Frequently Asked Questions
What is the difference between NAC 6.0 and existing NAC products?
The following features have been added to implement Zero Trust security policies on top of the capabilities of existing NAC products:
Dynamic destination access control for communication between sensor-managed nodes, from the internal network to the cloud, and for access from home.
NAC 6.0 Client, providing enhanced endpoint security and a secure communication environment for telecommuters.
Cloud information collection for visibility and Zero Trust access control of cloud server segments.
Cloud Gateway, providing dynamic access control for cloud server segments and Internet access.
Cloud Security Group Management for automated security policy management on cloud servers.
NetFlow (IPFIX)-based NTA capabilities that provide visibility into network traffic.
Security news feed service that informs you of the latest security news and the related nodes.
New Dashboard, extended node types, and a platform-image-based grid view.
What is Zero Trust security policy and how does NAC 6.0 provide it?
Zero Trust means that, by default, a device accessing the network is allowed to reach only the services/servers that are essential to that device. To do this, both the source and the destination must be categorized very precisely according to their role (micro-segmentation). NAC 6.0 can manage node groups for destinations, including sources and the cloud, through node groups that provide more than 500 conditional expressions. NAC 6.0 allows these node groups to be used when defining the network access permitted to finely classified user endpoints. When destination control is enabled through node groups, the security policy is updated automatically based on status/properties/tags, etc., moving away from the IP/subnet-based security policy provided by existing products.
Do I need new equipment or network configuration for dynamic destination control?
No. No new equipment or network configuration changes are required when NAC 6.0 is operated in an environment where sensors are already installed. Dynamic access control works without configuration changes, using standard VXLAN SGT communication between sensors. Genians' patented ARP-based virtual in-line access control method allows out-of-band deployment, or an in-line gateway sensor can be built for in-band access control, so you can choose the method appropriate to the deployment environment.
How can dynamic destination control be applied when accessing servers (workloads) that exist in the cloud?
Cloud access control can be applied in two ways. The first is to synchronize a node group with the Security Group feature provided by the cloud, so that the Security Group holds the IP list of devices allowed to access the server. The second is to configure the Cloud Gateway so that all communication passes through it for access control; in this case you can use the SSL-VPN-based G2C method for specific endpoints only, or the IPsec-based G2G method for network-level connections.
Is the user's network traffic visibility provided when performing dynamic access control?
Yes. NAC 6.0 provides standard NetFlow (IPFIX)-based audit records for connections through sensors/gateways. These records include the 5-tuple and policy information, as well as GeoIP, BGP AS, HTTPS Encrypted Traffic Analysis (ETA), HTTP request information, etc.
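The two answers above describe destination control driven by node-group attributes rather than IP/subnet rules, and audit records that pair the flow 5-tuple with the policy decision. The following added example (not Genian code; node inventory, tags, rules and flows are all constructed, and the rule/tag format is a hypothetical stand-in for NAC's node-group conditions) shows both ideas together: a default-deny evaluator that matches source and destination by tags, and an IPFIX-style record built from the result. Changing one node's posture tag changes what it may reach without touching any IP rule.

```python
"""Added example: tag-based destination control with 5-tuple audit records.
Not Genian NAC code; all nodes, tags, rules and flows below are constructed."""
from dataclasses import dataclass

# IANA protocolIdentifier values used in IPFIX records.
PROTO_NUM = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Node:
    ip: str
    tags: frozenset          # e.g. {"role:hr", "status:compliant"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_tags: frozenset      # all must be present on the source node
    dst_tags: frozenset      # all must be present on the destination node
    dst_ports: frozenset     # allowed destination ports (empty = any port)
    protocol: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str


# Constructed inventory: membership is expressed by tags, not by subnet.
INVENTORY = {
    "10.1.1.10": Node("10.1.1.10", frozenset({"role:hr", "status:compliant"})),
    "10.1.1.11": Node("10.1.1.11", frozenset({"role:hr", "status:quarantined"})),
    "10.9.0.5": Node("10.9.0.5", frozenset({"role:hr-db", "env:cloud"})),
    "10.9.0.6": Node("10.9.0.6", frozenset({"role:finance-db", "env:cloud"})),
}

# Constructed rule: compliant HR endpoints may reach the HR database on 5432.
RULES = [
    Rule("hr-to-hr-db", frozenset({"role:hr", "status:compliant"}),
         frozenset({"role:hr-db"}), frozenset({5432})),
]


def evaluate(flow, inventory, rules):
    """Return (decision, rule_name). Unknown nodes or no matching rule -> deny."""
    src = inventory.get(flow.src_ip)
    dst = inventory.get(flow.dst_ip)
    if src is None or dst is None:
        return "deny", None
    for r in rules:
        if (r.src_tags <= src.tags and r.dst_tags <= dst.tags
                and r.protocol == flow.protocol
                and (not r.dst_ports or flow.dst_port in r.dst_ports)):
            return "permit", r.name
    return "deny", None


def audit_record(flow, inventory, rules):
    """Build an IPFIX-style audit record: the 5-tuple plus the policy outcome.
    Field names follow the IANA IPFIX information element registry."""
    decision, rule = evaluate(flow, inventory, rules)
    return {
        "sourceIPv4Address": flow.src_ip,
        "destinationIPv4Address": flow.dst_ip,
        "sourceTransportPort": flow.src_port,
        "destinationTransportPort": flow.dst_port,
        "protocolIdentifier": PROTO_NUM[flow.protocol],
        "policyDecision": decision,
        "policyRule": rule,
    }


def retag(inventory, ip, add=(), remove=()):
    """Return a new inventory with one node's tags changed (e.g. posture update).
    The rules are untouched; only the node's attributes move."""
    node = inventory[ip]
    return {**inventory, ip: Node(ip, (node.tags - frozenset(remove)) | frozenset(add))}


if __name__ == "__main__":
    flows = [
        Flow("10.1.1.10", "10.9.0.5", 51000, 5432, "tcp"),   # compliant HR -> HR DB
        Flow("10.1.1.11", "10.9.0.5", 51001, 5432, "tcp"),   # quarantined HR -> HR DB
        Flow("10.1.1.10", "10.9.0.6", 51002, 5432, "tcp"),   # HR -> finance DB
    ]
    for f in flows:
        print(audit_record(f, INVENTORY, RULES))
    # Posture changes: the quarantined node becomes compliant, no IP rule edited.
    fixed = retag(INVENTORY, "10.1.1.11", add={"status:compliant"}, remove={"status:quarantined"})
    print(audit_record(flows[1], fixed, RULES))
```

The evaluator is deliberately default-deny: an IP that is not in the inventory, or a flow that matches no rule, is denied, which is the Zero Trust posture the FAQ describes.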
What is the difference between the dynamic access control provided by NAC 6.0 and the controller-type SDN?
A controller-type SDN, which handles dynamic access control for all connections on one central controller, has the problem that all communication is interrupted if the controller fails. In contrast, Genian NAC 6.0's dynamic access control uses the standard VXLAN SGT method, and dynamic access control for already-authorized endpoints continues to operate normally even if the policy server fails. In addition, because it is provided through Genians' own ARP virtual in-line method, no change to the physical network configuration or network settings is required.
What happens if a NAC 6.0 sensor failure occurs when using dynamic destination access control?
If you are operating in out-of-band host sensor mode, the network access control function is disabled while the sensor is down. If you are operating in-band with the Cloud Gateway, recovery is faster than with an on-premises appliance, through a simple instance reboot or replacement.
What benefits do the VPN capabilities in NAC 6.0 offer over traditional VPNs?
NAC 6.0 provides the IPsec and SSL-VPN capabilities of traditional VPNs by default. The NAC 6.0 Client is integrated in the NAC Agent and supports zero configuration. The PoP can be located in the cloud, which dramatically reduces WAN segment traffic and gives users faster network access than traditional VPNs, where all traffic enters the company network. PoPs can be located in various countries/continents, making it suitable for global companies (multiple PoPs with latency-based automatic PoP selection). Network access can be limited to devices that have passed the device integrity check provided by the NAC Agent, and access continues to be controlled through continuous device health checks while the network is in use.
Does NAC 6.0 support Multi Cloud environments?
Using more than one cloud service is becoming common as cloud environments grow more complex. NAC 6.0 provides an easy way to simplify and automate the setup of different security policies for different cloud providers. When security policies for cloud servers/services are defined in NAC 6.0, security groups are applied automatically through the industry-standard Terraform, without needing the separate UI/API/CLI of each cloud service.
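The first cloud method above (a node group synchronized into a cloud Security Group) and the multi-cloud answer both come down to reconciling a list of permitted sources into security-group ingress rules. The following added example (not Genian or Terraform code; the security group is modelled as plain data and no cloud API is called, and the rule tuple shape is an assumption) shows the reconcile step: compute the rules to add and remove for one managed port, replace a wide-open rule with per-node /32 entries, leave rules on other ports alone, and converge so that a second run is a no-op.

```python
"""Added example: reconcile a node group's members into security-group ingress
rules. Not Genian or Terraform code; rules are (cidr, protocol, port) tuples
held in plain sets, and the sample data is constructed."""
from ipaddress import ip_network


def desired_rules(node_group_ips, port, protocol="tcp"):
    """Translate node-group members into ingress rules for one service port.
    Bare addresses become /32 (or /128) entries; CIDRs are kept as given."""
    rules = set()
    for ip in node_group_ips:
        net = ip_network(ip, strict=False)
        rules.add((net.with_prefixlen, protocol, port))
    return rules


def plan(current_rules, wanted_rules, managed_port):
    """Compute (to_add, to_remove). Only rules on the managed port are in scope,
    so rules maintained elsewhere for other ports are not touched. Any existing
    rule on the managed port that is not in the node group (for example a
    0.0.0.0/0 entry) is scheduled for removal."""
    in_scope = {r for r in current_rules if r[2] == managed_port}
    return wanted_rules - in_scope, in_scope - wanted_rules


def apply_plan(current_rules, to_add, to_remove):
    """Return the security group contents after the plan is applied."""
    return (set(current_rules) - to_remove) | to_add


def reconcile(current_rules, node_group_ips, port, protocol="tcp"):
    """One full sync: returns (new_rules, to_add, to_remove)."""
    wanted = desired_rules(node_group_ips, port, protocol)
    to_add, to_remove = plan(current_rules, wanted, port)
    return apply_plan(current_rules, to_add, to_remove), to_add, to_remove


if __name__ == "__main__":
    # Constructed starting state: the database port is open to the world.
    sg = {("0.0.0.0/0", "tcp", 5432), ("10.0.0.0/8", "tcp", 22)}
    group = ["10.1.1.10", "10.1.1.12"]
    sg, added, removed = reconcile(sg, group, 5432)
    print("added:", sorted(added))
    print("removed:", sorted(removed))
    # Second run with the same membership changes nothing.
    sg, added, removed = reconcile(sg, group, 5432)
    print("second run added/removed:", added, removed)
    # A node leaving the group loses its rule on the next sync.
    sg, added, removed = reconcile(sg, ["10.1.1.10"], 5432)
    print("after member left, removed:", sorted(removed))
```

Scoping the reconciler to a single port is the design choice worth noting: it lets the node-group sync own one service's ingress without clobbering rules that another team or tool manages on the same security group.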
Can Cloud Security Group Management be applied only to Public Cloud?
No. It also applies to private clouds such as VMware/Citrix, and to HCI and hybrid clouds such as Nutanix. A variety of other providers, including switches, security equipment, and SaaS services, can also be supported; support is added progressively on request.
What is the difference between NAC 6.0 and SASE?
SASE's approach is to route all network access through a cloud gateway, placing all security systems in the cloud, which shifts the on-premises-centric security system to a cloud-centric one. NAC 6.0 provides the NAC 6.0 Client and Cloud Gateway needed to do this. The Cloud Gateway offers a variety of tunneling methods, including IPsec, SSL-VPN, GRE, and VXLAN, so that different branches and telecommuters can create secure communication channels. NAC 6.0 thus lets users build their own SASE service.
Does NAC 6.0 support Multi-Tenancy?
NAC 6.0 supports Kubernetes-based multi-tenant environments that can serve multiple tenants, in addition to the traditional single-tenant product. This allows you to build a system that provides independent, managed services for multiple domains within the client company.
What is the product release cycle?
Genian NAC 6.0 releases a new minor version every month.
Can I downgrade my software version?
No, downgrade is not supported. To downgrade, create a backup before upgrading, then reinstall the software and restore the backup data.
Is the communication between each component encrypted?
Yes, communication between each component is encrypted through TLS.
What if I exceed the license amount?
See step 1 on Sizing Software and Hardware
How can I check Windows update of endpoints?
See step 1 on Update Windows
How come the blocked Nodes cannot open the CWP through Genian NAC 6.0?
See step 1 on Blocked Nodes are not redirected to CWP page
What Regex engine does Genian NAC 6.0 utilize?
Genian NAC 6.0 uses Perl Compatible Regular Expressions (PCRE). For syntax information, refer to the following resources:
Can User Credentials from Active Directory be used to access the Web Console?
Yes. To configure this, you must set up both authentication integration and user database synchronization with an AD domain controller. Finally, the Active Directory user must be selected in the Genians user database and configured with a superAdmin role.
Can Node info be imported from a wireless controller via SNMP?
No, this function is not supported.
Why can't I collect domain information from my Agentless environment?
Domain name and host name information in an Agentless environment is collected via two methods:
Method 1 - The Sensor extracts the domain name and host name from NetBIOS packets. Be sure to add a sensor interface in each subnet for which you want to collect this information.
Method 2 - WMI collection of the domain, host name and other information is possible if configured. If the Sensor is not populating domain or host name information, reference the following information on how to configure this feature.
Why is the Agentless device host name not collected?
The answer is the same as for the previous question: the host name is collected either from NetBIOS packets by the Sensor (Method 1) or via WMI collection if configured (Method 2).
Why can't I collect device information in my Agentless environment, even after configuring Agentless WMI collection?
In Windows 10 version 2004 there are known issues with WMI not functioning properly due to DCOM version issues. The recommendation is to upgrade to a later version. If upgrading to a later version is not possible, please contact your technical support representative.
Why is there an 'Agent Not Installed' policy even though we are using Agentless?
The default enforcement policy assumes that the Agent is installed. Create or delete policies to suit your environment before using it.
When is the update cycle of Genian data?
Genian data is updated automatically at the configured interval when the scan interval is set at Web Console > Preferences > Miscellaneous > Genian data settings > Scan interval and the Automatic Update item below it is set to On.
How can I collect wireless LAN SSIDs?
Refer to the following document: Controlling WLAN.
How do I control endpoint wireless LAN access?
Endpoint wireless LAN access can be controlled in two ways: disable the wireless network adapter (Controlling Network Interface), or restrict wireless LAN AP access using Controlling WLAN.
How do you control unnecessary administrator web access?
Session management (Managing Administrator Connections) allows unnecessary access sessions to be forcibly terminated.
Can I access the web console using user credentials in Active Directory?
Yes. Set up authentication integration and information synchronization with the AD domain controller (including user database synchronization); finally, select the AD user in the Genians user database and configure the account (see the external integration / LDAP documentation).
How are node type and platform classified?
Node type and platform are classified using the operational databases NMDB and GPDB (GDPI).
How do I collect agent logs?
Right-click the agent tray icon -> Click Program Information -> Click Error Reporting -> Check C:GnAgentDate.zip File
What is the difference between node actions in a node policy and node actions in an enforcement policy?
Node actions in a node policy enable all registered agent plug-ins, whereas node actions used by enforcement (control) policies only make the specified plug-ins available.
A device using a wireless network is detected as a different platform
This false positive occurs when a mobile device or PC uses its random MAC address feature and the randomized MAC carries another manufacturer's OUI. The random MAC setting is in the wireless LAN profile details; set the MAC address type to the endpoint's own MAC to resolve it (see: Wireless LAN User Devices Are Detected as Wrong Platform).
What are Agent Sensor and Network Sensor?
Agent Sensor: Collects asset information on the same network by installing the agent on some endpoints.
Network Sensor: Collects asset information present on the network by setting up a physical server.
How do I use the Agent Sensor feature?
Web Console → Policy (top menu) → click the node policy to apply → click Assign Agent Actions, move 'Sensor' to Selected and click Edit. Then click Edit at the bottom and click Apply Changed Policy (top right) to enable the Agent Sensor feature.
How do I set up the Network Sensor?
Refer to the guide: Installing Network Sensor to configure a physical server (mini PC, desktop, server, etc.).
What information can I collect and view via the Agent Sensor?
Automatically collects the IP, MAC, and host name of endpoints connected to the network and helps you easily identify them.
What information can I collect and view via the Network Sensor?
Automatically collects and lets you easily view device type (PC, Network Appliance, Mobile Device, etc.), IP, MAC, host name, platform, NIC vendor, open ports, and service list.
What is the capacity of the trial license?
You can automatically register and identify up to 300 endpoints.
Can I manage device/equipment information separately?
Yes.
Device: Management → Nodes → Click a device → In the Device Information tab, you can enter and manage manufacture date, vendor, serial number, etc.
Node: Use the Description field, or manage with custom fields if categorization is needed.
Why do I see the agent Location Service permission pop-up on Windows 11 (24H2)?
What changed? Starting with Windows 11 24H2, by Microsoft policy, apps that use Location Services must ask for permission the first time.
Why does it appear? The plugin needs location permission to retrieve Wi-Fi lists, scan, and manage connections.
Affected features: Interface control, network information collection, wireless LAN control, wireless connection manager.
If you don't allow Location Services, these plugins may not function properly.