9.4.0

Persistent Agent Configuration

If the Persistent Agent will not be used, skip this step and proceed to Default Endpoint Compliance Policy.

VPN Communication Using Required Connected Adapter

FortiNAC can be configured to only communicate with Persistent Agents connected to the local network. The option controlling this function is called Require Connected Adapter.

FortiNAC is unable to determine the online status for VPN connections. To allow FortiNAC to communicate with agents over VPN when this option is enabled, additional configuration is required.

  1. Navigate to System > Settings > Persistent Agent > Properties.

  2. Review the Require Connected Adapter setting.

  3. If the Require Connected Adapter checkbox is selected, proceed to step 4. Otherwise, this section can be skipped.

  4. Click the Add button next to Allowed IP Subnets.

  5. Specify the network used for the VPN IP pool, then click OK. This allows FortiNAC to communicate with agents from that network regardless of connection status.

    Example:

    IP Address: 10.200.80.0

    CIDR/mask: 24

For more details, refer to the following section in the Administration Guide: Properties.
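The following is an added example and not FortiNAC's own code: it models the Require Connected Adapter decision described above (communicate with an agent only if its adapter is connected to the local network, or if its IP address falls inside an Allowed IP Subnet) and adds the check a practitioner most often needs when filling in step 5, namely whether the subnet entered actually covers the whole VPN IP pool. The pool range and the class and function names are constructed assumptions; an address handed out beyond the configured subnet would leave that agent unreachable while the option is enabled.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AgentReachabilityPolicy:
    """Constructed model of the Require Connected Adapter behaviour.

    allowed_subnets corresponds to the Allowed IP Subnets list, each entry
    written as an IP address plus CIDR mask, e.g. "10.200.80.0/24".
    """

    require_connected_adapter: bool
    allowed_subnets: list = field(default_factory=list)

    def __post_init__(self):
        # strict=True rejects entries such as "10.200.80.5/24" whose host bits are set.
        self.allowed_subnets = [
            ipaddress.ip_network(s, strict=True) for s in self.allowed_subnets
        ]

    def ip_in_allowed_subnets(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed_subnets)

    def can_communicate(self, ip: str, adapter_connected_locally: bool) -> bool:
        """True if the agent at `ip` would be communicated with under this policy."""
        if not self.require_connected_adapter:
            return True  # option off: every agent is contacted
        if adapter_connected_locally:
            return True  # adapter seen on the local network
        # VPN case: online status is unknown, so only the allow-list can admit it
        return self.ip_in_allowed_subnets(ip)


def uncovered_pool_ranges(pool_first: str, pool_last: str, allowed_subnets: list) -> list:
    """Return the parts of the VPN IP pool that no Allowed IP Subnet entry covers.

    An empty list means the entered subnet(s) fully cover the pool.
    """
    allowed = [ipaddress.ip_network(s, strict=True) for s in allowed_subnets]
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    gaps = []
    for net in ipaddress.summarize_address_range(first, last):
        if not any(net.subnet_of(a) for a in allowed):
            gaps.append(str(net))
    return gaps


if __name__ == "__main__":
    # Constructed values: the documented example subnet and a VPN pool that
    # spans two /24s, so a single /24 entry leaves half the pool uncovered.
    policy = AgentReachabilityPolicy(True, ["10.200.80.0/24"])
    print(policy.can_communicate("10.200.80.25", adapter_connected_locally=False))  # True
    print(policy.can_communicate("10.200.81.25", adapter_connected_locally=False))  # False
    print(uncovered_pool_ranges("10.200.80.1", "10.200.81.254", ["10.200.80.0/24"]))
    print(uncovered_pool_ranges("10.200.80.1", "10.200.81.254", ["10.200.80.0/23"]))  # []
```

Run `uncovered_pool_ranges` with the first and last address your VPN concentrator hands out; any range it returns is a CIDR you still need to add under Allowed IP Subnets.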

Notification Messages

By default, the agent will display messaging to the user informing them of their network status when connecting over VPN.

When end stations first connect, access is restricted and the agent displays:

Network restrictions have been applied for this device

Once FortiNAC has evaluated the end station and moved the IP address to the unrestricted network object group, the agent displays:

Network restrictions have been lifted for this device

These messages will display regardless of the ClientStateEnabled Persistent Agent setting. For more information on this setting, see section Persistent Agent Settings in the Persistent Agent Deployment Guide: Persistent Agent Deployment and Configuration.

To disable the messaging, see Disable Persistent Agent Notifications in the Appendix.