Administration Guide

7.4.0
Host health and scanning

Host health is determined by the endpoint compliance policies, system and administrative states, or scans run on the host. Each time a scan is run, a record of that scan is stored in the database and displayed on the Health tab of the Host Properties window. Each scan and scan type the host is eligible for is shown along with its name, status, and action. The agent scan shown in bold text and highlighted with a gray bar is the scan that is currently applied to the host. Click Show History for short-term historical data.

Scan Configuration Changes

Changes made to a scan configuration only affect the hosts that fail the scan after the change is made. Any hosts that failed the scan prior to the change are not affected. The host must pass the scan before it can take on another host state.

Examples:

  • If Host A is scanned, fails Scan A and is assigned a delay of 2 days, changing Scan A to a delay of 5 days does not alter the delay for Host A. It remains 2 days.
  • If Host A is scanned, fails Scan A and is marked "At Risk", changing Scan A to Delayed Remediation does not alter Host A. It remains "At Risk" until it passes Scan A.

Multiple Scans Applying to a Host

When multiple scans exist in a host record in Host Health, the combination of the Status fields can affect the host state. If the scan associated with the policy is changed, the results of the original scan are no longer in effect, because the endpoint compliance policy that applies to the host now uses a different scan. Failures of Admin or System scans, however, remain in effect. Refer to the table below for the effect of the Status fields on network access.

Scan type/status                                            Network access
Admin      System     Agent scan A   Agent scan B*
---------  ---------  -------------  -------------  --------------------------
Initial    Initial    Failure        Initial        No. Must pass scan B.
Initial    Initial    Failure        Success        Yes
Failure    Initial    Failure        Success        No. Must pass Admin Scan.
Success    Failure    Failure        Success        No. Must pass System Scan.
Success    Success    Failure        Success        Yes

*Agent Scan B is the scan that currently applies to the host in the example in the table.
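The decision the table encodes, written out as an added example (not FortiNAC code) so that exported Health tab records can be checked the same way: an Admin or System Failure blocks access, only the currently applied agent scan counts, and Admin Initial behaves as Success. The record layout, the scan names A and B, and the handling of Failure Pending are assumptions made for the example.

```python
from dataclasses import dataclass, field

BLOCKING = {"Failure"}  # statuses that withhold access (per the table)

@dataclass
class HealthRecord:
    admin: str                  # Admin scan status: Initial / Success / Failure
    system: str                 # System scan status
    agent: dict = field(default_factory=dict)  # agent scan name -> status
    applied_agent_scan: str = ""  # scan shown in bold on the Health tab

def network_access(rec):
    """Return (allowed, reasons). Only the currently applied agent scan counts;
    results of agent scans no longer tied to the policy are ignored."""
    reasons = []
    # Admin: Initial is equivalent to Success, so only Failure blocks.
    if rec.admin in BLOCKING:
        reasons.append("Must pass Admin Scan.")
    if rec.system in BLOCKING:
        reasons.append("Must pass System Scan.")
    current = rec.agent.get(rec.applied_agent_scan, "Initial")
    # An unscanned (Initial) or failed current agent scan withholds access.
    # "Failure Pending" (Delayed Remediation) is outside the table; the page
    # says such a host is not yet placed in remediation, so it is assumed
    # here not to block.
    if current in ("Initial", "Failure"):
        reasons.append(f"Must pass scan {rec.applied_agent_scan}.")
    return (not reasons, reasons)

# The five rows of the table on this page, used as a self-check.
TABLE_ROWS = [
    # (admin, system, agent A, agent B, expected access)
    ("Initial", "Initial", "Failure", "Initial", False),
    ("Initial", "Initial", "Failure", "Success", True),
    ("Failure", "Initial", "Failure", "Success", False),
    ("Success", "Failure", "Failure", "Success", False),
    ("Success", "Success", "Failure", "Success", True),
]

def check_against_table():
    """True when the evaluator reproduces every row of the page's table."""
    for admin, system, a, b, expected in TABLE_ROWS:
        rec = HealthRecord(admin, system, {"A": a, "B": b}, "B")
        if network_access(rec)[0] != expected:
            return False
    return True

if __name__ == "__main__":
    print("table reproduced:", check_against_table())
```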

Access the health tab
  1. Select Users & Hosts > Hosts.
  2. Search for the appropriate host.
  3. Select the host and either right-click or click Options.
  4. From the menu select Host Properties.
  5. Click on the Health tab.

Settings

Option

Description

Type

Admin: Indicates the reason why a host was manually marked at risk. Admin scans do not actually scan the host; they provide a configuration or profile with which to associate the host state. Admin Scans can be used to mark hosts At Risk or Safe based on an alarm action triggered by an event. These scans can also be used to enable or disable access based on the time of day, for example to limit access for guests after 5:00 pm.

System: These scans run scripts on the FortiNAC platform.

Agent: Scans run by an agent installed on the host based on an endpoint compliance policy or set of requirements with which the host must comply. The Agent scan listed in bold and highlighted by a gray bar indicates the scan that is currently applied to the host.

Name

The Name of the scan. There may be more than one scan of a particular type that the host is eligible to be scanned against.

Status

Initial: Default setting indicating that the host has not been scanned, therefore it has neither passed nor failed. For Admin scans, manually setting the scan to Initial is the equivalent of Success. For other scan types, setting the status to Initial has no effect.

Failure: Indicates that the host has failed the scan. This option can also be set manually. When the status is set to Failure the host is marked "At Risk" for the selected scan.

Failure Pending: The host has been scanned and failed a scan that has the Delayed Remediation option enabled. The host is not placed in remediation and it is marked "Pending At Risk". See Delayed remediation for additional information.

Success: Indicates that the host has passed the scan. This option can also be set manually. When the status is set to Success the host is marked "Safe" for the selected scan.

Actions

ReScan appears in the Actions column for Agent scans. Clicking ReScan places the host into the queue to be re-scanned.

If FortiNAC cannot contact the host when ReScan is clicked, a message is displayed indicating that the host was not rescanned.

View history
  1. On the Host Properties Health tab, click Show History.
  2. View the list of scans, results, and when the scan(s) were performed. Results are sorted with the most recent at the top of the list. Note that if there are no Admin, System, or endpoint compliance policy scan results to display when you click History, the History window opens with the message, "There are no scan results for this host."
  3. Inside the History window, click the Script/Profile name to view the details of the scan. The details view opens in a new browser window.
  4. Close the scan details window.
  5. Click Refresh on the History view to refresh the list with the most recent data.
  6. Close the window when finished.
