Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:
According to the Forescout Administration Guide, "Host becomes offline" is NOT an admission event. Admission events are triggers that cause policy rechecks, and according to the documentation:
What IS an Admission Event:
According to the official documentation:
"An admission event is a trigger that causes policies to be rechecked. Examples of admission events include:
DHCP Request
IP Address Change
Switch Port Change
Authentication via RADIUS or other authentication servers
Login to an authentication server
New VPN user"
Specific Admission Events Listed:
According to the Policy Main Rule Advanced Options documentation:
Admission events include:
DHCP Request - When an endpoint sends a DHCP request
IP Address Change - When an endpoint's IP address changes
Switch Port Change - When an endpoint moves to a different switch port
Authentication Events - When endpoints authenticate to RADIUS or other servers
VPN Events - When VPN users connect
Why "Host becomes offline" is NOT an Admission Event:
According to the documentation:
A host becoming offline is NOT listed as an admission event. Instead, policies handle offline hosts differently:
By default, policies are rechecked every 8 hours regardless of online/offline status
Offline detection is a property state change, not an admission event
The system tracks whether a host was "seen" or is currently "online," but this doesn't trigger admission event rechecks
Why Other Options ARE Admission Events:
A. DHCP Request ✓- Explicitly listed admission event
B. IP Address Change ✓- Explicitly listed admission event
D. Login to an authentication server ✓- Explicitly listed admission event
E. New VPN user ✓- Explicitly listed admission event
Referenced Documentation:
Forescout eyeSight policy main rule advanced options
Working with Policy Templates - When Are Policies Run
Event Properties documentation
Submit