Description
This article discusses the behavior where an antivirus program on an endstation reports that FortiNAC is running a scan on a large number of ports. This can occur if Device Profiling Rules are configured to use the 'Active' method to identify rogues or re-validate hosts.
Scope
FortiNAC/CentOS 9.x, 7.2, FortiNAC-F/FortiNAC-OS 7.2
Solution
The 'Active' method scans a large number of ports to identify the device type. The port scan is normal behavior, but it may cause some antivirus programs to report it as a potential network attack.
Note:
If the 'Confirm Rule on Connect' option is enabled in the Device Profiling Rule, registered devices previously profiled with this rule will be scanned each time they connect to the network. This function is used to confirm the device still matches the rule.
See 'Adding a rule' in the Administration Guide for a complete list of available methods for device identification.
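The following added example (not from Fortinet or the original article) shows one way to triage antivirus port-scan alerts so that scans coming from the FortiNAC appliance are separated from scans by any other source. The appliance address, the five-minute window and the alert/connect record layout are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumptions, not from the article: appliance address, window, record layout.
FORTINAC_IPS = {ip_address("192.0.2.10")}
CONNECT_WINDOW = timedelta(minutes=5)

# Constructed sample data (documentation address ranges).
ALERTS = [
    {"time": "2024-05-01T09:00:40", "src": "192.0.2.10", "dst": "198.51.100.21"},
    {"time": "2024-05-01T13:30:00", "src": "192.0.2.10", "dst": "198.51.100.22"},
    {"time": "2024-05-01T09:01:10", "src": "198.51.100.77", "dst": "198.51.100.21"},
]
CONNECTS = [{"time": "2024-05-01T09:00:05", "host": "198.51.100.21"}]


def classify(alert, connects):
    """Label one antivirus port-scan alert by its likely origin."""
    if ip_address(alert["src"]) not in FORTINAC_IPS:
        return "not-fortinac"  # handle as any other port-scan alert
    seen = datetime.fromisoformat(alert["time"])
    for event in connects:
        if event["host"] != alert["dst"]:
            continue
        elapsed = seen - datetime.fromisoformat(event["time"])
        if timedelta(0) <= elapsed <= CONNECT_WINDOW:
            return "fortinac-on-connect"  # consistent with 'Confirm Rule on Connect'
    return "fortinac-other"  # rogue identification or re-validation; check rule config


def triage(alerts, connects):
    """Group alert destinations by label so each group can be handled separately."""
    groups = {}
    for alert in alerts:
        groups.setdefault(classify(alert, connects), []).append(alert["dst"])
    return groups


if __name__ == "__main__":
    for label, hosts in triage(ALERTS, CONNECTS).items():
        print(label, hosts)
```

Matching on the exact appliance address, rather than disabling port-scan detection on the endstation, keeps scans from every other source visible.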