NSE6 Part 13: FortiNAC Endpoint Compliance, Agents, and Host Isolation

VLAN enforcement gets endpoints onto the right network segment. Compliance scanning decides whether they stay there. A corporate laptop that hasn’t had its AV definitions updated in three weeks is a risk even on the production VLAN — FortiNAC can detect that state and move the device to quarantine without the admin doing anything manually. This part covers how that posture loop works, and how the guest and BYOD workflows fit alongside it.


Agent Types

FortiNAC determines endpoint compliance state through one of three agent models:

Persistent Agent

A background service installed on Windows or macOS that continuously monitors the endpoint’s security state and reports to FortiNAC.

  • Installation: Deployed via endpoint management (SCCM, Intune, Jamf) or manual installer.
  • Communication: Connects to FortiNAC Control Server over TCP 4568 (or a configurable port).
  • Continuous reporting: Reports compliance status at configurable intervals. If AV goes out of date between scans, the persistent agent sees it within the next check interval.
  • Platform: Windows (most feature-complete), macOS, Linux (limited).

Persistent agent capabilities:

Check typeExample
AV productSpecific vendor, version, definition date (e.g., Windows Defender definitions < 7 days old)
OS patch levelWindows Update last run within 30 days
Process runningSpecific process must be present (corporate VPN client) or must not be running (peer-to-peer client)
Registry keyKey must exist with a specific value
File existenceConfiguration file present
FirewallWindows Firewall enabled
Disk encryptionBitLocker enabled

Dissolvable (On-Demand) Agent

A lightweight executable that runs a one-time compliance scan, reports results to FortiNAC, and exits — no installation, nothing left on the endpoint.

  • Triggered by: The user being directed to the registration or compliance portal (typically when landing in the registration VLAN).
  • Limitation: One-time snapshot. If the endpoint’s AV goes out of date after the initial scan, FortiNAC doesn’t know until the next portal visit or scan trigger.
  • Best for: Guest devices, BYOD, contractor machines where installing a persistent agent is not acceptable.

Agentless Assessment

FortiNAC queries the endpoint directly without any installed software:

MethodRequirementWhat it checks
WMI (Windows)Admin credentials to the endpoint, WMI enabledOS version, AV product, patch level, running services
SSHSSH access, admin credentialsLinux process list, file existence
SNMPSNMP enabled on endpointDevice info, interface status

Agentless is less reliable than a persistent agent (endpoints may block WMI or have firewall rules) but requires no software deployment. Useful for servers and network devices where agents are not appropriate.


Compliance Rules and Security Policies

Security rules

A security rule defines a single compliance check: Policy > Policy Configuration > Security Rules > Add

Rule: AV-Definitions-Current
Platform: Windows
Check: Antivirus definition date is less than 7 days old
Check type: Antivirus

Multiple security rules are combined into a security policy:

Security Policy: Corporate-Windows-Baseline
Rules:
  - AV-Definitions-Current (required)
  - OS-Patches-Current (required)
  - Firewall-Enabled (optional — warn only)

A security policy can mark rules as required (failure blocks access) or optional (failure generates a warning but not a quarantine action).

Compliance scan schedule

  • On connect: Scan every time the device connects to the network.
  • Periodic: Scan every N hours while connected.
  • On demand: Admin or event triggers a scan.

Persistent agents report state continuously — the “scan” is the agent’s regular heartbeat. Dissolvable agents scan on demand at portal time.


Remediation Actions

When a device fails a compliance check, FortiNAC can take several remediation actions:

ActionWhat happens
NotifySend email/SMS to the user or admin. No access change.
QuarantineMove the endpoint to the quarantine VLAN via CoA.
Show remediation URLDisplay a page explaining how to fix the issue (captive portal).
Send remediation pushPush a script or update to the endpoint (via agent).
Mark for re-scanAfter N minutes, trigger another compliance scan to check if the issue is resolved.

The most common production workflow:

  1. Compliance fails → device moves to quarantine VLAN (CoA).
  2. User gets captive portal: “Your AV is out of date. Click here to update.”
  3. User updates AV. Persistent agent detects the change and reports compliance pass.
  4. FortiNAC policy re-evaluates → device moves back to production VLAN (CoA).

Quarantine VLAN design

The quarantine VLAN should:

  • Allow access to Windows Update / AV update servers (or a local WSUS/mirror)
  • Allow access to the FortiNAC remediation portal (HTTP/HTTPS to FortiNAC management IP)
  • Block everything else

This ensures non-compliant devices can fix themselves without being able to reach sensitive resources.


Host Isolation

Host isolation is the most restrictive action: the host is completely denied network access (port shut down or VLAN set to a black-hole). Used for:

  • Confirmed compromised hosts
  • Active threat response
  • Devices in disabled state

Network > Hosts > [select host] > Disable

This triggers a CoA to the switch, sending a Disconnect-Request to terminate the 802.1X session and moving the port to a no-access VLAN or shutting it down entirely.


Guest Management

FortiNAC provides a full guest lifecycle without requiring FortiAuthenticator (though FAC integration is an option). The FCA-FNAC exam tests the standalone FortiNAC guest flow.

Self-registration

Guest visits the FortiNAC guest portal (typically served in the guest/registration VLAN):

  1. Guest enters name, email, phone.
  2. FortiNAC sends a verification code to the email or phone number provided.
  3. Guest enters the code and accepts the usage policy.
  4. FortiNAC creates a temporary guest account with configured expiry and VLAN.
  5. Guest gets network access in the guest VLAN.

For higher-assurance guest access:

  1. Guest submits a request with their details and their sponsor’s email.
  2. Sponsor receives an email with an approval link.
  3. Sponsor logs into the sponsor portal (authenticate with AD credentials via LDAP).
  4. Sponsor approves (or rejects) the request.
  5. FortiNAC creates the account and sends credentials to the guest.

Sponsor portal is a separate web interface at https://fortinac-ip/sponsor/. Sponsors authenticate against the LDAP/AD configured in FortiNAC — they do not need a FortiNAC admin account.

Guest account attributes

AttributePurpose
Account expiryGuest loses access after N hours/days
Max simultaneous sessionsPrevents credential sharing
VLAN assignmentGuest VLAN (soft enforcement via policy)
Bandwidth quotaOptional per-account download/upload limit
SMS/email notificationsSend credentials on creation or renewal

Bulk guest creation

For events/conferences: Guest Management > Bulk Create Import a CSV: firstname,lastname,email,phone FortiNAC generates accounts and optionally emails credentials to each guest.


BYOD Workflows

BYOD endpoints are personally-owned devices accessing the corporate network. The workflow goal: register the device as belonging to an employee, optionally profile it as managed/trusted, and assign it to the correct VLAN.

Self-registration portal

  1. Employee connects, lands in the registration VLAN.
  2. Navigates to the FortiNAC registration portal.
  3. Authenticates with AD credentials.
  4. Clicks “Register this device.”
  5. FortiNAC creates a host record: MAC + AD identity. State = Registered. Owner = authenticated employee.
  6. CoA moves the device to the BYOD VLAN.

Certificate-based device onboarding

For a higher-assurance BYOD flow, FortiNAC integrates with FortiAuthenticator as a certificate authority:

  1. Employee registers device and requests a device certificate.
  2. FortiNAC initiates a SCEP request to FortiAuthenticator.
  3. FortiAuthenticator issues a device certificate signed by the corporate CA.
  4. Certificate is installed on the device.
  5. Future 802.1X authentication uses EAP-TLS with the device certificate — no username/password required.

MDM integration

Microsoft Intune:

  • FortiNAC registers an Azure AD app with DeviceManagementManagedDevices.Read.All permission.
  • FortiNAC polls the Graph API for device compliance status.
  • Devices marked Compliant in Intune join a “MDM-Managed” group in FortiNAC.
  • Devices that become non-compliant in Intune trigger a policy re-evaluation.

Jamf Pro:

  • FortiNAC uses Jamf REST API to query Mac and iOS device status.
  • Compliant device → trusted group → production VLAN.

FortiClient EMS:

  • EMS pushes endpoint security status (AV, VPN, firewall, vulnerability state) to FortiNAC via API.
  • Used as a compliance check alongside or instead of the persistent agent.

IoT Device Onboarding

Profiling-driven onboarding for IoT is entirely automatic once profiling rules are tuned:

  1. IP camera connects → profiled as “Axis IP Camera” via DHCP option 60 ("AXIS") + HTTP UA.
  2. FortiNAC creates host record with device type = IP-Camera.
  3. Policy: Host group = IP-Camera, Port group = Any → VLAN 300 (IoT-Cameras)
  4. FortiNAC sends Access-Accept with VLAN 300 → camera is in the IoT VLAN.

No manual registration, no admin action. The profiling rule does the work.


Exam Scenarios

Q: A persistent agent is installed on a laptop but FortiNAC is not receiving compliance reports. A: Check network connectivity from the laptop to the FortiNAC Control Server on TCP 4568. Check firewall rules on the endpoint and between the VLAN and the FortiNAC management subnet. Also verify the agent is configured with the correct FortiNAC server IP.

Q: A guest completes self-registration but the email verification code never arrives. A: FortiNAC SMTP configuration may be missing or wrong. Check Administration > System > Email Settings. Also verify the guest portal is configured to send verification via email, and the user’s email address was entered correctly.

Q: An Intune-managed device is marked compliant in Intune but FortiNAC still places it in the registration VLAN. A: The Intune MDM integration may not have synced yet, or the host record in FortiNAC hasn’t been updated. Trigger a manual MDM sync: System > MDM Integrations > Intune > Sync Now. Also check the host group membership criteria — the device must be in the “MDM-Managed-Compliant” group for the production VLAN policy to match.