FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 191569
Description
A registered host connects to the VPN and downloads the Dissolvable Agent in order to scan.  The scan results are not sent to the server, preventing the host from moving to the unrestricted (production) network. 

This behavior is triggered by criteria used in the User/Host Profile for the matching Endpoint Compliance Policy such as (but not limited to): 

Host Group
Host role 
VPN client

Note:
A Rogue host may be able to connect to the VPN, register and successfully move to production.  However, the host will fail to be moved from the restricted network upon re-connect.

This behavior does not affect hosts with the Persistent Agent installed.

Scope
All versions supporting Cisco ASA and FortiGate VPN integrations.

Solution
Workaround:
Include one or more of the following criteria in the User/Host Profile.
 
Important:
Do not include any other criteria.

Required:
Adapter [Connected: Offline]

Optional:
Adapter [IP Address: <VPN IP subnets.  Can use wildcard (*)>]
Host [Persistent Agent: No]

Example 1:
Adapter [Connected: Offline]

Example 2:
Adapter [Connected: Offline]
and
Adapter [IP Address: 10.19.58.*]

Example 3:
Adapter [Connected: Offline]
and
Adapter [IP Address: 10.19.58.*]
or
Host [Persistent Agent: No]

Solution:  Addressed in version 8.8.3.1718.

ID 0652141
ID 0639548
