This article describes the causes for disconnected collectors (FQA).
Questions and Answers
Question 1: Is it possible to edit the timeout period for a license to expire?
Question 2: Was it detected that an agent had its license expired, but upon power up, it was noted that it was removed from the FortiEDR console, but still had the agent installed and that agent is still ON, but The information was no longer seen in our console, is this behavior correct?
Answer: As soon as an agent connects to the aggregator again (For example after 31 days) a license would assign to it and it works like before.
Question 3: If the agent is installed and ON despite not having a license, is it still blocking?
Answer: Yes it would block based on the last policies and exceptions that were downloaded from the aggregator.
Question 4: If it continues to block as indicated in point (above), is the block based on the latest configurations and security signatures?
Answer: Each security event that triggered on the collector side would also reclassify based on FCS (Fortinet Cloud Service). The EDR is mostly work based on the process behavior not signature. In collector version 5.x the local core would decide based on security policies, exception and communication policies. If a collector doesn’t have a connection to get the latest policies and exceptions, it would make a decision based on the last one that it downloaded.
Question 5: If the EDR agent installed on the end machine, which is unlicensed, continues to block malware, do the malware blocks focus on the Fortinet database, until the last time it was updated with the license?
Answer: If it’s the first time, and the aggregator doesn’t have enough license to assign to it, this collector wouldn’t have any configuration, so it wouldn’t detect anything. However if this collector has license at some point, it would still block the malicious activities.
Question 6: New malware and ransomware are constantly being discovered every day, the EDR agent installed without a license will no longer protect the computer from newly discovered malware and ransomware, right?
Answer: The EDR is working based on process behavior other than just being a signature base software. So it would triggered even when the malware or ransomware is not published yet (0-day attack).
Question 7: In case the EDR is not focused as commented (above) and is only based on the behavior of the rules, then the EDR agent installed without a license on the final computer will continue to protect the client for free, It is right?
Answer: No. There are many features that one cannot use when the agent is not registered and running on EDR manager. Following are some of the examples:
- The Threat Hunting date.
- New exception for the events that triggered.
- FCS classification and playbook.