's first name.

Last Name User's last name.

Email User's email address.

Address User's physical address.

City User's city.

State User's state.

Postal Code User's postal code.

Phone User's phone number.

Mobile Phone User's cell phone number.

Mobile Provider User's mobile provider.

Notes Notes entered by the administrator. If this user registered as a guest, this section also
contains information gathered at registration that does not have designated database
fields, such as Person Visiting or Reason for Visit.

Include IP Phones Appears when any option except Rogue is in the Host Type drop-down list. When
selected, hosts that are IP Phones are included in the Host View.

Hardware Type Type of Hardware, such as a PC.

Created Date Date the host record was created in the database. Options include last, between,
before, and after.

Expiration Date Controls the number of days a Host is authorized on the network. Options include Next,
Before, After, Between, Never, and None. The host is deleted from the database when the
date specified here has passed. The date is automatically calculated based on the
information entered when Aging is configured. See Aging out host or user records on
page 1.

Inactivity Date Controls how long a Host that has not connected remains in the database. Options include
Next, Before, After, Between, Never, and None. The host is deleted from the database when
the date specified here has passed. The date is continuously recalculated from the host's
last connection using the value entered in the Days Inactive field. See Aging out host or
user records on page 1.

Last Connected Date and time of the last communication with the Host. Options include Last, Before,
After, Between, and Never.

Host Name Name of the host.

Host Notes Notes about this host.

Host Role Role assigned to the Host. Roles are attributes of hosts and can be used as filters in a
user/host profile. See Roles on page 291.


Host Security & Access Value Value that typically comes from a field in the directory, but can be added manually. This
value groups users and can be used as a filter in a user/host profile, which in turn are
used to assign endpoint compliance policies, network access policies and Supplicant
EasyConnect policies. The data in this field could be a department name, a type of user,
a graduation class, a location or anything that distinguishes a group of users.
The access value is inherited from the user associated with this host.

Last Modified By User name of the last user to modify the host.

Last Modified Date Date and time of the last modification to this host.

Logged On User Name of the user currently logged into the Host.

Managed By MDM Host is managed by a Mobile Device Management system and data was retrieved from
that system for registration.

MDM Compliant Host is compliant with MDM policies. This data is retrieved directly from the MDM
system.

MDM Compromised MDM system has found this host to be compromised, such as jailbroken or rooted.

MDM Data Encryption MDM system has detected that the host is using data protection.

MDM Passcode MDM system has detected that the host is locked by a passcode when not in use.

Operating System Host operating system. This is usually determined based on the DHCP fingerprint of the
device or is returned by an agent.

Passed Tests Shows passed scans.

Persistent Agent Indicates whether the Persistent Agent has been seen on this Host before.

Persistent Agent Communicating Indicates whether or not the agent is currently communicating.

Registered To User ID of the user to which this host is registered.

Serial Number Serial number on the host.

Status Current or last known status is indicated by an icon. See Icons on page 1. Hover over
the icon to display additional details about this Host in a tool tip.
• Connected: Indicates whether host is online or offline.
• Access: Indicates whether host is enabled or disabled.
• Security: Indicates whether host is safe, at risk or pending at risk.
• Authentication: Indicates whether or not the user associated with this host has been authenticated.
When searching for a host based on Security, search results for Safe include Pending
at Risk hosts. Those hosts are a sub-set of Safe hosts. Search results for Pending at
Risk do not include Safe hosts.

System UUID The universal unique identifier used to identify the host.

Title User's title, this could be a form of address or their title within the organization.

Type Select the type of host. Host types include:
• Rogue: Unknown device that has connected to the network.
• Registered Host With Owner: Device that is registered to a known user.
Note: The owner is not the same as the logged on user.
• Registered Device: Device that is registered by its own host name and is not
associated with a single user, such as a library computer or a shared workstation.
• Registered Host or Device: Both devices that are registered to users and devices
that are registered by host name.
• Registered Device In Host View: Pingable device not associated with a user that
is managed in the Host View, such as a printer.
• Registered Device In Host and Topology: Pingable device not associated with a
user that displays in both the Host View and Topology.

User Created Indicates when this record was created in the database.

User Expires Controls the number of days a user is authorized on the network. User is deleted from
the database when the date specified here has passed. The date is automatically
calculated based on the information entered in the Set User Expiration date window.
To modify click Set. See Set user expiration date on page 82 for additional information.

User Inactivity Date Controls the number of days a user is authorized on the network. User is deleted from
the database when the date specified here has passed. The date is continuously
recalculated based on the number of days entered for Inactivity Limit.
For example, if the user logs off the network on August 1st and Inactivity Limit is set to 2
days, the Inactivity Date becomes August 3rd. If on August 2nd the user logs back in
again, the Inactivity Date is blank until the next time he logs out. Then the value is
recalculated again. To modify click Set.

User Inactivity Limit Number of days the user must remain continuously inactive to be removed from the
database. See Aging out host or user records on page 1.

User Notes Notes entered by the administrator. If this user registered as a guest, this section also
contains information gathered at registration that does not have designated database
fields, such as Person Visiting or Reason for Visit.

User Role Role assigned to the user. Roles are attributes of users that can be used as filters in
user/host profiles. See Roles on page 291.

User Security And Access Value Value that typically comes from a field in the directory, but can be added manually. This
value can be used as a filter to determine which policy to use when scanning a user's
computer. The data in this field could be a department name, a type of user, a
graduation class, a location or anything that distinguishes a group of users.

VPN Client Indicates whether the host connects to the network using a VPN connection.

Vulnerability Last Scanned Lets you filter hosts by defining the time/date when Vulnerability scan results were last
processed for the host.

Vulnerability Scan Status Lets you display hosts that passed or failed the vulnerability scan, or were not scanned.


Drill-down settings

Use the arrow in the far left column of the Host View to expand a host and view adapter details. Expand or collapse
multiple hosts by selecting them and using the right mouse button or Options. All adapters associated with a host are
contained within the expanded section of the window. Adapters on the same host are considered siblings.
To copy an IP address or physical address, click on the address to highlight it. Press Ctrl+C to copy it.

Settings

Field Definition

Status Status of the adapter. Options are Online or Offline and Enabled or Disabled. See Icons
on page 1.

IP address IP address assigned to the adapter. If the adapter is offline, this is the last known IP
address. Supports both IPv4 and IPv6 addresses.

Physical Address MAC address of the adapter.

Media Type Indicates whether the adapter is wired or wireless.

Location The switch and port where the adapter last connected.

Actions Use the action icons to do the following:
• Enable/disable adapter
• Access adapter properties
• Access port properties for the port where the adapter last connected
• Go to the Adapters tab and display the adapter for this host

Properties

The Host Properties view provides access to detailed information about a single host. From this view you can access the
associated user's properties by clicking on the User option in the menu or the associated adapter's by clicking on the
adapter's physical address displayed in the Adapters tab at the bottom of the window.
1. Select Users & Hosts > Hosts.
2. Search for the appropriate host.
3. Select the host and either right-click or click Options.
4. From the menu select Host Properties.

Settings

Field Definition

General

Host Name Name of the host.

Hardware Type Type of host such as workstation.


Operating System Operating system installed on the host. Only hosts with a valid operating system can be
rescanned. Valid operating systems are Windows, Mac, and Linux.

Serial Number Serial number of the host.

Host Status Radio buttons indicating whether the host is Enabled or Disabled. To enable or disable
the host, click the appropriate button and then click Apply.

Time

Created Indicates when this host record was created in the database. Options include Before,
After, and Between.

Expiration Date Controls the number of days a host is authorized on the network. Host is deleted from
the database when the date specified here has passed. Options include Before, After,
Between, Never, and None. If Never is displayed, this indicates that the host will not age
out of the database. To modify click Set. See Set host expiration date on page 143.

Inactivity Date Controls the number of days a host is authorized on the network. Host is deleted from
the database when the date specified here has passed. Options include Before, After,
Between, Never, and None. The date is continuously recalculated based on the number
of days entered for Inactivity Limit.
For example, if the host logs off the network on August 1st and Inactivity Limit is set to 2
days, the Inactivity Date becomes August 3rd. If on August 2nd the host logs back in
again, the Inactivity Date is blank until the next time it logs out. Then the value is
recalculated again. To modify click Set.

Inactivity Limit Number of days the host must remain continuously inactive to be removed from the
database. See Aging out host or user records on page 1.

Last Connected Last time the host was heard on the network. Options include Before, After, Between,
and Never.

Policy Agent/access

Role Role assigned to the host. Use the drop-down list to select a new role.

Agent Version The version number of the Persistent Agent or Dissolvable Agent installed on the host.
"None" is displayed if the host is part of a group with an endpoint compliance policy set
to bypass the agent scan.

Update Button Button only displays if the Persistent Agent is installed. Allows you to update this host to
a different version of the Persistent Agent.

Security And Access Attribute Value The value of the attribute that can be used as a filter in user/host profiles. Data for this
field can come from a guest template, can be entered automatically from an LDAP
directory based on attribute mappings or manually by typing a value in this field. If
entered from a directory, the data is copied from the user record of the associated user.
For example, if you have a policy for staff and a separate policy for executives, you
could enter the word staff for each staff member and executive for each member of the
executive group. Enter a matching word on the appropriate user/host profile to match
the host to an endpoint compliance or network access policy. See Policy & Objects on
page 166.

Tabs

Adapters Displays a list of adapters on this host by MAC address. Click on a MAC address to
open the Adapter Properties.

Applications Displays a list of applications installed on the device. This information is provided by the
agent. Typically includes antivirus, Hotfixes and operating system. This information is
updated with each successful scan.

Notes Notes entered by the administrator. If this host is the registered host for a guest, this
section also contains information gathered at registration that does not have designated
database fields, such as Person Visiting or Reason for Visit.

Health Lists all scans, system scripts and administrative states that have been run on or applied
to the host. Each scan the host is eligible for is shown along with the Name, Status, and
Action. Click Show History for short-term historical data. See Host health and scanning
on page 135.

Patch Management Displays information on patches that have been applied to the host by its associated
patch management server. The patch management vendor name and the ID number of
the most recent patch is displayed.

Logged In Users User name of the user logged into this host.

Buttons

Send Message Opens the Send Message window and allows you to send a message to a host. If the
host has the Persistent Agent or Mobile Agent installed, the message can be sent to the
host desktop.

For more details see Send a message to a host on page 144.

Groups Displays a list of available host groups. If the host is a member of a group the check box
is selected. You may add or remove the host from one or more groups.

Apply Saves changes to the host properties.

Reset Resets the values in the host properties window to their previous settings. This option is
only available if you have not clicked Apply.

Host health and scanning

Host health is determined by the endpoint compliance policies, system and administrative states, or scans run on the
host. Each time a scan is run, a record of that scan is stored in the database and displayed on the Health tab of the Host
Properties window. Each scan and scan type the host is eligible for is shown along with the name, status, and action.
The agent scan shown in bold text and highlighted with a gray bar indicates the scan that is currently applied to the host.
Click Show History for short-term historical data.
Scan Configuration Changes
Changes made to a scan configuration only affect the hosts that fail the scan after the change is made. Any hosts that
failed the scan prior to the change are not affected. The host must pass the scan before it can take on another host state.
Examples:
• If Host A is scanned, fails Scan A and is assigned a delay of 2 days, changing Scan A to a delay of 5 days does not
alter the delay for Host A. It remains 2 days.
• If Host A is scanned, fails Scan A and is marked "At Risk", changing Scan A to Delayed Remediation does not alter
Host A. It remains "At Risk" until it passes Scan A.
Multiple Scans Applying to a Host
When multiple scans exist in a host record in Host Health, the combination of the Status fields can affect the host state. If
the scan associated with the policy is changed, the results of the original scan are no longer in effect, because the endpoint
compliance policy that applies to the host now uses a different scan. A failure of an Admin or System scan, however,
remains in effect. Refer to the table below for the effects of the Status fields on network access.

Scan type/status                                           Network access
Admin      System     Agent scan A    Agent scan B*
Initial    Initial    Failure         Initial           No. Must pass scan B.
Initial    Initial    Failure         Success           Yes
Failure    Initial    Failure         Success           No. Must pass Admin Scan.
Success    Failure    Failure         Success           No. Must pass System Scan.
Success    Success    Failure         Success           Yes

*Agent Scan B is the scan that currently applies to the host in the example in the table.
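The status combinations in the table above, worked as an added Python example (not FortiNAC code). It also covers the Failure Pending status and the Safe/Pending At Risk search rule described in this section; the class and function names, and the treatment of a host with no applied agent scan, are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class ScanType(Enum):
    ADMIN = "Admin"     # marks At Risk/Safe without scanning (alarm actions, time of day)
    SYSTEM = "System"   # scripts run on the FortiNAC platform
    AGENT = "Agent"     # endpoint compliance scan run by the installed agent


class Status(Enum):
    INITIAL = "Initial"                  # not yet scanned: neither passed nor failed
    FAILURE = "Failure"                  # host marked At Risk for this scan
    FAILURE_PENDING = "Failure Pending"  # Delayed Remediation: marked Pending At Risk
    SUCCESS = "Success"                  # host marked Safe for this scan


@dataclass
class ScanResult:
    scan_type: ScanType
    name: str
    status: Status = Status.INITIAL


@dataclass
class HostHealth:
    """The rows of one host's Health tab plus the agent scan shown in bold (applied)."""
    results: List[ScanResult] = field(default_factory=list)
    applied_agent_scan: Optional[str] = None


@dataclass
class Verdict:
    network_access: bool
    host_state: Optional[str]   # "Safe", "At Risk", "Pending At Risk"; None = not scanned
    reason: str


def evaluate(health: HostHealth) -> Verdict:
    """Combine the Status fields the way the network-access table describes."""
    # An Admin scan failure stays in effect regardless of agent results; for Admin
    # scans, Initial is equivalent to Success.
    for r in health.results:
        if r.scan_type is ScanType.ADMIN and r.status is Status.FAILURE:
            return Verdict(False, "At Risk", f"Must pass Admin Scan {r.name}")
    # Likewise a System scan failure blocks access until the host passes it.
    for r in health.results:
        if r.scan_type is ScanType.SYSTEM and r.status is Status.FAILURE:
            return Verdict(False, "At Risk", f"Must pass System Scan {r.name}")
    # Only the agent scan the endpoint compliance policy currently applies counts;
    # results of a scan the policy no longer uses (Agent scan A above) are ignored.
    # Assumption: a host with no applied agent scan has no agent requirement.
    if health.applied_agent_scan is None:
        return Verdict(True, "Safe", "No agent scan applies to this host")
    applied = [r for r in health.results
               if r.scan_type is ScanType.AGENT and r.name == health.applied_agent_scan]
    if not applied:
        return Verdict(False, None, f"Must pass scan {health.applied_agent_scan}")
    a = applied[0]
    if a.status is Status.SUCCESS:
        return Verdict(True, "Safe", "All applicable scans passed")
    if a.status is Status.FAILURE_PENDING:
        # Delayed Remediation: not placed in remediation, but flagged for follow-up.
        return Verdict(True, "Pending At Risk", f"Delayed remediation on {a.name}")
    if a.status is Status.FAILURE:
        return Verdict(False, "At Risk", f"Must pass scan {a.name}")
    return Verdict(False, None, f"Must pass scan {a.name}")   # Initial: not scanned yet


def matches_security_search(verdict: Verdict, search: str) -> bool:
    """Host View Security filter: 'Safe' also returns Pending At Risk hosts, but
    'Pending At Risk' does not return Safe hosts."""
    if search == "Safe":
        return verdict.host_state in ("Safe", "Pending At Risk")
    return verdict.host_state == search


def table_row(admin: Status, system: Status, scan_a: Status, scan_b: Status) -> HostHealth:
    """Constructed host record shaped like the table above: scan B is the applied one."""
    return HostHealth(
        results=[ScanResult(ScanType.ADMIN, "Admin", admin),
                 ScanResult(ScanType.SYSTEM, "System", system),
                 ScanResult(ScanType.AGENT, "Agent scan A", scan_a),
                 ScanResult(ScanType.AGENT, "Agent scan B", scan_b)],
        applied_agent_scan="Agent scan B")


if __name__ == "__main__":
    rows = [(Status.INITIAL, Status.INITIAL, Status.FAILURE, Status.INITIAL),
            (Status.INITIAL, Status.INITIAL, Status.FAILURE, Status.SUCCESS),
            (Status.FAILURE, Status.INITIAL, Status.FAILURE, Status.SUCCESS),
            (Status.SUCCESS, Status.FAILURE, Status.FAILURE, Status.SUCCESS),
            (Status.SUCCESS, Status.SUCCESS, Status.FAILURE, Status.SUCCESS)]
    for row in rows:
        v = evaluate(table_row(*row))
        print([s.value for s in row], "->", "Yes" if v.network_access else "No", v.reason)
```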

Access the health tab

1. Select Users & Hosts > Hosts.
2. Search for the appropriate host.
3. Select the host and either right-click or click Options.
4. From the menu select Host Properties.
5. Click on the Health tab.


Settings

Option Description

Type Admin: Records the reason a host was manually marked at risk. Admin scans do not actually scan
the host; they provide a configuration or profile with which to associate the host state. Admin Scans can
be used to mark hosts At Risk or Safe based on an alarm action triggered by an event. These scans can
also be used to enable or disable access based on the time of day, for example to limit access for
guests after 5:00 pm.
System: These scans run scripts on the FortiNAC platform.
Agent: Scans run by an agent installed on the host based on an endpoint compliance policy or set of
requirements with which the host must comply. The Agent scan listed in bold and highlighted by a gray
bar indicates the scan that is currently applied to the host.

Name The Name of the scan. There may be more than one scan of a particular type that the host is eligible to
be scanned against.

Status Initial: Default setting indicating that the host has not been scanned, therefore it has neither passed nor
failed. For Admin scans, manually setting the scan to Initial is the equivalent of Success. For other scan
types, setting the status to Initial has no effect.
Failure: Indicates that the host has failed the scan. This option can also be set manually. When the
status is set to Failure the host is marked "At Risk" for the selected scan.
Failure Pending: The host has been scanned and failed a scan that has the Delayed Remediation
option enabled. The host is not placed in remediation and it is marked "Pending At Risk". See Delayed
remediation on page 246 for additional information.
Success: Indicates that the host has passed the scan. This option can also be set manually. When the
status is set to Success the host is marked "Safe" for the selected scan.

Actions ReScan appears in the Actions column for Agent scans. Clicking ReScan places the host into the
queue to be re-scanned.
If FortiNAC cannot contact the host when ReScan is clicked, a message is displayed indicating that the
host was not rescanned.

View history

1. On the Host Properties Health tab, click Show History.
2. View the list of scans, results, and when the scan(s) were performed. Results are sorted with the most recent at the
top of the list. Note that if there are no Admin, System, or endpoint compliance policy scan results to display when
you click History, the History window opens with the message, "There are no scan results for this host."
3. Inside the History window, click the Script/Profile name to view the details of the scan. The details view opens in a
new browser window.
4. Close the scan details window.
5. Click Refresh on the History view to refresh the list with the most recent data.
6. Close the window when finished.

Application inventory

Application Inventory lists all of the programs found on a selected host either by a FortiNAC Windows, MAC, Linux, or
Mobile Agent or an agent from an MDM Service that is integrated with FortiNAC.


Right-click a host in the Host View and select Host Applications.

The application inventory is not populated during the initial scan. Subsequent manual or
scheduled scans will perform this function.

FortiNAC agents must be version 3.1 or higher to collect application data.

Settings

Field Definition

Threat Score The threat score assigned to the application.
This field appears only when the Security Incidents license is enabled.

Operating System Device operating system, such as iOS.

Operating System The operating system version for the device. (This information may not be available.)
Version

Source Source of the application data, such as an MDM Service.

Version Operating system version.

Threat Override Indicates whether an application is marked as Trusted or Untrusted according to the threat score.
This field appears only when the Security Incidents license is enabled.

Package Name The namespace in which the application is run. (This information may not be available.)

Submit Date The date when the application was last submitted to a Threat Analysis Engine.
This field appears only when the Security Incidents license is enabled.

Host Count The number of hosts that have the application.

Learned Time Date and time that FortiNAC first learned about this device.

Last Updated Date and time of the last update to this device in FortiNAC.

Name Name of the installed application.


Vendor Domain name of the application vendor.

Version Version number of the installed application.

Learned Time Date and time that FortiNAC first learned about this application.

Export Exports the data displayed to a file in the default downloads location. File types include
CSV, Excel, PDF, or RTF. See Export data on page 1.

Set Threat Override Marks an application as Trusted or Untrusted, overriding the existing threat score. The
original threat score is not changed, and the override may be set back to "none". Users
can also right-click in the Applications table to access this option.
This field appears only when the Security Incidents license is enabled.

Modify a host

Host records are created as hosts connect to the network and register. Hosts can also be added by importing or by entering
the data manually. See Import hosts, users or devices on page 1. Add or modify host allows you to create new hosts or
edit existing ones. Hosts added through this process are either registered to a user or registered as a device.

Register host to user

A host registered to a user is associated with that user, inherits network access parameters from the user and
contributes to the Allowed Hosts count for the user. Each registered device or host consumes one license when it is
online. If the host is registered here, the user will not have to go through the registration process elsewhere, such as the
captive portal.
Only hosts with a valid operating system can be rescanned. Valid operating systems are Windows or macOS.

Register host as device

A host registered as a device can be displayed in the Host View or in both the Host View and Inventory. This type of host
consumes a license only when it is online. Typically, hosts registered as devices are items such as IP phones, security
cameras, alarm systems or printers.
Modify hosts
1. Select Hosts > Hosts.
2. Use the search or filter mechanisms on the Host View to locate the appropriate host.
3. Click on the host to select it.
4. Click Modify.
5. See the table below for detailed information on each field.
6. Click OK to save your data.


Settings

Field Definitions

Register host to user

User ID ID of the user who owns this host. As you type a list of matching user IDs drops down. For
example if you type ab, user IDs that start with ab are displayed. If the user ID does not exist
in the database, but does exist in the directory used to authenticate users, the user is created
at the same time. If the user does not exist either in the directory or in your database, you
cannot save the host.
If registering this host to a User exceeds the number of Allowed Hosts for that user, a
message is displayed indicating that Allowed Hosts has been automatically incremented and
the host is registered to the user.

Register host as device

Create In Indicates where the device should be displayed. Options include Host view or Host view
and Inventory.

Container If the host is created in both Host View and Inventory, you must choose an Inventory container
to contain the host. Containers in Inventory are used to group devices.

General

Role Roles are attributes of hosts and users that can be used as filters in user/host profiles.
If the host is registered to a user, there are two options for selecting the host role.
Use Role From User: Indicates that the host role is inherited from the registered user
associated with the host.
Specify Role: Indicates that the host role is manually selected. This enables a drop-down
list of possible roles from which you can choose.
If the host is registered as a device in Inventory only, its role is used to control network
access or can be used to apply a CLI configuration. For example, a CLI configuration could
be used to reduce the baud rate of a device when it connects to the network.

Host Name Name of the host being registered.

Hardware Type Type of hardware such as Printer, Server or Workstation.

Serial Number Serial number on the device. May be of assistance if the device is ever stolen.

Operating System Operating system on the host.
Only hosts with a valid operating system can be rescanned. Valid operating systems are
Windows, macOS, and Linux.

Device Type Indicates the type of device being registered. When registering a host to a user this field
defaults to Registered Host With Owner. It could also be set to a gaming or mobile device.
When registering as a device, this might be set to devices that are not typically associated
with an owner, such as a printer or an alarm system. An icon representing the device
selected displays beside the Device Type field.


If the device is an Access Point and you register it in Host View, it is removed from the Host
View and moved to Inventory after the first poll. It is also removed from the Concurrent
License count once it is recognized as an Access Point.

Notes Free form notes entered by the Administrator.

Security and Access This value can be included in a filter when determining the Security Policy that should scan
Attribute Value this host when it connects to the network. If a directory is in use and a user is associated with
this host, the value comes from the directory when it is synchronized with the database.
Otherwise the value can be entered manually.

Adapters Lists the adapters or network interfaces that exist on this host. By listing all adapters on the
host here, you establish that these adapters are siblings. The number of adapters per host is
limited to five. See Edit Adapters below.
Physical Address: MAC address of the adapter.
Media Type: Indicates whether the adapter is wired or wireless.

Edit adapters

1. Go to the Adapter section of the Add or Modify Host Window.
2. To add an adapter: Click Add and provide the Physical Address and the Media Type, such as wired or wireless.
3. To modify an adapter: Select an Adapter and click Modify. Change the Media Type as needed. To change the
Physical Address you must delete the adapter and add it again.
4. To delete an adapter: Click on the Adapter to select it and click Delete.
5. Click OK to save.

The number of adapters per host is limited to five.

Delete a host

This option deletes the selected host(s) from the Host View.

Deleting a host from the Host View that is also displayed in the Inventory, removes that host
from both views. Deleting a host from the Inventory does not delete it from the Host View.

If a device has been detected as a Rogue host and then later manually entered as a device,
the Rogue host record remains in the database. It is important to remove the corresponding
Rogue host record so there is no conflict between the two records with the same MAC
address.

1. Select Users & Hosts > Hosts.
2. Use the Quick Search or Custom Filter to locate the appropriate host(s).
3. Select the hosts to be deleted.
4. Click Delete.

Enable or disable hosts

Use this option to disable or enable hosts. A message window appears indicating the successful disabling or enabling of
the host. When a host is disabled all of its adapters are disabled.
1. Select Users & Hosts > Hosts.
2. Use the Quick Search or Custom Filter to locate the appropriate host(s).
3. Select the hosts to be enabled/disabled.
4. Click either Enable or Disable.

Enabling and disabling hosts can be automated using events and alarm mappings. Specific
events, such as Possible Mac address Spoof, can be mapped to an alarm that has the action
"Disable Hosts" configured. See Add or modify alarm mapping on page 337.

If Security Incidents is enabled

The Security Incidents license must be enabled in order to use the following option.

When enabling a host that was disabled by a security alarm action, a dialog appears that provides the option to:
• Undo the security alarm on the host, which will also undo the associated actions on the host
• Enable the host while leaving the security alarm and its associated actions on the host.
Do one of the following:
• Click Yes to undo the security alarm on the host. This will undo the security alarm and the action(s) associated with
the security alarm on the host. The number of actions that were undone is displayed. Secondary tasks are
performed on the host, if enabled.
• Click No to enable the host but maintain the security alarm. All actions associated with the security alarm will remain
on the host.

Add hosts to groups

You can add selected host(s) to groups you have created. See Groups on page 345 for detailed information on Groups
and how they are used in FortiNAC. Only registered hosts can be added to groups.
IP phones have a special group type and can only be added to IP phone groups. If you select IP phones with other
registered hosts you will not be allowed to use the Add Hosts To Groups option. Select IP phones separately. Only IP
phone groups will be displayed.
1. Select Hosts > Hosts.
2. To select host(s) with specific parameters use the custom filter to set the criteria.
3. Use Ctrl-click or Shift-click to select the records you wish to add to the group.
4. Right-click and select Group Membership.


5. The Group Membership view lists the available host groups and sub-groups. Sub-groups are displayed under their
parent group or groups.
6. To add the hosts to a group, click the box next to the group name and then click OK.
7. To create a missing group:
a. Click Create Group.
b. Enter a group name.
c. If the new group should be a sub-group of an existing group, enable the Parent Group option and select the
appropriate group from the list.
d. Description is optional.
e. Click OK to save the new group.
8. Click OK.

Group membership

From the Host View, you can view or modify the group membership of an individual host. Use this option to open a
window that displays a list of all groups to which the selected host belongs.
IP phones have a special group type and can only be added to IP phone groups. If you select an IP phone only IP Phone
groups will be displayed.
1. Select Users & Hosts > Hosts.
2. To select host(s) with specific parameters use the custom filter to set the criteria.
3. Click on a host to select it.
4. Right-click or click Options and select Group Membership. The Group Membership option displays only for
registered hosts.
5. The Group Membership view lists the available host groups and sub-groups. Sub-groups are displayed under their
parent group or groups. A check next to a group name indicates that this host is contained in that group.
6. To add the host to a group, click the box next to the group name and then click OK.
7. To remove the host from a group, click to uncheck the box next to the group name and then click OK.
8. Click OK to save your group selections.

Set host expiration date

The expiration date on a host determines when it is automatically deleted or aged out of the database. Aging out of the
database can be triggered by an expiration date, the amount of time the host has been inactive or both. There are many
methods for setting an Expiration date. See Aging out host or user records on page 1 for information on other methods.
The Set Host Expiration Date feature is used from the Host View.
1. Select Users & Hosts > Hosts.
2. Use the Quick Search or Custom Filter to locate the appropriate host(s).
3. Select the hosts to be modified.
4. Right-click and select Set Host Expiration.
5. Use the table below to enter expiration criteria.
6. Click OK to set the expiration dates.
Set Host Expiration Settings


Field Definition

Set Host Expiration Enables the expiration date option and corresponding calculation methods.

Specify Date Allows you to select a specific date that the host will be aged out of the database.
Host age times are evaluated every ten minutes. If you specify a date and time, the host
may not be removed from the database for up to ten minutes after the time selected.

Days Valid From Now Enter the number of days from today that you would like the host to expire. The
expiration date is calculated based on this number.

Days Valid From This is the number of days from the date the host record was created. The expiration
Creation date is calculated based on this number.

No Expiration This host is never deleted from the database even if global or group aging options are
added or modified.

Default Expiration Defaults to the global aging settings configured in System > Settings > User/Host
Management > Aging.

Set Host Inactivity Limit Enables the option to delete a host based on the number of days that it did not log onto
the network.

Days Inactive Number of consecutive days the host must be inactive to be aged out of the database.
For example, if this is set to 4 days, and after 2 days the host connects to the network
again, the counter is restarted.

No Inactivity Limit With this option enabled, the host is never deleted from the database due to inactivity
even if global or group aging options are added or modified.

Default Inactivity Limit Defaults to the global aging settings configured in System > Settings > User/Host
Management > Aging.
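The expiration and inactivity behaviour described in the table above and in the Inactivity Date fields of the Host Properties view (the August 1st / August 3rd example), as an added Python model that is not FortiNAC's own code. The class and function names, the four expiration modes and the alignment of the ten-minute aging sweep are assumptions; the Default options that defer to the global aging settings are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

AGING_INTERVAL = timedelta(minutes=10)   # host age times are evaluated every ten minutes


@dataclass
class HostRecord:
    host_name: str
    created: datetime
    expiration_date: Optional[datetime] = None   # None = No Expiration
    inactivity_limit_days: Optional[int] = None  # None = No Inactivity Limit
    inactivity_date: Optional[datetime] = None   # blank while the host is connected
    online: bool = False


def set_expiration(host: HostRecord, mode: str, now: datetime, value=None) -> Optional[datetime]:
    """Apply one Set Host Expiration choice. Modes mirror the dialog (assumed names):
    'specify' (a datetime), 'from_now' (days), 'from_creation' (days), 'never'."""
    if mode == "specify":
        host.expiration_date = value
    elif mode == "from_now":
        host.expiration_date = now + timedelta(days=value)
    elif mode == "from_creation":
        host.expiration_date = host.created + timedelta(days=value)
    elif mode == "never":
        host.expiration_date = None
    else:
        raise ValueError(f"unknown expiration mode {mode!r}")
    return host.expiration_date


def on_connect(host: HostRecord, now: datetime) -> None:
    """A reconnect blanks the inactivity date until the host logs off again."""
    host.online = True
    host.inactivity_date = None


def on_disconnect(host: HostRecord, now: datetime) -> None:
    """Logging off starts the countdown: inactivity date = now + Days Inactive."""
    host.online = False
    if host.inactivity_limit_days is not None:
        host.inactivity_date = now + timedelta(days=host.inactivity_limit_days)


def should_age_out(host: HostRecord, now: datetime) -> bool:
    """True when either the expiration date or the inactivity date has passed."""
    if host.expiration_date is not None and now >= host.expiration_date:
        return True
    if host.inactivity_date is not None and now >= host.inactivity_date:
        return True
    return False


def removal_time(deadline: datetime, first_sweep: datetime) -> datetime:
    """The sweep at which a record whose date is `deadline` is actually removed.
    Assumption: sweeps run every AGING_INTERVAL starting at `first_sweep`, so a record
    can survive up to ten minutes past its date, as the Specify Date row notes."""
    if deadline <= first_sweep:
        return first_sweep
    sweeps_needed = -(-(deadline - first_sweep) // AGING_INTERVAL)   # ceiling division
    return first_sweep + sweeps_needed * AGING_INTERVAL


def aging_sweep(hosts: List[HostRecord], now: datetime) -> List[str]:
    """Names of the hosts the sweep at `now` would delete from the database."""
    return [h.host_name for h in hosts if should_age_out(h, now)]


if __name__ == "__main__":
    # Constructed scenario: a host with a 2-day inactivity limit logs off on August 1st,
    # logs back in on August 2nd, and logs off again that evening.
    lab_pc = HostRecord("lab-pc", created=datetime(2023, 7, 1), inactivity_limit_days=2)
    on_disconnect(lab_pc, datetime(2023, 8, 1, 9, 0))
    print("after logoff Aug 1:", lab_pc.inactivity_date)      # Aug 3 09:00
    on_connect(lab_pc, datetime(2023, 8, 2, 9, 0))
    print("after login Aug 2:", lab_pc.inactivity_date)       # None (blank)
    on_disconnect(lab_pc, datetime(2023, 8, 2, 18, 7))
    print("removed at sweep:", removal_time(lab_pc.inactivity_date, datetime(2023, 8, 4)))
```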

Send a message to a host

You can send a text message to the selected host from the Host View.
• If the host is online (connected) the message is sent.
• If the host is offline when the message is sent, by default the message expires immediately. If you set a specific
expiration time, the message remains active until either the host comes online or the message lifetime is reached.
• If the message is still active when the host comes online, the message is delivered. Otherwise, the host does not
receive the message.
1. Select Users & Hosts > Hosts.
2. Use the Quick Search or Custom Filter to locate the appropriate host(s).
3. Click the host(s) to select them. Right-click and select Send Message.
4. Enter the message in the Message block.
5. Optionally, enter a Web Address that will be sent as part of the message.
6. This web address must include the scheme, such as http:// or ftp://. The page must also be in a location that the
host(s) can access from their VLAN, such as Remediation, Quarantine, Dead End, or other. For example, if a host is
in Remediation, the web page must be accessible from the Remediation VLAN.

7. Click the radio button next to the Message Lifetime option and enter the required information.

Options Description

Expires after sending to The message expires immediately after it has been sent.
currently connected users

Expires after The message expires after the specified amount of time.
Enter a number and select the timeframe of Minutes, Days, or Hours. The message
remains active on the server for the selected timeframe.
The server sends the message the next time it communicates with a host as long as
communication occurs before the message expires.

Expires at The message expires on the specified date and time. The format is MM/DD/YY hh:mm
AM/PM. The message remains active on the server until the specified date and time.
The server sends the message the next time it communicates with a host as long as
communication occurs before the message expires.

The server can only send messages to hosts it is communicating with that have the
Persistent Agent installed or are registered with the Mobile Agent.

8. Click OK.

Adapter View

Adapter View is part of a window that includes menu options for users, adapters, hosts, and applications. Use the
adapter view to locate and manage adapters connected to your network.
The relationship between users, hosts, and adapters is hierarchical. Users own or are associated with one or more
hosts. Hosts contain one or more Adapters or network interfaces that connect to the network. By displaying User, Host
and Adapter data in a group, the relationships are maintained. For example, if you search for a host with IP address
192.168.5.105, you are in fact searching for the IP address of the adapter on that host. When the search displays the
host, you can click the Adapters option; the search is automatically re-run and you see the adapter itself. If there is an
associated user, you can click the Users option to re-run the search and see the associated user.
Hover over the icon in the Status column to display a tooltip with detailed information about this adapter. For settings,
see View and search settings on page 148. For information on status icons, see the Icons on page 1.
The Displayed and Total fields in the title bar represent the number of records displayed versus the total number of
records in the database.

Navigation, menus, options, and buttons

Some menu options are not available for all adapters. Options may vary depending on adapter state.
Double-click on an adapter to display adapter properties.

Field Definition

Navigation Across the top of the Adapters tab are navigation tools that allow you to quickly move
through large numbers of records. These tools include the following:
l <<first: Takes you to the first page of records.
l <prev: Takes you back one page.
l Page Number: Current page number is displayed.
l next>: Takes you forward one page.
l last>>: Takes you to the last page.
l Drop-down Box: Allows you to select the number of records to be displayed on each page.

Quick Search Enter a single piece of data to quickly display a list of adapters. Search options include:
IP address, MAC address, host name, User Name, and user ID. The drop-down arrow on
the right is used to create and use custom filters.
If you are doing a wildcard search for a MAC address, you must include colons as
separators, such as 00:B6:5*. Without the separators the search cannot
distinguish that the value is a MAC address.
When Quick Search is enabled, the word Search appears before the search field. When
a custom filter is enabled, Edit appears before the search field.

Right click options

Adapter Properties Opens the Properties window for the selected adapter. See Properties on page 149.

Disable Adapters Disables the selected adapter(s) preventing them from accessing the network. See
Enable or disable an adapter on page 149.

Enable Adapters Enables the selected adapter(s) if they were previously disabled. Restores network
access.

Modify Adapter Opens the Modify Adapter window for the selected adapter. See Modify an adapter on
page 150.

Port Properties Opens Port Properties for the port where the selected adapter is connected. See Port
properties on page 1.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add
an administrator profile on page 55.

Enable Hosts Enables the host(s) associated with the selected adapter(s) if they were previously
disabled. Restores network access.

Disable Hosts Disables the host(s) associated with the selected adapter(s) and all of its other adapters
preventing them from accessing the network. See Enable or disable an adapter on
page 149.

Host Health Opens a dialog with the contents of the Host Health tab from the Host Properties view.
See Host health and scanning on page 135.

Host Applications Opens the Applications window for the selected host and lists installed applications.
See Application inventory on page 137.

Go To Host(s) Opens the Hosts tab and displays the hosts associated with the selected adapters.

Show Network Sessions View the list of sessions on the adapter. For more information, see Network sessions on
page 1.

Modify Host Opens the Modify Host window for the host associated with the selected adapter.
Applies only to registered hosts.

Register As Device Changes the host associated with the selected adapter to a device in the FortiNAC
database. See Register a host as a device on page 1.

Register As Host Changes the Rogue host associated with the selected adapter to a registered host.
Displays the Modify Host window. See Modify a host on page 139.

Scan Hosts Scans the associated host with the Security Policy that applies to the host at that
moment. The host must be online and must have a Persistent Agent. If the host is online
but does not have a Persistent Agent, it is marked "at risk" for the Security Policy that
most closely matches the host at the moment.

Run NMAP Scan Determines open ports and the operating system of the device being scanned.

Send Message Sends a text box message to the associated host(s). User can send messages to hosts
with the Persistent Agent or Mobile Agent installed. See Send a message to a host on
page 144.

Set Host Expiration Launches a tool to set the date and time for the associated host(s) to age out of the
database. See Set host expiration date on page 143.

Set Host Role Assigns a role to the associated host.

Create Device Profiling Displays the Add Device Profiling Rule dialog with some information pre populated from
Rule the selected Adapter.

Test Device Profiling Rule Tests the selected adapter against a device profiling rule and reports whether it matches.
Note: The test uses data currently stored in the database (such as IP address information)
and does not attempt to update this information before running the test.

Go To User(s) Opens the Users tab and displays the users associated with the selected adapters.

Set User Expiration Launches a tool to set the date and time for the user associated with the selected
adapter to age out of the database. See Set user expiration date on page 82.

Reprofile Rogue(s) Runs the device profiling rules against the selected rogue(s).

Set User Role Assigns a role to the user associated with the selected adapter. See Roles on page
291.

Buttons

Import/Export Use Import and Export options to import hosts into the database from a CSV file or
export a list of selected hosts to CSV, Excel, PDF, or RTF formats. See Import hosts,
users or devices on page 1 or Export data on page 1.

Options Displays the same series of menu picks displayed when the right-mouse button is
clicked on a selected host.

View and search settings

The fields listed in the table below are displayed in columns on the Adapter View based on the selections you make in
the Settings window. These fields are also used in custom filters to search for adapters. See Search and filter options on
page 1. Additional fields that can be displayed on the Adapter View are fields for the user or the host associated with the
selected adapter.

Settings

Field Definition

Access Value Name or number of the network access identifier given to this adapter based on the
state of the host and the device to which the adapter is connected, such as VLAN ID,
VLAN Name or Aruba Role.

Description Free form notes entered by the Administrator about this adapter.

IP address The primary IP address assigned to this adapter that is used to communicate with
FortiNAC. If the adapter is offline, this is the last known IP address for the adapter.
Supports both IPv4 and IPv6 addresses.

All IPs All IP addresses assigned to the adapter. Supports both IPv4 and IPv6 addresses.
l For IPv6, all addresses used for IPv6 communication will be displayed.
l For IPv4, IP addresses used for registration, remediation, isolation, etc., will be
displayed along with the production IP until a L3 poll determines the single IP being
used.
l Depending on the ARP cache aging of the L3 device itself and the interval at which
FortiNAC polls it, multiple production IP addresses may be displayed
simultaneously for an adapter.

Location Name of the switch and port where this adapter is connected to the network. If the
adapter is offline, this is the last known location where the adapter connected to the
network.

Media Type Indicates whether this is a wired or wireless adapter.

Physical Address MAC address of the adapter.

Status Current or last known status is indicated by an icon, see Icons on page 1. Hover over
the icon to display additional details about this adapter in a tool tip.
l Connected: Indicates whether the host is online or offline.
l Access: Indicates whether the host is enabled or disabled.
l Valid Physical Address: Indicates whether or not the system knows the MAC
address for the adapter that has connected to the network.

Vendor Name Name of the vendor that matches the vendor OUI for this device.

Properties

The Adapter Properties view provides access to detailed information about a single adapter. From this view you can
access the associated user's properties by clicking on the User tab or the associated host by clicking on the Host tab.
Adapter properties also provides access to the Device Identity tab. See Device identity on page 1.
1. Select Users & Hosts > Adapters.
2. Search for the appropriate adapter.
3. Select the adapter and right-click.
4. From the menu, select Adapter Properties.

Settings

Field Description

IP address IP address assigned to the adapter. This field displays the last known IP address until a
new one is found. If the adapter no longer has an IP address, the last known IP will
continue to display.

Physical Address MAC address of the adapter.

Location Switch and port where the adapter is connected to the network.

Media Type Indicates whether this is a wired or wireless adapter.

Adapter Status Radio buttons indicating whether the adapter is Enabled or Disabled. To enable or
disable the adapter, click the appropriate button and then click Apply.

Description Free form notes section for the administrator.

Apply Saves changes to the adapter properties.

Reset Resets the values in the Adapter Properties window to their previous settings. This
option is only available if you have not clicked Apply.

Enable or disable an adapter

Use this option to disable or enable adapters. A message window appears indicating the successful disabling or
enabling of the selected adapters. If a host has more than one adapter, only the selected adapter is disabled.
1. Select Users & Hosts > Adapters.
2. Use the Quick Search or Custom Filter to locate the appropriate adapter(s).
3. Select the adapters to be enabled/disabled.
4. Click either Enable or Disable at the bottom of the Adapter View.

Modify an adapter

1. Select Users & Hosts > Adapters.


2. Search for the appropriate adapter.
3. Select the adapter and either right-click and select Edit or click Edit at the top of the view.
4. The Physical Address field cannot be modified.
5. Click in the Media Type field and select either Wired, Wireless or Unknown.
6. In the Description field, enter any notes on this adapter.
7. Click OK to save your changes.

Locate

Use this option to locate hosts or users.

Option Description

Registered Hosts/Devices

Search Type Drop down menu with the following options:
Devices - Search only records that are registered as a device
Hosts/Users - Search only user records and records that are registered as a host
All - Search all records

Server List List of servers being managed. Select one or more servers to be included in the
search.
Click Select All to select all servers to be included in the search.
Click Save Server Selections to save the list of servers you have selected for the
search.

Name The last name of a user associated with the registered host or the vendor name of
a rogue host.

Name (v7.2.6 and greater): The last name of a user associated with the registered host, the host's vendor
name or host name. The wildcard (*) option is also available.

IP Address The IP Address of the host machine.

Additional Adapter Info

MAC Type The MAC Type for the host. The available options are: Invalid, Valid or Both.

Connect State The Connect State of the adapter. Options include: Both, Offline or Online.

Access The Access state of the adapter. Options include, Enabled, Disabled or Both.

Physical Address The MAC Address of the adapter on the host.

Media Type Searches the Media Type field in the Adapter Properties. Typically this would be
either wired or wireless.

Access Value Directory Attribute used when determining which security policy the hosts are
scanned against. Data contained in this field is copied from the user's account in
the directory to the Security and Access value field on the User, Host and Adapter
Properties. It can also be entered manually.

Additional Host Info

Host Name Name of the host machine.

Agent Version Version number of the Persistent or Dissolvable Agent on the host.

Operating System Operating system on the host.

Hardware Hardware type of the host machine.

Host Type Narrow the search by a specific type of host: All, IP Phone, Registered or Rogue.

Authenticated State Include hosts on which a user has Authenticated, Not-authenticated or Both.

Security State Include hosts that are Safe, At Risk or Both.

Persistent Agent The Persistent Agent usage of the host. Options include:
No Agent — Hosts with no agent.
Agent — Hosts using the Persistent Agent.
Both — Hosts using either the Persistent Agent or the Dissolvable Agent.

Connect State The Connect State of the adapter. Options include: Both, Offline or Online.

Access The Access state of the host. Options include, Enabled, Disabled or Both.

Host Role Name of the Role assigned to the host. Roles are used to group hosts and control
their access to the network.

Security & Access Value Directory Attribute used when determining which security policy the hosts are
scanned against. Data contained in this field is copied from the user's account in
the directory to the Security and Access value field on the User, Host and Adapter
Properties. It can also be entered manually.

Additional User Info

First Name First name of the user associated with the host.

User ID Unique alphanumeric ID. Typically comes from the directory but if you are not
using a directory, this field can be created manually.

Title User's title, this could be a form of address or their title within the organization.

User Type Searches both Admin Users and network users. Options include: All,
Administrative, Administrator, Operator or Helpdesk. To search network users and
guests or contractors, select All.

Sponsor If the administrative user performing the search has Sponsor privileges, their User
Name may be filled in this field. Depending on permissions, a Sponsor's search
may be limited to the hosts they created.
Sponsors with the ability to view all accounts can use this field to find hosts
created by a specific Sponsor by entering that Sponsor's User Name in this field.

User Role Name of the Role assigned to the user. Roles are used to group users and control
their network access.

Access The Access state of the user. Options include, Enabled, Disabled or Both.

Security & Access Value Directory Attribute used when determining which security policy the hosts are
scanned against. Data contained in this field is copied from the user's account in
the directory to the Security and Access value field on the User, Host and Adapter
Properties. It can also be entered manually.

Device profiling rules

Device profiling rules are used by the device profiler feature to categorize rogue hosts that connect to the network. As a
rogue connects to the network and receives an IP address its information is compared to all methods within each
enabled rule in turn until a match is found. The rogue device can be managed in a variety of ways depending on the
configuration of the rule.
Any of the following scenarios could result from a match.
l The rogue matches a rule and is placed in the Inventory as a device. It cannot be seen in the Profiled Devices
window and cannot be managed by a Device manager. Future rules cannot be run against this device unless it is
deleted from the system and becomes a rogue again when it connects to the network.
l The rogue matches a rule and is registered. It is displayed in the Host View as a registered host and can be seen in
the Profiled Devices window. It remains associated with the matching rule and can be managed by a Device
manager. Future rules cannot be run against this device unless it is deleted from the system and becomes a rogue
again when it connects to the network.
l The rogue matches a rule and is registered. It is displayed in the Host View as a registered host and is associated
with a specific user, thus creating an identity for that device. It is removed from the Profiled Devices window and
cannot be managed by a Device manager. Future rules cannot be run against this device unless it is deleted from
the system and becomes a rogue again when it connects to the network.
l The rogue matches a rule, but the rule is not configured to place the device in Inventory or Host View. The device
remains a rogue, but is associated with the rule. Future rules can be run against this device as long as it remains
unregistered. The device can be seen in the Profiled Devices window. If Notify Sponsor is enabled, the Device
manager receives an e-mail that there was a match. The device can be managed by the Device manager. The
Device manager can register the device which places it in the Host View or can delete the device. An administrator
can access the device in the Host View and change it to a device if it needs to be in Inventory.
Device profiler does not see devices that are no longer rogues and cannot match those devices with new or
modified rules.
In summary, Devices placed in the Inventory only cannot be seen in the Profiled Devices window. Devices placed in the
Host View display in the Profiled Devices window until the device is associated with a user. Devices placed in both Host
and Inventory display in the Profiled Devices window until the device is associated with a user.

Host view vs. Inventory

Device profiling rules can be used to place rogue devices in the Host View, in Network > Inventory, or both. There are
certain advantages to each option that should be kept in mind when determining where to place a device.
Devices that are kept in the Host View have a connection history and can be associated with a user. Devices that are
placed in the Inventory can be polled for their connection status. Devices that are not connected display in red on the
Inventory. If the connection to the device fails, events and alarms can be configured to notify you that the device is no
longer communicating.

Managing rules

The Device Profiling Rules view displays the default set of rules provided. Use this window to modify the default rules or
to create your own set of rules. Default rules vary depending on the version of the software and the firmware installed.
Upgrading to a newer version of the software does not add or modify default rules.
Disabled rules are ignored when processing rogues. Device Profiling rules are disabled by default and are set not to
register devices. When you are ready to begin profiling, enable the rule or rules you wish to use.
Enabling certain rules could result in all unregistered devices on your network being displayed in the Profiled Devices
window. Review each rule carefully before enabling it.
The Catch All rule is always at the end of the list and its rank cannot be changed. As new rules are added they are
inserted into the list immediately above the Catch All rule. This guarantees that all rogues profiled by device profiler are
associated with a rule and can be managed by an administrator with the appropriate administrator profile, a Device
manager. Device managers cannot manage devices that are not associated with a rule. This rule has no identification
methods and no device type.
Device profiling rules created on the FortiNAC will be ranked above global device profiling rules created on the NCM.
The rank of a local Device Profiling Rule can be adjusted above or below another local Device Profiling Rule, but cannot
be ranked below a global Device Profiling Rule. The rank for a global Device Profiling Rule cannot be modified from the
FortiNAC.

Settings

An empty field in a column indicates that the option has not been set.

Field Definition

Add Add a device profiling rule. See Adding a Rule.

Modify See Adding a Rule.

Delete See Deleting a Rule.

Copy See Copying a Rule.

Run Used to re-run the device profiler process when rules have been modified or added.
Devices that have already been categorized are not affected. Only rogues that
remain in the Host View are processed. If rules are set to notify Device managers via
e-mail when rogues connect, processing existing rogues triggers those e-mails
again.
Rogues that are no longer connected are ignored.

Import Imports device profiling rules from a selected XML file. No other file type is accepted.

Export to Exports the displayed data to a file of the selected type in the default downloads
section. File types include CSV, Excel, PDF, RTF, and XML.

Rank Moves the selected rule up or down in the list. Devices are compared to rules in
order by rank.

Set Rank Button Allows you to type a different rank number for a rule and immediately move the rule
to that position. In an environment with a large number of rules this process is faster
than using the up and down Rank buttons.
Rank can only be set on local policies, rank changes for global policies must be
done at the NCM.

Enable/Disable Enables or disables the selected rule. If a rule is disabled it is not used when
processing a rogue host.

Rogue Evaluation Queue Size Indicates the number of Rogues waiting to be processed by the device profiling
rules. The queue is filled by Rogues as they connect to the network. If you select
Run, any rogues that were not previously categorized are added to the queue
immediately. This number moves up and down as the system processes rogues.

Name User defined name for the rule.

Type Device type that is assigned when the rule is a match for a rogue host.

Registration Indicates whether devices matching this rule are registered automatically or
manually.

Methods The method or methods used to identify a device. Methods include: IP Range,
DHCP Fingerprinting, Location, TCP, NMAP, Passive Fingerprinting,
RADIUS Request, Vendor OUI and UDP.

Register as Device When a device is registered it can be placed in the Host View, the Inventory, or both.
This column indicates where the device is placed when it is registered. If the column
is blank, then the registration option has not been set for this rule.

Notify A green check mark indicates that Notify is enabled. When a new device is detected
and it matches this rule, an email is sent to all Device managers that have this rule
associated with their administrator profile.
A red circle indicates that the Notify option is disabled.

Role Role assigned to devices matching this rule.

Access Availability Times that devices matching this rule are permitted to access the network. Devices
matching this rule are marked "At Risk" for the Guest No Access admin scan
during the times they are not permitted to access the network.

Add to Group Devices matching this rule are added to the group displayed. Add to Group is only
available for devices that are added to the Host View.

Container Devices matching this rule are added to the Container displayed. Devices can only
be placed in a Container if they are being added to the Inventory.

Confirm Rule On Connect If enabled, device profiler confirms that previously profiled devices associated with
this rule still match this rule the next time they connect to the network. A green check
mark indicates that the option is enabled. A red circle indicates that the option is
disabled.

Confirm Rule Interval If enabled, device profiler confirms at set intervals that previously profiled devices
associated with this rule still match this rule.

Confirmation Failure Action If enabled, device profiler disables previously profiled devices that no longer match
their associated rule.

Last Modified By User name of the last user to modify the rule.

Last Modified Date Date and time of the last modification to this rule.

Right click options

Copy Copy the selected Rule to create a new record.

Delete Deletes the selected Rule(s). Removes the association between that rule and the
devices it matched. Devices associated with deleted rules will no longer display in
the Profiled Devices window.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.
You must have permission to view the admin auditing log. See
Add an administrator profile on page 55.

Modify Opens the Modify Device Profiling Rule window for the selected rule.

Best practices

The configuration of Device Profiling rules should be considered carefully to optimize performance. The list below
outlines concepts that should be taken into account when configuring rules.
1. When a device or host connects to the network, the device profiling rules are checked in order starting with the rule
ranked number 1. The order of the rules is important. For the best performance, it is recommended that you rank
rules based on the Methods used to categorize devices and hosts as follows: OUI rules first, DHCP rules next and
Active, TCP/UDP port, IP Range, Location rules last.
In an environment where static IP addresses are used, DHCP rules should be at the end of the list. Devices with
static IP addresses do not send out DHCP broadcast packets. Therefore, FortiNAC will never receive a DHCP
fingerprint for those devices and the profiling process will not continue past the DHCP rules.
It is recommended that you set up IP Helper addresses for DHCP on your routers when using DHCP fingerprinting.
Use the IP address of eth0 on the FortiNAC Server or the Application Server. Do not use the IP address of the
FortiNAC Control Server.
2. The device information necessary to compare against a rule must be available for device profiler to move from one
rule to the next. If the information required to evaluate a rule is unavailable, the evaluation of that device ends. For
example, if the IP address of the device cannot be determined, device profiler cannot move past any rule that uses IP
address as match criteria. Device profiler does not skip the rule and continue with the next one because
combinations of rules would then not work. In the example below, if device profiler skipped the first rule because
the TCP port could not be found, the Apple iPhone would be miscategorized. Because the rule is not skipped, the
Apple iPhone remains uncategorized and the user can either manually determine what the device is or adjust the
rules to catch it.

Example:

This example outlines how two rules can be used together to provide greater accuracy when profiling devices.
Apple iPhone and Mac OS fingerprints tend to be almost identical, but the iPhone can be distinguished by a TCP
port, which can be used in a rule to identify that device. In this case, you create two rules: the first identifies
iPhones by scanning for the iPhone TCP port and the second matches Mac OS in general. The iPhone rule is
more granular and is ranked first, so it catches the phone before the Mac OS rule categorizes it.
3. OUI only rules are the quickest to process because no outside data is necessary.
4. Rules that require an IP address take longer to process because the FortiNAC server may need to read the DHCP
leases file or layer 3 tables from the routers.
5. Device profiler uses the latest IP address from the IP-to-MAC cache, if the IP address exists. It does not rely on the
IP address seen in the Adapter View because it may be stale. If the IP address does not exist in the cache,
FortiNAC starts an IP-to-MAC lookup on all L3 devices. FortiNAC stops the lookup as soon as the address is
found; therefore, in most cases not every L3 device will be polled. If the FortiNAC server is not properly configured
to read layer 3 from the routers, Device Profiling rules that require an IP address may fail.
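As an added illustration of the evaluation order described in the list above (example code, not FortiNAC's implementation), the following Python walks a ranked rule set the way items 1, 2 and 5 describe: a rule matches only if all of its methods match, a rule whose method needs data the rogue record does not yet have (no IP address, no TCP scan result) halts evaluation instead of being skipped, disabled rules are ignored, and the Catch All rule is last. It also models the Confirm Rule On Connect / On Interval and Confirmation Failure Action settings from the Device Profiling Rules table. The rule names, OUI, DHCP fingerprint strings, port numbers and MAC addresses are constructed sample data; the `Rogue` and `Rule` structures, the method names, and the order in which methods inside one rule are checked are assumptions.

```python
"""Ranked device profiling rule evaluation: added example, not FortiNAC code.
Rule names, OUIs, DHCP fingerprint strings, ports and MACs are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


class DataUnavailable(Exception):
    """A method needs an attribute FortiNAC has not (yet) learned for this rogue."""


@dataclass
class Rogue:
    mac: str
    ip: Optional[str] = None                         # None: IP not yet determined
    dhcp_fingerprint: Optional[str] = None           # None: no DHCP packet seen
    open_tcp_ports: Optional[FrozenSet[int]] = None  # None: no TCP/NMAP data yet


@dataclass
class Rule:
    rank: int
    name: str
    device_type: str
    methods: Dict[str, object] = field(default_factory=dict)  # all must match
    enabled: bool = True


def _need(value, what):
    if value is None:
        raise DataUnavailable(what)
    return value


def method_matches(method: str, criteria, rogue: Rogue) -> bool:
    if method == "vendor_oui":
        # Needs no outside data: the OUI is the first three octets of the MAC.
        return rogue.mac.upper().replace("-", ":")[:8] in {c.upper() for c in criteria}
    if method == "dhcp_fingerprint":
        return _need(rogue.dhcp_fingerprint, "DHCP fingerprint") in criteria
    if method == "tcp":
        return set(criteria) <= _need(rogue.open_tcp_ports, "TCP port scan")
    if method == "ip_range":
        ip = ipaddress.ip_address(_need(rogue.ip, "IP address"))
        return any(ip in ipaddress.ip_network(net) for net in criteria)
    raise ValueError(f"unknown method {method}")


def rule_matches(rule: Rule, rogue: Rogue) -> bool:
    # Assumption: methods are checked in listed order and stop at the first
    # non-match, so later methods only need their data if earlier ones matched.
    return all(method_matches(m, c, rogue) for m, c in rule.methods.items())


def profile(rogue: Rogue, rules: List[Rule]) -> Tuple[Optional[str], str]:
    """Walk the rules by rank. Returns (matched rule name or None, status)."""
    for rule in sorted(rules, key=lambda r: r.rank):
        if not rule.enabled:
            continue                         # disabled rules are ignored
        try:
            if rule_matches(rule, rogue):
                return rule.name, "matched"
        except DataUnavailable as missing:
            # Documented behaviour: do NOT skip to the next rule. The rogue stays
            # uncategorized so a coarser rule below cannot misclassify it.
            return None, f"stopped: {missing} unavailable"
    return None, "no match"                  # unreachable with Catch All enabled


def reconfirm(rogue: Rogue, rule: Rule, disable_on_failure: bool) -> str:
    """Confirm Rule On Connect / On Interval for an already-profiled device."""
    try:
        if rule_matches(rule, rogue):
            return "still matches"
    except DataUnavailable:
        # The guide does not say what happens here; this example takes no action.
        return "undetermined"
    return "disable" if disable_on_failure else "mismatch reported"


# Constructed sample rule set: the OUI rule first (cheapest), the granular
# iPhone rule above the broader Mac OS rule, the IP-range rule later, Catch All last.
RULES = [
    Rule(1, "VMware guest", "Virtual Machine", {"vendor_oui": {"00:50:56"}}),
    Rule(2, "Apple iPhone", "Mobile Device",
         {"dhcp_fingerprint": {"apple-shared"}, "tcp": {62078}}),
    Rule(3, "Mac OS", "Mac OS X", {"dhcp_fingerprint": {"apple-shared"}}),
    Rule(4, "Lab printers", "Printer", {"ip_range": {"10.10.0.0/24"}}),
    Rule(99, "Catch All", "", {}),           # no methods: matches every rogue
]

if __name__ == "__main__":
    unscanned = Rogue("DC:A9:04:00:00:02", "10.0.0.6", "apple-shared")
    print(profile(unscanned, RULES))   # (None, 'stopped: TCP port scan unavailable')
```

Running `profile` on an Apple device whose TCP scan has not completed returns `(None, 'stopped: TCP port scan unavailable')` instead of falling through to the broader Mac OS rule; disabling the iPhone rule makes the same device match Mac OS, which is the miscategorization item 2 warns about. A rogue with no IP address stops at the first IP Range rule, as item 5 describes, while an OUI-only match needs no IP or DHCP data at all.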

Adding a rule

1. Go to Users & Hosts > Device Profiling Rules.
2. Click Add.
3. In the General tab, select Enabled.
4. Enter a Name, Description, and Note.
5. (Optional) Select Notify Sponsor. If selected, administrators with permission to manage devices associated with
this rule are notified when a new device matches the rule.
6. Use the table below to configure Registration Settings:

Registration Automatic: The device is registered immediately if the Register as option is
selected.
Manual: The device is registered manually from Profiled Devices. Register
as must be selected in order to manually register the device.

Type Select the device category in which a device matching this rule is placed.

To create a new type, click the icon next to the field.

Role If you are using role-based access for hosts and devices managed in
Inventory, select the role that controls access to the network for this device. If
you are not using role-based access, select NAC-Default.

To create a new role, click the icon next to the field.

Register as Select where the registered device is placed. Options include:
l Device in Host View
l Device in Topology (if you select this option, select the Container)
l Device in Host View and Topology (if you select this option, select the Container)
l Host to User (if you select this option, enter the User ID)
l Host to Logged In User (If Present)

If the device is an access point and you register it in Host View, it is removed
from Host View and moved to Inventory after the first poll. It is also removed
from the concurrent license count once it is recognized as an access point.

Add to Group Select this option to add the device to a group. This option is not available if
Register as is set to Device in Topology.

To create a new group, click the icon next to the field.

Access Availability Determine when devices that match this rule are permitted to access the
network. You can either select Always or specify a time.

7. Select the appropriate Rule Confirmation Settings:
l Confirm Device Rule On Connect: Check that a previously profiled device still matches the rule every time it
connects.
l Confirm Device Rule On Interval: Check that a previously profiled device still matches the rule at regular time
intervals. You can set the interval for a set number of minutes, hours, or days.
l Disable Device If Rule No Longer Matches Device: Disable a previously profiled device if it no longer
matches the rule.


8. In the Methods tab, select one or more methods to use for device identification. The device must meet the criteria
established for all of the methods selected to match the rule.
Use the table below to select the method(s):

Active Select a method to determine rule matching:


l Match Type

l Match Custom

If you select Match Custom, enter either an exact string or regular expression to
match.

DHCP Fingerprinting It is recommended to set up IP helper addresses for DHCP on routers when using
DHCP fingerprinting.
When evaluating a host using the DHCP fingerprint method, FortiNAC compares the
last DHCP packet received. Previous entries evaluated are considered historical.
Select a method to determine rule matching with DHCP:
l Match Type
l Match Custom Attributes
o Fields left blank are ignored.
o For best performance, make custom strings only as specific as necessary to
match appropriately:
i. Define a parameter list. Avoid wildcarding the parameter list
(example: 1,3,252,42,*).
ii. If the criteria are not specific enough to match properly, add hostname or
vendor class second.
iii. If the criteria are still not specific enough with parameter list and hostname or
vendor class, add "Option List" or "Message Type".


HTTP/HTTPS Determine rule matching by sending an HTTP/HTTPS request. Select the Protocol,
Port, and Path used to send requests to the device.
If required, select Authentication and enter user credentials.
(Optional) Select Match and enter a response message. If you enter multiple
response values, the device matches if any of the values are found.

IP Range Click Add and enter an IP range to match.
Examples:
Starting IP: 10.10.124.140, Ending IP: 10.10.124.180
Wildcard examples:
Starting IP: 10.10.124.*, Ending IP: 10.10.125.*
Starting IP: 10.10.*.140, Ending IP: 10.10.*.180
Starting IP: *.*.*.140, Ending IP: *.*.*.180

Location Click Add and select the container(s) to match.

Passive Select a Match Type to use with passive fingerprinting.

Persistent Agent Set Match Type to an operating system. To use this method, devices must have a
FortiNAC agent installed.
To register hosts running the Persistent Agent using this method, you must disable
registration under Persistent Agent Properties. For more information, see
Credential configuration on page 1.

RADIUS Requests Local RADIUS Access Requests add endpoint fingerprints that can be used in
Device Profiling rules to profile devices post-connect.

SNMP Determine rule matching by sending an SNMP GET request for the OID specified.
l OID: Enter the OID to be queried (required). Example: 1.3.6.1.2.1.1.1.0
l Port: Enter the port used for SNMP (required; the default is 161).
l Under SNMP V1/V2c and/or SNMP V3 (required): Click Add and enter
security credentials. If multiple credentials are entered, the device matches if
any of the credentials succeed.
(Optional) Select Match and enter a response string. If you enter multiple string
values, the device matches if any of the values are found.

SSH Determine rule matching by sending an SSH client session request.
Credentials: Click Add and enter user credentials. If you enter multiple credentials,
the device matches if any of the credentials are found.
Commands: Click Add and enter commands for the request. The possible
commands are:
l expect: A regular expression string that matches the response from the
device.
l send: A string sent to the device. It may contain the keywords %USERNAME%
and %PASSWORD%, which are replaced with the credentials in use.
A series of commands can be configured as an automated way to interact with the
CLI on the device. The commands are executed in order, starting from the top.
Only a single command can be executed at a time. Multiple commands cannot be
chained together (pipes "|" are not supported).
Example
expect: User Name:
send: %USERNAME%\n
expect: Password:
send: %PASSWORD%\n
expect: Dell-3324#
send: show system\n
(Optional) Select Match and enter a response string. If you enter multiple string
values, the device matches if any of the values are found.

TCP Click Add and enter a TCP port to match. You can enter multiple ports, separated by
commas, or a port range using a hyphen. If you enter multiple ports, all ports must
match.

Telnet Determine rule matching by sending a telnet client session request.
(Optional) Click Add and enter user credentials. If you enter multiple credentials, the
device matches if any of the credentials are found.
Click Add and enter commands for the request. The possible commands are:
l expect: A regular expression string that matches the response from the
device.
l send: A string sent to the device. It may contain the keywords %USERNAME%
and %PASSWORD%.
(Optional) Select Match and enter a response string. If you enter multiple string
values, the device matches if any of the values are found.

UDP Click Add and enter a UDP port to match. You can enter multiple ports, separated
by commas, or a port range using a hyphen. If you enter multiple ports, all ports
must match.

Vendor OUI Determine rule matching using the vendor OUI.
Click Add to configure an OUI. You can add the following field types:
l Vendor Code: To use a vendor code, enter the first characters in the code,
then select a code from the available list.
l Vendor Name: To use a vendor name, enter the first characters in the name,
then select a name from the available list. You can use a wildcard (*) at the
beginning and end of the vendor name.
l Vendor Alias: Enter a vendor alias that exists in the FortiNAC vendor
database. You can use a wildcard (*) at the beginning and end of the vendor
alias.
l Device Type: Select a device type. If you select this option, the device type
associated with the connecting device must match the device type for the
vendor in the FortiNAC database.
For more information, see Vendor OUIs on page 382.
Note: Invalid Physical Addresses: If the MAC address matches a rule, the host is
registered regardless of whether the vendor OUI is in the database. Device Profiler
does not check whether the MAC address is valid.


WinRM Determine rule matching by sending a WinRM client session request.


Click Add and enter user credentials. If you enter multiple credentials, the device
matches if any of the credentials are found.
Click Add and enter commands for the request.
(Optional) Select Match and enter a response string. If you enter multiple string
values, the device matches if any of the values are found.
For more information on requirements and setup, see WinRM Device Profile
Requirements and Setup on page 162.

WMI Profile Determine rule matching by sending a WinRM or SSH client session request and
creating a WMI profile.
Set Protocol to WinRM or SSH and enter the Port.
Click Add and enter user credentials. If you enter multiple credentials, the device
matches if any of the credentials are found.
Additional options allow you to match specific versions of Microsoft Windows,
installed applications, Windows Service statuses, running processes, serial
numbers, and asset tags (with wildcard matching).
For more information on requirements and setup, see WinRM Device Profile
Requirements and Setup on page 162.

Network Traffic Determine rule matching using network flow.


Set Protocol to TCP, UDP, or Other.
Enter the Destination Port.
(Optional) Enable Apply Destination as Source Device and enter the
Destination IP.
You must configure firewall session polling to use this method. For more
information, see Firewall session polling on page 1.

FortiGate Select a method to determine rule matching using information from firewall
sessions:
l Match Type

l Match Custom

If you select Match Custom, enter either an exact string match or regular
expression to match.
You must configure firewall session polling to use this method. For more
information, see Firewall session polling on page 1.

ONVIF Determine rule matching using ONVIF.
l Select Add to define the ONVIF profiles that the device must support.
o Profile A - For products used in an electronic access control system.
o Profile C - For door control and event management systems.
o Profile G - For IP-based video systems (e.g., an IP network camera or
video encoder).
o Profile Q - For IP-based video systems; provides quick discovery and
basic configuration of Profile Q conformant products (e.g., network
camera, network switch, network monitor) on a network.
o Profile S - For IP-based video systems (e.g., an IP network camera or
video encoder).
o Profile T - For IP-based video systems. Profile T supports video streaming
features such as the use of H.264 and H.265 encoding formats.
l (Optional) Select Match and enter a response string. If you enter multiple string
values, the device matches if any of the values are found.

FortiGuard This method pulls IoT device information from the FortiGuard IoT Service based on
the MAC address.
Note:
l Requires a FortiCare support contract to enable the FortiGuard IoT Service.
Otherwise, the checkbox will not be selectable.
l IoT service responses are enhanced when the "FortiGuard Collect Service" is
enabled in Users & Hosts > Settings > Device Profiler.
Match Type
l The Fortinet IoT query service is used to determine the OS of the device.
Matches if the device type selected corresponds to the Operating System of the
device being profiled.
Match Custom Attributes
l Category
l Subcategory
l Vendor
l Model
l Operating System
l Sub Operating System

Script Execute one of the command line scripts located in /home/cm/scripts. These
command line scripts are for advanced use, such as administrator-created Perl
scripts. The MAC address and IP address are passed to the script as arguments.
Matches if the exit status of the script is zero.
Note: If the Control Server and Application Server are separate appliances, command
line scripts must be located in /home/cm/scripts on the Application Server.
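The script below is an added illustration of the contract a Script-method rule relies on; it is not FortiNAC code and not from this guide. The profiler passes the MAC address and the IP address as the two arguments and registers the device only when the exit status is zero. The rule it implements (a hypothetical "building cameras" rule that accepts two constructed OUIs on two constructed subnets), the script name, and the choice of Python instead of the Perl the guide mentions are all assumptions; use whatever interpreter is present on the Application Server.

```python
#!/usr/bin/env python3
"""Example Device Profiling "Script" method rule (added illustration, not FortiNAC code).

FortiNAC calls the script as:  <script> <mac-address> <ip-address>
and treats exit status 0 as "rule matched"; any other status is "no match".
"""
import ipaddress
import re
import sys

# Constructed sample data for a hypothetical "building cameras" rule.
ALLOWED_OUIS = {"00:1A:2B", "3C:4D:5E"}                  # first three octets of the MAC
ALLOWED_SUBNETS = [ipaddress.ip_network("10.10.124.0/24"),
                   ipaddress.ip_network("10.10.125.0/24")]

# Accepts AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF and AABBCCDDEEFF (one separator style per address).
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as upper-case, colon separated; raise ValueError on malformed input."""
    raw = mac.strip()
    if not _MAC_RE.match(raw):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """The vendor OUI (first 24 bits) in the same AA:BB:CC form as ALLOWED_OUIS."""
    return normalize_mac(mac)[:8]


def matches(mac: str, ip: str) -> bool:
    """Rule logic: a known camera OUI AND an address inside one of the camera subnets.

    Malformed input is treated as "no match", never as something that could be
    mistaken for success: the profiler does not validate the MAC for you.
    """
    try:
        oui = oui_of(mac)
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return oui in ALLOWED_OUIS and any(addr in net for net in ALLOWED_SUBNETS)


def main(argv) -> int:
    """Exit status contract: 0 = match, 1 = no match, 2 = usage error (also a non-match)."""
    if len(argv) != 3:
        sys.stderr.write(f"usage: {argv[0] if argv else 'rule.py'} <mac> <ip>\n")
        return 2
    return 0 if matches(argv[1], argv[2]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Place the file, marked executable, in /home/cm/scripts on the Application Server and select it in the rule's Script method. Because exit status zero is the only signal the profiler reads, the script is written to fail closed: a wrong argument count, a malformed MAC or an unparseable IP all yield a non-zero status, so an unexpected invocation can never register a device.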

9. Click OK.

Deleting a rule

When a Device Profiling Rule is deleted the association between that rule and the devices it matched is removed.
Devices associated with that rule will no longer display on the Profiled Devices window. They will continue to display in
the Host View.
The Catch All rule is a default system rule that cannot be removed. Other default rules can be removed.
1. Click Users & Hosts > Device Profiling Rules.
2. Select a rule and click Delete.
3. A message displays asking if you are sure. Click Yes to continue.


Copying a rule

1. Click Users & Hosts > Device Profiling Rules.
2. Select a rule and click Copy.
3. The Add Device Profiling Rule window displays with the information from the selected rule.
4. You must, at minimum, modify the name of the rule. Modify other fields as needed and click OK to save.
5. For Settings, see Adding a rule on page 156.

Evaluating rogue hosts

Over time you may have hosts that remain rogues because they do not match any of the rules enabled in the device
profiling rules. You may also have hosts that have been categorized incorrectly. At any time you can modify the rules or
create additional rules and then re-evaluate hosts. Only those hosts that remain unregistered can be re-evaluated.
If a host has been categorized incorrectly and has been registered, you have two options. Either manually modify the
host or delete the host and when it connects to the network again, it will be evaluated by the rules.
Rogues that are no longer connected or are offline are ignored.
1. Click Users & Hosts > Device Profiling Rules.
2. Click Run.
3. A message displays asking if you would like to evaluate rogues. Click Yes to continue.
4. A new message displays indicating that x number of rogues are being evaluated.
5. Device profiler compares any rogue hosts to the list of enabled device profiling rules and processes them
accordingly. See Process on page 1 for additional information.
6. When the process is complete, click OK to close the message box.

WinRM Device Profile Requirements and Setup

Requirements:
l WinRM service must be enabled on endpoints.
l The WinRM port must be reachable from the FortiNAC Application Server through any firewalls: 5986 (HTTPS) or
5985 (HTTP, insecure). HTTPS (5986) is strongly encouraged for security purposes.
l NTLM authentication with domain credentials authorized to run the PowerShell commands Get-WmiObject,
Get-ItemProperty, Get-Service, Get-Process and ConvertTo-Json, and to read the registry.
l Minimum Windows Management Framework (WMF) version: 3.0
Supported Windows Versions:
l Windows 7 SP1 - With WMF 3.0
l Windows 8.1
l Windows 10 (All versions)
l Windows Server 2008 R2 SP1 - With WMF 3.0
l Windows Server 2012 R2
l Windows Server 2016
l Windows Server 2019

Endpoint Setup Instructions

The following steps configure domain endpoints to support WinRM over a secure HTTPS connection from FortiNAC.
They should produce the following settings on each endpoint:
l WinRM listener on port 5986 with transport HTTPS
l Certificate enrollment resulting in a certificate on the endpoint with the hostname as subject (e.g.
CN=hostname.example.com) and the "Server Authentication" key usage.
l Inbound Windows Firewall rule for port 5986
l Windows Remote Management service enabled.

If you want to forgo transport security, you can use the alternate steps at the end of this section to configure HTTP
and allow unencrypted content. This is not recommended for security reasons.

1. Open Windows PowerShell or a command prompt. Run the following command to determine whether you already have
WinRM over HTTPS configured:
winrm enumerate winrm/config/listener
If you see a listener on port 5986 with Transport = HTTPS, WinRM over HTTPS is already configured and no further
steps are necessary.
2. If WinRM over HTTPS is not already configured, run the following command on a typical domain-joined workstation
as an administrator:
winrm quickconfig -transport:https -force
If an error is returned indicating there is no appropriate certificate, a certificate template needs to be configured
for enrollment (see Create a Certificate Template below). Otherwise, run step 1 again. If a listener is shown, skip to
Create a Group Policy Object to configure WinRM.
Create a Certificate Template
1. Open Active Directory Certificate Services. This can be done through the Server Manager or from Administrative
Tools.
2. Expand the Certificate Authority (CA) and select Certificate Templates. Select Action > Manage.
3. Select the Workstation Authentication template. Select Action > Duplicate.
4. Change Template Display Name to FortiNAC WinRM.
5. Select the Subject Name tab > Build from this Active Directory Information. Fill in the following fields:
a. Subject name format: DNS name
b. Alternate subject name: DNS name
6. Select the Extensions tab > Application Policies > Edit > Add > Server Authentication.
(Optionally, select Client Authentication and click Remove.)
7. Select OK to dismiss the Edit Application Policies Extension dialog.
8. Select OK to dismiss the FortiNAC WinRM Properties dialog.
9. Close the window.
10. Select Certificate Templates and choose Action > New > Certificate Template to Issue.
11. Choose FortiNAC WinRM and select OK.
12. If required, create a new Group Policy Object for Certificate Enrollment.
Create a Group Policy Object to configure WinRM
1. Create a Group Policy Object (GPO) named FortiNAC WinRM.
2. Select the GPO and choose Action > Edit.
3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
4. Double-click Windows Remote Management (WS-Management).
5. Tick the box for Define this policy setting and select Automatic.
6. Select OK.
7. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows
Firewall with Advanced Security > Expand > Inbound Rules.
8. Right-click and select New Rule.
9. Select Port > Next > TCP. Enter 5986 in Specific local ports. Select Next.
10. Select Allow the Connection > Next.
11. Un-tick the boxes for Private and Public. Leave only Domain ticked.
12. Name the rule WinRM HTTPS for FortiNAC. Select Finish.
Optionally, restrict the rule to your FortiNAC Application Server IP address:
a. Double-click the rule.
b. Click the Scope tab.
c. Under Remote IP Address, select These IP Addresses.
d. Select Add and enter the addresses for your FortiNAC appliances.
13. Navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
14. Double-click Startup.
15. Select Show Files.
16. Create a new batch file or other script you're comfortable with. Name it winrm-enable.bat.
17. The contents of the file should be the following command:
winrm quickconfig -transport:https -force
18. Select Add > Browse.
19. Select winrm-enable.bat.
20. Select OK to dismiss any dialogs.
21. Close the Group Policy Management Editor.
22. Link the FortiNAC WinRM GPO as needed.
Alternate steps to configure WinRM (insecure HTTP configuration)

1. Create a GPO named FortiNAC WinRM.
2. Select the GPO and choose Action > Edit.
3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System
Services.
4. Double-click Windows Remote Management (WS-Management).
5. Tick Define this policy setting and select Automatic.
6. Click OK.
7. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows
Firewall with Advanced Security > Expand > Inbound Rules.
8. Right-click and select New Rule.
9. Select Predefined > Windows Remote Management > Next.
10. Un-tick the Compatibility Mode rule, which opens port 80, and click Next.
11. Select Allow the Connection and click Finish.
Optionally, restrict the rule to your FortiNAC Application Server IP address:
a. Double-click the rule.
b. Click the Scope tab.
c. Under Remote IP Address, select These IP Addresses.
d. Select Add and enter the addresses for your FortiNAC appliances.
12. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components >
Windows Remote Management (WinRM) > WinRM Service.
13. Enable Allow remote server management through WinRM with * as the IPv4 and IPv6 filters (or, more
restrictively, the addresses of your FortiNAC appliances).
14. Enable Allow unencrypted traffic.
15. Close the Group Policy Management Editor.
16. Link the FortiNAC WinRM GPO as needed.
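A check to run once the GPO has applied, from a machine that reaches the endpoints the way the FortiNAC Application Server does. It is an added example, not FortiNAC code or a Fortinet tool: it confirms that port 5986 is reachable, that the listener's certificate chains to the enterprise CA bundle you pass in and names the endpoint (CN or DNS SAN, which is what the FortiNAC WinRM template produces), and that the insecure 5985 listener from the alternate steps is not also open. The script name and its command-line form are assumptions.

```python
"""Pre-flight check for WinRM profiling endpoints (added example, not FortiNAC code).

Confirms what the setup above should produce on each endpoint: a reachable
HTTPS listener on 5986 whose certificate chains to your enterprise CA and
names the host (CN or DNS SAN), and no plain-HTTP listener on 5985.
"""
import socket
import ssl
from typing import Dict, List

WINRM_HTTPS_PORT = 5986
WINRM_HTTP_PORT = 5985  # insecure; should be closed when the HTTPS procedure was used


def names_from_cert(cert: dict) -> List[str]:
    """CN and DNS SANs from the dict returned by SSLSocket.getpeercert(), lower-cased."""
    names = [value for rdn in cert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [n.lower().rstrip(".") for n in names]


def cert_names_host(cert: dict, hostname: str) -> bool:
    """True if the CN or a DNS SAN equals hostname, or is a one-label wildcard for it."""
    host = hostname.lower().rstrip(".")
    for name in names_from_cert(cert):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect: what a firewall rule scoped to the FortiNAC address must allow."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_cert(host: str, ca_file: str, port: int = WINRM_HTTPS_PORT) -> dict:
    """Handshake with the listener; the chain must validate against ca_file.

    check_hostname is turned off only so the handshake completes and the
    certificate can be inspected; the name check is cert_names_host() above.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_endpoint(host: str, ca_file: str) -> Dict[str, object]:
    """Findings for one endpoint; 'ok' is True only when every condition holds."""
    f: Dict[str, object] = {"https_open": tcp_open(host, WINRM_HTTPS_PORT),
                            "http_open": tcp_open(host, WINRM_HTTP_PORT),
                            "chain_valid": False, "name_matches": False, "names": []}
    if f["https_open"]:
        try:
            cert = fetch_cert(host, ca_file)
            f["chain_valid"] = True
            f["names"] = names_from_cert(cert)
            f["name_matches"] = cert_names_host(cert, host)
        except (ssl.SSLError, OSError) as exc:  # untrusted chain, timeout, reset ...
            f["error"] = str(exc)
    f["ok"] = bool(f["https_open"] and f["chain_valid"] and f["name_matches"] and not f["http_open"])
    return f


if __name__ == "__main__":
    import sys
    # Assumed invocation: winrm_preflight.py <enterprise-ca.pem> host1.example.com host2 ...
    ca_bundle, hosts = sys.argv[1], sys.argv[2:]
    for h in hosts:
        print(h, check_endpoint(h, ca_bundle))
```

Run it with the PEM export of the CA that issues the FortiNAC WinRM template. An endpoint whose firewall rule was scoped to the FortiNAC addresses will report https_open as False from any other machine, which is the expected result of step d above, not a fault; run the check from an allowed address in that case.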


Policy & Objects

Policies are assigned to hosts based on the user/host profile associated with each policy. User/host profiles allow you to
select one or more pieces of user or host data to match with users and hosts and determine which policy is applied to
that host. Policies are ranked in priority starting with number 1. When a host requires a particular service, such as
network access, the host and user data are compared to the user/host profile in each policy starting with the first policy in
the list. If the host and user do not match criteria in the first policy, the next one is checked until a match is found.
Types of data used to determine whether or not the host/user is a match include the following:

Data Definition

Who/What Attributes: A host or user must meet all parameters within a single filter, but is only
required to match one filter in the list. The attribute must be known at the time of
connection. See Filter example on page 177.
RADIUS Attributes: Used to match against endpoints pre- and post-authentication.
Groups:
l Any — Matches any group.
l Any Of — Matches any of the listed groups. Does not have to match everything,
but has to match at least one group that has been selected.
l All Of — Has to match every group that's been selected.
l None Of — Has to match no group that's been selected.

Where One or more port or device groups. A user/host profile can include more than one port
or device group; however the connection location only needs to be contained in one of
the selected groups. If the Where field is empty it is set to Any, indicating that location is
not being used as criteria for the match, therefore any host connection location would
be a match.

When Allows you to create matches based on the current time. If Always is selected, then time
of day is not used. If Specify Time is selected, then the current time must be within the
days and times included in the list to be a match for the host.

The host/user must match at least one item in each field that contains criteria other than Any. If the host/user does not
match something in all such fields, the policy is not selected and the next policy is checked.
A host that has had a policy applied based on time of day may be moved to a different policy when the window of time in
the current policy has passed. For example, the host may be moved to another VLAN or disconnected from the network
when the window of time in the applied endpoint compliance policy has passed. Hosts are re-evaluated frequently, such
as when the device where they are connected is polled or when the Persistent Agent contacts the server. If another
policy exists that applies to this host, the host is given the configuration parameters from that new policy.
There may be more than one policy that matches this host/user; however, the first match found is the one that is
used.
Policy assignments are not permanent. Each time a host is re-evaluated by FortiNAC, the user/host profile data is re-
evaluated and a policy is selected.


Policy Consistency Check


FortiNAC makes the Consistency Check on Policies before applying new policies. This
process is handled at the OS level to keep the integrity of the objects synchronized across the
FortiNAC CA devices managed by the FortiNAC Manager.

Policy overview

This section applies to all policy views.

Policy assignment

Policies are applied to hosts by comparing user and host data to the user/host profile contained in each policy until a
match is found. The example below demonstrates this process.

Types

For each policy type, the list below gives the user/host profile criteria (Location, Groups, Attributes, Time) and what
happens when a host connects.

Location
Location: one or more port or device groups. Groups: Any. Attributes: None. Time: Always.
Host connects to a port or device in one of the selected groups and is assigned this policy.

Role
Location: Any. Groups: Any. Attributes: User Role = (Role Name). Time: Always.
Host connects to the network. If the logged in user has the selected role, the host is assigned this policy.

Security and Access Attribute Value
Location: Any. Groups: Any. Attributes: User SaAV = (Attribute Value). Time: Always.
Host connects to the network. If the logged in user has the selected Security and Access Value, the host is
assigned this policy.

Group
Location: Any. Groups: User Group1, User Group2. Attributes: None. Time: Always.
Host connects to the network. If the logged in user is a member of either one of the selected groups, the host is
assigned this policy.

Guest
Location: Any. Groups: Any. Attributes: Guest Role = Role Name. Time: Always.
Host connects to the network. If the Guest has the selected role, the host is assigned this policy.

Registration
Location: Any. Groups: Any. Attributes: Host = Rogue. Time: Always.
Host connects to the network. If the host is a rogue, it is assigned this policy.

Remediation
Location: Any. Groups: Any. Attributes: Host State = At Risk. Time: Always.
Host connects to the network. If the host state is At Risk, it is assigned this policy.

VPN
Location: Any. Groups: Any. Attributes: Host = VPN Client. Time: Always.
Host connects to the network. If the host is a VPN Client, it is assigned this policy.

Time of Day
Location: Any. Groups: Any. Attributes: None. Time: Monday - Friday 9 am to 5 pm.
Host connects to the network. If the connection time is on any day Monday through Friday and between 9 am and
5 pm, it is assigned this policy.

Default or Catch All
Location: Any. Groups: Any. Attributes: None. Time: None.
This policy will match ALL hosts and users. Host connects to the network. If the host does not match any other
policy, it is assigned this policy. When this policy is reached, no other policies after it will be considered.

Example endpoint compliance policy

The example below outlines how FortiNAC would choose an endpoint compliance policy for a specific host.
Assume the Host has the following characteristics:
l Connects on a port that is contained within the Library Ports group.
l Host is a member of the Accounting Group and the Finance Group.
l Host is running a Persistent Agent.
l Logged in user has a Role called Management.
l Logged in user has a Security and Access Attribute value of Accounting.

Rank 1 - Policy A
Location: Port Group = Lobby Ports. Groups: Accounting. Attributes: Filter1 = User Role "Staff".
Process: Location - Not a match. Group - Matches. Filter1 - Not a match. Go to the next policy.

Rank 2 - Policy B
Location: Port Group = Library Ports. Groups: Accounting. Attributes: Filter1 = User Role "Management" and User
Security and Access Value "Human Resources"; Filter2 = User Role "Staff".
Process: Location - Matches. Group - Matches. Filter1 - Does not match both pieces of data. Filter2 - Does not
match. Go to the next policy.

Rank 3 - Policy C
Location: Port Group1 = Lobby Ports, Port Group2 = Second Floor Ports. Groups: Finance, Admin. Attributes:
Filter1 = User Role "Staff" and User Security and Access Value "Accounting"; Filter2 = User Role "Management"
and Host has Persistent Agent.
Process: Location - Not a match for either location. Group - Matches Finance group. Filter1 - Does not match both
pieces of data. Filter2 - Matches all data. In this case, the fact that neither location matches prevents the host
from getting this policy. In the Group field, the host or user need only match one group. In the filter field, the
host or user need only match one filter as long as it matches all parts of the filter. Go to the next policy.

Rank 4 - Policy D
Location: Any. Groups: Finance, Admin. Attributes: Filter1 = User Role "Management" and Host has Persistent
Agent; Filter2 = User Role "Executives" and Host has Persistent Agent.
Process: Location - No location selected, so this field is not used. Group - Matches Finance group. Filter1 -
Matches all data. Filter2 - Does not match both pieces of data. This policy is selected for the host because
Location is irrelevant, one group matches and one filter matches.

Rank 5 - Policy E
Location: Port Group1 = Library Ports, Port Group2 = Second Floor Ports. Groups: Finance, Admin. Attributes:
Filter1 = User Role "Management" and Host has Persistent Agent; Filter2 = User Role "Executives" and Host has
Persistent Agent.
Process: Location - Matches Port Group1. Group - Matches Finance group. Filter1 - Matches all data. Filter2 -
Does not match both pieces of data. This policy is not selected because policies are checked in order by rank. The
policy in rank 4 has already been selected even though this policy matches on more points. You must be careful
about the order of the policies to ensure that the correct policy is applied to a host.
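The matching rules from the Policy & Objects introduction and the five-policy walk-through above, carried through in code. This is an added illustration, not FortiNAC code: the attribute keys (user_role, saav, persistent_agent), the Any Of group mode assumed for the example's Groups column, and the weekday/hour representation of Specify Time are this example's own choices. The data is the guide's example host and policies; a ranking check and a time-of-day case are exercised alongside it.

```python
"""Policy selection by user/host profile (added illustration, not FortiNAC code).

Implements the rules described above: Where, Groups, Who/What (filters) and
When must all match; a filter matches only when every parameter in it does,
but one matching filter is enough; the first matching policy by rank wins.
"""
import datetime as dt
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Profile:
    where: Set[str] = field(default_factory=set)      # port/device groups; empty means Any
    group_mode: str = "Any"                           # Any, AnyOf, AllOf or NoneOf
    groups: Set[str] = field(default_factory=set)
    filters: List[Dict[str, object]] = field(default_factory=list)  # empty: no attribute criteria
    when: Optional[Tuple[Set[int], int, int]] = None  # (weekdays 0=Mon, start_hour, end_hour); None = Always


@dataclass
class Policy:
    rank: int
    name: str
    profile: Profile


@dataclass
class Connection:
    port_groups: Set[str]          # groups that contain the port/device the host connected to
    member_groups: Set[str]        # host and user group membership
    attributes: Dict[str, object]  # user role, security and access value, agent presence ...
    now: dt.datetime


def where_matches(p: Profile, c: Connection) -> bool:
    return not p.where or bool(p.where & c.port_groups)


def groups_match(p: Profile, c: Connection) -> bool:
    modes = {"Any": lambda: True,
             "AnyOf": lambda: bool(p.groups & c.member_groups),
             "AllOf": lambda: p.groups <= c.member_groups,
             "NoneOf": lambda: not (p.groups & c.member_groups)}
    return modes[p.group_mode]()


def filters_match(p: Profile, c: Connection) -> bool:
    # Every parameter inside one filter, but only one filter in the list, has to match.
    if not p.filters:
        return True
    return any(all(c.attributes.get(k) == v for k, v in f.items()) for f in p.filters)


def when_matches(p: Profile, c: Connection) -> bool:
    if p.when is None:
        return True
    days, start, end = p.when
    return c.now.weekday() in days and start <= c.now.hour < end


CHECKS: List[Tuple[str, Callable[[Profile, Connection], bool]]] = [
    ("location", where_matches), ("groups", groups_match),
    ("attributes", filters_match), ("time", when_matches)]


def explain(policies: List[Policy], c: Connection) -> List[Tuple[str, Dict[str, bool]]]:
    """Per-policy results in rank order, like the Process entries of the example above."""
    return [(pol.name, {label: check(pol.profile, c) for label, check in CHECKS})
            for pol in sorted(policies, key=lambda pol: pol.rank)]


def select_policy(policies: List[Policy], c: Connection) -> Optional[str]:
    """First policy, by rank, whose profile matches on every field; None if none does."""
    for name, results in explain(policies, c):
        if all(results.values()):
            return name
    return None


# The five policies and the host from the guide's example (attribute keys are this example's own).
FIN = {"Finance", "Admin"}
MGMT_AGENT = {"user_role": "Management", "persistent_agent": True}
EXEC_AGENT = {"user_role": "Executives", "persistent_agent": True}
EXAMPLE_POLICIES = [
    Policy(1, "Policy A", Profile({"Lobby Ports"}, "AnyOf", {"Accounting"}, [{"user_role": "Staff"}])),
    Policy(2, "Policy B", Profile({"Library Ports"}, "AnyOf", {"Accounting"},
                                  [{"user_role": "Management", "saav": "Human Resources"},
                                   {"user_role": "Staff"}])),
    Policy(3, "Policy C", Profile({"Lobby Ports", "Second Floor Ports"}, "AnyOf", FIN,
                                  [{"user_role": "Staff", "saav": "Accounting"}, MGMT_AGENT])),
    Policy(4, "Policy D", Profile(set(), "AnyOf", FIN, [MGMT_AGENT, EXEC_AGENT])),
    Policy(5, "Policy E", Profile({"Library Ports", "Second Floor Ports"}, "AnyOf", FIN,
                                  [MGMT_AGENT, EXEC_AGENT])),
]
EXAMPLE_CONNECTION = Connection(
    port_groups={"Library Ports"}, member_groups={"Accounting", "Finance"},
    attributes={"user_role": "Management", "saav": "Accounting", "persistent_agent": True},
    now=dt.datetime(2023, 3, 8, 10, 30))  # a Wednesday morning


def example_result() -> Optional[str]:
    """The guide's walk-through: Policy D is the first full match."""
    return select_policy(EXAMPLE_POLICIES, EXAMPLE_CONNECTION)
```

explain() is the useful part when a host lands in the wrong policy: it gives the per-field verdict for every policy in rank order, the same information the Debug Log in Policy Details shows, and makes the ranking caveat concrete. Re-rank Policy E above Policy D and E wins for the same host, because evaluation stops at the first full match.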

Policy details

Policy Details assesses the selected host or user and displays the specific profile and policies that apply to the host at
the moment the dialog was opened. User/host profiles have a time component and hosts may be connected at different
locations. Therefore, the profile and policy displayed in Policy Details now may be different than the profile and policies
that display tomorrow. Each type of policy is displayed in a separate tab that also contains a Debug Log.
Note: This Debug Log can be sent to Customer Support for analysis.
To access Policy Details from Hosts:
1. Select Hosts > Hosts.
2. Search for the appropriate host to access the context menu.
3. Select the host and right-click.
4. From the menu, select Policy Details.
To access Policy Details from User Accounts:
1. Select Users > User Accounts.
2. Search for the appropriate user to access the context menu.
3. Select the user and right-click.
4. From the menu, select Policy Details.

Network Access tab settings

Field Definition

Profile Name Name of the user/host profile that matched the selected host or user when it was assessed by
policy details. This profile contains the required criteria for a connecting host, such as
connection location, host or user group membership, host or user attributes or time of day.
Host connections that match the criteria within the user/host profile are assigned the
associated network access policy and network access configuration. See User/host profiles
on page 175.

Policy Name Name of the network access policy that currently applies to the host. See Network access on
page 179.

Configuration Name Name of the configuration that currently applies to the host. This is the configuration for the
VLAN, CLI configuration, or VPN Group Policy for the host. See Network access
configurations on page 183.

Access Value/VLAN The specific network access that would be provided to the host, such as a VLAN ID or Name.

CLI Name of the CLI configuration that currently applies to this host or the connection port. This
field may be blank.

Tags Firewall Tags - defined in a Logical Network Configuration as part of a device's Model
Configuration.

Debug Log Click this link to display a log of the policy assessment process. Text within the log can be
copied and pasted into a text file for analysis by Customer Support.

Edit Test Opens the Test Policy dialog where you can simulate host, adapter, and user combinations to
create test scenarios for policies and profiles. See Policy simulator on page 173.

Authentication tab settings

Field Definition

Profile Name Name of the user/host profile that matched the selected host or user when it was
assessed by Policy Details. This profile contains the required criteria for a connecting
host, such as connection location, host or user group membership, host or user attributes
or time of day. Host connections that match the criteria within the user/host profile are
assigned the associated network access policy and network access configuration. See
User/host profiles on page 175.

Policy Name Name of the authentication policy that currently applies to the host.

Configuration Name Name of the configuration that currently applies to the host. This is the configuration for
the VLAN, CLI configuration, or VPN Group Policy for the host.

Authentication Method When enabled, the selected authentication method will override all other authentication
methods configured in the portal, guest/contractor template, and Persistent Agent
credential configuration.

Authentication Enabled Indicates whether authentication is enabled. When enabled, the user is authenticated
against a directory, the FortiNAC database, or a RADIUS server when logging on to
access the network.

Time in Production before Authentication When a user is waiting to authenticate, the host remains in the production VLAN until this
time expires. If the user fails to authenticate within the time specified, the host is moved
to the authentication VLAN.

Time Offline before Deauthentication Once the host is offline, the user remains authenticated for this period of time. If the host
comes back online before the time period ends, the user does not have to reauthenticate.
If the host comes back online after the time period ends, the user is required to
re-authenticate.

FortiNAC F 7.2.0 Manager Guide 171


Fortinet Inc.
Policy & Objects

Reauthentication Frequency When set, this forces users to re-authenticate after the amount of time defined in this field
passes since the last authentication regardless of the host's state. The host is moved to
the authentication VLAN until the user reauthenticates.

Debug Log Click this link to display a log of the policy assessment process. Text within the log can be
copied and pasted into a text file for analysis by Customer Support.
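The three timers in the Authentication tab interact, and it is easy to misread which one moves a host to the authentication VLAN. The following model is an added illustration, not FortiNAC code: the field names come from the table above, but the data structures, the timestamps and the rule that the production grace period restarts when a deauthenticated host reconnects are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthSettings:
    """The three timers from the Authentication tab, all in seconds."""
    time_in_production_before_auth: int      # grace period a waiting host spends in the production VLAN
    time_offline_before_deauth: int          # how long an offline host stays authenticated
    reauth_frequency: Optional[int] = None   # forced re-authentication interval; None = not set


@dataclass
class HostRecord:
    """Constructed host timeline; timestamps are seconds on one clock (not a FortiNAC record)."""
    waiting_since: int                       # when the host connected and started waiting to authenticate
    last_auth_at: Optional[int] = None       # last successful authentication; None = never
    went_offline_at: Optional[int] = None    # start of the most recent offline period, if any
    came_online_at: Optional[int] = None     # end of that offline period; None = still offline


def evaluate(settings: AuthSettings, host: HostRecord, now: int) -> Tuple[bool, str, str]:
    """Return (still_authenticated, vlan, reason); vlan is "production" or "authentication"."""
    authenticated = host.last_auth_at is not None
    waiting_since = host.waiting_since
    reason = "never authenticated"

    if authenticated:
        reason = "authenticated"
        # Reauthentication Frequency is measured from the last authentication regardless of the
        # host's state; on expiry the host goes straight to the authentication VLAN (no grace period).
        if settings.reauth_frequency is not None and now - host.last_auth_at >= settings.reauth_frequency:
            return False, "authentication", "reauthentication frequency expired"

        # Time Offline before Deauthentication: the user stays authenticated only while the
        # offline period is shorter than the setting.
        if host.went_offline_at is not None:
            offline_until = host.came_online_at if host.came_online_at is not None else now
            if offline_until - host.went_offline_at >= settings.time_offline_before_deauth:
                authenticated = False
                reason = "deauthenticated after being offline too long"
                # Assumption (not stated in the guide): a host that reconnects after being
                # deauthenticated is treated like a fresh connection, so the production grace
                # period restarts at the moment it came back online.
                waiting_since = offline_until

    if authenticated:
        return True, "production", reason

    # Time in Production before Authentication: an unauthenticated host keeps production access
    # until the grace period runs out, then it is moved to the authentication VLAN.
    if now - waiting_since < settings.time_in_production_before_auth:
        return False, "production", reason + "; within production grace period"
    return False, "authentication", reason + "; production grace period expired"


if __name__ == "__main__":
    s = AuthSettings(time_in_production_before_auth=300, time_offline_before_deauth=600, reauth_frequency=3600)
    print(evaluate(s, HostRecord(waiting_since=0), now=100))
    print(evaluate(s, HostRecord(waiting_since=0, last_auth_at=1000, went_offline_at=2000, came_online_at=2700), now=3100))
```

Reading the result as a defender: a short Time Offline before Deauthentication and a set Reauthentication Frequency limit how long a stale credential keeps a port open, while a long Time in Production before Authentication gives unauthenticated hosts production access for that whole window.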

Supplicant EasyConnect tab settings

Field Definition

Profile Name Name of the user/host profile that matched the selected host or user when it was assessed by
Policy Details. This profile contains the required criteria for a connecting host, such as
connection location, host or user group membership, host or user attributes or time of day.
Host connections that match the criteria within the user/host profile are assigned the
associated supplicant easy connect policy and supplicant configuration. See User/host
profiles on page 175.

Policy Name Name of the most recent supplicant easy connect policy that currently applies to the host. See
Supplicant EasyConnect policies on page 1.

Configuration Name Name of the configuration that currently applies to the host. This is the configuration for the
supplicant on the host to allow access on a particular SSID. See Supplicant configurations on
page 1.

SSID Name of the SSID for which the supplicant is being configured.

Security Type of encryption used for connections to this SSID, such as WEP or WPA.

EAP Type Currently only PEAP is supported. Not always required. This field may be blank.

Cipher Encryption/decryption method used in conjunction with the information in the Security field to
secure this connection.

Debug Log Click this link to display a log of the policy assessment process. Text within the log can be
copied and pasted into a text file for analysis by Customer Support.

Endpoint compliance tab settings

Field Definition

Select Platform The platform is used to determine the agent that would be assigned to the host.
Not all platforms are displayed here. Only the platforms that support the Persistent Agent or
Mobile Agent are displayed.

Profile Name Name of the user/host profile that matched the selected host. This profile contains the
required criteria for a connecting host, such as connection location, host or user group
membership, host or user attributes or time of day. Host connections that match the criteria
within the user/host profile are assigned the associated endpoint compliance policy and
endpoint compliance configuration. See User/host profiles on page 175.

Policy Name Name of the endpoint compliance policy currently applied to the selected host. See Endpoint
compliance policies on page 231.

Configuration Name Name of the configuration that currently applies to the host. This is the configuration for the
scan and agent for the host. See Endpoint compliance configurations on page 236.

Scan Name Name of the scan currently used to evaluate this host. See Scans on page 242.

Detected Platform The device type, such as iPhone or Android, that FortiNAC thinks the host is, based on the
information currently available in the system.

Agent Agent setting to be applied to the host. Determines whether or not an agent is used and which
agent is required. Agent settings are selected in the endpoint compliance configuration.

Debug Log Click this link to display a log of the policy assessment process. Text within the log can be
copied and pasted into a text file for analysis by Customer Support.

Portal tab settings

Field Definition

Profile Name Name of the user/host profile that matched the selected host or user when it was assessed by
Policy Details. This profile contains the required criteria for a connecting host, such as
connection location. Host connections that match the criteria within the user/host profile are
assigned the associated portal configuration. See User/host profiles on page 175.

Policy Name Name of the portal policy that currently applies to the host. See Portal Policies.

Configuration Name Name of the portal configuration that currently applies to the host. See Portal content editor on
page 1.

Debug Log Click this link to display a log of the policy assessment process. Text within the log can be
copied and pasted into a text file for analysis by Customer Support.

Policy simulator

The policy simulator allows users to customize information and create scenarios to be used to virtually test policies.
Instead of connecting a physical device to the network at a specific time and location in order to test a policy, the Policy
Simulator allows users to test policies by virtually simulating multiple host, adapter, and user combinations. The ability to
reproduce complicated scenarios without being limited to the information currently available in the system provides more
accurate test results for policies, such as authentication or portal.
You can test policies from the host and user views.

Host view

1. Select Hosts > Hosts.
2. Search for the appropriate host.
3. Select the host and right-click to access the context menu.
4. From the menu, select Policy Details.
5. Select the tab for the policy you want to test.
6. Click Edit Test.
7. In the Test Policy dialog, click the tabs to enter the information for each scenario you want to test.
8. Click OK to see the matching policy and profile to verify that the policy and profiles are correctly configured.

User view

1. Select Users > User Accounts.
2. Search for the appropriate user.
3. Select the user and right-click to access the context menu.
4. From the menu, select Policy Details.
5. Select the tab for the policy you want to test.
6. Click Edit Test.
7. In the Test Policy dialog, click the tabs to enter the information for each scenario you want to test.
8. Click OK to see the matching policy and profile to verify that the policy and profiles are correctly configured.

Adapter tab

Enter information for the adapter you want to use to test the policy, or click Populate from an Existing Adapter to enter
an existing adapter's information. See View and search settings on page 148.

User tab

Enter information for the user you want to use to test the policy, or click Populate from an Existing User to enter an
existing user's information. See Search settings on page 73.
To add or change the user or administrator group, click Group Membership.

Host tab

Enter information for the host you want to use to test the policy, or click Populate from an Existing Host to enter an
existing host's information. For more information, see Settings on page 128.
To add or change Host Groups, click Group Membership.

Applications tab

Add, modify, or delete application(s) you want to use to test the policy. See Application view on page 1 for information
about the fields in the Applications tab.
All changes are for testing purposes only, and do not affect applications in the system.

Tests tab

Enter the required anti-spyware tests, anti-virus tests, operating system tests, and hot fix tests to test the policy. Multiple
entries for each category must be comma-separated.

Date & Time tab

Select the day and time criteria to be used to test the policy.

User/host profiles

User/host profiles are used to map sets of hosts and users to Network Access policies, Endpoint Compliance policies,
Authentication policies, Supplicant EasyConnect policies, Portal policies, or Security Rules (Security Incidents must be
enabled). User/host profiles can be reused across many different policies.
For example, network access policies are used to assign the VLAN in which a host is placed. Each network access
policy has a specific user/host profile and a network access configuration containing a VLAN, CLI configuration or VPN
Group. When a host requires network access, FortiNAC looks at the network access policies starting with the first policy
in the list and checks that the user/host profile is a match. If it is not, the next network access policy is checked until a
match is found.
User/host profiles are combinations of user/host data. A host's or user's profile is not fixed but can change based on the
user/host being moved to a different group, having a new attribute applied, connecting to the network in a different place
or the current time of day. Users/hosts are only classified at the time that they need a service, such as a network access
policy. When FortiNAC evaluates a host connection, the data for the user and host are prioritized as follows:
l Logged in user and host
l Registered user and host
l Registered host
If you create a user/host profile with Where set to Any, Who/What by Group set to Any, Who/What by Attribute set to
Any, and When set to Always, it matches all users and hosts. This is essentially a catch all profile. If this user/host
profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To
highlight this, policies below the policy with the catch all profile are grayed out and have a line through the data.
The best way to use a catch all profile is to create a general policy with that profile and place it last in the list of policies.

Settings

Field Definition

Name Each profile must have a unique name.

Who/What Attributes
A host or user must meet all parameters within a single filter, but is only
required to match one filter in the list. The attribute must be known at the time of
connection. See Filter example on page 177.
RADIUS Attributes
Used to match against endpoints pre- and post-authentication.
Groups
l Any — Matches any group.
l Any Of — Matches any of the listed groups. Does not have to match
everything, but has to match at least one group that has been selected.
l All Of — Has to match every group that's been selected.
l None Of — Has to match no group that's been selected.

Who/What by RADIUS Request Attribute in User/Host Profiles only works with Local RADIUS Mode.
In 7.4+, Legacy Proxy will support Who/What by RADIUS Request Attribute in User/Host Profiles.

Where Location on the network where the host is connected. This field lists groups of
ports, SSIDs or devices. Hosts are checked to determine whether they have
connected to the network via one of the selected devices, ports or SSIDs. Host
must connect on one of the items contained within one of the selected groups to
match this profile. When set to Any, this field is a match for all hosts or users.
Note: FortiSwitch in Link Mode: Port groups must be used. Device groups will
not match.

When If the host is on the network during the specified time frame, it matches this
profile. Time options include Always or a specific set of days of the week and
times of the day.

Notes User specified note field. This field may contain notes regarding the data
conversion from a previous version of FortiNAC.

Last Modified By User name of the last user to modify the profile.

Last Modified Date Date and time of the last modification to this profile.

Right click options

Edit Opens the Create view pre-populated with the settings from the selected
Profile.

Copy Copy the selected Profile to create a new record.

Delete Deletes the selected Profile. Profiles that are currently in use cannot be
deleted.

Used By Indicates whether or not the selected Profile is currently being used by any
other FortiNAC element. See Profiles in use on page 179.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add an administrator profile on page 55.

Add or modify a profile

You are not required to complete all of the fields when creating a user/host profile. If you leave a field blank, it is set to
Any or is left blank. When set to Any or blank, the field is a match for all hosts or users. You can create a profile with only
location, only a group, only an attribute filter, only a time range or any combination of those options.
1. Select Policy & Objects.
2. Select User/Host Profiles.
3. Click Create New or select an existing Profile and click Edit.
4. Click in the Name field and enter a name for this Profile.
5. Specify the details according to the User/Host profiles settings listed above.

If the user wishes to configure multiple attributes in a single line in an AND relationship, the
user should use the + at the far right. However, if the user wishes to configure the
attributes in an OR relationship, the user should use the + at the bottom.

6. Click OK to save your data.

Filter example

User/host profiles contain filters to narrow the group of hosts or users that match a particular profile. This allows you to
create special profiles for certain hosts or users and filter by host, adapter, user criteria, or RADIUS attribute. For
example, if you had hosts that were running on different operating systems, you might want to have a special profile for
each operating system. By filtering for the operating system, you could provide different treatment for each type of host
without having to create and maintain special host groups.

Filter examples

Filters are based on Host, Adapter, User, Application, and RADIUS attributes and can be applied such that the host or
user must meet all criteria or only some criteria. Within the Who/What by Attribute filter, the user/host must match all of
the data specified. If there are multiple Who/What by Attribute filters, the user/host must match all of the data specified in
only one of the filters.
Assume that you want to create user/host profile A to handle rogue hosts by operating system. In this case, the host
must meet the following criteria to match user/host profile A:
l Location = Connected to a device in Device Group A
l Host Filter = Running a Windows operating system and is a Rogue (not registered).
In the second example, the user/host profile contains two options under Who/What by Attribute. The first filter requires
that the host state be Safe and Authenticated. The second filter requires that the host be a VPN client. In this case the
host must meet the following criteria to match the user/host profile:
l Location = Connected to a device in Device Group A
l Host Filter = One of the following sets of options from the filters:
l Host must be Safe and Authenticated
l Host must be a VPN Client

Profile example

Assume that you are running a network at a University. You have Students and Faculty that must be allowed on the
network. Due to the volume of traffic, you determine that you will have four VLANs. This division of network users
requires a mechanism for matching them to the appropriate VLANs. To accomplish this task, you must do the following:

l Determine how you are going to divide your network users into four groups. In this case you decide that you will
break up users as follows:
l Students that connect to devices in Dorm A
l Students that connect to devices in Dorm B
l Faculty running Windows
l Faculty running macOS
l Make sure that Students are in a group labeled Students and Faculty are in a group labeled Faculty.
l Make sure that you have two device groups, one for devices in Dorm A and another for devices in Dorm B.
l Based on the divisions you have selected, you must create four user/host profiles. You need one profile for each
combination of data that defines a set of users, such as Students that connect to devices in Dorm A.
l Create four network access configurations to configure the VLANs for your four groups of users.
l Create four network access policies to map the four user/host profiles to the appropriate VLANs.

User/host profiles

Create four user/host profiles that have the following settings:

Name               Where                          Who/What by Group       Who/What by Attribute   Time

Students Dorm A    Device Group = Dorm A Devices  User Group = Students   None                    Always

Students Dorm B    Device Group = Dorm B Devices  User Group = Students   None                    Always

Faculty Windows    Any                            User Group = Faculty    Host OS = Windows       Always

Faculty macOS      Any                            User Group = Faculty    Host OS = macOS         Always

Network access configurations

Create a network access configuration for each of the four VLANs that you wish to assign. For this example we will
create configurations for VLANS 10, 20, 30 and 40.

Name Access Value

Students Dorm A VLAN 10

Students Dorm B VLAN 20

Faculty Windows VLAN 30

Faculty macOS VLAN 40

Network access policies

Now you must map the user/host profiles to the network access configurations you created. That will tie the different
types of users to the appropriate VLAN. Create four network access policies that contain the following data:

Name User/host profile Network access configuration

Students Connecting in Dorm A Students Dorm A Students Dorm A VLAN

Students Connecting in Dorm B Students Dorm B Students Dorm B VLAN

Faculty running Windows Faculty Windows Faculty Windows VLAN

Faculty running macOS Faculty macOS Faculty macOS VLAN
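The matching rules spread across the User/host profiles description, the Filter example and the Profile example above (all attributes in one filter must match, any one filter in the list is enough; the Any / Any Of / All Of / None Of group modes; first matching policy in rank order wins; a catch-all profile shadows everything ranked below it) can be checked with a small simulation. The following is an added example, not FortiNAC code: the data structures and the attribute key names such as "host.os" are assumptions, and the sample policies are the university example from this section with a constructed catch-all policy and one policy mistakenly ranked below it.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

ANY = "Any"

@dataclass
class Connection:
    """What is known about a host/user when it needs a service (constructed input, not a FortiNAC record)."""
    attributes: Dict[str, object]                   # e.g. {"host.os": "Windows", "host.state": "Rogue"}
    user_groups: FrozenSet[str] = frozenset()
    host_groups: FrozenSet[str] = frozenset()
    location_groups: FrozenSet[str] = frozenset()   # device/port/SSID groups of the connection point
    day: str = "Mon"
    hour: int = 9

@dataclass
class GroupRule:
    """The Any / Any Of / All Of / None Of modes of the Who/What by Group field."""
    mode: str = ANY
    groups: FrozenSet[str] = frozenset()

    def matches(self, member_of: FrozenSet[str]) -> bool:
        if self.mode == ANY:
            return True
        if self.mode == "Any Of":                  # at least one selected group
            return bool(self.groups & member_of)
        if self.mode == "All Of":                  # every selected group
            return self.groups <= member_of
        if self.mode == "None Of":                 # none of the selected groups
            return not (self.groups & member_of)
        raise ValueError(f"unknown group mode {self.mode!r}")

@dataclass
class Profile:
    name: str
    where: Optional[FrozenSet[str]] = None                     # None = Any location
    user_groups: GroupRule = field(default_factory=GroupRule)
    host_groups: GroupRule = field(default_factory=GroupRule)
    attribute_filters: List[Dict[str, object]] = field(default_factory=list)  # list = OR, dict = AND
    when: Optional[Tuple[FrozenSet[str], range]] = None         # None = Always, else (days, hours)

    def is_catch_all(self) -> bool:
        """Where=Any, both group fields Any, no attribute filter, When=Always."""
        return (self.where is None and self.user_groups.mode == ANY and self.host_groups.mode == ANY
                and not self.attribute_filters and self.when is None)

    def matches(self, c: Connection) -> bool:
        if self.where is not None and not (self.where & c.location_groups):
            return False
        if not (self.user_groups.matches(c.user_groups) and self.host_groups.matches(c.host_groups)):
            return False
        # Every key/value in one filter must match (AND); only one filter in the list needs to (OR).
        if self.attribute_filters and not any(
                all(c.attributes.get(k) == v for k, v in f.items()) for f in self.attribute_filters):
            return False
        if self.when is not None:
            days, hours = self.when
            if c.day not in days or c.hour not in hours:
                return False
        return True

@dataclass
class Policy:
    name: str
    profile: Profile
    configuration: str                            # network access configuration, e.g. "VLAN 10"

def select_policy(policies: List[Policy], c: Connection) -> Optional[Policy]:
    """Walk the ranked list top-down and return the first policy whose profile matches."""
    for p in policies:
        if p.profile.matches(c):
            return p
    return None                                   # no match: the switch's default VLAN applies

def assigned_access(policies: List[Policy], c: Connection) -> Optional[str]:
    p = select_policy(policies, c)
    return p.configuration if p else None

def shadowed_policies(policies: List[Policy]) -> List[str]:
    """Names of policies ranked below the first catch-all profile; these can never be selected."""
    for i, p in enumerate(policies):
        if p.profile.is_catch_all():
            return [q.name for q in policies[i + 1:]]
    return []

# Constructed sample: the guide's university example, a catch-all placed last, and one policy
# mistakenly ranked below it (the guide shows such policies grayed out).
STUDENTS = GroupRule("Any Of", frozenset({"Students"}))
FACULTY = GroupRule("Any Of", frozenset({"Faculty"}))
UNIVERSITY_POLICIES = [
    Policy("Students Connecting in Dorm A", Profile("Students Dorm A", frozenset({"Dorm A Devices"}), STUDENTS), "VLAN 10"),
    Policy("Students Connecting in Dorm B", Profile("Students Dorm B", frozenset({"Dorm B Devices"}), STUDENTS), "VLAN 20"),
    Policy("Faculty running Windows", Profile("Faculty Windows", None, FACULTY, attribute_filters=[{"host.os": "Windows"}]), "VLAN 30"),
    Policy("Faculty running macOS", Profile("Faculty macOS", None, FACULTY, attribute_filters=[{"host.os": "macOS"}]), "VLAN 40"),
    Policy("Everyone else", Profile("Catch All"), "VLAN 99"),
    Policy("Guests", Profile("Guests", None, GroupRule("Any Of", frozenset({"Guests"}))), "VLAN 50"),
]
```

Running shadowed_policies(UNIVERSITY_POLICIES) reports the Guests policy, which is exactly the rank mistake the guide warns about; a student connecting outside both dorm device groups falls through to the catch-all rather than to the switch default VLAN.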

Profiles in use

To find the list of FortiNAC features that reference a specific user/host profile, select the profile from the User/Host
Profiles View and click Used By. A panel is displayed indicating whether or not the profile is associated with any other
features. If the profile is referenced elsewhere, a list of each feature that references the profile is displayed.

Delete a profile

1. Click Policy & Objects.
2. Select User/Host Profiles.
3. Select the profile to be removed.
4. Click Delete.
5. Click OK to confirm that you wish to remove the profile.

When attempting to delete a profile which is currently being used by other elements, an
error message will be displayed stating "One or more selected User/Host Profiles are
currently in use" - it will not list which items are using it. The user would need to then
access the "Used By" action to see which items are using it.

Network access

A network access policy consists of one user/host profile and one network access configuration. The user/host profile is
used to determine the users and hosts to which this policy might apply. The network access configuration assigns the
treatment those users and hosts receive when they connect to the network.

Network access policies are used for registered hosts only.

The network access configuration specifies the VLAN, CLI configuration or VPN Group Policy that apply to a host that
requires network access. If the user or host matches the selected user/host profile they are given the network access
defined in the configuration.
Network access policies follow a pattern, such as when anyone in group X of people connects to a device in group Y of
devices only put those users on VLAN 10. Devices that are end-stations, such as a gaming device, a printer or a medical
device can be treated as if they were people. For example, if a gaming device that matches the specified user/host
profile is connected to a switch that also matches the user/host profile it can be moved to a special VLAN for gaming
devices defined in the network access configuration.
Network access policies are very flexible and can be used in more complex situations. For example, network access
policies can be created for medical devices that are end stations. When a medical device is connected to any port in the
hospital, FortiNAC can use a network access policy that contains a CLI configuration to reduce the rate of data transfer
on those ports.
Network access policies can also be used to pass a group policy to a user connecting through a VPN concentrator.
When a user connects through a VPN you do not want to disconnect the user in order to move the user from one VLAN
to another. However, when the user is authenticated and the authentication is returned to the VPN concentrator,
FortiNAC can also send a group policy for that user. The policy can then restrict the user's network access to certain
areas. Group policies are configured on the VPN concentrator. When the name of the Group policy is entered into the
Access Value/VLAN field on the Network Access Configuration window, that VPN group policy is then enforced for
the connecting user.
Policies are assigned based on matching data when a host requires network access. The host/user and the connection
location are compared to each network access policy starting with the first policy in the list. When a policy is found where
the host and user data and the connection location match the selected user/host profile, that policy is assigned. Policy
assignments are not permanent. Hosts are re-evaluated frequently, such as when a switch is polled or the Persistent
Agent contacts the server. When host and user data are re-evaluated a different network access policy may be selected.

There may be more than one network access policy that is a match for this host/user; however,
the first match found is the one that is used.

If you create a user/host profile with fields Where set to Any, Who/What by Group set to Any, Who/What by Attribute set
to Any and When set to Always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host
profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To
highlight this, policies below the policy with the catch all profile are grayed out and have a line through the data.
The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.

Implementation

l Determine which device(s) will be used to support a specific network access policy.
l Configure the device(s) with the VLAN or Interface ID information for the network access policy. Note: Network
Access Policy application to switches without the specified VLAN configured may cause unexpected results.
l Create a device group and add the device(s) for each set of devices that will be used for network access policies.
For example, you might have a group of devices that provide network access in Building A. That group of devices
will provide different types of access than the devices in Building B, therefore you would create two separate device
groups. See Groups on page 345 for information on groups.
l If only some ports on a device or devices will be used for network access policies, you can place just the required
ports in a Port group specifically for use in network access policies. First, determine which ports will participate in
network access policies and place those ports in the Role Based Access Group. Ports that are not in this group
cannot apply policies. Once ports are in the Role Based Access group, place them in groups that will be associated
with specific user/host profiles and network access policies. See Groups on page 345 for information on groups.
Ports that are designated as connection locations for network access policies are typically included in the Role
Based Access Group. If a port is used in a policy but is not included in the Role Based Access Group, devices
connecting to that port are placed in the default VLAN entered on model configuration for that device. They are not
placed on the VLAN defined for the network access policy.
l Determine which hosts or users will receive which network access. Create user/host profiles that would match each
set of Users or Hosts that require different treatment. For example, if you want your Executives on VLAN 10 and your
Admin Staff on VLAN 20 you must create a user/host profile for each set of users. See User/host profiles on page
175.
l Create a network access configuration for each VLAN, CLI configuration or VPN Group Policy that you wish to
assign to connecting hosts. See Network access configurations on page 183.
l Create your network access policies by mapping a user/host profile to a network access configuration. See Network
access on page 179.

Manage policies

Create network access policies to assign a VLAN, implement a CLI configuration or assign a VPN Group Policy when a
host requires network access. Policies are selected for a connecting host by matching host and user data to the criteria
defined in the associated user/host profile. The first policy that matches the host and user data is assigned.

If the host does not match any policy, it is assigned the default VLAN configured on the switch.

If you create a user/host profile with fields Where set to Any, Who/What by Group set to Any, Who/What by Attribute set
to Any and When set to Always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host
profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To
highlight this, policies below the policy with the catch all profile are grayed out and have a line through the data.
The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.

Settings

An empty field in a column indicates that the option has not been set.

Field Definition

Rank Policy's rank in the list of policies. Rank controls the order in which host connections are
compared to Policies.

Set Rank is now legacy architecture. In 7.2, use drag and drop to reorder the rank from the left column, click
edit from within the cell.
Name User defined name for the policy.

Configuration Contains the configuration for the VLAN, CLI configuration or VPN Group Policy that will be
assigned if this Access Policy matches the connecting host. See Network access
configurations on page 183.

Who/What Attributes
A host or user must meet all parameters within a single filter, but is only required to match one
filter in the list. The attribute must be known at the time of connection. See Filter example on
page 177.
RADIUS Attributes
Used to match against endpoints pre- and post-authentication.
Groups
l Any — Matches any group.
l Any Of — Matches any of the listed groups. Does not have to match everything, but has
to match at least one group that has been selected.
l All Of — Has to match every group that's been selected.
l None Of — Has to match no group that's been selected.

Where The connection location specified in the user/host profile. The host must connect to the
network on a device, port or SSID contained within one of the groups shown here to be a
match. When set to Any, this field is a match for all hosts or users.

When The time frame specified in the selected user/host profile. The host must be on the network
within this time frame to be a match. When set to Always this field is a match for all hosts or
users.

Used By Lists all elements which are using this component.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add an
administrator profile on page 55.

Create or edit a policy

1. Select Policy & Objects.
2. Select Network Access.
3. Click Create New or select an existing Policy and click Edit.
4. Click in the Name field and enter a name for this Policy.
5. Select a User/Host Profile from the drop-down menu. Note that if you modify this profile, it is modified for all
features that make use of the profile. Connecting hosts must match this user/host profile to be assigned the network
access configuration specified in the next step.
6. Select a configuration from the drop-down menu. Note that if you modify this configuration, it is modified for all
features that make use of it. See Create or edit a configuration on page 184.
7. The Note field is optional.
8. Click OK to save your policy.

Delete a policy

1. Click Policy & Objects.
2. Select Network Access.
3. Select the policy to be removed.
4. Click Delete.
5. Click OK to confirm that you wish to remove the policy.

Network access configurations

Network access configurations define access treatments for connecting hosts and users. Hosts can be placed in a
particular VLAN, have a CLI configuration applied or be passed a VPN Group Policy. The network access configuration
that is assigned to a particular host is determined by the pairing of a network access configuration and a user/host profile
within a network access policy.
When a host requires network access, the host and user are compared to the user/host profile in each network access
policy starting with the first policy in the list. When a policy is found where the host and user data match the user/host
profile in the policy, that policy is assigned. The network access configuration contained within that policy specifies the
treatment received by the host.

Settings

An empty field in a column indicates that the option has not been set.

Field Definition

Name User defined name for the Configuration.

Logical Network The Logical Network to assign. Logical networks are access values that translate to the
physical value of network infrastructure devices. They are used to separate network access
policies from device specific values. See Logical networks.

Note User specified note field. This field may contain notes regarding the conversion from a
previous version of FortiNAC.

Last Modified By User name of the last user to modify the configuration.

Last Modified Date Date and time of the last modification to this configuration.

Right click options

Delete Deletes the selected network access configuration.

In Use Indicates whether or not the selected configuration is currently being used by any other
FortiNAC element. See Configurations in use on page 185.

Modify Opens the Modify Network Access Configuration window for the selected configuration.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add an
administrator profile on page 55.

Buttons

Export Exports the data displayed to a file in the default downloads location. File types include CSV,
Excel, PDF, or RTF. See Export Data.

Create or edit a configuration

1. Select Policy & Objects.
2. Expand Network Access.
3. Select Configuration.
4. On the Network Access Configurations window, click Create New or select an existing configuration and click
Edit.
5. Click in the Name field and enter a name for this configuration.
6. If you are using an alias instead of an actual Access Value, enable the Access Value is an alias check box. This
indicates that the Access Value/VLAN field contains an Alias that represents many VLANs across multiple devices
on your network.
7. Select a Logical Network from the drop down to assign to the configuration.
8. The Note field is optional.
9. Click OK to save the configuration.

Configurations in use

To find the list of FortiNAC features that reference a specific network access configuration, select the configuration from
the Network Access Configurations view and click In Use. A message is displayed indicating whether or not the
configuration is associated with any other features. If the configuration is referenced elsewhere, a list of each feature that
references the configuration is displayed.

Delete a configuration

If a configuration is in use by another feature in FortiNAC, it cannot be deleted. A dialog displays with a list of the features
in which the configuration is used. Remove the association between the configuration and other features before deleting
the configuration.
1. Click Policy & Objects.
2. Expand Network Access.
3. Select Configuration from the menu.
4. Select the configuration to be removed.
5. Click Delete.
6. Click OK to confirm that you wish to remove the configuration.

Endpoint compliance

Endpoint compliance is a feature set used to ensure that hosts connecting to your network comply with network usage requirements. Endpoint compliance policies are the cornerstone of endpoint compliance. Use these policies to establish the parameters for security that will be enforced when hosts connect to the network. If you do not create policies, when hosts connect to the network and users enter their credentials, they will be automatically registered without a policy being applied. See Endpoint compliance policies on page 231.
Endpoint compliance can also use an agent on the host to ensure that compliance with established policies is maintained. The Dissolvable Agent is downloaded during registration and is removed when the host is registered. The Persistent Agent remains on the host. The Mobile Agent is installed on and remains installed on mobile devices. The Passive Agent is not installed, but is served as the user logs onto the network and does a scan in the background.
Endpoint compliance policies contain scans used to evaluate hosts and ensure that each host complies with your configured list of acceptable operating systems and antivirus software. For a list of supported operating systems and antivirus software, use the customer portal on our web site.

Features

Feature Description

Agent Distribution: Download Agents for alternative distribution. See Agent packages on page 412.

Auto-Def Update Schedule: Schedule the task to automatically update virus definitions, spyware definitions and operating systems for which you can scan. See Auto-definition updates on page 229.

NAT Detection: Enter the IP ranges where an agent will detect NAT'd hosts. IP addresses outside this range could be NAT'd hosts and can generate an event and an alarm to notify the network administrator. See NAT detection on page 1.

Passive Agent Configuration: Create customized configurations that register and scan hosts associated with network users contained in your LDAP or Active directory. See Passive Agent on page 1.

Policy Configuration: Add, delete, modify, or schedule endpoint compliance policy. See Endpoint compliance policies on page 231.

Persistent Agent Properties: Enter text that will be displayed in the header and footer area on any messages sent to a host running the Persistent Agent. Enable status pop-ups. Configure server communication. See Persistent Agent settings on page 1.

Remediation Configuration: Add, remove, modify, or schedule security and admin script profile configurations. See Remediation configurations on page 1.

Implementation

Endpoint compliance allows you to create security policies and use those policies to scan network users' computers for
compliance with your organization's network usage rules. The implementation of this feature set can vary widely from
one organization to another based on how restrictive or open you choose to make it. You can simply monitor hosts for
non-compliance or go so far as to completely block network access. You can institute scans based on simple options
included in FortiNAC or create your own custom scans. This section of the documentation discusses the implementation
in the approximate order in which it should be done. It also details optional features that you may or may not choose to
implement. As the options are discussed, links to additional information are provided.
Before implementing endpoint compliance, it is recommended that you notify all users about your network usage
requirements. This helps users anticipate the changes and reduces calls to your IT Staff.

Agent

Choose one or more agents

The first step in implementing endpoint compliance is determining whether you will use the Persistent Agent, the
Dissolvable Agent, the Passive Agent, the Mobile Agent or a combination.
• The Persistent Agent is installed on the host and remains there to scan the computer as needed.
• The Dissolvable Agent is downloaded to the host and removes itself once the host has passed the security scan. If the host does not pass the scan, the Dissolvable Agent remains on the host for the user to run again after compliance issues have been resolved.
• The Passive Agent is provided using an external method, such as Group Policy Objects, and launched when the user logs into the domain. Users experience a slight delay while logging in but are unaware that their hosts are being scanned. See Passive Agent on page 1.
• The Mobile Agent is installed on Android devices and is downloaded from either the captive portal or Google Play.
You may have situations in which one agent works better than others. For example, network users who log into your
network every day could use the Persistent Agent and guest users could use the Dissolvable Agent. See Agent overview
on page 190 for additional information.

Use the latest agents

You may not have the most recent version of the selected agent on your FortiNAC appliance. Use the Agent Distribution
window to see which agents are installed. From this window download the latest agent from Fortinet, if you need it. See
Agent packages on page 412. Not all agent versions are compatible with all FortiNAC versions. It is recommended that
you check with a sales or support representative before using a new agent.

Deploy selected agents

Once you have determined which agents to use, you must decide how to deploy them. Typically agents are deployed
using the portal pages or web pages that users see when they connect to your network. These web pages allow users to
download an agent and install it on their hosts. If this is the method you use to give the agent to your hosts, no special
setup is required. FortiNAC takes care of making the agent available via its own web pages based on the options
selected in the endpoint compliance policy. Go to the portal configuration window and edit the content displayed on
those web pages in order to customize them. See Portal content editor on page 1.
Deployment options for each agent are as follows:

• Dissolvable Agent: Can be deployed from the captive portal or a separate web page.
• Passive Agent: Deployed using an external method, such as group policy objects. This agent is launched and served to the host when the user logs onto the network.
• Mobile Agent: Deployed using the captive portal or Google Play.
• Persistent Agent: Deployed using the captive portal, a separate web page or some other software distribution method.
  • If you choose to deploy the agent outside of FortiNAC you must download the agent and make it available for your chosen distribution method. See Agent packages on page 412 for information on downloading the latest agent.
  • Go to the Persistent Agent Settings to configure agent behavior and the server with which the agent must communicate. See Persistent Agent settings on page 1.

Agent / server communications

All Agents must be configured to communicate with the FortiNAC server while they are scanning the host. The default
configuration is for the agent to communicate based on the server alias "ns8200". To ensure that this communication is
successful the alias must be resolvable through DNS. Agents distributed through the captive portal are set automatically
to communicate with the server. Additional settings in both FortiNAC and your Production DNS direct the agent to the
correct server. See and .
Agents at V3.0 or higher are designed to use a secure communication protocol with the FortiNAC Server or Application
Server; however, that does require some configuration.

Endpoint compliance policy

When you have determined the agent or agents to be used, you are ready to begin configuring your endpoint compliance
policy.
• Create user/host profiles to determine which users/hosts will match a policy. See User/host profiles on page 175.
• Create endpoint compliance policies to evaluate the hosts connecting to your network. See Endpoint compliance policies on page 231.
• Policies contain Scans that rely on having up-to-date information about antivirus and operating systems. To ensure that you have the latest information at all times, configure a schedule for and run the Auto Def Updates.
• If you plan to use custom scans, you must create them first and then associate them with a Scan. This can be done at any time you feel that a custom scan is necessary. New custom scans can be associated with existing Scans. See Custom scans on page 260.
• For each Scan that you create, decide how often to rescan hosts assigned to that policy. Set up a rescan schedule. See Schedule a scan on page 255.
• If you are using the Dissolvable Agent and you want to allow hosts to rescan at their convenience, enable Proactive scanning.
• When a host fails a scan the user sees a web page with a list of reasons for the failure. To comply with your organization's requirements, that host may need access to certain web sites. For example, if the host failed because virus definitions were not up to date, that host needs to access the antivirus software manufacturer's web page to download new virus definitions. FortiNAC has a list of web sites that are made accessible even when a host has failed a scan. Make sure that the web sites for the software you require are included in that list.
• To understand what determines the policy that is assigned to a host, see Policy assignment on page 167.

Events & alarms

• Make sure the Security Risk Host event is enabled, so that an event is generated any time a host fails a scan. The event message provides you with information about the host and why it failed. This is optional, but may be helpful in troubleshooting. See Enable and disable events on page 323.
• You can view the list of events that have been generated by going to the Events View. See Events on page 301.
• If you would like to be notified that a host has failed a scan, map the Security Risk Host event to an alarm. Within the alarm configuration you can specify that you would like to be notified via email or you can use the Alarm Panel on the dashboard. This alarm notifies you when a host has failed a scan and helps you troubleshoot any problems. You can also set up e-mail notification for users so they are aware that their host failed a scan. See Map events to alarms on page 334 and Alarms on page 30.
• Make sure that your administrator e-mail address and your e-mail server have been configured or FortiNAC will not be able to send e-mail notifications. See Email settings on page 390.

Ports - control access

• Place ports for wired switches in a Forced Registration group. This forces hosts connecting on those ports to the Registration VLAN and displays the registration page. From this page they can download an agent and be scanned. See and .
• Hosts that have an agent and have already registered are not forced to the registration page. They are sent directly to the network. They are rescanned based on the schedule you have implemented for their policy.
• If you have a Remediation or quarantine VLAN where hosts are placed when they fail a scan, you must place ports in a Forced Remediation group. Placing ports in this group enables the quarantine VLAN switching option. If you are not ready to begin placing hosts in Remediation, you can disable this option.
• When quarantine VLAN switching is disabled, hosts are scanned and can see the passed and failed items from their scans, but they are given access to the network instead of being put into the quarantine VLAN. This is a good option to use when testing out the system. See Quarantine on page 1.
• Other groups you may choose to use are Forced authentication, Dead End and Role Based Access.

Scan hosts without enforcing remediation (optional)

To scan hosts without placing "at risk" hosts in remediation you can enable one or more options. See Scan hosts without
enforcing remediation on page 245 for more details.
• Disable quarantine VLAN switching to scan hosts but not mark them "at risk".
• Enable the Audit Only option on an endpoint compliance policy. Hosts that fail when scanned with that policy are not marked "at risk".
• Add hosts to the Forced Remediation Exceptions Group. Hosts in this group are scanned with the policy that corresponds to them. Hosts that fail the scan are marked "at risk" but are not forced into remediation.

Delayed remediation for scanned hosts (optional)

Allows you to scan hosts, notify the users of hosts that fail the scan of any pending issues, but not place the host in
Remediation for a specified number of days. See Delayed remediation on page 246.
• Enable the Delayed Remediation setting on one or more endpoint compliance policies by entering the number of days for the delay.

Switches - model configuration

• Go to the Model Configuration for your wired and wireless switches and configure your VLANs. See Model configuration on page 1.

Authentication

• If you are using the Persistent Agent, you must set the method for authenticating your users in the Credential Configuration and in portal configuration. The authentication method selected must be the same in both places. See Credential configuration on page 1.
• If you are using the Dissolvable Agent or the Mobile Agent, you must set the method for authenticating your users in the portal configuration window.

Monitoring

• Use the Scan Results View to see a list of hosts with their current scan status. This view provides information on the Scan used and whether or not the host passed the scan. See Scan Results View on page 1.
• Use Standard Reports to view lists of policies, the number of scans run that were passed or failed and details on the Pass/Fail. See Standard report templates on page 1.
• Use the Health Tab under Host Properties to view detailed scan information for an individual host. See Host health and scanning on page 135.

Testing

It is recommended that you spend considerable time testing your endpoint compliance policies, web pages and VLAN
switching before fully implementing endpoint compliance. Use your own hosts and go through as many failure scenarios
as possible to make sure that hosts are being managed correctly.

Agent overview

Agents are used to scan hosts and determine whether the host complies with the endpoint compliance policy assigned to
that host. Agents can perform additional functions, such as installing a Supplicant Configuration for a secure network.
Several types of agents are available with FortiNAC, the Dissolvable Agent, the Passive Agent, the Persistent Agent and
the Mobile Agent.
When hosts are scanned by an agent and fail, there are several options:
• Administrators can simply receive a warning that the host has failed the scan along with a list of what the failures were, but the host is given access to the network.
• Users can receive a warning that they have failed and be given access to the network.
• The network can be configured to move failed hosts off the production VLAN into the quarantine or remediation VLAN. This happens regardless of the agent type being used. Once remediation has taken place and the host has passed the scan, the host is moved back to the production VLAN.
Custom scans using HKEY_CURRENT_USER or HKEY_CLASSES_ROOT may not behave the same with the Persistent Agent as they do with the Dissolvable Agent. If HKEY_CLASSES_ROOT exists in HKEY_LOCAL_MACHINE\Software\Classes, it should work the same for both agents.
If you experience any problems with your Multilanguage operating system, please contact TAC Support.

Dissolvable Agent

The Dissolvable Agent is downloaded to the host by the user. The user runs the agent and the agent scans the host. If
the computer is compliant with the endpoint compliance policy used for the scan, it is allowed on the network and the
agent removes itself from the computer. If the computer is not compliant with the endpoint compliance policy, the
Dissolvable Agent remains on the host to be used in a future scan after compliance issues have been addressed.
This agent can run custom scans, verify that Hotfixes are installed, check for antivirus and antispyware and operating
system information.
The Dissolvable Agent files are different for Windows, macOS, and Linux.

Passive Agent

The Passive Agent is not installed, but is served as the user logs onto the network and does a scan in the background.
See Passive Agent on page 1. This agent can run custom scans, verify that Hotfixes are installed, check for antivirus and
antispyware and operating system information. This agent runs only on Windows.

Persistent Agent

The Persistent Agent can be downloaded to the host and installed by the user, by a login script or by any other software
distribution method your organization might use. The Persistent Agent remains installed on the host at all times. Once
the agent is installed it runs in the background and communicates with FortiNAC at intervals established by the FortiNAC
administrator.
The Persistent Agent can be configured to provide messages to the user when the host is scanned indicating the results
of the scan. In addition you can provide pop-up messages indicating the host's current state, such as disabled, requires
authentication or network access is normal. See Persistent Agent Settings.
The Persistent Agent can run custom scans and monitors, verify that Hotfixes are installed, check for AntiVirus and
AntiSpyware and operating system information and allow an administrator to send a message to the host.

Mobile Agent

The Mobile Agent is downloaded and installed either from the captive portal or from Google Play depending on device settings. The Mobile Agent assists with authentication and registration and provides an inventory of installed apps. The Mobile Agent can determine whether the device is rooted or not. A device is considered rooted when a user has accessed the secure areas of the operating system on the device.

Dissolvable Agent

The Dissolvable Agent is an application that works on Windows, macOS, or Linux hosts to identify them to FortiNAC.
The agent scans them for compliance with an endpoint compliance policy. This agent is downloaded and installed on the
host until the host passes the scan. The agent then removes itself.
In a Windows environment, there are some operations that the Dissolvable Agent cannot perform unless the user has
administrator privileges on the PC, such as release and renew the IP address on the PC.

Setup requirements and options

• Make sure the latest Dissolvable Agent package is installed on the FortiNAC server.
• The Dissolvable Agent can be downloaded and installed by the user through the captive portal. The portal itself can be modified and personalized. Dissolvable Agent also has some settings in the portal under Agent > Dissolvable. See Portal configuration on page 1.
• If you are using the Dissolvable Agent, the FortiNAC appliance must be configured with SSL and must have a valid third party SSL certificate from a CA. A self-signed certificate cannot be used.
• Dissolvable Agent discovers the server to which it should connect using DNS SRV records. If for any reason it cannot discover the server, the user is presented with an option to enter either the URL or the FQDN of the server. The URL field will accept an HTTPS address, the FQDN of the server which it uses to create an HTTPS address or an HTTP address. If an HTTP address is used, a warning is displayed asking the user to confirm that they wish to access the server over an insecure connection. Depending on your configuration you may need to supply this information to users running the Dissolvable Agent.

Using the Dissolvable Agent

The Persistent Agent only works with the FortiNAC Control Server and FortiNAC Application
Server pair or the FortiNAC Server. If the FortiNAC Control Server is not paired with the
FortiNAC Application Server, the Dissolvable Agent must be used.

If you have chosen to use the Dissolvable Agent to scan Windows or macOS systems, the Dissolvable Agent is
downloaded to the host. Once the Dissolvable Agent runs and the host has successfully passed the scan, the agent is
removed from the host.
In a Windows environment, there are some operations that the Dissolvable Agent cannot perform unless the user has
administrator privileges on the PC, such as release and renew the IP address on the PC.

Registration

When an unknown host connects to the network and attempts to access the Internet, an entry in the DNS server
redirects the host to the Login page for registration.
During registration FortiNAC determines which endpoint compliance policy should be applied to this host based on the
user/host profile that the connecting user and host match.
Endpoint compliance policies contain a series of requirements for hosts that want to access the network. Endpoint
compliance policies contain scans that are configured by the Administrator and are run by the Agent. Policy
requirements can include scans for specific antivirus, operating system version and custom scans. Custom scans are
created by the Administrator. These allow the administrator to scan for the existence of things such as a specific file, a
registry entry, an installer package, a specific process or a domain.
The endpoint compliance policy determines which agent is made available to the user for download, such as Dissolvable
Agent or Persistent Agent.
Hosts connecting to the network will go through the process outlined below:
1. User connects to the network and is placed in registration. The registration web page is displayed.
2. User downloads the Dissolvable Agent to the default downloads location for the operating system.
3. Run the downloaded file and install it on the device.
4. After the Dissolvable Agent is installed, run the program. An Agent window is displayed and remains on the screen
until the user closes it.
5. The Dissolvable Agent uses the DNS SRV records to locate the appropriate FortiNAC server.
6. If the Dissolvable Agent cannot locate the server, a message is displayed asking for the URL of the server. The user
is presented with an option to enter either the URL or the FQDN of the server. The URL field will accept an HTTPS
address, the FQDN of the server which it uses to create an HTTPS address or an HTTP address. If an HTTP
address is used, a warning is displayed asking the user to confirm that they wish to access the server over an
insecure connection.
7. The Agent window displays the results of the scan.
8. If the host fails the scan, Rescan is displayed allowing the user to Rescan after correcting any issues.
9. When the host passes the scan, the user closes the Agent window and the Dissolvable Agent dissolves.
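As an added example (not from the guide or the agent itself), the following Python models the server-discovery fallback in steps 5 and 6 above and in the Dissolvable Agent setup options: pick a target from DNS SRV records, otherwise accept the URL or FQDN the user enters, turning a bare FQDN into an HTTPS address and flagging an explicit HTTP address so the insecure-connection warning can be raised. The hostnames and port are constructed samples, there is no live DNS lookup, and SRV selection is simplified to lowest priority then highest weight.

```python
"""Dissolvable Agent server-discovery fallback, modelled in Python.

Added example, not FortiNAC code. Assumptions not stated in the guide: SRV
records arrive already parsed (no live DNS lookup here), the lowest priority
wins with ties broken by the highest weight, and the URL built from an SRV
record is https://<target>:<port>. Hostnames and ports are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # DNS name, may carry a trailing dot; "." means "no service"


def pick_srv_target(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """Return the preferred SRV record, or None when none is usable.

    RFC 2782 asks for a weighted random pick among equal priorities; the
    deterministic highest-weight rule used here keeps the example readable.
    """
    usable = [r for r in records if r.target.strip(".")]
    if not usable:
        return None
    return min(usable, key=lambda r: (r.priority, -r.weight))


def url_from_user_input(value: str) -> Tuple[str, bool]:
    """Normalise the address the user typed when SRV discovery failed.

    Returns (url, insecure). insecure is True only for an explicit http://
    address, the one case in which the agent asks the user to confirm an
    insecure connection. A bare FQDN becomes an https:// address.
    """
    text = value.strip()
    if not text:
        raise ValueError("empty server address")
    scheme = urlsplit(text).scheme.lower()
    if scheme == "https":
        return text, False
    if scheme == "http":
        return text, True
    if "://" in text:
        raise ValueError("unsupported scheme: %s" % scheme)
    return "https://" + text, False


def agent_server_url(srv_records: List[SrvRecord],
                     user_input: Optional[str] = None) -> Tuple[str, bool]:
    """Steps 5 and 6 of the registration flow: SRV first, then user input."""
    chosen = pick_srv_target(srv_records)
    if chosen is not None:
        return "https://%s:%d" % (chosen.target.rstrip("."), chosen.port), False
    if user_input is None:
        raise LookupError("no usable SRV record; prompt for the server URL or FQDN")
    return url_from_user_input(user_input)


# Constructed sample records: two equal-priority servers and a backup.
SAMPLE_SRV = [
    SrvRecord(10, 40, 4568, "nac2.example.com."),
    SrvRecord(10, 60, 4568, "nac1.example.com."),
    SrvRecord(20, 0, 4568, "backup.example.com."),
]

if __name__ == "__main__":
    print(agent_server_url(SAMPLE_SRV))
    for typed in ("nac.example.com", "http://nac.example.com"):
        url, insecure = agent_server_url([], typed)
        print(url, "(confirm insecure connection)" if insecure else "")
```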

Persistent Agent

The Persistent Agent is an application that works on Windows, macOS, or Linux hosts to identify them to FortiNAC and
scan them for compliance with an endpoint compliance policy. This Agent is downloaded and installed on the host
permanently.

Communication

The Persistent Agent installed on a host is designed to "check in" through a periodic heartbeat sent to the Persistent
Agent server. This lets the server know that the Persistent Agent is still installed and running on the host. When this does
not happen, a "Lost Contact with Persistent Agent" event is generated indicating that the server cannot communicate
with the host. When the Persistent Agent eventually contacts the server again a "Regained Contact with Persistent
Agent" event is generated.
Lost contact with the Persistent Agent is intended to communicate to FortiNAC Administrators that hosts that are marked as having the Persistent Agent are online but not communicating with the FortiNAC agent server. Lost contact detection can take up to approximately 90 minutes from the first detected communication failure to generation of the event. This also depends on the L2 poll interval of the Network Device.
The Persistent Agent communicates using the following ports:
• tcp 4568
• tcp 80 (required for upgrades)

The "Lost Contact with Persistent Agent" event only detects that the agent is no longer
successfully communicating. This loss of contact could be caused by many things including: a
missing or disabled agent, a lack of network connectivity, a lack of network activity that would
prevent FortiNAC from polling to discover that the host was offline, a firewall that prevents
communication between the agent and the server or any other issue that would interrupt
communication.

The Persistent Agent does work within the context of FortiNAC's VPN integration.
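As an added example (not FortiNAC code), this Python models the heartbeat bookkeeping behind the two events in the Communication section: a host that the L2 poll still shows online but that has not checked in within the detection window gets a Lost Contact event, and its next heartbeat produces Regained Contact. The 90 minute window, the rule that offline hosts are not reported, and the MAC addresses are constructed for the example.

```python
"""Model of the "Lost Contact with Persistent Agent" and "Regained Contact"
events described above. Added example, not FortiNAC code.

Assumptions not stated in the guide: a host is flagged only when it has gone
LOST_AFTER_S seconds without a heartbeat while its latest L2 poll still shows
it online; the guide's approximate 90 minute upper bound is used as that
window. MAC addresses and timestamps below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOST_AFTER_S = 90 * 60  # detection window in seconds (constructed)
LOST_EVENT = "Lost Contact with Persistent Agent"
REGAINED_EVENT = "Regained Contact with Persistent Agent"


@dataclass
class HostState:
    last_heartbeat: Optional[int] = None  # epoch seconds of last agent check-in
    online: bool = False                  # what the latest L2 poll reported
    lost: bool = False                    # a Lost Contact event is outstanding


@dataclass
class ContactMonitor:
    hosts: Dict[str, HostState] = field(default_factory=dict)
    events: List[Tuple[int, str, str]] = field(default_factory=list)

    def _state(self, mac: str) -> HostState:
        return self.hosts.setdefault(mac, HostState())

    def heartbeat(self, mac: str, now: int) -> Optional[str]:
        """Agent check-in; closes an outstanding Lost Contact with Regained."""
        st = self._state(mac)
        st.last_heartbeat = now
        if st.lost:
            st.lost = False
            self.events.append((now, mac, REGAINED_EVENT))
            return REGAINED_EVENT
        return None

    def l2_poll(self, mac: str, online: bool) -> None:
        """Record whether the network device still sees this MAC on a port."""
        self._state(mac).online = online

    def evaluate(self, now: int) -> List[str]:
        """Periodic check; returns MACs for which Lost Contact was raised now.

        The event only says the agent is not heard from: a removed or disabled
        agent, a host firewall blocking tcp 4568, or lost connectivity all
        look identical here, so triage starts on the host.
        """
        raised = []
        for mac, st in self.hosts.items():
            if st.lost or not st.online or st.last_heartbeat is None:
                continue  # offline hosts are not reported: nothing to hear from
            if now - st.last_heartbeat >= LOST_AFTER_S:
                st.lost = True
                self.events.append((now, mac, LOST_EVENT))
                raised.append(mac)
        return raised


if __name__ == "__main__":
    mon = ContactMonitor()
    mon.heartbeat("00:11:22:33:44:55", 0)
    mon.l2_poll("00:11:22:33:44:55", True)
    mon.evaluate(60 * 60)   # still inside the window: no event
    mon.evaluate(95 * 60)   # online, silent past the window: Lost Contact
    mon.heartbeat("00:11:22:33:44:55", 120 * 60)  # Regained Contact
    for ts, mac, name in mon.events:
        print("%6d  %s  %s" % (ts, mac, name))
```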

Setup requirements and options


• FortiNAC-OS Requirement: "nac-agent" and "http" options must be included in the "set allowaccess" command. See Open ports for details.
• Make sure the latest Agent package is installed on the FortiNAC server.
• Add SRV records to your production DNS server that allow the agent to locate the FortiNAC Server or Application server to which it should connect.
• If you are using Persistent Agent 3.X or higher, the FortiNAC appliance must be configured with SSL and must have a valid third party SSL certificate from a CA. A self-signed certificate cannot be used.
• The 3.x Persistent Agent communication method requires not only that SSL certificates be installed for the Persistent Agent target in FortiNAC, but also that the root certificate be installed on the endstation hosting the agent. The Persistent Agent reads all certificates from the trusted root certification authorities store of the system account. If the CA is not listed in this store, the Persistent Agent will not trust the connection to FortiNAC and will not communicate. FortiNAC does not push root certificates to endstations. Root certificates come pre-installed with the host's operating system. Any additions or updates to root certificates are distributed via the host's OS updates.
• The Persistent Agent can be downloaded and installed by the user through the captive portal, by a login script or by any other software distribution method your organization might use. Determine your distribution method.
• If you plan to deliver the agent via the captive portal, configure the portal styles. See Portal configuration on page 1.
• You can configure FortiNAC to authenticate users with their Windows domain logon credentials, eliminating the need for the Persistent Agent to ask for credentials. See Using Windows domain logon credentials on page 199.
• The Persistent Agent can be configured to provide messages to the user when the host is scanned indicating the results of the scan. In addition you can provide pop-up messages indicating the host's current state, such as disabled, requires authentication or network access is normal. See Persistent Agent settings on page 1.
• In addition to the settings contained within the admin UI, registry settings on Windows hosts can be configured using Group Policy Objects. These registry settings contain the URL of the FortiNAC Application Server, enable and disable the system tray icon or Balloon Notifications and various security settings. See Agent packages on page 412.
• The Persistent Agent has different files for macOS and Windows operating systems. FortiNAC can be configured to update the Persistent Agent automatically with a user-specified version or an updated agent can be pushed to a specific host.
• The Persistent Agent can be used to apply a supplicant configuration to a host. See Supplicant EasyConnect policies on page 1.

Host requirements and options


• The host must be running Windows, macOS, or Linux. Refer to the Agent Comparison table in Agent overview on page 190 or the Release Notes for more detailed information about operating system versions that are supported.
• If the host is running a Virtual Machine (VM) with the Persistent Agent inside the VM, the VM must be bridged. The Persistent Agent is not fully functional when it runs in a NATed Virtual Machine on a host. The agent can contact the FortiNAC server and receive a response. However, unsolicited messages from the FortiNAC server fail to reach the agent.
• For the Persistent Agent to detect guest VMs running on the host, the VMs must be bridged. The VM adapters will then be associated with the host with the Medium of VirtualGuest.
• If the Persistent Agent is delivered via the captive portal, the user must install it manually. See Installation for Windows on page 195 and Installation for macOS on page 196.
• For an overview of the host registration and scanning process using the Persistent Agent, refer to Using the Persistent Agent on page 198.

Troubleshooting

• If you are troubleshooting an issue with the Persistent Agent, review the logs generated on the host. See Logging on page 203.

Installation for Windows

When a new host connects to the network, it is directed to a special web page that allows the user to download the
Persistent Agent. Once the Persistent Agent has been downloaded, it must be installed on the host.
The Persistent Agent can also be delivered as an .msi file. This allows it to be pushed automatically from Active
Directory.

Install

1. On the host, locate the Persistent Agent.exe file that was downloaded. Double-click the file to begin the installation process.
2. The Welcome window displays. Click Next to continue.
3. A progress window appears showing the status of the installation. The Installation Complete window displays.
4. Click Finish.
5. The Agent Icon appears in the system tray on the right.

Several right click options are available:

Option Description

About: Displays the agent version, copyright, and other information.

Show Messages: Displays the list of the messages sent through the Persistent Agent that have been received by the host. If any URLs have been sent separate from a message, a list of these is also displayed.

Login: Appears when the host is in isolation requiring registration or authentication. When selected, opens a login dialog.

Log off the Network: Appears when the host is logged in and authenticated. When selected, the host is logged off the network and is placed into isolation requiring authentication.

Show Network Access Status: Appears when the host is isolated for remediation or being disabled. When selected, the user is sent to either the remediation page for rescan or the dead end page if disabled.

6. The Agent automatically communicates with the FortiNAC Application Server to authenticate the user credentials.
7. Enter User Name and Password, then click OK. The user is authenticated and registered.

Host firewall

When a host is running a Windows Firewall, the Persistent Agent automatically adds a program exception for itself to the
Windows Firewall configuration. This is added to the currently active user profile, unless the "Domain" profile is active.
For hosts using a different firewall you must meet the following requirements:
- An exception for the Persistent Agent must be added to the firewall
- UDP/TCP ports 4567 and 4568 must be available for agent communication

Installation for macOS

When a new host connects to the network, it is directed to a special web page that allows the user to download the
Persistent Agent. Once the Persistent Agent has been downloaded it must be installed on the host.

Install

1. On the host, locate and open the Persistent Agent.dmg folder that was downloaded.
2. Double-click the Persistent Agent.pkg on the desktop to begin the installation process. Then click Continue to
start the installation.
3. Select the drive where the Persistent Agent is to be installed, then click Continue.
4. Click Install to begin the installation of the agent on the local host.
5. Enter the local host’s administrator credentials and click OK.
6. Click Close when the installation is complete.
7. Go to the desktop and unmount the Persistent Agent Installer by dragging it to the trash bin. The trash bin icon turns
into an eject icon.
8. The Persistent Agent Icon appears in the system tray on the right. Click options for the icon are About and Show
Messages.

Several options are available when you click the icon:

About: Displays the agent version, copyright, and other information.
Show Messages: Displays the list of the messages sent through the Persistent Agent that have been received by the host. If any URLs have been sent separate from a message, a list of these is also displayed.
Login: Appears when the host is in isolation requiring registration or authentication. When selected, opens a login dialog.
Log off the Network: Appears when the host is logged in and authenticated. When selected, the host is logged off the network and is placed into isolation requiring authentication.
Show Network Access Status: Appears when the host is isolated for remediation or being disabled. When selected, the user is sent to either the remediation page for rescan or the dead end page if disabled.

9. The Agent automatically communicates with the FortiNAC Application Server to authenticate the user's credentials.
Enter User Name and Password, then click OK. The user is authenticated and registered.
If the Agent will not run (e.g., there is no icon displayed), uninstall the PA and run the following command from the
command line (Terminal). Then, re-install the PA.

sudo /usr/sbin/pkgutil --forget com.bradfordnetworks.PersistentAgent

Uninstall

Go to /Library/Application Support/Bradford Networks/Persistent Agent/Uninstall

Installation for Linux

When a host connects to the network, it is directed to a special web page that allows the user to download an rpm or deb package of the Persistent Agent. Once the Persistent Agent has been downloaded, it must be installed on the host.

Install

1. On the host, locate the directory where the bni-persistent-agent-3.X.X.X-1.x86_64.rpm or bni-persistent-agent-3.X.X.X-1.amd64.deb was downloaded.
2. To install the Persistent Agent package, do the following:
a. To install rpm, type: $ sudo rpm -Uvh bni-persistent-agent-3.X.X.X-1.x86_64.rpm
b. To install deb, type: $ sudo dpkg -i bni-persistent-agent-3.X.X.X-1.amd64.deb
3. The Persistent Agent Icon appears.

Several options are available when you click the icon:

About: Displays the agent version, copyright, and other information.
Show Messages: Displays the list of the messages sent through the Persistent Agent that have been received by the host. If any URLs have been sent separate from a message, a list of these is also displayed.
Login: Appears when the host is in isolation requiring registration or authentication. When selected, opens a login dialog.
Log off the Network: Appears when the host is logged in and authenticated. When selected, the host is logged off the network and is placed into isolation requiring authentication.
Show Network Access Status: Appears when the host is isolated for remediation or being disabled. When selected, the user is sent to either the remediation page for rescan or the dead end page if disabled.

4. The Agent automatically communicates with the FortiNAC Application Server to authenticate the user’s credentials.
Enter the User Name and Password, then click OK.
The user is authenticated and registered.
If FortiNAC's DNS does not contain the specific SRV records used by the Persistent Agent to locate the server, the end user must run the setup script to edit the configuration file for the Linux Persistent Agent.
To run the setup script, do the following:
1. To stop the Linux Persistent Agent service type: $ sudo service bndaemon stop
2. Run the setup script.
a. Type $ cd /opt/com.bradfordnetworks/PersistentAgent
b. Type $ sudo ./setup
c. Enter the following configuration values from the setup:

- Home Server: Enter the FQDN of your FortiNAC Application Server.
- Allowed Servers: Enter any other FortiNAC servers the Agent would need to communicate with.
- Restrict roaming: Restrict the agent to only communicate with servers listed in the Home Server and Allowed Servers fields.

3. To start the Linux Persistent Agent service type: $ sudo service bndaemon start

Right-click options

About: Displays the agent version, copyright, and other information.
Show Messages: Displays the list of the messages sent through the Persistent Agent that have been received by the host. If any URLs have been sent separate from a message, a list of these is also displayed.
Login: Appears when the host is in isolation requiring registration or authentication. When selected, opens a login dialog.
Log off the Network: Appears when the host is logged in and authenticated. When selected, the host is logged off the network and is placed into isolation requiring authentication.
Show Network Access Status: Appears when the host is isolated for remediation or being disabled. When selected, the user is sent to either the remediation page for rescan or the dead end page if disabled.

Host firewall

When a host is running a firewall (iptables), the Persistent Agent will need the ports 4567, 4568 open in order to
communicate with FortiNAC.

Uninstall

On the host, use the following commands to remove the Persistent Agent:
1. To uninstall rpm, type: $ sudo rpm -ev bni-persistent-agent
2. To uninstall deb, type: $ sudo dpkg --purge bni-persistent-agent

Using the Persistent Agent

If you have chosen to use the Persistent Agent to scan Windows, macOS, or Linux systems, hosts connecting to the
network will go through the following process. The PA is downloaded to the host and installed. Once PA is installed it
runs in the background and communicates with FortiNAC at intervals established by the network administrator.
The Persistent Agent will not detect the addition of a guest to a virtual host record unless the "Append to Host" or
"Register as New Host" options are enabled in the VM Detection settings, and the port they are connected to may be
subject to isolation and registration policies. See Security management on page 1.
The Persistent Agent only works with the FortiNAC Control Server and FortiNAC Application Server pair, or the FortiNAC
Server. If the FortiNAC Control Server is not paired with the FortiNAC Application Server, you must use the Dissolvable
Agent.

Registration

When an unknown host connects to the network and attempts to access the Internet, an entry in the DNS server
redirects the host to the Login page for registration.
The Persistent Agent can also be used to register hosts passively (behind the scenes).
To begin the registration and policy check process, the user on the unknown host does the following:
1. Enter the User Name.
2. Enter the Password.
3. Click Download.
4. Save the file to the Desktop as directed by the browser download functionality, or run the file.
If a Persistent Agent is being used, the host must install the Persistent Agent the first time. If a Dissolvable Agent is being
used, the agent runs without installing any files.

Results

Once the security check has completed, if the host failed to meet the security policy, a results page shown in a browser
lists the items that failed and passed.
You can configure a link that the user can click that provides information about items that failed and what to do to correct
the problem. Enter this link when you configure the policy. See Add or modify a scan on page 247 for more information.
If you do not provide a link, modify the failure page to provide information for the user to correct the problem and find
assistance.

Rescan

Once the user has corrected any issue(s) that caused the failure, the Persistent Agent security check must be run again.
1. Open a browser window.
2. Host is placed in Remediation.
3. Click on the link associated with the security policy.
4. Click Rescan.
This process may need to be completed again if additional issues remain that cause the host to fail the security policy.

Successfully registered notification

Once all the items causing the host to fail the security policy have been corrected, the host is registered and the Success
message window is displayed.

Using Windows domain logon credentials

With the Persistent Agent, you can configure FortiNAC to authenticate users with their Windows domain logon
credentials eliminating the need for the Persistent Agent to ask for credentials. You must use Active Directory and Group
Policy Objects to manage your Windows hosts. To implement this feature your system must meet the following
requirements:
- Active Directory: You must be using Active Directory to authenticate users. The directory must be configured in System > Settings > Authentication > LDAP. See Directories on page 366 for configuration information.

- Authentication: In Policy & Objects, under Authentication, click Configuration. Click Add, or select a configuration and click Modify. Make sure that Enable Authentication is selected.
- Passive Agent Configuration: At least one Passive Agent rule or configuration must be set up. The Persistent Agent uses this configuration to process session notification information from the host. Navigate to Policy & Objects > Passive Agent. Add a configuration that is enabled and that applies to a directory group that contains all the users for whom this feature is being implemented. If you plan to have the Persistent Agent register hosts as devices, you must also include that setting in the Passive Agent configuration you are creating.
- Persistent Agent Properties: Navigate to System > Settings > Persistent Agent. Under Status Notifications, disable the Provide a Log Off functionality from the tray icon for authenticated hosts option. This can remain enabled; however, if the user were to log off using the Persistent Agent icon, the host would be automatically logged on again the next time the server requests credentials. If you plan to have the Persistent Agent register hosts as devices, click the Credential Configuration tab and enable the Register as Device option.
  If you want to prevent users from being able to log off the network using the Agent Icon you must also disable the display a special "Needs to Authenticate" icon when a host needs to authenticate option on the Status Notification tab. This is optional, not required.
- GPO Templates: Download and install the latest Persistent Agent Administrative Templates. After installing the templates on your Windows server you must modify the following Persistent Agent Template settings:
  - Host Name: Ensures that the Persistent Agent is communicating with the correct FortiNAC server.
  - Login Dialog: Allows you to enable or disable the Login dialog that is presented by the Persistent Agent during authentication. Disable the Login dialog to use the users' Windows login credentials.

GPO settings for high availability

If you are using Persistent Agent version 3.X or higher, this issue does not apply.

For the Persistent Agent to communicate with a FortiNAC appliance the agent must know the name or IP address of that
appliance. Group Policy Objects can leverage templates distributed by Fortinet to modify the host registry and provide
the Persistent Agent with the hostname of the FortiNAC appliance. However, in a high availability environment, the agent
must also know how to communicate with the secondary server in the event of a failover.
High availability or redundant servers can be set up in two ways. In an L2 or single subnet configuration, the FortiNAC
servers share a virtual IP address and server name. In a failover situation, the transition is seamless because agents
continue to communicate with the same virtual IP address or name no matter which FortiNAC appliance is in control. In
an L3 environment where redundant servers are on different subnets, there is no shared IP address. The agent must
know how to connect to both servers.
If you are running in a high availability environment, you must analyze the HA configuration, the version number of the
agent being used and the method used to establish communication between the FortiNAC appliance and the Persistent
Agent. You may need to alter the way you inform the Persistent Agent of the server name or IP address.
When a template is served to a host, the template writes to the following keys in the Windows registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent
- HKEY_LOCAL_MACHINE\SOFTWARE\Bradford Networks\Client Security Agent

The Persistent Agent key takes precedence over the Client Security Agent key. However, in an L3 environment with
redundant servers on different subnets, if there is a fail over, FortiNAC can only update the value in the Client Security
Agent key. Since the Persistent Agent key takes precedence, the agent does not communicate with the correct server.
The sections below provide an overview of successful configuration combinations for Persistent Agent / Server
communication in a high availability environment. This is particularly important when hosts are configured using
templates served by Group Policy Objects to modify the host registry.

When FortiNAC is running on a Control Server/Application Server pair, the Persistent Agent
communicates with the Application Server. Be sure to use the correct server name or IP
address during configuration.

L2 high availability

In this environment, redundant servers share a virtual IP address and a server name. To configure communication
between the agent and the FortiNAC server, navigate to System > Settings > Passive Agent > Properties, and set
Primary and Secondary Host Name using the FortiNAC Server/Application Server Fully Qualified Domain Names. For
more details, refer to High Availability document.

L3 high availability

In this environment, redundant servers are on different subnets and have different IP addresses. In this scenario, there is
only one option.
You can use GPO to deliver a template to the host where the Persistent Agent is installed; however, you must NOT
configure ServerIP in the template. It is important that the associated registry keys not be configured on the host.
You must navigate to System > Settings > Passive Agent > Properties. Add the server name of both the primary and
secondary FortiNAC servers.
In the event of a failover, the name of the secondary FortiNAC server is pushed to the Persistent Agent.

Certificate validation

The Persistent Agent can be configured using a Windows custom scan to validate the certificate on a host against the
certificate provided by the administrator on Active Directory.
The application server must have access to the web server.
The certificate check custom scan allows the Persistent Agent to verify whether the certificate on the host matches the
certificate on the network. The Persistent Agent scans the host and sends the timestamp, client certificate, and signature
to the server. The server then completes the following process:
- Validates the certificate against a trusted CA that is provided by the administrator.
- Verifies the revocation against the CRL (Certificate Revocation List) provided through the LDAP or web server.
- Verifies the timestamp is within five minutes of receipt by the server.
- Verifies the signature with the certificate's public key.
- Updates the scan result to change the default failure state to success, and updates the overall result from failure to success, if necessary.
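As an added illustration that is not FortiNAC's code, the following Go program models the server-side steps just listed: it chains the agent's client certificate to the administrator-provided CA, checks it against the serial numbers taken from the CRL, enforces the five-minute timestamp window, and verifies the signature with the certificate's public key. The submission layout (an ASN.1 ECDSA signature over SHA-256 of the big-endian Unix timestamp), the constructed CA and host certificate, and all function names are assumptions of this example, not the agent's real wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const MaxSkew = 5 * time.Minute // the page's rule: the timestamp must be within five minutes of receipt

// CertCheckSubmission models what the agent sends (timestamp, client certificate, signature); the layout is an assumption.
type CertCheckSubmission struct {
	Timestamp time.Time
	CertDER   []byte
	Signature []byte // ASN.1-encoded ECDSA signature over SHA-256(timestampBytes)
}

func timestampBytes(ts time.Time) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], uint64(ts.Unix()))
	return b[:]
}

// VerifySubmission applies the server-side checks in the order the page lists them: chain to the
// administrator-provided CA, revocation (modelled as serials already extracted from the CRL), timestamp skew, signature.
func VerifySubmission(sub CertCheckSubmission, roots *x509.CertPool, revoked []*big.Int, receivedAt time.Time) error {
	cert, err := x509.ParseCertificate(sub.CertDER)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: receivedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("not issued by a trusted CA: %w", err)
	}
	for _, serial := range revoked {
		if serial.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is listed in the CRL")
		}
	}
	if skew := receivedAt.Sub(sub.Timestamp); skew < -MaxSkew || skew > MaxSkew {
		return fmt.Errorf("timestamp skew %v exceeds %v", skew, MaxSkew)
	}
	// CheckSignature hashes the message with SHA-256 and verifies it with the certificate's own public key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, timestampBytes(sub.Timestamp), sub.Signature); err != nil {
		return fmt.Errorf("signature does not verify: %w", err)
	}
	return nil
}

func check(err error) {
	if err != nil {
		panic(err) // fixture helpers only build constructed test material
	}
}

// NewTestPKI builds a constructed root CA and a client certificate issued by it (fixture, not a real PKI).
func NewTestPKI(now time.Time) (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "host01.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	check(err)
	clientCert, err := x509.ParseCertificate(clientDER)
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, clientCert, clientKey
}

// SignSubmission builds the agent side of the exchange for a given timestamp (fixture).
func SignSubmission(cert *x509.Certificate, key *ecdsa.PrivateKey, ts time.Time) CertCheckSubmission {
	digest := sha256.Sum256(timestampBytes(ts))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return CertCheckSubmission{Timestamp: ts, CertDER: cert.Raw, Signature: sig}
}

func main() {
	now := time.Now()
	roots, cert, key := NewTestPKI(now)
	sub := SignSubmission(cert, key, now)
	fmt.Println("fresh submission:", VerifySubmission(sub, roots, nil, now.Add(time.Minute)))
	fmt.Println("stale submission:", VerifySubmission(sub, roots, nil, now.Add(10*time.Minute)))
}
```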

Implementation

1. Upload and install the certificate from a trusted CA for validation by the server, and select Persistent Agent Cert
Check as the target. See SSL certificates on page 206.
2. Create a Windows certificate check custom scan to verify the certificate on the host. See Windows on page 261.
3. Add the certificate check custom scan to a scan that is enabled within your endpoint compliance policy. See Create
a scan on page 261.

Upgrade the Persistent Agent

Global update

Hosts on your network that have a Persistent Agent installed can be updated automatically using the settings in System
> Settings > Persistent Agent > Agent Update. See Global updates on page 1 for instructions.

Update on a single host

Hosts on your network that already have a version of the Persistent Agent installed can be updated individually. The
FortiNAC administrator may choose to selectively update a few hosts to test a new version of the Agent or to install an
earlier version of the agent on an older host.

Clients upgrading the Persistent Agent must have access to Port 80 on the FortiNAC
appliances.

The update is sent immediately to the host. The host must be running and connected to the
network for the update to be successful.

If the host has software installed to reset the host to its original configuration after a re-boot,
the agent reverts to the previous version. The software must be disabled before updating the
Agent.

A special group, Global Agent Update Exceptions, has been created to stop selected hosts from being automatically
updated. Any host in this group is not updated. If you update a host to an agent version that is different from the version
selected for Global Agent Updates, this host is automatically moved to the Global Agent Update Exceptions Group. If
necessary, this host must be manually removed from that group. See Group membership on page 143 for instructions.
To select and update a host:
1. Click Users & Hosts > Hosts.
2. Right–click on the host and select Host Properties.
3. A window displays containing the host information. If the host has more than one MAC address, all are displayed.
4. In the Policy Agent/Access section of the window, locate the Agent Version field. The agent version that is
currently installed on the host is displayed.
5. Click Update.
6. Select the new Persistent Agent version from the drop-down list and click OK.

When you select OK, FortiNAC “polls” the host to determine the point at which the version number changes to the new
version. This “polling” times out after a minute or when the new version number is returned. If the update times out
without returning a new version number, a message that the update has failed is displayed. If the new version number is
returned, a message that the update was successful is displayed.

No events are generated based on the success or failure of an individual host update.

Logging

The Persistent Agent has a logging feature for packet activity on the host. The log file automatically rotates every 24
hours based on the installation time of the Persistent Agent. The log file is stored in the following locations:

Windows

For Windows operating systems, look in the Common Application Data directory at %ProgramData%\Bradford Networks\

macOS

For macOS, log messages are sent to the system log via the "debug" syslog priority.
- On 10.5 and 10.6 messages show up in system.log
- On 10.4 these messages show up in console.log

Linux
- On Linux (Debian based), these messages show up in /var/log/syslog
- On Linux (Red Hat based), these messages show up in /var/log/messages

Time stamps included in the log file are displayed in UTC time. Coordinated Universal Time
(UTC) is a high precision atomic time standard that corresponds roughly to Greenwich Mean
Time.

Mobile Agent

Mobile Agent is an application that works on Android devices to identify them to FortiNAC, assist with authentication and
provide an inventory of installed Apps. The Mobile Agent can scan the device for indicators of rooting. Rooting is a
process allowing users of devices running the Android operating system to attain privileged control (known as "root
access") within Android's subsystem.
FortiNAC will only require or respond to a Mobile Agent if the Policy that applies to the host includes settings requiring
the Mobile Agent. If for any reason a mobile device had a Mobile Agent installed, the user would not be able to register
the device unless the policy assigned included the Mobile Agent. If the policy assigned is set to None-Deny, the mobile
device is not allowed to register. If the policy is set to None-Bypass, the mobile device can be registered but not using the
installed Mobile Agent.

The Mobile Agent does work within the context of FortiNAC's VPN integration.

Setup Requirements

- Make sure the latest Agent package is installed on FortiNAC.
- Add SRV records to your production DNS server that allow the agent to locate the FortiNAC Server or Application server to which it should connect.
- The Mobile device must be running Android operating system 2.3.3 or higher.
- Users can download the agent one of two ways:
  - If the Android device is configured to allow downloads from unknown sources, the Mobile Agent can be downloaded from the captive portal. For example, configure an Android phone by choosing Settings from a Home screen, then selecting Applications and enabling the Unknown Sources option.
  - If the Android device does not allow downloads from unknown sources, the Mobile Agent must be downloaded through Google Play.
- FortiNAC appliance must be configured with SSL and must have a valid third party SSL certificate from a CA. A self-signed certificate cannot be used. See Agent server communications on page 205.
- Create an endpoint compliance policy for Android devices to control whether or not an agent is required and whether or not the device can register. See Endpoint compliance policies on page 231.
- To prevent Rooted devices from registering, enable Root Detection in the Scans used for Mobile devices. See Add or modify a scan on page 247. When Root Detection is not enabled, the Mobile Agent still determines whether the device is rooted, but allows the device to register and appends (Rooted) to the operating system information displayed in the Host View.

Root Detection happens only during registration. If a user registers a device and then later
alters that device causing it to be Rooted, FortiNAC is not notified. You may want to age
these devices out of the database quickly so the user is forced to re-register periodically.

- Enable the Potential Rooted Device event and alarm to be notified when the Mobile Agent determines that the device may be rooted. The event message contains the username of the user and the MAC addresses of the device. See Enable and disable events on page 323.
- Mobile device users are authenticated based on the settings for standard user login. Navigate to System > Portal Configuration > Content Editor. In the tree on the left select Global > Settings and verify that the Standard User Login Type is correct.
- You can modify the default text shown in the captive portal as mobile device users connect to the network. Navigate to System > Portal Configuration > Content Editor. In the tree on the left scroll to the Registration > Mobile Agent Download section to review or modify the download page. In the tree on the left, scroll to the Agent > Mobile section to review or modify the Login page.

Notes

- If the Mobile device attempts to connect to the network but never reaches the agent download page and is never prompted for credentials, verify that the device is receiving an IP address within the Registration VLAN. Verify that the device is connected to the correct SSID.
- If the user receives a message indicating that they do not have rights to access the network, verify that there is a Policy in place for mobile devices and that it is configured correctly.

Agent server communications

FortiNAC-OS Requirement: "nac-agent" and "http" options must be included in the "set
allowaccess" command. See Open ports for details.

The sections below provide instructions for securing communications between the agent and the FortiNAC server with a
trusted SSL certificate, setting up communication between the agent and the server, and the host registry settings or
preferences that can be modified to customize Persistent Agent behavior.

Implementation

Update FortiNAC

Requires FortiNAC version 5.3.3 or higher to enable security.

You must have the latest Auto-Definition files installed. See Auto-definition updates on page 229.

Certificates

You must have a separate certificate for each FortiNAC server that runs the captive portal, such as the FortiNAC
Application server or the stand-alone FortiNAC Server.
Certificates must be from a trusted certificate authority (CA), such as VeriSign, Thawte, or GeoTrust.
Self-signed certificates are not recommended. If you use a self-signed certificate, end users will receive constant pop-up warnings indicating that the site is not secure and asking them to confirm that they wish to continue. In addition, the Mobile Agent absolutely requires a certificate from a trusted CA. The Mobile Agent cannot communicate with FortiNAC when self-signed certificates are used.
If you already have a certificate that you are using to secure your portal, you can import that certificate into the FortiNAC
server configuration and use it for both the portal and agent/server communications.
If you do not have a certificate for your portal, generate a certificate request and purchase a certificate. When the
certificate is returned, import that certificate into the FortiNAC server configuration and use it for both the portal and
agent/server communications.
Persistent Agent, Dissolvable Agent, and the Mobile Agent require the use of a certificate.
The 3.x Persistent Agent communication method requires not only SSL certificates be installed for the Persistent Agent
target in FortiNAC, but also the root certificate be installed on the endstation hosting the agent. The Persistent Agent
reads all certificates from the trusted root certification authorities store of the system account. If the CA is not listed in this
store, the Persistent Agent will not trust the connection to FortiNAC and will not communicate.
FortiNAC does not push root certificates to endstations. Root certificates come pre-installed with the host's operating
system. Any additions or updates to root certificates are distributed via the host's OS updates.
For instructions on generating and installing SSL certificates, see the document entitled FortiNAC SSL Certificates
How To.

DNS server configuration

If you use agents for macOS and some Linux systems, using a .local suffix in Domain fields in the Configuration Wizard
may cause communications issues.

Example:

Incorrect DNS suffix for reg: tech-reg.megatech.local
Correct DNS suffix for reg: tech.megatech-reg.edu

- On upgrade to V6.0 or higher, SRV records indicating the port and FQDN of the FortiNAC appliance where the portal is located are automatically added to the domain.zone.* files for named. These files are created by the Configuration Wizard, which can also add the SRV records to the domain.zone.* files during the initial appliance configuration.
- If you are unable to configure the agent through Agent Configuration, the same SRV records may be added to the corporate production DNS servers. Agents can then query the DNS servers to determine the FortiNAC server with which they should communicate.
- Any references to the FortiNAC server's FQDN in DNS must match the name in the certificate used to secure the portal.
See DNS server configuration on page 212 and Agent server discovery on page 216.

Server configuration

If the time on FortiNAC is inaccurate and is updated after Agent Security is enabled, Agents
may ignore packets received from the server until the agent is restarted because the new
timestamp deviates significantly from previous timestamps.

Make sure that the server is configured to use NTP for time synchronization. Go to System > Settings > System
Management > NTP and Time Zone to configure the NTP server. This is typically set during installation.

Host configuration
- Host machines should not have the FQDN of the FortiNAC Server or Application Server in the hosts file on the hard drive. Typically network users would not have this information in their hosts file. However, administrator users may have the FQDN in their hosts file to accommodate accessing java applets. Modify the hosts file to use the short name, such as qa233 instead of qa233.example.com. If a host has the FQDN in its hosts file, the Persistent Agent cannot communicate with the FortiNAC Server or Application Server and cannot register the host.
- For Windows hosts, download and configure Administrative Templates for Group Policy Objects to update the registry on each host with values that pertain to agent security.
- For macOS hosts, update Preferences to provide security values to the agent.
See Persistent Agent on Windows on page 218.
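As an added example that is not part of the FortiNAC guide, the following Go checker parses a hosts file in the format shared by Windows and Unix systems and reports any entry that resolves a FortiNAC Server or Application Server FQDN locally, together with the short name the guide says to use instead. The sample hosts content is constructed; the server name qa233.example.com is the page's own illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// HostsEntry is one address-to-names mapping from a hosts file.
type HostsEntry struct {
	Line  int
	IP    string
	Names []string
}

// ParseHosts parses hosts-file text, skipping blank lines and '#' comments (whole-line or trailing).
func ParseHosts(content string) []HostsEntry {
	var entries []HostsEntry
	for i, raw := range strings.Split(content, "\n") {
		line := raw
		if idx := strings.IndexByte(line, '#'); idx >= 0 {
			line = line[:idx]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		entries = append(entries, HostsEntry{Line: i + 1, IP: fields[0], Names: fields[1:]})
	}
	return entries
}

// Finding is a hosts-file entry that names a FortiNAC server by FQDN, which the guide says
// prevents the Persistent Agent from communicating with that server and registering the host.
type Finding struct {
	Line      int
	FQDN      string
	ShortName string // the replacement the guide recommends (qa233 for qa233.example.com)
}

func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// CheckFortiNACHosts returns one Finding per hosts entry that matches any of the given FortiNAC
// FQDNs. Matching is case-insensitive and ignores a trailing dot; short names are not flagged.
func CheckFortiNACHosts(content string, fortinacFQDNs []string) []Finding {
	want := make(map[string]bool, len(fortinacFQDNs))
	for _, f := range fortinacFQDNs {
		want[normalize(f)] = true
	}
	var findings []Finding
	for _, e := range ParseHosts(content) {
		for _, n := range e.Names {
			if want[normalize(n)] {
				findings = append(findings, Finding{Line: e.Line, FQDN: n, ShortName: strings.SplitN(n, ".", 2)[0]})
			}
		}
	}
	return findings
}

// sampleHosts is a constructed hosts file, not taken from any real host.
const sampleHosts = `# constructed sample hosts file
127.0.0.1   localhost
192.0.2.10  qa233.example.com qa233   # added by an administrator to reach the java applets
192.0.2.11  fileserver.example.com
`

func main() {
	for _, f := range CheckFortiNACHosts(sampleHosts, []string{"qa233.example.com"}) {
		fmt.Printf("line %d: %s should be entered as the short name %s\n", f.Line, f.FQDN, f.ShortName)
	}
}
```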

SSL certificates

The following components of FortiNAC are able to utilize SSL certificates for encrypting communications:
- Administrator interface: browser traffic between the user managing FortiNAC through the UI and the FortiNAC Control Server.

- Persistent Agent: traffic between the Persistent Agent (PA) installed on a host and the FortiNAC Application Server. Functions that utilize this communication include, but are not limited to, registration/authentication and scanning.
- Portal: browser traffic between a host in isolation using the captive portal (Registration, Remediation, authentication, Dead End) and the FortiNAC Application Server. This is also used for traffic between the Dissolvable Agent, Mobile Agent, and the FortiNAC Application Server.
These components are secured independently of each other. However, the same SSL certificate can be used if multiple
components are to be secured.
The following sections describe how to obtain, upload, and renew SSL certificates.

Implementation considerations

If you are running a high availability (HA) configuration using a shared IP address, the certificate information for the
Portal target is replicated from the primary server to the secondary server. If you are running an HA configuration where
the primary and secondary servers are on separate subnets (L3 HA), contact Support for assistance.
You may act as your own CA and use your own internal certificate, as long as all systems in your domain use the same
certificate.
The Persistent Agent and Dissolvable Agent cannot use the self-signed certificate.

Wildcard certificates

Wildcard certificates may be imported to secure the Captive Portal. They can either be generated from a certificate
signing request (CSR) created via FortiNAC or a third party.
To generate a wildcard CSR using FortiNAC, see Obtaining an SSL certificate from a CA on page 208.
To use a wildcard certificate already generated, proceed to Upload a certificate received from the CA on page 209.
Ensure the following when importing a wildcard certificate:
l The wildcard private key cannot be password protected.
l The actual fully qualified hostname must be entered in the Fully Qualified Host Name field in the General tab under
Go > Tasks > Portal Configuration. Entering the wildcard name in this field will cause the application of the
certificate to fail.

Subject Alternative Name (SAN) certificates

A SAN certificate can be used to secure multiple hostnames and/or IP addresses. For example, in a Layer 2 HA
environment the virtual, primary, and secondary appliance hostnames and their corresponding IP addresses can all be
secured with one certificate.
To generate a SAN certificate using FortiNAC, see Obtaining an SSL certificate from a CA on page 208.

Create a keystore for LDAP

If you choose to use SSL or TLS security protocols for communications with your LDAP directory, you must have a
security certificate. You must obtain a valid certificate from a Certificate Authority. That certificate must be saved to a
specific directory on your FortiNAC.

SSL or TLS protocols are selected on the Directory Configuration window when you set up the connection to your
LDAP directory. Follow the steps below to import your certificate. You should be logged in as root to follow this
procedure.
1. When you have received your certificate from the Certificate Authority, copy the file to the /home/admin directory
on your FortiNAC server.
2. Use the keytool command to import the certificate into a keystore file.
For example, if your certificate file is named MainCertificate.der, you would type the following:
keytool -import -trustcacerts -alias <MyLDAP> -file /home/admin/MainCertificate.der -keystore /bsc/campusMgr/.keystore

Depending on the file extension of your certificate file, you may need to modify the
command shown above. For additional information on using the keytool key and certificate
management tool go to www.oracle.com.

3. When the script responds with the Trust this certificate? prompt, type Yes and press Enter.
4. At the prompt for the keystore password, type in the following password and press Enter: ^8Bradford%23
5. To view the certificate, navigate to the /home/admin directory and type the following: keytool -list -v -keystore /bsc/campusMgr/.keystore
6. Type the password used to import the certificate and press Enter.

The keystore is cached on startup. Therefore, it is recommended that you restart FortiNAC
after making any changes to the keystore.

Obtaining an SSL certificate from a CA

If you do not have a certificate, you must obtain a certificate from a CA.
To obtain a valid third party SSL certificate from a CA, you must generate a CSR and send it to the CA.
1. Go to System > Settings.
2. Expand the Security folder.
3. Select Certificate Management from the tree.
4. Click Generate CSR.
5. Select the certificate target (the type of certificate you want to generate).
l Select Admin UI to generate a CSR for the admin UI.
l Select Persistent Agent to generate a CSR for the PA communications.
l Select Portal to generate a CSR to secure the captive portal and DA communications.
l Select RADIUS Server to generate a CSR for the integrated FortiNAC RADIUS server set to use 802.1x and
PEAP.
6. Enter the Common Name. This is the hostname to be secured by the certificate. If generating a wildcard CSR,
enter the desired domain specifying the wildcard in the Common Name field (Example: *.example.com).
7. Enter the Subject Alternative Names (leave blank if not requesting a SAN certificate). Click Add to enter each
additional hostname and/or IP address.
8. Enter the remaining information for the certificate in the dialog box:

l Organization: The name of the server's organization.
l Organizational Unit: The name of the server's unit (department).
l Locality (City): The city where the server is located.
l State/Province: The state/province where the server is located.
l 2 Letter Country Code: The country code where the server is located.
9. Click OK to generate the CSR.
10. Copy the section with the certificate request to include the following:
-----BEGIN CERTIFICATE REQUEST-----
...Certificate Request Data...
-----END CERTIFICATE REQUEST-----
11. Paste it into a text file, and save the file with a .txt extension. Note the location of this file on your PC.
Make sure there are no spaces, characters, or carriage returns added to the certificate.
12. Send the certificate file to the CA to request a valid SSL certificate.

Important Notes:

l Do not click OK in the Generate CSR screen after saving the certificate file and sending to the CA. Each time OK is
clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous private key.
Consequently, if a certificate file has been submitted to the CA, and OK has been clicked since the original
certificate was generated, the returned certificate will not match the current private key, and a new request will have
to be issued and sent to the CA.
l Not all Certificate Authorities ask for the same information when requesting a certificate. For example, some CAs
ask for a server type (Apache, etc.) while others do not. FortiNAC requires a non-encrypted certificate in one of the
following formats:
l PEM
l DER
l PKCS#7
l P7B
This will allow the certificate to be applied to any of the desired components.
If the certificate is in PEM format, opening the certificate in a text editor should look something like the following
(a chain of two certificates is shown):
-----BEGIN CERTIFICATE-----
fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4
fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4
ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
fjkghwjernlsfuigylerkjlkfjnu23jnlkjbliu5ghl6kh4
fjkjlkfjnu23jnlkjbliu5ghl6khkghwjernlsfuigyler4
ghwjernlsfuigylerkjlkfjnu23jnlkjbliu5fjkghl6kh4
-----END CERTIFICATE-----
Certificate requests generated on FortiNAC are signed with SHA1 RSA. However, certificates with a SHA2
signature can be requested using this CSR.

Upload a certificate received from the CA

Upload the valid SSL certificate to the appliance when the certificate file is returned from the CA. Certificate files can be
returned to you in one of several configurations. Depending upon the CA, one or multiple certificate files may be
returned.

1. Save the file(s) received from the CA to your PC.
2. Select System > Settings.
3. Expand the Security folder.
4. Select Certificate Management from the tree.
5. Click Upload Certificate.
6. Select the target where the certificate will be uploaded:
l Select Admin UI to install the certificate for the admin UI.
l Select Persistent Agent to install certificate for the PA communications.
l Select Portal to install the certificate to secure the captive portal.
7. Select one of the following:
l Use Private Key from Last Generated CSR to use the key from the most recent CSR for the selected target.
l Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. This
option is for renewing an existing installed certificate.
l Upload Private Key to upload a key. Click Choose to find and upload the private key.
8. Click Choose File to find and select the certificate to be uploaded. Users can also upload CA certificates and CA
bundles.

Upload any relevant intermediate certificate files needed for the creation of a completed
certificate chain of authority. The Certificate Authority should be able to provide these files.
Without a complete certificate chain of authority, the target functionality may produce
error/warning messages.

9. Click Add Certificate if multiple certificates were returned. Use this to enter each additional certificate file.
10. Click OK.

Copying a certificate to another target

If the certificate is intended to be used for multiple targets, copy the certificate to the new target:
1. Highlight the target with the desired certificate installed.
2. Click Copy Certificate.
3. Select the new target from the drop-down menu.
4. Click OK.

Activating certificates

Certificates for the admin UI and Persistent Agent are activated automatically upon installation. No further action is
required. To activate a certificate for the Portal target:
1. Navigate to System > Settings.
2. Expand the Security folder and then click Portal SSL.
3. In the SSL Mode field, select Valid SSL Certificate.
4. Click Save Settings (this may take several minutes).

Create expiration warning alarms

Three events are enabled by default in FortiNAC:

l Certificate Expiration Warning: Generated when a certificate is due to expire within 30 days.
l Certificate Expiration Warning (CRITICAL): Generated when a certificate is due to expire within 7 days.
l Certificate Expired: Generated when a certificate has expired.
You must create alarms to send emails when these events are generated.
1. Navigate to Logs > Events & Alarms > Mappings.
2. Create one alarm for each event with the following settings:
l Select the Notify Users setting.
l Select the type of messaging (Email or SMS) and admin group desired to be notified.
l Set the Trigger Rule to One Event to One Alarm.
3. For detailed instructions on creating alarms, see Add or modify alarm mapping on page 337.

Renew a certificate

SSL certificates must be renewed periodically or they expire. However, the existing certificate must be used until the new
one arrives. Some Certificate Authorities allow a certificate to be renewed without generating a new request file. In these
cases, the private key remains the same and the new certificate can be imported when it arrives.
1. Save the file(s) received from the CA to your PC.
2. Select the target where the certificate will be uploaded. See Step 6 under Upload a certificate received from the CA
on page 209.
3. Select Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. See
Step 7 under Upload a certificate received from the CA on page 209.
4. Follow Steps 8-10 under Upload a certificate received from the CA on page 209 to complete the process.

Troubleshooting

If something is wrong with the uploaded certificate files, FortiNAC will display an error and will not apply the certificate.

Common causes for upload errors


l The wildcard name (e.g., *.example.com) was placed in the Fully Qualified Host Name field in the Portal SSL
view under System > Settings > Security. To correct, change the entry to the true fully qualified hostname and
click Save Settings.
l There are extra spaces, characters, and/or carriage returns above, below, or within the text body of any of the files.
l The certificate was not generated with the current key and there is a mismatch.
This can happen if OK in the Generate CSR screen had been clicked after saving the certificate request. Each time
OK is clicked on the Generate CSR screen, a new CSR and private key are created, overwriting any previous
private key.
To confirm the certificate and key match, use the following tool:
https://www.sslshopper.com/certificate-key-matcher.html
If the key and certificate do not match, generate a new CSR and submit for a new certificate.
l An error displays indicating the private key is invalid. This can occur if the private key is not an RSA private key. To
confirm (if the key is in PEM format), open the key file in a text editor. If the content looks something like the
following (the header reads BEGIN PRIVATE KEY rather than BEGIN RSA PRIVATE KEY):
-----BEGIN PRIVATE KEY-----
MIIEowIBAAKCAQEAtozSKRv4mpPVk0L4Xz2RzadYym5pRH+Cp1du4uJ2yGKepFmF
HoB/yOuBt0PAJz9SAT+CkK7j5ocWbAlkjtZxdSs5T2aABWIWTmu0l5T8GYD6KQ9T
-----END PRIVATE KEY-----
then the key will need to be converted to an RSA key.
l The following error displays in the UI: "Unable to update Apache configuration." This can occur if SSH communication is
failing (the appliance establishes an SSH session to restart the apache service). If the appliance is a pair, verify the Control
Server can SSH to the Application Server. If the appliance is a single device, verify the appliance can SSH to itself (without
being prompted to enter a password).

For additional troubleshooting assistance, contact Fortinet Support.
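As an added example (not FortiNAC code), the following Python pre-check catches the upload problems listed above before a file reaches Certificate Management: carriage returns or stray whitespace, mismatched BEGIN/END labels, a body that is not clean base64, and a PKCS#8 "BEGIN PRIVATE KEY" header that is not an RSA private key. The sample PEM blocks are constructed from arbitrary bytes and are not real certificates or keys.

```python
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def check_pem(text):
    """Return a list of problems found in a PEM text; an empty list means it looks clean.

    Checks: CR characters, leading/trailing whitespace on any line, text outside
    a block, mismatched BEGIN/END labels, non-base64 body lines, a body that
    does not decode, and private keys that are PKCS#8 or encrypted rather than
    an unencrypted RSA (PKCS#1) key.
    """
    problems = []
    if "\r" in text:
        problems.append("file contains carriage returns (CRLF line endings)")
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    label, body, blocks = None, [], 0
    for n, raw in enumerate(lines, 1):
        if raw != raw.strip():
            problems.append("line %d has leading/trailing whitespace" % n)
        line = raw.strip()
        if label is None:                       # outside a block
            if not line:
                continue
            m = BEGIN_RE.match(line)
            if not m:
                problems.append("line %d: text outside a PEM block: %r" % (n, line))
                continue
            label, body = m.group(1), []
            continue
        m = END_RE.match(line)
        if m:                                   # end of the current block
            if m.group(1) != label:
                problems.append("line %d: END label %r does not match BEGIN %r"
                                % (n, m.group(1), label))
            try:
                base64.b64decode("".join(body), validate=True)
            except (ValueError, TypeError):
                problems.append("%s block ending at line %d is not valid base64" % (label, n))
            if label == "PRIVATE KEY":
                problems.append("private key is PKCS#8 ('BEGIN PRIVATE KEY'), "
                                "not an RSA private key; convert it before upload")
            elif label == "ENCRYPTED PRIVATE KEY":
                problems.append("private key is password protected; an unencrypted key is required")
            blocks += 1
            label = None
            continue
        if not B64_LINE_RE.match(line):         # body line with stray characters
            problems.append("line %d inside %s block has non-base64 characters" % (n, label))
        body.append(line)
    if label is not None:
        problems.append("unterminated %s block" % label)
    if blocks == 0:
        problems.append("no PEM blocks found")
    return problems


def _sample(label, payload):
    """Build a constructed PEM block from arbitrary bytes (NOT a real certificate or key)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed inputs: a two-certificate chain, a PKCS#8 key, and a messy chain.
CLEAN_CHAIN = (_sample("CERTIFICATE", b"constructed leaf certificate bytes")
               + _sample("CERTIFICATE", b"constructed intermediate certificate bytes"))
PKCS8_KEY = _sample("PRIVATE KEY", b"constructed pkcs8 private key bytes")
MESSY_CHAIN = CLEAN_CHAIN.replace("\n", " \r\n", 1)   # trailing space + CRLF on line 1

if __name__ == "__main__":
    for name, pem in (("clean", CLEAN_CHAIN), ("pkcs8", PKCS8_KEY), ("messy", MESSY_CHAIN)):
        print(name, check_pem(pem) or "OK")
```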

DNS server configuration

FortiNAC has its own DNS server used to manage page resolution in the captive portal. This DNS server contains
specific SRV records used by the FortiNAC agent technology to locate the server while in isolation. These records
indicate the port and FQDN of the FortiNAC appliance where the portal is located.
The Configuration Wizard adds the SRV records to the domain.zone.* files for the named service during the initial
appliance configuration. Files are created and updated based upon the isolation interfaces configured (e.g. Isolation,
Registration, Remediation, etc). Manual edits to these files are not needed and should not be attempted.
If you use agents for macOS and some Linux systems, using a .local suffix in Domain fields in the Configuration Wizard
may cause communications issues.

Example:
Incorrect DNS suffix for reg: tech-reg.megatech.local
Correct DNS suffix for reg: tech.megatech-reg.edu
If you are unable to configure the agent through Agent Configuration, the same SRV records may be added to the
corporate production DNS servers. These are particularly important in a high availability environment because the SRV
records provide the agent with a prioritized list of servers with which it can communicate. In a facility where multiple
FortiNAC appliances are being managed by a FortiNAC Manager, SRV records make it easier for the agent to locate a
FortiNAC server.
When using the FortiNAC Manager to manage multiple FortiNAC servers, enabling the Require Connected Adapter
check box in Persistent Agent Properties eliminates the need to use ACLs to block access to the FortiNAC Application
server when the host is connecting on a device managed by a different FortiNAC Control Server/Application Server pair.
This setting will require a host reported by the agent to be connected to a device managed by FortiNAC in order to
communicate.
To enable the Require Connected Adapter check box, go to System > Settings > Passive Agent > Properties.
The agent must be configured with security enabled.
When Require Connected Adapter is disabled, you must use ACLs to block access to a FortiNAC Application server
when the host is connecting on a device managed by a different FortiNAC Control Server/Application Server pair. For
example, assume the host initially connects to the network on Device A which is managed by Server A. When the host
later connects to the network on Device B which is managed by Server B, the agent continues to communicate with
Server A. If access to Server A is denied, the agent will go through the server discovery process to locate another server.

Entries in DNS are different for each agent. Currently, the DNS mechanism used for the agent to discover the server is
used by the Mobile Agent, Dissolvable Agent, and Persistent Agent. As new types of agents are added to FortiNAC you
may be required to update DNS SRV records to accommodate them. See Agent server discovery on page 216.

Verify the SRV records

1. Log into the CLI of the FortiNAC appliance that is running the captive portal. Typically this is a FortiNAC Application
Server.
2. Navigate to the following directory: /var/named/chroot/etc
3. There is a special zone file for the Mobile Agent labeled discovery.portal.bradfordnetworks.com.zone. Type
ls *.zone and verify that this file is in the list of files.
4. Type ls domain.zone.* to display a list of all of the domain.zone files.
5. Display the contents of one of the files by typing cat <file name>, for example, cat domain.zone.reg.
6. Within the contents displayed look for the lines beginning with _bradfordagent.
If those lines are included in the file, then the SRV records have been added to the domain.zone.* files. You should
see records similar to the following:
$TTL 15s
example.com. IN SOA reg.example.com. root.reg.example.com. (
    1
    10800
    3600
    604800
    86400
)
IN NS reg.example.com.
IN TXT "Registration Domain"
$ORIGIN example.com.

b._dns-sd._udp PTR @
lb._dns-sd._udp PTR @
_networksentry._tcp PTR AgentConfig._networksentry._tcp

;Insert agent line here

; Needs to be here for BN_OTHER_HOSTNAME
AgentConfig._networksentry._tcp SRV 0 0 443 servername.domainname.com.
TXT path=/registration/agent/config
_networksentry._tcp SRV 0 0 443 servername.domainname.com.
TXT path=/registration/agent/config
_bradfordagent._udp SRV 0 0 4567 servername.domainname.com.
_bradfordagent._tcp SRV 0 0 4568 servername.domainname.com.
*.example.com. IN A 172.16.28.1

Adding a DNS SRV record

DNS servers will vary based on the operating system of the computer used to house them. The example below is for a
DNS server running on a Windows operating system with the SRV records added from a command prompt. You may
prefer to use another method to add records to your DNS Server.
1. On the Windows Desktop click Start > Run.
2. On the Run dialog in the Open field, type command and click OK.
3. At the command prompt type the following:
> dnscmd /RecordAdd yourdomain.com _bradfordagent._udp.yourdomain.com. SRV 0 0 4567 servername.domainname.com.
4. To add the next record type the following:
> dnscmd /RecordAdd yourdomain.com _bradfordagent._tcp.yourdomain.com. SRV 0 0 4568 servername.domainname.com.

In the commands above yourdomain.com is the zone supplied via DHCP (Connection-specific DNS Suffix on a Windows
station in "ipconfig /all" output). servername.domainname.com is the FQDN of the FortiNAC Application Server or server
that is running the captive portal. Note that there is a period (.) after .com at the end of the FQDNs and node names.
The two zeros (0) in the example indicate priority and weight of this record. Priority is used when there are multiple
servers to which the agent can connect, such as in a high availability environment.

DNS server examples

From the DNS example in the section above you must include specific entries in your production DNS server. The
examples below list each entry and provide notes about its function and the agents affected.

Entry 1

This entry is used only by the Dissolvable Agent. It is always required.


_networksentry._tcp PTR AgentConfig._networksentry._tcp
AgentConfig._networksentry._tcp SRV 0 0 443 servername.domainname.com.
TXT path=/registration/agent/config

These lines work together to define the AgentConfig service. The first line indicates the name of the service and sets the
type (_networksentry._tcp).
The second and third lines are the SRV record and indicate the FQDN of the server to which the agent will connect. The
two zeros (0) in the example indicate priority and weight of this record. Priority is used when there are multiple servers to
which the agent can connect, such as in a high availability environment. 443 is the port and should not be changed. In
the example, the name of the server is servername.domainname.com. This must match the name in the valid certificate
used to secure the portal. Note that the period (.) at the end of servername.domainname.com. is required. The TXT line
contains the path.

The agent uses the information contained in these entries to construct a URL for the server to which it should connect.
Using the records shown above the agent would construct the following:
https://servername.domainname.com:443/registration/agent/config

Entry 2

This entry is used by the Mobile Agent and is always required.


_networksentry._tcp.discovery.portal.bradfordnetworks.com SRV 0 0 443 servername.domainname.com.
_networksentry._tcp.discovery.portal.bradfordnetworks.com TXT path=/registration/agent/config

These lines are the SRV and TXT records and indicate the FQDN of the server to which the agent will connect. They are the
detailed version of the lines below that are included in the domain.zone.reg file shown above. It is recommended that you
use the detailed entry when editing your production DNS; however, either entry is acceptable.
_networksentry._tcp SRV 0 0 443 servername.domainname.com.
TXT path=/registration/agent/config

The two zeros (0) in the examples indicate priority and weight of this record. Priority is used when there are multiple
servers to which the agent can connect, such as in a high availability environment. 443 is the port and should not be
changed. In the example, the name of the server is servername.domainname.com. This must match the name in the
valid certificate used to secure the portal. Note that the period (.) at the end of servername.domainname.com. is
required. The TXT line contains the path.
The agent uses the information contained in these entries to construct a URL for the server to which it should connect.
Using the records shown above the agent would construct the following:
https://servername.domainname.com:443/registration/agent/config

Entry 3

This entry must be done on each site that uses the Persistent Agent.
_bradfordagent._udp SRV 0 0 4567 servername.domainname.com.
_bradfordagent._tcp SRV 0 0 4568 servername.domainname.com.
These SRV records indicate the FQDN of the server to which the agent will connect. The two zeros (0) in the example
indicate priority and weight of this record. Priority is used when there are multiple servers to which the agent can
connect, such as in a high availability environment. 4567 and 4568 are the ports on which the server listens and should
not be changed. In the example, the name of the server is servername.domainname.com. Note that the period (.) at the end
of servername.domainname.com. is required.
This entry is used by the Persistent Agent and is required. The Persistent Agent has other mechanisms for determining
where its server is such as registry entries on the host or information contained in Persistent Agent Properties on the
server. However, if those options are not available, the Persistent Agent does use DNS to locate a server.
See Agent server discovery on page 216.

Entry 4

These records are used by the Persistent Agent.

In a high availability environment where redundant servers are not on the same subnet and there is no shared IP
address, you must add SRV records for all of the servers in order by priority. Priority is the first number after SRV in the
example. If your high availability servers share an IP address you do not need to provide these entries. Use the entries
for the stand-alone server as shown in the examples above for Entry 1 through Entry 4.
_bradfordagent._tcp.example.com SRV 0 0 4568 primaryas.example.com.
_bradfordagent._udp.example.com SRV 0 0 4567 primaryas.example.com.
_bradfordagent._tcp.example.com SRV 1 0 4568 secondaryas.example.com.
_bradfordagent._udp.example.com SRV 1 0 4567 secondaryas.example.com.

Entry 5

These records are used by the Persistent Agent.


In an environment where multiple FortiNAC servers are managed by a FortiNAC Manager, the best practice is to set the
registry keys via software push. If this is not possible, there should be an entry in DNS for each FortiNAC appliance that
runs a captive portal. If all servers are reachable across all segments of the network, you may need to create ACLs that
block access for the Persistent Agent from one segment to another. When a host with the Persistent Agent installed
moves from one location to another on the network the Persistent Agent will continue to connect to its original FortiNAC
server. The agent will not connect to the server that is managing the port to which it is connected. If an ACL denies the
Persistent Agent access to a FortiNAC server based on the host's location on the network, the Persistent Agent will
search for a different server.
The following shows DNS configuration entries for two FortiNAC configurations.
_bradfordagent._tcp.example.com SRV 0 0 4568 appserver1.example.com.
_bradfordagent._udp.example.com SRV 0 0 4567 appserver1.example.com.
_bradfordagent._tcp.example.com SRV 0 0 4568 appserver2.example.com.
_bradfordagent._udp.example.com SRV 0 0 4567 appserver2.example.com.

In the records above, example.com is the zone. appserver1.example.com and appserver2.example.com are the
FQDNs of the FortiNAC Application Servers or servers that are running the captive portal. Note that there is a period (.)
after .com at the end of the FQDNs and node names.
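As an added example (not FortiNAC code), the following Python parses record lines in the text form shown above, runs the _bradfordagent presence check from Verify the SRV records, builds the AgentConfig URL the agent derives from Entry 1, and orders Persistent Agent servers by SRV priority as in Entry 4. The zone excerpt and hostnames are constructed.

```python
from collections import defaultdict

RR_TYPES = {"SRV", "TXT", "PTR", "A", "NS", "SOA"}

# Constructed zone excerpt in the form the guide shows: owner names are
# relative to $ORIGIN, and a line that starts with a record type (the TXT
# lines) inherits the previous owner.
ZONE_TEXT = """\
$ORIGIN example.com.
_networksentry._tcp PTR AgentConfig._networksentry._tcp
AgentConfig._networksentry._tcp SRV 0 0 443 primaryas.example.com.
TXT path=/registration/agent/config
_bradfordagent._udp SRV 0 0 4567 primaryas.example.com.
_bradfordagent._tcp SRV 0 0 4568 primaryas.example.com.
_bradfordagent._udp SRV 1 0 4567 secondaryas.example.com.
_bradfordagent._tcp SRV 1 0 4568 secondaryas.example.com.
"""


def _fqdn(name, origin):
    """Expand a zone-file name: '@' is the origin, a trailing dot means absolute."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return name + "." + origin if origin else name


def parse_zone(text):
    """Return {owner_fqdn: [record, ...]} for the SRV, TXT and PTR records.

    SRV records are stored as ("SRV", priority, weight, port, target),
    TXT as ("TXT", text) and PTR as ("PTR", target). Other types are skipped.
    """
    records = defaultdict(list)
    origin, owner = "", None
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()       # drop comments
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".")
            continue
        if tokens[0].startswith("$"):                # $TTL and similar directives
            continue
        if tokens[0] not in RR_TYPES and tokens[0] != "IN":
            owner = _fqdn(tokens.pop(0), origin)     # explicit owner name
        if tokens and tokens[0] == "IN":
            tokens.pop(0)
        if not tokens or owner is None:
            continue
        rtype, rdata = tokens[0], tokens[1:]
        if rtype == "SRV" and len(rdata) == 4:
            prio, weight, port, target = rdata
            records[owner].append(("SRV", int(prio), int(weight), int(port), _fqdn(target, origin)))
        elif rtype == "TXT":
            records[owner].append(("TXT", " ".join(rdata).strip('"')))
        elif rtype == "PTR" and rdata:
            records[owner].append(("PTR", _fqdn(rdata[0], origin)))
    return records


def _srv_by_priority(records, name):
    """SRV records for a name, lowest priority value (preferred) first, then highest weight."""
    srv = [r for r in records.get(name, []) if r[0] == "SRV"]
    return sorted(srv, key=lambda r: (r[1], -r[2]))


def verify_agent_records(records, zone):
    """Check from 'Verify the SRV records': return the _bradfordagent names that are missing."""
    missing = []
    for proto, port in (("_udp", 4567), ("_tcp", 4568)):
        name = "_bradfordagent.%s.%s" % (proto, zone)
        if not any(r[3] == port for r in _srv_by_priority(records, name)):
            missing.append(name)
    return missing


def agent_config_url(records, zone):
    """Entry 1: follow the _networksentry._tcp PTR to the AgentConfig SRV and TXT and build the URL."""
    ptr = [r for r in records.get("_networksentry._tcp." + zone, []) if r[0] == "PTR"]
    if not ptr:
        return None
    service = ptr[0][1]
    srv = _srv_by_priority(records, service)
    if not srv:
        return None
    port, target = srv[0][3], srv[0][4]
    path = "/"
    for r in records.get(service, []):
        if r[0] == "TXT" and r[1].startswith("path="):
            path = r[1][len("path="):]
    return "https://%s:%d%s" % (target, port, path)


def persistent_agent_servers(records, zone):
    """Entry 4: Persistent Agent TCP targets in priority order (primary first)."""
    return [r[4] for r in _srv_by_priority(records, "_bradfordagent._tcp." + zone)]


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print("missing:", verify_agent_records(recs, "example.com"))
    print("AgentConfig URL:", agent_config_url(recs, "example.com"))
    print("PA servers:", persistent_agent_servers(recs, "example.com"))
```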

Agent server discovery

Agent server discovery is a mechanism used by different types of agents to determine the identity of the FortiNAC Server
or Application Server to which the agent should connect. Some agents use SRV and TXT records contained within both
FortiNAC's DNS server (for when agents are in isolation) and your production DNS server. The records used by the
Agent for identifying and connecting to the FortiNAC server vary depending on the type of Agent used.
FortiNAC agents discover the FortiNAC Application Server to which they should connect in variety of ways. The
discovery process for each agent is outlined in this section.

The FortiNAC Application Server name used by the agent must match the server name in the
certificate securing the appropriate certificate Target or the agent and the server will not be
able to communicate. The certificate Target used is dependent upon the agent type. Refer to
the discovery process below.

Persistent Agent

Persistent Agent v3.0 and higher determines the FortiNAC Application Server to which it should connect in several ways.
If you have used the Administrative Templates distributed with FortiNAC and used Group Policy Objects to set registry
entries on each host, then the Persistent Agent can use those entries to find the appropriate FortiNAC Application
Server.
The Persistent Agent communicates on the following ports:
l tcp 4568
l tcp 80 (required for upgrades)
The discovery process is as follows:
1. The Persistent Agent starts.
2. The agent checks DNS for SRV records of _bradfordagent._udp.example.com and _bradfordagent._tcp.example.com.
3. The agent looks at the host registry (Windows), preferences (macOS), or .conf (Linux).
4. First it checks the entry for lastConnectedServer. If lastConnectedServer is set it adds the server to the top of the
list.
5. Then it checks the entry for HomeServer. If HomeServer is set, it adds it to a list.
6. Then the agent checks the entry for AllowedServers. This entry contains a list of additional servers to which the
agent can connect. It adds each of these servers to the list.
7. If SRV records are returned, the agent processes them in reverse priority order (highest value first). If homeServer
is not already set, the name contained in the SRV response is written to the host registry HKLM\Software\Bradford
Networks\Client Security Agent (Windows) or preferences (macOS, Linux).*
8. For each SRV record:
a. If the name is not already in the list, and restrictRoaming is disabled, the agent adds the name to the top of the
list and to the lastConnectedServer value.
b. Otherwise, if the name is already in the list, the agent moves the name to the top of the list.
9. Now that the list of servers is complete, the agent tries to connect to each server in order until it successfully
connects to one. Unless security is disabled on the agent, this is done over SSL/TLS (requires a valid certificate
installed for the Persistent Agent certificate Target).
10. Once the agent has successfully connected to a server, that server will be set to the lastConnectedServer value,
and moved to the top of the list.
11. Once a server has been added to the lastConnectedServer, if restrictRoaming is enabled, it will remain at the top of
the list until that server is no longer reachable by the agent. At that point the list will be parsed until the agent
connects to a server and then that server will be moved to lastConnectedServer and to the top of the list.
*registry/preferences settings remain until one of the following occurs:
l Entry is manually changed.
l Agent is uninstalled.
l Agent is updated.
If the agent cannot be configured through Agent Configuration, the same SRV records may be added to the corporate
production DNS servers. Agents can then query the DNS servers to determine the FortiNAC server with which they
should communicate.
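As an added example (not agent or FortiNAC code), the following Python models steps 2 to 11 above: it builds the ordered server list from the host's stored entries (lastConnectedServer, HomeServer, AllowedServers, restrictRoaming) and the SRV answers, then walks the list until a server answers. Reachability is simulated with a set of hostnames, which SRV target is written to HomeServer when none is set is an assumption (the guide does not say), and all hostnames are constructed.

```python
def _move_to_top(servers, name):
    """Put name at the head of the list, removing any existing copy first."""
    if name in servers:
        servers.remove(name)
    servers.insert(0, name)


def build_server_list(settings, srv_records):
    """Steps 2-8 and 11: return (ordered server list, updated settings).

    settings    : the host's stored entries, e.g. {"HomeServer": "x",
                  "AllowedServers": ["y"], "restrictRoaming": False}
    srv_records : (priority, weight, target) tuples from the _bradfordagent answers
    """
    reg = dict(settings)
    servers = []
    # Step 4: lastConnectedServer, if set, goes to the top of the list.
    if reg.get("lastConnectedServer"):
        _move_to_top(servers, reg["lastConnectedServer"])
    # Step 5: HomeServer is added to the list.
    if reg.get("HomeServer") and reg["HomeServer"] not in servers:
        servers.append(reg["HomeServer"])
    # Step 6: each AllowedServers entry is added.
    for name in reg.get("AllowedServers", []):
        if name not in servers:
            servers.append(name)
    # Step 7: SRV answers are processed in reverse priority order (highest value
    # first), so the preferred (lowest value) record is the last one promoted.
    ordered = sorted(srv_records, key=lambda r: (r[0], r[1]), reverse=True)
    if ordered and not reg.get("HomeServer"):
        # Assumption: the preferred SRV target is the name written to HomeServer;
        # the guide does not say which record is used when several are returned.
        reg["HomeServer"] = ordered[-1][2]
    # Step 8: a known name is moved to the top; an unknown name is added to the
    # top (and recorded as lastConnectedServer) only when roaming is allowed.
    for _priority, _weight, target in ordered:
        if target in servers:
            _move_to_top(servers, target)
        elif not reg.get("restrictRoaming"):
            _move_to_top(servers, target)
            reg["lastConnectedServer"] = target
    # Step 11: with restrictRoaming enabled the last connected server stays on top.
    if reg.get("restrictRoaming") and reg.get("lastConnectedServer") in servers:
        _move_to_top(servers, reg["lastConnectedServer"])
    return servers, reg


def discover(settings, srv_records, reachable):
    """Steps 9-10: try servers in order; the first that answers becomes lastConnectedServer.

    reachable is a set of hostnames standing in for a successful SSL/TLS connection.
    """
    servers, reg = build_server_list(settings, srv_records)
    for name in servers:
        if name in reachable:
            reg["lastConnectedServer"] = name
            _move_to_top(servers, name)
            return {"connected": name, "servers": servers, "settings": reg}
    return {"connected": None, "servers": servers, "settings": reg}


# Constructed scenario: the host's HomeServer is appserver1, the SRV answers
# prefer appserver2 (priority 0) over appserver3 (priority 1), roaming allowed.
ROAMING_HOST = {"HomeServer": "appserver1.example.com", "restrictRoaming": False}
SRV_ANSWERS = [(0, 0, "appserver2.example.com"), (1, 0, "appserver3.example.com")]

if __name__ == "__main__":
    result = discover(ROAMING_HOST, SRV_ANSWERS, {"appserver2.example.com"})
    print(result["connected"], result["servers"])
```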

Mobile Agent

The Mobile Agent determines the FortiNAC Application Server to which it should connect by checking DNS as follows:

1. The Mobile Agent starts.
2. It checks DNS and is directed to a service type _networksentry._tcp called AgentConfig.
3. It checks the SRV record for that service type for the server to which it should connect.
4. It connects to the FortiNAC Application Server over SSL/TLS (requires valid certificate installed for the Portal
certificate Target).
5. For Mobile Agent 3.1 or higher, if for any reason it cannot connect to the FortiNAC Application Server, a request for
the appropriate URL is presented to the user. The URL field will accept an HTTPS address, the FQDN of the server
which it uses to create an HTTPS address or an HTTP address. If an HTTP address is used, a warning is displayed
asking the user to confirm that they wish to access the server over an insecure connection.

Passive Agent

The Passive Agent determines the FortiNAC Application Server to which it should connect by checking the host registry.
1. The network user logs onto the network.
2. The login triggers a script that is served from a corporate server on the network.
3. The script checks the registry entry ServerURL for the list of servers to which it can connect.
4. It tries the servers in order until it connects to one.

Dissolvable Agent

The Dissolvable Agent determines the FortiNAC Application Server to which it should connect by checking DNS as
follows:
1. The Dissolvable Agent starts.
2. It checks DNS and is directed to a service type _networksentry._tcp called AgentConfig.
3. It checks the SRV record for that service type for the server to which it should connect.
4. It connects to the FortiNAC Application Server over SSL/TLS (requires valid certificate installed for the Portal
certificate Target).
5. If for any reason it cannot connect to the FortiNAC Application Server, a request for the appropriate URL is
presented to the user. The URL field will accept an HTTPS address, the FQDN of the server which it uses to create
an HTTPS address or an HTTP address. If an HTTP address is used, a warning is displayed asking the user to
confirm that they wish to access the server over an insecure connection.

Persistent Agent on Windows

To take advantage of the Agent Security feature some settings must be configured on the host. Settings for Windows
hosts are configured in the registry. Settings for Mac OS X hosts are configured in Preferences.
Administrative templates are used to configure registry settings on Windows endpoints through Group policy objects.
These templates can be downloaded from the Agent Distribution view in FortiNAC. Customers can opt to edit registry
settings on hosts using another tool.

Requirements:

- Active Directory
- Group Policy Objects
- Template Files From

Templates:

The templates listed below are provided by Fortinet. You must run the installation program for the templates on your
Windows server or another Windows system and then copy files to your server. Be sure to select the appropriate MSI for
your architecture.
- 32-bit (x86): Bradford Networks Administrative Templates.msi
- 64-bit (x86_64): Bradford Networks Administrative Templates-x64.msi

Install ADMX template

1. In FortiNAC select Policy > Agent Distribution.
2. At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the
appropriate template file.
3. Copy the template file to the domain server or another Windows system with access to the Central Store or local
PolicyDefinitions directory.
4. On the Windows system, double-click the msi file to start the installation wizard.
5. Click through the installation wizard.
6. Browse to Program Files\Bradford Networks\Administrative Templates\admx.
7. Copy the Bradford Networks.admx and en-US directory to the PolicyDefinitions directory of your central
store.
8. Open the Group Policy Editor and navigate to the Group Policy Object you want to edit, right-click and select Edit
to display the GPO Editor pane.
9. Browse to Computer Configuration > Administrative Templates > Bradford Networks.

Install GPO template

1. In FortiNAC select Policy > Agent Distribution.
2. At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the
appropriate template file.
3. Copy the template file to the domain server.
4. On the domain server, double-click the msi file to start the installation wizard.
5. Click through the installation wizard. At the end, the Microsoft Group Policy Management Console will be launched,
if available.
6. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
7. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates to show
the current templates pop-up.
8. Click Add and browse to Program Files\Bradford Networks\Administrative Templates.
9. Select Bradford Persistent Agent.adm and click Open.
10. Click Close, and the administrative templates will be imported into the GPO.

Install an updated template

Occasionally new templates are made available to incorporate additional features. If you already have a Fortinet
Administrative Template installed but it does not have Balloon Notifications enabled, follow the instructions below to
update it. If you do have Balloon Notifications enabled, see Agent packages on page 412 for instructions on installing an
updated template.
1. On your Windows server open the Group Policy Management Tool.
2. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.

3. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates, to show
the current templates pop-up.
4. Select the old template and click Remove. Follow the instructions above to install the new template.

Persistent Agent settings

The table below outlines settings that can be configured for the Persistent Agent.

Allowed Ciphers and Authentication Schemes
    Indicates the cipher and authentication schemes that can be used.

CA Trust Length/Depth
    Indicates how deep a chain of certificates to allow between the server's certificate and the certificate's Central
    Authority.

CA File path
    The absolute path to a file containing root and intermediate CA certificates in PEM format.

Security
    Indicates whether security is enabled or disabled.
    Note: This option is no longer available with agent 5.3 and greater. Security is always enabled.

Home Server
    The fully qualified hostname of the default server with which the agent should communicate. If this server is not
    set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of
    ServerIP.

Allowed Servers
    In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited,
    list the FQDNs of the FortiNAC Application Server or FortiNAC Servers with which the agent can communicate.

Restrict Roaming
    If enabled, the agent communicates only with its Home Server and servers listed under Allowed Servers.
    If disabled, the agent searches for additional servers when the home server is unavailable.

maxConnectInterval
    The maximum number of seconds between attempts to connect to FortiNAC.
    Data Type: Integer
    Default: 960

Last Connected Server
    Server that the agent last connected to and with which the agent always attempts to communicate first. Protocol
    configuration change requests are honored only when they are received from this server. If this server is not set,
    it is automatically discovered using Server Discovery.

Discover Servers, Priority, and Ports
    Enable or Disable the Agent Discovery Features. Requires Persistent Agent 5.3.0 or newer.

Refer to the Registry Keys section in Administrative templates for GPO for more information
about the registry keys that correspond to the Persistent Agent settings.

Registry keys

The table below shows the host's registry keys that are not modified by the Group Policy Object. These keys can be set
manually.

Persistent Agent

Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems see Note)
Value: ServerIP
Data: The fully qualified hostname to which the agent should communicate.
    Data Type: String
    Default: ns8200

Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems see Note)
Value: ClientStateEnabled
Data: 0: Do not show balloon notifications on status changes.
    1: Show balloon notifications on status changes.
    Data Type: DWORD
    Default: 1

Key: HKLM\Software\Bradford Networks\Client Security Agent
Value: ShowIcon
Data: 0: Do not show the tray icon.
    1: Show the tray icon.
    Data Type: DWORD
    Default: Not Configured (tray icon displayed)

Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems see Note)
Value: allowedServers
Data: Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is
    enabled, the agent is limited to this list. The home server does not need to be included in this list (for
    example, a.example.com, b.example.com, c.example.com).
    Data Type: String
    Default: Empty

Key: HKLM\Software\Bradford Networks\Client Security Agent
Value: homeServer
Data: The fully qualified hostname of the default server with which the agent should communicate.
    Data Type: String
    Default: Empty

Key: HKLM\Software\Bradford Networks\Client Security Agent
Value: restrictRoaming
Data: 0: Do not restrict roaming. Allow agent to communicate with any server.
    1: Restrict roaming to the home server and the allowed servers list.
    Data Type: Integer
    Default: 0

Key: HKLM\Software\Bradford Networks\Client Security Agent
Value: securityEnabled
Data: 0: Disable Agent Security.
    1: Enable Agent Security.
    Data Type: Integer
    Default: 1
    Agent 5.3 and greater: Security is always enabled.

Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems see Note)
Value: maxConnectInterval
Data: The maximum number of seconds between attempts to connect to FortiNAC.
    Data Type: Integer
    Default: 960

Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems see Note)
Value: lastConnectedServer
Data: The last server that the Agent successfully connected to. This will be automatically populated by the agent
    upon successful connection to a server discovered through SRV records, or from the homeServer or
    allowedServers list. This value will remain unchanged until the lastConnectedServer is unreachable by the
    agent and the agent has connected to another server.
    Data Type: String
    Default: Empty

Key: HKLM\Software\Bradford Networks\Client Security Agent (on 64-bit operating systems under
    HKLM\Software\wow6432node, see Note)
Value: discoveryEnabled
Data: Enable or Disable Discovery via SRV. The agent will search for SRV Records to prioritize servers and override
    default ports. If connections to servers are not limited, agents will connect to the discovered server names as
    well.
    0: Disable Discovery.
    1: Enable Discovery.
    Data Type: Integer
    Default: 1

Note: On 64-bit operating systems in RegEdit, these registry values will appear in the following key:
HKLM\Software\wow6432node

Disabling the tray icon via the registry requires the Persistent Agent.

Individual User keys are required only when the user's settings differ from those for a group of users. Typically, keys
are set based on a group of users who have a common Policy using the HKLM\Software\Bradford Networks\Client
Security Agent key shown in the table.

Persistent Agent on macOS

To take advantage of the Agent Security some settings must be configured on the host. Settings for Mac OS X hosts are
configured in Preferences. At this time we do not have a recommendation for a tool to set preferences.

Security settings

The table below outlines settings that can be configured for Agent Security.

Allowed Ciphers and Authentication Schemes
    Indicates the cipher and authentication schemes that can be used.

CA Trust Length/Depth
    Indicates how deep a chain of certificates to allow between the server's certificate and the certificate's Central
    Authority.

CA File path
    The absolute path to a file containing root and intermediate CA certificates in PEM format.

Security
    Indicates whether security is enabled or disabled.
    Note: This option is no longer available with agent 5.3 and greater. Security is always enabled.

Home Server
    The fully qualified hostname of the default server with which the agent should communicate. If this server is not
    set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of
    ServerIP.

Allowed Servers
    In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited,
    list the FQDNs of the FortiNAC Application Server or FortiNAC Servers with which the agent can communicate.

Restrict Roaming
    If enabled, the agent communicates only with its Home Server and servers listed under Allowed Servers.
    If disabled, the agent searches for additional servers when the home server is unavailable.

maxConnectInterval
    The maximum number of seconds between attempts to connect to FortiNAC.
    Data Type: Integer
    Default: 960

Last Connected Server
    Server that the agent last connected to and with which the agent always attempts to communicate first. Protocol
    configuration change requests are honored only when they are received from this server. If this server is not set,
    it is automatically discovered using Server Discovery.

Discover Servers, Priority, and Ports
    Enable or Disable the Agent Discovery Features. Requires Persistent Agent 5.3.0 or newer.

Preferences

The table below shows the modifications that need to be made to the host's Preferences. If you use a tool other than
GPO, you must make sure to set the appropriate keys on each host.

allowedServers
    Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is
    enabled, the agent is limited to this list. The home server does not need to be included in this list (for
    example, a.example.com, b.example.com, c.example.com).
    Agents 10.7 and above: Port can also be specified (<Fully qualified hostname>:<port>). The default port if not
    specified is 4568.
    Example: a.example.com:9001, b.example.com:4568, c.example.com:4985
    Data Type: String
    Default: Empty

homeServer
    The fully qualified hostname of the default server with which the agent should communicate.
    Example: a.example.com
    Agents 10.7 and above: Port can also be specified (<Fully qualified hostname>:<port>). The default port if not
    specified is 4568.
    Example: a.example.com:9001
    Data Type: String
    Default: Empty

restrictRoaming
    0: Do not restrict roaming. Allow agent to communicate with any server.
    1: Restrict roaming to the home server and the allowed servers list.
    Data Type: Integer
    Default: 0

securityEnabled
    0: Disable Agent Security.
    1: Enable Agent Security.
    Data Type: Integer
    Default: 1
    Agent 5.3 and greater: Security is always enabled.

ServerIP
    The fully qualified hostname to which the agent should communicate.
    Data Type: String
    Default: ns8200

ShowIcon
    0: Do not show the tray icon.
    1: Show the tray icon.
    Default: Not Configured (tray icon displayed)
    Note: If both com.bradfordnetworks.bndaemon and com.bradfordnetworks.bndaemon.policy are configured on the
    system, the com.bradfordnetworks.bndaemon.policy configuration takes precedence over the
    com.bradfordnetworks.bndaemon configuration.

maxConnectInterval
    The maximum number of seconds between attempts to connect to FortiNAC.
    Data Type: Integer
    Default: 960

lastConnectedServer
    The last server that the Agent successfully connected to. This will be automatically populated by the agent upon
    successful connection to a server discovered through SRV records, or from the homeServer or allowedServers list.
    This value will remain unchanged until the lastConnectedServer is unreachable by the agent and the agent has
    connected to another server.
    Data Type: String
    Default: Empty

discoveryEnabled
    Enable or Disable Discovery via SRV. The agent will search for SRV Records to prioritize servers and override
    default ports. If connections to servers are not limited, agents will connect to the discovered server names as
    well.
    0: Disable Discovery.
    1: Enable Discovery.
    Data Type: Integer
    Default: 1

There are manual commands that can be used to modify the Preferences as follows:
1. On the macOS host, navigate to a command prompt (Terminal).
2. Before editing the preferences, it is recommended that you unload the launchDaemon plist. Type the following:
   sudo launchctl unload /Library/LaunchDaemons/com.bradfordnetworks.agent.plist
3. To read the configuration, type the following:
   sudo defaults read /Library/Preferences/com.bradfordnetworks.bndaemon
4. To write configuration values use the table above for the value names and type a command similar to the following:
   sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon homeServer -string qa225.bradfordnetworks.com
   In the example above, homeServer is the value name, -string is the data type and qa225.bradfordnetworks.com is
   the data or setting that should be added to Preferences.
5. While some elements require a string data value, others require an integer data value. For these elements, type a
   command similar to the following:
   sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon restrictRoaming -int 1
   In the example above, restrictRoaming is the value name, -int is the value data type and 1 is the setting added to
   the value. In this case 1 is equal to enabled and 0 is disabled.
6. To reload the launchDaemon plist, type the following:
   sudo launchctl load /Library/LaunchDaemons/com.bradfordnetworks.agent.plist
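To show how the two preference domains named in the table interact, here is an added Python example (not Fortinet's tooling or agent code) that writes com.bradfordnetworks.bndaemon and com.bradfordnetworks.bndaemon.policy as plist files with the standard-library plistlib, applies the type rules from the table (-string versus -int) and resolves the documented precedence. It writes into a temporary directory instead of /Library/Preferences so it runs on any platform, and it assumes the precedence applies key by key (a key set only in the bndaemon domain still takes effect), which the table note does not spell out; the hostnames are constructed.

```python
"""Write the two macOS preference domains from the table above and resolve the
documented precedence (added example, not Fortinet tooling). plistlib is used so
the example runs anywhere; on a real host the values are set with `defaults write`."""
import plistlib
import shlex
import tempfile
from pathlib import Path
from typing import Dict, Optional, Union

BNDAEMON = "com.bradfordnetworks.bndaemon"
POLICY = "com.bradfordnetworks.bndaemon.policy"
PREFS_ROOT = "/Library/Preferences"  # location used by the `defaults` commands above

# Data types from the Preferences table; they decide the -string / -int flag.
STRING_KEYS = {"allowedServers", "homeServer", "ServerIP", "lastConnectedServer"}
INT_KEYS = {"restrictRoaming", "securityEnabled", "ShowIcon", "maxConnectInterval", "discoveryEnabled"}

Value = Union[str, int]


def validate(values: Dict[str, Value]) -> Dict[str, Value]:
    """Coerce each value to the type the table specifies; reject keys the table does not list."""
    out: Dict[str, Value] = {}
    for key, value in values.items():
        if key in INT_KEYS:
            out[key] = int(value)
        elif key in STRING_KEYS:
            out[key] = str(value)
        else:
            raise KeyError(f"{key} is not a documented preference")
    return out


def defaults_write_command(domain: str, key: str, value: Value) -> str:
    """Render the equivalent `defaults write` command for one value (shell-quoted)."""
    validate({key: value})
    flag = "-int" if key in INT_KEYS else "-string"
    return f"sudo defaults write {PREFS_ROOT}/{domain} {key} {flag} {shlex.quote(str(value))}"


def write_domain(prefs_dir: Path, domain: str, values: Dict[str, Value]) -> Path:
    """Write <domain>.plist into prefs_dir as a binary plist, the form `defaults` produces."""
    path = prefs_dir / f"{domain}.plist"
    with path.open("wb") as fh:
        plistlib.dump(validate(values), fh, fmt=plistlib.FMT_BINARY)
    return path


def read_domain(prefs_dir: Path, domain: str) -> Dict[str, Value]:
    """Read one domain; a missing plist simply contributes no keys."""
    path = prefs_dir / f"{domain}.plist"
    if not path.exists():
        return {}
    with path.open("rb") as fh:
        return plistlib.load(fh)


def effective_config(prefs_dir: Path) -> Dict[str, Value]:
    """Apply the table note: .policy values take precedence over the bndaemon ones.

    A key-by-key merge is assumed here; keys present only in the bndaemon domain still apply.
    """
    merged = read_domain(prefs_dir, BNDAEMON)
    merged.update(read_domain(prefs_dir, POLICY))
    return merged


def demo(prefs_dir: Optional[Union[str, Path]] = None) -> Dict[str, Value]:
    """Constructed scenario: the daemon domain allows roaming, the policy domain locks it down."""
    prefs_dir = Path(prefs_dir) if prefs_dir else Path(tempfile.mkdtemp())
    write_domain(prefs_dir, BNDAEMON, {"homeServer": "nac1.example.com", "restrictRoaming": 0})
    write_domain(prefs_dir, POLICY,
                 {"restrictRoaming": 1, "allowedServers": "nac2.example.com:9001, nac3.example.com"})
    return effective_config(prefs_dir)


if __name__ == "__main__":
    print(defaults_write_command(BNDAEMON, "restrictRoaming", 1))
    print(demo())
```

Running the block prints the `defaults write` line from step 5 above and the merged result, in which restrictRoaming comes from the policy domain while homeServer survives from the daemon domain.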

Persistent Agent on Linux

To take advantage of the Agent Security some settings must be configured on the host. Settings for Mac OS X hosts are
configured in Preferences. At this time we do not have a recommendation for a tool to set preferences.

Security settings

The table below outlines settings that can be configured for Agent Security.

Allowed Ciphers and Authentication Schemes
    Indicates the cipher and authentication schemes that can be used.

CA Trust Length/Depth
    Indicates how deep a chain of certificates to allow between the server's certificate and the certificate's Central
    Authority.

CA File path
    The absolute path to a file containing root and intermediate CA certificates in PEM format.

Security
    Indicates whether security is enabled or disabled.
    Note: This option is no longer available with agent 5.3 and greater. Security is always enabled.

Home Server
    The fully qualified hostname of the default server with which the agent should communicate. If this server is not
    set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of
    ServerIP.

Allowed Servers
    In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited,
    list the FQDNs of the FortiNAC Application Server or FortiNAC Servers with which the agent can communicate.

Restrict Roaming
    If enabled, the agent communicates only with its Home Server and servers listed under Allowed Servers.
    If disabled, the agent searches for additional servers when the home server is unavailable.

maxConnectInterval
    The maximum number of seconds between attempts to connect to FortiNAC.
    Data Type: Integer
    Default: 960

Last Connected Server
    Server that the agent last connected to and with which the agent always attempts to communicate first. Protocol
    configuration change requests are honored only when they are received from this server. If this server is not set,
    it is automatically discovered using Server Discovery.

Discover Servers, Priority, and Ports
    Enable or Disable the Agent Discovery Features. Requires Persistent Agent 5.3.0 or newer.

Configuration settings

The table below shows the modifications that need to be made to the host's Preferences. If you use a tool other than
GPO, you must make sure to set the appropriate keys on each host.

allowedServers
    Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is
    enabled, the agent is limited to this list. The home server does not need to be included in this list (for
    example, a.example.com, b.example.com, c.example.com).
    Data Type: String
    Default: Empty

homeServer
    The fully qualified hostname of the default server with which the agent should communicate.
    Data Type: String
    Default: Empty

restrictRoaming
    False: Do not restrict roaming. Allow agent to communicate with any server.
    True: Restrict roaming to the home server and the allowed servers list.
    Data Type: Boolean
    Default: False

securityEnabled
    False: Disable Agent Security.
    True: Enable Agent Security.
    Data Type: Boolean
    Default: True
    Agent 5.3 and greater: Security is always enabled.

ServerIP
    The fully qualified hostname to which the agent should communicate.
    Data Type: String
    Default: ns8200

caFile
    The absolute path to a file containing root and intermediate CA certificates in PEM format.
    Data Type: String
    Default: /etc/ssl/certs/ca-bundle.crt (RPM) or /etc/ssl/certs/ca-certificates.crt (DEB)

ShowIcon
    0: Do not show the tray icon.
    1: Show the tray icon.
    Default: Not Configured (tray icon displayed)
    Note: If both PersistentAgent.conf and PersistentAgentPolicy.conf are configured on the system, the
    PersistentAgentPolicy.conf configuration takes precedence over the PersistentAgent.conf configuration.

maxConnectInterval
    The maximum number of seconds between attempts to connect to FortiNAC.
    Data Type: Integer
    Default: 960

macpollinterval
    The maximum number of seconds between attempts to learn of new MAC addresses added to the host. This is intended
    to facilitate the quick discovery of VM Guests that have been deployed for use with the VM-Detection feature.
    Data Type: Integer
    Default: 5

lastConnectedServer
    The last server that the Agent successfully connected to. This will be automatically populated by the agent upon
    successful connection to a server discovered through SRV records, or from the homeServer or allowedServers list.
    This value will remain unchanged until the lastConnectedServer is unreachable by the agent and the agent has
    connected to another server.
    Data Type: String
    Default: Empty

discoveryEnabled
    Enable or Disable Discovery via SRV. The agent will search for SRV Records to prioritize servers and override
    default ports. If connections to servers are not limited, agents will connect to the discovered server names as
    well.
    0: Disable Discovery.
    1: Enable Discovery.
    Data Type: Integer
    Default: 1
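The settings tables for the Windows, macOS and Linux agents above all describe the same selection behaviour: the agent tries its Last Connected Server first, then the Home Server, then the Allowed Servers, and, when roaming is not restricted and discovery is enabled, servers learned from SRV records, which can also override the default port. The following Python model of that ordering is an added example, not FortiNAC or agent code. The hostnames, SRV records and the set of reachable servers are constructed; the host:port form stored in lastConnectedServer and the 4568 default port for entries without a port (as documented for agents 10.7 and above) are assumptions; and SRV-based re-prioritization of servers that are already listed is not modelled.

```python
"""Model of the Persistent Agent's server selection order (added example, not agent code).

Setting names follow the tables above. SRV records are supplied as constructed
(priority, host, port) tuples instead of a real DNS lookup.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DEFAULT_AGENT_PORT = 4568  # used when an entry carries no ":port" (agents 10.7 and above)

Server = Tuple[str, int]          # (fully qualified hostname, port)
SrvRecord = Tuple[int, str, int]  # (priority, target host, port); lower priority is tried first


@dataclass
class AgentConfig:
    """Subset of the agent settings, using the value names from the tables."""
    homeServer: str = ""
    allowedServers: str = ""       # comma-separated, each entry optionally "host:port"
    restrictRoaming: int = 0       # 1: only homeServer plus allowedServers
    discoveryEnabled: int = 1      # 1: SRV-discovered servers are added
    lastConnectedServer: str = ""  # populated by the agent after a successful connection


def parse_server(entry: str) -> Server:
    """'a.example.com:9001' -> ('a.example.com', 9001); no port -> DEFAULT_AGENT_PORT."""
    entry = entry.strip()
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host.strip(), int(port)
    return entry, DEFAULT_AGENT_PORT


def parse_server_list(value: str) -> List[Server]:
    """Parse a comma-separated list such as 'a.example.com:9001, b.example.com'."""
    return [parse_server(e) for e in value.split(",") if e.strip()]


def candidate_servers(cfg: AgentConfig, srv_records: List[SrvRecord]) -> List[Server]:
    """Ordered list of servers the agent will try, following the settings descriptions.

    Last Connected Server is always tried first, then Home Server, then Allowed
    Servers. SRV-discovered servers are appended only when discovery is enabled and
    roaming is not restricted. With restrictRoaming=1 the list is limited to Home
    Server plus Allowed Servers, so a previously discovered server is dropped.
    """
    home = parse_server_list(cfg.homeServer)
    allowed = parse_server_list(cfg.allowedServers)
    ordered: List[Server] = []
    if cfg.lastConnectedServer:
        ordered.append(parse_server(cfg.lastConnectedServer))
    ordered += home + allowed
    if cfg.discoveryEnabled == 1 and cfg.restrictRoaming == 0:
        # SRV priority orders the discovered servers; the record's port overrides the default
        ordered += [(host, port) for _, host, port in sorted(srv_records)]
    if cfg.restrictRoaming == 1:
        permitted = set(home + allowed)
        ordered = [s for s in ordered if s in permitted]
    seen: Set[Server] = set()
    unique: List[Server] = []
    for server in ordered:  # keep only the first occurrence of each server
        if server not in seen:
            seen.add(server)
            unique.append(server)
    return unique


def connect(cfg: AgentConfig, srv_records: List[SrvRecord], reachable: Set[Server]) -> Optional[Server]:
    """Simulate one connection cycle against a constructed set of reachable servers.

    The first reachable candidate wins and becomes lastConnectedServer, so the value
    changes only once the previous server is unreachable and another one answers.
    """
    for server in candidate_servers(cfg, srv_records):
        if server in reachable:
            cfg.lastConnectedServer = f"{server[0]}:{server[1]}"  # stored form is an assumption
            return server
    return None


if __name__ == "__main__":
    # Constructed scenario: home server down, one allowed server up, one SRV-advertised server up.
    cfg = AgentConfig(homeServer="nac1.example.com",
                      allowedServers="nac2.example.com:9001, nac3.example.com")
    srv = [(20, "nac4.example.com", 4568), (10, "nac-srv.example.com", 4568)]
    up = {("nac2.example.com", 9001), ("nac-srv.example.com", 4568)}
    print("order:", candidate_servers(cfg, srv))
    print("connected to:", connect(cfg, srv, up), "lastConnectedServer =", cfg.lastConnectedServer)
    cfg.restrictRoaming = 1
    print("restricted, only the SRV server up:", connect(cfg, srv, {("nac-srv.example.com", 4568)}))
```

The last line of the demo is the case worth remembering when troubleshooting: with Restrict Roaming enabled, a server the agent learned through SRV discovery is no longer a permitted target, so the agent reports no connection even though that server is up.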

Host logging for agent security

Log files located on the host that include information pertaining to Agent Security will vary by platform.

Windows

For Windows, look in the Common Application Data directory at %ProgramData%\Bradford Networks\
Log files include:
- stderr.txt: output of stderr.
- stdout.txt: output of stdout.
- bndaemon_log.txt: Logged packets, same as pre-3.0.

macOS

For macOS, log messages are sent to the system log via the "debug" syslog priority.
- Messages display in console.log

Linux

For Linux, the log file is found at /var/log/bndaemon
- All logs are consolidated into this common file.

Note: Time stamps included in the log file are displayed in UTC time. Coordinated Universal Time (UTC) is a high
precision atomic time standard that corresponds roughly to Greenwich Mean Time.

Auto-definition updates

Fortinet provides weekly updates called auto-definition updates that contain support for the following:
- Information on the latest antivirus definitions
- Support for new versions of antivirus
- Support for new operating system versions
- Any new vendor OUIs released by the IEEE Standards Association
- New or modified custom scan options
Downloading these updates keeps your FortiNAC software current allowing your hosts and users to access the network
easily without having to contact your IT department.
For customers who prefer to download updates on a delayed schedule, Fortinet maintains the current update plus
updates from the previous three weeks.
To implement auto-definition updates you must do the following:
- Configure your FortiNAC server to communicate with the Fortinet download site.
- Configure the schedule for retrieving and installing updates.

Download settings

To download auto-definition updates from the download site, you must configure a connection to that site.

Configure settings

Configure the connection settings for the download location so the Auto-Def Synchronizer, Agent packages, and the
Software Distribution Updates can be completed. You need to change the default settings if another server is used to
host the auto-definition or updated distribution files.
To set the host and protocol settings for the System Update:

1. Click System > Settings.
2. Expand the Updates folder.
3. Select System from the tree.
4. Go to the System Update Settings section of the screen.
5. Use the table below to enter the update settings. Contact Customer Support for the correct login credentials.
6. Click Test to check that the settings allow connection to the auto-definition directory and the product distribution
directory.

Refer to the System Update Settings section of the Release Notes on our website for
information about the distribution directory for the specific version you wish to download
and install.

7. Once connection to the server is established, click Save Settings.

Settings

Host
    IP address, hostname, or fully qualified name of the server that is hosting the updates.

Auto-Definition Directory
    The sub-directory where the weekly antivirus and operating system updates are located. Default setting for this
    field is a period (.). If you are downloading these files from a server on your network, specify the directory
    containing the updates.
    If you prefer to download and install updates on a delayed schedule, you can choose system updates from one, two,
    three or four weeks ago by modifying this field with an additional sub-directory. For example, entering /week1
    gives you an update that is one week old. Available directories are:
    ./week1 contains updates that are one week old.
    ./week2 contains updates that are two weeks old.
    ./week3 contains updates that are three weeks old.
    ./week4 contains updates that are four weeks old.

Product Distribution Directory
    The sub-directory where the product software files are located. This field will vary depending on the version of
    the software being updated.
    A forward slash (/) may be required in the path configuration. Click Test to confirm the configuration.
    Refer to the System Update Settings section of the Release Notes on our web site for information about the
    distribution directory for the specific version package you wish to download and install.

Agent Distribution Directory
    The sub-directory where the Agent update files are located. This field will vary depending on the version of the
    software being updated. A forward slash (/) may be required in the path configuration. Click Test to confirm the
    configuration.
    Refer to the System Update Settings section of the Release Notes on our web site for information about the
    distribution directory for the specific agent package you wish to download and install.

User
    The user name for the connection.

Password
    The password for the connection.

Protocol
    HTTP: Hypertext Transfer Protocol.
    HTTPS: Secure communication over HTTP.
    SFTP: Secure FTP. This protocol provides a more secure connection.
    FTP: File Transfer Protocol.
    PFTP: Passive FTP. A more secure form of data transfer in which the flow of data is set up and initiated by the FTP
    client rather than by the FTP server program.

Buttons

Test
    Tests the connection between the FortiNAC program and the update server.

Revert To Defaults
    Returns the window to the factory default settings.

Endpoint compliance policies

Endpoint compliance policies are used to assess hosts and determine if they are safe. An endpoint compliance policy is
composed of building blocks, including: a user/host profile and an endpoint compliance configuration. Refer to
Implementation on page 187 for information on the entire endpoint compliance feature.
When a host is evaluated and FortiNAC determines that the host requires an endpoint compliance policy, the host and
user are compared to the user/host profiles within each endpoint compliance policy starting with the first policy in the list.
When a match is found, the endpoint compliance policy is applied. Once a policy is selected as a match for the host or
user, the endpoint compliance configuration within the policy determines the treatment that the host receives. An
endpoint compliance configuration specifies whether or not an agent is required and the scan parameters for scanning
the host.
Endpoint compliance policies created on the FortiNAC server are ranked above global endpoint compliance policies
created on the NCM. The rank of a local endpoint compliance policy can be adjusted above or below another local
endpoint compliance policy, but cannot be ranked below a global endpoint compliance policy. The rank for a global
endpoint compliance policy cannot be modified from the FortiNAC server.
If the user/host does not match any policy, it is allowed to register with no scan and no policy.
There may be more than one endpoint compliance policy that is a match for this host/user; however, the first match
found is the one that is used.

If you create a user/host profile with fields Where set to Any, Who/What by Group set to Any, Who/What by Attribute set
to Any and When set to Always, it matches ALL users and hosts. This is essentially a Catch All profile. If this user/host
profile is used in a policy, all policies below that policy are ignored when assigning a policy to a user or a host. To
highlight this, policies below the policy with the catch all profile are grayed out and have a line through the data.
The best way to use a Catch All profile is to create a general policy with that profile and place it last in the list of policies.

Settings

Rank Buttons
    Moves the selected policy up or down in the list. Host connections are compared to Policies in order by rank.

Set Rank Button
    Allows you to type a different rank number for a selected policy and immediately move the policy to that position.
    In an environment with a large number of policies, this process is faster than using the up and down Rank buttons.
    Note: Rank can only be set on local policies; rank changes for global policies must be done at the NCM.

Table columns

Rank
    Policy's rank in the list of policies. Rank controls the order in which host connections are compared to Policies.

Name
    User defined name for the policy.

Endpoint Compliance Configuration
    Contains the configuration for the Agent and Scan parameters that will be assigned if this Policy matches the
    connecting host and user. See Endpoint compliance configurations on page 236.

User/Host Profile
    Contains the required criteria for a host or user, such as connection location, host or user group membership, host
    or user attributes or time of day. Host connections that match the criteria within the user/host profile are
    assigned the associated endpoint compliance configuration. See User/host profiles on page 175.

Where
    The connection location specified in the user/host profile. The host must connect to the network on a device, port
    or SSID contained within one of the groups shown here to be a match. When set to Any, this field is a match for all
    hosts or users.

Who/What
    Attributes: A host or user must meet all parameters within a single filter, but is only required to match one
    filter in the list. The attribute must be known at the time of connection. See Filter example on page 177.
    RADIUS Attributes: Used to match against endpoints pre- and post-authentication.
    Groups:
    - Any: Matches any group.
    - Any Of: Matches any of the listed groups. Does not have to match everything, but has to match at least one group
      that has been selected.
    - All Of: Has to match every group that's been selected.
    - None Of: Has to match no group that's been selected.

When
    The time frame specified in the selected User/Host Profile. The host must be on the network within this time frame
    to be a match. When set to Always this field is a match for all hosts or users.

Note
    User specified note field. This field may contain notes regarding the data conversion from a previous version of
    FortiNAC.

Last Modified By
    User name of the last user to modify the policy.

Last Modified Date
    Date and time of the last modification to this policy.

Right click options

Delete
    Deletes the selected endpoint compliance policy.

Modify
    Opens the Modify Endpoint Compliance Policy window for the selected policy.

Show Audit Log
    Opens the admin auditing log showing all changes made to the selected item.
    For information about the admin auditing log, see Audit Logs on page 298.
    Note: You must have permission to view the admin auditing log. See Add an administrator profile on page 55.

Buttons

Export
    Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or
    RTF. See Export Data.

Add or modify a policy

1. Select Policy & Objects.
2. Select Endpoint Compliance.
3. Click Add or select an existing policy and click Modify.
4. Click in the Name field and enter a name for this policy.
5. Select a User/Host Profile from the drop-down menu. You can use the icons next to the User/Host Profile field to
add a new profile or modify the profile shown in the drop-down menu. Note that if you modify this profile, it is
modified for all features that make use of the profile. Connecting hosts must match this User/Host Profile to be
assigned the endpoint compliance configuration specified in the next step.
6. Select an Endpoint Compliance Configuration from the drop-down menu. You can use the icons next to the
Endpoint Compliance Configuration field to add a new configuration or modify the configuration shown in the
drop-down menu. Note that if you modify this configuration, it is modified for all features that make use of it. See
Create or edit a configuration on page 237.
7. The Note field is optional.
8. Click OK to save your policy.

Determining host operating system

FortiNAC uses the information configured in the endpoint compliance policy and information received from the
connecting host to determine if an agent is required and which agent should be offered to a host. If the operating system
or host type is one for which there is no agent, FortiNAC can allow or deny network access based on the settings in the
endpoint compliance policy.
The host operating system is detected based on the information contained in the User-Agent string. When a host
connects to a FortiNAC web page, its browser sends the User-Agent string to the FortiNAC Server or Application Server.
This string indicates which browser the host is using, its version number, and details about the host, such as operating
system and version. The table below outlines the criteria FortiNAC uses to determine the host operating system.
The operating system is considered unsupported unless it meets one of the following criteria:

Criteria OS/Device

UserAgent contains "linux" and "android" Android

UserAgent contains "linux" only Linux

UserAgent contains "macOS" macOS

UserAgent contains "Macintosh" and "Silk" Android

UserAgent contains "Macintosh" and "Cloud9" Android

UserAgent contains "linux", "android" and "silk" Kindle

UserAgent contains any one of the following: "KFOT", "KFTT", "KFJWI", "KFJWA",
"KFSOWI", "KFTHWI", "KFTHWA", "KFAPWI" or "KFAPWA" Kindle Fire

UserAgent contains "macOS" and "mobile" and "ipod" iOS for iPod

UserAgent contains "macOS" and "mobile" and "iphone" iOS for iPhone

UserAgent contains "macOS" and "mobile" and "ipad" iOS for iPad

UserAgent contains "macOS" and "mobile" Apple iOS

UserAgent contains "windows nt" Windows

UserAgent contains "windows phone" Windows Phone

UserAgent contains "windows nt" and "ARM" Windows RT

UserAgent contains "freebsd" Free BSD

UserAgent contains "openbsd" Open BSD

UserAgent contains "netbsd" Net BSD

UserAgent contains "solaris" or "sunos" Solaris

UserAgent contains "symbianos" or "symbos" Symbian

UserAgent contains "webos" Web OS

UserAgent contains "windows ce" Windows CE

UserAgent contains "blackberry" Blackberry OS

UserAgent contains "BB10" and "Mobile" BlackBerry 10 OS

UserAgent contains "RIM Tablet OS" RIM Tablet OS

UserAgent contains "CrOS" Chrome OS
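As an added example that is not FortiNAC code, the criteria table above implemented as an ordered rule list in Python and run over constructed User-Agent strings. The rule order (most specific first) and case-insensitive substring matching are assumptions, since the table lists criteria without stating precedence; the sample strings are constructed so that they contain the table's tokens and are not captured traffic.

```python
"""Classify a host operating system from its User-Agent string.

Added example, not FortiNAC code: the criteria table from "Determining host
operating system" as an ordered rule list. Assumptions: rules are tested
most-specific first (the table states no precedence) and substring matching
is case-insensitive. Anything matching no rule is reported as Unsupported,
which the Agent tab handles through the "Other" platform setting.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

KINDLE_FIRE_MODELS = ("KFOT", "KFTT", "KFJWI", "KFJWA", "KFSOWI", "KFTHWI",
                      "KFTHWA", "KFAPWI", "KFAPWA")


@dataclass(frozen=True)
class Rule:
    all_of: Tuple[str, ...]          # every token must appear in the UA
    result: str                      # OS/Device reported by the table
    any_of: Tuple[str, ...] = ()     # if non-empty, at least one must appear


# Order matters: a Kindle Fire model ID or "linux"+"android"+"silk" is tested
# before plain "linux"+"android", the iPod/iPhone/iPad rules before generic
# "macOS"+"mobile", "windows nt"+"ARM" before "windows nt", and "linux" alone
# last so it only catches non-Android Linux. Lower-casing "ARM" is a trade-off:
# it also matches unrelated words containing "arm".
RULES: Tuple[Rule, ...] = (
    Rule((), "Kindle Fire", any_of=KINDLE_FIRE_MODELS),
    Rule(("linux", "android", "silk"), "Kindle"),
    Rule(("linux", "android"), "Android"),
    Rule(("Macintosh", "Silk"), "Android"),
    Rule(("Macintosh", "Cloud9"), "Android"),
    Rule(("macOS", "mobile", "ipod"), "iOS for iPod"),
    Rule(("macOS", "mobile", "iphone"), "iOS for iPhone"),
    Rule(("macOS", "mobile", "ipad"), "iOS for iPad"),
    Rule(("macOS", "mobile"), "Apple iOS"),
    Rule(("macOS",), "macOS"),
    Rule(("windows nt", "ARM"), "Windows RT"),
    Rule(("windows phone",), "Windows Phone"),
    Rule(("windows nt",), "Windows"),
    Rule(("windows ce",), "Windows CE"),
    Rule(("freebsd",), "Free BSD"),
    Rule(("openbsd",), "Open BSD"),
    Rule(("netbsd",), "Net BSD"),
    Rule((), "Solaris", any_of=("solaris", "sunos")),
    Rule((), "Symbian", any_of=("symbianos", "symbos")),
    Rule(("webos",), "Web OS"),
    Rule(("BB10", "Mobile"), "BlackBerry 10 OS"),
    Rule(("blackberry",), "Blackberry OS"),
    Rule(("RIM Tablet OS",), "RIM Tablet OS"),
    Rule(("CrOS",), "Chrome OS"),
    Rule(("linux",), "Linux"),
)

UNSUPPORTED = "Unsupported"


def detect_os(user_agent: str) -> str:
    """Return the OS/Device of the first matching rule, else UNSUPPORTED."""
    ua = user_agent.lower()
    for rule in RULES:
        if not all(tok.lower() in ua for tok in rule.all_of):
            continue
        if rule.any_of and not any(tok.lower() in ua for tok in rule.any_of):
            continue
        return rule.result
    return UNSUPPORTED


# Constructed sample strings, not captured traffic. The Apple ones contain the
# literal "macOS" token the table keys on.
SAMPLE_USER_AGENTS = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/110.0",
    "Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; IEMobile/11.0)",
    "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/110.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 Chrome/110.0",
    "Mozilla/5.0 (Linux; U; Android 4.0.3; KFTT Build/IML74K) Silk/3.4 Mobile",
    "Mozilla/5.0 (Linux; U; Android 4.4.3; Kindle Build/KTU84M) Silk/44.1 Mobile",
    "Mozilla/5.0 (Macintosh; macOS 13_2) AppleWebKit/605.1.15 Safari/605.1.15",
    "Mozilla/5.0 (iPad; macOS 16_1; Mobile) AppleWebKit/605.1.15 Safari/604.1",
    "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.10+ Version/10.0.9 Mobile Safari",
    "SmartPlug/2.1 (lwIP; embedded)",
)


def classify_samples() -> Dict[str, str]:
    """Map each constructed sample to the OS/Device the table would assign."""
    return {ua: detect_os(ua) for ua in SAMPLE_USER_AGENTS}
```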

Create or edit a policy

1. Select Policy & Objects.
2. Select Endpoint Compliance.
3. Click Create New or select an existing policy and click Edit.
4. Click in the Name field and enter a name for this policy.
5. Select a User/Host Profile from the drop-down menu. You can use the icons next to the User/Host Profile field to
add a new profile or modify the profile shown in the drop-down menu. Note that if you modify this profile, it is
modified for all features that make use of the profile. Connecting hosts must match this user/host profile to be
assigned the endpoint compliance configuration specified in the next step.
6. Select an Endpoint Compliance Configuration from the drop-down menu. You can use the icons next to the
Endpoint Compliance Configuration field to add a new configuration or modify the configuration shown in the
drop-down menu. Note that if you modify this configuration, it is modified for all features that make use of it. See
Create or edit a configuration on page 237.
7. The Note field is optional.
8. Click OK to save your policy.

Delete a policy

1. Click Policy & Objects.
2. Select Endpoint Compliance.
3. Select the policy to be removed.

4. Click Delete.
5. Click OK to confirm that you wish to remove the policy.

Endpoint compliance configurations

Endpoint compliance configurations define agent and scan parameters for hosts and users. Hosts can be required to
download an agent and undergo a scan, permitted access with no scan, or denied access. The endpoint compliance
configuration that is used for a particular host is determined by the pairing of an endpoint compliance configuration and a
user/host profile within an endpoint compliance policy.
When a host is evaluated, the host, user and connection location are compared to each endpoint compliance policy
starting with the first policy in the list. When a policy is found where the host and user data and the connection location
match the user/host profile in the policy, that policy is assigned. The endpoint compliance configuration contained within
that policy determines the security treatment received by the host.

Settings

An empty field in a column indicates that the option has not been set.

Field Definition

Name User defined name for the Configuration.

Scan Name of the scan used to evaluate a connecting host.

Note User specified note field. This field may contain notes regarding the conversion from a
previous version of FortiNAC.

Collect Applications If enabled, the agent assigned to the host will collect information about installed applications
and add that information to the host record. An application inventory cannot be generated for a
host unless an agent is in use.

Last Modified By User name of the last user to modify the record.

Last Modified Date Date and time of the last modification to this configuration.

Agent - OS An Agent column is displayed for each operating system supported. The column contains the
agent that will be used or treatment that applies to hosts with that operating system when the
scan is applied. Some operating systems do not have agents and those hosts can only be
allowed or denied access to the network. See Create or edit a configuration on page 237 for
information on the agent options for each operating system.

Right click options

Delete Deletes the selected endpoint compliance configuration.

In Use Indicates whether or not the selected configuration is currently being used by any other
FortiNAC element. See Configurations in use on page 239.

Modify Opens the Modify Endpoint Configuration window for the selected configuration.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add an
administrator profile on page 55.

Buttons

Export Exports the data displayed to a file in the default downloads location. File types include CSV,
Excel, PDF, or RTF. See Export data on page 1.

Create or edit a configuration

1. Select Policy & Objects.
2. Expand Endpoint Compliance.
3. From the menu, select Configuration.
4. On the Endpoint Compliance Configurations window, click Create New or select an existing configuration and
click Edit.
5. On the General tab, click in the Name field and enter a name for this configuration.
6. Select a Scan from the drop-down menu. You can use the icons next to the Scan field to add a new scan or modify
the scan shown in the drop-down menu. Note that if you modify this scan, it is modified for all features that make use
of it. See Add or modify a scan on page 247.
7. If you would like to add a list of installed applications to the host record, enable the Collect Application Inventory
check box. This only applies to hosts that are assigned an agent. An application inventory cannot be generated for
hosts unless an agent is in use.
8. If you would like to add a whitelist of SSIDs that the endpoints can connect to, enable Restrict Wireless
Connections to Specific SSIDs.
9. If you would like the endpoint compliance scans to check for dual-homed connections, enable Detect
Multihoming.
10. If you would like to grant varying levels of access based on the host's role, select Advanced Scan Controls. This
displays additional options that allow you to select and map a security action to scan success, failure, and warning.
See Chaining configuration scans on page 240.
You must have Security Incidents access enabled to use the Advanced Scan Controls feature.
11. The Note field is optional.
12. Click the Agent tab to select it.
13. Select an agent for each operating system. You may choose not to use an agent for a particular operating system;
however, scans can only be applied via an agent.
14. No agent exists for some operating systems. In those cases select either None-Deny Access or None-Bypass.
Refer to the table below for information on each field.
15. Click OK to save the configuration.

Settings

Field Definition

General tab

Name: User specified name for this configuration.

Scan: Select the scan to be associated with this configuration. Hosts that match the endpoint
compliance policy containing this configuration will be scanned with the selected Scan.

Collect Application Inventory: If enabled, the agent assigned to the host will collect information about installed
applications and add that information to the host record. An application inventory cannot be generated for a host
unless an agent is in use.

Advanced Scan Controls: If enabled, allows you to select a security action mapped to an endpoint compliance
activity that will be taken based on scan results. See Chaining configuration scans on page 240.

Note: User specified note field. This field may contain notes regarding the conversion of policies from a previous
version of FortiNAC.

Agent tab

Windows, macOS, Linux: Allows you to select a separate agent or treatment for each operating system. For
example, a host with a Windows operating system may be scanned by the Persistent Agent while a host with a
Mac operating system may be scanned with the Dissolvable Agent. See Determining host operating system on
page 234.
The names of all the agent versions and types available on the appliance are included in the list. The .exe is
recommended for user-interactive installation. The .msi is recommended for a managed install by
non-user-interactive means.
Agent options include:
l Persistent Agent: Hosts with this operating system are required to download and install the selected version
of the Persistent Agent.
l Dissolvable Agent: Hosts with this operating system are required to download and run the selected version of
the Dissolvable Agent.
l Latest Persistent Agent: Hosts with this operating system are required to download and install the highest
version of the Persistent Agent available on the FortiNAC Application server. Using the Latest Persistent
Agent option prevents you from having to update Policies each time a new Agent is released and loaded onto
your server.
l None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the
matching operating system.
l None-Bypass: No agent is assigned but hosts are allowed to access the network.
If you select None-Bypass, hosts can register only if their IP address has been determined by FortiNAC. If IP
address information has not been determined, FortiNAC cannot determine the physical address and will not
allow that host on the network. Users see the following message: Registration Failed - Physical Address not
Found.

Android:
l None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the
matching operating system.
l None-Bypass: No agent is assigned but hosts are allowed to access the network if they have the matching
operating system.
l Mobile Agent: Mobile devices detected running the Android operating system are required to download and
install the Mobile Agent. These devices are automatically directed to the Mobile Agent Download page in the
captive portal where the host is prompted to download the Mobile Agent from Google Play (Android).
l Latest Mobile Agent: Hosts with this operating system are required to download and install the highest version
of the Mobile Agent available. The Mobile Agent is downloaded from Google Play.
See Mobile Agent on page 203.

Settings For Operating Systems Without Agents: This section provides a list of additional operating systems and
allows you to select treatment for each one. For example, iPod devices could be set to None-Bypass indicating
that no agent is necessary and allowing that device to connect to the network.
Options for additional platforms include:
l None-Deny Access: No agent is assigned and hosts are denied access to the network if they have the
matching operating system.
l None-Bypass: No agent is assigned but hosts are allowed to access the network if they have the matching
operating system.
Use Set all to None-Bypass or Set all to None-Deny Access to modify settings for all additional platforms at
once.
The last platform labeled Other is used as a catch-all for devices with new or unsupported operating systems. Any
platform not listed in the Policy is treated as specified by the setting associated with Other.

Configurations in use

To find the list of FortiNAC features that reference a specific endpoint compliance configuration, select the Configuration
from the Endpoint Compliance Configurations view and click In Use. A message is displayed indicating whether or
not the configuration is associated with any other features. If the configuration is referenced elsewhere, a list of each
feature that references the configuration is displayed.

Delete a configuration

If a configuration is in use by another feature in FortiNAC, it cannot be deleted. A dialog displays with a list of the features
in which the configuration is used. Remove the association between the configuration and other features before deleting
the configuration.
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Select Configuration from the menu.
4. Select the configuration to be removed.
5. Click Delete.
6. Click OK to confirm that you wish to remove the configuration.

Chaining configuration scans

When advanced scan controls are enabled for an endpoint compliance configuration, you can map a security action
containing Run Endpoint Compliance Configuration to scan results.
The Run Endpoint Compliance Configuration activity will run scans for additional endpoint compliance
configurations. This allows further scans to be run on hosts when additional levels of access are needed. For example, if
the host is part of a group requiring access to a secure VLAN, you can run additional scans the host must pass to be
allowed onto this area of the network. Access is determined by the highest level scan that the host passes.
When a host is authenticated and matches an endpoint compliance policy, the endpoint compliance configuration scan
is run. When the action is taken based on the scan results, if the Run Endpoint Compliance Configuration activity is
performed and the endpoint compliance configuration scan starts successfully, the action moves to the next activity in
the list while the endpoint compliance configuration scan is running.
If the endpoint compliance configuration scan does not successfully start, additional activities are only performed if On
Activity Failure is set to Continue Running Activities.
There is no limit on the number of actions that can be run based on scan results.
The Persistent Agent must be installed on the host.
To enable and configure advanced scan controls, go to Policy & Objects. Click Endpoint Compliance >
Configuration, and then click Add or select an existing configuration and click Modify.

Scans

The Scans view allows you to configure network scans or sets of rules that are used to scan hosts for compliance. Scans
are included in endpoint compliance configurations that are paired with user/host profiles, which form endpoint
compliance policies. When a host is evaluated and requires an endpoint compliance policy, FortiNAC goes through the
list of policies and compares user and host information to the associated user/host profile. When a match is found, the
endpoint compliance configuration inside the policy is applied to the host. That configuration contains the scan and agent
information used to evaluate the host.
Scans typically consist of lists of permitted operating systems and required antivirus software. In addition, custom scans
can be created for more detailed scanning such as searching the registry for particular entries, searching the hard drive
for specific files, or verifying that hotfixes have been installed. Individual scans can be scheduled to run at regular
intervals if your organization requires frequent rescans.
The results of a scan are stored on the Logs > Scan Results page.
When you scan hosts, the agent first checks to see if a required item is installed and then proceeds to scan for additional
details about that item. For example, if the host is required to run Windows 10 and that operating system is not installed,
the agent does not check to see if the updates have been installed. The scan results are therefore shorter, because
needless checks are skipped. In the scan results, the host fails only for not having the operating system.
Using the example from the table shown above, the Agent ignores items that are not checked or selected. With this
agent, you would achieve the following results.
l Operating system 1 requires antivirus 3. The agent does not test whether antivirus 1 and 2 are installed; therefore,
the host cannot pass the scan unless it has operating system 1 with antivirus 3.
l Operating system 2 requires either antivirus 1 or antivirus 2. The agent does not test for antivirus 1.
l Operating system 3 requires either antivirus 1, antivirus 2, or antivirus 3.

Settings

Field Definition

Scan Name: Each scan must have a unique name.

Remediation: Indicates when the host is moved to Remediation. Options include:
On Failure: Host is moved to remediation immediately after failing a scan.
Delayed: Host is moved to remediation after a user specified delay if the reason for the scan failure has not been
addressed.
Audit Only: Host is scanned and a failure report is generated, but the host is never moved to remediation.

Scan On Connect: Indicates whether this option is enabled or disabled. Scan On Connect forces a rescan every time
the host assigned this scan connects to the network. See Scan on connect on page 244.
This option only affects hosts running the Persistent Agent.

Renew IP (Supported by Dissolvable Agent Only): Indicates whether the Renew IP option is enabled or disabled.
When this option is enabled, it causes the Dissolvable Agent to actively release and renew the IP address of the host
after it has completed its scan. The Renew IP option is only supported on Windows and macOS.

Scan Failure Link Label: Label displayed on the failure page when a network user's PC has failed a scan. If no label is
provided, the scan name is used. The label or scan name is a link that takes the user to a page indicating why the PC
has failed the scan.

Agent Order Of Operations (Remediation = On Failure): This set of options is available only when Remediation is set
to On Failure. Determines the order in which the agent performs its tasks. Choose one of the following:
Scan Before Registering: The host downloads the Agent and is scanned in the registration network before being
registered. If the scan fails you must choose one of the following:
l Do not Register, Remediate: Host remains a Rogue and stays in the registration network until it passes the scan.
Note the host will not be marked "at risk." Default setting.
l Register and mark At Risk: The host is registered immediately after the scan and then moved to Quarantine.
The Persistent Agent always registers and marks at risk.
Register, then Scan (if the scan fails, Remediate): The host does not download an agent in the Registration network.
Instead, the host is registered and moved to Quarantine to download the Agent and be scanned.

Agent Order Of Operations (Remediation = Delay or Audit Only): The option below is available only when
Remediation is set to Delay or Audit Only.
If scan fails - Register or Remediate: If the host fails a scan, a web page with a Register option and a Remediate
option is displayed to the user.
If the user chooses the Remediate option, the host is placed in remediation and the user must correct all issues and
rescan.
If the user chooses the Register option, the host is placed in production. The user can correct all of the issues and
re-run the Agent.

Patch URL: URL for the web page to be displayed when a host using the Dissolvable Agent fails the scan. This web
page allows the user to download the agent and rescan after addressing the issues that caused the failure. Hosts
using the Persistent Agent have the agent installed and do not use this page.

Root Detection: Indicates whether this option is enabled or disabled. If enabled, rooted mobile devices are not
allowed to register.
The Mobile Agent determines whether or not the device has been rooted. Rooting is a process allowing users of
devices running the Android operating system to attain privileged control (known as "root access") within Android's
subsystem.

Last Modified By: User name of the last user to modify the scan.

Last Modified Date: Date and time of the last modification to this scan.

Right click options

Copy Copy the selected Scan to create a new record.

Delete Deletes the selected Scan. Scans that are currently in use cannot be deleted.

In Use Indicates whether or not the selected Scan is currently being used by any other
FortiNAC element. See Scans in use on page 255.

Modify Opens the Modify Scan window for the selected Scan.

Schedule Opens the Schedule Policy view for the selected scan and allows you to add a schedule
for host rescans using that Scan. See Schedule a scan on page 255.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add
an administrator profile on page 55.

Buttons

Custom Scans Opens the Custom Scan Configuration window which allows you to add, remove or
modify custom scans. Custom scans can be added to policies for more detailed host
scans. See Custom scans on page 260.

Schedule Opens the Schedule Policy view for the selected scan and allows you to add a schedule
for host rescans using that Scan. See Schedule a scan on page 255.

Scan on connect

FortiNAC allows you to configure Scans that scan hosts each time they connect to the network. The Scan on Connect
option is enabled on individual Scans. You may have hosts that are scanned each time they connect and hosts with a
different Scan that are scanned periodically.

Scan on Connect can only be used on registered hosts that have the Persistent Agent
installed. If you are using the Dissolvable Agent, this option is ignored.

When a host connects to the network, FortiNAC determines which endpoint compliance policy should be applied to this
host based on the criteria in the associated user/host profile. If a registered host has the Persistent Agent installed and
Scan on Connect is enabled for the Scan that applies to this host, then the host is scanned. When the host disconnects
from the network, the Persistent Agent modifies that host's Scan on Connect status to indicate that the host should be
scanned again the next time it connects. If the host has more than one interface, such as wired and wireless, the host is
scanned regardless of which one is used.

A rescan happens any time FortiNAC detects that the host has come online and the agent has
communicated with the server, such as when a switch sends a linkdown/linkup trap.

To enable Scan on Connect you must go to the Scans window, select the appropriate Scan and enable the option. See
Add or modify a scan on page 247 for step-by-step instructions on creating a Scan and enabling Scan on Connect.

Scan hosts without enforcing remediation

Hosts that are in Remediation are denied network access until they comply with the requirements of the Scan used to
evaluate them. FortiNAC can scan hosts on the network without placing them in Remediation. This allows the
administrator to determine host state or test new endpoint compliance policies without interrupting network users as they
work. To scan hosts without enforcing remediation you can disable the Quarantine switching option in FortiNAC
Properties. Disabling quarantine VLAN switching affects all hosts. However, you may need to scan only selected hosts
with no repercussions.
Two options have been provided to allow you to scan selected hosts without forcing "at risk" hosts into Remediation:
Audit Only and the Forced Remediation Exceptions group. You can use either one or both of these options. They work
independently of each other. Audit Only controls remediation based on the scan applied. The Forced Remediation
Exceptions group controls remediation based on group membership regardless of the scan used to evaluate the hosts.

Audit only

When the Audit Only option on a scan is enabled, hosts are scanned and the results of the scan are stored. Hosts that
fail the scan are never marked "at risk" and therefore are not forced into Remediation or Quarantine. Administrators can
then review all of the scan results and address issues of non-compliance without blocking users from the network.
Audit Only affects only those hosts evaluated by the scan in which Audit Only is enabled. If you have other scans with
Audit Only disabled, hosts evaluated by those scans that fail are forced into Remediation. Using this option you can
decide to force some groups of hosts into remediation while leaving others on the network. For example, you could have
a scan for your executive staff that has Audit Only enabled and a different scan for administrative staff that has Audit
Only disabled. Executives that fail a scan would continue to work without disruption, while administrative staff that fail a
scan would be forced to remediate.
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click Scans.
4. Select an existing scan to modify or create a new one.
5. On the Add or Modify Scan window go to the Scan Settings section and enable Audit Only under the
Remediation drop-down.
See Add or modify a scan on page 247 for additional information.

Forced remediation exceptions group

When hosts are placed in this group, they are evaluated by the scan that corresponds to them. See Policy assignment on
page 167. Results of the scan are stored and hosts that fail are marked "at risk". Hosts in this group are never forced into
remediation no matter which scan they fail. To prevent selected hosts from being forced to remediate, add them to this
group.

The Forced Remediation Exceptions group is a system group that has already been created. System groups cannot be
removed, only modified. See System groups on page 350 and Modify a group on page 348.

Delayed remediation

Delayed remediation allows you to scan hosts on your network, notify the user if the host has failed the scan and delay
placing the host in the remediation VLAN for a specified number of days. This process gives the host's owner time to
rectify the issues that triggered the failed scan and rescan without being removed from the network. If the user does not
take care of the issues that caused the failure and successfully rescan the host by the time the specified delay has
elapsed, the host is placed in remediation and cannot access the network.

Implementation

To implement Delayed Remediation, first implement the settings for endpoint compliance. See Implementation on page
187.
l This feature works with any agent (Passive Agent, Persistent Agent, or Dissolvable Agent). If you choose to use this
feature with the Dissolvable Agent, note the following:
l Using the Dissolvable Agent, delayed remediation can only be implemented during the registration process
where the host is provided a link to the Dissolvable Agent. If the host fails, it is marked as Pending At Risk, but
can register and move to the production VLAN. The Dissolvable Agent remains on the host until all issues have
been resolved and the host has been rescanned.
l If you set up scheduled rescans for hosts, using Delayed Remediation does not prevent the scheduled rescan
from marking the host "At Risk" at the scheduled interval. Therefore, it is recommended that you use Proactive
Scanning with the Dissolvable Agent instead of Delayed Remediation. Proactive Scanning allows a user to
rescan a host prior to a scheduled required rescan and if the host fails it is not marked "at risk" until the date of
the scheduled rescan. See Schedule a scan on page 255.
To rescan, the user must open a browser and navigate to the following:
https://<Server or Application Server>/remediation
The FortiNAC Server or Application Server in the URL can be either the IP address or Name of the server that
is running the captive portal.
l Modify existing scans or create new ones and set the Delayed Remediation option for the number of days the host
should be allowed to continue on the network after failing a scan. The default setting for Delayed Remediation is 0
days or no delay. See Add or modify a scan on page 247.
l If a host has already failed a scan with a Delayed Remediation setting and the delay setting is changed on the Scan,
it does not change the delay for the associated host. For example, if Host A is scanned, fails Scan A and is assigned
a delay of 2 days, changing Scan A to a delay of 5 days does not alter the delay for Host A. It remains 2 days.
l Configure events and alarms to notify you when a host is affected by the Delayed Remediation setting. See Enable
and disable events on page 323. Events include:
l Host Pending At Risk: Indicates that a host has failed a scan that has a Delayed Remediation set and has
been set to Pending At Risk.
l Host Security Test - Delayed Failure: A host has failed a scan and the scan has been set to Failure Pending
in the Host Properties Health Tab.

Process

Below is a sample of the process FortiNAC goes through when Delayed Remediation is enabled.
1. A host connects to the network and is scanned by an agent with Scan A that has a 3 day delay configured.
2. The host fails the scan for antivirus.

3. A failure page indicating the reason for the failure is displayed on the host.
4. A Delayed Remediation record is created for this host and Scan A, which was used to scan the host.
5. The host's status is set to Pending At Risk.
6. On the Host Properties - Health Tab the scan for Scan A is set to Failure Pending.
7. The host remains on the production network and is not sent to the remediation VLAN.
8. After one day the host connects in the Library and is scanned by an agent with Scan B that has a 5 day delay
configured.
9. The host fails the scan for operating system.
10. A failure page indicating the reason for the failure is displayed on the host.
11. A second Delayed Remediation record is created for this host and Scan B.
12. The host status remains Pending At Risk.
13. On the Host Properties - Health Tab the scan for Scan B is set to Failure Pending.
14. The user corrects the antivirus issue and rescans with Scan A.
15. The Delayed Remediation record for this host and Scan A is removed.
16. On the Host Properties - Health Tab the scan for Scan A is set to Success.
17. The host's status remains Pending At Risk because the user has not corrected the operating system issue and
rescanned for Scan B.
18. Five days elapse and the user still has not corrected the operating system issue and rescanned for Scan B.
19. The host is marked At Risk but it is not moved to the Remediation VLAN because Scan B is not the scan that
currently applies to the host. Scan B will apply to the host if the host ever reconnects in the Library.
20. On the Host Properties - Health Tab the scan for Scan B is set to Failure.
21. The Delayed Remediation record for this host and Scan B is removed.
22. The host continues on the production network.
23. If the host ever reconnects in the Library, the host will be placed in Remediation. The User will have to resolve the
operating system issue and rescan the host for Scan B.
Each host failure and delay record is treated individually. Passing one scan and its associated delay does not remove failures for other scans and their corresponding delays. However, if a failed scan does not apply to the host, the host is not sent to remediation. Refer to Host health and scanning on page 135.
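The bookkeeping in the process above can be pictured as a small state model: one delayed record per host and scan, a Health tab value per scan, and a host status that only becomes a remediation move when the expired scan is the one that applies where the host is connected. The following Python is an added example written to illustrate this guide's explanation; it is not FortiNAC code and calls no FortiNAC API. The statuses (Pending At Risk, At Risk) and Health tab values (Failure Pending, Failure, Success) are the guide's. The class and function names, the location-to-scan mapping, the order in which expired delays are evaluated on connect, and the rule that a host returns to its previous status once its last delayed record clears are assumptions made for the illustration.

```python
"""Model of Delayed Remediation bookkeeping (added example, not FortiNAC code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class Scan:
    name: str
    delay_days: int                      # Remediation Delay; 0 means no delay


@dataclass
class DelayedRecord:
    scan: str
    expires: datetime                    # delay snapshotted when the failure happened


@dataclass
class Host:
    name: str
    status: str = "Registered"           # assumed initial status
    health: Dict[str, str] = field(default_factory=dict)            # Health tab: scan -> state
    records: Dict[str, DelayedRecord] = field(default_factory=dict) # one record per failed scan
    current_scan: Optional[str] = None   # scan that applies where the host is connected
    in_remediation: bool = False


# Assumed mapping of connection location to the scan that applies there.
LOCATION_SCAN = {"Office": "Scan A", "Library": "Scan B"}


def expire_delays(host: Host, now: datetime) -> None:
    """Delays that have run out become real failures; the host is At Risk but is only
    moved to remediation if the expired scan is the one currently applying to it."""
    for name, rec in list(host.records.items()):
        if now >= rec.expires:
            host.health[name] = "Failure"
            host.status = "At Risk"
            del host.records[name]
            if host.current_scan == name:
                host.in_remediation = True


def connect(host: Host, location: str, now: datetime) -> None:
    """Host connects at a location (assumption: expired delays are evaluated first)."""
    expire_delays(host, now)
    host.current_scan = LOCATION_SCAN[location]
    if host.status == "At Risk" and host.health.get(host.current_scan) == "Failure":
        host.in_remediation = True       # reconnecting where the failed scan applies


def record_result(host: Host, scan: Scan, passed: bool, now: datetime) -> None:
    """Apply one agent scan result to the host."""
    if passed:
        host.health[scan.name] = "Success"
        host.records.pop(scan.name, None)          # only this scan's delay is cleared
        if host.status == "Pending At Risk" and not host.records:
            host.status = "Registered"             # assumption: guide does not state this
        return
    if scan.delay_days == 0:                       # no delay configured: immediate At Risk
        host.health[scan.name] = "Failure"
        host.status = "At Risk"
        host.in_remediation = True
        return
    host.health[scan.name] = "Failure Pending"
    host.records[scan.name] = DelayedRecord(scan.name, now + timedelta(days=scan.delay_days))
    host.status = "Pending At Risk"


def run_walkthrough() -> dict:
    """Replays the 23-step process from the guide and returns checkpoints."""
    scan_a, scan_b = Scan("Scan A", 3), Scan("Scan B", 5)
    day0 = datetime(2023, 3, 1, 9, 0)              # constructed date

    def day(n: int) -> datetime:
        return day0 + timedelta(days=n)

    host = Host("Host A")
    out = {}
    connect(host, "Office", day(0))
    record_result(host, scan_a, passed=False, now=day(0))   # steps 1-7
    out["after_a_fail"] = (host.status, host.health["Scan A"], host.in_remediation)
    scan_a.delay_days = 5                                   # changing the scan afterwards...
    out["a_expiry_unchanged"] = host.records["Scan A"].expires == day(3)  # ...leaves the record alone
    connect(host, "Library", day(1))
    record_result(host, scan_b, passed=False, now=day(1))   # steps 8-13
    out["after_b_fail"] = (host.status, host.health["Scan B"], len(host.records))
    connect(host, "Office", day(2))
    record_result(host, scan_a, passed=True, now=day(2))    # steps 14-17
    out["after_a_pass"] = (host.status, host.health["Scan A"], "Scan A" in host.records)
    expire_delays(host, day(6))                             # steps 18-22: Scan B delay runs out
    out["after_b_expires"] = (host.status, host.health["Scan B"], host.in_remediation)
    connect(host, "Library", day(7))                        # step 23
    out["back_in_library"] = host.in_remediation
    return out


if __name__ == "__main__":
    for key, value in run_walkthrough().items():
        print(key, value)
```

run_walkthrough() shows the two points the guide stresses: raising Scan A's delay after the failure leaves the existing record's expiry untouched, and Scan B's expiry marks the host At Risk without moving it, because the scan that applies at its current location is Scan A; only reconnecting in the Library places it in remediation.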

Add or modify a scan

Use the Add or Modify Scan dialog to configure scan settings. Settings are divided into two tables. The first table details
the fields on the General tab and the second details the Categories available under the remaining tabs.
1. Select Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. On the Scans View, click Add to add a new scan or select an existing Scan and click Modify.
5. Enter data in the fields as needed. See the Settings table below for information on each field.
6. For each operating system tab, there is a drop-down menu of categories that can be set, such as antivirus
settings. Instructions for configuring each category are contained in the Scan Configuration Settings - Categories
table.
7. The Summary tab provides an overview of the entire scan configuration for your review.
8. Click OK to save the scan.

Settings - general tab

Field Definition

Scan Name Each scan must have a unique name.

Scan settings

Scan On Connect (Persistent Agent Only)
Forces a rescan every time the host assigned this scan connects to the network. This option only affects hosts running the Persistent Agent. See Scan on connect on page 244.

Renew IP (Supported Dissolvable Agent Only)
Indicates whether the Renew IP option is enabled or disabled. When this option is enabled, it causes the Dissolvable Agent to actively release and renew the IP address of the host after it has completed its scan. The Renew IP option is only supported on Windows and macOS.

Root Detection (Mobile Agent Only)
The Mobile Agent determines whether or not the device has been rooted. Rooting is a process allowing users of devices running the Android operating system to attain privileged control (known as "root access") within Android's subsystem.
If enabled, rooted mobile devices are not allowed to register.
If disabled, devices suspected of being rooted are allowed to register and (Rooted) is appended to the operating system information displayed in the Host View.
If the agent detects that the device has been altered, a Potential Rooted Device event is generated.

Remediation - On Failure If enabled, the host is scanned and the information associated with the scan is recorded. If
the host fails the scan, the user must resolve all of the issues for which the host failed and
rescan before being allowed on the network.

Agent Order Of Operations:
This set of options is available only when Remediation is set to On Failure.
Determines the order in which the agent performs its tasks. Choose one of the following:
- Scan Before Registering: The host downloads the Agent and is scanned in the registration network before being registered. If the scan fails you must choose one of the following:
  - Do not Register, Remediate: Host remains a rogue and stays in the registration network until it passes the scan. Note the host will not be marked At Risk.
  - Register and mark At Risk: The host is registered immediately after the scan and then moved to quarantine.
- Register, then Scan (if the scan fails, Remediate): The host does not download an agent in the registration network. Instead, the host is registered and moved to quarantine to download the Agent and be scanned.

Remediation - Delayed
Hosts that fail this scan are set to Pending at Risk for the number of days indicated in the Remediation Delay field. Hosts set to Pending at Risk are not placed in remediation until the number of days indicated has elapsed. The user is notified of the failure immediately.

Changes to this setting do not affect hosts that are already marked as Pending At Risk. If
a host was set to a delay of 3 days and you change the Remediation Delay field to 5 days,
the host remains at a delay of 3 days. Hosts scanned after the change will use the 5 day
setting.

Agent Order Of Operations:

If scan fails - Register or Remediate: If the host fails a scan, the Persistent Agent
displays a message stating that the host is at risk. Click the message to display
information about the scan. The host is automatically registered.
The Dissolvable Agent displays the results of the scan. You can choose to rescan or
register.
When the host is registered, the host is placed in production. The user can correct all of
the issues and re-run the Agent.

Remediation - Audit Only
If enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, it is not marked "at risk". Therefore, it is not forced into Remediation and can continue using the network. The administrator can review the scan results and take corrective action without disrupting users on the network.

Agent Order Of Operations:

If scan fails - Register or Remediate: If the host fails a scan, a web page with a
Register option and a Remediate option is displayed to the user.
If the user chooses the Remediate option, the host is placed in remediation and the user
must correct all issues and rescan.
If the user chooses the Register option, the host is placed in production. The user can
correct all of the issues and re-run the Agent.

Remediation
If On Failure is enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, the user must resolve all of the issues for which the host failed and rescan before being allowed on the network.
If Delayed is enabled, hosts that fail this scan are set to Pending at Risk for the number of days indicated in the Remediation Delay field. Hosts set to Pending at Risk are not placed in remediation until the number of days indicated has elapsed. The user is notified of the failure immediately.
If Audit Only is enabled, the host is scanned and the information associated with the scan is recorded. If the host fails the scan, it is not marked At Risk. Therefore, it is not forced into remediation and can continue using the network. The administrator can review the scan results and take corrective action without disrupting users on the network.

Agent Order of Operations
When Remediation is set to On Failure:
Determines the order in which the agent performs its tasks. Choose one of the following:
- Scan Before Registering: The host downloads the Agent and is scanned in the registration network before being registered. If the scan fails you must choose one of the following:
  - Do not Register, Remediate: Host remains a Rogue and stays in the registration network until it passes the scan. Note the host will not be marked "at risk." Default setting.
  - Register and mark At Risk: The host is registered immediately after the scan and then moved to Quarantine.
  Persistent Agent always registers and marks at risk.
- Register, then Scan (if the scan fails, Remediate): The host does not download an agent in the Registration network. Instead, the host is registered and moved to Quarantine to download the Agent and be scanned.
When Remediation is set to Delayed or Audit Only:
If scan fails - Register or Remediate: If the host fails a scan, a web page with a Register option and a Remediate option is displayed to the user.
If the user chooses the Remediate option, the host is placed in remediation and the user must correct all issues and rescan.
If the user chooses the Register option, the host is placed in production. The user can correct all of the issues and re-run the Agent.

Portal page settings

Label For Scan Failure Link
Label displayed on the failure page when a network user's PC has failed a scan. If no label is provided, the scan name is used. The label or scan name is a link that takes the user to a page indicating why the PC has failed the scan.

Instructions For Scan Failure
If a host has failed a scan, the user must remedy the issue and rescan. This field allows you to provide the user with a brief set of instructions.

Patch URL For Dissolvable Agent Re-Scan
URL for the web page to be displayed when a host using the Dissolvable Agent fails the scan. This web page allows the user to download the agent and rescan after addressing the issues that caused the failure. Hosts using the Persistent Agent have the agent installed and do not use this page.
Set this to /remediation
To rescan the user must open a browser and navigate to the following:
https://<Server or Application Server>/remediation
The FortiNAC Server or Application Server in the URL can be either the IP address or Name of the server that is running the captive portal.

In use by/Not currently in use
Indicates whether the scan is being used in user/host profile(s). When the scan is in use, click the link to view the user/host profile(s).

Settings - categories

For each operating system there is a Category drop-down that allows you to configure specific settings for categories
such as antivirus. The table below outlines these settings.
Default parameter values for individual antivirus and operating system packages are entered and updated automatically by the scheduled Auto-Def Updates. If the values have been manually edited, the Auto-Def Updates will not override those changes.
Removing a check mark from a selected option causes any underlying changes to be lost. For example, if you modified
settings for AVG antivirus and then unselected it, those changes are lost.

Field Definition

Antivirus

Validation Options
- Any: Any one of the selected items must be present on the host to pass the scan.
- All: All of the selected items must be present on the host to pass the scan.

Anti-Virus List New antivirus software is continually being created. As new antivirus software becomes
available, parameters for that software are made available as quickly as possible in
FortiNAC. The default values for each antivirus program are entered automatically by
the scheduled Auto-Def Updates feature. You should not need to modify these.
Select one or more types of Anti-virus software to check for on the host. To set
additional parameters for any of the selected antivirus programs, click the name of a
program. A parameters window opens and displays all of the advanced options that can
be set. Enter the custom parameter values for the selected program and click OK. See
Antivirus parameters - Windows on page 280 or Antivirus parameters - macOS on page
284 for details on each parameter.

Preferred Select the Preferred Anti-Virus from the drop-down list. If the host fails for all of the
products selected for the scan, only the preferred item selected is displayed on the
Failed Policy pages. If no Preferred product is selected, the list displayed on the Failed
Policy pages contains a separate line for every product failure.

Custom scans

Custom Scans List Custom scans are user created scans that have been configured to scan hosts for
things such as specific files, registry entries or programs. Custom scans must be
created and saved before they can be included as part of a Security Policy. See Custom
scans on page 260.
When a Custom scan is added to a regular scan the custom scan is used across the
board no matter what other options have been selected for the policy. Any host that is
scanned with the regular scan is also scanned based on the custom scan. See Create a
scan on page 261.

Custom scans can be added within a category, such as antivirus. For example, any host
that has AVG Antivirus will be scanned using an associated custom scan. In this case,
the custom scan is being used to enhance the scan for AVG Antivirus and it is not run
on every host. See Scan categories on page 261.

Operating systems

Selection Options
- All: Marks every operating system with a check mark.
- None: Removes the check mark from every operating system check box.

Operating Systems List
Scans for required or prohibited operating systems on hosts. Operating systems that are selected are required. See Operating system parameters - Windows on page 286.
The Windows-2003-Server-x64 product has been removed. Use the Windows 2003 Server and Windows XP x64 products.

Preferred Select the preferred operating system from the drop-down list. If the host fails for all of
the products selected for the scan, only the preferred item selected is displayed on the
Failed Policy pages. If no Preferred product is selected, the list displayed on the Failed
Policy pages contains a separate line for every product failure.

Monitors

Scan List Allows you to run a custom scan with greater frequency than the regular scan with
which it is associated. For example, the original scan may only run once a week, but
you may have a custom scan that needs to run every half an hour. Instead of running
the entire scan policy every half an hour you can choose to run only a custom scan.
Select a custom scan and enter the frequency with which it should run.
Performance degradation may occur if you select an interval less than every five (5)
minutes. It is recommended that monitoring intervals be set to five (5) minutes or more.

Custom scan options - scan level

Custom scans can be enabled for a regular scan. When a host is checked for compliance with the regular scan, the
custom scan is also checked. Before adding a custom scan to a security scan you must create the custom scan.
To enable a Custom scan for a security scan:
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Modify the scan that will use this custom scan.
5. Click either the Windows, the macOS, or the Linux tab.
6. Select Custom from the drop-down menu at the top of the window.
7. Select the check box next to the custom scan for the security scan.
8. Click OK to save your changes.

Custom scan options within a category level

Custom scans can be enabled for various categories within a security scan such as the antivirus or operating system requirements. When a host is checked for compliance with the security scan and one of the products within a category has a custom scan enabled, the custom scan is also used for hosts with the selected product. For example, if the security scan checks for the existence of AVG Antivirus and a custom scan has been associated with AVG, then hosts with AVG will also be scanned using the custom scan.
Before adding a custom scan to a security scan you must create the custom scan.
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Modify the security scan that will use this custom scan.
5. Click either the Windows, the macOS, or the Linux tab.
6. Click the Category drop-down on the Modify Scan view and select: antivirus, operating system, etc.
7. Click the specific item within the sub-category (i.e. product name).
8. Click the Custom Scans tab and select the custom scan to be applied to this sub-category.
9. Click OK to save the selected custom scan.
10. Click OK to save changes to the security scan.

Monitor custom scans

Script custom scans can't be used as a monitor.

This feature allows you to run a custom scan with greater frequency than the security scan with which it is associated.
For example, the original security scan may only run once a week, but you may have a custom scan that needs to run
every half an hour. Instead of running the entire security scan every half an hour you can choose to run only a custom
scan.
Use the monitor feature to periodically test for a specific status on hosts running the Persistent Agent. Monitors use
custom scans to check the host. A monitor you configure as part of a scan can be the same or different for each scan.
Configure monitors for each platform (Windows, macOS, or Linux) separately.
Hosts associated with the security scan are checked at the interval period set in the monitor. The agent on the host
sends a message to the server after each time period has passed, indicating whether the host has passed or failed the
scan. If several monitors are set to 1 minute intervals, traffic to the server is increased. For example, if there are 10
monitors running every minute on 5,000 hosts, the server might see up to 50,000 messages a minute.
Even though monitors use custom scans which can be set to warning, monitors will not send warnings to hosts. Monitors
can only pass or fail. Hosts that fail are marked at risk and placed in remediation.
Enabling a monitor for a custom scan automatically enables the custom scan. However, disabling a monitor will not
disable the associated custom scan.
For example, you have created custom scan A but have not selected it within any security scan. When you select custom scan A in the Monitor list and select a time period, the custom scan is enabled.
Monitors ignore the severity flag of a custom scan.

Monitor example

All users have been notified that peer-to-peer software is not tolerated on the network. A web page explaining this policy is located in the remediation area where the host is moved after failing the scan.
Actions taken:
- A custom scan for a prohibited process has been created to check for LimeWire, a peer-to-peer software program, running on the host. The custom scan includes the URL of the web page where the host browser will be directed if the host fails the custom scan.
- The monitor is set to 10 minutes for the custom scan.
Results:
- Every 10 minutes the agent checks the host to determine if LimeWire is running.
- If LimeWire is not running, the agent sends a message to the server indicating that the host has passed the security scan.
- If LimeWire is running, the agent sends a message to the server indicating that the host has failed the scan. The host is immediately moved to the quarantine VLAN and the browser redirected to the web page specified in the custom scan.


Set up a custom scan monitor

Before adding a custom scan to a security scan you must create the custom scan.
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Click the security scan name and click Modify. If the security scan does not exist, it needs to be added. See Scans
on page 242 for details on adding scans.
5. Click either the Windows, the macOS, or the Linux tab.
6. Click the Category drop-down and select Monitors.
7. Select the check box for the type of custom scan.
8. Select the time period that the agent waits before checking the host for compliance with the custom scan settings.
The available intervals are every 15 seconds up to and including 1 minute, and every 5 minutes up to and including
1 hour.
Performance degradation may occur if you select a very short interval or if you select a large number of monitors. It
is recommended that monitoring intervals be set to five (5) minutes or more.
9. Click OK.

Reset default antivirus values

Antivirus parameters contained in FortiNAC are updated weekly using the Auto-Def updates feature. This ensures that
new version numbers and bug definition files for antivirus software that you require are taken into account when users'
computers are scanned.
If you have manually edited any parameters associated with a particular antivirus software the Auto-Def update does not
override your settings for that software. To reset antivirus to the default values and allow the Auto-Def updates feature to
update parameters do the following:
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Select a scan and click Modify.
5. Click either Windows or Mac, whichever applies.
6. Select Anti-Virus from the Categories drop-down.
7. Uncheck the checkbox for the software for which you have modified settings.

8. Click OK.
9. Open the same scan again and navigate back to the software you unchecked.
10. Check the checkbox for the previously modified settings and click OK.
11. Repeat this process for each antivirus software that needs to be reset to defaults.
12. The next time the Auto-Def updates feature retrieves and installs an update, the antivirus software that you reset will
accept the updated parameters.

Delete a scan

If a Scan is in use by another feature in FortiNAC, it cannot be deleted. A dialog displays with a list of the features in
which the scan is used. Remove the association between the scan and other features before deleting the scan.
Deleting a scan automatically removes scheduled tasks for that scan.
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Click the scan to be removed.
5. Click Delete.
6. Click OK to remove the scan.

Scans in use

To find the list of FortiNAC features that reference a specific Scan, select the Scan from the Scans View and click In
Use. A message is displayed indicating whether or not the Scan is associated with any other features. If the Scan is
referenced elsewhere, a list of each feature that references the Scan is displayed.

Schedule a scan

When hosts that use the Persistent Agent or the Dissolvable Agent connect to the network, they are checked against an
endpoint compliance policy. FortiNAC maintains a list of hosts that have passed the scan within the policy. When hosts
that previously passed the scan connect to the network, they are given access.
To recheck the hosts and ensure continued compliance, schedule the scan to be run at specific intervals. The hosts are
rechecked the next time the scheduled task for the scan runs. Only hosts that have a valid operating system listed in
Host Properties are rescanned. Valid operating systems include Linux, Windows, and macOS.
You can add more than one scheduled task for each scan to check different groups of network hosts at various times.
This prevents an excessive load on the system. These groups are subgroups of the original group targeted by the scan.
For example, if the original scan was set to scan all staff in the Building A group, the scheduled scan could target staff in
subsets of the Building A group. Subsets would be created by placing staff from the Building A group into smaller groups.
Then, the 1st floor group could be scanned on Mondays, the 2nd floor group could be scanned on Tuesdays, etc.
If FortiNAC has lost contact with the host's Persistent Agent, the host cannot be scanned. Offline hosts will be rescanned
when they come back online.
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Click the scan to be scheduled.

5. Click Schedule. The Schedule Rescan of Agents window opens. Any existing scheduled tasks appear in the
window.
6. Click Add.
7. Use the information in the table below to configure your schedule.

Field Definition

Task

Scan Name Name of the scan that will be used to rescan hosts.

Schedule Task Name Each task for the selected scan must have a unique name.

Target Agent Types Type of agent the hosts are using: all, Dissolvable Agent, or Persistent Agent.

Host Group If selected, indicates the group of hosts that will be checked for scan compliance
when this scheduled task runs. See Groups on page 345 for information on creating
groups. This group of hosts must be contained within the set of hosts targeted in the
original scan.

Security And Access Attribute
If selected, filters hosts for rescan based on a field in the user record with matching data in the LDAP or Active Directory. This group must be the same as or a subset of the group targeted in the original scan.

If the Group option and the Security and Access Attribute option are both selected, the
host must be a member of the group selected and the user must have a matching
Security and Access Attribute value in order to be scanned.

If neither the Group option nor the Security and Access Attribute option are selected, all
of the hosts targeted by the original scan are scanned.

Scans can be used in multiple policies; therefore, the set of hosts to be scanned could be quite large.

Schedule

Status Indicates whether the scheduled task is currently enabled or disabled.

Schedule Interval How often the scheduled task is to run. Enter a number and select Days, Hours, or
Minutes from the drop-down list.

Next Scheduled Time The next date/time to run the scheduled task. Enter in the format MM/DD/YY
HH:MM AM/PM

Modify Schedule Opens the Modify Scheduled Activity dialog where you can configure the scan's
schedule.

Proactive scanning

Proactive Scanning See the section below for additional information.

8. Click Modify Schedule to run the scheduled task automatically or on a fixed day.
   - To run the task automatically, select Repetitive Task to select the rate at which you wish to run the task. For example, selecting a Repetition Rate of two days and the Next Scheduled Time of today at 1:00 PM means the task will run today at 1:00 PM, and will continue to run every two days at 1:00 PM.
   - To run the task on a fixed day and time, select Fixed Day Task and then select the day(s). The task will automatically run on the selected day(s) and time each week.
9. Click Apply.

Add proactive scanning to a scheduled scan

Within FortiNAC you can schedule scans to run automatically. Hosts using the Dissolvable Agent can initiate a rescan on
the production network. When a rescan is successful, the host has extended the time before another scan is required.
For example, assume the schedule is set to rescan every Sunday. The user rescans his host at his convenience on
Friday and passes the scan. When Sunday comes, FortiNAC checks the scan history and determines that this host has
had a successful scan. This host is not forced to rescan nor is it marked at risk.
If the host fails the scan, the user is presented with a list of reasons for the failure. The host is not marked at risk at this
time. If the user resolves the issues and rescans before the scheduled scan date, the host is never marked at risk and is
not forced to rescan on Sunday. If the user does not resolve the issues and rescan, when the scheduled scan date
arrives the host is either marked at risk or aged out of the database. The host cannot access the network until it has been
successfully scanned or until the host is reregistered and then is successfully scanned.
To rescan the user must open a browser and navigate to https://<Server or Application Server>/remediation.
The FortiNAC Server or Application Server in the URL can be either the IP address or Name of the server that is running
the captive portal.
Proactive scanning is enabled on the Schedule Rescan window. To provide your hosts access to the Dissolvable Agent,
you can create a web page accessible from your network to download the Dissolvable Agent.
Scan results are central to FortiNAC's ability to determine when a host was last scanned. Scan results are removed
based on the archive and purge schedule set up in FortiNAC properties. When configuring the archive and purge
schedule be sure to make the interval long enough to allow the scan results to be used for Proactive Scanning. If the
interval is too short, scan results will be purged too soon forcing all hosts to rescan regardless of when their last scan
occurred. See Database archive on page 399 for information on archive and purge settings.

Schedule a scan: proactive scanning

Users can proactively rescan their computers to re-assess their system with or without any impact to their At Risk status.
This feature helps to decrease the load around the re-registration process or rescan intervals.
To rescan the user must open a browser and navigate to https://<Server or Application Server>/remediation.
The FortiNAC Server or Application Server in the URL can be either the IP address or Name of the server that is running
the captive portal.
The time extension capability cannot change a guest record's age-out time; time extensions only apply to standard hosts.
Use the options in the Schedule Rescan window to specify whether to apply a time extension if there is a successful
scan history within the interval, and what actions to take if there is no scan history. For example if a host does not rescan
proactively, the registered host can be set to age-out or be marked At Risk.
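The decisions described in the two sections above (the Sunday example, the guest exclusion, and the archive and purge caveat) come down to one rule evaluated per host when the scheduled task runs. The following Python is an added example for this guide's explanation, not FortiNAC code; the option names (Scan History Interval, No Scan History Found with At Risk or Age Record, Scan History Found with No Action or Extend Time) are the guide's, while the class and function names, the sample hosts and dates, the treatment of a guest under Extend Time as No Action, and the assumption that an extension equals the interval are made for the illustration.

```python
"""Proactive scanning decision for a scheduled rescan (added example, not FortiNAC code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ScanResult:
    when: datetime
    passed: bool


@dataclass
class HostRecord:
    name: str
    is_guest: bool                 # guest records never receive a time extension
    expires: datetime              # age-out time of the registration
    history: List[ScanResult]      # scan results still held in the database


def purge_history(host: HostRecord, now: datetime, retention: timedelta) -> None:
    """Mimics the archive and purge schedule: results older than `retention` are gone."""
    host.history = [r for r in host.history if now - r.when <= retention]


def scheduled_run(host: HostRecord, now: datetime, interval: timedelta,
                  no_history_action: str, history_action: str) -> str:
    """Return the action the scheduled task takes for one host.

    interval          - Scan History Interval (previous)
    no_history_action - "At Risk" or "Age Record"   (No Scan History Found)
    history_action    - "No Action" or "Extend Time" (Scan History Found)
    """
    latest: Optional[ScanResult] = max(host.history, key=lambda r: r.when, default=None)
    # History counts only if the MOST RECENT scan succeeded and lies within the interval;
    # a later failure hides an earlier success.
    if latest is not None and latest.passed and now - latest.when <= interval:
        if history_action == "Extend Time" and not host.is_guest:
            host.expires += interval       # assumption: extension equals the interval
            return "Extend Time"
        return "No Action"                 # assumption: guests get no extension
    return "Age Record" if no_history_action == "Age Record" else "At Risk"


def demo() -> dict:
    """Constructed hosts covering the cases the guide describes."""
    week = timedelta(days=7)
    sunday = datetime(2023, 3, 12, 2, 0)          # constructed Next Scheduled Time
    friday = sunday - timedelta(days=2)
    base_expiry = datetime(2023, 4, 1)            # constructed age-out time
    out = {}

    h1 = HostRecord("laptop-1", False, base_expiry, [ScanResult(friday, True)])
    out["passed_friday"] = (scheduled_run(h1, sunday, week, "At Risk", "Extend Time"),
                            h1.expires == base_expiry + week)

    h2 = HostRecord("laptop-2", False, base_expiry, [ScanResult(friday, False)])
    out["failed_friday"] = scheduled_run(h2, sunday, week, "At Risk", "Extend Time")

    h3 = HostRecord("laptop-3", False, base_expiry,
                    [ScanResult(sunday - timedelta(days=10), True)])
    out["stale_pass"] = scheduled_run(h3, sunday, week, "Age Record", "Extend Time")

    h4 = HostRecord("guest-1", True, base_expiry, [ScanResult(friday, True)])
    out["guest"] = (scheduled_run(h4, sunday, week, "At Risk", "Extend Time"),
                    h4.expires == base_expiry)

    # Purge interval shorter than the scan history interval: the Friday pass is gone.
    h5 = HostRecord("laptop-5", False, base_expiry, [ScanResult(friday, True)])
    purge_history(h5, sunday, timedelta(days=1))
    out["purged"] = scheduled_run(h5, sunday, week, "At Risk", "Extend Time")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last case in demo() is the configuration mistake the guide warns about: with a purge retention shorter than the Scan History Interval, a host that passed on Friday is treated as having no scan history on Sunday and is marked At Risk.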

Once you have created a policy, do the following to configure the proactive scanning and specify subsequent actions.

Add proactive scanning to a scan schedule

1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Select the scan to be scheduled.
5. Click Schedule. The Schedule Rescan of Agents window opens. Any existing scheduled tasks for the scan
appear in the window.
6. Click Add.
7. For Target, select Dissolvable. Only hosts using the Dissolvable Agent can do a proactive scan.
8. For the Proactive Scanning Option, select On.
9. Click Apply.
In the example shown below, the Scan History Interval is set to one week. If hosts have successfully passed a scan
during the week prior to the time and date specified in the Next Scheduled Time field, their expiration time is extended
by one week and they will remain on their production network. If they do not have a successful scan within the previous
week, they are marked at risk and moved to remediation to be rescanned.

Settings

Field Definition

Task

Scan Name Name of the Scan that will be used to rescan hosts.

Schedule Task Name Each task for the selected policy must have a unique
name.

Target Agent Types Type of agent the hosts are using: all, Dissolvable Agent,
or Persistent Agent.

Host Group
If selected, indicates the group of hosts that will be checked for scan compliance when this scheduled task runs. See Groups on page 345 for information on creating groups. This group of hosts must be contained within the set of hosts targeted in the original policy.

Security And Access Attribute If selected, filters hosts for rescan based on a field in the
user record with matching data in the LDAP or Active
Directory. This group of must be the same as or a subset
of the group targeted in the original policy.

If the Group option and the Security and Access Attribute option are both selected, the
host must be a member of the group selected and the user must have a matching Security
and Access Attribute value in order to be scanned.

FortiNAC F 7.2.0 Manager Guide 258


Fortinet Inc.
Field Definition

If neither the Group option nor the Security and Access Attribute option are selected, all of
the hosts targeted by the original scan are scanned.

Scans can be used in multiply policies, therefore, the set of hosts to be scanned could be
quite large.

Schedule

Schedule Interval How often the scheduled task is to run. Enter a number
and select Days, Hours, or Minutes from the drop-down
list.

Next Scheduled Time The next date/time to run the scheduled task. Enter in the
format MM/DD/YY HH:MM AM/PM

Pause When selected, the scheduled task is paused and will not
run automatically. Go to the Scheduler View and run the
task manually. See the Scheduler on page 355 for more
information.

Proactive scanning

Proactive Scanning Select On. If you select Off, the hosts are placed in
Quarantine when the scheduled task runs.

Scan History Interval (previous) Interval of time the previous scan history is considered
valid.

No Scan History Found If the host has not been successfully scanned within the
scan history interval, you have the option of marking the
host at risk or aging the record.
If you select At Risk, the host is moved to Quarantine to
be rescanned.
If you select Age Record, the host is deleted and must be
re-registered to regain network access.

Scan History Found If the most recent scan in the scan history is a successful
scan for the host and is within the scan history interval,
you have the option of selecting No Action or Extend Time.
Select No Action to let the account remain with the
existing expiration date and time. If the system takes no
action, the host is forced to rescan when the expiration
date and time are met even if the host has a successful
scan prior to the expiration date and time.
Select Extend Time to specify a period in Extend
Expiration Date (the next field).

FortiNAC F 7.2.0 Manager Guide 259


Fortinet Inc.
Field Definition

Extend Expiration Time If Extend Time is selected and the host has had a
successful scan within the Scan History Interval, the host’s
expiration time is extended by this amount.
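The decision the scheduled rescan task makes for each host, as an added Python example that is not FortiNAC code; the field names follow the Settings table above, while the host records, timestamps and the run_scheduled_task/demo helpers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Added example, not FortiNAC code: a model of the decision the scheduled
# rescan task makes for each host, using the field names from the Settings
# table. Host records and scan times below are constructed.


@dataclass
class HostRecord:
    name: str
    expiration: datetime                      # current age-out date/time
    last_successful_scan: Optional[datetime]  # None means no scan history
    is_guest: bool = False                    # guests never get time extensions


def evaluate_rescan(host: HostRecord, next_scheduled_time: datetime,
                    proactive_scanning: str = "On",
                    scan_history_interval: timedelta = timedelta(weeks=1),
                    no_scan_history_found: str = "At Risk",     # or "Age Record"
                    scan_history_found: str = "Extend Time",    # or "No Action"
                    extend_expiration_time: timedelta = timedelta(weeks=1),
                    ) -> Tuple[str, Optional[datetime]]:
    """Return (action taken, resulting expiration; None when the record is aged)."""
    if proactive_scanning == "Off":
        # Without proactive scanning every targeted host is quarantined to rescan.
        return "Quarantine", host.expiration

    window_start = next_scheduled_time - scan_history_interval
    history_found = (host.last_successful_scan is not None
                     and window_start <= host.last_successful_scan <= next_scheduled_time)

    if not history_found:
        if no_scan_history_found == "Age Record":
            return "Age Record", None            # deleted, must re-register
        return "At Risk", host.expiration        # moved to Quarantine for rescan

    if scan_history_found == "No Action" or host.is_guest:
        # Guest records keep their own age-out time; extensions apply only to
        # standard hosts.
        return "No Action", host.expiration
    return "Extend Time", host.expiration + extend_expiration_time


def run_scheduled_task(hosts, next_scheduled_time, **settings):
    """Evaluate every host the task targets; returns {name: (action, expiration)}."""
    return {h.name: evaluate_rescan(h, next_scheduled_time, **settings) for h in hosts}


def demo(no_scan_history_found: str = "At Risk"):
    """Constructed fleet run with the one-week settings used in the text.

    Returns {name: (action, days the expiration moved, or None if aged)}.
    """
    run_at = datetime(2023, 3, 10, 9, 0)        # Next Scheduled Time
    hosts = [
        HostRecord("laptop-ok", run_at + timedelta(days=3), run_at - timedelta(days=2)),
        HostRecord("laptop-stale", run_at + timedelta(days=3), run_at - timedelta(days=9)),
        HostRecord("laptop-never", run_at + timedelta(days=3), None),
        HostRecord("guest-ok", run_at + timedelta(days=1), run_at - timedelta(days=1),
                   is_guest=True),
    ]
    results = run_scheduled_task(hosts, run_at, no_scan_history_found=no_scan_history_found)
    out = {}
    for h in hosts:
        action, new_exp = results[h.name]
        out[h.name] = (action, None if new_exp is None else (new_exp - h.expiration).days)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```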

Custom scans

Scans are configured to evaluate hosts connecting to the network. These scans search the host computer for things
such as antivirus software or a particular version of an operating system. The categories within which the scan can
search are fairly broad. To scan for very specific items, such as a file on the hard drive or a patch, you must create
custom scans and then link custom scans to a general Scan.
The severity level set in the custom scan determines how the host is treated when it fails a custom scan. Levels can be
set to deny the host access to the network or to just send a warning. See Severity level on page 278 for additional details.
Custom scans that are associated with a scan can be configured to run at more frequent intervals than the Scan itself by
setting up a Monitor in the Scan. This requires that the host have the Persistent Agent installed.
In addition to running a custom scan on any host that is evaluated by the associated Scan, you can use custom scans to
refine or enhance other Scans. For example, suppose you have set up a Scan to check hosts for one of the following
antivirus programs: AVG 8.5, Kaspersky, or Norton. Within the Kaspersky setting you can add a custom scan to search
for a version that must be installed. This custom scan will not be run for hosts using AVG 8.5 or Norton; it will be run
only for hosts using Kaspersky.
Custom scans are created differently depending on the operating system on which they will run. You must create
separate custom scans for each operating system.
When hosts fail a custom scan, they are redirected to the web page designated within the custom scan configuration.
These web pages are not provided as part of the portal configuration. They must be created and stored on your FortiNAC
appliance in the following directory: /bsc/Registration/registration/site
Within the directory listed above there are other web pages that might serve as a template for the custom scans web
pages. One option is to copy the antivirus.jsp file to a new name and edit the text within that file to accommodate
your custom scans.
User created web pages that display when a host fails a custom scan are now stored in
/bsc/Registration/registration/site. If you are using Portal Version 1 and have legacy pages that are stored
in /bsc/Registration/registration/sma, you do not need to move them to the new directory, they will continue
to display to hosts as needed.

Custom Scans behavior with FortiNAC Manager

An ECC custom scan is never automatically deleted during a sync operation from the Manager; if the ECC custom scan
was deleted on the Manager, it is only marked as non-global on the pod during a sync.
The intentional behavior is to not delete custom scans from the pod after they have been deleted from the Manager and
the Manager has synced to the pod. The custom scans remain on the pod, but they are not marked as global; thus they
can be deleted, if desired, in a second step.

FortiNAC F 7.2.0 Manager Guide 260


Fortinet Inc.
Create a scan

Custom scans can be enabled for a regular scan. When a host is checked for compliance with the regular scan, the
custom scan is also checked. Before adding a custom scan to a security scan you must create the custom scan. See
Windows on page 261, macOS on page 271, or Linux on page 274.
To enable a Custom scan for a security scan:
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Modify the scan that will use this custom scan.
5. Click either the Windows, the macOS, or the Linux tab.
6. Select Custom from the drop-down menu at the top of the window.
7. Select the check box next to the custom scan for the security scan.
8. Click OK to save your changes.

Scan categories

Custom scans can be enabled for various categories within a security scan such as the antivirus or operating system
requirements. When a host is checked for compliance with the security scan and one of the products within a category
has a custom scan enabled, the custom scan is also used for hosts with the selected product. For example, if the security
scan checks for the existence of AVG Antivirus and a custom scan has been associated with AVG, then hosts with AVG
will also be scanned using the custom scan.
Before adding a custom scan to a security scan you must create the custom scan. See Windows on page 261 or macOS
on page 271.
1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Modify the security scan that will use this custom scan.
5. Click either the Windows, the macOS, or the Linux tab.
6. Click the Category drop-down on the Modify Scan view and select: antivirus, operating system, etc.
7. Click the specific item within the sub-category (i.e., the product name).
8. Click the Custom Scans tab and select the custom scan to be applied to this sub-category.
9. Click OK to save the selected custom scan.
10. Click OK to save changes to the security scan.

Windows

The custom scans feature allows you to search host computers for very specific information. Custom scans must be
created separately for different operating systems. Within each operating system, there are different types of scans that
can be created. Refer to Add a custom scan below for a list of scan types and general instructions on adding scans.
Refer to the instructions for each scan type for field level information. You can modify or delete the scans at any time.
When a custom scan is modified, it affects any existing scans that use that custom scan.

FortiNAC F 7.2.0 Manager Guide 261


Fortinet Inc.
Add a custom scan

1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Click Custom Scans.
5. Select Add.
6. Select Windows from the Operating System drop-down list.
7. Select the type of scan desired. Each scan type has a special set of fields that are specific to that type. Use the table
below for settings.

Type Description

Cert-Check: Test for a valid certificate on the host.
Requires Agent Version 3.5 or higher.

Domain-Verification: Test for the domain joined by the host.
Note: This scan has been deprecated. Please use "Domain-Check" instead.

Domain-Check: Replaces the "Domain-Verification" scan. Tests for the domain joined by the host. Scan is not Windows
OS specific (Windows XP, Windows 7, etc.). For additional details, see "Domain verification/Domain check" below.

File: Test for the existence and version of a specific file. If the file exists and is an executable, the program can be
forced to run.

HotFixes: Test for the existence of specific HotFixes for the specified Operating systems.

Processes: Test for the existence of a specific process name for the indicated Windows operating system.

Prohibited-Domain-Verification: Test for the domain joined by the host.
Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless
of the domain returned.

Prohibited-Processes: Test for the existence of a specific prohibited process for the indicated Windows operating
system(s).

Registry-Keys: Test for a specific registry key and its associated data.

Registry-Version: Test for a specific program and its version. The program can be required for specific versions of
Windows.

Service: Test the state of a service running on the operating system.
Requires Agent Version 3.5 or higher.

8. Enter the Name for the custom scan.
9. Enter the information for the custom scan.
10. Click OK.
11. The name of the custom scan displays in the Custom Scans section for each scan. You can select the custom scan
to be part of the creation or modification of scan parameters.

Certificate check

The certificate being scanned must be obtained from the CA (e.g., Windows AD server), and installed on the host in the
certificate Store under Local Computer > Personal > Certificates. The certificate must then be uploaded to
FortiNAC's certificate management to the Persistent Agent cert-check target. Go to System > Settings and under
Security click Certificate Management. Click Upload Certificate, and then select the Persistent Agent Cert Check
target.
Requirements for client certificates:
• The certificate must be signed by a CA specified by the customer.
• The certificate selected by the agent should adhere to the uses as specified:
  • The certificate is a client certificate that is located in the certificate Store on the host under Local Computer >
    Personal > Certificates.
  • The host name can be found in the certificate as part of the certificate's subject alternative name (SAN). For
    example, DNS Name=Win7QA.qatest.com.
  • The agent must also be able to sign data using the certificate's private key, so the key usage must have "Digital
    Signature". This refers to the key usage, not the enhanced key usage.
• The certificate uploaded to FortiNAC's 'Persistent Agent Cert Check' target must be the CA certificate from the
  signer of the workstation authentication certificate.

In order to complete and pass this scan, server and endpoint clocks must be within 5 minutes of each other.
If scans are not passing, verify that both clocks are in sync.

To create a custom scan for a certificate check, enter the information shown in the table below into the custom scan
window after selecting the certificate check scan type.

Scan parameter Description

Label (required): This label appears in the results page information to identify which scan the host failed.

Web Address (optional): The URL of the page with information about this cert-check. If entered, this link appears on
the results page. This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Severity (required): The severity of the failure if the certificate is not on the host. See Severity level on page 278 for
more details.

CRL Revocation Checking (optional): If enabled, CRL revocation checking ensures the certificate has not been revoked
by the CA. If the certificate is revoked, the host fails the custom scan.
The application server must have access to the web server. When CRL verification is enabled, the server reads the CRL
distribution point URIs from the client certificate. The application server will directly download a CRL from an "http://"
URI, or indirectly download a CRL from an "ldap://" URI through your configured LDAP servers.

Extended Key Usage Restrictions (optional): If enabled, determines how the private key may be used. Multiple
extensions must be comma-separated. For example, if you select this option and enter "1.3.6.1.5.5.7.3.2,
1.3.6.1.5.5.7.3.1" as the specified extensions:
• Disabled - There are no restrictions on key usage extensions.
• All of - The certificate must include all of the specified extensions.
• Exactly - The certificate must include only the specified extensions.
• One or More of - The certificate must have at least one of the specified extensions.
• None of - The certificate may have extensions, but it must not have one of the specified extensions.
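The client-certificate requirements and the Extended Key Usage Restrictions modes above, applied to a certificate described as a plain dict, as an added Python example that is not FortiNAC code; the certificate, CA name, CRL contents and the sample_times helper are constructed, and the reading of "Exactly" as an exact set match is an assumption.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Added example, not FortiNAC code: applies the client-certificate requirements
# and Extended Key Usage Restrictions modes from the manual to a certificate
# described as a plain dict. The certificate, CA name and CRL are constructed.

CLOCK_TOLERANCE = timedelta(minutes=5)   # server and endpoint clocks must agree
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth, from the table's example
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth, from the table's example


def parse_eku_field(text: str) -> List[str]:
    """Split the comma-separated OIDs entered in the restriction field."""
    return [p.strip() for p in text.split(",") if p.strip()]


def eku_restriction_passes(cert_ekus: Iterable[str], mode: str, specified: Iterable[str]) -> bool:
    """Evaluate one Extended Key Usage Restrictions mode against the certificate."""
    have, want = set(cert_ekus), set(specified)
    if mode == "Disabled":
        return True
    if mode == "All of":
        return want <= have
    if mode == "Exactly":
        return have == want          # assumption: "only the specified" means the exact set
    if mode == "One or More of":
        return bool(have & want)
    if mode == "None of":
        return not (have & want)
    raise ValueError(f"unknown restriction mode {mode!r}")


def evaluate_cert_check(cert: Dict, hostname: str, trusted_ca: str,
                        server_time: datetime, endpoint_time: datetime,
                        crl_checking: bool = False, revoked_serials: Iterable[str] = (),
                        eku_mode: str = "Disabled", eku_specified: Iterable[str] = ()) -> List[str]:
    """Return the reasons the host fails the cert-check; an empty list means it passes."""
    failures = []
    if abs(server_time - endpoint_time) > CLOCK_TOLERANCE:
        failures.append("server and endpoint clocks differ by more than 5 minutes")
    if cert["issuer"] != trusted_ca:
        failures.append("not signed by the CA uploaded to the Persistent Agent Cert Check target")
    if hostname.lower() not in [n.lower() for n in cert["san_dns"]]:
        failures.append("host name not present in the certificate SAN")
    if "Digital Signature" not in cert["key_usage"]:
        failures.append("key usage lacks Digital Signature, so the agent cannot sign data")
    if crl_checking and cert["serial"] in set(revoked_serials):
        failures.append("certificate is listed on the CA's CRL")
    if not eku_restriction_passes(cert["eku"], eku_mode, eku_specified):
        failures.append(f"extended key usage restriction '{eku_mode}' not satisfied")
    return failures


# Constructed workstation certificate; the SAN mirrors the manual's example.
SAMPLE_CERT = {
    "issuer": "CN=qatest-CA",
    "san_dns": ["Win7QA.qatest.com"],
    "key_usage": {"Digital Signature", "Key Encipherment"},
    "eku": [EKU_CLIENT_AUTH],
    "serial": "1A2B3C",
}


def sample_times(skew_minutes: int = 0):
    """Constructed server/endpoint clock pair with the given skew in minutes."""
    server = datetime(2023, 3, 10, 9, 0, 0)
    return server, server + timedelta(minutes=skew_minutes)


if __name__ == "__main__":
    server, endpoint = sample_times(3)
    print(evaluate_cert_check(SAMPLE_CERT, "win7qa.qatest.com", "CN=qatest-CA",
                              server, endpoint) or "PASS")
```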

File scan

To create a custom scan for a specific file, enter the information shown in the table below into the custom scan window
after selecting the File scan type.

Scan parameter Description

Label: This label appears in the results page information to identify which scan the host failed.

Severity: The severity of the failure if the file is not on the host. See Severity level on page 278 for more details.

File Name: The name of the file being checked.

File Contains String: Enter the content that must be present within the file in order for the host to pass the scan (e.g.,
the version number of a product in a configuration file). When the information is found, the host passes the scan. If the
information is not found, the host fails the scan.
Requires Agent 4.0.4 or greater.

Registry Key: To speed up the search for a file you can first check the registry to determine the folder in which the file
is installed. In this field you would enter the section of the registry where the information about the file you seek
resides.
For example, if you want to make sure that Windows Messenger is installed on the host, the scan needs to look for
msmsgs.exe. Enter the registry key that points to the Value Name containing the location of msmsgs.exe, such as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService

Registry Value Name: The Value Name that contains the path to the file the custom scan is seeking.
To continue the example above, the Registry Key listed in the previous field tells the custom scan the part of the
registry to access to determine where msmsgs.exe is installed. Once the custom scan is looking in the correct section,
it needs to know the specific "container" or Value Name in the registry that has the path to msmsgs.exe, such as:
InstallationDirectory
The custom scan can begin its search in the directory specified in the "InstallationDirectory" Value Name, such as:
"C:\Program Files\Messenger"

Execute: Default = No. Select Yes to run the file when it is located.

Command-Line Options: Command line options to be used when executing the file.

Wait for Execution to Complete Before Continuing: Default = No. If set to Yes, the scan waits until the execution of the
program is complete before continuing.

File Version (>=): The version number of the file has to be greater than or equal to the version number entered here.

Web Address: The URL of the page with information about this file. If entered, this link appears on the Results page.
This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Windows OS: Select the check box next to the version(s) of Windows for which this file is required.

Prohibit this product: If the file is found and this is set to true, the host fails the scan for a prohibited product.
Default = false.

Registry keys

To create a custom scan for a specific registry key, enter the information shown in the table below into the custom scan
window after selecting the registry keys scan type.

Scan parameter Description

Label: This label appears in the results page information to identify which scan the host failed.

Web Address: The URL of the page with information about this registry key. If entered, this link appears on the results
page. This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Severity: The severity of the failure if the key is not on the host. See Severity level on page 278 for more details.

Hive: The name of the hive to be searched. Supported hives are:
• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_USERS
• HKEY_CURRENT_CONFIG
Scanning for registry keys in the HKEY_CURRENT_USER hive will not be successful because the user running the
Persistent Agent differs from the user logged on to the host.

Key Name: Name of the Registry Key that contains the value being located.

Value Name: The Value Name to be located.

Type:
• REG_SZ
• REG_DWORD
You must enter the REG_DWORD setting as a decimal value, not hexadecimal.

Data: The data to be contained in the selected type.

Action: Select an action from the drop-down list:
• Match Value Exactly: The Value Name is used as a path to find the specified Key Name in the tree. Data listed in the
  scan is compared to the data on the key. If the value and data in the key are exact matches to the specified entries,
  the scan passes. Otherwise, it fails.
• Search keys and values: The Key Name is used as a starting point. The search is for whatever is contained in Data.
  The data must be found in a key name, a Value name, or the data of all sub-keys of the key entered.
• Value contains Data: The Value Name is used as a path to find the specified Key Name in the tree. Data listed in the
  scan is compared to the data in the value. If the contents of the value contain the data, the scan passes. Otherwise,
  it fails.
• Key has a value: The Value Name is used as a path to find the specified Key Name in the tree. If the key is found by
  using the name in the value and the data is not empty, the scan passes. Otherwise, it fails.
• Sets the value (Use Caution): When checked, this scan ALWAYS PASSES. The scan checks to see if the key exists in
  the registry. If it does, the scan overwrites the key to have the specified data. If it does not exist, the scan creates the
  key and sets the data as specified.
When the Type is REG_DWORD, the only actions available are Match Value and Sets the value (Use Caution).

Example:
Hive Name: HKEY_LOCAL_MACHINE
Key Name: SOFTWARE\Widgets\Setup
Value Name: Version
Data: 1.0

DWORD Comparison Operation: This field is enabled only when Type is set to REG_DWORD and Action is set to Match
Value. The operator selected here is used in the comparison of the value in the Data field to the Data value in the
registry. For example, if this field is set to = then both values must match exactly. If the operator is set to >= the Data
value in the host registry must be greater than or equal to the Data value in the custom scan.

Prohibit: If the Registry Key is found and this is set to True, the host fails the scan for a prohibited product.
Default = False.

Require for Windows...: Select the check box next to the version(s) of Windows OS for which this key is required.
You must select the OS within the custom scan to apply the scan to hosts with the selected OS.
If you do not select an OS in the custom scan and the host has that OS, the host automatically passes the general scan.

HotFixes

You can create a custom scan for a specific HotFix. Enter the information shown in the table below into the custom scan
window after selecting the HotFix scan type.
As a best practice, add HotFix custom scans to a particular operating system within a general scan. If you enable the
HotFix custom scan at the Scan level, every host that is evaluated by the scan is also scanned for the HotFix. Since
HotFixes are operating system specific you could inadvertently deny access to the network to many hosts.

Scan parameter Description

Label: Label in the results page information identifying which scan the host failed.

Web Address: The URL of the page with information about this HotFix. If entered, this link appears on the results page.
This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Severity: The severity of the failure if the HotFix is not on the host. See Severity level on page 278 for more details.

HotFix ID: The name of the HotFix, such as KB123456.

Bypass Service Pack (>=): Select the Bypass Service Pack check box to display a text field. Enter the numeric value for
the Service Pack level in this field.
The host must have the specified hotfix (HotFix ID above) OR a service pack level equal to or greater than the set value
to pass the scan.

Require for Windows...: Select the check box next to the version(s) of Windows for which this HotFix is required.

Registry version

Create a custom scan to verify that a specific version of an application, such as Internet Explorer, is installed on the host.
Enter the information shown in the table below into the custom scan window after selecting the Registry-Version scan
type. When the scan runs, the registry is checked to see if the installed application has the required version.

Scan parameter Description

Label: This label appears in the results page information to identify which scan the host failed.

Web Address: The URL of the page with information about this registry version. If entered, this link appears on the
results page. This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Severity: The severity of the failure if the required program version is not on the host. See Severity level on page 278
for more details.

Hive: The name of the Hive to be searched. Supported hives are:
• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_LOCAL_MACHINE
• HKEY_USERS
• HKEY_CURRENT_CONFIG

Key Name: Name of the Registry Key that contains the value being searched for.

Value Name: The Value Name that must be in the key entry.

Version: The Version that must be in the key entry.

Operation: Select an Operator for the version number:
• >
• =
• >=

Prohibit: If the Registry Key is found and this is set to True, the host fails the scan for a prohibited product.
Default = False.

Version Delimiter: The character that separates the components of the version number.

Require for Windows...: Select the check box next to the version(s) of Windows for which this key is required.
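The Registry-Keys actions (Match Value Exactly, Search keys and values, Value contains Data, Key has a value, Sets the value, the DWORD Comparison Operation and Prohibit) and the Registry-Version Operation and Version Delimiter fields, exercised against a registry modelled as nested dicts, as an added Python example that is not FortiNAC code; HKEY_LOCAL_MACHINE\SOFTWARE\Widgets\Setup with Version 1.0 is the manual's own example, while the Build value, the sample_registry helper and the DWORD operators beyond = and >= are constructed assumptions.

```python
import operator
from typing import Dict, Optional

# Added example, not FortiNAC code: a Windows registry modelled as nested dicts
# so the Registry-Keys actions and the Registry-Version comparison described in
# the manual can be exercised offline. HKEY_LOCAL_MACHINE\SOFTWARE\Widgets\Setup
# and Version=1.0 come from the manual's example; the Build value is constructed.

def _node() -> Dict:
    return {"values": {}, "subkeys": {}}

def _get_key(registry: Dict, hive: str, key_name: str) -> Optional[Dict]:
    node = registry.get(hive)
    for part in key_name.split("\\"):
        if node is None:
            return None
        node = node["subkeys"].get(part)
    return node

def _ensure_key(registry: Dict, hive: str, key_name: str) -> Dict:
    node = registry.setdefault(hive, _node())
    for part in key_name.split("\\"):
        node = node["subkeys"].setdefault(part, _node())
    return node

def _search(node: Dict, text: str) -> bool:
    """Search keys and values: text must occur in a key name, a value name or
    value data anywhere below the starting key."""
    for vname, (_, vdata) in node["values"].items():
        if text in vname or text in str(vdata):
            return True
    return any(text in kname or _search(child, text)
               for kname, child in node["subkeys"].items())

# DWORD Comparison Operation: the manual documents = and >=; the rest are assumed.
DWORD_OPS = {"=": operator.eq, ">=": operator.ge, ">": operator.gt,
             "<=": operator.le, "<": operator.lt}
VERSION_OPS = {">": operator.gt, "=": operator.eq, ">=": operator.ge}

def registry_key_scan(registry, hive, key_name, value_name, vtype, data, action,
                      dword_op="=", prohibit=False) -> bool:
    """True when the host passes a Registry-Keys custom scan (may modify registry)."""
    if vtype == "REG_DWORD":
        if action not in ("Match Value Exactly", "Sets the value"):
            raise ValueError("REG_DWORD supports only Match Value and Sets the value")
        data = int(str(data), 10)     # must be entered as decimal, not hexadecimal
    if action == "Sets the value":    # always passes: creates or overwrites the value
        _ensure_key(registry, hive, key_name)["values"][value_name] = (vtype, data)
        return True
    key = _get_key(registry, hive, key_name)
    entry = key["values"].get(value_name) if key else None
    if key is None:
        found = False
    elif action == "Search keys and values":
        found = _search(key, str(data))
    elif entry is None:
        found = False
    elif action == "Match Value Exactly":
        host_data = entry[1]          # host value is compared against the scan's Data
        found = (DWORD_OPS[dword_op](host_data, data) if vtype == "REG_DWORD"
                 else host_data == data)
    elif action == "Value contains Data":
        found = str(data) in str(entry[1])
    elif action == "Key has a value":
        found = entry[1] not in ("", None)
    else:
        raise ValueError(f"unknown action {action!r}")
    return not found if prohibit else found   # Prohibit: found means fail

def _version_parts(text: str, delimiter: str, width: int):
    parts = [int(p) for p in text.split(delimiter)]
    return tuple(parts + [0] * (width - len(parts)))   # pad so 1.0 equals 1.0.0

def registry_version_scan(registry, hive, key_name, value_name, version,
                          operation, delimiter=".", prohibit=False) -> bool:
    """True when <installed version> <operation> <required version> holds."""
    key = _get_key(registry, hive, key_name)
    entry = key["values"].get(value_name) if key else None
    if entry is None:
        found = False
    else:
        installed = str(entry[1])
        width = max(len(installed.split(delimiter)), len(version.split(delimiter)))
        found = VERSION_OPS[operation](_version_parts(installed, delimiter, width),
                                       _version_parts(version, delimiter, width))
    return not found if prohibit else found

def sample_registry() -> Dict:
    """Constructed host registry containing the manual's example key."""
    reg: Dict = {}
    setup = _ensure_key(reg, "HKEY_LOCAL_MACHINE", "SOFTWARE\\Widgets\\Setup")
    setup["values"]["Version"] = ("REG_SZ", "1.0")
    setup["values"]["Build"] = ("REG_DWORD", 42)   # constructed DWORD value
    return reg
```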

Processes

Create a custom scan for a specific process. Process names for various applications may differ between operating
systems. Enter the process name for each OS if this is the case. Enter the process name(s) information into the custom
scan window for processes.
If you do not want to scan for a process on a particular operating system, leave the corresponding field blank. When you
click Apply, FortiNAC fills each blank field with the word SYSTEM. This indicates that the corresponding operating
system should be passed for this scan.

Scan parameter Description

Label: This label appears in the results page information to identify which scan the host failed.

Web Address: The URL of the page with information regarding this process. If entered, this link appears on the results
page. This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Severity: The severity of the failure if the process is not running on the host. See Severity level on page 278 for more
details.

Process Name for ...: Enter the name of the process that is required for the specific operating system(s).

Prohibited processes

Create a custom scan to prohibit a specific process on a host with selected operating system(s). Process names for
various applications may differ between operating systems. Enter the process name for each OS if this is the case. Enter
the process name(s) information into the custom scan window for prohibited processes.

Scan parameter Description

Label: This label appears in the results page information to identify which scan the host failed.

Web Address: The URL of the page with information regarding this prohibited process. If entered, this link appears on
the results page. This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Severity: The severity of the failure if the prohibited process is running on the host. See Severity level on page 278 for
more details.

Process Name for ...: Enter the name of the process that is prohibited for the specific operating system(s).

Domain verification/Domain check

Create a custom scan to verify that a host has joined the appropriate domain when it connected to the network. Domain
names may differ between operating systems. Enter a comma separated list of domain names for each OS. Attach this
custom scan to any Policies that require domain verification. A host will pass this scan if it is joined with any domain
contained in the list for the host's operating system.

Scan parameter Description

Label: This label appears in the results page information to identify which scan the host failed.

Web Address: The URL of the page with information regarding domain verification. If entered, this link appears on the
results page. This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Severity: The severity of the failure if the host is not part of any of the domains specified. See Severity level on page
278 for more details.

Domain Names for ...: Enter a comma separated list of the NetBIOS domain names that are required or permitted for the
specific operating system(s).

Prohibited domain verification

Create a custom scan to verify the domain a host is attempting to join and prohibit access to the network based on that
domain. Domain names may differ between operating systems. Enter a comma separated list of domain names for each
OS. Attach this custom scan to any general scan to prevent access based on domain verification. A host will fail this
scan if it is joined with any domain contained in the list for the host's operating system.
Requires Agent Version 2.2.2 or higher. Using a lower version of the agent causes all hosts to pass the scan regardless
of the domain returned.

Scan parameter Description

Label: This label appears in the results page information to identify which scan the host failed.

Web Address: The URL of the page with information regarding domain verification. If entered, this link appears on the
results page. This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Severity: The severity of the failure if the host is part of any of the domains specified. See Severity level on page 278
for more details.

Domain Names for ...: Enter a comma separated list of the NetBIOS domain names that are prohibited for the specific
operating system(s).

Service

You can create a custom scan to check the status of a Windows Service. Enter the information shown in the table below
into the custom scan window after selecting the Service scan type.

Scan parameter Description

Label: This label appears in the results page information to identify which scan the host failed.

Severity: The severity of the failure if the service is not in the desired state on the host. See Severity level on page 278
for more details.

Service Name: The name of the service on the Windows OS. To retrieve the service name, open the Microsoft
Management Console Local Services view. See Find the service name on page 271 for information on how to locate the
Service Name on your system.

Desired State: Select the state of the service on the host to be scanned. Select Running to indicate the host must be
running the service. Select Stopped to indicate the host must not be running the service.

Web Address: The URL of the page with information about this service. If entered, this link appears on the Results
page. This is a user created web page. It must be stored in:
/bsc/Registration/registration/site
When completing this field you must enter part of the path for the page, not just the page name, such as:
site/pagename.jsp

Find the service name

1. Open Microsoft Management Console on your system.
2. Navigate to the Local Services view.
3. Right-click the service you want to create the custom scan for, and click Properties.
4. Find the service name in the Properties view and enter it in the Service Name field of the custom scan.

macOS

The custom scans feature allows you to search host computers for very specific information. Custom scans must be
created separately for different operating systems. Within each operating system, there are different types of scans that
can be created. Refer to Add A macOS Custom Scan below for a list of scan types and general instructions on adding
scans. Refer to the instructions for each scan type for field level information. You can modify or remove the scans at any
time. When a custom scan is modified, it affects any existing general scans that use that custom scan.

Add a custom scan

1. Click Policy & Objects.


2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. Click Custom Scans.
5. Select Add.
6. Select macOS from the Operating System drop-down list.
7. Select the type of scan desired. Each scan type has a special set of fields that are specific to that type. Use the table
below for settings.

Scan Type Description

File: Test for the existence of a specific file on the host. See File scan settings on page 272.

FortiNAC F 7.2.0 Manager Guide 271


Fortinet Inc.
Package: Test for the existence of a specific installer package on the host. An inclusive range of macOS versions can be specified for this scan. See Package scan settings on page 272.

Processes: Test for the existence of a specific process. See Processes scan settings on page 273.

Prohibited-Processes: Test for the existence of a specific prohibited process. See Prohibited processes scan settings on page 274.

8. Enter the Name for the custom scan.
9. Enter the information for the custom scan.
10. Click OK.
11. The name of the custom scan will now appear in the Custom Scans section for each macOS scan and can be selected as part of the creation or modification of the general scan parameters.

File scan settings

To create a custom scan for a specific file, enter the information shown in the table below into the custom scan window
after selecting the File scan type.

Scan Parameter Description

Label: This label appears in the Results page information to identify which scan the host failed.

Severity: The severity of the failure if the file is not on the host. If you select Required and the file does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level on page 278 for more details.

File Name: The name of the file being checked for on the host.

Starting Path: The search for the file starts with the directory indicated here and includes all subdirectories and files. Important: Use the forward slash (/) to delimit directory names. Do NOT use a colon (:).

Web Address: The URL of the page with information regarding this file. If entered, this link appears on the Results page. This is a user-created web page. It must be stored in /bsc/Registration/registration/site. When completing this field, you must enter part of the path for the page, not just the page name, such as site/pagename.jsp.

Prohibit this product: If the file is found and this is set to true, the host fails the scan for a prohibited product. Default = false.

Package scan settings

To create a custom scan for a specific installer package, enter the information shown in the table below into the custom
scan window after selecting the Package scan type.

Use this custom scan to check whether particular updates or patches have been applied to the host.

If the package name is installed on a host with an OS version outside the range, the host will
pass the scan.

Scan Parameter Description

Label: This label appears in the Results page information to identify which scan the host failed.

Severity: The severity of the failure if the package is not on the host. If you select Required and the package does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level on page 278 for more details.

Package Name: The name of the installer package being searched for on the host, in the form name.pkg. The custom scan searches the /Library/Receipts directory for install receipts.

Minimum macOS Version: The inclusive minimum version of the macOS software.

Maximum macOS Version: The inclusive maximum version of the macOS software.

Web Address: The URL of the page with information regarding this installer package. If entered, this link appears on the Results page. This is a user-created web page. It must be stored in /bsc/Registration/registration/site. When completing this field, you must enter part of the path for the page, not just the page name, such as site/pagename.jsp.

Processes scan settings

To create a custom scan for a specific process, enter the information shown in the table below into the custom scan
window after selecting the Processes scan type.

Scan Parameter Description

Label: This label appears in the Results page information to identify which scan the host failed.

Web Address: The URL of the page with information regarding this process. If entered, this link appears on the Results page. This is a user-created web page. It must be stored in /bsc/Registration/registration/site. When completing this field, you must enter part of the path for the page, not just the page name, such as site/pagename.jsp.

Severity: The severity of the failure if the process is not running on the host. If you select Required and the process does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level on page 278 for more details.

Process Name: The name of the process being scanned for on the host. This name is seen when you use ps at the command line. This is not necessarily the name in the Activity Monitor list. For example, iChat, iChatAgent, iTunes, iTunesHelper.

Prohibited processes scan settings

To create a custom scan for a specific prohibited process, enter the information shown in the table below into the custom
scan window after selecting the Prohibited Processes scan type.

Scan Parameter Description

Label: This label appears in the Results page information to identify which scan the host failed.

Web Address: The URL of the page with information regarding this prohibited process. If entered, this link appears on the Results page. This is a user-created web page. It must be stored in /bsc/Registration/registration/site. When completing this field, you must enter part of the path for the page, not just the page name, such as site/pagename.jsp.

Severity: The severity of the failure if the prohibited process is running on the host. If you select Required and the prohibited process does exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level on page 278 for more details.

Process Name: Name of the prohibited process being scanned for on the host.

Linux

The custom scans feature allows you to search host computers for very specific information. Custom scans must be
created separately for different operating systems. Within each operating system, there are different types of scans that
can be created. Refer to Add A Linux Scan below for a list of scan types and general instructions on adding scans.
Refer to the instructions for each scan type for field level information. You can modify or remove the scans at any time.
When a custom scan is modified it affects any existing general scans that use that custom scan.

Add a custom scan

1. Click Policy & Objects.
2. Expand Endpoint Compliance.
3. Click the Scans option to select it.
4. At the bottom of the window, click Custom Scans.
5. Select Add.

6. Select Linux from the Operating System drop-down list.
7. Select the type of scan desired. Each scan type has a special set of fields that are specific to that type. Use the table
below for settings.

Scan Type Description

File: Test for the existence of a specific file on the host. See File scan settings on page 275.

Package: Test for the existence of a specific rpm/deb package on the host. See Package scan settings on page 276.

Processes: Test for the existence of a specific process. See Processes scan settings on page 276.

Prohibited-Processes: Test for the existence of a specific prohibited process. See Prohibited processes scan settings on page 277.

Script: Allows users to upload a script to FortiNAC to be executed on the host. See Script settings on page 277.

8. Enter the Name for the custom scan.
9. Enter the information for the custom scan.
10. Click OK.
The name of the custom scan will now appear in the Custom Scans section for each Linux scan and can be selected as part of the creation or modification of the general scan parameters.

File scan settings

To create a custom scan for a specific file, enter the information shown in the table below into the custom scan window
after selecting the File scan type.

Scan Parameter Description

Label: This label appears in the Results page information to identify which scan the host failed.

Severity: The severity of the failure if the file is not on the host. If you select Required and the file does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level on page 278 for more details.

File Name: The name of the file being checked for on the host.

Starting Path: The search for the file starts with the directory indicated here and includes all subdirectories and files. Important: Use the forward slash (/) to delimit directory names. Do NOT use a colon (:).

Web Address: The URL of the page with information regarding this file. If entered, this link appears on the Results page. This is a user-created web page. It must be stored in /bsc/Registration/registration/site. When completing this field, you must enter part of the path for the page, not just the page name, such as site/pagename.jsp.

Prohibit this product: If the file is found and this is set to true, the host fails the scan for a prohibited product. Default = false.

Package scan settings

To create a custom scan for a specific rpm or deb package, enter the information shown in the table below into the
custom scan window after selecting the Package scan type.
Use this custom scan to check whether particular updates or patches have been applied to the host.

Scan Parameter Description

Label: This label appears in the Results page information to identify which scan the host failed.

Severity: The severity of the failure if the package is not on the host. If you select Required and the package does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level on page 278 for more details.

Package Name: The name of the rpm or deb package being searched for on the host. The custom scan runs rpm or dpkg commands to search for installed packages.

Version: The inclusive minimum version of the Linux software.

Web Address: The URL of the page with information regarding this rpm or deb package. If entered, this link appears on the Results page. This is a user-created web page. It must be stored in /bsc/Registration/registration/site. When completing this field, you must enter part of the path for the page, not just the page name, such as site/pagename.jsp.

Processes scan settings

To create a custom scan for a specific process, enter the information shown in the table below into the custom scan
window after selecting the Processes scan type.

Scan Parameter Description

Label: This label appears in the Results page information to identify which scan the host failed.

Web Address: The URL of the page with information regarding this process. If entered, this link appears on the Results page. This is a user-created web page. It must be stored in /bsc/Registration/registration/site. When completing this field, you must enter part of the path for the page, not just the page name, such as site/pagename.jsp.

Severity: The severity of the failure if the process is not running on the host. If you select Required and the process does not exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level on page 278 for more details.

Process Name: The name of the process being scanned for on the host. This name is seen when you use ps at the command line.

Prohibited processes scan settings

To create a custom scan for a specific prohibited process, enter the information shown in the table below into the custom
scan window after selecting the Prohibited Processes scan type.

Scan Parameter Description

Label: This label appears in the Results page information to identify which scan the host failed.

Web Address: The URL of the page with information regarding this prohibited process. If entered, this link appears on the Results page. This is a user-created web page. It must be stored in /bsc/Registration/registration/site. When completing this field, you must enter part of the path for the page, not just the page name, such as site/pagename.jsp.

Severity: The severity of the failure if the prohibited process is running on the host. If you select Required and the prohibited process does exist, the host fails the custom scan. If you select Warning, the host passes the custom scan and a Policy Warning event is generated. This event can be mapped to an alarm and set to notify the Administrator. See Severity level on page 278 for more details.

Process Name: Name of the prohibited process being scanned for on the host.

Script settings

To create a custom scan for a specific script, enter the information shown in the table below into the custom scan window
after selecting the Script scan type.

Scan Parameter Description

Label: This label appears in the Results page information to identify which scan the host failed.

Upload Script: Users can select a script to upload to FortiNAC. The name of the uploaded script appears in the text field.

Return Value: The value that the script must return after the agent executes the script.

Web Address: The URL of the page with information regarding this prohibited process. If entered, this link appears on the Results page. This is a user-created web page. It must be stored in /bsc/Registration/registration/site. When completing this field, you must enter part of the path for the page, not just the page name, such as site/pagename.jsp.
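
The Linux Package scan described above runs rpm or dpkg queries against a minimum version, and the Script scan hands the agent an uploaded script whose return value decides the result. As an added example (not Fortinet's code), the POSIX shell script below could be uploaded as such a Script scan to enforce a minimum package version, falling back to a pure-shell version comparison on hosts without dpkg --compare-versions. It assumes the agent runs the script with /bin/sh and that the Return Value field is matched against the exit status (0 = compliant); the package name openssl and version 3.0.2 are constructed sample values.

```shell
#!/bin/sh
# Hypothetical compliance script for a FortiNAC Linux "Script" custom scan.
# Added example, not Fortinet's code. Assumptions: the agent runs it with /bin/sh
# and the scan's "Return Value" is compared against the exit status (0 = pass,
# 1 = fail). The package name and minimum version are constructed sample values
# and can be overridden on the command line.
PKG="${1:-openssl}"
MIN_VERSION="${2:-3.0.2}"

# split_version VERSION -> prints "EPOCH UPSTREAM". Epoch defaults to 0; the
# Debian revision (-...), rpm release, and +/~ suffixes are dropped. This is a
# simplification of dpkg's ordering (e.g. "1.0~rc1" is treated as 1.0).
split_version() {
    v="$1"
    case "$v" in *:*) e="${v%%:*}"; v="${v#*:}" ;; *) e=0 ;; esac
    v="${v%%-*}"; v="${v%%+*}"; v="${v%%~*}"
    printf '%s %s\n' "$e" "$v"
}

# version_ge_posix HAVE WANT -> succeeds when HAVE >= WANT: epoch first, then
# each dot-separated component numerically (a tail such as "2a" counts as 2,
# a missing component as 0, so 1.2 < 1.2.1).
version_ge_posix() {
    set -- $(split_version "$1") $(split_version "$2")
    he="$1"; have="$2"; we="$3"; want="$4"
    if [ "$he" -gt "$we" ]; then return 0; fi
    if [ "$he" -lt "$we" ]; then return 1; fi
    while [ -n "$have" ] || [ -n "$want" ]; do
        h="${have%%.*}"; w="${want%%.*}"
        case "$have" in *.*) have="${have#*.}" ;; *) have="" ;; esac
        case "$want" in *.*) want="${want#*.}" ;; *) want="" ;; esac
        h="${h%%[!0-9]*}"; w="${w%%[!0-9]*}"
        if [ "${h:-0}" -gt "${w:-0}" ]; then return 0; fi
        if [ "${h:-0}" -lt "${w:-0}" ]; then return 1; fi
    done
    return 0
}

# version_ge HAVE WANT -> prefer dpkg's own comparison when it is available.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        version_ge_posix "$1" "$2"
    fi
}

# installed_version PKG -> prints the installed version, or nothing if absent.
# A Debian package in "rc" state (removed, config files left) still carries a
# version, so the status field is checked to avoid a false pass.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Status} ${Version}\n' "$1" 2>/dev/null |
            awk '$3 == "installed" { print $4 }'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q "$1" >/dev/null 2>&1 &&
            rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" | head -n 1
    fi
}

# check_package PKG MIN -> 0 when PKG is installed at MIN or newer, else 1.
check_package() {
    have=$(installed_version "$1")
    if [ -z "$have" ]; then
        echo "FAIL: $1 is not installed"
        return 1
    fi
    if version_ge "$have" "$2"; then
        echo "PASS: $1 $have >= $2"
        return 0
    fi
    echo "FAIL: $1 $have < $2 (minimum)"
    return 1
}

# The script's exit status is check_package's return value, which the scan's
# Return Value field is assumed to match (0 = compliant).
check_package "$PKG" "$MIN_VERSION"
```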

Severity level

You can configure custom scans with a Severity Level setting. The Severity Level controls whether a host loses access
to the network or only receives a warning when it is not in compliance with the scan. When the host fails a custom scan
with a severity level set to warning, the experience varies, depending on the type of security agent that is being used.

Required

When a custom scan severity level is set to Required, if the host fails the scan, the host is set to At Risk. The browser is
redirected to a web page that contains details about the requirements the host failed. The host self-remediates (corrects
the issues causing the failure) and rescans until it meets all requirements. When the host passes the requirements, it is
moved to the production network.
The Scan Results section of the Health tab on the Host Properties window shows a Failed or Passed result. See Host
health and scanning on page 135.

Warning

When the host fails a custom scan with a severity level set to Warning, the experience will vary depending on the type of
security agent that is being used.

Dissolvable Agent

When a host fails the scan, the browser is redirected to a web page that contains details about the requirements the host
failed. The web page is divided into two sections. One section contains required severity level items the host failed; the
other contains warning severity level items the host failed.
If the host failed only warning severity level items, a Register Now button is available on the web page. The user clicks
the button and is moved to the Success web page.
If the host failed required and warning severity level items, the host must self-remediate until all items in the Required
section are corrected. When only Warning level items are listed in the Warning section of the web page, the Register
Now button becomes available. The user clicks the button and is moved to the Success web page. The host is not fully
compliant with the endpoint compliance policy, but is allowed on the production network.

Persistent Agent

If the host fails the scan for only items with the severity level set to warning, a Warning message is sent to the host and
the host is moved to the production network.
If the host fails items with severity levels set to Required and Warning, the host is moved to the remediation network. The
browser is redirected to a web page containing details about the requirements the host failed. The web page is divided
into two sections. One section contains Required severity level items the host failed; the other contains Warning severity
level items the host failed.

The host must self-remediate until all items in the Required section are corrected. When the only items listed are in the
section containing the failures for severity level set to Warning, the user receives a warning message that his computer is
not fully compliant with the endpoint compliance policy. The host is then allowed on the production network.
Configure the Warning message in System > Settings > Persistent Agent > Properties. See Security management
on page 1.
The Scan Results section of the Health tab on the Host Properties window shows a warning result. See Host health
and scanning on page 135.

Use case

The company network rules prohibit registered hosts on the network from having LimeWire installed on the host. Hosts
are required to have a Persistent Agent and are scanned daily to maintain compliance. If LimeWire is installed, the host
will receive three warnings before being removed from the network.
To set up a custom scan to enforce this rule:
1. Create a custom scan for a registry key, enter the details for LimeWire, set Prohibit to True, and set the Severity Level to Warning. See Windows on page 261 or macOS on page 271.
2. Create a regular scan and enable the custom scan within that scan. See Add or modify a scan on page 247.
3. Schedule the regular scan to be rerun daily. See Schedule a scan on page 255.
4. Create an endpoint compliance policy that contains the regular Scan. See Endpoint compliance policies on page
231.
5. Map the Security Risk Host event to an alarm that will take action on the third occurrence of the event, and set the
host At Risk and Send a message. See Add or modify alarm mapping on page 337.
6. Configure the Persistent Agent Properties Warning message block. See Security management on page 1.
7. Configure the web page that the host will be redirected to when moved to Remediation. The web page used is
created outside the program. In order to keep this page from being overwritten during an upgrade, it should be
stored in /bsc/Registration/registration/site. Then, return to your custom scan and modify it to contain
the new web address.
   If the host fails the scan the first two times, the Warning message is sent. On the third failure, the host is sent the Warning message, is marked At Risk, and moved to Remediation. The web page informs the user about the failure to meet policy requirements. The host self-remediates and rescans. When the host passes the policy, the host is moved back to the production network.

Scan parameters

Endpoint compliance policies used to scan your hosts for compliance have many variables for which the host can be scanned. For the antivirus and operating system variables, you can narrow the scan by setting custom parameters. For example, when scanning for a particular operating system you can require that the operating system be at Service Pack 4 or higher.
Any parameter that you modify will no longer be updated by the Auto-Def Updates scheduled task. That task updates the
list of antivirus and operating systems for which you can scan. It also modifies parameters associated with each of those
items to force hosts to use the most recent definitions for antivirus and to have installed the latest updates to the
operating system.
This section provides details about each type of variable and the detailed parameters within that can be set to narrow
your scan further.

Antivirus parameters - Windows

The table below provides an alphabetical list of all the possible parameters that can be configured for antivirus software for Windows. Only some of these parameters are used for any given antivirus program.

Check with your vendor for the required format. Formats for dates, version numbers, .dat files,
etc. change frequently and vary by product.

Default parameter values are entered and updated automatically by the scheduled Auto-Def
Updates. If the values have been manually edited, the Auto-Def Updates will not override
those changes.

Settings

Parameter Description Typical options

AntiVirus definition Date: The date of the required AntiVirus definition files. Typical options: YYYY-MM-DD

AntiVirus Engine: The version number of the required AntiVirus Engine. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Client Security Antimalware Service must be running: Select a setting. Typical options: Enabled or disabled

Client Security State Assessment Service must be running: Select a setting. Typical options: Enabled or disabled

Custom Scans: Select the custom scans that you want to implement for the product. Typical options: Custom scans

Daily Virus Definition: The version of the required daily definition files. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Definitions Label: Enter the label for the Definitions Web Address. Typical options: Text entry

Definitions Web Address: Enter the URL for the web page where the updated definitions for the selected product can be located and downloaded. When a host fails the scan this URL appears in the Failed Policy Results view. Typical options: URL

Definitions Version: The version of the required definition files. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Engine Version: The number of the required engine version. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Engine Version Label: Enter the label for the Engine Version Web Address. Typical options: Text entry

Engine Version Web Address: Enter the URL for the web page where the updated engine version for the selected product can be located and downloaded. When a host fails the scan this URL appears in the Failed Policy Results view. Typical options: URL

Label: Enter a label. This label will appear on the Results panel to identify which scan the host failed. Typical options: Text entry

Macro Definition: The date of the required macro definition files. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: YYYY-MM-DD; operator >, =, >=

Main Virus Definition: The version of the required main definition files. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Minimum Engine Version: Minimum engine version required to pass the scan. Typical options: **

Operational Label: Enter a label. This label will appear on the Results panel to identify that an operational state did not meet the requirement. Typical options: Text entry

Operational Web Address: Enter the URL of the web page that displays information about the product when the host fails the scan because the Client Security State Assessment or Antimalware Service operational state did not meet the requirement. Typical options: URL

Operator (applies to all): The Engine version and definition (Virus and Spyware) values found on the host must be greater than, equal to, or greater than or equal to the value(s) entered. Typical options: >, =, >=

Products to Detect: Select which products you wish to include in the scan. All products are selected by default. Note: Scan results show the group name (label) only, not the specific AV/AS product. The scan will either pass or fail for the group (label).

Program Version: The version number of the program. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Program Version Label: Enter the label for the Program Version Web Address. Typical options: Text entry

Program Version Web Address: Enter the URL for the web page where the required version can be located and downloaded. When a host fails the scan this URL appears in the Failed Policy Results view. Typical options: URL

Prohibit this Product: Set this option to true if you want to prohibit the installation of this product. If this product is installed, the scan fails. Typical options: true or false

Protection Updates: The date of the required Protection Updates file. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: YYYYMMDD; operator >, =, >=

Protection Updates Label: Enter the label for the Protection Updates Web Address. Typical options: Text entry

Protection Updates Web Address: Enter the URL for the web page where the Protection Updates can be located and downloaded. When a host fails the scan this URL appears in the Failed Policy Results view. Typical options: URL

Signature Version: The build number or date and build number of the required signature file. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Signature Version Label: Label for the Signature Version Web Address. Typical options: Text entry

Signature Version Web Address: Enter the URL for the web page where the required signature version can be located and downloaded. When a host fails the scan this URL appears in the Failed Policy Results view. Typical options: URL

Spyware Definition: Number of the required spyware definition file. Typical options: **

Version: The number of the required virus definition file. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Version Label: Enter the label for the Version Web Address. Typical options: Text entry

Version Web Address: Enter the URL for the web page where the required version can be located and downloaded. When a host fails the scan this URL appears in the Failed Policy Results view. Typical options: URL

Virus Definition: Used to identify the virus definition version installed. May be the name of the definition file, the date of the file, a version number, etc. Select the operator that will apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Virus Definition VDF Label: The label for the VDF web address. Typical options: Text entry

Virus Definition VDF Web Address: The URL for the web page where updated definitions can be located and downloaded. Supply a local or Internet URL. This URL will be displayed on the Failed Policy Results view if the host fails the scan. Typical options: URL

Virus Signature: The date of the required virus signature. Typical options: YYYY-MM-DD

Web Address: Enter the URL of the web page that displays information about the product if the host fails the scan. Typical options: URL

Windows Operating System: Select any or all Windows operating systems required for the selected product.

Software specific parameters

Eset-NOD32 Minimum Scanner Version (nod32.exe): The number of the required scanner version of the file nod32.exe. Typical options: **

Antivirus parameters - macOS

The table below provides an alphabetical list of all the possible parameters that can be configured for antivirus software for macOS. Only some of these parameters are used for any given antivirus program.

Check with your vendor for the required format. Formats for dates, version numbers, .dat files,
etc. change frequently and vary by product.

Default parameter values are entered and updated automatically by the scheduled Auto-Def
Updates. If the values have been manually edited, the Auto-Def Updates will not override
those changes.

Settings

Parameter Description Typical options

Definitions Label: Enter the label for the Definitions Web Address. Typical options: Text entry

Definitions Web Address: Enter the URL for the web page where the updated definitions for the selected product can be located and downloaded. When a host fails the scan this URL appears in the Failed Policy Results view. Typical options: URL

Engine Version Web Address: Enter the URL of the web page where information about the engine version is displayed if the host fails the scan. Typical options: URL

Engine Version Label: Enter the label for the Engine Version Web Address. Typical options: Text entry

Label: Enter a label. This label appears in the Results page information to identify which scan the host failed. Typical options: Text entry

Program Version: The number of the required version. Select the Operator to apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Program Version Label: Enter the label for the Program Version Web Address. Typical options: Text entry

Program Version Web Address: Enter the URL for the web page where the required program version can be located and downloaded. When a host fails the scan this URL appears in the Failed Policy Results view. Typical options: URL

Prohibit this Product: Set this option to true if you want to prohibit the installation of this product. If this product is installed, the scan fails. Typical options: true or false

Version Label: Enter the label for the Version Web Address. Typical options: Text entry

Virus Definition: Used to identify the virus definition version installed. May be the name of the definition file, the date of the file, a version number, etc. Select the operator to apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Version Web Address: Enter the URL for the web page where information about the version is displayed when the scan is failed. When a host fails the scan this URL appears in the Failed Policy Results view. Typical options: URL

Web Address: Enter the URL of the web page where information about the product is displayed in case the scan fails. Typical options: URL

Software specific parameters

Clam Engine Version: The number of the required engine version. Select the Operator to apply to the definition value found on the host: greater than, equal to, or both. Typical options: **; operator >, =, >=

Operating system parameters - Windows

The table below contains an alphabetical list of possible Configuration Parameters that can be used when setting up
scans for Windows. A subset of these parameters is available for each version of this operating system.

Default parameter values are entered and updated automatically by the scheduled Auto-Def
Updates. If the values have been manually edited, the Auto-Def Updates will not override
those changes.

Settings

Parameter Description

Allowed Editions Select the allowed editions. Options are Home Basic, Home Premium, Business,
Enterprise, Ultimate, and Starter.

Critical / Security Updates The Critical / Security Updates Label that displays on the results page.
Label

Critical / Security Updates The URL for the web page where Windows-Server-2008 Critical / Security Updates
Web Address information can be located and downloaded. Supply a local or Internet URL to display in
the Failed Policy Results window if the host fails the scan.

Custom Scans Any custom scans that have been created are shown.

Disable Bridging When selected, disables bridging on the host.

Disable Internet Connection Sharing  When selected, Internet Connection Sharing is disabled on the host.

Edition Label Enter a label. This label appears in the Results page information to identify which scan
the host failed.

Edition Web Address The URL for the web page where the specific edition information can be located and
downloaded. Supply a local or Internet URL to display in the Failed Policy Results
window if the host fails the scan.

Enable Automatic Updates See the enable automatic updates parameters table below.

Enable Windows Firewall  When selected, the Windows Firewall is enabled.

Force DHCP Requires write access to the registry if done through the .

Do not enable Force DHCP on policies that will be used for VPN
clients. Enabling this setting can cause the host to continuously lose
its VPN connection.

Label Enter a label. This label appears in the Results page information to identify which scan
the host failed.


If a Windows operating system is selected from the Operating Systems list but none of the following are selected:
l Require Version/Build Number
l Enable Automatic Updates
l Require Critical Updates
l Detect Network Bridges
l Disable Internet Connection Sharing
l Require Security Updates
l Trigger SCCM Evaluation
scan results may list all of the above with a result of "Passed".

Prohibit Home Edition When selected, prohibits Windows-XP Home Edition.

Require All Critical Updates When selected, all Critical Updates are required for the host.

Require Critical Updates When selected, Require Critical Updates must be enabled on the host.

FortiNAC leverages the Windows Update tool to check for Critical Updates and Security
Updates during an operating system scan. The host must be able to connect to the Microsoft
Windows Update web site and any other associated sites.

In the event that the local WSUS server is unreachable, FortiNAC does not revert to using
the Microsoft update servers. FortiNAC will not generate events when a host fails to contact
the WSUS server because it occurs on the endpoints and not on FortiNAC. However, a local
event log entry is created for hosts that fail to connect to the WSUS server.

Require Security Updates  When selected, Security Updates are required to be enabled on the host.

Require Service Pack When the checkbox labeled "Require Service Pack" is selected a text field displays.
Enter the numeric value for the Service Pack Level.

SCCM Evaluation Label The SCCM Evaluation label that is displayed in scan results to indicate that the SCCM
Evaluation was triggered for the host.

Service Pack Label The Service Pack Label that displays on the results page.

Service Pack Level The required Service Pack Level. Enter the numeric value.
Select the Operator to apply to the definition value found on the host: greater than,
equal to, or both.

Service Pack Web Address URL for the web page where Service Pack information can be located and downloaded.
Supply either a local or Internet URL. This URL is displayed in the Failed Policy Results
window if the host fails the scan.

Trigger SCCM Evaluation When selected, an upgrade is forced on the host from the SCCM controller. This
ensures all hosts on the network are up-to-date. No error is generated within FortiNAC.
See the SCCM controller for failure details.

This option is available for Windows 7, 8, 10, Windows-Server-2012, Windows-Server-2008-R2, and Windows-Server-2012-R2.

Edition Label The Updates Label that displays on the results page.

Validate Edition When enabled, only those editions of Windows that are selected in FortiNAC are
permitted. When disabled, all/any edition of the selected Windows operating systems
will be allowed, such as Windows Vista N or Windows Vista K.

Web Address The URL for the web page where Windows operating system information can be
located and downloaded. Supply either a local or Internet URL. This URL is displayed in
the Failed Policy Results window if the host fails the scan.

Enable automatic updates parameters

When this option is checked for the selected operating system, it enables Automatic Updates on the host by modifying
the registry. Additional configuration options appear once the box is selected. Use CAUTION when changing any of the
Auto Update Settings. It is recommended that you are familiar with these options before you make any changes.

Parameter Description

Auto Update Web Address Web address used for Windows update. The default is sma/windowsupdates.jsp.

Apply as a Policy (users can't modify)  Select True or False. Default = True.
If this option is enabled, users of hosts running the selected version of Windows can no longer set Windows Update parameters for their own hosts. Registry keys for those settings are set by FortiNAC and are locked. Changing this option to False does not remove the lock from the registry keys. The keys must be deleted to restore user access to Windows Update settings. Keys are as follows:
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

RescheduleWaitTime  Time to wait between the time Automatic Updates starts and the time it begins installations when the scheduled times have passed. The time is set in minutes, from 1 to 60.

This setting only affects host behavior after the hosts have updated to the SUS SP1 client version or later.

NoAuto Select True or False. Default = False.


RebootWithLoggedOnUsers  If set to true, Automatic Updates does not automatically restart a computer while users are logged on. This setting only affects host behavior after the hosts have updated to the SUS SP1 client version or later.

NoAutoUpdate  0 = Automatic Updates is enabled.
1 = Automatic Updates is disabled.
Default = 0

AUOptions  1 = Keep my computer up to date has been disabled in Automatic Updates.
2 = Notify of download and installation.
3 = Automatically download and notify of installation.
4 = Automatically download and schedule installation.

AUState 0 = Initial 24-hour timeout (Automatic Updates doesn't run until 24 hours after it first
detects an Internet connection.)
1 = Waiting for the user to run Automatic Updates
2 = Detection pending
3 = Download pending (Automatic Updates is waiting for the user to accept the pre-
downloaded prompt.)
4 = Download in progress
5 = Install pending
6 = Install complete
7 = Disabled
8 = Reboot pending (Updates that require a reboot were installed, but the reboot
was declined. Automatic Updates will not do anything until this value is cleared and
a reboot occurs.)

ScheduledInstallDay  0 = Every day.
1 - 7 = The days of the week from Sunday (1) to Saturday (7).

ScheduledInstallTime The time of day in a 24-hour format (0-23).

UseWUServer  Select True or False.
Determines whether the host uses a server running Software Update Services instead of Windows Update.

WUServer http://<server>
This value sets the SUS server by HTTP name (for example, http://IntranetSUS).

WUStatusServer http://<server>
This value sets the SUS statistics server by HTTP name (for example,
http://IntranetSUS).

If you configure the scan to enable Automatic Updates and an error occurs (for example, a
network or permission error) so that the scan cannot perform the update, then the scan might
fail.
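To see how the registry values in this table fit together, here is an added Python example (not FortiNAC code and not from this guide) that decodes the values under the two WindowsUpdate policy keys the way a compliance check might, and reports the combinations that would leave a host without working updates. The sample values are constructed; the `require_wsus` switch and the policy choices inside `check_au_policy` are this example's own assumptions, not FortiNAC parameters.

```python
# Meaning of the AU values listed in the table above.
AUOPTIONS = {
    1: "Keep my computer up to date is disabled",
    2: "Notify of download and installation",
    3: "Automatically download and notify of installation",
    4: "Automatically download and schedule installation",
}
DAYS = {0: "every day", 1: "Sunday", 2: "Monday", 3: "Tuesday", 4: "Wednesday",
        5: "Thursday", 6: "Friday", 7: "Saturday"}

# Policy hive paths named in the table; values here are read-only in the Windows UI
# for as long as the keys exist.
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"


def describe_au(wu, au):
    """Turn the raw values of the two policy keys into a readable summary.

    wu: values under ...\WindowsUpdate      (WUServer, WUStatusServer)
    au: values under ...\WindowsUpdate\AU   (NoAutoUpdate, AUOptions, ...)
    """
    options = au.get("AUOptions")
    hour = au.get("ScheduledInstallTime")
    if options == 4 and hour is not None:
        day = DAYS.get(au.get("ScheduledInstallDay", 0), "invalid day")
        schedule = f"{day} at {hour:02d}:00"
    else:
        schedule = "n/a"                     # only AUOptions=4 installs on a schedule
    return {
        "enabled": au.get("NoAutoUpdate", 0) == 0,
        "mode": AUOPTIONS.get(options, "unknown"),
        "schedule": schedule,
        "uses_wsus": au.get("UseWUServer", 0) == 1,
        "wsus_server": wu.get("WUServer"),
        "status_server": wu.get("WUStatusServer"),
        "reboot_with_users": au.get("RebootWithLoggedOnUsers", 0) == 1,
        # Any value under the Policies keys locks the Windows Update UI for users;
        # setting "Apply as a Policy" back to False does not clear this.
        "user_locked": bool(au) or bool(wu),
    }


def check_au_policy(wu, au, require_wsus=True):
    """Return a list of findings; an empty list means the host is compliant.

    The thresholds are this example's policy (assumption), chosen so that the
    host both downloads updates automatically and can actually reach a source.
    """
    findings = []
    s = describe_au(wu, au)
    options = au.get("AUOptions")
    if not s["enabled"]:
        findings.append("NoAutoUpdate=1: Automatic Updates is disabled")
    if options not in (3, 4):
        findings.append(f"AUOptions={options}: updates are not downloaded automatically")
    if options == 4 and au.get("ScheduledInstallTime") not in range(24):
        findings.append("ScheduledInstallTime must be 0-23 when AUOptions=4")
    if options == 4 and au.get("ScheduledInstallDay", 0) not in range(8):
        findings.append("ScheduledInstallDay must be 0 (every day) or 1-7")
    if s["uses_wsus"]:
        # With UseWUServer=1 the host does not fall back to Microsoft's servers,
        # so an empty or malformed WUServer leaves it with no update source.
        if not s["wsus_server"]:
            findings.append("UseWUServer=1 but WUServer is empty: host has no reachable update source")
        elif not s["wsus_server"].lower().startswith("http"):
            findings.append(f"WUServer should be an http(s) name, got {s['wsus_server']!r}")
    elif require_wsus:
        findings.append("UseWUServer=0: host bypasses the internal update server")
    return findings


# Constructed sample values (not read from a real registry).
COMPLIANT_WU = {"WUServer": "http://IntranetSUS", "WUStatusServer": "http://IntranetSUS"}
COMPLIANT_AU = {"NoAutoUpdate": 0, "AUOptions": 4, "ScheduledInstallDay": 0,
                "ScheduledInstallTime": 3, "UseWUServer": 1, "RebootWithLoggedOnUsers": 1}
BROKEN_WU = {}
BROKEN_AU = {"NoAutoUpdate": 1, "AUOptions": 2, "UseWUServer": 1}

if __name__ == "__main__":
    print(describe_au(COMPLIANT_WU, COMPLIANT_AU))
    for finding in check_au_policy(BROKEN_WU, BROKEN_AU):
        print("FINDING:", finding)
```

The `BROKEN_AU` case is the one the note above warns about: `UseWUServer=1` with no `WUServer` is a host that will silently never update, and nothing on the FortiNAC side will raise an event for it.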

Operating systems parameters - macOS

The table below contains an alphabetical list of possible Configuration Parameters for macOS. A subset of these
parameters is available for each operating system.

Default parameter values are entered and updated automatically by the scheduled Auto-Def
Updates. If the values have been manually edited, the Auto-Def Updates will not override
those changes.

Settings

Parameter Description Typical options

Label  Enter a label. This label appears in the Results page information to identify which scan the host failed. (Typical options: text entry)

Web Address  The URL for the web page where Mac information can be located and downloaded. Supply a URL to display in the Failed Policy Results window if the host fails the scan. (Typical options: URL)

Label for Update Version  Enter a label. (Typical options: text entry)

Update Version Web Address  The URL for the web page where Mac update information can be located and downloaded. Supply either a local or Internet URL. (Typical options: URL)

Require at least Version 10.x.  Numerical entry for x in the version 10.1.x (Typical options: number)

Custom Scans  Any custom scans that have been created will be shown. Select a custom scan.

Roles

Roles are used in two different ways in FortiNAC. Roles assigned to hosts managed in the Host View or Users are
attributes of those elements. In this case the role is another way to group users and hosts. Roles can be used in
user/host profiles to filter for specific Users or Hosts when applying network access policies, endpoint compliance
policies, and Supplicant EasyConnect policies.
For devices or hosts managed in the Inventory roles are used to determine the network access given to those elements
based on their connection location. In this case Roles are used with network device roles. The Role is simply a name or
identifier that is assigned to the host or device. The Network Device Role maps the connection location with device, port
or SSID groups to a specific Role. For example, when a device connects to the network with Role A on Switch 1,
FortiNAC searches through the network device roles for a record with Role A that has a connection location containing
Switch 1. The first matching Network Device Role is used. The configuration of this Network Device Role can place the
device in a specific VLAN or can apply a CLI configuration.
Role management relies on the configuration of both Roles and network device roles. The Roles view contains the list of
possible Role names and controls assigning roles to users and hosts based on group membership. Roles for hosts
managed in the Host View and Users do not need a corresponding Network Device Role. Network access for those
hosts and users is handled by network access policies. Roles for devices or hosts managed in Inventory require a
corresponding Network Device Role to control network access. See Roles view on page 295.

If a role has more than one mapping for the same device or port group, the order of
precedence is determined by the order of the role mappings on the network device roles View.
Starting from the top of the list, the first mapping match found is used.

See Configuration on page 292 for an overview of setup requirements.

Configuration

1. Determine which device(s) will be used to support a specific role.


2. Configure the device(s) with the VLAN or Interface ID information for the role.
3. Create a device group and add the device(s) for each set of devices that will be used for roles. For example, you
might have a group of devices that provide network access in Building A. That group of devices will provide different
types of access than the devices in Building B, therefore you would create two separate device groups. See Groups
on page 345 for information on groups.
4. If only some ports on a device or devices will be used for role management, you can place just the required ports in
a Port group specifically for roles. First, determine which ports will participate in role management and place those
ports in the Role Based Access Group. Ports that are not in this group cannot apply roles. Once ports are in the Role
Based Access group, place them in groups that will be associated with roles. See Groups on page 345 for
information on groups.

Ports that are assigned roles are typically included in the Role Based Access Group. If a
port is assigned a role but is not included in the Role Based Access Group, devices
connecting to that port are placed in the default VLAN entered on model configuration for
that device. They are not placed on the VLAN defined for the role. However, if the role is
used as a filter for any policy, that policy is still used.

5. Create a list of Roles. See Roles view on page 295.


6. Determine which hosts or users will be identified by the role.
7. Associate the hosts or users with the role. See Assigning roles on page 292.

Use only one method to associate a host or a user with a role. If more than one method is
used, the role is assigned based on the ranking of roles and the first piece of data that
matches.

Roles are only applied to hosts that are registered.

8. Once roles have been created, configure network device roles. Network device roles indicate the actions to be
taken when a device in that role connects to a group of devices or ports. There can be multiple mappings for a single
role. For example, Role A can have a mapping for Port/Device Group A and a different mapping for Port/Device
Group B. Select the Device or Port group and enter the network access IDs. See Network device roles on page 1.

Assigning roles

Roles can be assigned to users, hosts, network devices and ports. Each one of these entities has a role field on its
corresponding Properties window. Assignment of roles is accomplished by setting the role field for the user, host,
device or port either manually or using one of the options listed in the table.
When a user and a host have different roles, the user role is applied if the user logs into the host. In the case of a gaming
device that the user does not log into, it has its own role that may or may not be the same as the user's.
In the event that multiple methods are used to set a role, the order of precedence is determined by the order of the roles on the Roles view. Starting from the top of the list, the first role match found is used. For example, assume you have assigned roles to hosts based on groups. If you later add the host to a new group, and that group is associated with a role that is ranked above the host's original role, the host's role is changed.
Roles created on the FortiNAC server are ranked above global roles created on the NCM. The rank of a local role can be adjusted above or below another local role, but cannot be ranked below a global role. The rank of a global role cannot be modified from the FortiNAC server.
When multiple methods are used to assign a role to a host, a hierarchy determines which role to assign. Roles assigned through portal pages (typically for gaming devices) have the lowest precedence and are overwritten by a role determined by any other method. Roles assigned by directory attributes have the highest precedence and overwrite a role assigned by any other method. Roles assigned by group membership have the middle level of precedence: they overwrite roles assigned through portal pages but are overwritten by roles assigned via directory attributes. Roles assigned via group membership change when the host's group membership changes. When this occurs, the roles are ranked, with low-numbered ranks having the highest precedence.

Settings

Setting Definition

User roles

User Roles Based On Groups  Users can be assigned roles by placing them in a group and then associating that group with a role on the Roles view. See Add a role on page 296 for additional information on adding roles. Once the group of users has been created and you have assigned them a role, you must associate that role with a device group or a port group and a corresponding VLAN or CLI configuration.
User groups can also be created based on groups in the directory. These groups are treated the same as groups created manually within FortiNAC. If a user is a member of more than one group, the group that is found first when matching users to roles determines the role assigned to the user.

When assigning roles to users, the use of directory attributes over directory groups is recommended. Attribute data is retrieved directly from the directory as the user registers, while group information is retrieved from data cached on the FortiNAC server and could be out of date.

User Roles Based On A Directory Field  Network users can be assigned a role based on a field in LDAP or Active Directory. For example, you might choose to have roles based on a field in the directory called Department. The data within the Department field would be the name of the role, such as Accounting or Customer Service. In a university environment a user might have a role based on whether he is a Student or Faculty.
To assign roles based on a field in a directory you must indicate which field in the directory is to be used as a role. See to map the role field.
Users in the directory with matching data in this field constitute a group, even though the group is not shown anywhere. For example, users with Accounting in their department field are treated as an Accounting group for the purpose of assigning roles.
Next, you must create a Role with the exact same name as the data contained in the directory field. For example, if the user's role in the directory is Accounting, you must create a Role on the Roles view that is named Accounting.

When a user registers, the role field in User Properties is set to match the data in that
user's role field in the directory.

User Roles Based On Fields In Captive Portal  When registering a host through the Captive Portal, if the user fields on the portal page have a role set, that role is assigned to the user, such as during registration or authentication.

Individual User Roles In some situations you may want to assign a role to a single user. First create the role
on the Roles view. Then, navigate to the User Properties window and modify the Role
field.

Host roles

Host Roles Inherited From Users  When registering a rogue to a user on the Host View, you have the option to use the user's role or to select a different role for the device. See Modify a host on page 139.
When registering a host through the Captive Portal, if the portal does not have a role set, the host inherits the role of the user.
If the user's role changes, regardless of how it is changed, any host registered to that user that has the same role is changed as well.
Example:
John Doe is a student and has two registered hosts.
l John Doe’s Role: Student
l John Doe’s Host 1 Role: Student
l John Doe’s Host 2 Role: Gaming
John Doe graduates and becomes faculty, so the University makes the change in AD and runs a directory sync. John's role is changed to Faculty.
l John Doe’s Role: Faculty
l John Doe’s Host 1 Role: Faculty
l John Doe’s Host 2 Role: Gaming
Host 2 did not match John's original role of Student, so it is not changed.

Host Roles Assigned Through Captive Portal  When registering a host through the Captive Portal, if the portal page has a role set, that role is assigned to the host during registration. If the role field is blank, the host inherits the role of the user.

Host Roles Based On Groups  Hosts can be assigned roles by placing them in a group and then associating that group with a role on the Roles view. See Add a role on page 296 for additional information on adding roles.

Host Roles Assigned Manually  This would typically be used to assign a role to hosts, such as a medical device that connects to the network.
To register rogues and set their role: Select one or more rogues on the Host View. Right-click on the selected records and choose Register as Device from the menu. On the registration pop-up you can select device type and role. See Register a host as a device on page 1.
To set roles for registered devices: Select one or more devices on the Host View. Right-click on the selected records and choose Set Host Role. Select the new role from the drop-down list in the pop-up window.

Host Roles Assigned By Device Profiler  This would typically be used to assign a role to hosts, such as a medical device that connects to the network. Devices that are hosts, such as medical devices, gaming devices, or printers can be assigned a role and a device type based on device profiling rules.
If you are using the device profiler feature, you can create or use default rules that allow FortiNAC to determine the device type and assign the device to a role. When a new host device connects to the network it becomes a rogue because it is unknown. FortiNAC compares information received from the device with the device profiling rules in its database until it comes up with a match. Based on the parameters defined in the rule, the device is assigned a type and a role. See Device profiler on page 1 and Device profiling rules on page 152.
The role assigned by device profiler takes precedence over any role associated with the vendor OUI.

Roles view

This view allows you to configure roles. Roles are assigned to Users, Hosts and Devices. For hosts managed in the
Hosts View and users, roles are attributes that are used in user/host profiles as filters. For devices and hosts managed in
Topology, such as a printer, roles are used to control network access based on where they connect. If you are using
roles to control network access for hosts and devices, you must also configure Network Device Roles to provide a set of
connection instructions for role and device or port group combinations.
For example, if Role A is assigned to all of the printers in the Accounting Department, then when a printer connects to a
port in the accounting office, the Network Device Role for accounting office ports is configured to move them to VLAN 10.
In the case of a host managed in the Hosts View, if Role B is assigned to that host, then when the host connects to a port
in the accounting office, FortiNAC Manager reviews the network access policies until it finds a policy for a host with Role
B connected to accounting ports based on the user/host profile in the policy.
Roles can be assigned in many different ways. In the case of the Roles View, roles are assigned based on directory
groups or FortiNAC Manager groups. When a user or a host is added to a group, FortiNAC Manager searches the list of
roles for a match starting with the role ranked number 1. When a match is found, the role is assigned to the user or the
host. In the case of directory attributes, when a user is registered and FortiNAC Manager checks the list of roles, a role
with a name that exactly matches the attribute will be assigned to the user if it is the first piece of data about the user that
matches the role criteria.
Roles created on the FortiNAC server will be ranked above global roles created on the FortiNAC Manager. The rank of a
local role can be adjusted above or below another local role, but cannot be ranked below a global role. The rank for a
global role cannot be modified from the FortiNAC server.
For additional information on all methods for role assignment, see Assigning roles on page 292.
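The precedence rules described in Assigning roles and restated above (directory attribute over group membership over portal page; the Roles list walked top-down with local roles ranked above global ones; hosts following a user's role change only when their role matched the old one) and the first-match lookup of network device roles described at the start of the Roles section are easy to get wrong in a large deployment, so it is worth having a model to reason against. The following is an added Python example that implements those rules as this guide states them; it is not FortiNAC code and not from this guide. The `Role` and `NetworkDeviceRole` types, the group names and the switch names are constructed for illustration.

```python
from dataclasses import dataclass

# Role applied when no method assigns one (named in "Modify or delete roles").
NAC_DEFAULT = "NAC Default"


@dataclass(frozen=True)
class Role:
    name: str
    groups: frozenset          # FortiNAC or directory groups mapped to this role
    scope: str = "local"       # "local" (this server) or "global" (created on the Manager)


def rank(roles):
    """Evaluation order: the order shown in the Roles view, except that every local
    role outranks every global one. sorted() is stable, so relative order is kept."""
    return sorted(roles, key=lambda r: 0 if r.scope == "local" else 1)


def role_from_groups(ranked, memberships):
    """Walk the ranked list top-down; the first role with a matching group wins."""
    memberships = set(memberships)
    for role in ranked:
        if role.groups & memberships:
            return role.name
    return None


def role_from_directory(ranked, attribute_value):
    """A directory attribute assigns a role only if a role with exactly that name exists."""
    if attribute_value is None:
        return None
    return attribute_value if any(r.name == attribute_value for r in ranked) else None


def resolve_user_role(ranked, directory_attribute=None, memberships=(), portal_role=None):
    """Precedence from Assigning roles: directory attribute, then group membership,
    then the role set on the portal page; otherwise NAC Default."""
    return (role_from_directory(ranked, directory_attribute)
            or role_from_groups(ranked, memberships)
            or portal_role
            or NAC_DEFAULT)


def follow_user_role_change(old_role, new_role, host_roles):
    """Hosts whose role equals the user's old role follow the change (the John Doe
    example); hosts with a different role, such as Gaming, keep it."""
    return {host: (new_role if role == old_role else role)
            for host, role in host_roles.items()}


@dataclass(frozen=True)
class NetworkDeviceRole:
    role: str
    location: frozenset        # members of the device or port group for this mapping
    vlan: int


def network_access(mappings, role, connected_to):
    """Top-down, first mapping whose role matches and whose location contains the
    device or port the host connected to; None means no role-based access applies."""
    for m in mappings:
        if m.role == role and connected_to in m.location:
            return m.vlan
    return None


# Constructed sample configuration (not from a real deployment).
ROLES = rank([
    Role("Faculty", frozenset({"DirFaculty"}), "global"),     # global: sinks below locals
    Role("Student", frozenset({"DirStudents"})),
    Role("Accounting", frozenset({"DirAccounting"})),
])
MAPPINGS = [
    NetworkDeviceRole("Accounting", frozenset({"Switch1", "Switch2"}), 10),
    NetworkDeviceRole("Accounting", frozenset({"Switch1"}), 99),   # never reached for Switch1
]

if __name__ == "__main__":
    print([r.name for r in ROLES])
    print(resolve_user_role(ROLES, directory_attribute="Accounting", memberships={"DirStudents"}))
    print(follow_user_role_change("Student", "Faculty", {"host1": "Student", "host2": "Gaming"}))
    print(network_access(MAPPINGS, "Accounting", "Switch1"))
```

The second `MAPPINGS` entry is the shadowing case the note in the Roles section warns about: because the first mapping already covers Switch1, a more specific mapping placed below it is never used, and the only fix is to reorder the network device roles.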

Settings

Field Definition

Rank Buttons Moves the selected role up or down in the list. Users and hosts are compared to roles in
order by rank.

Set Rank Button Allows you to type a different rank number for a selected role and immediately move the
role to that position. In an environment with a large number of roles, this process is
faster than using the up and down Rank buttons.

Name Name of the role. If you are assigning roles based on the directory attribute specified in
attribute mappings in the Role field, the name of the role in the Roles view must match
the data in the user's directory attribute. For example, if the directory attribute is
department and the user's field is set to Accounting, then the role name must be
Accounting in order to match.

Groups One or more groups whose members will be assigned to this role. List includes Groups
both in FortiNAC and in the directory, if one is being used with FortiNAC.
If no groups are selected, None is displayed in this field. This effectively disables the
role for group assignment. However, the role can still be assigned manually, by device
profiler or through the Captive Portal.

Note User specified note field. This field may contain notes regarding the conversion of roles
from a previous version of FortiNAC.

Last Modified By User name of the last user to modify the role. SYSTEM indicates that the role was
modified by FortiNAC itself.

Last Modified Date Date and time of the last modification to this role

Right click options

Export Exports data to a file in the default downloads location. File types include CSV, Excel,
PDF, or RTF. See Export data on page 1.

Copy Copy the selected Role to create a new record.

Delete Deletes the selected Role. Roles that are currently in use cannot be deleted.

In Use Indicates whether or not the selected role is currently being used by any other FortiNAC
element. See Role in use on page 297.

Modify Opens the Modify Role window for the selected role.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add
an administrator profile on page 55.

Add a role

Once you have created and configured the host, user and device groups, create the roles associated with these groups.
1. Select Policy & Objects > Roles.
2. Click Add.

3. In the Name field, enter a name for the new role. If this role corresponds to an LDAP attribute value, the spelling of
the role name must be an exact match for the data contained in the user's directory record and you do not need to
select a group in the Groups field.
4. Click Select next to Groups. Choose one or more user or host groups by clicking on the names in the All Groups
column and clicking the right arrow to move them to the Selected Groups column. Click OK to continue.
5. If you are creating a role that you do not want to have automatically assigned, but wish to assign manually or
through the captive portal, then do not enter any groups.
6. Click in the Note field to add any user defined information needed for this role.
7. Click OK to save the role.
8. If this role will be used to control network access for hosts managed in Inventory and devices, go to the network
device roles view and configure the role mapping there. See Network device roles on page 1.

Modify or delete roles

You can modify the role settings as needed. All devices, users and hosts in the database are required to have a role. You
cannot remove a role from these elements. You can only change the role to something else. If no role is specified
devices, users and hosts default to the NAC Default role.
If a role is in use by a Device Profiling Rule, guest template, or assigned to a Host, User, or Device, the role cannot be
removed from the database. If a role is simply mapped to a device based on the device's membership in a group and not
assigned specifically to the device, the role can be removed.
1. Select Policy & Objects > Roles.
2. Select the role from the list.
3. To remove the role from the database, click Delete.
4. On the confirmation window, click Yes to remove the role.
5. If the role is in use, a warning message is displayed and the role is not deleted. Click In Use for a complete list of
places where this role is referenced.
6. To modify the role, click Modify.
7. Modify settings as needed and click OK to save.

Role in use

To find the list of FortiNAC features that reference a role, select the role from the Roles view and click In Use. A
message is displayed indicating whether or not the role is associated with any other features. If the role is referenced
elsewhere, a list of each feature that references the configuration is displayed. A role can be used in the following
locations:
l Network device roles
l Hosts
l Users
l Devices
l Device profiling rules
l Vendor OUIs
l Guest templates
l Scheduled tasks with an action of Role Assignment
l Event to alarm mappings with an action of Host Role Action

Logs

Audit Logs 298

Events 301

Alarms 333

Audit Logs

The Audit Logs view tracks all changes made to an item in the system. Users with admin auditing permissions will see a
change in the admin auditing log whenever data is added, modified, or deleted. Users can see what was changed, when
the change was made, and who made the change.
Changes made through the CLI are tracked in the admin auditing log; however, the user ID for the user who made the
change will appear as CLI Tool.
Changes can be filtered by the name of the item that was changed, the action taken, the date when the change occurred,
the user ID for the user who made the change, and the type of item that was changed.
Changes made to the following items are not currently audited:
l Trap MIB files
l NTP and time zone settings
l Adapters
l RADIUS domain mappings
l RADIUS server defaults
l Security applications
l Alarms
l Certificates
l Portal SSL settings
l Portal configuration styles
l Mobile providers
l Database backup settings (excluding the Backup Timeout)
l Changes to the license key
Changing the name of a device or moving a device to a new container will result in a separate audit entry for each port on
the device.
Auditing archives and purges audits made to hosts, users, or elements.

Configuration

Users must have permission to view the auditing log.

1. Click Users > Administrators > Profile Mappings.
2. Click Add or select an administrator profile and click Modify. (Note: The permissions for the System Administrator profile cannot be changed.)
3. Click the Permissions tab.
4. Select the Access check box next to Admin Auditing.
5. Click OK.

Accessing the auditing log

1. Click Logs > Audit Logs.


2. Click a row to view the entire list of changes in Change Details window below.
Add/Modify Filter
1. Hover cursor over the column header. A filter icon will display.
2. Click the filter icon. A window appears with the applicable parameters. See Settings Table below for possible
parameters.
3. Select the desired filter operation (range, exact match, etc).
4. Select all criteria desired to search. For filters that include a search field, either manually enter or click the desired
values to search.
Note: Multiple Values can be OR’d together. If manually entering, use either “,” or “|” between values. Otherwise,
click all desired values in the below window.
5. Click Apply.
Delete Filter
1. Click filter icon in column header
2. Click Remove.
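The filter grammar described above (values OR'd with "," or "|"; Contains, Exact Match and NOT on text columns; "=", Range, "<=", ">=" and NOT on the Date column) is what you end up reproducing when you work with an exported audit log offline, for example while reconstructing who changed a role or a policy during an incident. The following is an added Python example that implements that grammar over constructed sample rows; it is not FortiNAC code and not from this guide, and the column keys and the `changes_outside_gui` helper are this example's own.

```python
from datetime import datetime

# Constructed sample rows in the shape of the Audit Logs view (not real log data).
SAMPLE_AUDIT = [
    {"date": "2023-03-10 09:15:00", "user_id": "admin", "action": "Modify", "type": "Role",
     "name": "Accounting", "summary": "Groups: [] -> [DirAccounting]"},
    {"date": "2023-03-10 11:42:10", "user_id": "CLI Tool", "action": "Delete", "type": "Role",
     "name": "Contractor", "summary": "Role removed"},
    {"date": "2023-03-11 08:00:00", "user_id": "SYSTEM", "action": "Modify", "type": "Host",
     "name": "00:11:22:33:44:55", "summary": "Role: Student -> Faculty"},
    {"date": "2023-03-12 17:30:45", "user_id": "jdoe", "action": "Add", "type": "Role",
     "name": "Gaming", "summary": "Role created"},
]

DATE_FMT = "%Y-%m-%d %H:%M:%S"


def split_values(text):
    """Multiple values are OR'd together: separated by ',' or '|' as in the filter dialog."""
    return [v.strip() for v in text.replace("|", ",").split(",") if v.strip()]


def text_match(value, op, text):
    """Contains / Exact Match / NOT on a text column, each accepting OR'd values."""
    wanted = split_values(text)
    if op == "Contains":
        return any(w.lower() in value.lower() for w in wanted)
    if op == "Exact Match":
        return value in wanted
    if op == "NOT":
        return value not in wanted
    raise ValueError(f"unsupported text operation {op!r}")


def date_match(value, op, bound, upper=None):
    """'=', '<=', '>=', Range, NOT on the Date column, compared at second precision."""
    d = datetime.strptime(value, DATE_FMT)
    lo = datetime.strptime(bound, DATE_FMT)
    if op == "=":
        return d == lo
    if op == "<=":
        return d <= lo
    if op == ">=":
        return d >= lo
    if op == "NOT":
        return d != lo
    if op == "Range":
        return lo <= d <= datetime.strptime(upper, DATE_FMT)
    raise ValueError(f"unsupported date operation {op!r}")


def apply_filters(rows, filters):
    """filters: list of (column, op, value[, upper]). Filters on different columns are
    ANDed; the OR'd value list applies within one column."""
    out = []
    for row in rows:
        keep = True
        for spec in filters:
            column, op, value = spec[0], spec[1], spec[2]
            if column == "date":
                keep = date_match(row[column], op, value, spec[3] if len(spec) > 3 else None)
            else:
                keep = text_match(row[column], op, value)
            if not keep:
                break
        if keep:
            out.append(row)
    return out


def changes_outside_gui(rows):
    """Everything not done by a named administrator: changes made with CLI tools
    (shown as "CLI Tool") or by FortiNAC itself (shown as "SYSTEM")."""
    return apply_filters(rows, [("user_id", "Exact Match", "CLI Tool|SYSTEM")])


if __name__ == "__main__":
    for row in changes_outside_gui(SAMPLE_AUDIT):
        print(row["date"], row["user_id"], row["action"], row["type"], row["name"])
```

Filtering on `user_id` for "CLI Tool" is the quick way to surface configuration changes that bypassed the administrative UI, which is usually the first question in an investigation of an unexpected policy change.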

Settings

Field Definition

Add Filter Allows you to select a field from the current view to filter information. Select the field
from the drop-down list, and then enter the information you wish to filter. See Filters on
page 1.

Update Displays the filtered data in the table.

Admin auditing

Date The date and time when the change was made.
Filter Operations: "=", Range, "<=", ">=", NOT

User ID The user ID of the user who made the change.


The user ID appears as "CLI Tool" when changes are made using CLI tools.
Filter Operations: Contains, Exact Match, NOT

Action Shows whether the change involved adding, modifying, or deleting information.
Filter Operations: Contains, Exact Match, NOT

Type  The type of item that was changed.
Filter Operations: Contains, Exact Match, NOT

Name The name of the item that was changed. Click the name to view a dialog containing all
changes that have been made to the area.
Filter Operations: Contains, Exact Match, NOT

Summary The first four lines of what was changed on the specified date.
Filter Operations: None

Change Details Displays all details of the change made to the item on the specified date. This
information appears when you click a row representing a change in the Admin
Auditing table.

Buttons

Export Exports the data displayed to a file in the default downloads location. File types include
CSV, Excel, PDF, or RTF. See Export Data.

Events

Events displays the contents of the events log. The events log is an audit trail of significant network and FortiNAC
incidents. Events are logged when they are enabled in the events management view. See Enable and disable events on
page 323.
To access events, go to Logs > Events & Alarms > Events.

Settings

Field Definition

First Name: First Name of the user associated with the event, such as the registered owner of a host or an administrator.

Last Name: Last Name of the user associated with the event.

Login Name: User name from the credentials of the user who was logged in and associated with the event.

Element Name: Name of the device, administrator, server or process associated with the event.

Element Type: Type can be Device, Port, Container, Process, or All.

Group: Group name of a group of elements, such as port group, device group or user group.

Pause: If enabled, prevents the Events List from refreshing and adding new records to the screen. In an environment with a large number of events, you may need to pause the refresh in order to research an issue.

Date: Date and time that the event occurred.

Event: Event name. See Events and alarms list on page 302.

Element: Element associated with the event, such as a user, administrator, device, port, or process.

Message: A textual description of the selected entry.

Note: An area for user notes.

Buttons

Import: Import historical events from an Archive file. See Import archived data on page 1.

Export: Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data on page 1.

Set Note: Opens a notes window and allows you to add notes to the selected event. See Event notes on page 302.


Event notes

You can add notes to an event entry to clarify why the event happened, track the resolution of a problem, or add general
information.
1. Select Logs > Events & Alarms > Events.
2. Use the filters to locate the appropriate event. Refer to Events on page 301 for settings.
3. Select the event.
4. Click Set Note.
5. Enter the note text or modify the existing note.
6. Click OK.
7. The note text appears in the Notes column of the Events View.

Events and alarms list

When events are enabled, they can be enabled for All Groups or for a single group. Depending on the event you may not
want to enable it for all groups because the volume of events would be overwhelming. For example, if you enabled the
host connected event for all groups, you would receive an event message every time someone connects to the network.
When you look at an event in the Event Viewer, additional information is provided about that occurrence of the event. It
might include information such as user name, IP address, MAC address or location.
Each event has a corresponding alarm that can be configured. See Map events to alarms on page 334.
Event names highlighted in gray are no longer used. However, they are still available in the Event Log to accommodate
importing older data that may contain those events.

Events and alarms

Event Definition

Access Configuration Modified: Generated whenever an Access Configuration is modified.

Access Policy Modified: Generated whenever an Access Policy is modified.

Adapter Created: Generated whenever an adapter is added to a host.

Adapter Destroyed: Generated whenever an adapter is removed from a host.

Add/Modify/Remove Blocking via REST API: Generated whenever a REST API request is received that creates or removes a Control Task.

Add/Modify/Remove Host: Generated whenever a trap is received that adds, modifies or removes a host record in the database.

Add/Modify/Remove Host via REST API: Generated whenever a REST API request is received that adds, modifies or removes a host record in the database.

Add/Modify/Remove User: Generated whenever a trap is received that adds, modifies or removes a user record in the database.

Add/Modify/Remove User via REST API: Generated whenever a REST API request is received that adds, modifies or removes a user record in the database.

Admin User Created: Administrative user created. User types are not included in the event message.

Admin User Destroyed: Administrative user deleted from the database.

Admin User Logged Out: Administrative user logged out of the user interface.

Admin User Login Failure: Administrative user failed to log into the user interface.

Admin User Login Success: Administrative user logged into the user interface.

Admin User Timed Out: Administrative user was logged out of the User Interface based on the settings in Users > Administrators > Timeout Settings in the Administrative Interface Inactivity Time (Minutes) field.

Administrative Status Success: User has gone into port properties for an individual port and successfully turned the Admin Status on or off.

Agent - Unrecognized Vendor OUI: No longer used. Generated when an agent scans a host and returns MAC addresses that have a vendor OUI that is not included in the vendor OUI Management list in FortiNAC.

Agent Update Failure / Agent Update Success: Indicates whether or not an agent updated successfully.

Agent Message Sent: Message sent from a FortiNAC user to one or more hosts. Only hosts running the Persistent Agent can receive messages. This event is not generated if the message fails to send.

Alarm Created: Indicates that an event has caused an alarm.

Appliance Weak Password(s): Indicates that the password for the appliance and/or the admin UI is either a default factory password or not complex enough. It is recommended that you modify the password. Otherwise, your network may be at risk for a security breach.

Application Server Contact Lost: Generated when contact is lost to the Nessus plugin in a 1200/8200 pair. Requires contact to be established before contact can be lost.

Application Violation: FortiNAC can receive traps from external applications hosted on servers modeled in the Topology as Pingable or Server devices. This event is generated when a trap is received. Traps might be used to indicate intrusion or that a threshold has been exceeded. A Host Application Violation event can be generated at the same time.

Application Violation Reset: Generated based on a trap sent from an external application. Indicates that the condition that caused the Application Violation event is no longer happening and operations can return to normal. For example, if hosts have been marked at risk, they can now be marked safe and can access the network. A Host Application Violation Reset can be generated at the same time with host specific information.

Authenticated: Successfully verified the user's credentials with the directory.

Authentication Configuration Modified: Generated whenever an authentication configuration is modified.

Authentication Failure: Unable to verify the user's credentials with the directory.

Authentication Policy Modified: Generated whenever an authentication policy is modified.

Authentication Time-out Failure: User did not authenticate within the allotted time.

Authentication Trap Receive: Received an authentication trap from the directory.

Certificate Expiration Warning: Generated when a certificate is due to expire within 30 days.

Certificate Expiration Warning (CRITICAL): Generated when a certificate is due to expire within 7 days.

Certificate Expired: Generated when a certificate has expired.

cipSecTunnelStop: Generated when the VPN connection IPsec Phase-2 Tunnel becomes inactive.

CLI Configuration Failure / CLI Configuration Success: Generated when a user tries to configure a scheduled task that involves applying a CLI configuration to a group. Indicates whether or not the configuration of the scheduled task was successful.

CLI Data Substitution Failure: Indicates failure to substitute the "Port, VLAN, IP, or MAC" data into the CLI.

Communication Lost with BigFix Server: Event indicates that the BigFix patch management server cannot be reached.

Communication Lost with Palo Alto User Agent: Palo Alto User Agent is a component of the Palo Alto Firewall. If configured, FortiNAC sends user ID and IP address to the Palo Alto User Agent each time a host connects to the network. Event indicates that the Palo Alto User Agent modeled in the Inventory cannot be reached.

Communication Lost with PatchLink Server: Event indicates that the PatchLink patch management server cannot be reached.

Communication Lost with RADIUS/SSO Agent: Fortinet SSO Agent is a component of the FortiGate Firewall. If configured, FortiNAC sends user ID and IP address to the Fortinet SSO Agent each time a host connects to the network. Event indicates that the Fortinet SSO Agent modeled in the Inventory cannot be reached.

Communication Lost with Script: Generated if a Custom Script SSO Agent is configured in Inventory. FortiNAC sends user ID and IP address as parameters to the script each time a host connects to the network. Event indicates that the script configured in the Inventory failed to run.

Communication Lost with iboss: If configured, FortiNAC sends user ID and IP address to iboss each time a host connects to the network. Event indicates that the iboss SSO Agent modeled in the Inventory cannot be reached.

Conference Created: Using guest/contractor accounts you can create a batch of conference user accounts. This event is generated when those accounts are created and indicates the number of accounts created.

Contact Established: Contact with a device has been established.

Contact Lost: Contact with a device has been lost.

Container Created: New container has been created in the database. Containers are a grouping mechanism for devices that display in the Inventory.

Container Destroyed: Container has been deleted from the database. Deleting a container deletes all of the devices it contains.

DHCP Host Name Changed: Generated when a known host connects to the network and its hostname is different. Indicates that the hostname in the database associated with the MAC address and existing DHCP fingerprint for that host is different.

Database Archive/Purge Failure / Database Archive/Purge Success: Indicates whether or not the scheduled database archive/purge was successful.

Database Backup Failure / Database Backup Success: Indicates whether or not the scheduled database backup was successful.

Database Replication Error: Occurs in a high availability situation when the MasterLoader database is not replicating. Can also be triggered when the database on the secondary server is not running.

Database Replication Succeeded: Occurs in a high availability situation when the MasterLoader database is successfully replicated to the secondary server.

De-authenticated: User logged off from host.

De-authentication Failure: Unable to log off user from host. User not found.

Deleted Host Successfully: Host or FortiNAC user has been successfully deleted from the database. If multiple records are deleted at once, a separate event is generated for each record.

Device Cold Start: Device was restarted using the power switch.

Device Created: New managed device has been created in the database.

Device Destroyed: Managed device has been deleted from the database.

Device Fingerprint Changed: Host is using a different operating system than the one with which the host was registered. This could occur on a host with a dual-boot. For example, the host registers with a Windows operating system. The user later boots the host using Linux and tries to access the network. That change would trigger this event. An upgrade within a family of operating systems would not normally trigger this event, such as from Windows XP to Windows Vista. Operating system is determined by the DHCP fingerprint.

Device Identity: No longer used.

Device Link: A device has linked to port X on the network.

Device Link Down: A device link goes down on a specific port because a device was disconnected from the port.

Device Link Up: Generated when a device link goes up on a specific port.

Device Profile Rule Match: A rogue host has matched a Device Profiling rule allowing it to be assigned a device type and registered.

Device Profiling Automatic Registration: A rogue host has been registered by device profiling based on a device profiling rule.

Device Profiling Rule Missing Data: Indicates that device profiler cannot compare a rogue against a rule because FortiNAC does not have enough information about the rogue, such as a DHCP fingerprint. If device profiler cannot compare a rogue against a rule it does not continue processing that rogue, and moves on to the next rogue.

Device Rule Confirmation Failure / Device Rule Confirmation Success: Devices identified by a Device Profiling rule maintain their association with that rule. If enabled, the associated rule and the device are checked periodically to see if the rule is still valid for the device. These event messages indicate whether or not the device matched the associated rule.

Device Warm Start: Device was restarted from the command line interface.

Directory Connection Failure: The connection to a directory, such as Active Directory or LDAP, failed. The directory could have refused the connection because the user name and password were incorrect. This event can be triggered when testing the connection to the directory with Test on the Directory Configuration window.

Directory Group Disabled / Directory Group Enabled: Users can be disabled/enabled in a directory, such as LDAP, based on group membership. When the FortiNAC database synchronizes with the directory, users that are members of the group are enabled. Users that are not members of the group are disabled.

Directory Synchronization Failure / Directory Synchronization Success: Indicates whether or not a directory, such as Active Directory or LDAP, synchronized with the user database. Could be caused if FortiNAC fails to connect to the directory. This synchronization is a one time task done when the directory is configured. See Schedule synchronization on page 377.

Directory User Disabled / Directory User Enabled: Users can be disabled/enabled in a directory, such as LDAP. When the FortiNAC database synchronizes with the directory, users can be disabled/enabled based on their directory setting.

Disable Host Failure / Disable Host Success: Generated when a user manually disables a host on the Host View. Indicates whether or not the host was successfully disabled.

Disable Hosts Failure / Disable Hosts Success: Indicates whether or not hosts in a group were successfully disabled using a scheduled task.

Disable Port Failure / Disable Port Success: Indicates whether or not a particular port was disabled by an alarm action.

Disable Ports Failure / Disable Ports Success: Indicates whether or not ports in a particular group were disabled by a scheduled task.

Disable User Success: Indicates that a user selected from the user view was successfully disabled.

Disabled Authenticated: No longer used.

Discovery Completed: The device discovery process that adds new devices to FortiNAC has completed. IP address range is included in the completion message.

Duplicate Host For Device: No longer used.

Duplicate Physical Address: No longer used.

Duplicate Users Found in Directory: Two users with the same last name and/or ID were found in the directory. FortiNAC is case-insensitive. For example, two users with last names listed as SMITH and smith are treated as if they were the same person. The newer of the two users is ignored.

Email Failure: Alarms can be configured to send E-mail Notifications to FortiNAC administrative users. If the administrative user has no e-mail address or the e-mail fails in any other way, this event is generated.

Enable Host Failure / Enable Host Success: Indicates whether or not a host selected from the Host View was successfully enabled.

Enable Hosts Failure / Enable Hosts Success: Indicates whether or not hosts in a group were successfully enabled using a scheduled task.

Enable Port Failure / Enable Port Success: Indicates whether or not a particular port has been enabled by an alarm action in response to a previous event.

Enable Ports Failure / Enable Ports Success: Indicates whether or not ports in a particular group were enabled by a scheduled task.

Enable User Success: Indicates that a user selected from the user view was successfully enabled.

Endpoint Compliance Configuration Modified: Generated whenever an endpoint compliance configuration is modified.

Endpoint Compliance Configuration Platform Setting Modified: Generated whenever an endpoint compliance configuration platform setting is modified.

Endpoint Compliance Modified: Generated whenever an endpoint compliance is modified.

Enterasys Dragon Violation: Enterasys Dragon is an Intrusion Protection/Detection System. An event is generated when an intruder is detected.

Entitlement Polling Failure: (Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when there is an error communicating or processing license entitlements data from FortiCloud over TCP 443. Entitlement polling is required for Subscription Licenses. Refer to the Deployment Guide in the Document Library for Open Port requirements.

Entitlement Polling Success: (Requires version 8.8.10, 9.1.4, 9.2.0 or above) Generated when communication and processing of license entitlements data from FortiCloud successfully completes.

Failed to Disable Adapters: Attempted to disable hosts using an Alarm Action. Hosts failed to be disabled.

Failed to Disable HP Port Security: Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed.

Failed to Enable Adapters: Attempted to enable hosts using an Alarm Action. Hosts failed to be enabled.

Failed to Enable HP Port Security: Scheduled task that enables port security configuration on all HP/NT devices in an associated group has failed.

FireEye IPS High Violation: Generated whenever a high violation event is received from FireEye.

FireEye IPS Low Violation: Generated whenever a low violation event is received from FireEye.

FireEye IPS Medium Violation: Generated whenever a medium violation event is received from FireEye.

FortiOS 4.0 High Violation: Generated whenever a high violation event is received from FortiOS 4.0.

FortiOS 4.0 Low Violation: Generated whenever a low violation event is received from FortiOS 4.0.

FortiOS 4.0 Medium Violation: Generated whenever a medium violation event is received from FortiOS 4.0.

FortiOS 5.0 High Violation: Generated whenever a high violation event is received from FortiOS 5.0.

FortiOS 5.0 Low Violation: Generated whenever a low violation event is received from FortiOS 5.0.

FortiOS 5.0 Medium Violation: Generated whenever a medium violation event is received from FortiOS 5.0.

Found Ignored MAC address: A host or device has connected with a MAC address that is in the MAC address Exclusions list. This connection is not being managed by FortiNAC and the host or device has access to the production network. See MAC address Exclusion.

Found Microsoft LLTD or Multicast Address: A host or device has connected with a MAC address in the Microsoft LLTD or Multicast Address range. Those ranges are managed in the MAC address Exclusion list. FortiNAC ignores these MAC addresses for 48 hours after the first one is seen and then treats them as rogues unless the configuration is updated on the MAC address Exclusion list. See MAC address exclusion on page 1.

Gaming Device Registration: A gaming device was registered by a user.

Group Does Not Exist for Scan: FortiNAC attempted to perform a scan or scheduled task for a particular group and the group no longer exists in the database. Either recreate the group or remove the scan or scheduled task.

Guest/Contractor Pre-allocation Critical: No longer used. If you are setting up Guest/Contractor users in advance, an event can be generated if you set up more Guest/Contractor users than you have licenses.

Guest/Contractor Pre-allocation Warning: No longer used. If you are setting up Guest/Contractor users in advance, an event can be generated if you set up enough Guest/Contractor users to use 75% of the available licenses.

Guest Account Created: New guest account is created.

Guest Account Deleted: Guest account is deleted.

Hard Disk Usage Critical: Generated when the disk usage critical threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore, if the combined total crosses the threshold, no event is generated. Default = 95%

Hard Disk Usage Warning: Generated when the disk usage warning threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore, if the combined total crosses the threshold, no event is generated. Default = 85%
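As an added illustration (not FortiNAC's own code) of the per-partition evaluation described for the two Hard Disk Usage events, the following evaluates each partition on its own against the default 85% warning and 95% critical thresholds; the partition names and the used/allocated inputs are constructed assumptions.

```python
# Added illustration, not FortiNAC code: mirrors the documented rule that the
# Hard Disk Usage Warning/Critical thresholds are percentages evaluated per
# partition (bsc and var) and are never combined across partitions.

WARNING_DEFAULT = 85   # default Hard Disk Usage Warning threshold (percent)
CRITICAL_DEFAULT = 95  # default Hard Disk Usage Critical threshold (percent)


def partition_usage_percent(used: int, allocated: int) -> float:
    """Usage of a single partition as a percentage of the space allocated to it."""
    if allocated <= 0:
        raise ValueError("allocated space must be positive")
    return 100.0 * used / allocated


def disk_usage_events(partitions, warning=WARNING_DEFAULT, critical=CRITICAL_DEFAULT):
    """Return the events raised for a set of partitions.

    partitions: mapping of partition name -> (used, allocated), e.g.
    {"bsc": (90, 100), "var": (40, 100)} (constructed sample values).
    Each partition is judged independently: at or above the critical
    threshold it raises "Hard Disk Usage Critical", otherwise at or above the
    warning threshold it raises "Hard Disk Usage Warning". Percentages are
    never summed, so two partitions whose percentages add up past a threshold
    raise nothing unless one of them crosses it on its own.
    """
    events = []
    for name, (used, allocated) in partitions.items():
        pct = partition_usage_percent(used, allocated)
        if pct >= critical:
            events.append(("Hard Disk Usage Critical", name, round(pct, 1)))
        elif pct >= warning:
            events.append(("Hard Disk Usage Warning", name, round(pct, 1)))
    return events


if __name__ == "__main__":
    # Constructed sample: var is fine, bsc has reached the warning threshold.
    print(disk_usage_events({"bsc": (85, 100), "var": (40, 100)}))
```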

Host Aged Out: Host has been removed from the database based on the time or expiration date on the associated Host Properties window. See Properties on page 133.

Host Application Violation: Generated against a FortiNAC host based on the IP, MAC, or ID information contained within an Application Violation trap. If IP, MAC address, or user ID match any records in the FortiNAC database, this event is generated. See Application Violation in this list.

Host Application Violation Reset: Generated against a FortiNAC host based on the IP, MAC, or user ID information contained within an Application Violation Reset trap. If IP, MAC address, or user ID match any records in the FortiNAC database, an event is generated. The reset event occurs when the host is no longer in violation. See Application Violation in this list.

Host At Risk: An administrative user marked a selected host At Risk or the host failed a scan.

Host At Risk Failure / Host At Risk Success: Indicates whether an alarm action triggered by an At Risk host succeeded or failed.

Host At Risk Status Not Enforced: Generated whenever a host fails a scan, but it is not enforced.

Host CLI Task Success / Host CLI Task Failure: Indicates whether or not the CLI commands associated with host/adapter based ACLs have been successful.

Host Connected: Generated whenever a registered host connects to the network.

Host Copied From NCS: In an environment where multiple FortiNAC appliances are managed by a FortiNAC Manager, hosts and their corresponding information can be copied from one appliance to another based on settings in the FortiNAC Manager under System > Settings > Network Control Manager > Server Synchronization. When hosts are copied from one appliance to another this event is generated.

Host Created: Generated whenever a host is created.

Host Destroyed: Generated whenever a host is destroyed.

Host Disassociated: Generated whenever a host is destroyed.

Host Disconnected: Generated whenever a registered host disconnects from the network.

Host Identity Changed: Indicates that a registered host's name or operating system has changed since the last time it was read by the Persistent Agent or Dissolvable Agent, and that it is possibly a dual boot device. This could also indicate MAC spoofing. An operating system change, such as an upgrade, could also trigger this event.

Host Pending At Risk: A host failed a scan for an endpoint compliance policy. The policy was configured for delayed remediation indicating that hosts that fail the scan are not sent to remediation for x number of days. The event is generated when the host is marked Pending At Risk. Scan status "Failure Pending" triggers this event.

Host Registration Failure / Host Registration Success: Host has gone to the Registration page and the user attempted to register the host. Indicates whether the registration succeeded or failed.

Host Rejected - No MAC: Host rejected because it is missing a MAC address.

Host Rejected - No VLAN: Host rejected because there is no VLAN defined for the current state.

Host Safe: Generated when a user goes to System > Settings > Control > Quarantine. On the Quarantine view there is a button that allows the user to mark all hosts as Safe. If this button is clicked the event is generated for each host that was affected.

Host Safe Failure / Host Safe Success: Indicates whether or not an alarm action associated with marking a host as safe has failed. See Host Safe on page 310 in this list.

Host Session Logged On / Host Session Logged Off: Agent has detected that the user has logged on or off the host. Applies only to Windows hosts.

Incomplete User Found in Directory: FortiNAC requires the Last name and ID fields for each user. If either of those fields is missing, the user record is incomplete.

Interface Status Failure / Interface Status Success: Indicates whether or not the Update interface status scheduled task was successful. The task reads and updates the interface status for each port on the devices in the associated groups.

Internal Scheduled Task Failure / Internal Scheduled Task Success: Indicates whether or not a scheduled task has failed. The name of the task is provided.

Invalid Physical Address: The MAC address of the specified host or device is not recognized by FortiNAC because the corresponding vendor OUI is not in the FortiNAC database. Update the vendor OUI database either manually or by using Auto-Def Updates.

L2 Poll Failed / L2 Poll Succeeded: Indicates whether or not FortiNAC successfully contacted the device to read the list of connected hosts.

L3 Poll Failed / L3 Poll Succeeded: Indicates whether FortiNAC successfully read IP address mappings from a device.

Load In Limit Exceeded: No longer used. Max % In setting on the Bandwidth window has been met or exceeded.

Load In Limit Rearmed: No longer used. After the first "Load In Limit Exceeded" event occurs the server does not generate a "Load In Limit Rearmed" event until the percentage of bandwidth bytes in falls below the Rearm % In value.

Load Out Limit Exceeded: No longer used. Max % Out setting on the Bandwidth window has been met or exceeded.

Load Out Limit Rearmed: No longer used. After a "Load Out Limit Exceeded" event occurs the server creates a "Load Out Limit Rearmed" event once the percentage of bytes out falls below the Rearm % Out value.

Lost Contact with Persistent Agent: This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:
- Wired network devices are being polled at a regular interval (typically 1 hour).
- Wired network devices are sending either Link Up/Link Down or MAC Notification traps.
- Wireless devices are being polled at a regular interval (typically 15 minutes).

MAC Learned: Generated when MAC Notification "MAC Add" or "MAC Move" syslog messages/SNMP traps are received from supported devices. Occurs when the switch has added to its forwarding table the MAC address of a connecting host. Note: Not generated for infrastructure devices (such as Access Points).

MAC Removed: Generated when MAC Notification "MAC Delete" or "MAC Move" syslog messages/SNMP traps are received from supported devices. Occurs when the switch has removed the MAC address of a host that has disconnected. Note: Not generated for infrastructure devices (such as Access Points).

MAC change event on uplink: This event is generated when a MAC notification trap is received for a port in FortiNAC that is any of the uplink types.

Management Established: Generated when management of a device is established.

Management Lost: Generated when management of a device is lost.

Map IP to MAC Failure / Map IP to MAC Success: No longer used. Mapping IP addresses to physical addresses for a selected group using a scheduled task failed or succeeded.

Maximum Blacklist Clear Attempts Reached: Maximum number of attempts to remove a host from a controller's blacklist have been reached and the host remains on the blacklist.

Maximum Concurrent Physical Address Warning: No longer used. Generated when host connections exceed 6000 or 12000 depending on the size of the appliance.

Maximum Concurrent Connections Critical: Concurrent connection licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable. See Event thresholds on page 324.

Maximum Concurrent Connections Exceeded: Concurrent connection licenses in use has reached 100% of total licenses.

Maximum Concurrent Connections Warning: Concurrent connection licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable. See Event thresholds on page 324.

Maximum Guest/Contractor Critical: No longer used. Guest manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Guest/Contractor Exceeded: No longer used. Guest manager licenses in use has reached 100% of total licenses.

Maximum Guest/Contractor Warning: No longer used. Guest manager licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Hosts Critical: No longer used. Access Manager licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Host Warning: No longer used. Access Manager licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Hosts Exceeded: No longer used. Access Manager licenses in use has reached 100% of total licenses. No new accounts can be created.

Maximum Known Device Critical: No longer used. Device Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum Known Device Warning: No longer used. Device Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Known Devices Exceeded: No longer used. Device Tracker licenses in use has reached 100% of total licenses.

Maximum User Critical: No longer used. Shared Access Tracker licenses in use has reached or exceeded 95% of total licenses. Threshold is configurable.

Maximum User Warning: No longer used. Shared Access Tracker licenses in use has reached or exceeded 75% of total licenses. Threshold is configurable.

Maximum Users Exceeded: No longer used. Shared Access Tracker licenses in use has reached 100% of total licenses.

Maximum Blacklist Clear Attempts Reached: Generated when the maximum number of attempts to remove a MAC address from a device's black list has been exceeded. Currently the maximum is set to 3 attempts.

MDM Host Created: Host was added to the database from MDM import.

MDM Host Destroyed: Host is deleted from the database because it is no longer found on a poll of the MDM. This can occur if the corresponding record in the MDM database was either removed or disabled. The "Remove Hosts Deleted from MDM Server" option in MDM services must be enabled.

MDM Poll Failure: MDM poll did not complete.

MDM Poll Success: MDM poll completed.

MDM Host Compliance Failed: Host failed MDM scan.

MDM Host Compliance Passed: Host passed MDM scan.

Memory Usage Critical: Generated when the memory usage critical threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 95%. Threshold is configurable. See Event thresholds on page 324.

Memory Usage Warning: Generated when the memory usage warning threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default = 85%. Threshold is configurable. See Event thresholds on page 324.

Message: Cabletron/Enterasys Event Log Message. OID = 1.3.6.1.4.1.52.1280

Multi-Access Point Detected: Generated when multiple MAC addresses are detected on a port. However, if the port is in the Authorized Access Points group an event is not generated. See Network Device.

NAT Device Registered: Generated when a NAT Device (router) is registered.

Nitro Security Violation, Nitro Threat Level 1 - 6: Generated based on traps received from the NitroGuard Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory.

No CDP Announcement: Generated when a device that has sent at least one CDP announcement has stopped sending those announcements. This is based on the polling time set for the device. For example, if the poll time is one hour, a new event message is sent each time the hour elapses with no message from the device.

Operating System Is Up to Date: Indicates that there are no new updates available after the operating system update status task is run (1pm every Sunday, by default).

Operating System Status Check Failure: Indicates that the operating system update check failed due to multiple running checks. This may be caused by a configuration or network issue.

Operating System Update Initiated: Indicates that an operating system update was started from the admin UI. See Description on page 1.

Operating System Updates Available: Indicates that there are updates available after the operating system update status task is run (1pm every Sunday, by default).

Packeteer Configuration Failure, Packeteer Configuration Success: No longer used. Indicates whether or not communication has been established with the Packeteer PacketShaper software after Packeteer has been modeled in the Inventory.

Packeteer Monitor: If PacketShaper has been configured to generate threshold violation events and a threshold violation occurs, the event triggers an SNMP trap from PacketShaper to FortiNAC. This trap causes FortiNAC to generate a Packeteer Monitor event.

Packeteer Monitor 2: No longer used. If a Packeteer product has been configured to generate events for OID 13.6.1.3.6.1.4.1.2334.1.1 and the event triggers an SNMP trap from the Packeteer to FortiNAC, this trap causes FortiNAC to generate a Packeteer Monitor 2 event.

Persistent Agent Communication Resumed: Persistent Agent Contact Status has been restored to normal. This event is only generated on hosts running Persistent Agent 4.0 or better.

Persistent Agent Not Communicating: This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:
- Wired network devices are being polled at a regular interval (typically 1 hour).
- Wired network devices are sending either Link Up/Link Down or MAC Notification traps.
- Wireless devices are being polled at a regular interval (typically 15 minutes).
This event is only generated on hosts running Persistent Agent 4.0 or better.

Persistent Agent Scan Not Performed: This event can only be generated accurately when FortiNAC has up-to-date network connectivity data (in order to determine a host's online status). This requires the following:
- Wired network devices are being polled at a regular interval (typically 1 hour).
- Wired network devices are sending either Link Up/Link Down or MAC Notification traps.
- Wireless devices are being polled at a regular interval (typically 15 minutes).

Policy Warning: Host was scanned by an endpoint compliance policy. The host does not meet all of the scan requirements, but the scan rules state that a warning be issued instead of making compliance a requirement. Scan status "Warning" triggers this event.

Poll For Hosts Failure, Poll For Hosts Success: No longer used. Indicates whether a scheduled task to poll switches for hosts has succeeded or failed. Switches are contained in a device group and that group is polled.

Port CLI Task Failure, Port CLI Task Success: Indicates whether a CLI configuration applied to a port ran and failed or succeeded.

Port in Authorized Access Points Group: Failed to enable/disable port because it is in the Authorized Access Points group.

Port Link Down, Port Link Up: Trap received from the switch each time there is a link up or a link down on a port. Link up and link down happen each time a host is switched from one VLAN to another.

Port Security Incomplete: Maximum number of users on a port has been reached.

Port Segmented: Trap received from an Enterasys or Cabletron switch indicating that a link is down. This port may have been logically disconnected due to an excessive collision level or it may be physically disconnected.

Port Uplink Configuration Modified: An administrator modified the uplink setting of a port. The switch name, port and administrator are included in the event.

Port in Authorized Access Points Group: Scheduled task for a port in the Authorized Access Points group failed.

Possible MAC address Spoof: Indicates that the same MAC address has been detected on two different devices simultaneously. One is possibly spoofing the other's MAC address. This event is generated based upon the value of the MAC Spoof Time Delay configured under System > Settings > Network device. See Network device for details.
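As an added illustration of the condition the Possible MAC address Spoof row describes (this is not FortiNAC's implementation), the sweep below runs over constructed host-connection sightings and reports a MAC address that is seen on two different devices within a time delay, while ignoring a host that merely moves between ports of the same device. The sighting record layout, device names and delay values are assumptions.

```python
"""Added example: flag one MAC address seen on two different devices within a
configurable time delay.  Not FortiNAC code; record layout is assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sighting:
    seen_at: datetime
    mac: str
    device: str   # switch or wireless controller that reported the address
    port: str     # port or AP on that device


def normalize_mac(mac: str) -> str:
    """Fold colon, dash and Cisco dotted notations into one canonical form so
    the same address reported by two vendors is not treated as two addresses."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def possible_spoofs(sightings: List[Sighting],
                    spoof_time_delay: timedelta) -> List[Tuple[str, str, str]]:
    """Return (mac, device_a, device_b) for every MAC reported by two distinct
    devices with sightings no further apart than spoof_time_delay.  A host that
    changes ports on the same device is not reported.  A legitimate roam inside
    the window also matches, which is why the delay is a tunable setting."""
    by_mac: Dict[str, List[Sighting]] = {}
    for s in sightings:
        by_mac.setdefault(normalize_mac(s.mac), []).append(s)

    findings = set()
    for mac, seen in by_mac.items():
        seen.sort(key=lambda s: s.seen_at)
        for i, first in enumerate(seen):
            for later in seen[i + 1:]:
                if later.seen_at - first.seen_at > spoof_time_delay:
                    break  # sorted by time, so the rest are further apart
                if later.device != first.device:
                    findings.add((mac, first.device, later.device))
    return sorted(findings)


# Constructed sample data.
_T0 = datetime(2023, 3, 10, 10, 0, 0)
SAMPLE = [
    Sighting(_T0, "aa:bb:cc:dd:ee:01", "switch-1", "Gi1/0/3"),
    Sighting(_T0 + timedelta(seconds=20), "AABB.CCDD.EE01", "switch-2", "Gi1/0/7"),
    Sighting(_T0, "aa:bb:cc:dd:ee:02", "switch-1", "Gi1/0/4"),
    Sighting(_T0 + timedelta(seconds=5), "aa:bb:cc:dd:ee:02", "switch-1", "Gi1/0/9"),
    Sighting(_T0, "aa:bb:cc:dd:ee:03", "switch-1", "Gi1/0/5"),
    Sighting(_T0 + timedelta(minutes=10), "aa-bb-cc-dd-ee-03", "wlc-1", "ap-12"),
]

if __name__ == "__main__":
    for finding in possible_spoofs(SAMPLE, timedelta(seconds=60)):
        print("Possible MAC address Spoof:", finding)
```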


Possible NAT Device, MAC Spoofed: This event has been replaced with NAT Device Registered. It remains visible to allow you to restore an old backup and view occurrences of this event. See NAT Device Registered on page 314 in this list.

Possible NAT User: Generated on each host. One per MAC address on the NATd host. For example, if a host has both a wired and wireless connection, an event is generated for each.

Process Memory Usage Critical: Generated when the memory usage critical threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 95%.

Process Memory Usage Warning: Generated when the memory usage warning threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default = 85%.

Process Thread Count Critical: Generated when the process thread count critical threshold is reached. This threshold is a specific number of threads the process is using. Default = 575. This event is disabled by default. The threshold will dynamically increase by 25 for every 8 CPU cores that are added.

Process Thread Count Warning: Generated when the process thread count warning threshold is reached. This threshold is a specific number of threads the process is using. Default = 500. This event is disabled by default. The threshold will dynamically increase by 25 for every 8 CPU cores that are added.

Profile Modified: Generated when a user modifies a user/host profile. Event message contains user information for the user who made the change, whether the change was an add, remove or replace, and the complete profile after the changes.

RADIUS Rate Exceeded: Generated when the 60 requests-per-second threshold is exceeded. This event is disabled by default.

RADIUS Time Threshold: Indicates that the time threshold for a response from the RADIUS server has been exceeded. This threshold is not configurable.

Regained Contact with Persistent Agent: Host has regained contact with the Persistent Agent.

Remote Access Excessive Session Process Time: Generated when the time to process the remote client exceeds a threshold (set through the "MaxClearTime" attribute on the ASA device).

Reports Purged: Lists the file names of all reports that were deleted when reports were purged from the /home/cm/reports directory.

REST API Failure: Error when FortiNAC tries to communicate with the device using REST API.

SNMP Failure: Generated when FortiNAC receives an SNMP failure during communication with an SNMP enabled Network Device. This includes any error message received from the SNMP packet.


SNMP Read Error: Did not receive all data when reading a switch using SNMP. Device name and error code are included in the event message.

Scan Does Not Exist For Scheduler Task: FortiNAC has attempted to run a scan using a scheduled task. The scan referred to in the task no longer exists in the database. You must either recreate the scan or remove the scheduled task from the scheduler.

Secondary Contact Lost: Event triggered when the primary loses contact with the secondary.

Service Down - Tomcat Admin, Service Down - Tomcat Portal, Service Down - dhcpd, Service Down - httpd, Service Down - mysqld, Service Down - named, Service Down - sshd: Event triggered when a specific service is no longer running. These services are required. FortiNAC tries to restart the service every 30 seconds. In a high availability environment, failover occurs after the fourth failed restart attempt. For the httpd service: after the system confirms that the httpd service is running, the system also attempts to connect to ports 80 and 443. If the system fails to connect to either port, the httpd service is restarted. If the primary is unable to communicate with the secondary to confirm it is running, service down will not trigger a failover.

Service Started - Tomcat Admin, Service Started - Tomcat Portal, Service Started - dhcpd, Service Started - httpd, Service Started - mysqld, Service Started - named, Service Started - sshd: Event triggered when one of the listed services is started. These services are required and must be running in order to use FortiNAC.

Service Down - Analytics Agent: Event triggered when the service is down and it is required for FortiNAC to send data to Analytics.

Service Down - Radius, Service Down - Samba, Service Down - Winbind: Event triggered when one of the listed services is no longer running and it is required for the RADIUS Manager.

Service Started - Analytics Agent: Event triggered when the service is started. This service is required and must be running in order to use Analytics.

Service Started - Radius, Service Started - Samba, Service Started - Winbind: Event triggered when one of the listed services is started. These services are required in order to use RADIUS Manager.

Set Default VLAN Failure, Set Default VLAN Success: When a host disconnects from a port, the port can be set to return to its default VLAN. Indicates whether or not the port successfully returns to the default VLAN.

Sophos AntiVirus: Virus Found: Sophos AntiVirus can be configured to send traps to FortiNAC when a virus is found on a host. Host information is included in the trap. If a Sophos Trap is received, this event is generated.


Sourcefire Error, Sourcefire IPS Action, Sourcefire IPS High Violation, Sourcefire IPS Low Violation, Sourcefire IPS Medium Violation: Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. Sourcefire IPS Action: Indicates that an action has been triggered by a syslog message from Sourcefire.

SSL Connection Failure: Device failed to establish trust when connecting to FortiNAC. Must have SSL Certificate Verification option enabled. See Credentials. The event includes the following information:
- Reason for failure
- Missing issuer's DN if failure is due to certification chain/path error.
Certification chain failure example:
SSL connection failure for device FGT-3PI-TEST-1 with message SSL certificate is not trusted: Missing Issuers EMAILADDRESS=myemail@mydomain.com, CN=FGTxxxxxxxxxxxxx, OU=Certificate Authority, O=Fortinet, L=Sunnyvale, ST=California, C=US

StealthWatch: SNMP trap has been sent from a StealthWatch device. OID = 1.3.6.1.4.1.8712

StealthWatch Email Rejects: Host is receiving a significant number of rejected mail attempts.

StealthWatch Email Relay: Host is operating as an email relay.

StealthWatch High Concern: A host has exceeded the Concern Index threshold set for it. This usually means that an inside host is no longer operating as it was during the tuning period and should be examined for possible compromise, misuse, or policy violations. An external host with a High Concern index is often attempting to violate your network integrity.

StealthWatch High File Sharing: Host is transferring files.

StealthWatch High Volume Email: Host is infected with an email worm.

StealthWatch Max Flows Initiated: Host has had an excessive number of total flows active.

StealthWatch New Flows: Indicates that a host exceeds a total number of new flows in a 5-minute period.

StealthWatch Port Flood: The host has attempted to connect on an excessive number of ports on the Target IP. This may indicate a DoS attack or an aggressive scan by the source IP.

StealthWatch SYN Flood: The host has sent an excessive number of TCP connection requests (SYN packets) in a 5-minute period. This may indicate a DoS attack or non-stealthy scanning activity.

StealthWatch Suspect Long Flow: Host has a long duration flow.


StealthWatch Worm Activity: A host has scanned and connected on a particular port across more than one subnet. The details section of this alarm specifies the port on which the activity was observed.

StealthWatch Worm Propagation: Host has scanned and connected on port 5 across more than 1 subnet.

StealthWatch Zone Violations: Host has connected to a server in a zone that it is not allowed to access.

StoneGate IPS High Violation, StoneGate IPS Low Violation, StoneGate IPS Medium Violation: Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog Management.

StoneGate Violation: Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog Management.

Success Disabling Port Security, Success Enabling Port Security: Generated when the Enable or Disable HP/NT Port Security scheduled task runs successfully. This task enables or disables port security configuration on all HP/NT devices in the selected group. Port Security is used to disable hosts if DeadEnd VLANs are not used on the network.

Sync Initiated: (FortiNAC versions 9.1.3 and above) Generated when a synchronization of servers by Control Manager has been triggered. Provides server IP, the user who triggered the sync and status.

Synchronize Users with Directory Failure, Synchronize Users with Directory Success: Indicates whether or not the FortiNAC user database has successfully synchronized with the selected directory such as LDAP or Active Directory. These events are triggered by the failure or success of the scheduled synchronization set up on the Directory Configuration window. See Configuration on page 369.

Syslog Error: Generated when the FortiNAC server receives an inbound syslog message for a host that is not currently managed by FortiNAC.

System Backup Failure, System Backup Success: Indicates whether a system backup has succeeded. The system backup is run by a scheduled task. The system backup may succeed, but will still fail if remote backup is enabled and fails. It is recommended that you create an alarm action to send an email if system backup fails.

System Created Uplink: If Uplink Mode on a Port's properties is set to Dynamic, FortiNAC converts the port to an uplink port when the number of MAC addresses on the port exceeds the System Defined Uplink count and generates this event.

System Fail Over: In a high availability environment, this event indicates that the primary server has failed and the secondary has taken over.

System Power Off: Indicates that the user specified in the event message powered off the FortiNAC server. See Power management on page 407.

System Reboot: Indicates that the user specified in the event message rebooted the FortiNAC server. See Power management on page 407.


System Automatically Restarted: Server was restarted because a primary system process was down. Processes include: MasterLoader, IP to MAC, Communication and Nessus. This event was System Restart in prior versions.

TippingPoint SMS High Violation, TippingPoint SMS Low Violation, TippingPoint SMS Medium Violation: Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog Management.

Top Layer IPS High Violation, Top Layer IPS Low Violation, Top Layer IPS Medium Violation: Generated based on syslog events received from an Intrusion Protection/Detection system on your network. The IPS/IDS must be modeled in your Inventory. See Syslog Management.

Unauthorized SSID/VLAN: No longer used.

Unauthorized Connection from FortiNAC Appliance: Enabled by default. An untrusted FortiNAC appliance whose license key contains a Fortinet-issued certificate is attempting to communicate. Probable cause: Configuration for inter-server communication is incomplete. See KB article https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Communication-between-servers-stops-after/ta-p/251200.

Unauthorized Connection from Legacy FortiNAC Appliance: Enabled by default. An untrusted FortiNAC appliance using a self-signed certificate is attempting to communicate. Self-signed certificates are used with older appliances that do not have license keys with Fortinet-issued certificates. Probable cause: Configuration for inter-server communication is incomplete. See KB article https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Communication-between-servers-stops-after/ta-p/251200.

Unknown User in Group: No longer used.

Unsupported Trap: Generated when FortiNAC receives a trap that it cannot interpret from a device. The device's OID is included in the event.

Update SSID Failure, Update SSID Success: SSID assignment scheduled task maps VLAN IDs to SSIDs. Event indicates whether or not the task succeeded.

Update VLAN ID Failure, Update VLAN ID Success: Update Default VLAN Values scheduled task sets the Default VLAN value for the port in the FortiNAC device model to the value entered in the scheduled task. Event indicates whether or not the task succeeded.

User Aged Out: User has been aged out of the database based on the data stored in the Age Time section of the User Properties view.

User Created, User Destroyed: Network user created in or deleted from the database. This is a non-administrative user.


User not NATd: This event is generated on each host that had previously been NATd but is not any longer. One per MAC address on the NATd host. For example, if a host has both a wired and wireless connection, an event is generated for each.

Users Removed From Directory: User has been removed directly from a directory, such as LDAP. When the FortiNAC user database is synchronized with the directory this discrepancy triggers the event. If Remove User is selected on your directory configuration, the missing user is removed from the FortiNAC database.

Valid DHCP Server: Generated when FortiNAC has verified that the DHCP server is running a valid DHCP server application.

Vendor OUI Added: Generated when a new vendor OUI has been added to the database.

Vendor OUI Removed: Generated when a vendor OUI was removed from the database.

VLAN Switch Failure: VLAN failed to change for port X.

VLAN Switch Success: VLAN was changed successfully for port X.

Vulnerability Scan Failed: Generated when the host failed the vulnerability scan.

Vulnerability Scan Finished: Generated when the vulnerability rescan has finished.

Vulnerability Scan Ignored: Generated when scan results from the vendor include hosts that were added to the Vulnerability Exceptions Group, indicating which hosts were ignored. Hosts in this group are allowed onto the network, regardless of scan results.

Vulnerability Scan Incomplete: FortiNAC polls the vendor for scan results for a configured scan, but scan results are unavailable because the scan was not run by the vendor.

Vulnerability Scan Passed: Generated when the host passed the vulnerability scan.

Vulnerability Scan Removed: A vulnerability scan that was added to FortiNAC was removed from the vulnerability scanner.

Vulnerability Scan Request Refused (Qualys Integration only): The IP address targeted by a rescan is not included in the list of Qualys asset IPs.

Vulnerability Scan Skipped: The vulnerability scanner has not run the scan since FortiNAC previously polled it, so FortiNAC skipped the scan during processing.

Vulnerability Scan Started: Generated when the vulnerability rescan has started.

Vulnerability Scanner Concurrent API Limit Exceeded (Qualys Integration only): Exceeded the limit that is set for the number of requests that can be processed concurrently.

Vulnerability Scanner Connection Failure: The connection to the vulnerability scanner has failed.

Vulnerability Scanner Deleted: A vulnerability scanner was deleted from FortiNAC.

Vulnerability Scanner Periodic API Limit Exceeded (Qualys Integration only): Qualys rejected an API request because the periodic API limit has been exceeded. The event message includes the number of seconds until the scanner will accept an API request.

Event management

Event management allows you to specify which events to generate and whether to log the event records on another
server in addition to the local appliance. You can limit the number of events generated by selecting a group for each
event. Event messages are only created when the event occurs within the specified group.
Specify threshold values for the self-monitoring events by clicking Event Thresholds. These thresholds affect the
Performance Summary Panel on the dashboard. They can be edited here or from the Performance Summary Panel.
See System Performance on page 33 for additional information.
Some events are generated frequently and may not be necessary for day to day operations. Review the list of events
and determine which ones to enable to provide you with the most useful feedback. You may choose to enable an event
for a short period of time, such as to find a particular host when it connects to the network. See the example below for a
scenario in which enabling a particular event might be useful.

Example: Finding a stolen device

This is a scenario for locating a stolen or missing host:


1. Create a group that contains only the information for that host (including all wired and wireless sibling records).
2. Enable the host connected event for the new group. When the stolen host connects to the network through the wired
or wireless connection, a host connected event is generated.
3. Map the host connected event to an alarm to receive a notification that the host has connected. You may also take
an action against that host if you specified one in the mapping.
4. When you are notified that the stolen host has connected to the network, use the Host View to determine the device
and port to which this host is connected.
Events are generated for all components, such as devices, hosts or ports, unless you reduce the output by selecting a
specific group. See Events and alarms list on page 302 for event definitions.
Events can be sent to an external log host. See Log events to an external log host on page 325.

Settings

Fields used in filters are also defined in this table.

Field Definition

Event Thresholds: Opens the Event Thresholds dialog to set thresholds to monitor license usage, memory usage, process thread counts, and disk space. Exceeding these thresholds generates specific events. See Event thresholds on page 324.

Events

Log: Indicates the state of the selected event and where it will be logged if it is generated.
- Disabled: Event is disabled and will not be generated or logged anywhere.
- Internal: Logs only to an internal events database.
- External: Logs only to an external host.
- Internal & External: Logs both to an internal events database and an external host.

Event Name: Name of the event.


Group: Group name of a group of elements, such as port group, device group or user group used to limit generation of the selected event to the items in the group. If set to All Groups, then the event is generated for all items, such as ports, devices, hosts or users. If no group is displayed, an event is generated for the system, and not a specific item.

Group Type: Indicates whether this event applies to a group of ports, devices, hosts, users or administrators.

Last Modified By: User name of the last user to modify the event.

Last Modified Date: Date and time of the last modification to this event.

Right click options

Modify Group: Opens the Modify Group window.

Show Audit Log: Opens the admin auditing log showing all changes made to the selected item. For information about the admin auditing log, see Audit Logs on page 298. You must have permission to view the admin auditing log. See Add an administrator profile on page 55.

Disable Logging: Disables the event. The event will not be generated or logged anywhere.

Log Internal: Logs the event only to an internal events database.

Log External: Logs the event only to an external host.

Log Internal & External: Logs the event to both an internal events database and an external host.

Buttons

Export: Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or RTF. See Export data on page 1.

Options: Allows you to change the log or group setting for one or more selected events.

Modify Group: Change the group setting for one or more selected events.

Enable and disable events

Use the event management window to select which events will be logged.


Events for the system

1. Click Logs > Events & Alarms > Management.
2. Use the Filters to locate the appropriate event. Refer to Event management on page 322 for filter settings.
   a. To enable an event, select one or more events and click Options. Select one of the following:
      - Internal: Logs only to an internal events database.
      - External: Logs only to an external host.
      - Internal & External: Logs both to an internal events database and an external host.
      Any event that is logged is enabled.
   b. To disable an event, select one or more events and click Options. Select Disable Logging.

To log events on an external log host, you must first add the log host to FortiNAC. See Log events to an external log host on page 325 for instructions.

Events for a specific group

Logging events for a specific group limits the number of times the event is generated. The event will only be generated
for members of the selected group.
1. Click Logs > Events & Alarms > Management.
2. Use the filters to locate the appropriate event. Refer to Event management on page 322 for filter settings.
3. Select one or more events and click Options. Choose one of the logging options to enable the event.
4. Click Modify Group.
5. Click in the Group drop-down box and select the group for which this event will be enabled.
6. Click OK.

Event thresholds

This option allows you to monitor license usage, memory usage, process thread counts, and disk space, and establish
thresholds for the processes and hard drives. Each process type has its own thread count and maximum memory
allocations. The percentages in the thresholds are not relative to the total memory available on the appliance; they are
relative to the maximum amounts of memory that each loader process is allowed to consume.
View the memory allocated to each process in the Performance panel on the dashboard. The number of threads used by
the process is also contained in the panel. See System Performance on page 33.
When a threshold is exceeded, an event is generated. Each event has an associated alarm which is mapped by default.
Each specific event or alarm mapping is configured so that multiple events for a specific process or threshold results in a
single alarm. Modify the default mappings in Event to Alarm Mappings. You can also configure a specific action, such as
email notification. See Map events to alarms on page 334 for details.

Settings

Threshold Description

License thresholds


Concurrent Licenses Warning/Critical: Generated when the license usage threshold is reached. This threshold is a percentage of the total number of licenses configured. Default Warning = 75%. Default Critical = 95%.

Hardware thresholds

Hard Disk Usage Warning / Critical: Generated when the disk usage threshold is reached. This threshold is a percentage of the space allocated for the bsc and var partitions. The percentage is calculated for each partition separately. When any one partition reaches the threshold the event is generated. Thresholds calculated for individual partitions are never combined. Therefore if the combined total crosses the threshold, no event is generated. Default Warning = 85%. Default Critical = 95%.

Memory Usage Warning / Critical: Generated when the memory usage threshold is reached for the appliance. This threshold is a percentage of the total allocated memory. Default Warning = 85%. Default Critical = 95%.

Network Topology Size Warning / Critical: Generated when the system sizing tool detects that the appliance has reached the threshold for possible connections. This threshold is a percentage of the total connections that the appliance can manage. Default Warning = 85%. Default Critical = 95%.

Software thresholds

Process Thread Count Warning / Critical: Generated when the process thread count threshold is reached. This threshold is a specific number of threads the process is using. MasterLoader: Default Warning = 500. Default Critical = 575. Nessus: Default Warning = 100. Default Critical = 125.

Process Memory Usage Warning / Critical: Generated when the memory usage threshold is reached for the process. This threshold is a percentage of the total allocated memory. Default Warning = 85%. Default Critical = 95%.
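The threshold rules above (disk measured per partition and never combined, process memory measured against the process's own allocation rather than appliance memory, absolute thread counts per process type, critical taking precedence over warning) are shown in working form below. This is an added illustration, not FortiNAC code; the default values are the ones quoted in the table, while the reading layout and the sample numbers are constructed assumptions.

```python
"""Added illustration of the self-monitoring threshold rules described on this
page; not FortiNAC code.  Defaults come from the page, the Reading layout and
the sample numbers are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default (warning, critical) pairs quoted on the page.
DEFAULTS = {
    "Concurrent Licenses": (75, 95),    # percent of the licenses configured
    "Hard Disk Usage": (85, 95),        # percent, evaluated per partition
    "Memory Usage": (85, 95),           # percent of the appliance allocation
    "Process Memory Usage": (85, 95),   # percent of the process's own allocation
    "Process Thread Count": {           # absolute thread counts, per process type
        "MasterLoader": (500, 575),
        "Nessus": (100, 125),
    },
}


@dataclass
class Reading:
    """One snapshot of what the monitor evaluates (constructed layout)."""
    licenses_used: int
    licenses_total: int
    partitions: Dict[str, Tuple[int, int]]       # name -> (used, allocated)
    memory_used: int
    memory_allocated: int
    processes: Dict[str, Tuple[int, int, int]]   # name -> (mem used, mem allocated, threads)


def level(value: float, warning: float, critical: float) -> Optional[str]:
    """Critical takes precedence over warning; None means neither is reached."""
    if value >= critical:
        return "Critical"
    if value >= warning:
        return "Warning"
    return None


def pct(used: float, allocated: float) -> float:
    return 100.0 * used / allocated


def evaluate(reading: Reading, thresholds=DEFAULTS) -> List[str]:
    """Return the event names that this reading would generate."""
    events: List[str] = []

    warn, crit = thresholds["Concurrent Licenses"]
    lvl = level(pct(reading.licenses_used, reading.licenses_total), warn, crit)
    if lvl:
        events.append(f"Concurrent Licenses {lvl}")

    # Each partition (bsc, var) is measured on its own; the figures are never
    # combined, so two partitions both just under the threshold raise nothing.
    warn, crit = thresholds["Hard Disk Usage"]
    for name, (used, allocated) in reading.partitions.items():
        lvl = level(pct(used, allocated), warn, crit)
        if lvl:
            events.append(f"Hard Disk Usage {lvl} ({name})")

    warn, crit = thresholds["Memory Usage"]
    lvl = level(pct(reading.memory_used, reading.memory_allocated), warn, crit)
    if lvl:
        events.append(f"Memory Usage {lvl}")

    # Process memory is relative to the maximum that process may consume, not
    # to appliance memory; thread counts are absolute and only checked for
    # process types that have a configured pair.
    mem_warn, mem_crit = thresholds["Process Memory Usage"]
    thread_limits = thresholds["Process Thread Count"]
    for name, (mem_used, mem_allocated, threads) in reading.processes.items():
        lvl = level(pct(mem_used, mem_allocated), mem_warn, mem_crit)
        if lvl:
            events.append(f"Process Memory Usage {lvl} ({name})")
        if name in thread_limits:
            lvl = level(threads, *thread_limits[name])
            if lvl:
                events.append(f"Process Thread Count {lvl} ({name})")
    return events


# Constructed sample: licenses at 80%, var partition nearly full, MasterLoader
# at its memory ceiling and over the thread warning, Nessus over its thread critical.
SAMPLE = Reading(
    licenses_used=80, licenses_total=100,
    partitions={"bsc": (40, 100), "var": (96, 100)},
    memory_used=900, memory_allocated=1000,
    processes={"MasterLoader": (950, 1000, 520), "Nessus": (50, 100, 130)},
)

if __name__ == "__main__":
    for event in evaluate(SAMPLE):
        print(event)
```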

Set thresholds for self-monitoring events

1. Click Logs > Events & Alarms > Management.


2. Click the Event Thresholds button at the top of the window.
3. Click the License Tab. Enter the value for the warning and critical levels of the license usage.
4. Click the Hardware Tab. Enter the value for the warning and critical levels of the hardware thresholds for hard disk
and memory usage.
5. Click the Software Tab. Enter the value for the warning and critical levels of the software thresholds for each
system process.
6. Click OK.

Log events to an external log host

To log events on an external log host, you must first add the log host to the Log Receivers View. Once you have added the log host server, configure the events to be logged externally on the Event Management View. The events will be sent as Syslog messages or SNMP Traps.

Add a server

1. Click System > Settings.


2. In the tree on the left select System Communication > Log Receivers.
3. Click Add to add a log host.
4. Select the type of server.
5. Enter the IP address of the server.
6. Enter the configuration parameters for the type of log host. The standard port information for each host type is
automatically entered. See the table below for detailed information on each type of server.
7. Click OK.

Settings

Field Definition

Type: Type of server that will receive Event and Alarm messages. Options include: Syslog CSV, SNMP Trap, and Syslog Common Event Format (CEF).

IP address: IP address of the server that will receive Event and Alarm messages.

Port: Connection port on the server. For Syslog CSV and Syslog CEF servers, the default = 514. For SNMP Trap servers the default = 162.

Facility: Displays only when Syslog is selected as the Type. Allows you to configure the message type. The default is 4. Options include:
l 0 kernel messages
l 1 user-level messages
l 2 mail system
l 3 system daemons
l 4 security/authorization messages
l 5 messages generated internally by syslogd
l 6 line printer subsystem
l 7 network news subsystem
l 8 UUCP subsystem
l 9 clock daemon
l 10 security/authorization messages
l 11 FTP daemon
l 12 NTP subsystem
l 13 log audit
l 14 log alert
l 15 clock daemon
l 16 local use 0 (local0)
l 17 local use 1 (local1)
l 18 local use 2 (local2)
l 19 local use 3 (local3)
l 20 local use 4 (local4)
l 21 local use 5 (local5)
l 22 local use 6 (local6)
l 23 local use 7 (local7)

Security String: Displays only when SNMP is selected as the Type. The security string sent with the Event and Alarm message.

Configure events to log externally

1. Click Logs > Events & Alarms > Management.


2. Use the filters to locate the appropriate event. Refer to Event management on page 322 for filter settings.
3. For each event that should be logged externally, select one or more events and click Options. Select one of the
following:
l External: Logs only to an external host.

l Internal & External: Logs both to an internal events database and an external host.

Syslog format

The following is an example of a syslog message:

<37>Apr 10 11:42:16 : 2009/04/10 11:42:16 EDT,3,2587,Probe - MAP IP To MAC Success,0,1127,,BuildingB-3750,192.168.10.1,,Successfully read IP address mappings from device BuildingB-3750

Format

Column Data From Example Definition

Column 1 (<37>): Syslog category. This is the defined facility and the severity. Default Facility = 4 Security message. Severity = 5 Notice.

Column 2 (Apr 10 11:42:16 :): Time of the syslog generation.

Column 3 (2009/04/10 11:42:16 EDT): Log time.

Column 4 (3): Log type:
l 1 Event
l 2 Alarm
l 3 Security Alarm

Column 5 (2587): Database ID (AlarmID or ElementID).

Column 6 (Probe - MAP IP To MAC Success): Name of the event that generated the syslog message.

Column 7 (0): Severity:
l 0 Normal
l 1 Minor
l 2 Major
l 3 Critical

Column 8 (1127): Entity ID.

Column 9 (empty in the example): Unique Identifier (user ID).

Column 10 (BuildingB-3750): Entity Name.

Column 11 (192.168.10.1): Entity IP address.

Column 12 (empty in the example): Entity physical address.

Column 13 (Successfully read IP address mappings from device BuildingB-3750): Log Message.

SNMP trap format

The following is an example of an SNMP message:

1.3.6.1.4.1.16856.1.1.5="2009/04/10 11:37:02 EDT", 1.3.6.1.4.1.16856.1.1.6=1, 1.3.6.1.4.1.16856.1.1.7=2585, 1.3.6.1.4.1.16856.1.1.8="Probe - MAP IP To MAC Success", 1.3.6.1.4.1.16856.1.1.9=0, 1.3.6.1.4.1.16856.1.1.10=1127, 1.3.6.1.4.1.16856.1.1.15=, 1.3.6.1.4.1.16856.1.1.11=BuildingB-3750, 1.3.6.1.4.1.16856.1.1.12=192.168.10.1, 1.3.6.1.4.1.16856.1.1.13=, 1.3.6.1.4.1.16856.1.1.14="Successfully read IP address mappings from device BuildingB-3750."

Format

MIB Object Data From Example Definition

1.3.6.1.4.1.16856.1.1.5 ("2009/04/10 11:37:02 EDT"): The log time stamp in the format YYYY/MM/DD hh:mm:ss z.

1.3.6.1.4.1.16856.1.1.6 (1): The type of log message:
1 - Event message
2 - Alarm Message

1.3.6.1.4.1.16856.1.1.7 (2585): The database identifier of the log message.

1.3.6.1.4.1.16856.1.1.8 ("Probe - MAP IP To MAC Success"): Name of the event that generated the syslog message.

1.3.6.1.4.1.16856.1.1.9 (0): The log severity:
0 - Normal
1 - Minor
2 - Major
3 - Critical

1.3.6.1.4.1.16856.1.1.10 (1127): The database identifier of the log entity.

1.3.6.1.4.1.16856.1.1.15 (empty in the example): The unique identifier of the log entity ("User ID").

1.3.6.1.4.1.16856.1.1.11 (BuildingB-3750): The textual name of the log entity.

1.3.6.1.4.1.16856.1.1.12 (192.168.10.1): The IP address of the log entity. The format is 0.0.0.0.

1.3.6.1.4.1.16856.1.1.13 (empty in the example): The physical address of the log entity. The format is 00:00:00:00:00:00.

1.3.6.1.4.1.16856.1.1.14 ("Successfully read IP address mappings from device BuildingB-3750."): The textual log message.
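The varbind listing above is only useful on a trap receiver once the numeric OIDs are mapped back to the field names in this table. The following is an added example, not code from Fortinet or from this guide: it parses the listing exactly as printed above (OID=value pairs, quoted or bare), names each field from the table, decodes the log type and severity enumerations, and checks the IP and MAC values against the 0.0.0.0 and 00:00:00:00:00:00 formats the table specifies. The function and field names are the example's own; the sample input is the trap from this section joined onto one line.

```python
import ipaddress
import re

# Enterprise OID prefix shared by the FortiNAC trap varbinds in the table above.
FORTINAC_PREFIX = "1.3.6.1.4.1.16856.1.1."

# OID suffix -> field name, taken from the MIB object table above.
TRAP_FIELDS = {
    "5": "log_time", "6": "log_type", "7": "database_id", "8": "event", "9": "severity",
    "10": "entity_id", "15": "user_id", "11": "entity_name", "12": "entity_ip",
    "13": "entity_mac", "14": "message",
}
LOG_TYPES = {1: "Event", 2: "Alarm"}
SEVERITIES = {0: "Normal", 1: "Minor", 2: "Major", 3: "Critical"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# One varbind as printed above: OID=value, value either "quoted" or running to the next comma.
VARBIND_RE = re.compile(r'(?P<oid>\d+(?:\.\d+)+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]*))')

# Constructed sample: the trap listing above, joined onto one line.
SAMPLE_TRAP = (
    '1.3.6.1.4.1.16856.1.1.5="2009/04/10 11:37:02 EDT", 1.3.6.1.4.1.16856.1.1.6=1, '
    '1.3.6.1.4.1.16856.1.1.7=2585, 1.3.6.1.4.1.16856.1.1.8="Probe - MAP IP To MAC Success", '
    '1.3.6.1.4.1.16856.1.1.9=0, 1.3.6.1.4.1.16856.1.1.10=1127, 1.3.6.1.4.1.16856.1.1.15=, '
    '1.3.6.1.4.1.16856.1.1.11=BuildingB-3750, 1.3.6.1.4.1.16856.1.1.12=192.168.10.1, '
    '1.3.6.1.4.1.16856.1.1.13=, 1.3.6.1.4.1.16856.1.1.14="Successfully read IP address '
    'mappings from device BuildingB-3750."'
)


def parse_varbinds(text: str) -> dict:
    """Return {oid: value} from the printed varbind listing; empty values stay ''."""
    out = {}
    for m in VARBIND_RE.finditer(text):
        quoted, bare = m.group("quoted"), m.group("bare")
        out[m.group("oid")] = quoted if quoted is not None else bare.strip()
    return out


def _enum(value: str, table: dict) -> str:
    return table.get(int(value), f"unknown({value})") if value.isdigit() else f"unknown({value})"


def decode_trap(text: str) -> dict:
    """Map FortiNAC OIDs to named fields, decode the enumerations and check the
    documented IP (0.0.0.0) and MAC (00:00:00:00:00:00) formats.

    OIDs outside the documented set are kept under their dotted form so that a newer
    release adding varbinds does not silently lose data.
    """
    rec = {}
    for oid, value in parse_varbinds(text).items():
        name = TRAP_FIELDS.get(oid[len(FORTINAC_PREFIX):]) if oid.startswith(FORTINAC_PREFIX) else None
        rec[name or oid] = value
    if "log_type" in rec:
        rec["log_type"] = _enum(rec["log_type"], LOG_TYPES)
    if "severity" in rec:
        rec["severity"] = _enum(rec["severity"], SEVERITIES)
    problems = []
    ip = rec.get("entity_ip", "")
    if ip:
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"entity_ip is not dotted-quad: {ip!r}")
    mac = rec.get("entity_mac", "")
    if mac and not MAC_RE.match(mac):
        problems.append(f"entity_mac is not colon-separated hex: {mac!r}")
    rec["format_problems"] = problems
    return rec


if __name__ == "__main__":
    for key, value in decode_trap(SAMPLE_TRAP).items():
        print(f"{key}: {value!r}")
```

Note that the trap carries only log types 1 and 2, while the syslog CSV format also has type 3 (Security Alarm); a receiver that handles both feeds should not share one enumeration table between them.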

Common event format (CEF)

Fields contained within a CEF syslog message include:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Example:

<37>Jul 22 11:24:20 : CEF:0|Fortinet|NAC Control Server|4.1.1.219.P9|6111|Login Failure|1|rt=Jul 22 11:24:20 602 EDT cat=Network shost=NAC Director msg=User qa failed to log in.

Format

Column Title Data From Example Definition

Facility (<37>): Syslog category. This is the defined facility and the severity. Default Facility = 4 Security message. Severity = 5 Notice. This is not part of the CEF format, but is contained within the syslog message.

Date/Time (Jul 22 11:24:20): Date and time the syslog message was generated. This is not part of the CEF format but is contained within the syslog message.

CEF: Version (CEF:0): Version number defines the fields that are expected to follow this field.

Device Vendor (Fortinet), Device Product (NAC Control Server), Device Version (4.1.1.219.P9): These fields uniquely identify the type of device sending the syslog message. In this case, the sending entity is FortiNAC.

Signature ID (6111): Unique identifier per event type. This can be a string or an integer.

Name (Login Failure): Name of the event that generated the syslog message.

Severity (1): Severity:
0 Normal
1 Minor
2 Major
3 Critical

Extension (rt=Jul 22 11:24:20 602 EDT cat=Network shost=NAC Director msg=User qa failed to log in.): Extension is a placeholder for additional data. The extensions contained in this message include:
rt - receiptTime - Time stamp that indicates when the event was generated.
cat - category - Type of device sending the syslog message.
msg - message - Message giving more details about the event.
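A CEF consumer has to split the seven pipe-separated header fields without breaking on a pipe that is escaped inside a field, and then split the extension into key=value pairs whose values contain spaces. The block below is an added example, not code from Fortinet or from this guide: it parses the Login Failure record shown above into the header fields named in this table plus an extension dictionary, honouring the standard CEF escapes (`\|` in the header, `\=` in extension values). Severity is decoded with the 0 to 3 scale this table documents rather than the 0 to 10 scale of generic CEF, and the function names are the example's own.

```python
import re
from typing import Dict, Optional

# Header fields in positional order, per the CEF field list above.
CEF_HEADER = ("version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")
# Severity values as FortiNAC uses them in the example above (0..3), not the 0..10 CEF scale.
FORTINAC_SEVERITY = {0: "Normal", 1: "Minor", 2: "Major", 3: "Critical"}

# Optional <PRI> and "Mon DD HH:MM:SS : " syslog prefix in front of the CEF record.
SYSLOG_PREFIX_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<stamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) : (?P<cef>CEF:.*)$",
    re.DOTALL,
)
# CEF escapes '|' as '\|' inside header fields; split only on unescaped bars.
HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")
# An extension key sits at the start or after a space and is followed by '='; an escaped
# '\=' inside a value therefore never starts a new key.
EXT_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")

# Constructed sample: the Login Failure record shown above, joined onto one line.
SAMPLE_CEF = (
    "<37>Jul 22 11:24:20 : CEF:0|Fortinet|NAC Control Server|4.1.1.219.P9|6111|Login Failure|1|"
    "rt=Jul 22 11:24:20 602 EDT cat=Network shost=NAC Director msg=User qa failed to log in."
)


def _unescape(text: str, special: str) -> str:
    """Undo CEF escaping of the given special character and of doubled backslashes."""
    return text.replace("\\" + special, special).replace("\\\\", "\\")


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 with spaces' into a dict; a value runs until the next key."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip(), "=")
    return out


def parse_cef(line: str) -> dict:
    """Parse one FortiNAC CEF syslog line into header fields plus an extension dict."""
    m = SYSLOG_PREFIX_RE.match(line.strip())
    cef = m.group("cef") if m else line.strip()
    if not cef.startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line!r}")
    # Seven header fields then the extension; maxsplit keeps any '|' in the extension intact.
    parts = HEADER_SPLIT_RE.split(cef[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError(f"CEF header must have 7 '|' separated fields plus extension: {cef!r}")
    rec: dict = {k: _unescape(v, "|") for k, v in zip(CEF_HEADER, parts[:7])}
    sev: Optional[int] = int(rec["severity"]) if rec["severity"].isdigit() else None
    rec["severity_name"] = FORTINAC_SEVERITY.get(sev, "unknown")
    rec["facility"] = int(m.group("pri")) // 8 if (m and m.group("pri")) else None
    rec["syslog_time"] = m.group("stamp") if m else None
    rec["extension"] = parse_extension(parts[7])
    return rec


if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE_CEF).items():
        print(f"{key}: {value!r}")
```

The key regex is what makes the extension parse robust: a value such as `msg=User qa failed to log in.` is only terminated by the next token that looks like ` key=`, so free text with spaces survives, while a literal equals sign inside a value must arrive escaped as `\=` (as CEF requires) or it will be read as a new key.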

Examples of syslog messages

Here are some examples of syslog messages that are returned from FortiNAC. In these examples, the Syslog server is configured as follows:
l Type: Syslog
l IP address: a.b.c.d
l Port: 514
l Facility: Authorization

Event Description Syslog Message

Login Success: This is the event that is logged when a user logs into the admin UI.
02-28-2014 08:16:04 Auth.Notice 192.168.34.31 Feb 27 22:16:14 : 2014/02/27 22:16:14 EST,1,545570,Login Success,0,12,,,,,User root logged in.

Map IP To MAC Failure: This is a legacy event logged when a scheduled task runs (these are no longer used for IP-MAC) and the ARP is not read.
--

Probe - Map IP To MAC Failure: This is the event when we fail to poll an L3 device for IP->MAC (reading Arp Cache) L3 Polling.
02-28-2014 09:00:14 Auth.Notice 192.168.34.31 Feb 27 23:00:24 : 2014/02/27 23:00:24 EST,1,545702,Probe - MAP IP To MAC Failure,0,28,,Switch,192.168.34.1,,Failed to read IP address mappings from device Switch.

User Logged Out: This is the event that is logged when a user logs out of the admin UI.
02-28-2014 08:48:55 Auth.Notice 192.168.34.31 Feb 27 22:49:04 : 2014/02/27 22:49:04 EST,1,545670,User Logged Out,0,12,,,,,User root Logged Out.

User Logged off Host: This event is logged when a user logs off a host.
02-28-2014 08:44:25 Auth.Notice 192.168.34.31 Feb 27 22:44:34 : 2014/02/27 22:44:34 EST,1,545655,User Logged off Host,0,4155,,,,,"User Man, Bat logged off session 1 on host BRADSUPP7-LT

User Logged onto Host: This event is logged when a user logs onto a host.
02-28-2014 08:37:58 Auth.Notice 192.168.34.31 Feb 27 22:38:07 : 2014/02/27 22:38:07 EST,1,545633,User Logged onto Host,0,4155,,,,,"User Man, Bat logged onto session 1 on host BRADSUPP7-LT"

User Remotely Connected to Host: An event that is logged when a user remotely connected to a terminal session on a host using the PA.
--

User Locked Session: This event is logged when a user locks his workstation.
02-28-2014 08:49:53 Auth.Notice 192.168.34.31 Feb 27 22:50:03 : 2014/02/27 22:50:03 EST,1,545681,User Locked Session,0,4155,,,,,"User Man, Bat locked session 2 on host BRADSUPP7-LT"

User Unlocked Session: This event is logged when a user unlocks his workstation.
02-28-2014 08:52:07 Auth.Notice 192.168.34.31 Feb 27 22:52:16 : 2014/02/27 22:52:16 EST,1,545691,User Unlocked Session,0,4155,,,,,"User Man, Bat unlocked session 2 on host BRADSUPP7-LT"
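The Syslog format table earlier in this chapter and the examples above describe the same 13-column layout: an optional `<PRI>`, the syslog timestamp, and eleven comma-separated fields of which the last (the log message) may be quoted because it contains commas, as in "User Man, Bat logged onto session 1". The block below is an added example, not code from Fortinet or from this guide. It parses lines in that layout into a typed record, decodes the facility and severity from `<PRI>` (37 = facility 4 times 8 plus severity 5, matching the table), tolerates the receiver's own prefix that the examples above carry ("02-28-2014 08:16:04 Auth.Notice 192.168.34.31"), and uses a CSV reader so the quoted message column is handled correctly. Field and function names are the example's own; the sample lines are taken from this section.

```python
import csv
import re
from dataclasses import dataclass
from typing import List, Optional

# Names for CSV columns 3..13 of the FortiNAC syslog format documented above.
CSV_FIELDS = (
    "log_time", "log_type", "database_id", "event", "severity",
    "entity_id", "user_id", "entity_name", "entity_ip", "entity_mac", "message",
)
LOG_TYPES = {1: "Event", 2: "Alarm", 3: "Security Alarm"}
SEVERITIES = {0: "Normal", 1: "Minor", 2: "Major", 3: "Critical"}

# Optional <PRI>, the "Mon DD HH:MM:SS : " header, then the CSV body. re.search lets a
# receiver prefix such as "02-28-2014 08:16:04 Auth.Notice 192.168.34.31 " precede it.
HEADER_RE = re.compile(
    r"(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<stamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) : (?P<body>.*)",
    re.DOTALL,
)

# Constructed sample input: messages shown in the tables above.
SAMPLE_LINES = [
    "<37>Apr 10 11:42:16 : 2009/04/10 11:42:16 EDT,3,2587,Probe - MAP IP To MAC Success,"
    "0,1127,,BuildingB-3750,192.168.10.1,,Successfully read IP address mappings from device BuildingB-3750",
    "02-28-2014 08:16:04 Auth.Notice 192.168.34.31 Feb 27 22:16:14 : 2014/02/27 22:16:14 EST,"
    "1,545570,Login Success,0,12,,,,,User root logged in.",
    "02-28-2014 08:37:58 Auth.Notice 192.168.34.31 Feb 27 22:38:07 : 2014/02/27 22:38:07 EST,"
    '1,545633,User Logged onto Host,0,4155,,,,,"User Man, Bat logged onto session 1 on host BRADSUPP7-LT"',
]


@dataclass
class FortiNacSyslogEvent:
    facility: Optional[int]       # from <PRI>; None when the receiver stripped it
    pri_severity: Optional[int]
    syslog_time: str
    log_time: str
    log_type: str
    database_id: int
    event: str
    severity: str
    entity_id: str
    user_id: str
    entity_name: str
    entity_ip: str
    entity_mac: str
    message: str


def split_pri(pri: int):
    """RFC 3164 PRI = facility * 8 + severity: <37> is facility 4 (auth), severity 5 (notice)."""
    return pri // 8, pri % 8


def _enum(value: str, table: dict) -> str:
    return table.get(int(value), f"unknown({value})") if value.isdigit() else f"unknown({value})"


def parse_message(line: str) -> FortiNacSyslogEvent:
    m = HEADER_RE.search(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not a FortiNAC syslog line: {line!r}")
    facility = pri_severity = None
    if m.group("pri") is not None:
        facility, pri_severity = split_pri(int(m.group("pri")))
    # The message column is quoted when it contains commas ("User Man, Bat ..."),
    # so a CSV reader is used rather than str.split.
    fields = next(csv.reader([m.group("body")]))
    if len(fields) < len(CSV_FIELDS):
        raise ValueError(f"expected {len(CSV_FIELDS)} CSV columns, got {len(fields)}")
    if len(fields) > len(CSV_FIELDS):
        # An unquoted message containing commas spills into extra columns; stitch it back.
        fields = fields[:len(CSV_FIELDS) - 1] + [",".join(fields[len(CSV_FIELDS) - 1:])]
    rec = dict(zip(CSV_FIELDS, fields))
    return FortiNacSyslogEvent(
        facility=facility,
        pri_severity=pri_severity,
        syslog_time=m.group("stamp"),
        log_time=rec["log_time"],
        log_type=_enum(rec["log_type"], LOG_TYPES),
        database_id=int(rec["database_id"]),
        event=rec["event"],
        severity=_enum(rec["severity"], SEVERITIES),
        entity_id=rec["entity_id"],
        user_id=rec["user_id"],
        entity_name=rec["entity_name"],
        entity_ip=rec["entity_ip"],
        entity_mac=rec["entity_mac"],
        message=rec["message"],
    )


def count_by_event(lines: List[str]) -> dict:
    """Tally parsed lines by event name, e.g. to spot a burst of one event type."""
    counts: dict = {}
    for line in lines:
        ev = parse_message(line)
        counts[ev.event] = counts.get(ev.event, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_message(sample))
    print(count_by_event(SAMPLE_LINES))
```

Two points worth checking against a live feed: the `<PRI>` is stripped by many syslog receivers before the payload is written to disk (the examples above show it replaced by "Auth.Notice"), so the facility fields are optional in the record, and the user ID (column 9) and physical address (column 12) are empty in every example in this guide, so code downstream must not assume they are populated.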


View events currently mapped to alarms

1. Select Logs > Events & Alarms > Mappings. The Event to Alarm Mappings view appears.
2. To add a new mapping see Add or modify alarm mapping on page 337 for instructions.

Alarms

Use Alarms to view and manage the contents of the alarm log. The alarm log is a list of all current alarms. The Severity
column indicates how serious the alarm is. Severity levels include: critical, minor, warning, informational.
The state of an alarm is either acknowledged or not acknowledged. The event-to-alarm mapping determines the
behavior and characteristics of the alarm. The event-to-alarm mapping feature gives you the option of sending alarms to
an external log host. See Map events to alarms on page 334 for details.
You can remove alarms from the log in two ways:
l Manually, when you select and clear the alarm
l Automatically, when the clear event defined in alarm mapping occurs
To access the alarms view, select Logs > Events & Alarms > Alarms.

Settings

Field Definition

First Name First Name of the user associated with the alarm, such as the registered owner of a host or an
administrator.

Last Name Last Name of the user associated with the alarm.

User ID User name from the credentials of the user who was logged in and associated with the alarm.

Element Name Name of the device, administrator, server or process associated with the alarm.

Element Type Type can be Device, Port, Container, Process, or All.

Group Group name of a group of elements, such as port group, device group or user group.

Pause If enabled, prevents the Alarms List from refreshing and adding new records to the screen. In an
environment with a large number of alarms, you may need to pause the refresh in order to
research an issue.

Severity Category indicating how serious the alarm is. Options include: Critical, Minor, Warning and
Informational

Date Date and time the alarm was triggered.

Alarm Alarm name. See Events and alarms list on page 302.

Element Element associated with the alarm entry, such as a user name, a hostname, a switch name or an
application name.

Trigger Rule: Rules that determine the conditions under which an alarm is triggered based on an event. Options include:
l One Event to One Alarm: Every occurrence of the event generates a unique alarm.
l All Events to One Alarm: The first occurrence of the event generates a unique alarm. Each subsequent occurrence of the event does not generate an alarm, as long as the alarm persists when subsequent events occur. When the alarm clears, the next occurrence of the event generates another unique alarm.
l Event Frequency: Number of the occurrences of the event generated by the same element within a user specified amount of time determines the generation of a unique alarm.
l Event Lifetime: Duration of an alarm event without a clearing event within a specified time, determines the generation of a unique alarm.

Acknowledged Date: Indicates the date the alarm was acknowledged. If this field is blank, it indicates that the alarm was never acknowledged.

Buttons

Import Import historical records from an Archive file. See Import Archived Data.

Export Exports the data displayed to a file in the default downloads location. File types include CSV,
Excel, PDF, or RTF. See Export Data.

Acknowledge Acknowledges the selected alarm but does not clear it. The alarm remains displayed until you clear it. A date is displayed in the Acknowledged column when the alarm is acknowledged.

Delete Clears the selected alarm and removes it from the list.

Show Details Displays the Details Panel for the selected alarm. See Show or hide alarm details on page 334.

Show or hide alarm details

The Alarm Details panel launched from the Alarms View displays a detailed narrative about the cause of the selected
alarm and the event that triggered it. For example, if there is an alarm indicating that an L2 Poll failed, the possible
causes are displayed indicating that the security string may be incorrect or the telnet credentials are incorrect. This gives
the administrator two things to verify when trying to correct the problem.
1. Select Logs > Events & Alarms > Alarms.
2. Use the filters to locate the appropriate alarm. Refer to Alarms on page 333 for settings.
3. Select the alarm.
4. Click Show Details.
5. Review the details displayed.
6. Click Hide Details to close the panel.

Map events to alarms

An event indicates that something significant has happened within FortiNAC. All events that are generated are logged in
the event log. If an event is mapped to an alarm, you are immediately informed by the alarm notification system. Some
events are mapped to alarms by default.
To view events that are mapped to alarms select Logs > Events & Alarms > Mappings. For a list of possible alarms
see Events and alarms list on page 302.
If an event is disabled, the associated Alarm Mapping is grayed out and has a line through it. To enable the event, right
click on the Alarm Mapping and select one of the Enable options.


Enable/disable alarm mappings

When mapping events to alarms, you have the option to disable an alarm mapping to prevent the generation of alarms
when the selected event occurs. This may be useful during periods you know will generate many events. An example of
this is during the repair of a modeled network device. You may want to block the Device Contact Lost and Established
events from getting to the system since they will be expected. Another example is to block the Rogue User Detected
event during an Open House when many rogues will be detected. Use Enable and Disable at the top of the view to
enable and disable selected alarm mapping records.

Settings

Refer to Add or modify alarm mapping on page 337 for additional information on each field.

Field Definition

Enable Buttons Enables or disables the selected Alarm Mappings. Disabled mappings do not trigger an
alarm when the associated event is generated.

Enabled A green check mark indicates that the mapping is enabled. A red circle indicates that
the mapping is disabled.

Event Name of the Event that triggers this alarm.

Alarm Name of the Alarm that is mapped to the event.

Clear Event Name of the event that must be generated to clear the alarm mapped in this Alarm and
Event combination.

Severity Critical, Minor, Warning, or Informational.


Only the text of the severity is displayed. Severity icons do not display in the Alarm
Mappings table.

Notify Users Indicates who will be notified if this alarm is triggered, such as All Management group.

Trigger Rule: Rules that determine when the alarm is triggered. Options include:
l One Event to One Alarm: Every occurrence of the event generates a unique alarm.
l All Events to One Alarm: The first occurrence of the event generates a unique alarm. Each subsequent occurrence of the event does not generate an alarm, as long as the alarm persists when subsequent events occur. When the alarm clears, the next occurrence of the event generates another unique alarm.
l Event Frequency: Number of the occurrences of the event generated by the same element within a user specified amount of time determines the generation of a unique alarm.
l Event Lifetime: Duration of an alarm event without a clearing event within a specified time, determines the generation of a unique alarm.

Apply To: Elements to which this alarm mapping applies. Options include:
l All: Applies this mapping to all elements.
l Group: Applies this mapping to a single group of elements.
l Specific: Applies this mapping to an element that you select from a list.

Action: If an Action is enabled in the mapping, displays the action that will be taken when this alarm is triggered. Options include:
l Host Access Action: Host is disabled and then re-enabled after the specified time has passed.
l Host Role: The host's role is changed and then set back to the original role after the specified time has passed.
l Host Security Action: Host is set At Risk and then set to Safe after the specified time has passed.
l Command Line Script: You can specify a particular command line script to be executed as an alarm action.
l Email User Action: An email is sent to the user associated with the host.
l SMS User Action: An SMS Message is sent to the user associated with the host.
l Port State Action: Port is disabled and then re-enabled after the specified time has passed.
l Send Message to Desktop: Send a text message to the desktop of a host(s) with the Persistent Agent or Mobile Agent installed.

Send To External Log Hosts: Indicates whether this alarm is sent to an external log host when the trigger event occurs. Default = No.
To configure remote hosts that will receive externally logged alarms, see Log receivers on page 391.

Send To Custom Script: Name of the command line script to be executed when this alarm is triggered. These command line scripts are for advanced use, such as administrator-created Perl scripts. Scripts are stored on the server in the following directory: /home/cm/scripts
The script will receive one packed argument that the script can parse for the desired data.

Example

'type="Network" name="FortiNAC" msg="Alarm Admin User Login Failure asserted on FortiNAC Mon Feb 27 14:34:35 EST 2017. The following Events caused the Alarm. Admin user efewfwf failed to log in. Admin user efewfwf failed to log in. Admin user efewfwf failed to log in. "'

Event Logging Indicates where the event is being logged or if logging has been disabled. Options
include:
l Disabled: Event is disabled and will not be generated or logged anywhere.
l Internal: Logs only to an internal events database.
l External: Logs only to an external host.
l Internal & External: Logs both to an internal events database and an external
host.

Event Logging Group Group name of a group of elements, such as port group, device group or user group
used to limit generation of the selected event to the items in the group. If set to All
Groups, then the event is generated for all items, such as ports, devices, hosts or
users.


Last Modified By User name of the last user to modify the mapping.

Last Modified Date Date and time of the last modification to this mapping.

Right click options

Delete Deletes selected mappings from the database.

Modify Opens the Modify dialog and allows you to modify the selected mapping.
When multiple mappings are selected, opens a limited Modify dialog and allows you to
modify Severity and Notification settings. See Bulk modify alarm mappings on page
341.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add
an administrator profile on page 55.

Enable Enables the selected mappings.

Disable Disables the selected mappings.

Event Logging - Disable Disables the events associated with the selected mappings.

Event Logging - Internal Enables the events associated with the selected mappings and logs to an internal
events database.

Event Logging - External Enables the events associated with the selected mappings and logs to an external
host.

Event Logging - Internal & External Enables the events associated with the selected mappings and logs to both an internal events database and an external host.

Export Exports data to a file in the default downloads location. File types include CSV, Excel,
PDF, or RTF. See Export Data.
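The Send To Custom Script field above hands the script a single packed argument of key="value" pairs, as in the Admin User Login Failure example. The following is an added example of such a script, not one shipped by Fortinet or shown in this guide: it splits the packed argument into fields, pulls the alarm name and the individual causing events out of the msg text, and appends one JSON line per alarm to a file a log collector can tail. The log path, the backslash escaping convention for an embedded quote and the function names are assumptions made for the example; only the type, name and msg keys come from the guide's example, and any other keys FortiNAC supplies are passed through unchanged. The msg text is never handed to a shell, since it carries user-supplied content such as the login name that failed.

```python
#!/usr/bin/env python3
"""Example alarm script of the kind stored in /home/cm/scripts (added example).

FortiNAC calls the script with one packed argument of key="value" pairs. The script
parses it, derives structured fields and appends a JSON line per alarm to LOG_PATH.
"""
import json
import re
import sys
import time

LOG_PATH = "/tmp/fortinac-alarms.jsonl"   # assumed location, not a FortiNAC path

# key="value"; a backslash escapes the next character inside the quotes (an assumption,
# the guide does not say how an embedded double quote is represented).
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample: the packed argument shown in the example above.
SAMPLE_ARG = (
    'type="Network" name="FortiNAC" msg="Alarm Admin User Login Failure asserted on '
    'FortiNAC Mon Feb 27 14:34:35 EST 2017. The following Events caused the Alarm. '
    'Admin user efewfwf failed to log in. Admin user efewfwf failed to log in. '
    'Admin user efewfwf failed to log in. "'
)


def parse_packed(arg: str) -> dict:
    """Return {key: value} for every key="value" pair in the packed argument."""
    return {key: re.sub(r"\\(.)", r"\1", raw) for key, raw in PAIR_RE.findall(arg)}


def summarize(fields: dict) -> dict:
    """Pull the alarm name and the causing events out of the msg text."""
    msg = fields.get("msg", "").strip()
    alarm = msg
    if msg.startswith("Alarm ") and " asserted on " in msg:
        alarm = msg[len("Alarm "):].split(" asserted on ", 1)[0]
    # Each causing event is one sentence after this marker phrase.
    _, _, causes = msg.partition("The following Events caused the Alarm.")
    events = [s.strip() for s in causes.split(".") if s.strip()]
    return {
        "type": fields.get("type", ""),
        "element": fields.get("name", ""),
        "alarm": alarm,
        "event_count": len(events),
        "events": events,
        # Any other keys FortiNAC supplied are kept as-is.
        "extra": {k: v for k, v in fields.items() if k not in ("type", "name", "msg")},
    }


def main(argv) -> int:
    if len(argv) != 2:
        print("usage: alarm_to_json.py '<packed argument>'", file=sys.stderr)
        return 2
    record = summarize(parse_packed(argv[1]))
    record["received"] = time.strftime("%Y-%m-%dT%H:%M:%S%z")
    # The alarm text is written as data only; it is never interpolated into a command.
    with open(LOG_PATH, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the whole packed argument arrives as one shell word, a script that re-splits it on whitespace would break the msg value in the middle; matching complete key="value" pairs, as above, is what keeps the message intact.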

Add or modify alarm mapping

1. Select Logs > Events & Alarms > Mappings.


2. Click Add or double-click on an existing mapping to modify it.
3. Refer to the table below for detailed information about each field.
4. The new mapping is enabled by default. If you wish to disable it, remove the check mark from the Enabled check
box.
5. In the Apply To section, select the element affected by this mapping. You can apply mappings to all elements, a
single group of elements, or specific elements.
Available selections vary depending upon the selected trigger event.
6. Click the box and select an element from the drop-down list.


7. If you choose to Apply To a Group, you can select a group from the list or use the icons next to the group field to
add a new group or modify the group shown in the drop-down list. Note that if you modify a group, it is modified for
all features that make use of that group. See Add groups on page 346 for additional information.
8. Select the Notify Users settings.
9. If you choose to notify users, you can select an admin group from the list or use the icons next to the Group field to
add a new group or modify the group shown in the drop-down list. Note that if you modify a group, it is modified for
all features that make use of that group. See Add groups on page 346 for additional information.
10. Select the Trigger Rule for the event from the drop-down list. Rules determine when an Event triggers the creation
of an Alarm.
11. If you enable the Action option, select the action to take when the event occurs and the alarm is asserted. These
are basic actions that FortiNAC executes on a given alarm.
12. Action parameters display. Select the Primary Task from the drop-down list.
13. For some actions there is a secondary task. If desired, click the Enable box in the Run Secondary Task section,
select Min, Hr, or Day and enter the corresponding value.
14. Click OK. The new mapping is saved and appears in the Event/Alarm Map View.

Settings

Field Definition

Alarm definition

Enabled If checked, the alarm mapping is enabled. Default = Enabled.

Trigger Event Event that causes the alarm. Whenever this event occurs, its associated alarm is
generated. The alarm is automatically listed when you select the event.

Alarm to Assert The alarm generated when the event occurs.

Severity Sets the severity of the alarm. Select one of the values from the drop-down list: Critical,
Informational, Minor, and Warning. This value may be changed for existing Alarm and
Event mappings.

Clear on Event To automatically clear the alarm when a specific event occurs, select this check box.
Select the event that, when generated, causes this alarm to be removed.
If you leave the check box unchecked, you must manually clear the alarm.
Default = Unchecked (Disabled)

Send Alarm to External Log Hosts: To send the alarm to an external log host when the trigger event occurs, select this check box. See Log receivers on page 391 for details on configuring an external log host.
Default = Unchecked (Disabled)

Send Alarm to Custom Script: You can specify a particular command line script to be executed when this alarm is triggered. These command line scripts are for advanced use, such as administrator-created Perl scripts.
First, write the script that is to be used as the alarm action. Store the script in this directory: /home/cm/scripts
If there are no scripts in the directory, this field is not available. Click the check box to enable the option and select the correct script from the drop-down list.
The arguments that are automatically passed to the script are as follows:
l type: EndStation, User or network device
l name: name of element
l ip: IP address
l mac: MAC address
l user: userID
l msg: email message from alarm

Apply To:
l All: Applies this mapping to all elements.
l Group: Applies this mapping to a single group of elements.
l Specific: Applies this mapping to the element that you select from a list.

Notify users

Notify If checked, the administrators in the selected group are notified when an alarm occurs.

Send Email If checked, the administrators in the selected group are sent an email when the alarm
occurs. Administrators must have an email address configured in the Modify User
dialog to receive this email.

Send SMS If checked, the administrators in the selected group are sent an SMS message when an
alarm occurs. Administrators must have a Mobile Number and Mobile Provider
configured to receive this SMS message.

Trigger rules

One Event to One Alarm Every occurrence of the event generates a unique alarm.

All Events to One Alarm The first occurrence of the event generates a unique alarm. Each subsequent
occurrence of the event does not generate an alarm, as long as the alarm persists when
subsequent events occur.
When the alarm clears, the next occurrence of the event generates another unique
alarm.

Event Frequency The number of the occurrences of the event generated by the same element within a
user specified amount of time determines the generation of a unique alarm. Settings are
updated when the Action is configured.

Example:

Assume the host connected event is mapped to an alarm and the frequency is set to 3 times in 10 minutes.
l Host A connects 3 times in 10 minutes and the alarm is triggered.
l Host A connects 2 times and host B connects 2 times, there are 4 connections in 10 minutes. No alarm is generated because the hosts are different.
l Host A connects at minutes 1, 8 and 12. No alarm is triggered because the host did not connect 3 times in 10 minutes.
l Host A connects at minutes 1, 8, 12, and 14. An alarm is triggered because connections at minutes 8, 12 and 14 fall within the 10 minute sliding window.

Event Lifetime The duration of an alarm event without a clearing event within a specified time,
determines the generation of a unique alarm.

Example:

Event A occurs. If Event B (clear event) does not occur within the specified time, an
alarm is generated.

Actions

Action If checked, the selected action is taken when the alarm mapping is active and the alarm
is asserted.

Host Access Action Host is disabled and then re-enabled after the specified time has passed.

Host Role The host's role is changed and then set back to the original role after the specified time
has passed. Roles are attributes of the host and are used as filters in user/host profiles.
Those profiles determine which network access policy, endpoint compliance policy or
Supplicant EasyConnect Policy to apply.
If roles are based on a user's attribute from your LDAP or Active Directory, this role
change is reversed the next time the directory and the FortiNAC database
resynchronize.

Host Security Action Host is set At Risk and then set to Safe after the specified time has passed.

Command Line Script You can specify a particular command line script to be executed as an alarm action.
These command line scripts are for advanced use, such as administrator-created Perl
scripts.
First, write the script that is to be used as the alarm action. Store the script in this
directory: /home/cm/scripts
The IP and MAC address arguments that are automatically passed to the script are in
the format shown in this example:
/home/cm/scripts/testScript 192.168.10.1 00:00:00:00:00:00

Email User Action An email is sent to the user associated with the host. The text of the email is entered in
the Email Host Action dialog box.
HTML tags may be added to text within the content of the email in order to format the
text, convert the text to a link, etc.
For example, you can add the <b> and </b> tags to text in the Email message window to bold the selected text in the recipient's email message.

SMS User Action An SMS Message is sent to the user associated with the host. The text of the message
is entered in the SMS User Action dialog box. The recipient must have a Mobile Number
and Mobile Provider configured.

%host%: Allows you to include information specific to the non-compliant host in the email or SMS alert message.
For example, this message:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue. %host%

is displayed as:

The system referenced below has been found at risk. Please contact your Help Desk for assistance in remediating this issue:
Host:
Host Name: TestUser-MacBook-Pro-2
OS: macOS 10.7.5
Network Adapters:
Connected 3C:07:54:2A:88:6F,192.168.10.143,Concord-3750 Fa3/0/46
Disconnected 60:C5:47:8F:B1:66,192.168.4.70,Concord_Cisco_1131.example.com VLAN 4

%event% Allows you to include information specific to the event in the email or SMS alert
message.
For example, this message:

The system referenced below has been found at risk. Please contact
your Help Desk for assistance in remediating this issue: %event%

is displayed as:

The system referenced below has been found at risk. Please contact
your Help Desk for assistance in remediating this issue:
Host failed Test-Host
Tests:
Failed :: Anti-Virus :: ClamXav
MAC address: 3C:07:54:2A:88:6F
Last Known Adapter IP: 192.168.10.143
Host Location: Concord-3750 Fa3/0/46
. Remediation Delayed.

Port State Action: The port is disabled and then re-enabled after the specified time has passed.

Send Message to Desktop: Send a text message to the desktop of a host(s) with the Persistent Agent or Mobile Agent installed.
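The Event Frequency and Event Lifetime trigger rules described in the Trigger rules rows above are easiest to reason about as two small state machines: a per-element sliding window for Event Frequency, and a per-element pending timer for Event Lifetime. The block below is an added example, not Fortinet's implementation; it replays the four Host A / Host B cases from the Event Frequency example (3 times in 10 minutes) and the Event A / Event B description of Event Lifetime. Timestamps are plain minute numbers so the walk-through can be reproduced directly, and the assumption that an element's window is emptied once an alarm fires is the example's own, since the guide does not say how occurrences are treated after a trigger.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, Iterable, List, Tuple


class EventFrequencyRule:
    """Event Frequency trigger rule: N occurrences from the same element within W minutes.

    Occurrences are tracked per element, which is why two hosts with two connections
    each never add up to one alarm. Once an alarm fires the element's window is emptied
    so the same occurrences are not counted twice (assumption, see lead-in).
    """

    def __init__(self, count: int, window_minutes: float):
        if count < 1 or window_minutes <= 0:
            raise ValueError("count must be >= 1 and window_minutes must be > 0")
        self.count = count
        self.window = window_minutes
        self._seen: Dict[Hashable, Deque[float]] = defaultdict(deque)

    def observe(self, element: Hashable, minute: float) -> bool:
        """Record one occurrence (in time order) and report whether it triggers an alarm."""
        q = self._seen[element]
        q.append(minute)
        # Sliding window: drop occurrences older than `window` minutes (edge inclusive).
        while q and q[0] < minute - self.window:
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False

    def replay(self, occurrences: Iterable[Tuple[Hashable, float]]) -> List[Tuple[Hashable, float]]:
        """Feed (element, minute) pairs, oldest first; return the ones that raised an alarm."""
        return [(e, t) for e, t in sorted(occurrences, key=lambda o: o[1]) if self.observe(e, t)]


class EventLifetimeRule:
    """Event Lifetime trigger rule: an event not cleared within W minutes raises an alarm."""

    def __init__(self, lifetime_minutes: float):
        self.lifetime = lifetime_minutes
        self._pending: Dict[Hashable, float] = {}   # element -> minute of the trigger event

    def trigger(self, element: Hashable, minute: float) -> None:
        self._pending.setdefault(element, minute)   # keep the earliest uncleared trigger

    def clear(self, element: Hashable) -> None:
        self._pending.pop(element, None)            # the clearing event arrived in time

    def expired(self, now: float) -> List[Hashable]:
        """Elements whose trigger has outlived the window; each is reported once."""
        due = [e for e, t in self._pending.items() if now - t > self.lifetime]
        for e in due:
            del self._pending[e]
        return due


def walkthrough() -> dict:
    """Replay the four Event Frequency cases from the guide (3 times in 10 minutes)."""
    return {
        "A three times": EventFrequencyRule(3, 10).replay([("A", 1), ("A", 2), ("A", 3)]),
        "A twice, B twice": EventFrequencyRule(3, 10).replay([("A", 1), ("B", 2), ("A", 3), ("B", 4)]),
        "A at 1, 8, 12": EventFrequencyRule(3, 10).replay([("A", 1), ("A", 8), ("A", 12)]),
        "A at 1, 8, 12, 14": EventFrequencyRule(3, 10).replay([("A", 1), ("A", 8), ("A", 12), ("A", 14)]),
    }


if __name__ == "__main__":
    for case, alarms in walkthrough().items():
        print(f"{case}: {'alarm at ' + str(alarms) if alarms else 'no alarm'}")
```

The third and fourth cases show why the window must slide rather than reset on a fixed clock: at minute 12 the occurrence from minute 1 has aged out, leaving only two in the window, but the occurrence at minute 14 makes three within the last ten minutes (8, 12, 14), which is exactly the condition the guide describes.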

Bulk modify alarm mappings

This option displays on the right-click menu only when multiple mappings are selected in the Event to Alarm Mappings
View. It provides a limited Modify dialog with options to modify Severity and Notification settings.
1. Select Logs > Events & Alarms > Mappings.
2. Use Ctrl or Shift to select multiple alarm mappings.
3. Right-click on the selected records and choose Modify from the pop-up menu.


4. Use the table below to modify the selected mappings.

Field Definition

Severity Enables the Severity drop-down. The severity level of the alarm. Options include:
Critical, Informational, Minor and Warning.

Notify Users Enables the Notify Users settings.

Notify Group Drop-down list of Admin groups. Use this to determine who will be notified when this
alarm is triggered. The default is the All Management group which contains all
administrators.

Send Email If enabled, administrators in the selected group receive an email when this alarm is
triggered.

Send SMS If enabled, administrators in the selected group receive a text message when this
alarm is triggered. Administrators must have a mobile phone number and a mobile
provider listed on their user records to receive SMS messages.

5. Click OK to save your changes.

Delete alarm mapping

1. Select Logs > Events & Alarms > Mappings.


2. Select the appropriate mapping record from the list displayed.
3. Click Delete.
4. At the prompt, click OK.

System

Certificate management 344

Config wizard 344

Groups 345

Feature Visibility 354

Scheduler 355

Tasks 360

Settings 362

Certificate management

This section covers certificate management.


- Server certificates
- Trusted certificates

Config wizard

For details on implementing Configuration Wizard and its functionality, refer to the Configuration Wizard reference
manual in the Document Library.

Secondary Server Access in High Availability Configurations

The Secondary Server's admin UI web service must be started manually in order to access the Configuration Wizard.
Steps
1. Log in to the Secondary Server CLI as root.
2. Start the web service. Type:
systemctl start nac-secondary-admingui
L2 HA with Shared IP (VIP): If the Secondary Server UI is not available after starting the service:
a. Stop the web service:
systemctl stop nac-secondary-admingui
b. Follow the instructions in KB article 224636:
https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Access-Secondary-Server-Configuration-Wizard-with/ta-p/224636
3. Access the Secondary Server Configuration Wizard using the following URL:
https://<Secondary Server name or IP>:8443
4. Navigate to System > Config wizard.
5. After the Configuration Wizard is run and changes are complete, stop the web service:
systemctl stop nac-secondary-admingui

If the service is not stopped, the UI will not be accessible on failover.

Groups

Groups allow you to put like items together. By creating groups you eliminate the need to configure and control items
within the group individually. For example, if you put a set of ports in a group, you can modify the group settings and
affect all of the ports simultaneously. Groups can contain other groups.
Use the Groups view to add, modify, and delete groups within FortiNAC. FortiNAC comes with some standard groups
over which it maintains ownership. These are marked as system groups. Create user-owned groups to group devices,
ports, hosts or users. Associate these groups with scheduled tasks to perform a variety of functions.
Groups can be used to assign policies or roles to hosts or users.
If there are more than 2000 groups in the database, the groups are not automatically displayed. Instead, a confirmation
dialog is shown asking if you would like to continue. Note that large numbers of records may load very slowly if not
filtered. Choose Yes to display all groups or No to reduce the number displayed by using the filters.

Settings

Field Definition

Name Name used to identify the group.

Type Indicates whether this is a group of ports, devices, IP phones, hosts, users or administrators.

Owner Creator of the group. System indicates that the group was created by FortiNAC. User
indicates that an administrator created the group.

Members The number of items contained within the group. For example, if this is a host group, this
number indicates the total number of hosts in the group. If this group contains sub-groups, the
number includes those items in each sub-group.

Days Valid This column only applies to Host groups. The Expiration Date for hosts in this group is
calculated using the number of days valid. For example, if a host is added to the group on
01/01/2011 and days valid is set to 30, the host's Expiration Date is set to 01/31/2011. The
Expiration Date is set when a host is added to the group or when the Days Valid is edited. See
Aging hosts in a group on page 349 for more information.

Days Inactive This column only applies to Host groups. The number of days of network inactivity after which
hosts in this group are removed from the database. For example, if this is set to three and a
host in this group has not connected to the network for three days, the host record is removed
from the database. See Aging hosts in a group on page 349 for more information.

Description User specified description for the selected group.

Last Modified By User name of the last user to modify the group.

Last Modified Date Date and time of the last modification to this group.

Right click options

Copy Group Creates a copy of the selected group.

Delete Deletes the selected group.

Group Member Of Displays groups in which this group is a member. A group can be a sub-group of another
group of the same type. See Group membership on page 349.

In Use Provides a list of other features that reference this group, such as a Policy Mapping or a
Scheduled Task. See Group in use on page 349.

System-owned groups will not be displayed as "In Use", even though they are in use by the system.

Manages Applies only to administrator groups. Administrator groups can be designated to manage
groups of devices or hosts. See Limit user access with groups on page 347.

Modify Opens the Modify Group window. See Modify a group on page 348.

Modify Device Properties Applies only to device groups. Allows you to modify multiple devices at the same time.

Set Aging Allows you to set Days Valid and Days Inactive for the selected host group. Days valid and
days inactive are used to calculate the date when the host is aged out of the database. Date is
set when a host is added to the group or when the fields are modified. See Aging hosts in a
group on page 349.

Show Audit Log Opens the admin auditing log showing all changes made to the selected item.
For information about the admin auditing log, see Audit Logs on page 298.

You must have permission to view the admin auditing log. See Add an
administrator profile on page 55.

Buttons

Export Exports the data displayed to a file in the default downloads location. File types include CSV,
Excel, PDF, or RTF.

Show Members Opens the Group Members window and displays a list of all of the items within the group.
Indicates whether the item is a member of the main group or a sub-group. See Show group
members on page 349.

Add groups

Create additional groups to logically group elements that require network resources.
1. Select System > Groups.
2. From the Group view, click Add.
3. Enter a Group Name.

4. Select a Member Type, which indicates the types of items that will be included in the group.

Type Description

Administrator Administrators that access FortiNAC.

Hosts Hosts that access the network.

Devices Devices such as switches, computers, or printers.

Ports Ports on switches on the network.

IP Phones Internet phones that are connected to the network.

Users Users that log onto the network.

5. For Host groups you have options for Days Valid and Days Inactive. These fields are used to calculate the
expiration date used to age hosts out of the database. They are optional and should not be set if you have another
mechanism that sets the expiration date. See Aging Out Host Or User Records before you set these fields.
6. Enter a Group Description.
7. In the All Members pane select one or more items to be included in the group, then click the right arrow to move
them to the Selected Members pane. For lists that do not include check boxes, select multiple items by holding
down the Ctrl key while clicking.
8. To remove an object from the group, click on it and then click the left arrow.
9. To add subgroups to a group, select the Groups tab and select one or more groups to add as subgroups.
10. Click OK to save the new group.

Copy a group

1. Select System > Groups.


2. Locate the group to be copied.
3. Right-click on the group and select Copy Group.
4. Enter a name for the new group and click OK.
5. The new group appears in the Groups View. This group is owned by the user and not FortiNAC.

Delete a group

1. Select System > Groups.


2. Locate the appropriate group.
3. Right-click the group to select it and choose Delete to remove the group from the list.
4. Click Yes to confirm that you wish to delete the group.

Limit user access with groups

To control which hosts and ports administrators can access you can place those administrators in special groups. Then
designate those special Admin groups to manage groups of hosts or ports.

Example:

Assume you have two administrators that are responsible for monitoring medical devices and nurses in a hospital. They
should not see any other data. To accomplish this you must configure the following:
- Place the nurses' workstations into a host group.
- Place the medical devices to be monitored into a host group.
- Place the ports where the medical devices connect into a port group.
- Place these two administrators in a special administrator group.
- Assign these two administrators to a profile with permissions for Manage Hosts & Ports. Make sure the Manage
Hosts & Ports setting on the General Tab of the profile is set to Restrict by Groups.
- Set the Administrator group to manage the nurses group, the medical device group and the port group.
- Remove these two administrators from the All Management Group or they will have access to all hosts and ports.
When those administrators log into the admin UI, they can only see data associated with the nurses, medical devices or
the ports in the groups they manage.

Make sure to remove affected administrators from the All Management group or they will
continue to have access to all hosts and ports.

Administrators can still view all hosts and users from the Locate View if their administrator
profile gives them permission for that view, but they can only modify those that are in the group
they are managing.

1. Create the group of hosts or ports. See Add groups on page 346 for instructions.
2. Create an administrator profile with permissions for Manage Hosts & Ports. Make sure the Manage Hosts & Ports
setting on the General Tab of the profile is set to Restrict by Groups. See Add an administrator profile on page 55.
3. Create an Administrator group that contains the administrators responsible for the devices or ports.
4. Remove the administrators from the All Management group. See Modify a group on page 348 for instructions.
5. Right-click on the Administrator group of administrators and select Manages.
6. On the Manages window, select the group(s) to be managed by marking them with a check mark.
7. Click OK.
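As an added example that is not FortiNAC code, this Python models the hospital scenario above: a Group type with same-type sub-groups, an Administrator group set to manage host and port groups, and the check for which items an administrator can modify. The data model, the host, port and admin names, and the rule that remaining in All Management grants access to everything are assumptions drawn from this description:

```python
"""Scoping administrators with groups, as in the hospital example: the admins
go into their own Administrator group, that group is set to manage the nurses,
medical-device and port groups, and the admins are removed from All Management.

Added example, not FortiNAC code. Assumed model: groups are typed and may nest
sub-groups of the same type, the Members count includes sub-group items, an
Administrator group's 'manages' list holds host or port groups, and membership
in All Management grants access to all hosts and ports.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Group:
    name: str
    type: str                                   # Administrator, Hosts, Ports, ...
    members: Set[str] = field(default_factory=set)         # direct members
    subgroups: List["Group"] = field(default_factory=list)  # same-type nesting
    manages: List["Group"] = field(default_factory=list)    # Administrator groups only

    def add_subgroup(self, sub: "Group") -> None:
        if sub.type != self.type:
            raise ValueError(f"{sub.name} is not a {self.type} group")
        self.subgroups.append(sub)

    def all_members(self) -> Set[str]:
        """Members of this group and of every sub-group (the Members column)."""
        found = set(self.members)
        for sub in self.subgroups:
            found |= sub.all_members()
        return found


@dataclass
class Profile:
    manage_hosts_and_ports: bool
    restrict_by_groups: bool        # the General Tab setting


def manageable(admin: str, profile: Profile, admin_groups: List[Group],
               item_type: str) -> Optional[Set[str]]:
    """Items of `item_type` (Hosts or Ports) that `admin` may modify.

    None means unrestricted; an empty set means no host/port management."""
    if not profile.manage_hosts_and_ports:
        return set()
    if not profile.restrict_by_groups:
        return None
    scope: Set[str] = set()
    for g in admin_groups:
        if g.type != "Administrator" or admin not in g.all_members():
            continue
        if g.name == "All Management":      # still in All Management: sees everything
            return None
        for managed in g.manages:
            if managed.type == item_type:
                scope |= managed.all_members()
    return scope


def demo() -> dict:
    """The hospital scenario with constructed host, port and admin names."""
    nurses = Group("Nurse Workstations", "Hosts", {"ws-nurse-01", "ws-nurse-02"})
    devices = Group("Medical Devices", "Hosts", {"infusion-pump-7", "monitor-3"})
    clinical = Group("Clinical Hosts", "Hosts")
    clinical.add_subgroup(nurses)               # nesting: Members counts both
    clinical.add_subgroup(devices)
    dev_ports = Group("Medical Device Ports", "Ports", {"sw1 Gi1/0/12", "sw1 Gi1/0/13"})
    finance = Group("Finance Hosts", "Hosts", {"ws-fin-01"})   # never managed

    all_mgmt = Group("All Management", "Administrator", {"admin", "root", "bob"})
    clinical_admins = Group("Clinical Admins", "Administrator", {"alice", "bob"})
    clinical_admins.manages = [clinical, dev_ports]    # right-click > Manages

    profile = Profile(manage_hosts_and_ports=True, restrict_by_groups=True)
    groups = [all_mgmt, clinical_admins]
    alice_hosts = manageable("alice", profile, groups, "Hosts")
    return {
        "clinical_member_count": len(clinical.all_members()),
        "alice_hosts": sorted(alice_hosts),
        "alice_ports": sorted(manageable("alice", profile, groups, "Ports")),
        # bob was never removed from All Management, so he is unrestricted
        "bob_hosts": manageable("bob", profile, groups, "Hosts"),
        "alice_can_touch_finance": bool(finance.all_members() & alice_hosts),
    }
```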

Modify a group

Modify a group by adding additional items to the group or removing members from the group. Group description, days
valid, and days inactive can also be modified.
1. Select System > Groups.
2. Select the group.
3. Click Modify.
4. If this is a host group, Days Valid and Days Inactive can be modified. See Aging out host or user records on page 1
before modifying these numbers.
5. To add members to the group, Ctrl-click items in the All Members panel, then click the right arrow.
6. To remove items from the group, Ctrl-click items in the Selected Members panel, then click the left arrow. All items
can be removed from the group by clicking the double left arrow.

7. To modify subgroups, click the Groups tab and check or uncheck groups in the displayed list.
8. When you have made all desired modifications for the group, click OK.

Group membership

Displays the groups that contain the selected group and allows you to modify group membership. For example, if you
had a group called Staff, you might want to sub-divide it further by department, so you could have sub-groups such as
Accounting or Human Resources within Staff. Selecting Human Resources from Groups and opening the Group
Membership window would show that hierarchy. In addition, the selected group can be added to or removed from
other groups.
1. Select System > Groups.
2. Locate the appropriate group.
3. Right-click the group to select it and choose Group Member Of to display the groups that contain the selected
group.
4. Modify the groups as needed and click OK to save your changes.

Show group members

This option displays a list of all of the items within the selected group and indicates whether each item is a member of
the main group or a sub-group.
1. Select System > Groups.
2. Select the group and click Show Members to display the list of items within the group.
3. Use the Find field to search for a particular item by typing in any part of its name and clicking Next or Previous. This
field is case sensitive.

Group in use

To find the list of FortiNAC features that reference a group, select the group from the Groups View and click In Use. A
message is displayed indicating whether or not the group is associated with any other features. If the group is referenced
elsewhere, a list of each feature that references the group is displayed.

System-owned groups will not be displayed as "In Use", even though they are in use by the
system.

Aging hosts in a group

Use the Set Aging window to set aging for the hosts in a selected Host group. Using the Aging feature populates the
Expiration Date and the Inactivity Date fields on the Host Properties window. Hosts with existing age times are
modified. This option is only valid for Host groups. If a host is a member of more than one group, the aging time is applied
based on the last group to which the host was added or the last group whose aging times were modified.

Adding age times to existing hosts can cause some hosts to be removed from the database immediately depending on
the creation date of the host record. If, for example, the creation date is 01/01/2010, today's date is 02/02/2010 and Days
Valid is set to 5, then the Expiration Date calculated is 01/06/2010. The record is deleted immediately.
If hosts have been manually set to Never Expire, the Expiration Date and Inactivity Date fields for those hosts will not be
modified by adding those hosts to a group with aging settings. See Properties on page 133, Set host expiration date on
page 143 and Aging out host or user records on page 1 for additional information.
1. Select System > Groups.
2. Right-click on the host group and select Set Aging.
3. Enter a number for Days Valid or Days Inactive. The number in days valid is used to calculate the expiration date
for each host in the group. The number in days inactive is used to calculate the inactivity date for each host.
4. Click OK.
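As an added example that is not FortiNAC code, the following Python works through the aging rules above on constructed host records: Days Valid counted from the date a host is added or, for Set Aging on existing members, from the record's creation date; Days Inactive counted from the last connection; Never Expire hosts left untouched; and the 01/01/2010 case that is removed immediately. The removal comparison (date reached) and the two base dates are assumptions read from the examples.

```python
"""Host-group aging: Days Valid and Days Inactive set the Expiration Date and
Inactivity Date of every host in the group, and hosts whose dates have been
reached are aged out of the database.

Added example, not FortiNAC code. Assumptions: a host is removed once its date
is reached (>=); Set Aging on existing members counts Days Valid from the host
record's creation date (the 01/01/2010 case) while adding a host counts it from
the day it was added (the 01/01/2011 case); the last group applied wins.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Host:
    name: str
    created: date                       # creation date of the host record
    last_connected: date                # last time the host was seen on the network
    never_expire: bool = False          # manually set to Never Expire
    expiration_date: Optional[date] = None
    inactivity_date: Optional[date] = None


@dataclass
class HostGroup:
    name: str
    days_valid: Optional[int] = None    # optional, as in the Add groups dialog
    days_inactive: Optional[int] = None
    members: List[Host] = field(default_factory=list)


def _apply_aging(host: Host, group: HostGroup, valid_from: date) -> None:
    """Populate the host's aging fields; Never Expire hosts are left untouched."""
    if host.never_expire:
        return
    if group.days_valid is not None:
        host.expiration_date = valid_from + timedelta(days=group.days_valid)
    if group.days_inactive is not None:
        host.inactivity_date = host.last_connected + timedelta(days=group.days_inactive)


def add_host_to_group(host: Host, group: HostGroup, added_on: date) -> None:
    """Adding a host: Days Valid counts from the day it was added."""
    group.members.append(host)
    _apply_aging(host, group, valid_from=added_on)


def set_aging(group: HostGroup, days_valid: Optional[int],
              days_inactive: Optional[int]) -> None:
    """Set Aging on an existing group re-applies the dates to every member,
    counting Days Valid from each host record's creation date."""
    group.days_valid = days_valid
    group.days_inactive = days_inactive
    for host in group.members:
        _apply_aging(host, group, valid_from=host.created)


def aged_out(hosts: List[Host], today: date) -> List[Host]:
    """Hosts that would be removed from the database on `today`."""
    removed = []
    for h in hosts:
        if h.never_expire:
            continue
        expired = h.expiration_date is not None and today >= h.expiration_date
        inactive = h.inactivity_date is not None and today >= h.inactivity_date
        if expired or inactive:
            removed.append(h)
    return removed


def demo() -> dict:
    """Walk through the guide's dated examples with constructed hosts."""
    # Added 01/01/2011 to a group with Days Valid 30: expires 01/31/2011.
    staff = HostGroup("Staff", days_valid=30)
    laptop = Host("laptop-01", created=date(2010, 12, 1), last_connected=date(2011, 1, 1))
    add_host_to_group(laptop, staff, added_on=date(2011, 1, 1))

    # Existing host created 01/01/2010; Set Aging with Days Valid 5 gives
    # 01/06/2010, already past on 02/02/2010. The kiosk is Never Expire.
    lab = HostGroup("Lab")
    old = Host("lab-07", created=date(2010, 1, 1), last_connected=date(2010, 2, 1))
    pinned = Host("kiosk", created=date(2010, 1, 1), last_connected=date(2010, 2, 1),
                  never_expire=True)
    lab.members.extend([old, pinned])
    set_aging(lab, days_valid=5, days_inactive=None)

    # Days Inactive 3: a host last seen 01/30/2010 is removed on 02/02/2010.
    visitors = HostGroup("Visitors", days_inactive=3)
    printer = Host("printer-02", created=date(2009, 6, 1), last_connected=date(2010, 1, 30))
    add_host_to_group(printer, visitors, added_on=date(2010, 1, 30))

    today = date(2010, 2, 2)
    return {
        "laptop_expires": laptop.expiration_date.isoformat(),
        "old_expires": old.expiration_date.isoformat(),
        "pinned_expires": pinned.expiration_date,
        "printer_inactive": printer.inactivity_date.isoformat(),
        "removed_today": sorted(h.name for h in aged_out([laptop, old, pinned, printer], today)),
    }
```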

System groups

The groups listed below are default system groups that exist within the FortiNAC database. They cannot be deleted.
Some groups need to be fine-tuned to your network. Details are included in the table below.

Group Definition

Administrator

All Management FortiNAC administrators with all management access rights. Initially contains only
admin and root. New administrators are added to this group automatically. This is the
default group for e-mail notifications triggered by alarms.
Add users to your own specific Administrator groups to give them privileges to manage
(disable and enable) specific hosts and ports. If you place a user into your own
Administrator group, be sure to remove that user from the All Management group. See
Limit user access with groups on page 347.

Port

Access Point Management Ports with authorized access points connected and FortiNAC serving DHCP. Examples
are dumb hubs or wireless units. FortiNAC provides management of hosts connecting through these access points.

Authorized Access Points Ports that have authorized access points connected. Access points that connect to
these ports do not generate Multi Access Point Detected events or alarms and the port
is not switched to another VLAN during, for example, Forced Registration or role
management VLAN Switching.
Access points that connect to ports that are not in this group do generate an event or
alarm.
Add switch ports that connect to hubs and wireless access points to this group.

Forced Authentication Ports that participate in forced authentication when unauthenticated users connect. If
you have a port in this group, when a host connects to this port and is unauthenticated,
the port is put into isolation VLAN and the host is forced to authenticate.

Forced Registration Ports that participate in forced registration when unregistered hosts connect.
Add switch ports that participate in forced registration when an Unregistered Host connects to the Forced
Registration port group. Only ports that participate have their VLAN ID set to the Registration VLAN when an
Unregistered Host connects.

Forced Remediation Ports that participate in forced remediation VLAN switching when hosts connect.

Reset Forced Default Ports that return to the default VLAN when hosts disconnect.

Reset Forced Registration Ports that return to Registration when hosts disconnect.

Role-Based Access Ports that participate in role-based access and switch VLANs, based on the role of
network devices, such as printers, when they connect.
Add switch ports that participate in VLAN switching. Ports that participate have their
VLAN ID set to the role specified for the connected network device.

Example:

A printer is set up with the role “Accounting”. When the printer connects to a port in this
group, the printer is switched to the VLAN associated with the “Accounting” role.

System DHCP Port The port used to discover unauthorized DHCP servers and validate authorized DHCP
servers.

Device

Authorized DHCP Servers Servers that are authorized to serve DHCP on the network.

Bridging Devices Devices that support the SNMP bridging MIB.

This group has been replaced by the L2 network devices group.

Device Interface Status Devices created through Discovery or created manually are automatically added to this
group. Use this group in conjunction with the task scheduler to periodically update the
interface status for each device in the group.

L2 Network Devices Devices that support the Standard 802.1d Bridge Table. This group is also used for
filtering the list of devices displayed on the L2 Network Devices window. As new L2
devices are discovered they are added automatically to this group and to either L2
Wired Devices or L2 Wireless Devices.

L2 Wired Devices A sub-group of L2 Network Devices that is used for filtering on the L2 Network Devices
window. L2 Wired Devices are added to this group automatically as they are
discovered.
Note: Removing a device from this group does not disable L2 (Hosts) Polling under the
Polling tab in Inventory.

L2 Wireless Devices A sub-group of L2 Network Devices that is used for filtering on the L2 Network Devices
window. L2 Wireless Devices are added to this group automatically as they are
discovered.
Note: Removing a device from this group does not disable L2 (Hosts) Polling under the
Polling tab in Inventory.

L3 (IP-->MAC) This group must be populated manually with your L3 devices. The L3 group can be
used for filtering on the L3 Polling window.

Physical Address Filtering Devices that participate in the enabling and disabling of hosts.
Add switches that participate in host disabling to this group. If a host is connected to a switch that is not in the
physical address filtering group, and that host is disabled through FortiNAC, the host remains connected to the
network and is displayed as in violation. Add the switch regardless of whether a host is disabled through a Dead End
VLAN, or through MAC address security.

Host view

Forced Scan Exceptions Hosts that do not participate in forced scans.

Forced User Authentication Exceptions Hosts that do not participate in forced user authentication.

Forced Remediation Exceptions Hosts are scanned and can be marked "at risk", but are never put into remediation.
Scan results are stored allowing the administrator to review the results and take corrective action without
disrupting users on the network.

Global Agent Update Exceptions Hosts in this group are excluded from automatic Persistent Agent Updates. Updates
are controlled by MAC address. If a host has more than one MAC address, as long as any one of its MAC addresses is
listed in this group the host is not updated.

Registered Hosts Group of all registered hosts.

Rogue Hosts This group has a special property that controls whether or not rogue hosts can access the network.
Under Group Properties for this group, the Access field can be set to either Deny or Allow.
- Deny: If the Access field is set to Deny, rogue hosts in this group are denied network access until they register,
and any new unregistered hosts are automatically put into the group as they connect to the network.
- Allow: If the Access field is set to Allow, rogue hosts in this group are permitted to access the network and any
new unregistered hosts are not added to the group.
Devices that are not in the Inventory but are connected to managed switches are created as rogue hosts.
If rogue hosts are denied access to the network, they are disabled. To prevent this from causing problems with new
devices such as printers, lab hosts or servers, you must register them as devices or as hosts. See Register a host as
a device on page 1 or Modify a host on page 139 for detailed instructions.

Customer defined groups

User-owned groups are typically created to associate devices, ports, IP phones or hosts. You can associate these
groups with scheduled actions to perform a variety of functions. Typical groups include the following:

Groups Notes

Ports Port groups can be used for a variety of purposes. Use the Fixed Day Task option in the
Scheduler with the Disable Ports and Enable Ports actions to disable or enable ports on a
date or time schedule.
You can nest port groups to make it easier to add ports to the FortiNAC owned groups, such
as Forced Registration groups.

Departments, Staff, Divisions You can use Host groups for a variety of purposes. Use Disable Hosts and Enable
Hosts on a date or time schedule with the Fixed Day Task option in the FortiNAC Scheduler.
Nest host groups to make it easier to control access over large groups of students. Create host groups for each
grade level to control each group through its own scheduled task. You can also create a host group that contains
each grade level and schedule it to disable or enable the entire student population with a single task.

Administrator This group contains administrators who can manage (disable and enable) ports or hosts
contained in the associated port or host groups.
For example, place administrator "John Smith" in the Northeast Admins group. Set the
Northeast Admins group to manage the "Department 1 Ports" and the "Department 1
hosts". When John Smith logs in to FortiNAC, he can find and disable any host or port in
those groups. See Limit user access with groups on page 347.

Feature Visibility

System > Feature Visibility provides the ability to enable or disable structural visibility changes to the FortiNAC style.

Option Description

Legacy View Architecture Switches views which have been upgraded back to the older FortiNAC style.
Note: Legacy views are scheduled for removal in future versions.

Scheduler

Use the scheduler to add, modify and delete scheduled tasks within FortiNAC. A task is an action that is scheduled to
occur at a specified time and is usually associated with a specific group.
There are two types of scheduling: fixed day and repetitive. A fixed day task is one in which you schedule a task to run on
a combination of days of the week and times of the day, such as Mondays at 1:00 pm and Fridays at 10:00 am. A
repetitive task is one that you schedule to start on a given day, at a certain time, for the number of times you specify,
such as every 10 days starting today. You can set the repetition rate to any number of minutes, hours, or days.

Settings

Fields used in filters are also defined in this table.

Field Definition

Enable Disable Buttons Enables or disables the selected task.

Name User created name for the task.

Action Action being performed by the scheduler.

Group Action is limited to the group listed.

Enabled Indicates whether the task is enabled or disabled. Disabled tasks do not execute.

Schedule Days and times that this task is scheduled to run.

Last Scheduled Time Last time the task was executed by the scheduler.

Next Scheduled Time Next time the task will execute.

Description User specified description of the scheduled task.

Last Modified By User name of the last user to modify the scheduled task.

Last Modified Date Date and time of the last modification to this scheduled task.

Right click options

Copy Copy the selected task to create a new record.

Delete Deletes the selected task.

Disable Disables the selected task.

Enable Enables the selected task.

Modify Opens the Modify Scheduled Activity window for the selected task.

Show Audit Log Opens the Admin Auditing Log showing all changes made to the selected item.
For information about the Admin Auditing Log, see Audit Logs on page 298.

You must have permission to view the Admin Auditing Log. See
Add an administrator profile on page 55.

Run Now Executes the selected task immediately.

Buttons

Export Exports the data displayed to a file in the default downloads location. File types
include CSV, Excel, PDF, or RTF. See Export data on page 1.

Add a task

1. Select System > Scheduler.


2. From the Scheduler view, click Add.
3. The Enabled check box is selected by default. Uncheck it if you want this task to be disabled.
4. Enter a Name for the task and an optional description.
5. In the Action Type field, select either System or CLI. System actions are predefined tasks that you can choose to
execute. CLI actions are sets of command line instructions that are created in the CLI Configuration View and saved
to be executed elsewhere in the program.
6. Select the Action from the list of system or CLI actions. Refer to the table below the instructions for more
information.

See CLI Configuration View for information on creating CLI actions.

7. From the Group drop-down list, select the group that the action will be performed on. The list contains only the
group types specific to that Action.
8. From the Schedule Type drop-down list, select either Fixed Day or Repetitive and set the day and time that the
task is to be performed.
9. A Fixed Day Task is one in which you schedule a task to run on a combination of days of the week and times of the
day, such as Mondays at 1:00 pm and Fridays at 10:00 am. Select the day(s) and time to run the task.
a. Click the box next to the day(s) to select the day.
b. Click the down arrows and select the hour, minutes, and AM or PM from the drop-down list for each day.
c. To enter days/times more quickly, select Set Multiple Days to set multiple days with the same time.
d. To remove all settings, click Clear All.
10. A Repetitive Task is one that you schedule to start on a given day, at a certain time, for the number of times you
specify, such as every 10 days starting today. The repetition rate can be set to any number of minutes, hours, or
days.

a. Enter the Repetition Rate using whole numbers.

A repetition rate of zero causes the task to run only once.

b. Click the down arrow and select Minutes, Hours, or Days from the drop-down list.
c. Enter the date and time for the task to run in the Next Scheduled Time field using the format MM/DD/YY
hh:mm AM/PM Time Zone.
d. Click Update to update the Next Scheduled Time field or change the Repetition Rate.

The new Repetition Rate does not take effect immediately; it starts the next time the scheduled task runs. For the
new Repetition Rate to take effect immediately, click Update.

11. Click OK.
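As an added example that is not FortiNAC's scheduler, this Python computes the next run for a Fixed Day task and a Repetitive task as defined in the steps above, including a Repetition Rate of zero running the task only once and a rate change that waits for the next run unless Update is clicked. Task names and times are constructed, and recomputing Next Scheduled Time from the last run after Update is an assumption.

```python
"""Next-run logic for the two schedule types: a Fixed Day task runs on chosen
weekday/time combinations; a Repetitive task starts at its Next Scheduled Time
and repeats every N minutes, hours or days. A Repetition Rate of zero runs it
once; a rate change waits for the next run unless Update is clicked.
Added example, not FortiNAC code; naive local datetimes; the recompute base
after Update (the last run) is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
UNITS = {"Minutes": "minutes", "Hours": "hours", "Days": "days"}

@dataclass
class FixedDaySchedule:
    slots: list                          # [(weekday, time), ...]

@dataclass
class RepetitiveSchedule:
    next_scheduled_time: Optional[datetime]
    rate: int                            # whole number; 0 = run once
    unit: str = "Days"
    pending_rate: Optional[int] = None   # changed without clicking Update

    def step(self) -> timedelta:
        if self.rate < 0:
            raise ValueError("Repetition Rate must be a whole number")
        return timedelta(**{UNITS[self.unit]: self.rate})

@dataclass
class Task:
    name: str
    schedule: object                     # FixedDaySchedule or RepetitiveSchedule
    enabled: bool = True
    last_scheduled_time: Optional[datetime] = None

def next_run(task: Task, now: datetime) -> Optional[datetime]:
    """First execution after `now`, or None (disabled, or nothing scheduled)."""
    if not task.enabled:
        return None
    s = task.schedule
    if isinstance(s, RepetitiveSchedule):
        return s.next_scheduled_time
    candidates = []
    for day, t in s.slots:
        days_ahead = (WEEKDAYS[day] - now.weekday()) % 7
        candidate = datetime.combine(now.date() + timedelta(days=days_ahead), t)
        if candidate <= now:             # this week's slot already passed
            candidate += timedelta(days=7)
        candidates.append(candidate)
    return min(candidates) if candidates else None

def fire(task: Task, at: datetime) -> None:
    """Record a run; a repetitive task then advances (or, with rate 0, stops)."""
    task.last_scheduled_time = at
    s = task.schedule
    if isinstance(s, RepetitiveSchedule):
        if s.pending_rate is not None:   # deferred change takes effect now
            s.rate, s.pending_rate = s.pending_rate, None
        s.next_scheduled_time = None if s.rate == 0 else at + s.step()

def change_rate(task: Task, rate: int, click_update: bool) -> None:
    """Without Update the new rate is queued for the next run. With Update it
    applies now and, if the task has run before, Next Scheduled Time is
    recomputed from the last run (assumed base)."""
    s = task.schedule
    if not isinstance(s, RepetitiveSchedule):
        raise TypeError("Repetition Rate applies to repetitive tasks only")
    if not click_update:
        s.pending_rate = rate
        return
    s.rate, s.pending_rate = rate, None
    if task.last_scheduled_time is not None:
        s.next_scheduled_time = None if rate == 0 else task.last_scheduled_time + s.step()

def demo() -> dict:
    """Constructed tasks exercising both schedule types."""
    fixed = Task("Disable lab ports",
                 FixedDaySchedule([("Mon", time(13, 0)), ("Fri", time(10, 0))]))
    wed = datetime(2023, 3, 8, 9, 0)             # a Wednesday morning
    fri = datetime(2023, 3, 10, 11, 0)           # after Friday's 10:00 slot
    rep = Task("DB backup", RepetitiveSchedule(datetime(2023, 3, 10, 2, 0), rate=10))
    first = next_run(rep, wed)
    fire(rep, first)                             # ran 03/10 02:00, next 03/20
    change_rate(rep, 5, click_update=False)      # queued until the next run
    fire(rep, rep.schedule.next_scheduled_time)  # 5-day rate now in effect
    after_queue = rep.schedule.next_scheduled_time
    change_rate(rep, 0, click_update=True)       # run once: nothing further
    off = Task("Old", FixedDaySchedule([("Mon", time(8, 0))]), enabled=False)
    return {
        "fixed_from_wed": next_run(fixed, wed).isoformat(),
        "fixed_from_fri": next_run(fixed, fri).isoformat(),
        "rep_first": first.isoformat(),
        "rep_after_queue": after_queue.isoformat(),
        "rep_after_zero": rep.schedule.next_scheduled_time,
        "disabled": next_run(off, wed),
    }
```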

Actions

Actions Group Type Description

Certificate Expiration Monitor None Generates warning, critical warning, and expiration
events for the certificates listed in Certificate
Management. See Certificate management on page 344.

Custom Script None Executes the selected command line script located in
/home/cm/scripts.

Database Archive and Purge None Archives and purges Event, Connection, and Alarm
records that are older than 7 days. The number of days is
configurable in the Event And Alarm Age Time field on the
FortiNAC Properties window. See Database archive on
page 399.

Database Backup None Backs up the FortiNAC database. The database backup
files are stored on the local appliance at
/bsc/campusMgr/master_loader/mysql/backup.
See Remote backup configuration on page 407 for more
information on configuring backups to a remote server.

Disable Adapters Hosts Prohibits network access to all adapters in the associated
host group. Disables the adapters but not the host itself.

Disable HP/NT Port Security Devices Disables port security configuration on all HP/NT devices
in the associated group. Use Port Security to disable
hosts if DeadEnd VLANs are not used on the network.

Disable Ports Port Administratively disables all ports in the associated group.

Enable Adapters Hosts Allows network access to all hosts in the associated
group.

Enable HP/NT Port Security Devices Enables port security configuration on all HP/NT devices
in the associated group. Use Port Security to disable
hosts if DeadEnd VLANs are not used on the network.

Enable Ports Port Administratively enables all ports in the associated group.

Modify Device VLAN Values Ports Writes the indicated VLAN value to the switch and
changes only the Current VLAN value in the FortiNAC
device model. You must specify the VLAN value.

Purge Remediation Output Files (Reports) None Purges the output files from all the Nessus scans
performed since the last purge.
Nessus Servers and scans are no longer supported.

Resynchronize Device Devices Allows you to sync a device with FortiNAC after making a
change to the device (e.g., adding a VLAN, role or SSID
for a wireless device).

Role Assignment Hosts Modifies the Role for the associated group of hosts or
users. You must specify the new role.

SSID Assignment Devices Maps VLAN IDs to SSIDs. You must specify both the
VLAN ID and the SSID.

System Backup None Backs up the FortiNAC system files. The system backup
files are stored on the local appliance at
/bsc/backups/<server name>.
See System backups on page 410.

Update Default VLAN Values Ports Sets the Default VLAN value for the port in FortiNAC
device model to the value entered in the scheduled task.
You must specify the VLAN value.

Update Interface Status Devices Reads and updates the interface status for each port on
the devices in the associated groups.

Update Remediation Center None Connects to Nessus.org and updates the Nessus server with the scan IDs for the version running on the application server. Also connects to Fortinet and updates the server with the latest scan profiles. If you create scan profiles with Nessus Wx, you must run this task to ensure that those scan profiles will work properly.
Note: Nessus Servers and scans are no longer supported.

Add other scheduled tasks

Tasks can be added to the Scheduler in two ways. You can go directly to the scheduler and create a new task for a
group. Certain tasks can only be created from other configuration windows. For example, to schedule a weekly update of
your Auto-Def file you must go to the Auto-Def Update window. This task is created and displays on the Scheduler
window, but it cannot be created within the Scheduler window. The table below describes scheduled tasks that are
created outside the Scheduler window, but, once created, display within that window.

Task Definition

Scan Scans that are part of Endpoint Compliance Policies for hosts can be set to run at regular intervals. See Schedule a scan on page 255.

Proactive Scanning Security Policy schedules are affected by Proactive Scanning.

Report Generation Schedule reports to be automatically generated. See Schedule reports.

Auto Definition Synchronizer Weekly updates to your Auto-Def file can be scheduled.

Synchronize Users From Directory Schedule your LDAP or Active Directory to synchronize with your user database. See Schedule synchronization on page 377.

Security Rescan Schedule your scanned host list to be cleared so that Admin scans can begin again. See Clear scanned hosts list.

Verify DHCP Servers Schedule a poll for rogue DHCP servers. See Rogue DHCP server detection.

Copy a task

1. Select System > Scheduler.
2. Use the filters to display a list of tasks.
3. Click the task to select it.
4. Click Copy.
5. Enter a name for the new task.
6. Modify other fields as needed.
7. Click OK. The new task appears in the Scheduler.


Delete a task

1. Select System > Scheduler.
2. Use the filters to display a list of tasks.
3. Click the task to select it.
4. Click Delete.
5. Click Yes to delete the task.

Modify a task

You can change a task from a Repetitive task to a Fixed Day task by changing the task’s date, time, and repetition rate.
You can also change the group associated with the task and the name of the task. For Settings see Add a task on page
356.
1. Select System > Scheduler.
2. Use the filters to display a list of tasks.
3. Click the task to select it.
4. Click Modify.
5. Modify the data as needed.
6. Click OK.

Run task now

To run a scheduled action at any time:

1. Select System > Scheduler.
2. Use the filters to display a list of tasks.
3. Click the task to select it.
4. Click Run Now.

Tasks

Any assigned, active tasks will appear in the top-right corner of the FortiNAC page under a new bell notification icon.
Each task has a message, an icon to present who it's assigned to (either you, or everyone), and a pencil with which to
edit the task. Some tasks may optionally also have a redirect icon which can be clicked to take you to a different view
within the site. At the bottom of this notification drop-down, there is a cog menu to click for Task Settings (which for now
is only to show tasks you've assigned).
Aside from this notification panel, there is a main Task view which you can navigate to via the left navigation pane under
System > Tasks. Here you can see and manage all Tasks regardless of assigned or completed states.
The actions you can take are shown via buttons at the top of the page, as well as context menus when right-clicking a
task. You can create tasks, edit tasks, mark a task as complete, or delete them altogether.
When creating a new task, the following properties are available to you:

- Message: Text to be displayed in the Task List and notification panel.
- Previous Task (optional): A hierarchical feature to link tasks in sequence. The task provided must be completed before the task being created/edited can be completed.
- Associated View (optional): A view within the navigation which will be opened when the user clicks Open View.
- Assignee (optional): A user to assign this task to. If left blank, the task will be assigned to everyone.
- Note (optional): Added text field for more robust information; only viewable from the Task view, not the notification panel.

Settings

The settings view provides access to global system configuration options, such as Aging properties to remove hosts and
users from the database or email settings for emailing users and administrators.
All settings can also be unified under System by enabling Unified Settings under System > Feature Visibility.

Users & Hosts Setting Description

User/Host Management

Aging Configure default settings to age users and hosts out of the database. See Aging.

Allowed Hosts Configure the default number of hosts that can be registered to a user. See Allowed hosts.

Device Profiler Enable or disable creating rogues from DHCP packets heard on the network. See Device profiler.

MAC Address Exclusion Lists the MAC addresses that FortiNAC ignores when they connect to the network. These addresses will not be treated as rogues and will be allowed on the production network. See MAC address exclusion.

Network Setting Description

Authentication

LDAP See Directories on page 366.

Roaming Guests See Roaming guests.

Control

Access Point Management Provides the ability to manage hosts connected to hubs using DHCP as a means to control or restrict host access. See Access point management.

Allowed Domains Specify the domains and production DNS server that isolated hosts use to gain access to network locations. See Allowed domains.

Quarantine When Quarantine VLAN Switching is set to Enable and the ports are in the Forced Remediation Group, FortiNAC switches unregistered hosts that are being scanned to the quarantine VLAN until the scan process is completed. See Quarantine.

Identification

Device Types Displays icons representing each device type in the system, and allows you to add,
modify, and delete custom type icons.

NAT Detection Enter the IP ranges where FortiNAC will allow NAT'd hosts. IP addresses outside these ranges could be NAT'd hosts and can generate an event and an alarm to notify the network administrator. See NAT detection.

Rogue DHCP Server Detection Monitors the operation of approved DHCP servers and detects rogue DHCP servers on the network using a dedicated interface on the FortiNAC appliance. It defines a scheduled task that searches specific VLANs and discovers all active entities serving IP addresses. This task compares the discovered DHCP servers against a list of authorized DHCP servers and triggers corresponding events when there is no match. See Rogue DHCP server detection.

Vendor OUIs Allows you to modify the vendor OUI database, which is used to determine whether or not a MAC address is valid, or by Device Profiler to profile devices by OUI. The database is updated periodically through the Auto Definition update process. See Vendor OUIs on page 382.

Network Device

Network Device Set global properties that are specific to network devices and VLANs. See Network device.

System Setting Description

Reports

Analytics Configure the connection between the FortiNAC server and the cloud reporting
Analytics server. This connection allows an agent on the FortiNAC server to push
data for reporting to an external server based on a user-defined schedule.

Persistent Agent

Agent Update Enable Persistent Agent updates by operating system, schedule agent updates and add hosts to the list of Update Exceptions. You can update agents on both platforms simultaneously or separately. See Global updates.

Credential Configuration Configure how credentials are verified for hosts that use the Persistent Agent. See Credential configuration.

Properties Configure the FortiNAC server name used for Persistent Agent communication, enable or disable display notifications to the host, and configure the header and footer text for the Persistent Agent authentication page and the status messages shown in the message box on the user's desktop. See Security management.

Status Notifications Configure how users are notified of their host status when the Persistent Agent contacts the FortiNAC server. See Status notifications.

Transport Configuration Configure TCP and UDP communication between the FortiNAC server and the
Persistent Agent.
See Transport configurations

USB Detection Use the USB Detection view to configure FortiNAC to be notified when a USB device is plugged into a host on the network. See USB detection.

System Communication

Addresses Configure a list of address and address group objects used in SSO and VPN
configuration. See Addresses.

Email Settings Enter settings for your email server. This allows FortiNAC to send email to
Administrators and network users.
See Email settings on page 390.

Firewall Tags Configure Logical Network Firewall Tags

Fortinet FSSO Settings Enable FortiNAC as a Fortinet Fabric Connector

Log Receivers Configure a list of servers to receive event and alarm messages from FortiNAC.
See Log receivers on page 391.

Email/SMS Message Templates Customization of SMS and email messages for Self-Registered and Pre-Registered Guests.

Mobile Providers Displays the default set of Mobile Providers included in the database. FortiNAC uses the Mobile Providers list to send SMS messages to guests and administrators. The list can be modified as needed. See Mobile providers.

Patch Management The Patch Management feature allows integration with patch servers such as BigFix or PatchLink. See Patch management.

Proxy Settings Configure FortiNAC to direct web traffic to a proxy server in order to download OS
updates and auto-definition updates.

SNMP Set the SNMP protocol for devices that query FortiNAC for information. It is also
used to set the SNMP protocol to accept SNMPv3 traps that register hosts and
users.
See SNMP on page 393.

Syslog Files Syslog files that you create and store are used by FortiNAC to parse the information received from external devices and generate an event. The event can contain any or all of the fields contained in the syslog output and can be mapped to an alarm and an alarm action. See Syslog management and Map events to alarms on page 334.

Trap MIB Files Enter configurations to interpret SNMP trap MIB information sent from a device and associate it with events and alarms in FortiNAC. See Trap MIB files and Map events to alarms on page 334.

Vulnerability Scanners Configure and manage the connection to a Vulnerability Scanner, allowing
FortiNAC to request and process scan results.

System Management

Database Archive Set the age time for archived data files and configure the schedule for the Archive
and Purge task.
See Database archive on page 399.

Database Backup/Restore Schedule database backups, configure how many days to store local backups,
and restore a database backup. Note that this restores backups on the FortiNAC
server, not backups on a remote server.
See Database backup/restore on page 401.

High Availability Configuration for Primary and Secondary appliances for high availability. Saving
changes to these settings restarts both the Primary and Secondary servers.
See High availability on page 403.

License Management View or modify the license key for this server or an associated Application server.
See License management on page 404

NTP And Time Zone Reset the time zone and NTP server for your FortiNAC appliances. Typically the
time zone and NTP server are configured using the Configuration Wizard during
the initial FortiNAC set up. Requires a server restart to take effect.
See NTP and time zone on page 406.

Power Management Reboot or power off the FortiNAC server. In the case of a FortiNAC Control Server
/ Application Server pair, reboot or power off each server individually.
See Power management on page 407.

Remote Backup Configuration Configure Scheduled Backups to use a remote server via FTP and/or SSH.
See Remote backup configuration on page 407.

System Backups Create a backup of all system files that are used to configure FortiNAC.
See System backups on page 410.

Updates

Agent Packages Displays a list of the Dissolvable Agent, Persistent Agent, and Passive Agent versions available on your FortiNAC appliance. Download new agents and add them to FortiNAC as they become available from Fortinet using Download. Download an Administrative Template for GPO configuration to your PC from the FortiNAC appliance using the links at the top of the view. See Agent packages on page 412.

Operating System Use operating system updates to download and install updates to the operating system on FortiNAC servers. See Updating CentOS.

System Use System Updates to configure download settings, download updates from
Fortinet, install updates and view the updates log.
See System update on page 420.

Authentication

Authentication groups together the available options for authenticating credentials when Administrators log in to the
FortiNAC Manager UI.
Options

Option Definition

LDAP Use LDAP to configure the connection to one or more authentication directories. Data from the directory
populates the FortiNAC Manager database with demographic data for Administrator users.
See Directories.

RADIUS Use RADIUS to configure the connection to one or more RADIUS servers. Data from the RADIUS server
populates the FortiNAC Manager database with demographic data for Administrator users. See
RADIUS.

Automatic authentication

Hosts can be automatically authenticated during registration. This requires either the Dissolvable Agent or the Persistent Agent. For details on the agents, see the agent sections, including Using the Persistent Agent on page 198.

Dissolvable Agent

1. Enable authentication. See Add or modify a policy for details.
2. When the host downloads and runs the Dissolvable Agent, the host is automatically authenticated.

Persistent Agent

1. Enable authentication. See Add or modify a policy for details.
2. When the host downloads and installs the Persistent Agent, the host is automatically authenticated.

Directories

Use the authentication directories view to configure the connection with one or more LDAP directories. If you plan to use local authentication via the FortiNAC database or RADIUS authentication, this step is not necessary.
A directory is a database that contains the records of an organization's members. You can organize the members into groups within the directory. If configured in FortiNAC, the directory can be used to authenticate network users. If you have chosen LDAP authentication in the portal configuration window, you must configure a directory in FortiNAC. See Portal configuration or Configure authentication credentials.


The directory configuration validates the user and populates the user record in the FortiNAC database with user-specific information before they are allowed access to the network. FortiNAC uses the LDAP protocol to communicate with an organization's directory.
A user's record is made up of fields that contain information about the user such as first name, last name, and email address. The name of a field in a directory is defined by a schema. For example, the schema specifies that a user's first name is stored in a field with an attribute name of "givenName". This attribute name is used when retrieving a user's first name from the record. Attribute names can vary from directory to directory, so FortiNAC allows you to define your own fields. Users in an "ou" in the directory are populated into a group in FortiNAC if the distinguished name (DN) attribute is entered in the directory group attribute mappings view.
When an administrator group is created in FortiNAC with the same name as a group being synchronized from a directory, the administrator group members will remain the same as the directory group members. Therefore, if you add a non-directory user to the administrator group and then synchronize the directory, the non-directory user is removed from the administrator group because the user is not a member of the directory group.

Authenticate using a domain name

If you choose to authenticate using a domain name, you must consider the following:
- When a domain name is specified and the login includes the matching domain, authentication uses both the user name and the domain name. If this authentication fails, no further authentications are attempted.
- When a domain name is specified and the login includes a domain that does not match, the authentication immediately fails.
- When no domain is specified and the login includes a domain, authentication first uses the user name and the domain name. If this authentication fails, a second authentication is attempted using only the user name.
- Domain names must be an exact match. For example, if you define the domain as example.com, a login of john.smith@it.example.com is not authenticated because the domain specified is not an exact match.
- The table below summarizes the formats FortiNAC uses to interpret the fully qualified username and to identify the user portion (which can sometimes be a host), the domain portion and the separator.

Fully qualified username User Domain

user user no domain specified

user@domain.com user domain.com

user@domain user domain

domain\user user domain

domain.com\user user domain.com

Authenticate using domain names and multiple directories

If you are using multiple directories to authenticate users, you must consider the following:
- When one directory is configured and no domain is specified, authentication is attempted using the one directory.
- When multiple directories are configured and no domain is specified, authentication is attempted against all directories that are in the database. The order in which the directories are processed cannot be controlled, and the first directory that yields a successful authentication is used. Therefore, if settings such as Security & Access Attribute Value, Role, etc., are not identical between all configured directories, a user's network access can vary based on which directory settings are in effect. These settings will depend on the most recent directory sync.
- When multiple directories are configured, authentication is attempted against all directories without Domain configurations, or with Domain configurations matching the domain, if one is supplied. If a Domain is configured for the directory, the user must supply a matching value for their domain in order for authentication to be attempted against that directory.
- If duplicate user IDs are present across the directories, the Identifier attribute mappings must contain unique values. Use the userPrincipalName or mail attributes. Using sAMAccountName is recommended only for the default directory without a Domain Name configured; all other directories must provide a unique user ID value.
Note: Domain Name can be a semi-colon separated list in the following format: EXAMPLE;example.com
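The following is an added example, not FortiNAC code, that works through the two sets of rules above: it splits a fully qualified login into user and domain exactly as the table does, then decides which configured directories receive an authentication attempt and which credential forms are tried against each. It assumes (the page does not say) that domain comparison is exact, case-sensitive string equality, and it walks directories in configured order purely for illustration, since the page states the real order cannot be controlled. The duplicate_identifiers helper covers the last bullet: it flags identifier values that collide across directories.

```python
"""Added example (not FortiNAC code): login parsing and directory selection
following the "Authenticate using a domain name" rules on this page."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Attempt = Tuple[str, Optional[str]]   # (user, domain) credential pair tried in a bind


@dataclass(frozen=True)
class Directory:
    name: str
    # Domain Name field as typed in the UI, e.g. "EXAMPLE;example.com"; "" = not set
    domain_name: str = ""

    def domains(self) -> Tuple[str, ...]:
        return tuple(d.strip() for d in self.domain_name.split(";") if d.strip())


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Return (user, domain) per the "Fully qualified username" table."""
    if "\\" in login:                      # domain\user or domain.com\user
        domain, _, user = login.partition("\\")
        return user, domain
    if "@" in login:                       # user@domain or user@domain.com
        user, _, domain = login.rpartition("@")
        return user, domain
    return login, None                     # no domain specified


def auth_attempts(login: str, directory: Directory) -> List[Attempt]:
    """Credential pairs tried against one directory, in order; [] = not attempted."""
    user, domain = split_login(login)
    configured = directory.domains()
    if configured:
        # Domain Name set: the login must carry an exactly matching domain (assumed
        # case-sensitive) and there is no fallback to a user-only bind on failure.
        return [(user, domain)] if domain in configured else []
    if domain is None:
        return [(user, None)]
    # No Domain Name set but the login carries one: user+domain first, then user only.
    return [(user, domain), (user, None)]


def candidate_directories(login: str, directories: List[Directory]) -> List[Tuple[str, List[Attempt]]]:
    """Directories that will see an authentication attempt for this login."""
    result = []
    for d in directories:
        attempts = auth_attempts(login, d)
        if attempts:
            result.append((d.name, attempts))
    return result


def duplicate_identifiers(ids_by_directory: Dict[str, List[str]]) -> set:
    """Identifier values present in more than one directory. The page requires these
    to be unique, which is why userPrincipalName or mail is preferred over sAMAccountName."""
    seen: Dict[str, set] = {}
    for dir_name, ids in ids_by_directory.items():
        for ident in ids:
            seen.setdefault(ident, set()).add(dir_name)
    return {ident for ident, dirs in seen.items() if len(dirs) > 1}


if __name__ == "__main__":
    # Constructed configuration: one default directory, one with a Domain Name list.
    dirs = [Directory("corp-default"), Directory("eng", "EXAMPLE;example.com")]
    for login in ("jsmith", "jsmith@example.com", "EXAMPLE\\jsmith", "jsmith@it.example.com"):
        print(login, "->", candidate_directories(login, dirs))
    # Constructed identifier sets: sAMAccountName collides, userPrincipalName would not.
    print(duplicate_identifiers({"corp-default": ["jsmith"], "eng": ["jsmith"]}))
```

Note the subdomain case: jsmith@it.example.com never reaches the "eng" directory because it.example.com is not an exact match for either configured value, but it is still tried against the default directory, first with the domain and then as the bare user name.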

Requirements

The following steps provide a basic outline of the procedures required to set up the directory and its communication with FortiNAC.
1. Enable ping on the directory server itself. This allows FortiNAC to ping the directory server and prevents the server icon in the Network Device Summary panel on the dashboard from displaying an error as if it had lost contact when, in fact, it is in contact via LDAP.
If you plan to use the top level (root) of the directory tree as a Group Search Branch, make sure that you use Config Wizard to configure DNS in FortiNAC so that the IP address of the directory can be resolved to the directory's hostname. In addition, the IP address must be resolved by the primary DNS server.
2. Set up the connection between the directory application and FortiNAC. This step provides login information allowing FortiNAC to connect and communicate with the directory. See Configuration on page 369.
3. Map directory data fields to FortiNAC data fields. This step allows you to import user and group information into your database.
4. Configure User and Group Search Branches.
5. Data in your directory can change frequently. Users could be added, removed or modified. Those changes need to be incorporated into your FortiNAC database. Create a schedule to synchronize the directory with the FortiNAC database. See Schedule synchronization on page 377.
6. If choosing to use SSL or TLS security protocols for communications with the LDAP directory:
- TLS 1.2 or TLS 1.3 must be enabled on the LDAP directory.
- Installing a security certificate isn't necessary in most cases. However, if needed, see Create a keystore for SSL or TLS on page 379.
7. If you choose to use logon/logoff scripts to register the host when a user logs on or off a domain.
You may need to access your directory using a separate interface to acquire login, group and user information.
If you create new users in the directory, be sure not to assign a user ID that is the same as an existing user account or guest account in the FortiNAC database. Having duplicate user IDs will prevent one or both of the users from accessing the network.

Structure and synchronization

When synchronizing FortiNAC with a directory there are specific configuration tasks that must be completed. FortiNAC
does not have a view into the structure of your directory; however, you must understand this structure to complete the
configuration.
You may have your own application to view the attributes of your directory or there are some available on the Internet,
such as Active Directory Explorer, LDAP Administrator, or Apache Directory.


Configuration

Directory configuration allows you to configure the connection to the directory, user attributes that you would like to
import, user search branches and Group Search Branches. Each configuration section has specific information that
must be entered to allow FortiNAC to connect with the directory and import users and groups.
Use Schedule to configure the intervals for synchronizing the database with the selected directory. Use Preview to
review data in the selected directory. Use Copy to copy the directory configuration fields from an existing configuration.
Directory configuration can be accessed from System > Settings > Authentication > LDAP.

Connection tab

The Connection tab contains the parameters required for communication with the directory. Not all fields are required.
Be sure to enter information only in those fields that apply to your directory.

Settings

Field Description

Name Name of the server where the directory is hosted.

Primary IP IP address of the primary directory server. The server will be added as a pingable
device.

Security Protocol The security protocol used when communicating with the server containing your
directory. Options are SSL, STARTTLS, and none.
If SSL or STARTTLS are chosen you must have a security certificate from a CA. The
certificate should be stored in the following directory on your appliance
/bsc/campusMgr/
See Create a keystore for SSL or TLS on page 379 for instructions on importing and
storing certificates.

MAC address Physical address of the primary directory server. This field is required.

LDAP Login User login name of the service account FortiNAC uses to access the LDAP server.
Service account must have read access to all requested search branches.

LDAP Password Password for the user login.

Validate Credentials Click to verify that directory credentials are correct.

Credential Status Displays the results of clicking Validate Credentials. Messages such as credentials
verified or failed to validate can be displayed.

Additional Configuration Displays the fields listed below in this table.

Domain Name If this field contains a domain name, users must include the domain name in their login to be authenticated against this directory. Valid login formats are user, user@domain.com and domain\user. Setting a value here requires all users to supply a domain name during login.
When no domain is specified in the Directory Configuration view and the login includes a domain, authentication first uses the user name and the domain name. If this authentication fails, a second authentication is attempted using only the user name.

Secondary Server FQDN or IP address of the secondary directory server. This server would be accessed
in the event that the Primary server was unavailable. This server is added as a pingable
device. Important: Value must be FQDN if Security Protocol = SSL or STARTTLS.
Note: FortiNAC uses the same LDAP Login and Password to contact both directories.

Version Directory version. Default = 3

Port Communication port used by the directory. The default port is based on the security
protocol. To use a port other than the default, type the desired port number into this
field.
Common port values/protocols are:
- None = 389
- SSL = 636
- STARTTLS = 389

Time Limit Time in seconds that FortiNAC waits for a response from the directory. Default = 5.
The number of seconds may need to be increased in the directory or in FortiNAC if the
exception “Time Limit Exceeded” begins to be noted more often.

Enable Synchronization of Users/Groups At Scheduled Time Check this box to synchronize the FortiNAC database with either the primary or the secondary directory server based on a schedule in the Scheduler view.

On sync, delete Users no longer found in this directory When checked, users that have been removed from the directory are removed from the FortiNAC database when the scheduled resynchronization takes place.

Perform Lookup On Referral Referrals allow administrators to set up search paths for collecting results from multiple servers. If you have configured your directory for referrals and you want to do authentication on the referred directory servers, enable this option. Enabling referrals is required in order to search sub-domains.

Connect by Name Automatically checked when STARTTLS is selected as the Security Protocol. FortiNAC connects to LDAP using the Name field of the directory configuration with a URL such as ldap://dc.example.com to connect to the primary server. When not selected, FortiNAC connects to LDAP using the Primary IP address field of the directory configuration with a URL such as ldap://10.0.0.2.

NetBIOS name When specified, authentication will be via Kerberos. This represents the domain
NetBIOS name of the active directory server. This must match a domain NetBIOS name
from one of the configured Winbind instances in Network > RADIUS > Winbind.

The Administrator must enter the specific connection information for the directory server used for user authentication. The security information required varies depending on the type of directory you are using. Be sure to enter only the data required for your directory type.
The Directories view can be accessed from System > Settings > Authentication > LDAP.


1. Click System > Settings.
2. Click the Authentication folder in the tree control.
3. Click LDAP to display the Directories window.
4. To modify a directory, select a directory in the list and click Modify.
5. To add a directory, click Add.
6. A list of directories found on your network is displayed. Click on the name of the directory to be added. If the directory is not listed, click Enter Manually. Directories are found based on SRV records on your corporate DNS.
7. Use the information in the Settings table above to enter connection information.
8. Click the Connection tab and enter connection information.
9. Click Validate Credentials to verify the connection.
10. If FortiNAC is able to successfully connect to the directory, a Credentials Verified message is displayed in the Credential Status field.
11. To ensure that the user data is available to FortiNAC, you must also complete the User Attributes, Group Attributes, Search Branches and Select Groups tabs.
12. Click Next to continue.
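The following is an added example, not FortiNAC code, that derives the LDAP URL implied by the Connection tab fields described above (Security Protocol, Port, Connect by Name, Secondary Server) and checks the constraints the table states before a configuration is saved: the default port per protocol, Connect by Name being forced on for STARTTLS, and the Secondary Server having to be an FQDN when SSL or STARTTLS is used. The field names of the LdapConnection class and the wording of the findings are this example's own; the URL forms follow the Connect by Name row.

```python
"""Added example (not FortiNAC code): LDAP connection URL derivation and
pre-save checks for the Connection tab settings described on this page."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PORTS = {"none": 389, "ssl": 636, "starttls": 389}
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass
class LdapConnection:
    name: str                         # Name field: hostname of the directory server
    primary_ip: str                   # Primary IP field
    security_protocol: str = "none"   # "none", "ssl" or "starttls"
    port: Optional[int] = None        # Port field; None = default for the protocol
    secondary_server: str = ""        # FQDN or IP; must be an FQDN with SSL/STARTTLS
    connect_by_name: bool = False     # forced on when STARTTLS is selected
    time_limit: int = 5               # seconds to wait for a directory response


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_fqdn(value: str) -> bool:
    labels = value.rstrip(".").split(".")
    return (len(labels) >= 2
            and all(LABEL.match(label) for label in labels)
            and not is_ip(value))


def uses_name(conn: LdapConnection) -> bool:
    """Connect by Name is automatically checked when STARTTLS is selected."""
    return conn.connect_by_name or conn.security_protocol == "starttls"


def effective_port(conn: LdapConnection) -> int:
    return conn.port if conn.port else DEFAULT_PORTS[conn.security_protocol]


def ldap_url(conn: LdapConnection, secondary: bool = False) -> str:
    """ldap:// for none and STARTTLS (STARTTLS upgrades after connecting), ldaps:// for SSL."""
    scheme = "ldaps" if conn.security_protocol == "ssl" else "ldap"
    if secondary:
        host = conn.secondary_server
    else:
        host = conn.name if uses_name(conn) else conn.primary_ip
    return f"{scheme}://{host}:{effective_port(conn)}"


def check_connection(conn: LdapConnection) -> List[str]:
    """Findings a reviewer would raise before saving this configuration."""
    findings: List[str] = []
    if conn.security_protocol not in DEFAULT_PORTS:
        return [f"unknown security protocol {conn.security_protocol!r}"]
    encrypted = conn.security_protocol in ("ssl", "starttls")
    if not encrypted:
        findings.append("Security Protocol none: the LDAP Login password and directory "
                        "data cross the network in clear text")
    if encrypted and conn.secondary_server and not is_fqdn(conn.secondary_server):
        findings.append("Secondary Server must be an FQDN when Security Protocol is SSL or STARTTLS")
    if encrypted and not uses_name(conn):
        findings.append("SSL by Primary IP: with standard TLS hostname verification the server "
                        f"certificate must list {conn.primary_ip} as a subject alternative name")
    if uses_name(conn) and not is_fqdn(conn.name):
        findings.append(f"Connect by Name needs a resolvable hostname in Name, got {conn.name!r}")
    if conn.time_limit < 1:
        findings.append("Time Limit must be at least 1 second")
    return findings


if __name__ == "__main__":
    # Constructed configurations; dc.example.com and 10.0.0.2 mirror the page's own examples.
    for conn in (LdapConnection("dc.example.com", "10.0.0.2"),
                 LdapConnection("dc.example.com", "10.0.0.2", "starttls"),
                 LdapConnection("dc.example.com", "10.0.0.2", "ssl", secondary_server="10.0.0.3")):
        print(ldap_url(conn), check_connection(conn))
```

The clear-text finding is the one worth acting on first: with Security Protocol set to None, the service account password supplied in LDAP Login is sent in a simple bind over port 389 without encryption, so anyone on the path between the FortiNAC appliance and the directory can read it.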

User attributes tab

To add users from an LDAP compliant directory, the customer user database schema must be mapped to the FortiNAC
user data. Attributes can be mapped for users and groups by selecting the tabs on the left side of the window.
If a user in the directory has multiple values for the same attribute, FortiNAC uses the first one it finds. For example, if a record looked like the one shown below, FortiNAC would use staff.
eduPersonAffiliation=staff
eduPersonAffiliation=employee
eduPersonAffiliation=alum
eduPersonAffiliation=student

The attribute mappings for the user are entered on the User Attributes Tab. The AD attributes are mapped on this form
for User Description, Contact, Hardware, and Security and Access. This allows FortiNAC to retrieve the user information
based on the User Search Branches configured on the Search Branches tab.

Configure user attributes

When adding a directory, FortiNAC attempts to determine the directory type and populates the attribute fields based on that type. Do not modify the directory type unless it is incorrect. Do not modify the attributes unless they are incorrect.
The value of an attribute being mapped cannot exceed 255 characters in order for the attribute to be retrieved by
FortiNAC.
1. To access user attributes for an existing directory, select System > Settings.
2. Click the Authentication folder in the tree control.
3. Click LDAP to display the directories window.
4. If you are adding a new directory, the User Attributes tab is displayed when you click Next after completing the
connection tab.
5. The Directory Type drop-down indicates the type of directory being configured. This will scan the directory based
on the type selected and pre-populate some of the fields. The directory type should already be listed for you. If the
directory type is not listed or you know the field names for your directory, this step is not required.
6. Enter the user attribute mappings.


7. The Identifier (ID) field is a required entry. User records in the directory must have data entered in the selected ID
field.
Note: As of version 8.7.0, the Last Name is no longer a required field.
8. To ensure that the user data is available to FortiNAC, you must also complete the Group Attributes, Search
Branches, and Select Groups tabs.
9. Click Next to continue.
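The following is an added example, not FortiNAC code, that maps one directory record onto user fields using the Active Directory attribute names from the table that follows, applying the rules this page states: a multi-valued attribute contributes its first value, a value longer than 255 characters is not retrievable, the Identifier is required, and the Mobile Provider must match a provider in the database or SMS cannot be sent. The field names (first_name, sms_capable and so on), the AD_USER_ATTRIBUTES mapping and the sample record and provider list are this example's own constructed data.

```python
"""Added example (not FortiNAC code): directory attribute mapping with the
first-value, 255-character, required-Identifier and Mobile Provider rules."""
from typing import Dict, List, Optional

MAX_ATTRIBUTE_LENGTH = 255

# Assumed mapping of user fields to the Active Directory attributes listed on this page.
AD_USER_ATTRIBUTES = {
    "first_name": "givenName",
    "last_name": "sn",
    "identifier": "sAMAccountName",
    "email": "userPrincipalName",
    "phone": "telephoneNumber",
    "mobile_phone": "mobile",
    "mobile_provider": "otherMobile",
}

LdapEntry = Dict[str, List[str]]   # attribute name -> values as the server returns them


def first_value(entry: LdapEntry, attribute: str) -> Optional[str]:
    """First value of a (possibly multi-valued) attribute; None if absent or over 255 chars."""
    values = entry.get(attribute) or []
    if not values:
        return None
    value = values[0]
    return value if len(value) <= MAX_ATTRIBUTE_LENGTH else None


def has_identifier(entry: LdapEntry, mapping: Dict[str, str]) -> bool:
    """The Identifier field is required: records without a usable value cannot be imported."""
    return first_value(entry, mapping["identifier"]) is not None


def map_user(entry: LdapEntry, mapping: Dict[str, str], known_providers: set) -> Dict[str, object]:
    """Build the user record; raises ValueError when the Identifier cannot be read."""
    if not has_identifier(entry, mapping):
        raise ValueError(f"record has no usable {mapping['identifier']} value")
    user: Dict[str, object] = {field: first_value(entry, attribute)
                               for field, attribute in mapping.items()}
    provider = user.get("mobile_provider")
    # SMS can only be sent when the provider string matches one in the database.
    user["sms_capable"] = bool(provider) and provider in known_providers
    return user


# Constructed sample record: a multi-valued affiliation and an over-long phone value.
SAMPLE_ENTRY: LdapEntry = {
    "sAMAccountName": ["jsmith"],
    "givenName": ["Jane"],
    "sn": ["Smith"],
    "userPrincipalName": ["jsmith@example.com"],
    "eduPersonAffiliation": ["staff", "employee", "alum", "student"],
    "telephoneNumber": ["5" * 300],
    "mobile": ["+1 555 0100"],
    "otherMobile": ["Example Mobile"],
}
# Constructed provider list standing in for the Mobile Providers table.
KNOWN_PROVIDERS = {"Example Mobile", "Acme Wireless"}

if __name__ == "__main__":
    print(first_value(SAMPLE_ENTRY, "eduPersonAffiliation"))   # staff
    print(map_user(SAMPLE_ENTRY, AD_USER_ATTRIBUTES, KNOWN_PROVIDERS))
```

The over-long telephoneNumber comes back as None rather than truncated, which is the behaviour to expect from the 255-character limit: the field is simply not retrieved, so a sync that silently drops data is easiest to spot by checking for unexpected empty fields.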

Directory attributes

If you are using Active Directory, keep in mind that Active Directory only allows access via LDAP to users whose primary
group is the Domain Users group.

User attributes         Active Directory        Novell
Object Class            user                    person

Description
First Name              givenName               givenName
Last Name *             sn                      sn
Identifier *            sAMAccountName          cn
Title                   title
E-mail                  userPrincipalName

Contact
Address                 streetAddress           mailstop
City                    l                       city
State                   st                      S
Zip/Postal Code         postalCode
Phone                   telephoneNumber         Telephone Number
Mobile Phone            mobile
Mobile Provider         otherMobile

Note: The provider contained in the Mobile Provider field in the directory must match a provider in the FortiNAC
database or SMS messages cannot be sent to that user's Mobile phone. Depending on the configuration of your directory,
otherMobile may not be the location of the Mobile Provider field.

Security and access

Security Attribute: The Directory Attribute that can be used in a filter. Data contained in this field is copied to the
Security and Access value field on the User Properties and the Host Properties record for each user and associated
host when the directory synchronizes with the database.

Allowed Hosts: The number of host records each individual user may have in FortiNAC.

Role: Name of the Directory Attribute used to associate a user with a role.
Matching roles must be created in FortiNAC with the exact same spelling and case as the roles that exist in the
directory based on the selected attribute. See Roles view on page 295.
When assigning roles to users, the use of directory attributes over directory groups is recommended. Under no
circumstances should you use both methods to assign roles.

Disabled Attribute: Setting this attribute allows the AD Administrator to disable users in Active Directory and have all
instances of the user automatically disabled in FortiNAC when the next scheduled resync occurs.
Attribute = userAccountControl
Disabled users are able to access the network until FortiNAC resynchronizes with the Active Directory. To immediately
disable all instances of the user in FortiNAC, go to the Scheduler View and run the Synchronize Users with Directory
task. See Scheduler on page 355 for more information.

Disabled Value: When the value for the Disabled Attribute for the user equals the Disabled Value, FortiNAC disables all
instances of a user when the next scheduled resync with AD occurs. The user must have previously been disabled in AD.
The Disabled Value may vary from directory to directory. Check a user that is currently disabled in the directory to see
what the disabled value should be. Enter that value in the Disabled Value field.
If "Disabled Value" starts with a "0x", a bitwise comparison is done between the value in the directory and this field.
Otherwise, without the "0x" prefix, it will only do an exact match numeric comparison.
If you are using Active Directory, it is possible for the Disabled Value to vary from user to user. The value is
affected by other account settings selected within the directory, such as Password Never Expires or User Must Change
Password At Next Login. You may only be able to set the Disabled Value for users that have identical account settings.
See https://support.microsoft.com/en-us/kb/305144 for more information on these values.

Time To Live: The name of the directory attribute that contains the numerical value for the user age time. If the
attribute does not have a value the user age time is not set by the directory. Age time can also be set using the
Properties window or on the User Properties window for an individual user. All of these options simply modify the
Expiration Date in the User Properties window. See User properties on page 74.
The value of the attribute in the Time To Live field must be set to the name of the custom attribute that is configured
in the directory as the numerical value of hours or days for which the user is valid.

Time to Live Unit: The time unit set in the User Properties age time if the Time to Live attribute contains a value.
Options: Hours or Days
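The Disabled Value rule and the Time To Live mapping from the table above, worked through in Python as an added example that is not FortiNAC code. The userAccountControl bit values come from the Microsoft article the table cites; the sample records, the fixed clock and the function names are constructed, and the "0x" comparison is assumed to require every bit of the mask to be set.

```python
"""Added example, not FortiNAC code: applies the Disabled Value rule and the
Time To Live mapping from the table above to constructed directory records."""
from datetime import datetime, timedelta

# userAccountControl bits named in the text (Microsoft KB 305144); only the
# ones this example needs are listed.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000  # "Password Never Expires"

# Constructed sample records: an enabled user, a disabled user, and a disabled
# user who also has Password Never Expires set.
SAMPLE_USERS = {
    "alice": {"userAccountControl": str(NORMAL_ACCOUNT), "ttl": "30"},
    "bob": {"userAccountControl": str(NORMAL_ACCOUNT | ACCOUNTDISABLE), "ttl": ""},
    "carol": {
        "userAccountControl": str(NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD),
        "ttl": "12",
    },
}

# Fixed "now" so the expiration calculation is reproducible (constructed).
SAMPLE_NOW = datetime(2023, 3, 10, 12, 0)


def _to_int(text):
    """Parse a decimal or 0x-prefixed hexadecimal string."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def is_user_disabled(directory_value, disabled_value):
    """True when the user's Disabled Attribute value matches the Disabled Value.

    Rule from the table: a Disabled Value starting with "0x" is a bitwise test
    (assumed here to mean every bit of the mask must be set in the directory
    value); any other Disabled Value is an exact numeric comparison. A missing
    attribute value never marks the user disabled.
    """
    if directory_value is None or not str(directory_value).strip():
        return False
    actual = _to_int(str(directory_value))
    configured = disabled_value.strip()
    if configured.lower().startswith("0x"):
        mask = int(configured, 16)
        return (actual & mask) == mask
    return actual == int(configured, 10)


def disabled_users(users, disabled_value, attribute="userAccountControl"):
    """Names of the users that a resync would disable for this Disabled Value."""
    return sorted(
        name for name, rec in users.items()
        if is_user_disabled(rec.get(attribute), disabled_value)
    )


def expiration_from_ttl(ttl_value, unit, now):
    """Expiration Date implied by the Time To Live attribute and its unit.

    Returns None when the attribute has no value, because the directory then
    does not set the user's age time. unit is "Hours" or "Days" as in the UI.
    """
    if ttl_value is None or not str(ttl_value).strip():
        return None
    amount = int(str(ttl_value).strip(), 10)
    if unit == "Hours":
        return now + timedelta(hours=amount)
    if unit == "Days":
        return now + timedelta(days=amount)
    raise ValueError("Time to Live Unit must be Hours or Days")


if __name__ == "__main__":
    # An exact value copied from one disabled user misses "carol", whose other
    # account settings change the number; the 0x2 bitwise form catches both.
    print("Disabled Value 514 ->", disabled_users(SAMPLE_USERS, "514"))
    print("Disabled Value 0x2 ->", disabled_users(SAMPLE_USERS, "0x2"))
    for name, rec in SAMPLE_USERS.items():
        print(name, "expires", expiration_from_ttl(rec["ttl"], "Days", SAMPLE_NOW))
```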

Group attributes tab

The attribute mappings for groups are entered on the Group Tab. The AD attributes are mapped on this form for Object
Class, Group Name and Members. This allows FortiNAC to retrieve the group information based on the Group Search
Branch configured on the Search Branches Tab. Groups created in the directory are imported into FortiNAC each time
the Directory Synchronization task is run either manually or by the Scheduler.

Active Directory size limitations for the number of users per group may cause issues with
group based operations. Only the users up to the limitation are affected by group based
operations. Size limitations vary depending on the version of Active Directory used and the
settings in the MaxValRange and MaxPageSize directory fields.

The value of an attribute being mapped cannot exceed 255 characters in order for the attribute
to be retrieved by FortiNAC.

Configure group attributes

1. To access group attributes for an existing directory, select System > Settings.
2. Click the Authentication folder in the tree control.
3. Click LDAP to display the directories.
4. If you are adding a new directory, the Group Attributes tab is displayed when you click Next after completing the
User Attributes tab.
5. Enter the group attribute mappings:

Group Attributes Active Directory Novell

Object Class group groupOfMembers

Group Name name cn

Group Members member member

Distinguished Name (DN)

The DN is not to be used in conjunction with groups identified by Object Class.

6. To ensure that the user data is available to FortiNAC, you must also complete the Search Branches and Select
Groups tabs.
7. Click Next to continue.

Search branches tab

The Search Branches tab is where the Administrator enters the specific User and Group Search Branches information
for the Directory server. This tells FortiNAC where the user and group information is located in the Directory.

Active Directory size limitations for the number of users per group may cause issues with
group based operations. Only the users up to the limitation are affected by group based
operations. Size limitations vary depending on the version of Active Directory used and the
settings in the MaxValRange and MaxPageSize directory fields.

The example shown in the figure below is for Active Directory. In this example the segments represent the following:

cn=Users: The abbreviation cn stands for Common Name. In this case, it is the name of the branch or
folder in Active Directory that should be searched for users. The name of that branch could be anything,
such as Employees or Students.
dc=example: The abbreviation dc stands for Domain Component. In this case it is the second level
domain name, such as yahoo in yahoo.com.
dc=com: The abbreviation dc stands for Domain Component. In this case it is the first level domain name,
such as com in google.com or edu in marshalluniversity.edu or org in npr.org.
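The segments explained above, assembled into the search that a branch and the attribute mapping imply, as an added example that is not Fortinet code. It parses a branch into its segments, rejects a malformed one, and builds the user filter from the Active Directory defaults in the User Attributes table (Object Class user, Identifier sAMAccountName, First Name givenName), passing through the asterisk wildcard that the Preview search accepts; function names and sample values are constructed.

```python
"""Added example, not FortiNAC code: parse a search branch such as
cn=Users,dc=example,dc=com into its segments, check it is well formed, and
build the user search it implies. Attribute names are the Active Directory
defaults from the User Attributes table; the rest is constructed."""

# Meaning of the segment types the text explains (ou added for completeness).
SEGMENT_MEANING = {
    "cn": "Common Name",
    "ou": "Organizational Unit",
    "dc": "Domain Component",
}

# Active Directory defaults from the User Attributes table.
AD_USER_ATTRIBUTES = {
    "Object Class": "user",
    "Identifier": "sAMAccountName",
    "First Name": "givenName",
    "Last Name": "sn",
}


def parse_search_branch(branch):
    """Split a DN into (attribute, value) pairs.

    A backslash-escaped character (RFC 4514 form "\\,") is kept literally, so a
    comma inside a value does not start a new segment. Hex escapes such as
    "\\2C" are not handled here.
    """
    segments, current, i = [], [], 0
    while i < len(branch):
        ch = branch[i]
        if ch == "\\" and i + 1 < len(branch):
            current.append(branch[i + 1])
            i += 2
            continue
        if ch == ",":
            segments.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    segments.append("".join(current))

    pairs = []
    for seg in segments:
        attr, sep, value = seg.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed search branch segment: %r" % seg)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def describe_branch(branch):
    """Human-readable explanation of each segment, as in the text above."""
    return [
        "%s=%s: %s" % (attr, value, SEGMENT_MEANING.get(attr, "unknown type"))
        for attr, value in parse_search_branch(branch)
    ]


def escape_filter_value(value, allow_wildcard=False):
    """Escape characters that are special in LDAP filters (RFC 4515).

    With allow_wildcard=True the asterisk passes through, so a Preview-style
    search text such as F* matches every name starting with F.
    """
    out = []
    for ch in value:
        if ch == "*" and allow_wildcard:
            out.append(ch)
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search(branch, parameter, text, mapping=AD_USER_ATTRIBUTES):
    """Return (base DN, filter) for looking up users by one mapped attribute."""
    parse_search_branch(branch)  # raises ValueError on a malformed branch
    ldap_filter = "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(mapping["Object Class"]),
        mapping[parameter],
        escape_filter_value(text, allow_wildcard=True),
    )
    return branch, ldap_filter


if __name__ == "__main__":
    print("\n".join(describe_branch("cn=Users,dc=example,dc=com")))
    print(build_user_search("cn=Users,dc=example,dc=com", "First Name", "F*"))
```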

Configure search branches

1. To access search branches for an existing Directory, select System > Settings.
2. Click the Authentication folder in the tree control.
3. Click LDAP to display the directories.
4. To modify an entry, select the entry and click Modify.
5. To remove an entry, select the entry to be removed and click Delete.
6. If you are adding a new directory, the Search Branches tab is displayed when you click Next after completing the
Group Attributes tab.
7. Click Add to add new search branch information. Available search branches are listed; however you can enter your
own information. If the list of available search branches is too long to display, type the first few letters of the branch
needed to narrow the list.
8. In the Add dialog, enter or select the Search Branch and then click OK.
9. To ensure that the user data is available to FortiNAC, you must also complete the Select Groups tab.
10. Click Next to save search branch information.

Select groups tab

Use the Select Groups tab to choose groups of users to be included when the directory and the FortiNAC database are
synchronized. Upon initial synchronization, a host group is created for each LDAP group selected. Hosts become
members of these groups when they are registered to a user that is a member of that LDAP group. Note: If an
Administrator group with the same name already exists, a host group will not be created.
Users that do not already exist in FortiNAC are not imported. However, user data for users already in the database is
updated each time the Synchronization task is run. Only the members of the selected groups are synced into those
groups; group selection does not exclude users from attribute synchronization.

Configure group selections

1. To access group selections for an existing directory, select System > Settings.
2. Click the Authentication folder in the tree control.
3. Click LDAP to display the directories.
4. If you are adding a new directory, the Select Groups tab is displayed when you click Next after completing the
Search Branches tab.
5. Mark the groups of users that should be included when the directory and the database are synchronized by
checking the box in the Active column. If you do not check any boxes, all groups will be included.
6. Click OK to save the directory configuration.
7. An initial Synchronization is done immediately when you save the Directory. It is recommended that you set up a
schedule for synchronizing the Directory. See Schedule synchronization on page 377.

Delete a directory

1. Click System > Settings.
2. Click the Authentication folder in the tree control.
3. Click LDAP to display the Directories window.
4. Select a directory configuration in the list and click Delete.
5. Confirm that you wish to delete the directory configuration.

Replace a directory

If replacing an existing directory with another directory, use the following steps. Otherwise, some user records may
remain associated to the old directory. See related KB article 209296 for details:
1. Delete the old directory. See steps above.
2. Add the new directory using the old directory name.
3. Modify the LDAP directory and change the old directory name to the new directory name.
4. Select OK. This re-writes the name attribute to all of the user records and can take a few minutes.
5. Run the Synchronize Users with Directory task from the Scheduler view. See Run task now for instructions.

Schedule synchronization

When you select Schedule on the Directories view, you can select a date/time and poll interval for the directory
synchronization task. The scheduled task may also be paused and run manually later. This process adds the
Synchronize Users with Directory task to the scheduler.
When the directory and FortiNAC are synchronized, changes made to users in the directory are written to corresponding
user records in the database. Users from the directory are only added to the FortiNAC database when they connect to
the network and register.
Upon initial synchronization, a host group is created for each directory group. Specific directory groups can be disabled
from attribute mappings. See Select groups tab under configuration for details. If an Administrator group with the same
name already exists, a host group will not be created. Any new groups created in the directory are detected upon the
following synchronization. Groups created are displayed in FortiNAC on the Groups View.
If you are using a directory for authentication, user data is updated from the directory based on the user ID during
synchronization. This is true regardless of how the user is created and whether the user is locally authenticated or
authenticated through the directory. If the user ID on the user record matches a user ID in the directory, the FortiNAC
database is updated with the directory data.
When an administrator group is created in FortiNAC with the same name as a group being synchronized from a
directory, the administrator group members will remain the same as the directory group members. Therefore, if you add
a non-directory user to the administrator group and then synchronize the directory, the non-directory user is removed
from the administrator group because the user is not a member of the directory group.
The directory schedule is global and applies to all directories listed. Separate schedules cannot be entered for each
directory.

Settings

Field Definition

Schedule Interval Poll interval for the scheduled task. Options are Minutes, Hours, or Days.

Next Scheduled Time The next date/time the scheduled synchronization task will run. Entered in the format
MM/DD/YY HH:MM AM/PM.

Enabled When unselected, the scheduled synchronization task is stopped and does not run
automatically. To run the task manually click Run Now.

Run Now Runs the Synchronization task immediately.

Schedule directory resynchronization

1. Click System > Settings.
2. Click the Authentication folder in the tree control.
3. Click LDAP to display the Directories window.
4. Select a directory in the list and click Schedule.
5. Set a Schedule Interval by entering a number and selecting Minutes, Hours, or Days from the drop-down menu.
6. Click in the Next Scheduled Time field and enter the date/time to run the synchronization task.
7. To stop the scheduled task, remove the check mark from the Enabled box.
If the scheduled task is disabled, the Administrator can go to the Scheduler view and run the task manually to
synchronize the directory with FortiNAC. See Scheduler on page 355 for details.
8. To run the scheduled task immediately, click Run Now.
9. Click OK to save the schedule.

Preview

Use Preview to view the list of users that are found in the directory. User records in the directory are not listed until a
parameter is selected and its associated value is entered in the Filter field.
The directory configuration must be completed before any records can be previewed.
1. Click System > Settings.
2. Click the Authentication folder in the tree control.
3. Click LDAP to display the Directories window.
4. Select a directory in the list and click Preview.
5. Enter search criteria in the first text field, such as an ID or Last Name. Searches are not case-sensitive.
Use asterisks (*) as wild cards in text fields if you know only a portion of a name. The wild card represents any
characters. For example, enter F* in the text field and select the First Name parameter to locate all records where F
is the first character in the First Name field.
6. Select a parameter from the drop-down list.
7. Click Search.
An asterisk in the Role column next to an attribute value indicates that the role name has not been configured in
FortiNAC. If the role does exist in FortiNAC, the attribute value appears in the Role column without an asterisk.
Entering just the wild card in the text field returns every record in the directory and may cause time or size limit
exceeded errors to occur depending on the total number of records.
This is a view only list and is not imported into FortiNAC. The user information is only imported into the FortiNAC
database as the user registers. The Sync Directory task in the Scheduler is used to update user information
already in the FortiNAC database with any changes made in the directory database. See Scheduler on page 355 for
additional information.
8. Click the Groups tab to view the groups in the directory and select the groups to import.
All the groups in the directory are listed along with the number of member records contained in each group.
Selecting groups is part of the process of adding a directory configuration, therefore, groups may already be
selected.
9. To import groups of user records from the directory to the FortiNAC database when the directory Synchronization
scheduled task runs select the groups to be imported by checking the box(es) next to the group name.
10. A check mark in the Is Organizational Unit column indicates that the group is an OU or a container for other
groups.
11. Click OK.

Create a keystore for SSL or TLS

When using SSL or TLS security protocols for communications between FortiNAC and some servers (such as LDAP
directory, Fortinet EMS and Nozomi servers) a security certificate may be required. The need for the certificate is
dependent upon the configuration of the directory. In most cases, FortiNAC automatically imports the certificate it needs.
However, if this is not the case, use the following steps to import the certificate.
Certificate Import Instructions:
1. Once the certificate from the CA has been received, login to the FortiNAC server CLI as root.
Note: If using NAC-OS, login to CLI as admin then run:
execute enter-shell
2. Copy the file to the /home/admin directory.
3. Use the keytool command to import the certificate into a keystore file.
keytool -import -trustcacerts -alias ldap_client -file /home/admin/MainCertificate.der -keystore .keystore
Example using certificate file named MainCertificate.der:
keytool -import -trustcacerts -alias ldap_client -file MainCertificate.der -keystore .keystore
For additional information on using the keytool key and certificate management tool go to the Sun web site
java.sun.com.
4. When the script responds with the Trust this certificate? prompt, type Yes and press Enter.
5. At the prompt for the keystore password, type in the following password and press Enter ^8Bradford%23
6. To view the certificate, navigate to the /home/admin directory and type the following:
keytool -list -v -keystore .keystore
7. Type the password used to import the certificate and press Enter.
8. Verify connection to the directory. In the Administration UI, navigate to System > Settings > Authentication >
LDAP.
9. Double click the directory model and click the Validate Credentials button.
If unable to connect, restart the FortiNAC control process to clear any cached information:
1. In the FortiNAC CLI, type:
sudo shutdownCampusMgr
2. Wait 30 seconds
3. Type:
sudo startupCampusMgr

Radius

A RADIUS server enables external authentication for users connected to FortiNAC managed network devices. This type
of server is often used in a wireless environment, but also used in wired environments supporting 802.1x authentication.

The FortiNAC Manager uses RADIUS authentication for authenticating administrators logging onto the FortiNAC system
via UI.

RADIUS Server profiles

The first RADIUS Server added becomes the primary server by default. As more servers are added, you can modify
which server is the primary.
The encryption method for user names and passwords passed between FortiNAC and the RADIUS server must be set to
PAP. This affects the following accounts or user names and passwords created on the RADIUS server:
- The validation account created for communication with FortiNAC and entered in the RADIUS Server Profile
configuration.
- Network users that access the network via the captive portal and are authenticated through RADIUS.
- Admin UI users authenticated through RADIUS.
- VPN Users authenticated through RADIUS.
You should be able to communicate with a RADIUS Server in order to add it to the list. For example, if a RADIUS Server
is not currently connected to the network and FortiNAC cannot contact it, you will be asked if you want to add the server
anyway.
Configure Proxy Port Configuration
1. Click System > Settings > Authentication > RADIUS.
2. Modify the following as appropriate:
- Authentication Port: Enables/disables the service and defines the authentication port for the RADIUS Proxy.
Default: Enabled, 1812 (Cannot be set to the same port as Local RADIUS Authentication port)
- Accounting Port: Enables/disables the service and defines the accounting port for the RADIUS Proxy.
Default: Enabled, 1813
3. Click Save Settings. Changes to the configuration apply within 0-30 seconds.

Add a profile
1. Click Add.
2. Enter the parameters for the RADIUS Server profile (see table below).
3. Click the RADIUS Secret field to enter the RADIUS secret.
4. Enter the User Name.
5. Click the Password field to enter the Password information.

Field Definition

Profile Name: Name displayed in the RADIUS server list.

Host Name/IP address: Host name or IP address of the RADIUS server. If you are generating certificates using a
NSRADIUS appliance, the Fully Qualified Domain Name is required.

RADIUS Secret: Encryption key used by the RADIUS server to send authentication information.

Authentication Port: Port number through which the RADIUS server communicates.

Accounting Port: Port number that the RADIUS server uses for the accounting features, if they are used. If your
RADIUS server does not use accounting features, leave the check box blank.

Last Modified By: User name of the last user to modify the RADIUS Server.

Last Modified Date: Date and time of the last modification to this RADIUS Server.

Validation account

User Name: User name for verifying access to the RADIUS Server. This field is required, but only used when there are
multiple RADIUS Servers configured. You must create an account on the RADIUS Server that is used by FortiNAC to
communicate with that Server. The encryption method must be set to PAP.

Password: Password for verifying access to the RADIUS server. This field is required.

6. New servers are saved automatically.
7. Repeat as needed for additional RADIUS servers.

Modify a profile
1. Click System > Settings > RADIUS.
2. Select the RADIUS Server profile and click Modify.
3. Make the changes. Changes are saved automatically.

Delete a profile
1. Click System > Settings > RADIUS.
2. Select the RADIUS Server profile and click Delete.

Identification

Identification groups together methods of detecting and identifying rogue hosts. Options include:

Option Definition

Device Types Displays icons representing each device type in the system, and allows you to add,
modify, and delete custom device type icons.

Vendor OUIs Allows you to modify the vendor OUI database, which is used to determine whether or
not a MAC address is valid or by device profiler to profile devices by OUI. The database
is updated periodically through the Auto Definition update process.
See Vendor OUIs on page 382.

Vendor OUIs

Use the vendor OUI database to determine whether a particular MAC is valid. As new IEEE device information becomes
available, the database needs to be updated to reflect the new codes. This prevents invalid physical address errors
when devices with the new MACs are connected to the network. The AutoDef Synchronization scheduled task
automatically updates the vendor OUI database. See Scheduler on page 355 for additional information on scheduling
tasks.
You can search the vendor OUI database, and add, modify, or remove vendor OUIs. Vendor OUI Added and vendor OUI
Removed events are generated when you add or remove vendor OUIs.
The vendor name appears in the Host View unless you enter a vendor OUI alias. If you use a vendor OUI alias to identify
the type of device, you can quickly filter all devices with a specific alias. For example, you can manage gaming devices
by adding the vendor OUI to the database with the vendor OUI alias of Gaming Device. Then you can use the Host
View filter to find these records by name, change them to registered, and assign them a role without requiring the device
to be assigned to a user.
Vendor OUIs are also used with the device profiler feature. Device profiling rules can use the vendor OUI to help identify
rogue devices connecting to the network. Depending on the instructions associated with the rule, the device can be
automatically assigned a device type and be placed in the Host View, the Inventory or both. See Device profiler on page
1 for additional information.
To access the vendor OUI View select System > Settings > Identification > Vendor OUIs.

Add a vendor OUI

1. Click System > Settings.
2. Expand the Identification folder and click Vendor OUIs.
3. Click Add at the bottom of the window.
4. Use the table below to enter the vendor OUI information:

Field Description

Vendor OUI: First 3 octets of a device's Physical Address. Enter in the hexadecimal format ##:##:## (For example,
00:1D:09)

Vendor Name: Name of the vendor that owns the vendor OUI.

Vendor Alias: Value entered displays as the host name in the Host View. This field is optional when adding a vendor
OUI.

Role: Role for devices associated with this vendor OUI. Roles assigned by device profiler take precedence.
If a device is registered via the Portal Page, then the role associated with the vendor OUI is applied.
See Roles on page 291.

Registration Type: Type of device registration that is specified through the AutoDef Synchronization update, such as
a Camera, a Card Reader or a Gaming Device. In the Add/Modify vendor Code dialog the current setting for the vendor
code Registration Type is displayed. Options include Manual or a specific device type.

Registration Type Override: Used to specify a Registration Type that is different from the default supplied by the
AutoDef Synchronization update. Options include Manual or a specific device type.

Description: User specified description of the vendor OUI.

Last Modified By: User name of the last user to modify the vendor OUI.

Last Modified Date: Date and time of the last modification to this vendor OUI.

Right click options

Delete: Deletes the selected vendor OUI.

Modify: Opens the Modify Vendor OUI dialog.

Show Audit Log: Opens the admin auditing log showing all changes made to the selected item. For information about
the admin auditing log, see Audit Logs on page 298.
You must have permission to view the admin auditing log. See Add an administrator profile on page 55.

Buttons

Export: Exports the data displayed to a file in the default downloads location. File types include CSV, Excel, PDF, or
RTF. See Export data on page 1.

5. The Description field is optional and allows you to add notes about the OUI. This field is not displayed on the
vendor OUIs view.
6. Select the Registration Type Override for the device.
7. Click OK.

Modify a vendor OUI

1. Click System > Settings.
2. Expand the Identification folder and click Vendor OUIs.
3. Search for the appropriate vendor OUI and select it. Click Modify.
4. Edit the vendor OUI information.
5. The Description field is optional.
6. Click OK.

Modify multiple vendor OUIs

Multiple vendor OUIs can be modified at the same time to update fields such as Role or Description.
1. Click System > Settings.
2. Expand the Identification folder and click Vendor OUIs.
3. Search for the appropriate vendor OUIs. Select all of the affected vendor OUIs. If they are not part of a continuous
list, hold down the CTRL key to select them.
4. Click Modify.
5. On the Modify dialog enable the check boxes next to the fields to be updated. Any field that is not enabled will not be
affected.
6. Modify the data in the selected fields.
7. Click OK.

Delete a vendor OUI

1. Click System > Settings.
2. Expand the Identification folder and click Vendor OUIs.
3. Search for the vendor OUI to be deleted and select it.
4. Click Delete.
5. A confirmation message is displayed. Click Yes to delete the OUI.

Register devices

To register devices, such as gaming devices, you must enter the vendor OUIs in the vendor OUI database. When the
host connects the device to the network a rogue host record is created.
If you are using the device profiler feature, these devices may be processed by a Device Profiling Rule that registers
them for you.
1. Enter the vendor OUIs into the database.
2. When entering the vendor OUI be sure to fill in the Vendor Alias field. This alias displays on the Host View when a
device with this vendor OUI connects to the network.
3. If this device requires a role, select a Role on the vendor OUI window. This role is only applied to devices registered
manually through the Portal Page.
4. In order to register a device you must make sure that the Registration Type Override field in the vendor OUI
window is set to reflect the correct device type. For example, if this vendor OUI represents a gaming device, you
would select Gaming Device from the list in this field.
5. Once the device is connected to the network, click Users & Hosts > Hosts.
6. Locate the record for the rogue device.
7. Select the record. Then, right-click and select Register As Device.

Device registration after vendor OUI database update

Devices whose vendor OUIs are not in the database appear in the Host View as rogues when they connect to the
network. Once you have entered the vendor OUI in the database, the information in the Host View displays the vendor
OUI data as part of the rogue record. Use the vendor alias to identify the type of device, such as gaming device or
security camera, for example. The vendor alias is displayed in the host name column of the Host View.
1. Add the vendor OUI information to the database. Include the vendor alias to aid in grouping the devices.
2. Go to Users & Hosts > Hosts and use the filter tabs or column sort features to locate the devices.
3. Select the record(s) and change the device to Registered using the Register As Device option on the right-click
menu.

Network control manager

Server Synchronization controls the replication of hosts from one FortiNAC Manager to another.

Option Definition

Server Synchronization Server Synchronization controls the replication of hosts from one FortiNAC Manager to
another and the synchronization of global information.
See Server Synchronization.

Server synchronization

Host Propagation controls the replication of hosts from one FortiNAC Control Server to another. In an environment
where multiple Control Servers are being managed, it is possible for a host to connect to one Control Server and then
move to another building and connect to a different Control Server.
Global Object Synchronization enables automatic synchronization of the FortiNAC Server(s) with the FortiNAC
Manager.

Host propagation

Each Control Server then has to determine that host's state. Determining the host's state may include processes such as
scanning the host or presenting a registration page, thus delaying the host's access to the network. In addition, hosts
could be in conflicting states on different Control Servers.
For example, a host connects to the network via Control Server A and is presented with a registration page. The user
cancels out of the page and is listed as a Rogue Host on Control Server A. Later the same host connects to the network
via Control Server B and is presented with a registration page. The user fills out the registration page and becomes a
Registered Host on Control Server B. This host is now in two different states on two different Control Servers on the
same network. When the host returns to Control Server A, the user will have to register there also.
Enabling the On Demand Host Propagation option copies a registered host from one managed server to all other
managed servers when the host registers, if the associated user has the Propagate Hosts option enabled. However, if
the host is already a rogue on a different managed server, the registered host is not copied. For example, if the host is a
rogue on Control Server A, it registers on Control Server B and is unknown on Control Server C, then the registered host
exists on Control Server B, it is copied to Control Server C, but the existence of the rogue on Control Server A prevents it
from being copied there. The user would need to re-register the host on Control Server A if it connects there.
This setting and the Propagate Hosts option on User records are enabled by default. Disabling this option on the
FortiNAC Manager disables it globally. Disabling Propagate Hosts on an individual user disables the feature only for that
user.
Enabling the Rogue Host Synchronization option stops a rogue or unknown host from having to re-register on a
second Control Server if they have already registered on any other Control Server. This option copies registered hosts
only to Control Servers that have rogue hosts, not to all Control Servers. Choosing this option uses less bandwidth than
the Registered Host Synchronization feature. It also allows you to view the servers to which hosts have connected. If you
use the Registered Host Synchronization option, all hosts exist on all servers.
Enabling the Registered Host Synchronization option alleviates the need to determine whether or not an individual
host is registered for each Control Server. When the host registers, that information is passed to all other Control Servers
on the network. If you choose this option, you do not need to choose the previous option, since all hosts are copied to all
servers.
Once a host is registered on a Control Server, the host's enabled/disabled status will be propagated, but no other
attribute or state changes are propagated. The Registered Host Synchronization feature is used to speed up the
registration process in an environment with multiple Control Servers.
If the synchronization options are enabled as detailed above, registered hosts are copied from one Control Server to
another when the host registers. As the host logs on and off the network and the host state changes, these
changes are not copied from one Control Server to another.
If both synchronization options are disabled, the FortiNAC Manager can query all Control Servers when a host connects
to determine the host's previous state. However, choosing one of the copy options reduces the amount of time a host
waits to be connected to the network and provides a better user experience.
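To make the difference between the three options concrete, the following added example (not FortiNAC code) models the copy rules described above as a small Python simulation and replays the Control Server A/B/C scenario from the text; the server names, the user name and the MAC address are constructed for illustration.

```python
from dataclasses import dataclass, field

UNKNOWN, ROGUE, REGISTERED = "unknown", "rogue", "registered"


@dataclass
class ManagedServer:
    """One managed FortiNAC Control Server; hosts maps MAC -> state on this server."""
    name: str
    hosts: dict = field(default_factory=dict)

    def state(self, mac):
        return self.hosts.get(mac, UNKNOWN)


@dataclass
class Manager:
    """FortiNAC Manager settings that govern host propagation (defaults as documented)."""
    servers: list
    on_demand_propagation: bool = True       # global On Demand Host Propagation switch
    rogue_host_sync: bool = False            # Rogue Host Synchronization
    registered_host_sync: bool = False       # Registered Host Synchronization
    propagate_hosts: dict = field(default_factory=dict)  # per-user Propagate Hosts flag

    def user_propagates(self, user):
        # Propagate Hosts is enabled by default on every user record.
        return self.propagate_hosts.get(user, True)

    def register(self, mac, user, server):
        """Host registers on `server`; On Demand propagation happens at registration time."""
        server.hosts[mac] = REGISTERED
        if not (self.on_demand_propagation and self.user_propagates(user)):
            return
        for other in self.servers:
            if other is server or other.state(mac) == ROGUE:
                continue  # an existing rogue on another server is never replaced here
            other.hosts[mac] = REGISTERED

    def scheduled_sync(self):
        """The interval task: apply whichever synchronization option is enabled."""
        registered = {mac for s in self.servers
                      for mac, st in s.hosts.items() if st == REGISTERED}
        for mac in registered:
            for s in self.servers:
                if self.registered_host_sync:
                    s.hosts[mac] = REGISTERED           # all hosts end up on all servers
                elif self.rogue_host_sync and s.state(mac) == ROGUE:
                    s.hosts[mac] = REGISTERED           # only matching rogues are replaced


def states(manager, mac):
    return {s.name: s.state(mac) for s in manager.servers}


def walkthrough(rogue_sync=False, registered_sync=False, user_propagates=True):
    """Replays the A/B/C scenario from the text; returns states after registration and after sync."""
    a, b, c = ManagedServer("A"), ManagedServer("B"), ManagedServer("C")
    mgr = Manager([a, b, c], rogue_host_sync=rogue_sync, registered_host_sync=registered_sync,
                  propagate_hosts={"jdoe": user_propagates})
    mac = "00:26:9E:E2:DD:DB"     # constructed sample MAC address
    a.hosts[mac] = ROGUE          # user cancelled the registration page on Control Server A
    mgr.register(mac, "jdoe", b)  # later registers successfully on Control Server B
    after_registration = states(mgr, mac)
    mgr.scheduled_sync()
    return after_registration, states(mgr, mac)


if __name__ == "__main__":
    for label, kw in [("on-demand only", {}), ("rogue sync", {"rogue_sync": True}),
                      ("registered sync", {"registered_sync": True}),
                      ("Propagate Hosts off", {"user_propagates": False})]:
        print(label, *walkthrough(**kw))
```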

Global object synchronization

When the Global Object Synchronization option is enabled, all FortiNAC Servers are automatically synchronized with
the FortiNAC Manager on a 10 minute interval. Any information on the server that is older than the information on the
FortiNAC Manager is overwritten.
Upon manual synchronization, all information on the FortiNAC Server that is shared globally with the FortiNAC Manager
is overwritten. Global Groups enabled on the CA are not supported. The FortiNAC Manager is responsible for Global
Groups configuration.
Global information on the FortiNAC Server is read-only. The following information is shared globally between the
FortiNAC Server and the FortiNAC Manager:
• Admin Profiles
• Guest Templates
• Device Profiling Rules
• Device Types
• Groups
• Roles
• User/Host Profiles
• Endpoint Compliance Policies
• Endpoint Compliance Configurations
• Endpoint Compliance Scans
• Security Actions that are used by Endpoint Compliance configurations

Modify host propagation

1. Select System > Settings > Network Control Manager.
2. Select Server Synchronization.
3. Under Host Propagation select an option for the synchronization of hosts.
4. Enter a time interval for the enabled host synchronization.
5. Click Save Settings.

Modify global object synchronization

1. Select System > Settings > Network Control Manager.
2. Select Server Synchronization.
3. Under Global Object Synchronization enable automatic synchronization of global information by selecting Global
Object Synchronization, and then click Save Settings.
4. To manually synchronize global information, click Synchronize Now.
Manual synchronization can also be done from the Dashboard > Server List panel. Click the Synchronize Server icon
in front of each listed server.

Server synchronization field definitions

Field Definitions

Host Propagation

On Demand Host Propagation: If enabled, copies registered hosts to Control Servers when the associated user has the Propagate Hosts option enabled. The Propagate Hosts option is enabled by default on every user. This option will not replace an existing rogue with a host that registered on a different managed appliance. In that case, the user would have to register again on the appliance where the rogue exists. Default = Enabled.

Rogue Host Synchronization: If enabled, copies registered hosts to Control Servers that have rogue hosts. Rogues that match registered hosts are replaced by the registered host records.

Synchronization Time (minutes): Registered hosts are copied to Control Servers with rogue hosts each time this interval elapses.

Registered Host Synchronization: If enabled, copies all registered hosts to all Control Servers.

Synchronization Time (minutes): Registered hosts are copied to Control Servers each time this interval elapses.

Global Object Synchronization

Global Object Synchronization: When the Global Object Synchronization option is enabled, all FortiNAC Servers are automatically synchronized with the FortiNAC Manager on a 10 minute interval. Any information on the server that is older than the information on the FortiNAC Manager is overwritten.

Synchronize Now: Lets you manually synchronize information between the FortiNAC Manager and the FortiNAC Servers.

System communication

System Communication groups together features that allow FortiNAC to communicate with other devices or to send
email and SMS messages to administrators and network users.

Receive data from external devices

FortiNAC can be configured to receive data or messages from other devices on the network, such as an IPS/IDS device.
FortiNAC can accept data from a trap or Syslog message to add records to the database or trigger events and alarms. If
events and alarms are triggered, alarms can be configured to take action on hosts or users and notify administrators via
e-mail or SMS messages.
There are several options that can be used to leverage data from other devices. Each of these options is independent of
all of the others. They can be used simultaneously but they do not work together.

Syslog management

The Syslog Management feature in FortiNAC allows you to create specific configurations used to parse inbound syslog
messages. Supported message formats include CSV, TAG/VALUE and CEF. New events and alarms are automatically
created for each syslog configuration you create. When an inbound message is received, FortiNAC can react based on
the event and alarm generated. See Syslog management on page 1.

Trap MIB

The Trap MIB feature allows you to configure FortiNAC to receive SNMPv1 and SNMPv2 traps from external devices
that contain information about the connecting host. New events and alarms are created for these configurations and they
display based on the OID of the sending device. When a trap is received FortiNAC can react based on the event and
alarm generated. See Trap MIB Files.

SNMPv3

SNMPv3 traps can be leveraged to populate the FortiNAC database with hosts and users as they connect to the
network. When a trap is received from an external device, host and user records are added, modified or removed in the
database. Events and alarms associated with these traps can be used to notify administrators or take actions on
connecting hosts and users.

MDM services

MDM Services allows you to configure communication with one or more Mobile Device Management servers. Based on
the information received from the MDM server you can take action on hosts, such as disabling them. See MDM services
on page 121.

Option Definition

Addresses: Configure a list of address and address group objects used in SSO and VPN configuration. See Addresses.

Email Settings: Enter settings for your email server. This allows FortiNAC to send email to Administrators and network users. See Email settings on page 390.

Log Receivers: Configure a list of servers that receive event and alarm messages from FortiNAC. See Log receivers on page 391.

MDM Services: Configure one or more Mobile Device Management (MDM) servers that integrate with FortiNAC. See MDM services on page 121.

Mobile Providers: Displays the default set of Mobile Providers included in the database. FortiNAC uses the Mobile Providers list to send SMS messages to guests and administrators. The list can be modified as needed. See Mobile providers on page 1.

Patch Management: The Patch Management feature allows integration with Patch servers such as BigFix or PatchLink. See Patch management on page 1.

Proxy Settings: Configure FortiNAC to direct web traffic to a proxy server in order to download OS updates and auto-definition updates.

SNMP: Set the SNMP protocol for devices that query FortiNAC for information. It is also used to set the SNMP protocol to accept SNMPv3 traps that register hosts and users. See SNMP on page 393.

Syslog Files: Syslog Files that you create and store are used by FortiNAC to parse the information received from these external devices and generate an event. The event can contain any or all of the fields contained in the syslog output and can be mapped to an Alarm and an Alarm action. See Syslog management on page 1 and Map events to alarms on page 334.

Security Event Parsers: Customize parsing of syslog messages for generating security events. See Security event parsers on page 1.

Trap MIB Files: Enter configurations to interpret SNMP trap MIB information sent from a device and associate it with events and alarms in FortiNAC. See Trap MIB files on page 1 and Map events to alarms on page 334.

Threat Analysis Engines: Configure Threat Analysis Engines to be used when applications are submitted via an agent to FortiNAC.

Vulnerability Scanners: Configure and manage the connection to a vulnerability scanner, allowing FortiNAC to request and process scan results. See Vulnerability scanner on page 1.

Security Fabric Connector: Provides the ability to register FortiNAC in the Security Fabric Tree. Once registered, FortiNAC is visible in the Security Fabric Topology view on FortiOS products. See Security Fabric Connection.

Email settings

1. Click System > Settings.
2. Expand the System Communication folder.
3. Select Email Settings from the tree.
4. Use the table below to enter the necessary settings.
5. Click Save Settings.
Note: This feature can also be accessed in Network > Service Connectors > Create New > Email Server.

Settings

Field Definition

Email Server: Server used to send email notifications.

Sender Email: Email address that appears as the sender in email sent from FortiNAC. You may want to configure an alias for this email address to better inform the recipient that the message is being sent from FortiNAC.

Authentication: If enabled, you must enter the user name and password for the email account used as the sender account.

User Name: User Name for the email account used as the sender account.

Password: Password for the email account used as the sender account.

Port: Port used for communication with the email server. This must match the port setting on the email server itself.

Connection Security: Used to encrypt email communication between the FortiNAC server and the email server. This setting must match the setting configured on your email server. Options are: None, SSL/TLS or STARTTLS.

Always Send as Sender Email: If turned off, contextual e-mail addresses will be used, such as sending as the sponsor of a guest.

Advanced: When enabled, displays the SMTP Timeout and SMTP Connection Timeout fields.

SMTP Timeout: Defines how long FortiNAC will wait if the flow of data has stalled before it fails.

SMTP Connection Timeout: Lets you define the amount of time allowed to connect to the email server before it fails.

Test Email Settings: Send a test message to the email address entered in the test settings.

Log receivers

Event and Alarm records may be stored offline on another host. The events and alarms are forwarded by using either a
Syslog message or an SNMP Trap. See Log events to an external log host on page 325 and Map events to alarms on
page 334 for more information. The host may be either an SNMP Trap receiver or a Syslog server. Use the Log
Receivers view to add, modify, and remove external log hosts.

Add a log host server

1. Click System > Settings.
2. In the tree on the left select System Communication > Log Receivers.
3. Click Add to add a log host.
4. Select the type of server.
5. Enter the IP address of the server.
6. Enter the configuration parameters for the type of log host. The standard port information for each host type is
automatically entered. See the table below for detailed information on each type of server.
7. Click OK.

Settings

Field Definition

Type: Type of server that will receive Event and Alarm messages. Options include: Syslog CSV, SNMP Trap, and Syslog Common Event Format (CEF).

IP address: IP address of the server that will receive Event and Alarm messages.

Port: Connection port on the server. For Syslog CSV and Syslog CEF servers, the default = 514. For SNMP Trap servers the default = 162.

Facility: Displays only when Syslog is selected as the Type. Allows you to configure the message type. The default is 4. Options include:
• 0 kernel messages
• 1 user-level messages
• 2 mail system
• 3 system daemons
• 4 security/authorization messages
• 5 messages generated internally by syslogd
• 6 line printer subsystem
• 7 network news subsystem
• 8 UUCP subsystem
• 9 clock daemon
• 10 security/authorization messages
• 11 FTP daemon
• 12 NTP subsystem
• 13 log audit
• 14 log alert
• 15 clock daemon
• 16 local use 0 (local0)
• 17 local use 1 (local1)
• 18 local use 2 (local2)
• 19 local use 3 (local3)
• 20 local use 4 (local4)
• 21 local use 5 (local5)
• 22 local use 6 (local6)
• 23 local use 7 (local7)

Security String: Displays only when SNMP is selected as the Type. The security string sent with the Event and Alarm message.

Modify connection information

1. Click System > Settings.
2. In the tree on the left, select System Communication > Log Receivers.
3. Select a log receiver from the list and click Modify.
4. Edit the log host information.
5. Click OK.

Delete an external log host

1. Click System > Settings.
2. In the tree on the left select System Communication > Log Receivers.
3. Select a Log Receiver from the list and click Delete.
4. Click Yes on the confirmation message.

Proxy settings

Proxy settings allow you to configure FortiNAC to direct web traffic to a proxy server in order to download OS updates
and auto-definition updates.
Proxy communication is not supported for MDM Services.
1. Click System > Settings.
2. Expand the System Communication folder.
3. Select Proxy Settings from the tree.
4. Use the table below to enter the necessary settings.
5. Click Save Settings.

Settings

Field Definition

Enable Proxy Configuration: If enabled, FortiNAC will use the Proxy Configuration to download OS updates and auto-definition updates.

Host: The hostname or address of the proxy server.

Port: Port used for communication with the proxy server. This must match the port setting on the proxy server itself.

Authentication: If enabled, you must enter the user name and password for the proxy server.

User Name: User Name for the proxy server.

Password: Password for the proxy server.

Use HTTP Proxy settings for all protocols: If enabled, the HTTP Proxy configuration will be used for both HTTPS and FTP Proxy communication.

Proxy Exclusions: Indicates the hosts that should be accessed without going through the proxy. The list of hosts is separated by the '|' character. The wildcard character '*' can be used for pattern matching (e.g., -Dhttp.nonProxyHosts="*.foo.com|localhost" indicates that every host in the foo.com domain and the localhost should be accessed directly, even if a proxy server is specified).

SNMP

Use the SNMP Properties view to select the SNMP protocol for devices that query FortiNAC for information. If SNMP is
enabled, FortiNAC responds to SNMP communication from other devices, such as a Network Management system that
might include the FortiNAC server in its own database.

FortiNAC-OS Requirement: the "snmp" option must be included in the "set allowaccess" command. See Open ports for details.

Go to Settings > System Communication > SNMP.


In addition, this view is also used to set the SNMP protocol to accept SNMPv3 traps that register hosts and users.
Both types of communication pass through port 161. Settings here are global. Therefore, if you choose to use SNMPv3
traps sent from other network devices to register hosts and users, then ALL other devices that query FortiNAC for
information must also communicate using SNMPv3. You must modify the configuration of those external devices to use
SNMPv3.
The SNMP protocols that are supported are SNMPv1/SNMPv2c and SNMPv3. SNMPv3 uses DES or AES encryption
for the Privacy Password.
Privacy protocols supported are:
• DES
• Triple-DES
• AES-128
SNMP MIBs used to communicate with FortiNAC are in: /bsc/campusMgr/ui/runTime/docs/mibs/

Settings

Field Description

Enable SNMP Communication: If SNMP is enabled, FortiNAC responds to SNMP requests from other servers.

SNMP Protocol: Select the SNMP protocol FortiNAC will be responding to:
• SNMPv1/SNMPv2c
• SNMPv3-AuthPriv (SNMPv3 with authentication and privacy)
• SNMPv3-AuthNoPriv (SNMPv3 with authentication but no privacy)

SNMPv1/SNMPv2c

Security String: Enter the security string that FortiNAC will respond to when communicating with the server.

SNMPv3

User Name: User Name for the SNMPv3 credentials.

Authentication Protocol: Specify the SNMPv3 authentication protocol. The available authentication protocols are:
• MD5
• SHA1

Authentication Password: Specify the authentication password required by FortiNAC when SNMPv3-AuthPriv or SNMPv3-AuthNoPriv queries are received.

Privacy Protocols: Specify the SNMPv3 privacy protocol. The available privacy protocols are:
• DES
• Triple-DES
• AES-128

Privacy Password: Specify the privacy password required by FortiNAC when SNMPv3-AuthPriv queries are received.

Management hosts

IP addresses: List of IP addresses of the devices that have communicated with FortiNAC through SNMP.

Set up SNMP communication

1. Click System > Settings.
2. Expand the System Communication folder.
3. Select SNMP from the tree.
4. Click Enable and select an SNMP protocol.
5. Enter the parameters as required for the selected protocol. See the table above for additional information.
6. Click Save Settings.

Disable SNMP communication

1. Click System > Settings.
2. Expand the System Communication folder.
3. Select SNMP from the tree.
4. Click Disable.
5. Click Save Settings.

Register hosts and users with SNMPv3 traps

FortiNAC can use data sent in SNMPv3 traps from external devices to register hosts and users. This speeds up the
process of adding hosts and users to your FortiNAC database by taking advantage of information that is readily available
from another system. In addition, based on trap parameters hosts and users can be modified or removed from the
database.

FortiNAC requirements
• FortiNAC must have an integration suite license. See Licenses on page 14.
• The Trap Sender must be modeled in the Inventory as a pingable device. See Add or modify a pingable device on
page 1.
• You must enter SNMPv3 settings in System > Settings > System Communication > SNMP that match those of
the device to which you are sending traps. Note that if you had previously entered SNMPv1/SNMPv2c settings for
external devices querying FortiNAC for information, you must modify settings on those devices to use SNMPv3.
• If you are running FortiNAC in a FortiNAC Manager environment, the Trap Sender must be modeled on each
FortiNAC Server or Control Server that should receive this information. Note that if you have enabled any of the
Copy Registered Host options on the FortiNAC Manager it may not be necessary to receive traps on more than
one managed server.
• When traps are received they can trigger the events listed below in the Event Log. These events can be mapped to
Alarms. Make sure the events are enabled. See Event management on page 322. To map events to alarms see Add
or modify alarm mapping on page 337.

Event Definition

Add/Modify/Remove Host: Generated whenever a trap is received that adds, modifies or removes a host record in the database.

Add/Modify/Remove User: Generated when a trap is received that adds, modifies or removes a user record in the database.

Trap sender requirements

• Use the Management IP address (eth0) of the FortiNAC Server or Control Server as the destination for the trap.
• Send traps to port 161 on the FortiNAC Server or Control Server.
• If you are running FortiNAC in a high availability environment, send traps to both the primary and the secondary
FortiNAC Servers or Control Servers.
• You must have snmptrap.exe and libsnmp.dll on the device sending the traps. Download the latest binaries for the
appropriate operating system from www.net-snmp.org/download.html.
• Configure the traps on the sending device. See the tables below for information on trap parameters.

Hosts

• If a trap is received for an existing host, the host's database record is updated with information from the trap.
• When a trap is received for a host that matches a rogue in FortiNAC, the rogue is converted to a registered host if
the trap contains user data. It is converted to a registered device if there is no associated user.
• If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete
these hosts either send an additional trap that removes the host or you must go to the Host View and delete them
manually. See Delete a host on page 141.
• If the same host is added twice but with different MAC addresses for separate adapters, it is treated as two separate
records in the FortiNAC database. The two adapters are not linked to each other in any way and are not considered
siblings in FortiNAC.
• Variables with spaces in the names should be in quotation marks, such as "Windows Vista".
• Separators in MAC addresses must be colons, such as 90:21:55:EB:A3:87.

OID Description Definition

1.1.1.1 Host Name: Name of the host.
1.1.1.2 IP address: IP address of the host.
1.1.1.3 MAC address: Physical Address of the host. Required.
1.1.1.4 Host operating system: Name of the operating system on the host.
1.1.5 Role: Role assigned to the host. Roles are attributes of hosts used as filters in user/host profiles.
1.1.6 Action: Indicates whether this trap is adding or removing a host from the database. Adding an existing host will modify that host's record in the database. 1=Add, 2=Remove
1.2.8 Element: Indicates that this trap is registering either a host or a host and its corresponding user.

Example traps

To add a host record for the PC with a hostname of Gateway-notebook, with an IP address of 160.87.100.117, a MAC
address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest:
snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphrase**> 160.87.9.10:161 '' \
1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook \
.1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 \
.1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest \
.1.3.6.1.4.1.16856.1.1.6 integer 1

To remove the host record for the PC with a hostname of Gateway-notebook, with an IP address of 160.87.100.117, a MAC
address of 00:26:9E:E2:DD:DB, an OS of Windows, and a role of Guest. Note that only the MAC address is required to
remove a host.
snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphrase**> 160.87.9.10:161 '' \
1.3.6.1.4.1.16856.1.2.8 .1.3.6.1.4.1.16856.1.1.1.1 s Gateway-notebook \
.1.3.6.1.4.1.16856.1.1.1.4 s Windows .1.3.6.1.4.1.16856.1.1.1.2 s 160.87.100.117 \
.1.3.6.1.4.1.16856.1.1.1.3 s 00:26:9E:E2:DD:DB .1.3.6.1.4.1.16856.1.1.5 s Guest \
.1.3.6.1.4.1.16856.1.1.6 integer 2

Users
• If an LDAP directory is modeled in the Inventory, FortiNAC checks the directory for information about the user
included in the trap. If the user exists in the directory, additional fields are populated for that user in the FortiNAC
database. If the user does not exist in the directory, a user record is created in FortiNAC with only the data received
in the trap.
• If a trap is received for an existing user, the user's database record is updated with information from the trap.
• If a trap is received for an existing user and the trap contains host information, the host is registered to the user. If
the host already has a rogue record, the rogue is converted to a registered host and associated with the user.
• If a user is deleted based on a trap, associated hosts are not deleted and they become registered devices. To delete
these hosts you must go to the Host View and delete them manually. See Delete a host on page 141.
• When FortiNAC resynchronizes with the directory, user data may be overwritten by data from the directory
depending on the directory attribute mappings.
• Variables with spaces in the names should be in quotation marks, such as "Mary Ann".

Trap parameters

OID Description Definition

1.1.2.1 User Name: User Name stored in the directory. If the user is not in the directory, this record will still be added, modified or removed. Required.
1.1.2.2 User First Name
1.1.2.3 User Last Name
1.1.2.4 User Title
1.1.2.5 Email: User's e-mail address.
1.1.5 Role: Role assigned to the User. If this trap is adding both a user and a host, both are set to the same role.
1.1.6 Action: Indicates whether this trap is adding or removing a user from the database. Adding an existing user will modify that user's record in the database. 1=Add, 2=Remove
1.2.9 Element: Indicates that this trap is only registering a user.

Example traps

To add testuser to the database:
snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphrase**> 160.87.9.10:161 '' \
1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser \
.1.3.6.1.4.1.16856.1.1.2.2 s John .1.3.6.1.4.1.16856.1.1.2.3 s Doe \
.1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com \
.1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 1

To delete the user record for testuser from the database. Note that only the User Name is required to remove a user.
snmptrap -v3 -u <user**> -l authNoPriv -a MD5 -A <Passphrase**> 160.87.9.10:161 '' \
1.3.6.1.4.1.16856.1.2.9 .1.3.6.1.4.1.16856.1.1.2.1 s testuser \
.1.3.6.1.4.1.16856.1.1.2.2 s John .1.3.6.1.4.1.16856.1.1.2.3 s Doe \
.1.3.6.1.4.1.16856.1.1.2.4 s Mr .1.3.6.1.4.1.16856.1.1.2.5 s jdoe@megatech.com \
.1.3.6.1.4.1.16856.1.1.5 s Guest .1.3.6.1.4.1.16856.1.1.6 integer 2
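The following added example (not Fortinet code) assembles the host and user traps from the two tables above as snmptrap argument vectors and enforces the documented rules before anything is sent: the enterprise prefix and Element OIDs (1.2.8 for hosts, 1.2.9 for users), Action 1/2, colon-separated MAC addresses, only the MAC or User Name on a remove, and quoting of values that contain spaces. The SNMPv3 user and passphrase are placeholders; the destination is the guide's sample address.

```python
import re
import shlex

ENTERPRISE = "1.3.6.1.4.1.16856"
HOST_ELEMENT = ENTERPRISE + ".1.2.8"   # Element OID: trap registers a host (or host plus user)
USER_ELEMENT = ENTERPRISE + ".1.2.9"   # Element OID: trap registers only a user
ACTION_OID = ".1.1.6"                  # 1 = Add (modifies an existing record), 2 = Remove
ACTION_ADD, ACTION_REMOVE = 1, 2

# field name -> OID suffix, taken from the "Hosts" and "Trap parameters" tables
HOST_OIDS = {"host_name": ".1.1.1.1", "ip": ".1.1.1.2", "mac": ".1.1.1.3",
             "os": ".1.1.1.4", "role": ".1.1.5"}
USER_OIDS = {"user_name": ".1.1.2.1", "first_name": ".1.1.2.2", "last_name": ".1.1.2.3",
             "title": ".1.1.2.4", "email": ".1.1.2.5", "role": ".1.1.5"}
# The only field required to identify (and therefore to remove) a record of each kind
HOST_KEY, USER_KEY = "mac", "user_name"
# Separators in MAC addresses must be colons, e.g. 90:21:55:EB:A3:87
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Placeholder SNMPv3 credentials; destination is the sample address used in the guide
SNMP_USER = "<user>"
SNMP_PASSPHRASE = "<passphrase>"
DESTINATION = "160.87.9.10:161"


def _build(element, oids, key, action, fields):
    """Return the snmptrap argument vector for one FortiNAC registration trap."""
    if action not in (ACTION_ADD, ACTION_REMOVE):
        raise ValueError(f"Action must be {ACTION_ADD} (add) or {ACTION_REMOVE} (remove)")
    unknown = set(fields) - set(oids)
    if unknown:
        raise ValueError(f"unknown trap fields: {sorted(unknown)}")
    if key not in fields:
        raise ValueError(f"{key} is required")
    if key == HOST_KEY and not MAC_RE.match(fields[key]):
        raise ValueError("MAC address must use colon separators, e.g. 90:21:55:EB:A3:87")
    if action == ACTION_REMOVE:
        fields = {key: fields[key]}   # only the identifying varbind is needed to remove
    argv = ["snmptrap", "-v3", "-u", SNMP_USER, "-l", "authNoPriv", "-a", "MD5",
            "-A", SNMP_PASSPHRASE, DESTINATION, "", element]   # "" is the empty uptime argument
    for name, value in fields.items():
        argv += ["." + ENTERPRISE + oids[name], "s", str(value)]   # string varbinds
    argv += ["." + ENTERPRISE + ACTION_OID, "integer", str(action)]
    return argv


def host_trap(action, **fields):
    """Trap that adds/modifies (1) or removes (2) a host; requires mac."""
    return _build(HOST_ELEMENT, HOST_OIDS, HOST_KEY, action, fields)


def user_trap(action, **fields):
    """Trap that adds/modifies (1) or removes (2) a user; requires user_name."""
    return _build(USER_ELEMENT, USER_OIDS, USER_KEY, action, fields)


def render(argv):
    """Shell command line; values containing spaces (e.g. "Windows Vista") come out quoted."""
    return shlex.join(argv)


if __name__ == "__main__":
    print(render(host_trap(ACTION_ADD, host_name="Gateway-notebook", ip="160.87.100.117",
                           mac="00:26:9E:E2:DD:DB", os="Windows Vista", role="Guest")))
    print(render(user_trap(ACTION_REMOVE, user_name="testuser")))
```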

System management

System Management groups together core server features such as data backup and restore, redundant servers,
licensing and time zone settings. Options include:

Option Definition

Database Archive: Set the age time for archived data files and configure the schedule for the Archive and Purge task. See Database archive on page 399.

Database Backup/Restore: Schedule database backups, configure how many days to store local backups, and restore a database backup. Note that this restores backups on the FortiNAC server, not backups on a remote server. See Database backup/restore on page 401.

High Availability: Configuration for primary and secondary appliances for high availability. Saving changes to these settings restarts both the primary and secondary servers. See High availability on page 403.

License Management: View or modify the license key for this server or an associated Application server. See License management on page 404.

NTP and Time Zone: Reset the time zone and NTP server for your FortiNAC appliances. Typically the time zone and NTP server are configured using the Configuration Wizard during the initial appliance set up. Requires a server restart to take effect. See NTP and time zone on page 406.

Power Management: Reboot or power off the FortiNAC server. In the case of a FortiNAC Control Server / Application Server pair, reboot or power off each server individually. See Power management on page 407.

Remote Backup Configuration: Configure Scheduled Backups to use a remote server via FTP and/or SSH. See Remote backup configuration on page 407.

System Backups: Create a backup of all system files that are used to configure FortiNAC. See System backups on page 410.

Database archive

Use database archive to set age times for selected log files. Log files are archived and then purged from the FortiNAC
database when the age time elapses. Archived data can be imported back into the database if necessary. Importing
archived data does not overwrite existing data; it adds the archived records back into the database. See Import archived
data on page 1.

Settings

Field Definition

Remove local backups older than: Number of days for which you would like to keep backups. Anything older than the number of days entered is removed the next time the scheduled task for backups runs. This setting removes backup files created on the FortiNAC server before they are copied to the remote server. Backups on the remote server are not removed.
The timing of the scheduled backup task and the age of the files that are to be removed must be thought out carefully or you will remove all of your backups. For example, if the remove option is set to 5 days and your backup task runs every 15 days, you may inadvertently remove all of your backups. However, if the remove option is set to 15 days and the backup task runs every 5 days, then you would always have backup files.

Event/Alarms Age Time (days): Number of days events or alarms are maintained in the Events or Alarms logs and viewable in the Events or Alarms View. Events and Alarms are archived and purged based on the scheduled task settings. Default setting = 7 days

Scan Results Age Time (days): Number of days Scan results are maintained in the Scan results log and viewable in the Scan results view. Scan results are archived and purged based on the scheduled task settings. Default setting = 7 days

Edit archive age time

1. Click System > Settings.
2. Expand the System Management folder.
3. Select Database Archive from the tree.
4. Use the information in the table above to set Age Time.
5. Click Save Settings.

Schedule event archive and purge

1.Click System > Settings.


2.Expand the System Management folder.
3.Select Database Archive from the tree.
4.Click Modify Schedule.
5.Select the Enabled check box.
6.Enter a name for the task in the Name field.
7.The Description field is optional. Enter a description of the task.
8.Action type and Action are pre-configured based on the task and cannot be modified.
9.From the Schedule Type drop down list, select either Fixed Day or Repetitive and set the day and time that the
task is to be performed.
10. A Fixed Day Task is one in which you schedule a task to run on a combination of days of the week and times of the
day, such as Mondays at 1:00 pm and Fridays at 10:00 am. Select the day(s) and time to run the task.
a. Click the box next to the day(s) to select the day.
b. Click the down arrows and select the hour, minutes, and AM or PM from the drop-down list for each day.
c. To enter days/times more quickly, select Set Multiple Days to set multiple days with the same time.
d. To remove all settings, click Clear All.
11. A Repetitive Task is one that you schedule to start on a given day, at a certain time, for the number of times you
specify, such as every 10 days starting today. The repetition rate can be set to any number of minutes, hours, or
days.
a. Enter the Repetition Rate using whole numbers.

A repetition rate of zero causes the task to run only once.

b. Click the down arrow and select Minutes, Hours, or Days from the drop-down list.
c. Enter the date and time for the task to run in the Next Scheduled Time field using the format MM/DD/YY
hh:mm AM/PM Time Zone.

The new Repetition Rate does not take effect immediately. It starts the next time the
scheduled task runs. For the new Repetition Rate to take effect immediately, click
Update.

d. Click Update to update the Next Scheduled Time field or change the Repetition Rate.
12. Click OK.

Schedule settings

Field Definition

Remove local backups older than: Number of days for which you would like to keep backups. Anything older than the number of days entered is removed the next time the scheduled task for backups runs.
This setting removes backup files created on the FortiNAC server before they are
copied to the remote server. Backups on the remote server are not removed.
The timing of the scheduled backup task and the age of the files that are to be removed
must be thought out carefully or you will remove all of your backups. For example, if the
remove option is set to 5 days and your backup task runs every 15 days, you may
inadvertently remove all of your backups. However, if the remove option is set to 15
days and the backup task runs every 5 days, then you would always have backup files.

Status Indicates whether the task is enabled or disabled.

Schedule Interval How often the scheduled task runs.

Next Scheduled Time The next date and time the scheduled synchronization task will run. Entered in the
format MM/DD/YY HH:MM AM/PM

Modify Schedule Allows you to modify the scheduled activity.

Run Now Runs the scheduled task immediately.

Database backup/restore

A database backup creates a backup of the entire database. All database archives can be restored if the database
becomes corrupted. To restrict the restoration to only alarms, connections, or events data, go to those specific views and
select the Import option. See Alarms on page 333, Connections view on page 1, and Events on page 301 for more
information.
Restoring a database archive causes the FortiNAC Server or Control Server to restart.
1. Click System > Settings.
2. Expand the System Management folder.
3. Select Database Backup/Restore from the tree.

Schedule a database backup

1. Under Schedule Database Backup, click Modify Schedule.


2. Select the Enabled check box.
3. Enter a name for the task in the Name field.


4. The Description field is optional. Enter a description of the task.


5. Action type and Action are pre-configured based on the task and cannot be modified.
6. From the Schedule Type drop down list, select either Fixed Day or Repetitive and set the day and time that the
task is to be performed.
7. A Fixed Day Task is one in which you schedule a task to run on a combination of days of the week and times of the
day, such as Mondays at 1:00 pm and Fridays at 10:00 am. Select the day(s) and time to run the task.
a. Click the box next to the day(s) to select the day.
b. Click the down arrows and select the hour, minutes, and AM or PM from the drop-down list for each day.
c. To enter days/times more quickly, select Set Multiple Days to set multiple days with the same time.
d. To remove all settings, click Clear All.
8. A Repetitive Task is one that you schedule to start on a given day, at a certain time, for the number of times you
specify, such as every 10 days starting today. The repetition rate can be set to any number of minutes, hours, or
days.
a. Enter the Repetition Rate using whole numbers. A repetition rate of zero causes the task to run only once.
b. Click the down arrow and select Minutes, Hours, or Days from the drop-down list.
c. Enter the date and time for the task to run in the Next Scheduled Time field using the format MM/DD/YY
hh:mm AM/PM Time Zone.
d. Click Update to update the Next Scheduled Time field or change the Repetition Rate.
The new Repetition Rate does not take effect immediately. It starts the next time the scheduled task runs. For
the new Repetition Rate to take effect immediately, click Update.
9. Click OK.

Schedule settings

Field Definition

Remove local backups older than: Number of days for which you would like to keep backups. Anything older than the number of days entered is removed the next time the scheduled task for backups runs.
This setting removes backup files created on the FortiNAC server before they are
copied to the remote server. Backups on the remote server are not removed.
The timing of the scheduled backup task and the age of the files that are to be removed
must be thought out carefully or you will remove all of your backups. For example, if the
remove option is set to 5 days and your backup task runs every 15 days, you may
inadvertently remove all of your backups. However, if the remove option is set to 15
days and the backup task runs every 5 days, then you would always have backup files.

Status Indicates whether the task is enabled or disabled.

Schedule Interval How often the scheduled task runs.

Next Scheduled Time The next date and time the scheduled synchronization task will run. Entered in the
format MM/DD/YY HH:MM AM/PM

Modify Schedule Allows you to modify the scheduled activity.

Run Now Runs the scheduled task immediately.


Restore a database

1. Click on a backup to select it.


2. Click Restore Database.

High availability

Use the high availability view to add to and update high availability configuration information.
For details on implementing High Availability and its functionality, refer to the High Availability reference manual in the
Document Library.
High Availability - FortiNACOS
High Availability - CentOS

Configure high availability

1. Ensure that all appliances are keyed for high availability. See License management on page 404 and check the high
availability field.
2. Click System > Settings.
3. Expand the System Management folder.
4. Select High Availability from the tree.
5. Use the table below to enter the required information.
6. Click Save Settings and wait for the success message.
7. Restart FortiNAC services on both appliances to apply changes. See Power management.

When you click Save Settings on the Administration - High Availability view, the primary
server tries to communicate with the secondary to ensure that the database will be replicated.
If the primary server cannot communicate with the secondary, it continues to try until
communication is established.

If you are configuring high availability in an environment where you have a FortiNAC Control
Server and an Application Server, additional fields are displayed to configure the two
Application Servers.

Note: For steps to remove an existing High Availability configuration, refer to the Appendix of
the High Availability reference manual in the Fortinet Document Library.
https://docs.fortinet.com/document/fortinac/9.4.0/high-availability

Settings

Field Description

Shared IP configuration


Use Shared IP address Enables the use of a shared IP address in the high availability configuration. If enabled,
the administrator can manage whichever appliance that is in control with the shared IP
address instead of the actual host IP address.
If your primary and secondary servers are not in the same subnet, do not use a shared
IP address.

Shared IP address The shared IP address for the high availability configuration. Added to the /etc/hosts
file when the configuration is saved.

Shared Subnet Mask (bits) The shared subnet mask in dotted decimal (example: 255.255.255.0).

Shared Host Name Part of the entry in the /etc/hosts file for the shared IP address. Administrators can
access the UI using either the shared IP address or the shared host name.

Server configuration

Primary Appliance
IP address: IP address assigned to eth0 for the primary.
Gateway IP address: IP address pinged by the appliances to determine if network connectivity is still available.
CLI/SSH root Password [User:root]: Root password on the appliance itself. Allows settings to be written to the appliance.
Retype root CLI/SSH Password [User:root]: Retype the password entered in the CLI/SSH root Password field for confirmation.

Secondary Appliance
IP address: IP address assigned to eth0 for the secondary.
Host Name: Name assigned to the secondary.
Gateway IP address: IP address that is pinged by the appliances to determine if network connectivity is still available.
CLI/SSH root Password [User:root]: Root password on the appliance itself. Allows settings to be written to the appliance.
Retype root CLI/SSH Password [User:root]: Retype the password entered in the CLI/SSH root Password field for confirmation.

License management

Manage license keys on the servers through this view. You can view and modify both the FortiNAC Control Server and
FortiNAC Application Server licenses through this view. Servers that are part of a high availability configuration appear in
the drop-down list.
License information is displayed on the dashboard. See Dashboard on page 27 for additional information.
The events related to license use help maintain proper appliance use per environment. Warning and critical events and
alarms are generated based on a set of user defined thresholds. See Event thresholds on page 324 to set thresholds.
See Map events to alarms on page 334 to set alarms based on threshold events.

View/modify license information

The license options will vary depending on whether pre-2016 (Secure Enterprise Standard, Secure Enterprise
Advanced, or Secure Enterprise Mobility) or post-2016 (Secure Enterprise Advanced or Secure Enterprise Premier)
license packages are installed on the server.


1. Click System > Settings.


2. Expand the System Management folder.
3. Select License Management from the tree.
4. From the drop-down list select the server containing the license key.
5. Click Modify License Key.
6. You can modify the license key in two ways:
• To upload from a text file, click Upload, browse to the license key file, and click Open. This must be a text file, not a zip file.
• From another file, copy and paste the new license key text into the text box.

7. Click OK to apply the new license key. The existing key detail is displayed in a pop-up window along with the new
key detail.
8. Click OK to apply the new license key. Click Undo if you want to revert to the existing license key.
9. To restart the server immediately, click OK on the dialog box.
10. To restart the server later, click Cancel on the dialog box. Another dialog box appears stating that the new key will
not be applied until the server is restarted. New features or license counts contained in the new license cannot be
accessed until the server is restarted. The new license is saved on the server, but is not read until the server is
restarted.
11. Click OK to confirm.

Settings

Key Definition

License Name Indicates which license level (Base, Plus or Pro) is installed on the server.
Note: Subscription license entitlements display for the Secondary Server when it is
"Running - in Control" in a High Availability pair.

Concurrent Licenses Number of licenses configured for possible online connections to the network.
Connections are counted for hosts and devices that are not switches or routers.
Note: Subscription license entitlements display for the Secondary Server when it is
"Running - in Control" in a High Availability pair.

Security Incidents Licenses Indicates the number of licenses configured for Security Incidents.

Evaluation Time Indicates the number of days configured for an evaluation license. If you have
purchased a full license for the product, this field does not display.

High Availability Indicates whether or not high availability has been enabled.

Device Profiler Indicates whether or not the device profiler feature has been enabled.

Guest Manager Indicates whether or not the guest manager feature has been enabled.

Endpoint Compliance Indicates whether or not the Security Policy features have been enabled.

Integration Suite Indicates whether or not access to third party information such as SNMP Traps and
Syslogs has been enabled.

Wireless Only Indicates whether or not a limited Wireless Only license has been enabled.


Provided as a quick start solution for organizations that use only wireless devices on
their network. This feature is not supported for all wireless devices. Currently only HP
MSM and Ruckus controllers can be configured. For HP wireless devices, FortiNAC
can write configuration changes to the device. For Ruckus controllers, FortiNAC cannot
write configuration changes to the device, only to the device model in the database. Other
wireless devices and up to five wired devices can be added using the Network Devices
View or the Inventory. In addition, this license disables the Discovery feature.

NTP and time zone

You can reset the time zone and NTP server for your FortiNAC appliances. Typically the time zone and NTP server are
configured using the configuration wizard during the initial appliance set up.
The NTP server is used to synchronize the clock on the FortiNAC appliance. FortiNAC contacts the NTP server
periodically to synchronize its clock with the NTP servers. NTP server keeps time in UTC, or Coordinated Universal
Time, which corresponds roughly to Greenwich Mean time.

Settings

Field Definition

FortiNAC Servers Provides a list of servers for which you can change time settings. If you have a Control
server and an Application server pair, both servers are displayed in the list. In an HA
environment this would include up to four servers, two Control servers and two
Application servers.
Each server's time must be set individually. Settings apply only to the server displayed
in this field.

NTP Server External server used to synchronize or update the clock on the selected FortiNAC
server. Defaults to pool.ntp.org.

Time Zone Time zone where the selected FortiNAC server resides.

Modify time settings

Changes to NTP or time zone require a server restart to take effect. Go to the control panel to
restart the server now. See Power management on page 407.

1. Click System > Settings.


2. Expand the System Management folder.
3. Select NTP And Time Zone from the tree.
4. Click the FortiNAC Servers drop-down and choose the server to be modified.
5. Enter your preferred NTP Server in the NTP Server field.
6. Click the Time Zone drop-down and select the time zone for this server.
7. Click Save Settings to save settings for the selected server.
8. To modify another server, select it in the FortiNAC Servers drop-down and repeat steps 4 through 7.


Power management

The system can be rebooted or powered down through the FortiNAC interface, by any user whose administrator profile
allows access to the Settings view. In a high availability environment or in the case where there is a FortiNAC Control
Server/Application Server pair, servers must be rebooted or powered off individually.

In an HA environment, reboot or power off the secondary servers first.

Events associated with Power Management are as follows:
• System Power Off: Indicates that the server has been powered down and provides the user name of the user who initiated the action.
• System Reboot: Indicates that the system was rebooted and provides the user name of the user who initiated the action.

Reboot the server

1. Click System > Settings.


2. Expand the System Management folder.
3. Select Power Management from the tree.
4. Select a server from the list.
5. Click Reboot. This process may take 2-3 minutes.

Power off the server

1. Click System > Settings.


2. Expand the System Management folder.
3. Select Power Management from the tree.
4. Select a server from the list.
5. Click Power Off. This process may take 30 seconds.

Remote backup configuration

Use the Remote Backup Configuration view to define the connection details used to copy database and system files to a
third party (remote) server.
Database and system backups occur automatically when the Database BackUp and System Backup scheduled tasks
run. The backup files are stored on the local appliance. See Database backup/restore and System backups for more
information.
The Administrator can, additionally, configure FortiNAC to place a copy of the database and system backups on a
remote server for safekeeping. The backups are placed in time and date stamped files.
Files can be transferred using FTP and/or SSH protocols.
Database backup file naming convention:
FortiNAC_DataBase_BackUp_YYYY_MM_DD_HH_mm_SS_<hostname>.gz


System backup file naming convention:
<hostname>.YYYYMMDD.*.gz

Step 1: Configure the backup server

Remote server configuration using FTP


1. Create an account on the remote FTP server to be used by FortiNAC for backup file transfer.
2. Create a folder to which FortiNAC will copy the files.

For instructions on completing the above tasks, consult documentation specific to the FTP application used.
Remote server configuration using SSH
FortiNAC's public key must be appended to the authorized_keys file on the remote server for successful SSH
communication.
High Availability configurations: SSH keys for both the primary and secondary FortiNAC servers must be appended.
1. In the FortiNAC UI, navigate to System > Settings > System Management > Remote backup configuration.
2. Select the checkbox next to Enable SSH Remote Backup.
3. Select Display Public SSH Keys.
4. The Public SSH Key window appears. Copy the key displayed.
5. Click Close.
6. Associate the public key to the remote server where the backups will be stored. This process will vary depending on
the product. Refer to the SSH server product documentation for instructions.

• The format of the authorized_keys file is one entry per line.
• Do not include extra white space or characters when pasting the key.
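A pasted key that violates the two rules above (line breaks inside the key, stray whitespace) is a common reason the later SSH test fails. The following check is an added example, not FortiNAC code: it enforces those rules and additionally confirms that the base64 body decodes and embeds the same key type as the first field; the key it builds for demonstration is an all-zero placeholder, not a real key, and it assumes the displayed key carries no authorized_keys options prefix.

```python
"""Sanity-check a FortiNAC public SSH key before appending it to authorized_keys.

Added example, not FortiNAC code. The placeholder key built by constructed_entry()
is all zeros and is not usable for authentication.
"""
from __future__ import annotations

import base64
import binascii
import struct

KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519",
               "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def check_authorized_key_entry(pasted: str) -> list[str]:
    """Return the problems found; an empty list means the entry is safe to append."""
    problems: list[str] = []
    line = pasted.rstrip("\r\n")            # one trailing newline at end of file is normal
    if "\n" in line or "\r" in line:        # rule 1: one entry per line, never wrapped
        problems.append("entry spans more than one line")
        line = line.replace("\r", "").replace("\n", "")
    if line != line.strip():                # rule 2: no extra whitespace
        problems.append("leading or trailing whitespace")
        line = line.strip()
    fields = line.split(" ")
    if "" in fields or any("\t" in f for f in fields):
        problems.append("extra whitespace between fields")
        fields = line.split()
    if len(fields) < 2:
        problems.append("expected '<type> <base64> [comment]'")
        return problems
    # Assumption: the key as displayed by FortiNAC has no options prefix.
    key_type, body = fields[0], fields[1]
    if key_type not in KNOWN_TYPES:
        problems.append(f"unknown key type {key_type!r}")
    try:
        blob = base64.b64decode(body, validate=True)   # rejects stray characters
    except (binascii.Error, ValueError):
        problems.append("key body is not valid base64")
        return problems
    if len(blob) < 4:
        problems.append("key body too short")
        return problems
    # The wire format starts with a length-prefixed copy of the key type name.
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", errors="replace")
    if embedded != key_type:
        problems.append(f"key type field {key_type!r} does not match embedded type {embedded!r}")
    return problems


def constructed_entry(comment: str = "root@fortinac-placeholder") -> str:
    """Build a syntactically valid ssh-ed25519 entry with an all-zero (placeholder) key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


if __name__ == "__main__":
    good = constructed_entry()
    print("clean entry:", check_authorized_key_entry(good) or "ok")
    print("wrapped entry:", check_authorized_key_entry(good.replace(" ", "\n", 1)))
```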


Step 2: Configure the remote backup target

1. In the UI navigate to System > Settings > System Management > Remote Backup Configuration.
2. Configure using the table below.

Field Definition

Backup Timeout Number of minutes for the backup to be created and copied to the remote
server. If this time elapses before the backup is done, the process is
interrupted. Be sure to select a time that is long enough for your system to
complete its backup. The default is 20 minutes; however, large systems may
require more time.

Enable FTP Remote Backup Remote backups to this server are enabled when this is checked.
Default = Unchecked

Server IP address of the remote server.

User Name User Name required for write access to the server.

Password Password required for write access to the server.

Remote Path The directory path where the remote backup files will be placed. This directory
must exist on the server.

Enable SSH Remote Backup Remote backups to this server are enabled when this is checked. The SSH
keys must already be established for the SSH remote backups to be
successful.
Default = Unchecked

Display Public SSH Keys Click to view the public SSH key from the FortiNAC Primary and Secondary
Control Servers.

Server The IP address of the remote server. Format is user@remote-server, such as asmith@192.168.1.1.

Remote Path The directory path where the remote backup files will be placed. This directory
must exist on the server.

Test SSH Connection Test the connection to the server using the SSH Server and SSH Remote Path
settings to confirm the settings are valid.
If the test fails, it means the Remote Backup task will not back up the files to
the specified remote server.

Step 3: Validate

FTP
1. Navigate to System > Scheduler.
2. Highlight the Database Backup task and click Run Now.
3. On the remote server, confirm the files were transferred.

SSH


1. Click Test SSH Connection to verify SSH communication with the remote server.
2. Once successfully tested, navigate to System > Scheduler.
3. Highlight the Database Backup task and click Run Now.
4. On the remote server, confirm the files were transferred.
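Confirming the transfer on the remote server can be scripted from the two file naming conventions given earlier in this section. This is an added example, not FortiNAC code: it parses a directory listing of the Remote Path, reports the newest database and system backup per appliance, and flags any that is older than the backup interval you expect; the listing, hostnames and timestamps below are constructed placeholders.

```python
"""Check that FortiNAC backup files reached the remote backup target.

Added example, not FortiNAC code. Parses the guide's naming conventions
  FortiNAC_DataBase_BackUp_YYYY_MM_DD_HH_mm_SS_<hostname>.gz
  <hostname>.YYYYMMDD.*.gz
from a listing of the Remote Path and reports the newest file of each kind per host.
"""
from __future__ import annotations

import os
import sys
from datetime import datetime, timedelta
import re

DB_NAME = re.compile(
    r"^FortiNAC_DataBase_BackUp_(\d{4})_(\d{2})_(\d{2})_(\d{2})_(\d{2})_(\d{2})_(.+)\.gz$")
SYSTEM_NAME = re.compile(r"^(.+?)\.(\d{8})\..*\.gz$")

# Constructed listing of the Remote Path; hostnames and dates are placeholders.
SAMPLE_LISTING = [
    "FortiNAC_DataBase_BackUp_2023_03_08_01_00_00_nac-primary.gz",
    "FortiNAC_DataBase_BackUp_2023_03_09_01_00_00_nac-primary.gz",
    "FortiNAC_DataBase_BackUp_2023_03_10_01_00_00_nac-primary.gz",
    "nac-primary.20230309.systembackup.gz",
    "FortiNAC_DataBase_BackUp_2023_03_01_01_00_00_nac-secondary.gz",
    "README.txt",                       # unrelated file, ignored
]
NOW = datetime(2023, 3, 10, 9, 0, 0)    # constructed reference time for the sample


def parse_backup_name(name: str) -> tuple[str, str, datetime] | None:
    """Return (kind, hostname, timestamp) for a FortiNAC backup file, else None."""
    m = DB_NAME.match(name)
    if m:
        *parts, host = m.groups()
        return "database", host, datetime(*map(int, parts))
    m = SYSTEM_NAME.match(name)
    if m:
        host, ymd = m.groups()          # system backups carry only a date
        return "system", host, datetime.strptime(ymd, "%Y%m%d")
    return None


def newest_backups(listing: list[str]) -> dict[tuple[str, str], tuple[str, datetime]]:
    """Map (kind, hostname) to the newest (filename, timestamp) found in the listing."""
    newest: dict[tuple[str, str], tuple[str, datetime]] = {}
    for name in listing:
        parsed = parse_backup_name(name)
        if parsed is None:
            continue
        kind, host, stamp = parsed
        if (kind, host) not in newest or stamp > newest[(kind, host)][1]:
            newest[(kind, host)] = (name, stamp)
    return newest


def stale_backups(listing: list[str], now: datetime, max_age_hours: float) -> list[tuple[str, str]]:
    """(kind, hostname) pairs whose newest backup is older than max_age_hours."""
    limit = timedelta(hours=max_age_hours)
    return sorted(key for key, (_, stamp) in newest_backups(listing).items()
                  if now - stamp > limit)


if __name__ == "__main__":
    # Pass the Remote Path as the first argument to check a real directory.
    listing = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    now = datetime.now() if len(sys.argv) > 1 else NOW
    for (kind, host), (name, stamp) in sorted(newest_backups(listing).items()):
        age = now - stamp
        print(f"{host:<14} {kind:<8} newest={name} age={age}")
    print("stale (older than 36 h):", stale_backups(listing, now, 36))
```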

System backups

A system backup creates a backup of all system files that are used to configure FortiNAC, such as license key and web
server configurations.
1. Click System > Settings.
2. Expand the System Management folder.
3. Select System Backups from the tree.
4. In the Remove local backups older than field, enter the number of days for which you would like to keep
backups.
The timing of the scheduled backup task and the age of the files that are to be removed must be thought out
carefully or you will remove all of your backups. For example, if the remove option is set to 5 days and your backup
task runs every 15 days, you may inadvertently remove all of your backups. However, if the remove option is set to
15 days and the backup task runs every 5 days, then you would always have backup files.
5. Click Modify Schedule.
6. Select the Enabled check box.
7. Enter a name for the task in the Name field.
8. The Description field is optional. Enter a description of the task.
9. Action type and Action are pre-configured based on the task and cannot be modified.
10. From the Schedule Type drop down list, select either Fixed Day or Repetitive and set the day and time that the
task is to be performed.
11. A Fixed Day Task is one in which you schedule a task to run on a combination of days of the week and times of the
day, such as Mondays at 1:00 pm and Fridays at 10:00 am. Select the day(s) and time to run the task.
a. Click the box next to the day(s) to select the day.
b. Click the down arrows and select the hour, minutes, and AM or PM from the drop-down list for each day.
c. To enter days/times more quickly, select Set Multiple Days to set multiple days with the same time.
d. To remove all settings, click Clear All.
12. A Repetitive Task is one that you schedule to start on a given day, at a certain time, for the number of times you
specify, such as every 10 days starting today. The repetition rate can be set to any number of minutes, hours, or
days.
a. Enter the Repetition Rate using whole numbers. A repetition rate of zero causes the task to run only once.
b. Click the down arrow and select Minutes, Hours, or Days from the drop-down list.
c. Enter the date and time for the task to run in the Next Scheduled Time field using the format MM/DD/YY
hh:mm AM/PM Time Zone.
d. Click Update to update the Next Scheduled Time field or change the Repetition Rate.
The new repetition rate does not take effect immediately. It starts the next time the scheduled task runs. For the
new repetition rate to take effect immediately, click Update.
13. Click OK.
14. Click Save Settings.


Settings

Field Definition

Remove local backups older than: Number of days for which you would like to keep backups. Anything older than the number of days entered is removed the next time the scheduled task for backups runs.
This setting removes backup files created on the FortiNAC server before they are
copied to the remote server. Backups on the remote server are not removed.
The timing of the scheduled backup task and the age of the files that are to be removed
must be thought out carefully or you will remove all of your backups. For example, if the
remove option is set to 5 days and your backup task runs every 15 days, you may
inadvertently remove all of your backups. However, if the remove option is set to 15
days and the backup task runs every 5 days, then you would always have backup files.

Status Indicates whether the task is Enabled or Disabled.

Schedule Interval How often the scheduled task runs. Options are Minutes, Hours, or Days.

Next Scheduled Time The next date and time the scheduled synchronization task will run. Entered in the
format MM/DD/YY HH:MM AM/PM

Modify Schedule Allows you to modify the scheduled activity.

Updates

Updates groups together options for updating FortiNAC servers with the latest software release and the latest Agent
packages.

Options

Option Definition

Agent Packages Displays a list of the Dissolvable Agent, Persistent Agent, and Passive Agent versions
available on your FortiNAC appliance. Download new agents and add them to FortiNAC
as they become available from Fortinet using Download. Download an
Administrative template for GPO configuration to your PC from the FortiNAC appliance
using the links at the top of the view.
See Agent packages on page 412.

System Use System Updates to configure download settings, download updates from Fortinet,
install updates and view the updates log.
See System update on page 420.
System version information can be viewed in the System Summary Widget in the
Dashboard of the UI.
Example
Version 7.2.1.0051


Agent packages

The Agent packages view displays a list of the Dissolvable Agent, Persistent Agent, Passive Agent, and Mobile Agent
versions available on your FortiNAC appliance. This view allows you to download new agents and add them to FortiNAC
as they become available from Fortinet.
Both the Dissolvable Agent and Persistent Agents can be supplied to hosts automatically by FortiNAC through the
captive portal when the host reaches the appropriate web page. The agent presented to the host is based on the
configuration of the endpoint compliance policy applied to that host. Supplying the Passive Agent requires additional
configuration. See Passive Agent on page 1.
Hosts who already have a version of the Persistent Agent installed can be automatically updated to a newer version of
the agent based on the settings you enter on the Agent Update tab. See Upgrade the Persistent Agent on page 202.
You also have the option to download a Persistent Agent from the list to your own computer to be distributed to hosts
through your web site, using a login script or some other distribution method. Files are saved on your computer in the
default download location. This location varies depending on the browser you are using.
The Windows Persistent Agent is available in two formats: .msi and .exe. The .msi file is recommended for use in a
managed install by non-user-interactive means. The .exe file is recommended for user-interactive installation. The Linux
Persistent Agent is also available in two formats: .deb or .rpm. The macOS Persistent Agent is available in .dmg format.
If you choose to distribute the agent using Group Policy Objects, you must download and install administrative templates
on your Windows server. Use the links at the top of the Agent Distribution view to download the templates.
Select Delete to remove old Agent packages from your server.

Settings

Field Definition

Package Name of the .jar file containing the agents and supporting files.

Agent Version Version number of the agent.

Name Name of the type of agent. Agents include:
• Mobile Agent
• Dissolvable Agent
• Persistent Agent
• Passive Agent

Operating System Operating system on which the agent can run.

File File name and type, such as .exe or .bin.

Size Download size of the agent file in KiB.

Delete Allows you to delete old agent packages from the FortiNAC server.

Download agent packages

Status Indicates whether there are new agent packages available for download from Fortinet. Status
messages include:
• Up to Date
• New Agent Packages Available


Download Launches the Agent Download dialog allowing you to select new agent packages to be added to your
FortiNAC server.

Download new agent packages

New Agent packages are placed on the Fortinet update server when they become available. Agent packages contain all
of the available FortiNAC agents and agent related files. The Mobile Agent can be downloaded from the captive portal if
the device allows downloads from unknown sources, otherwise it is distributed through Google Play. However, there are
supporting files for the Mobile Agent in the agent package. For any agent update you must download and install the
latest agent package.
Download settings must be configured correctly in order to download agent packages. See System update on page 420
for more information.
1. Click System > Settings.
2. Expand the Updates folder.
3. Select Agent Packages from the tree.
4. Scroll to the bottom of the page. When new agents are available, the message New Agent Packages Available is
displayed next to Download. Select Download to display a list of available agent packages.
5. Click the Download link next to an agent package to initiate the download. A progress page is displayed until the
download is complete.
6. Click Close to return to the Agent Packages view.

Download the Persistent Agent for custom distribution

Follow the steps below to download a Persistent Agent from your FortiNAC appliance to your local computer.
1. Click System > Settings.
2. Expand the Updates folder.
3. Select Agent Packages from the tree.

The Dissolvable Agent, Persistent Agent, and Passive Agent packages are included in the
list, but only the Persistent Agent and Passive Agent packages may be downloaded
through this view. The links appear in blue.

4. Locate the agent you wish to download. Click on the name of the agent file in blue text in the File column of the
table.
5. The file is typically saved to the default download location. This is controlled by your browser.
6. Distribute the file via the Desktop Management software of your choice. It is recommended that you visit our web
site for additional information on deploying the Persistent Agent outside of FortiNAC.

Download and configure administrative templates for GPO

Administrative templates are used to configure registry settings on Windows endpoints through Group policy objects.
For the Persistent Agent and the Passive Agent, there are templates to configure the Server URL of the FortiNAC
Application Server with which the agent will communicate. There are also per-computer and per-user templates to
enable or disable the system tray icon or Balloon Notifications of status changes. The Balloon Notification template does
not affect the Server IP and is not required.


FortiNAC does not support an Administrative Template for deploying configuration changes to macOS computers or
users through GPO. You can investigate 3rd party applications, such as Likewise Enterprise that support macOS
computers using Group Policy Object editor. The modifications shown in the tables below can be made in the
Preferences file on macOS hosts, using the tool of your choice.

The Persistent Agent running on a macOS computer can determine the server to which it
should connect via DNS server records; it does not require changes to Preferences.

If you are using the Persistent Agent, the Windows login credentials are automatically passed to FortiNAC. You can
modify the Administrative Template settings to hide the Persistent Agent Login dialog and use the Windows login
credentials sent by the Persistent Agent instead. See Using Windows domain logon credentials on page 199.
Agent security is enabled by default. It is recommended that you update to the latest template files and configure the
templates for the new security settings.

Requirements:

l Active Directory
l Group Policy Objects
l Template Files From Fortinet

Templates:

The templates listed below are provided by Fortinet. You must run the installation program for the templates on your
Windows server. Be sure to select the appropriate MSI for your Windows server architecture.
l 32-bit (x86): Bradford Networks Administrative Templates.msi
l 64-bit (x86_64): Bradford Networks Administrative Templates-x64.msi

Install the templates for GPO

1. In FortiNAC select System > Settings > Updates > Agent Packages.
2. At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the
appropriate template file.
3. Copy the template file to the domain server.
4. On the domain server, double-click the msi file to start the installation wizard.
5. Click through the installation wizard. When installation has completed, the remaining steps require the Microsoft
Group Policy Management Console. Refer to the Windows Server documentation for details.
6. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
7. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates to show the
current templates pop-up.
8. Click Add and browse to Program Files\Bradford Networks\Administrative Templates.
a. To use the Persistent Agent, select FortiNAC Persistent Agent.adm and click Open.
b. To use the Passive Agent, select FortiNAC Passive Agent.adm and click Open.
9. Click Close, and the Administrative Templates will be imported into the GPO.


Install an updated template when balloon notifications are configured

If you have never configured Balloon Notifications, go to the section of this document labeled Install An Updated
Template.
If you already have a Fortinet Administrative Template installed for the Persistent Agent and the Balloon Notifications
were ever set to anything other than Not Configured (e.g. enabled or disabled), you must unconfigure the Balloon
Notifications and push the settings to your clients. When your clients have all been updated, then the new template can
be installed. These templates affect the registry settings on the client host. In the case of the Balloon Notifications,
removing the previous configuration before installing the new one ensures that the keys will be set correctly.

Before updating a template, be sure to record the current template settings. Existing template
settings are lost when the new template is installed.

1. In FortiNAC, navigate to System > Settings > Persistent Agent.
2. Select Properties and make sure that Display Notifications is disabled. When you have uploaded and configured
the new template, come back to this view and restore the Display Notifications option to its original state.
3. Log into your Windows Server.
4. On your Windows server open the Group Policy Management Tool.
5. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
6. Select Computer Configuration > Administrative Templates > Bradford Persistent Agent.
7. In the pane on the right, right-click on the Balloon Notifications setting and select Properties.
8. On the Setting tab in the Properties window select Not Configured and click OK.
9. When all of your clients have received the updated settings, the new template can be installed.
10. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
11. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates, to show
the current templates pop-up.
12. Select the old template and click Remove. Follow the instructions in the Install The Templates For GPO section
shown above to install the new template.

Install an updated template

Occasionally new templates are made available to incorporate additional features. If you already have a Fortinet
Administrative Template installed but it does not have Balloon Notifications enabled, follow the instructions below to
update it. If you do have Balloon Notifications enabled, go to the previous section for instructions.

Before updating a template, be sure to record the current template settings. Existing template
settings are lost when the new template is installed.

1. On your Windows server open the Group Policy Management Tool.
2. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
3. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates, to show
the current templates pop-up.
4. Select the old template and click Remove. Follow the instructions in the Install The Templates For GPO section
shown above to install the new template.


Modify settings

See the table below for settings which can be configured using the Administrative Templates provided.

Settings

Persistent Agent template

Host Name
    Fully qualified host name of the FortiNAC Application Server, or of the FortiNAC Server if you are not using a
    pair. It is pushed out to the connecting host(s) to ensure that the Persistent Agent is communicating with the
    correct host in a distributed environment.

Balloon Notifications
    Enables or disables Balloon Notifications on a per-host or per-user basis. This setting is not required for
    configuring Server IP information. Options include:
    l Enabled: Forces balloon notifications for host state changes to be enabled on the host.
    l Disabled: Forces balloon notifications for host state changes to be disabled on the host.
    l Not Configured: Use the non-policy setting (Enabled).

Login Dialog
    Enables or disables the login dialog on a per-host or per-user basis. This setting is not required for configuring
    Server IP information. See Using Windows domain logon credentials on page 199 for further instructions.
    Options include:
    l Enabled: The login dialog is enabled. This can be used per-user to override a per-host setting of Disabled.
    l Disabled: The login dialog is disabled. The agent will never prompt the user for credentials. This is useful in
      certain single sign-on configurations.
    l Not Configured: The login dialog is enabled, unless overridden by a per-user configuration.

System Tray Icon
    Enables or disables the system tray icon on a per-host or per-user basis. This setting is not required for
    configuring Server IP information. (Requires Persistent Agent 2.2.3 or higher.) Options include:
    l Enabled: The system tray icon is enabled. This can be used per-user to override a per-host setting of Disabled.
    l Disabled: The system tray icon is disabled. Disabling the system tray icon also disables the following
      functionality: Status Notifications (Show Network Access Status, Login, Logout), Message Logs and the About
      dialog.
    l Not Configured: The system tray icon is enabled, unless overridden by a per-user configuration.

Max Connection Interval
    The maximum number of seconds between attempts to connect to FortiNAC.

Persistent Agent security settings

Security Mode
    Indicates whether agent security is enabled or disabled.

Home Server
    Server with which the agent always attempts to communicate first. Protocol configuration change requests are
    honored only when they are received from this server. If this server is not set, it is automatically discovered
    using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Limit Connections To Servers
    l Enabled: Agent communicates only with its Home Server and the servers in the Allowed Servers list.
    l Disabled: Agent searches for additional servers when the home server is unavailable.
    l Allowed Servers List: In large environments there may be more than one set of FortiNAC servers. If roaming
      between servers is limited, list the FQDNs of the FortiNAC Application Servers or FortiNAC Servers with
      which the agent can communicate.

Passive Agent template

Passive Agent Server URL
    Server URL List: Comma-separated list of URLs (formatted HTTP(S)://<server_name>/<context>) for the
    FortiNAC servers that hosts running an agent should contact. Hosts must be able to reach all of the URLs in
    order to run properly.
    Example: http://qa228/registration
    The context portion of the Server URL is the area of the captive portal the agents should contact, such as
    registration, remediation, or authentication.
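The settings in the table can also be written into a GPO from PowerShell with the GroupPolicy module's Set-GPRegistryValue, which stores the same registry policy values the .adm templates set (the value names are those listed under Registry keys below). The block is an added example, not part of this guide or of Fortinet's template installer; the GPO name, the hostnames and the particular settings chosen are assumptions, and the values the guide types as "Integer" are written as DWORD.

```powershell
# Added example (not from the FortiNAC guide): author the Persistent Agent and Passive Agent
# policy values into a GPO with the RSAT GroupPolicy module instead of the .adm template dialogs.
# Assumptions: run as a domain admin on a host with RSAT installed; GPO name and hostnames are placeholders.
Import-Module GroupPolicy

$GpoName = 'FortiNAC Persistent Agent'                                    # placeholder GPO name
$PaKey   = 'HKLM\SOFTWARE\Policies\Bradford Networks\Persistent Agent'   # per-computer values
$PaUser  = 'HKCU\SOFTWARE\Policies\Bradford Networks\Persistent Agent'   # per-user values (User Configuration)
$PasKey  = 'HKLM\SOFTWARE\Policies\Bradford Networks\PASSIVE'            # Passive Agent per-computer values

# Create the GPO if it does not exist yet (Get-GPO throws when the name is unknown).
try { $null = Get-GPO -Name $GpoName -ErrorAction Stop } catch { New-GPO -Name $GpoName | Out-Null }

function Set-PaValue([string]$Key, [string]$Name, [string]$Type, $Value) {
    # Registry policy values land in the GPO's registry.pol; Type is String or DWord here.
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

# Weak setting: restrictRoaming=0 (Limit Connections To Servers disabled) lets the agent search for any
# reachable FortiNAC server when the home server is down. Corrected: pin it to the home server plus an
# explicit allowed list. The home server does not need to be repeated in allowedServers.
Set-PaValue $PaKey 'homeServer'      'String' 'nac.example.com'
Set-PaValue $PaKey 'allowedServers'  'String' 'nac-a.example.com,nac-b.example.com'
Set-PaValue $PaKey 'restrictRoaming' 'DWord'  1
Set-PaValue $PaKey 'securityEnabled' 'DWord'  1      # agent security stays on (the guide's default)

# Single sign-on: never prompt for credentials per-computer; the agent sends the Windows domain logon.
Set-PaValue $PaKey 'LoginDialogDisabled' 'DWord' 1

# A per-user Enabled value overrides a per-computer Disabled one, so a user-scoped GPO can keep the
# tray icon (and with it Message Logs and the About dialog) for selected users.
Set-PaValue $PaUser 'ShowIcon' 'DWord' 1

# Passive Agent: portal URL list; every URL listed must be reachable from the hosts.
Set-PaValue $PasKey 'ServerURL' 'String' 'https://nac.example.com/registration'

# Verify what the GPO now carries before linking it to an OU.
Get-GPRegistryValue -Name $GpoName -Key $PaKey | Select-Object ValueName, Type, Value
```

Run it once per GPO; Set-GPRegistryValue overwrites an existing value of the same name, so re-running it is safe. Link the GPO to the OU that holds the agent hosts afterwards, and confirm on a client with gpresult or the registry check in the next section.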

Registry keys

The template setup shown in the table above modifies the Windows host's registry settings. The table below shows the
modifications made to the host's registry keys by the Group Policy Object using the administrative template. If you use a
tool other than GPO, you must make sure to set the appropriate keys on each host.
Upon installation of the Persistent Agent, the following key is created by default (and can be viewed using the Windows
registry editor on the endpoint):
HKLM\Software\Bradford Networks\Client Security Agent

When registry settings are pushed to a host via software, one or both of the following keys are created (depending upon
the values pushed):
HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent
HKLM\Software\Policies\Bradford Networks\Persistent Agent

When the settings are pushed, the values under HKLM\Software\Bradford Networks\Client
Security Agent remain unchanged, but any settings pushed to the Policies keys override
those in the original key.

On 64-bit operating systems, RegEdit shows these registry values under the following key:
HKLM\Software\WOW6432Node.


Persistent Agent

Key: HKLM\Software\Policies\Bradford Networks\Persistent Agent (per-computer)

    ServerIP
        The fully qualified hostname to which the agent should communicate.
        Data Type: String. Default: Not Configured.

    ClientStateEnabled
        0: Do not show balloon notifications on status changes. 1: Show balloon notifications on status changes.
        Data Type: DWORD. Default: Not Configured.

    LoginDialogDisabled
        0: Enable Login Dialog. 1: Disable Login Dialog.
        Data Type: DWORD. Default: Not Configured (Login Dialog displayed).

    ShowIcon
        0: Do not show the tray icon. 1: Show the tray icon.
        Data Type: DWORD. Default: Not Configured (Tray icon displayed).

    maxConnectInterval
        The maximum number of seconds between attempts to connect to FortiNAC.
        Data Type: Integer. Default: 960.

    securityEnabled
        0: Disable Agent Security. 1: Enable Agent Security.
        Data Type: Integer. Default: 1.

    homeServer
        The fully qualified hostname of the default server with which the agent should communicate.
        Data Type: String. Default: Empty.

    restrictRoaming
        0: Do not restrict roaming. Allow agent to communicate with any server.
        1: Restrict roaming to the home server and the allowed servers list.
        Data Type: Integer. Default: 0.

    allowedServers
        Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming
        is enabled, the agent is limited to this list. The home server does not need to be included in this list
        (for example, a.example.com,b.example.com,c.example.com).
        Data Type: String. Default: Empty.

Key: HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent (per-user)

    ClientStateEnabled
        0: Do not show balloon notifications on status changes. 1: Show balloon notifications on status changes.
        Data Type: DWORD. Default: Not Configured.

    LoginDialogDisabled
        0: Enable Login Dialog. 1: Disable Login Dialog.
        Data Type: DWORD. Default: Not Configured (Login Dialog displayed).

    ShowIcon
        0: Do not show the tray icon. 1: Show the tray icon.
        Data Type: DWORD. Default: Not Configured (Tray icon displayed).

Passive Agent

Key: HKEY_USERS\{SID}\Software\Policies\Bradford Networks\PASSIVE (per-user)
Key: HKLM\Software\Policies\Bradford Networks\PASSIVE (per-computer)

    ServerURL
        Server URL List: Comma-separated list of URLs for the FortiNAC servers that an agent should contact.
        Example: http://qa228/registration
        The context portion of the Server URL is the area of the captive portal the agents should contact, such as
        registration, remediation, or authentication.
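For hosts that receive their settings from a desktop management tool rather than GPO, the following added example (not part of this guide or of the agent) writes the per-computer policy values from the table with PowerShell and then reports the configuration the agent will use, applying the precedence described above: a pushed policy value overrides the installer's Client Security Agent key, and an absent value behaves as Not Configured. The hostnames are placeholders; it assumes an elevated session, that the values the table types as "Integer" are REG_DWORD, and that the installer key uses the same value names as the policy key (the guide does not list them).

```powershell
# Added example (not from the FortiNAC guide or the agent installer): apply the documented
# Persistent Agent policy values on one endpoint without GPO, then report the effective configuration.
# Assumptions: elevated session; "Integer" values are REG_DWORD; the installer key (contents not
# documented in the guide) uses the same value names as the policy key; hostnames are placeholders.

$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Bradford Networks\Persistent Agent'
$InstallerKey   = 'HKLM:\SOFTWARE\Bradford Networks\Client Security Agent'
$InstallerKey32 = 'HKLM:\SOFTWARE\WOW6432Node\Bradford Networks\Client Security Agent'  # 32-bit agent on 64-bit Windows

# Value name -> registry type and the behaviour the agent falls back to when the value is absent (Not Configured).
$Schema = [ordered]@{
    homeServer          = @{ Type = 'String'; Default = ''  }
    allowedServers      = @{ Type = 'String'; Default = ''  }
    securityEnabled     = @{ Type = 'DWord';  Default = 1   }
    restrictRoaming     = @{ Type = 'DWord';  Default = 0   }
    maxConnectInterval  = @{ Type = 'DWord';  Default = 960 }
    ClientStateEnabled  = @{ Type = 'DWord';  Default = 1   }   # absent: balloon notifications shown
    LoginDialogDisabled = @{ Type = 'DWord';  Default = 0   }   # absent: login dialog shown
    ShowIcon            = @{ Type = 'DWord';  Default = 1   }   # absent: tray icon shown
}

function Test-Fqdn([string]$Name) {
    # The agent expects bare fully qualified hostnames, not URLs or IP addresses.
    return $Name -match '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

function Set-FortiNACAgentPolicy {
    param(
        [Parameter(Mandatory)][string]$HomeServer,
        [string[]]$AllowedServers = @(),
        [switch]$RestrictRoaming,       # restrictRoaming=1: talk only to HomeServer and AllowedServers
        [switch]$DisableLoginDialog,    # LoginDialogDisabled=1: never prompt; rely on the Windows domain logon
        [switch]$HideTrayIcon,
        [switch]$DisableNotifications,
        [ValidateRange(30, 86400)][int]$MaxConnectInterval = 960
    )
    foreach ($h in (@($HomeServer) + $AllowedServers)) {
        if (-not (Test-Fqdn $h)) { throw "Refusing to write a non-FQDN server name: '$h'" }
    }
    if ($RestrictRoaming -and $AllowedServers.Count -eq 0) {
        Write-Warning 'restrictRoaming=1 with an empty allowedServers list: the agent will only ever contact the home server.'
    }
    $values = @{
        homeServer          = $HomeServer
        allowedServers      = ($AllowedServers -join ',')
        securityEnabled     = 1                               # keep agent security on (the guide's default)
        restrictRoaming     = [int]$RestrictRoaming.IsPresent
        maxConnectInterval  = $MaxConnectInterval
        LoginDialogDisabled = [int]$DisableLoginDialog.IsPresent
        ShowIcon            = [int](-not $HideTrayIcon.IsPresent)
        ClientStateEnabled  = [int](-not $DisableNotifications.IsPresent)
    }
    New-Item -Path $PolicyKey -Force | Out-Null
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] -PropertyType $Schema[$name].Type -Force | Out-Null
    }
}

function Get-FortiNACAgentConfig {
    # Precedence per the guide: a pushed policy value overrides the installer key; with neither set,
    # the agent behaves as Not Configured (the Default column of the table).
    $policy    = Get-ItemProperty -Path $PolicyKey    -ErrorAction SilentlyContinue
    $installer = Get-ItemProperty -Path $InstallerKey -ErrorAction SilentlyContinue
    if (-not $installer) { $installer = Get-ItemProperty -Path $InstallerKey32 -ErrorAction SilentlyContinue }
    foreach ($name in $Schema.Keys) {
        $value = $Schema[$name].Default; $source = 'not configured (default)'
        if ($installer -and $installer.PSObject.Properties[$name]) { $value = $installer.$name; $source = 'installer key' }
        if ($policy    -and $policy.PSObject.Properties[$name])    { $value = $policy.$name;    $source = 'policy' }
        [pscustomobject]@{ Setting = $name; Value = $value; Source = $source }
    }
}

# Usage (placeholder names): pin the agent to one server set and suppress the login prompt for SSO.
Set-FortiNACAgentPolicy -HomeServer 'nac.example.com' -AllowedServers 'nac-a.example.com','nac-b.example.com' -RestrictRoaming -DisableLoginDialog
Get-FortiNACAgentConfig | Format-Table -AutoSize
```

Get-FortiNACAgentConfig is also useful on its own as an audit step after a GPO push: a Source column of "policy" for homeServer, restrictRoaming and securityEnabled confirms that the template values arrived and that the agent is not free to roam to an arbitrary server.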

Deploy the Passive Agent

1. On your Windows server open the Group Policy Management Tool.
2. Navigate to the Group Policy Object you want to edit.
3. Right-click the Group Policy Object and select Edit to display the GPO Editor pane.
4. Click User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) to display the Logon and
Logoff script configurations.
5. Double-click Logon for Logon Properties.
6. Click Add and then browse to the location of FortiNAC_Passive_Agent.exe.
7. Select FortiNAC_Passive_Agent.exe to add it to the Script Name field.
8. Enter -logon in the Script Parameters field.
9. Click OK.
To ensure the user is logged off the host upon logging out, do the following:
1. Follow steps 1-4, and then double-click Logoff.
2. Add FortiNAC_Passive_Agent.exe to the Script Name field, and then enter -logoff in the Script Parameters
field.
3. Click OK.

System update

To update FortiNAC, download the most recent FortiNAC software distribution. Connection settings must be configured
for access to the server where the download is hosted.
The database is automatically backed up during the update process.

High availability environment

To update your servers in a high availability environment note the following:


l The primary server must be running and in control in order to update the system.
l The secondary server(s) must be running.
l The primary server must be able to communicate with the secondary server(s).
l The primary server automatically updates the secondary server(s).


l If the secondary server(s) is in control, FortiNAC prevents you from updating and displays a message with detailed
instructions indicating that the Primary must be running and in control.
Update the primary server following the instructions shown here for a regular update.
Update Managed Servers

FortiNAC Manager can be used to update the managed servers. This is done by propagating the update from the
FortiNAC Manager to the managed servers throughout the environment.

Managed Server Update Requirements

If the requirements below are not met, the update cannot be run from the Manager. The update must be run from the
managed server's Administration UI.
l Managed servers must use the same Operating System (CentOS or FortiNAC-OS) as the Manager.
Example:
FNC-M-xx (CentOS) can upgrade FNC-CA-xx (CentOS)
FNC-MX-xx (FortiNAC-OS) can upgrade FNC-CAX-xx (FortiNAC-OS)
FNC-MX-xx (FortiNAC-OS) cannot upgrade FNC-CA-xx (CentOS)
l Managers using FortiNAC-OS (FNC-MX-xx) can only update managed servers running on the same virtual
appliance platform.
Example:
FNC-MX-xx on VMware can upgrade FNC-CAX-xx on VMware
FNC-MX-xx on VMware cannot upgrade FNC-CAX-xx on Hyper-V

Configure settings

Configure the connection settings for the download location so the Auto-Def Synchronizer, Agent packages, and the
Software Distribution Updates can be completed. You need to change the default settings if another server is used to
host the auto-definition or updated distribution files.
1. Click System > Settings.
2. Expand the Updates folder.
3. Select System from the tree.
4. Go to the System Update Settings section of the screen.
5. Use the table below to enter the update settings.
6. Contact Customer Support for the correct login credentials.
7. Click Test to check that the settings allow connection to the auto-definition directory and the product distribution
directory.

Refer to the System Update Settings section of the Release Notes on our website for
information about the distribution directory for the specific version you wish to download
and install.

8. Once connection to the server is established, click Save Settings.


Settings

Host
    Host IP address, host name, or fully qualified name of the server that is hosting the updates. Applies to both
    software and Operating System updates.

Auto-Definition Directory
    The sub-directory where the weekly antivirus and operating system updates are located. The default setting for
    this field is a period (.). If you are downloading these files from a server on your network, specify the
    directory containing the updates.
    If you prefer to download and install updates on a delayed schedule, you can choose system updates from one,
    two, three or four weeks ago by adding a sub-directory to this field. For example, entering /week1 gives you
    an update that is one week old. Available directories are:
    l ./week1 contains updates that are one week old.
    l ./week2 contains updates that are two weeks old.
    l ./week3 contains updates that are three weeks old.
    l ./week4 contains updates that are four weeks old.

Product Distribution Directory
    The sub-directory where the product software files are located. This field will vary depending on the version
    of the software being updated. A forward slash (/) may be required in the path configuration. Click Test to
    confirm the configuration.
    Refer to the FortiNAC Release Notes for information about the distribution directory for the specific version
    package you wish to download and install.

Agent Distribution Directory
    The sub-directory where the Agent update files are located. This field will vary depending on the version of
    the software being updated. A forward slash (/) may be required in the path configuration. Click Test to
    confirm the configuration.
    Refer to the FortiNAC Release Notes for information about the distribution directory for the specific version
    package you wish to download and install.

User
    The user name for the connection.

Password
    The password for the connection.

Protocol
    Applies to both software and Operating System updates.
    l HTTP
    l HTTPS
    l SFTP - This option has been deprecated and no longer works. It will be removed in a future release.
    l FTP
    l PFTP
    HTTP and the FTP variants send the connection credentials and the distribution files in cleartext; use HTTPS
    wherever the update server supports it.

Buttons

Test
    Tests the connection between the FortiNAC program and the update server.

Revert To Defaults
    Returns the window to the factory default settings.


Download

For FortiNAC-OS, the firmware image is displayed as majorrelease.build (for example, 7.0068), which is
different from CentOS, which displays majorrelease.minorrelease.patchrelease.build
(for example, 9.4.4.0789).

To update the software on the appliance, download the distribution files to the appliance.
1. Click System > Settings.
2. Expand the Updates folder.
3. Select System from the tree.
4. Click Download. FortiNAC automatically connects to the download server and retrieves a list of the files available
for download. FortiNAC displays a warning message if no update files are found.
5. Scroll through the list of files available for download and select the most recent distribution file. Available
distribution files are listed in order by version number with the most recent number at the top of the list.
6. Click Download to start the download process. This process runs in the background and closes automatically.

Distribute

Copy the distribution file to the managed servers.
1. Click the Distribute button.
2. Select the version from the drop-down menu.
3. Select the servers from the Server List to update.
4. Click OK.

A window will appear to display the file transfer progress.

Install

Once the distribution files have been downloaded to the appliance, you must manually start the installation. Since the
update process restarts the appliance, choose a time to install the update when it will have the least impact on services.
The update takes several minutes.
1. Click System > Settings.
2. Expand the Updates folder.
3. Select System from the tree.
4. Click Install.
5. Select the distribution file from the drop-down list and click Update.
6. Verify that the update was successful by checking the version number for the currently installed version. This can be
viewed using either the Admin UI or CLI.
Admin UI:
l System Summary Dashboard widget
l User icon drop-down menu in upper right corner
CentOS CLI: Enter the following at the command line prompt:
master; cat .version
FortiNAC-OS CLI: Enter the following at the command line prompt:
get system status


Show log

A log of the updates is maintained during installation. To view the logs, after installation, click Show Log and select the
date of the installation.
In a high availability configuration, the update log files are located on the primary appliance, since the primary appliance
must be in control during an update.
1. Click System > Settings.
2. Expand the Updates folder.
3. Select System from the tree.
4. Click Show Log.
5. Select the Date from the list.
6. The log detail displays in the view.
7. Close the window.


Decommission Manager

If the Manager is no longer needed, use these steps to disable the FortiNAC Manager such that entitlements are
transferred to the FortiNAC-CA server.
This procedure assumes the use of perpetual licenses (as opposed to subscription). If using subscription licensing, this
document does not apply.

Requirements

l FortiNAC version: 9.2.7, 9.4.2, F7.2.1 or greater on all appliances
l License contracts have been migrated from the Manager to the FortiNAC-CA
l Endpoint licenses for any additional managed FortiNAC server or High Availability pairs that will continue to run

Considerations

l Perform snapshots on any virtual appliances before proceeding
l During this process, there will be a period of time where entitlements will not be available
l Services on the FortiNAC Server will be restarted
l Due to the above, it is recommended this process be done during a maintenance window if the FortiNAC-CA is
controlling network access (under enforcement)

Step 1: Download New Key

This step can be done prior to the maintenance window.

1. Log in to the Customer Support Portal at http://Support.Fortinet.com
2. Under the Asset Management panel, click Product List.
3. Click View Options and select Show Entitlement and click Apply.


The Support Type column should now display.


4. In the Search bar at the top of the view, type License Support. The resulting entries are the products with endpoint
license keys.
5. To view the MAC address and UUID, click on the serial number.
6. Note the serial number of the appliance having the endpoint license upgraded.
7. Click on the appliance serial number again. Under Entitlement, License Support should be listed.

8. Under License & Key, the endpoint license type should be listed along with the number of concurrent licenses.
9. Under Key, select Get the License File next to FortiNAC License File Download. File will have a .lic extension.

10. Download the license key file (<serial number>.lic) and save to a folder. This will be used in the next section.
Important: This license key can only be applied to the appliance owning the serial number in the .lic filename.
11. Log out of the Customer Support Portal.

Step 2: Review Global Objects

This step can be done prior to the maintenance window.


In the Manager, take a screen capture or note the global objects and confirm they are present on the managed
FortiNAC-CA. This list will be used to verify the objects once the server is removed from the Manager.
Admin Profiles:
Users & Hosts > Administrators > Profiles
Guest Templates:
Users & Hosts > Guests & Contractors > Templates
Device Profiling Rules:
Users & Hosts > Device Profiling Rules
Device Types:
System > Settings > Identification > Device Types
Groups:
System > Groups
Roles:
Policy & Objects > Roles
User/Host Profiles:
Policy & Objects > User/Host Profiles
Endpoint Compliance Policies:
Policy & Objects > Endpoint Compliance > Policies
Endpoint Compliance Configurations:
Policy & Objects > Endpoint Compliance > Configurations
Endpoint Compliance Scans:
Policy & Objects > Endpoint Compliance > Scans
Security Actions used by Endpoint Compliance configurations:
Policy & Objects > Endpoint Compliance > Actions

Step 3: Remove Server from Server List

1. Log in to the FortiNAC Manager UI in one web browser window and the FortiNAC-CA UI in another.
2. In the Manager’s Dashboard, select the FortiNAC-CA in the Servers widget.
3. Select Delete.
4. Log out of the FortiNAC Manager.
5. In the FortiNAC-CA UI, the License Information panel should reflect a Concurrent License count of 0. If not, wait
about 1 minute to allow the entitlements to update.

Step 4: Install New Key

1. In the FortiNAC-CA UI, navigate to System > Settings > System Management >License Management.
2. Click Modify License Key.


3. Click Upload and select the new .lic license key file.
4. Click OK. The existing key detail is displayed in a pop-up window along with the new key detail.
5. Click OK to apply the new license key. Click Undo if you want to revert to the existing license key.
6. To restart the server immediately, click OK on the dialog box.
7. Click OK to confirm.
8. Once the system has restarted, review the Administration UI to verify the new entitlements:
l License Information Dashboard panel
l System > Settings > System Management > License Management

Troubleshooting: Mismatched MAC Address error when installing new key.

Step 5: Validate

Confirm any previously shared (global) objects are still listed and are modifiable.

Step 6: Shut Down the Manager

The Manager can now be shut down.

1. In the Manager UI, navigate to System > Settings > System Management > Power Management.
2. Select a server from the list.
3. Click Power Off. This process may take 30 seconds.


Move server to another Manager (FNC-M/FNC-CA)

Use these steps to transfer an existing managed FortiNAC server from one FortiNAC Manager to another.

Requirements

l FortiNAC version: 9.2.7, 9.4.2, F7.2.1 or greater on all appliances
l License contracts have been installed on the new Manager

Considerations

l Perform snapshots on any virtual appliances before proceeding
l During this process, there will be a period of time where entitlements will not be available
l Due to the above, it is recommended this process be done during a maintenance window if the FortiNAC server is
controlling network access (under enforcement)

Step 1: Review Global Objects

In the Manager, take a screen capture or note the global objects and confirm they are present on the managed FortiNAC
server. This list will be used to verify the objects once the server is removed from the Manager.
Admin Profiles:
Users & Hosts > Administrators > Profiles
Guest Templates:
Users & Hosts > Guests & Contractors > Templates
Device Profiling Rules:
Users & Hosts > Device Profiling Rules
Device Types:
System > Settings > Identification > Device Types
Groups:
System > Groups
Roles:
Policy & Objects > Roles
User/Host Profiles:
Policy & Objects > User/Host Profiles
Endpoint Compliance Policies:
Policy & Objects > Endpoint Compliance > Policies


Endpoint Compliance Configurations:
Policy & Objects > Endpoint Compliance > Configurations
Endpoint Compliance Scans:
Policy & Objects > Endpoint Compliance > Scans
Security Actions used by Endpoint Compliance configurations:
Policy & Objects > Endpoint Compliance > Actions

Step 2: Remove Server from Server List

1. Log in to the Manager UI in one web browser window and the server UI in another.
2. In the Manager’s Dashboard, select the server in the Servers widget.
3. Select Delete.
4. Log out of the Manager.

In the server UI, the License Information panel should reflect a Concurrent License count of 0. If not, wait about 1
minute to allow the entitlements to update.

Step 3: Validate

In the server, confirm any previously shared (global) objects are still listed and are modifiable.

Step 4: Update Existing Manager’s Allowed Serial Numbers (optional)

Delete the server's Serial Number(s) from the existing Manager's allowed serial number list. If the Manager is being
decommissioned, this step can be skipped.
1. Log in to the existing Manager's CLI as root and type:
globaloptiontool -name security.allowedserialnumbers
Example of results:
security.allowedserialnumbers: FNVM-CAxxxxx6,FNVM-CAxxxxx7,FNVM-CAxxxxx8
2. Copy the resulting serial number list (example: FNVM-CAxxxxx6,FNVM-CAxxxxx7,FNVM-CAxxxxx8) to a text
editor.
3. Delete the CA's Serial Number from the list. Example where CA's Serial Number is FNVM-CAxxxxx6:
FNVM-CAxxxxx7,FNVM-CAxxxxx8
4. Enter the following command and include the edited content
globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"
Example:
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-CAxxxxx7,FNVM-
CAxxxxx8"
5. Log out of the CLI. Type:
logout


Step 5: Update CA’s Allowed Serial Numbers

Update the server's allowed serial number list with the new Manager serial number. Replace the old Manager's serial
number rather than appending to it, so that the old Manager is no longer in the server's allowed list.
1. Log in to the server CLI as root and type:
globaloptiontool -name security.allowedserialnumbers
2. Copy the resulting serial number list to a text editor. Replace the serial numbers of the existing Manager(s) with the
new Manager(s).
3. Enter the following command and include the edited content
globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"
Example:
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-
Mxxxxxxx2"
4. Log out of the CLI. Type:
logout

Step 6: Update New Manager’s Allowed Serial Numbers

Add the server's Serial Number(s) to the new Manager's allowed serial number list.
1. Log in to the new Manager's CLI as root and type:
globaloptiontool -name security.allowedserialnumbers
Example of results:
security.allowedserialnumbers: FNVM-CAxxxxx4,FNVM-CAxxxxx5
2. Copy the resulting serial number list (example: FNVM-CAxxxxx4,FNVM-CAxxxxx5) to a text editor.
3. Add the CA's Serial Number(s) at the end of the list. Example where CA's Serial Number is FNVM-CAxxxxx6:
FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6
4. Enter the following command and include the edited content
globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"
Example:
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVM-Mxxxxxxx1,FNVM-Mxxxxxxx2,FNVM-CAxxxxx4,FNVM-CAxxxxx5,FNVM-CAxxxxx6"
5. Log out of the CLI. Type:
logout

Step 7: Add Server to New Manager’s Server List

Add the server to the new Manager's UI.
1. Navigate to the Dashboard.
2. Select Create New in the Servers widget and add the FortiNAC server IP address.

Manager will automatically copy the license entitlements to the CA.

Step 8: Shut Down the Old Manager (optional)

If being decommissioned, the old Manager can now be shut down.
1. In the Manager UI, navigate to System > Settings > System Management > Power Management.
2. Select a server from the list.
3. Click Power Off. This process may take 30 seconds.

Move server to another Manager (FNC-MX/FNC-CAX)

Use these steps to transfer an existing managed FortiNAC server from one FortiNAC Manager to another.

Requirements

- FortiNAC version: 9.2.7, 9.4.2, F7.2.1 or greater on all appliances
- License contracts have been installed on the new Manager

Considerations

- Perform snapshots on any virtual appliances before proceeding
- During this process, there will be a period of time where entitlements will not be available
- Due to the above, it is recommended this process be done during a maintenance window if the FortiNAC server is controlling network access (under enforcement)

Step 1: Review Global Objects

In the Manager, take a screen capture or note the global objects and confirm they are present on the managed server.
This list will be used to verify the objects once the server is removed from the Manager.
Admin Profiles:
Users & Hosts > Administrators > Profiles
Guest Templates:
Users & Hosts > Guests & Contractors > Templates
Device Profiling Rules:
Users & Hosts > Device Profiling Rules
Device Types:
System > Settings > Identification > Device Types
Groups:
System > Groups
Roles:
Policy & Objects > Roles
User/Host Profiles:
Policy & Objects > User/Host Profiles
Endpoint Compliance Policies:
Policy & Objects > Endpoint Compliance > Policies
Endpoint Compliance Configurations:
Policy & Objects > Endpoint Compliance > Configurations
Endpoint Compliance Scans:
Policy & Objects > Endpoint Compliance > Scans
Security Actions used by Endpoint Compliance configurations:
Policy & Objects > Endpoint Compliance > Actions

Step 2: Remove Server from Server List

1. Log in to the Manager UI in one web browser window and the server UI in another.
2. In the Manager’s Dashboard, select the server in the Servers widget.
3. Select Delete.
4. Log out of the Manager.
5. In the server UI, the License Information panel should reflect a Concurrent License count of 0. If not, wait about 1
minute to allow the entitlements to update.

Step 3: Validate

In the server, confirm any previously shared (global) objects are still listed and are modifiable.

Step 4: Update Existing Manager’s Allowed Serial Numbers (optional)

Delete the server’s Serial Number(s) from the existing Manager's allowed serial number list. If the Manager is being
decommissioned, this step can be skipped.
1. Log in to the existing Manager's CLI as admin and type:
execute enter-shell
globaloptiontool -name security.allowedserialnumbers
Example of results:
security.allowedserialnumbers: FNVX-CAxxxxx6,FNVX-CAxxxxx7,FNVX-CAxxxxx8
2. Copy the resulting serial number list (example: FNVX-CAxxxxx6,FNVX-CAxxxxx7,FNVX-CAxxxxx8) to a text editor.
3. Delete the CA's Serial Number from the list. Example where CA's Serial Number is FNVX-CAxxxxx6:
FNVX-CAxxxxx7,FNVX-CAxxxxx8
4. Enter the following command and include the edited content
globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"
Example:
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVX-CAxxxxx7,FNVX-CAxxxxx8"
5. Log out of the CLI. Type:
exit
exit

Step 5: Update FortiNAC Server’s Allowed Serial Numbers

Update the server’s allowed serial number list with the new Manager serial number.
1. Log in to the server CLI as admin and type:
execute enter-shell
globaloptiontool -name security.allowedserialnumbers
2. Copy the resulting serial number list to a text editor. Replace the serial numbers of the existing Manager(s) with the
new Manager(s).
3. Enter the following command and include the edited content
globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"
Example:
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVX-Mxxxxxxx1,FNVX-Mxxxxxxx2"
4. Log out of the CLI. Type:
exit
exit

Step 6: Update New Manager’s Allowed Serial Numbers

Add the server’s Serial Number(s) to the new Manager's allowed serial number list.
1. Log in to the new Manager's CLI as admin and type:
execute enter-shell
globaloptiontool -name security.allowedserialnumbers
Example of results:
security.allowedserialnumbers: FNVX-CAxxxxx4,FNVX-CAxxxxx5
2. Copy the resulting serial number list (example: FNVX-CAxxxxx4,FNVX-CAxxxxx5) to a text editor.
3. Add the server's Serial Number(s) at the end of the list. Example where CA's Serial Number is FNVX-CAxxxxx6:
FNVX-Mxxxxxxx1,FNVX-Mxxxxxxx2,FNVX-CAxxxxx4,FNVX-CAxxxxx5,FNVX-CAxxxxx6
4. Enter the following command and include the edited content
globaloptiontool -name security.allowedserialnumbers -setRaw "<updated_SN_list>"
Example:
globaloptiontool -name security.allowedserialnumbers -setRaw "FNVX-Mxxxxxxx1,FNVX-Mxxxxxxx2,FNVX-CAxxxxx4,FNVX-CAxxxxx5,FNVX-CAxxxxx6"
5. Log out of the CLI. Type:
exit
exit
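The CLI work in Steps 4 to 6, in both the FNC-M/FNC-CA and the FNC-MX/FNC-CAX variants, comes down to reading the security.allowedserialnumbers allowlist, editing the comma-separated value and writing it back. The POSIX shell helpers below are an added example, not Fortinet's code and not part of this guide; they assume only the globaloptiontool command and output format shown above (sn_apply is the one function that calls it), and every serial number in them is a constructed placeholder in the guide's style.

```shell
# Added example, not Fortinet's code: helpers for editing the
# security.allowedserialnumbers list from the steps above without retyping it.
# The list is an allowlist of appliances permitted to pair with this one, so
# additions are checked against the serial format and every write is read back
# and compared before it counts as done. Serials are constructed placeholders.

# A serial is FNVM-/FNVX- plus CA (managed server) or M (Manager) and a tail.
sn_valid() {
    case "$1" in
        FNV[MX]-CA?*|FNV[MX]-M?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn the tool's "security.allowedserialnumbers: A,B,C" output into "A,B,C".
sn_parse_output() { printf '%s\n' "${1#*: }"; }

# Print LIST with SN removed (Step 4). Order is kept; an absent SN is a no-op.
sn_list_remove() {
    out=""; old_ifs=$IFS; IFS=','
    for item in $1; do
        [ "$item" = "$2" ] || out="${out:+$out,}$item"
    done
    IFS=$old_ifs; printf '%s\n' "$out"
}

# Print LIST with SN appended once (Steps 5 and 6). A malformed serial is
# refused so a typo cannot silently widen or break the allowlist.
sn_list_add() {
    sn_valid "$2" || { echo "refusing malformed serial: $2" >&2; return 1; }
    case ",$1," in
        *",$2,"*) printf '%s\n' "$1" ;;
        *) printf '%s\n' "${1:+$1,}$2" ;;
    esac
}

# Write NEW_LIST on the local appliance and verify it. Run as root, or from the
# admin CLI after 'execute enter-shell', exactly as the guide does; the helpers
# above never call the tool, so they can be tried on any host first.
sn_apply() {
    globaloptiontool -name security.allowedserialnumbers -setRaw "$1" || return 1
    got=$(sn_parse_output "$(globaloptiontool -name security.allowedserialnumbers)")
    [ "$got" = "$1" ] || { echo "verify failed, tool reports: $got" >&2; return 1; }
}
```

Step 5 on the managed server is sn_list_remove for each old Manager serial followed by sn_list_add for each new one, then a single sn_apply with the result.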

Step 7: Add Server to New Manager’s Server List

Add the server to the new Manager's UI.
1. Navigate to the Dashboard.
2. Select Create New in the Servers widget and add the FortiNAC server IP address.

Manager will automatically copy the license entitlements to the FortiNAC server.

Step 8: Shut Down the Old Manager (optional)

If being decommissioned, the old Manager can now be shut down.
1. In the Manager UI, navigate to System > Settings > System Management > Power Management.
2. Select a server from the list.
3. Click Power Off. This process may take 30 seconds.

Copyright © 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
