The Forescout interim release version 8.2.1 delivers the following features and enhancements:
- Expanded overlapping IP support to strengthen OT and M&A use cases
- RADIUS enhancements including customizable CoA support for Arista and other vendors
- Enhanced handling of multi-homed OSX devices
- Automatic vendor detection for switches and network devices
- Security enhancements
- Limited appliance support for CT-R/5110 appliances
- Intra-Enterprise Manager and Appliance authentication
- Support for Arista centrally-managed network solutions
- Compatibility with eyeExtend Connect Module 6
Supported Forescout Versions:
- Forescout Version 8.1.1
- Forescout Version 8.1.2
- Forescout Version 8.1.3
- Forescout Version 8.1.4
- Forescout Version 8.2.0
Components updated in this release include:
- Authentication Module 1.2.1
- Core Extensions Module 1.2.1
- Endpoint Module 1.2.1
- Network Module 1.2.1
- Hybrid Cloud Module 1.1
- Content Modules:
- Switch Content Module 1.1.0
- Network Controller Content Module 1.0.1
For more details, refer to the Forescout Platform and Base Modules Release Notes 8.2.1.
Forescout Flexx Licensing Customers:
Download the release and related documentation from the Customer Support Portal.
Forescout Per Appliance Licensing Customers:
Download the release and related documentation from the Updates Portal.
The ISO is available for download at the following location:
The Upgrade Package is available for download at the following location:
The Windows Console is available for download at the following location:
The Linux Console is available for download at the following location:
The OSX Console (32-bit) is available for download at the following location:
Expanded Overlapping IP Support
Overlapping IP addresses occur when IP addresses repeat across your network, as in branch offices, Operational Technology or plant/production environments, or when corporate networks merge. In version 8.2, new tools let you configure distinct IP Reuse Domains to distinguish network segments with overlapping IPs.
In this release, the following components now support this feature:
- Wireless Plugin 2.0.1
- VPN Concentrator Plugin 4.3.1
- Rogue Device Plugin 1.1.1
- Reports Plugin 5.2.1
- VMware VSPhere Plugin 2.5.1
- Flow Collector Plugin 1.1.1
- DNS Enforce Plugin 1.4.1
- CEF Plugin 2.8.2
With this feature enabled, changes may be required to policy scoping, query logic for Forescout eyeExtend modules such as eyeExtend for Splunk, and other settings. For details, refer to the Working with Overlapping IP Addresses section of the Forescout Administration Guide.
Change of Authorization (CoA) Without Session Disconnect
The Forescout RADIUS plugin can now use CoA messages with all network devices.
With this release, the RADIUS Plugin supports CoA via devices of all vendors. The plugin can be used for role-based endpoint management, including MAB, while maintaining session stability and connectivity.
New options let you configure CoA behavior:
- In Pre-admission Authorization rules
- In the RADIUS Authorize action
Use these options to impose a new authorization on endpoints without undesired disconnection.
In addition, new options in the Switch Plugin and the Wireless Plugin let you configure per-vendor defaults for session ID and other information used in CoA messages.
Enhanced Support for Multi-Homed OSX Devices
To manage a device, SecureConnector always uses one network interface of the device. When a device has multiple network interfaces (such as wired and wireless NICs), the Console lists each of these interfaces as a separate endpoint as they are detected. However, only the endpoint corresponding to the interface used by SecureConnector is identified as Managed by SecureConnector.
With the release of OS X Plugin 2.3.1, you can now resolve multi-homed endpoints managed by SecureConnector. The new Macintosh Manageable SecureConnector (via any interface) host property identifies the additional interfaces of a multi-homed endpoint that are not used by SecureConnector. The new Multi-Homed SecureConnector for OS X policy template shows how to use this property in policies.
For details refer to the OS X Plugin Configuration Guide.
Automatic Detection of Switch Vendor
This release introduces the first of several enhancements that automate definition and configuration of large numbers of switches.
Many of the Switch Plugin’s network device definition settings are vendor-specific. When the new Add Auto-Vendor option is used to add switches, the Switch Plugin automatically resolves the vendor of each new device. This lets you add many switches of various vendors in a single action. You can then select similar devices of the same vendor and configure them in groups.
For details refer to the Switch Plugin Configuration Guide.
With this version, the Forescout platform incorporates additional security enhancements that ensure more robust platform security and, thereby, reduce an attacker’s ability to impose damage and/or take control of platform processing.
Note: This security update may impact third-party plugins using Forescout plugin SDK. For the list of plugins, refer to the Forescout Platform and Base Modules Release Notes 8.2.1.
The relevant vendors have been informed. If you have customers using these plugins that would like to upgrade to version 8.2.1, contact Product Management for assistance.
Limited Appliance Support for CT-R/5110 Appliances
Due to memory limitations, 5110 and CT-R series Appliances do not fully support version 8.2.1. However, you can install the Limited Appliance package (with limited plugin functionality) for version 8.2.1 on 5110 and CT-R series Appliances.
- DHCP Classifier
- DNS Client
- Device Classification Engine
- Device Profile Library
- HPS Agent Manager
- HPS Inspection Engine
- Hardware Inventory
- NIC Vendor DB
- Packet Engine
Intra-Enterprise Manager and Appliance Authentication
Customer-issued CA certificates ensure secure communication between Enterprise Managers and Appliances. Customers can generate certificate signing requests to a CA Service and import the signed certificate and its certificate chain for each Enterprise Manager and Appliance.
Disabled by default, certificate verification enforcement must be enabled using the fs.enforce.cert.verify property. Once enabled, signed certificates of both existing and future Enterprise Managers and Appliances are required. Before enabling verification, be sure to import signed certificates on each Enterprise Manager and Appliance.
Support for Arista Centrally-managed Network Solutions
The Network Controller Plugin 1.0.1 now provides support for the following centrally-managed network solutions:
- Arista Cloudvision WiFi centrally-managed networks (cloud based)
- Arista CloudVision Wired centrally-managed networks (premise based)
For details, refer to both the Forescout Network Module: Network Controller Plugin Configuration Guide 1.0.1 and the Forescout Content Module Network Controller Content Plugin Configuration Guide 1.0.1.