• Isolate the violating hosts to the VLAN for Quarantine (Remediation).
• Allow for the re-installation of the persistent agent. Once the agent is installed and communication is restored, the host will be allowed back onto the network.
1. Create a dead end role.
a. Navigate to Policy > Roles > Add.
b. Type in Dead End for the name.
c. Click OK.
2. Enable the Lost Contact with Persistent Agent Event to Alarm Mapping.
a. Navigate to Logs > Event to Alarm Mappings.
b. Add or double click to modify.
c. Click the enabled checkbox.
d. Select a severity from the drop-down box (Critical).
e. Select Clear on Event and select (Regained Contact with Persistent Agent).
f. Select Trigger Rule and set to Event Frequency (4 events occurring within 1 hour).
g. Check the checkbox for Action.
h. Select Host Role Action in the drop-down box.
i. Select the Dead End role in the Primary Task drop down.
3. Create a Network Access Policy to restrict hosts with the "Dead End" role.
a. Navigate to Policy > Policy Configuration > Network Access Policy > Add.
b. Give the Network Access Policy a name (Lost Contact with Persistent Agent).
c. Click the Add icon under User Host Profile.
d. Give the User Host Profile a name (Lost Contact with Persistent Agent).
e. Click Add in Who/What by Attribute.
f. Click on the host tab.
g. Click the checkbox for role under Policy - Access.
h. Type in Dead End.
i. Click OK.
j. Click the add icon under Network Access Configuration.
k. Give the Network Access Configuration a name (Lost Contact with Persistent Agent).
l. Type in the Dead End VLAN number.
m. Click OK.
n. Set the rank of the Network Access Policy as needed.
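To make the alarm mapping from step 2 concrete, the following added example (not FortiNAC code, and not part of the original article) replays a constructed stream of agent events through the same rule: a Critical alarm and the Dead End Host Role Action fire after 4 Lost Contact events within 1 hour, and the alarm is cleared by Regained Contact. The event tuple shape, the host names and the assumption that the prior role is restored on clear are my own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the article's Event to Alarm Mapping.
LOST = "Lost Contact with Persistent Agent"
REGAINED = "Regained Contact with Persistent Agent"
THRESHOLD, WINDOW = 4, timedelta(hours=1)          # Event Frequency: 4 events within 1 hour
DEAD_END_ROLE, SEVERITY = "Dead End", "Critical"

def evaluate(events):
    """Replay (iso_timestamp, host, event_name) tuples; return (per-host state, fired actions)."""
    recent = defaultdict(deque)            # per-host timestamps of LOST events still inside the window
    state = defaultdict(lambda: {"alarm": None, "role": "original"})
    actions = []
    for ts_str, host, name in events:
        ts = datetime.fromisoformat(ts_str)
        st = state[host]
        if name == LOST:
            window = recent[host]
            window.append(ts)
            while ts - window[0] > WINDOW:          # drop events older than 1 hour
                window.popleft()
            if len(window) >= THRESHOLD and st["alarm"] is None:
                st["alarm"], st["role"] = SEVERITY, DEAD_END_ROLE   # Host Role Action: Dead End
                actions.append((ts_str, host, f"alarm {SEVERITY}; role -> {DEAD_END_ROLE}"))
        elif name == REGAINED and st["alarm"] is not None:
            # Clear on Event. Assumption: the host's prior role is restored, matching the
            # article's statement that the host is allowed back once communication is restored.
            st["alarm"], st["role"] = None, "original"
            recent[host].clear()
            actions.append((ts_str, host, "alarm cleared; role restored"))
    return dict(state), actions

# Constructed sample event stream (not real FortiNAC log output).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "host-a", LOST),
    ("2024-05-01T09:10:00", "host-a", LOST),
    ("2024-05-01T09:20:00", "host-b", LOST),
    ("2024-05-01T09:25:00", "host-a", LOST),
    ("2024-05-01T09:30:00", "host-b", LOST),
    ("2024-05-01T09:40:00", "host-a", LOST),      # 4th host-a event within 1 hour -> alarm
    ("2024-05-01T09:40:00", "host-b", LOST),
    ("2024-05-01T10:25:00", "host-b", LOST),      # 09:20 has aged out: only 3 in window, no alarm
    ("2024-05-01T12:00:00", "host-a", REGAINED),  # clears the alarm
]

if __name__ == "__main__":
    print(*evaluate(SAMPLE_EVENTS)[1], sep="\n")
```

Running it shows host-a alone being moved to Dead End at 09:40 and restored at 12:00, while host-b, whose fourth event falls outside the 1 hour window, never triggers the alarm.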
Copyright 2024 Fortinet, Inc. All Rights Reserved.