Appendix A – Deployment Scenarios

Appendix A – Deployment Scenarios

Basic FortiClient profile

In this scenario, you want to configure a FortiClient profile by using the FortiGate GUI. When clients connect FortiClient Telemetry to FortiGate, they will receive the settings configured in the FortiClient profile. You can configure the default profile, or create a new profile. When creating a new profile, you have additional options to specify device groups, user groups, and users.

Create a basic FortiClient profile:

  1. In the FortiGate GUI, go to Security Profiles > FortiClient Profiles. You can either select the default FortiClient profile or select Create New in the toolbar. The Edit Endpoint Profile page opens.

The default FortiClient profile does not include the Assign Profile To setting.

  1. Set the profile settings as required, and click OK.

Advanced FortiClient profile

In this scenario, you have created a custom XML configuration file. The custom file includes all settings required by the client at the time of deployment. When FortiClient connects Telemetry to FortiGate or EMS, you want to ensure that the client receives the full XML configuration. For future configuration changes, you can edit the XML in the profile by using EMS.

To reduce the size of the FortiClient XML configuration file, you can delete all help text found within the <!– …. –> comment tags.

Create an advanced FortiClient profile with the full XML configuration provisioned:

  1. In EMS, go to Endpoint Profiles > Add a new profile.
  2. Select the Advanced.
  3. (Optional) On Install tab, select a FortiClient installer.
  4. On the Configuration tab, overwrite the XML by pasting the XML from your custom XML configuration file into the pane.
    1. Open the FortiClient XML configuration file in a source code editor.
    2. Copy the FortiClient XML.
    3. Paste the FortiClient XML into the Configuration tab.
  5. Click Save.

 

Use Active Directory Groups                                                               Appendix A – Deployment Scenarios

Use Active Directory Groups

Some organizations may choose to deploy different FortiClient profiles to different user groups. FortiGate and EMS are able to send different FortiClient profiles based on the AD group of the user. This requires use of the FortiAuthenticator.

No special configuration is required on FortiClient.

Monitor connected users

Administrators can monitor managed FortiClient users. When the client successfully connects FortiClient Telemetry to the FortiGate/EMS, the client can be monitored on the FortiGate/EMS.

In the FortiGate GUI, all connected clients can be observed on the Monitor> FortiClient Monitor page.

Either of the following FortiGate CLI commands will list all connected clients: l diagnose endpoint registration list, or l diagnose endpoint record-list.

In the EMS, connected clients can be observed on the Workgroups page.

Customize FortiClient using XML settings

FortiClient configurations can be customized at the XML level. For more information, see the FortiClient XML Reference.

Appendix A – Deployment Scenarios                                        Customize FortiClient using XML settings

Silent connection

You may want to configure FortiClient to silently connect to FortiGate without any user interaction. When configured, the user will not be prompted to connect to a FortiGate. The <silent_registration> tag is intended to be used with the <disable_unregister> tab. For more information, see Disable disconnect on page 124. The following XML elements can be used to enable this:

<forticlient_configuration>

<endpoint_control>

<silent_registration>1</silent_registration>

</endpoint_control>

</forticlient_configuration>

Locked FortiClient settings

End-users with administrator permission on their Windows system have access to the FortiClientsettings page. If this is not desired, it can be locked with a password from the FortiGate. The following FortiOS CLI command, when included, requires that any client connected to the FortiGate to provide the password before they can access the settings page.

config endpoint-control profile edit “fmgr” config forticlient-winmac-settings … set forticlient-settings-lock disable set forticlient-settings-lock-passwd <password> …

end

next

end

Disable disconnect

With silent endpoint control connection enabled, a user could disconnect after FortiClient has connected to the FortiGate. The capability to disconnect can be disabled using the following XML element:

<forticlient_configuration>

<endpoint_control>

<disable_unregister>1</disable_unregister>

</endpoint_control>

</forticlient_configuration>

Put it together

Here is a sample complete FortiClient5.4.1XML configuration file with the capabilities discussed above:

<forticlient_configuration>

<partial_configuration>1</partial_configuration>

<endpoint_control>

<enabled>1</enabled>

<disable_unregister>1</disable_unregister>

<silent_registration>1</silent_registration>

<fortigates>

<fortigate>

124

Customize FortiClient using XML settings                                        Appendix A – Deployment Scenarios

<serial_number />

<name />

<registration_password>un9r3Ak@b!e</registration_password>

<addresses>newyork.example.com</addresses>

</fortigate>

</fortigates>

</endpoint_control>

</forticlient_configuration>

The FortiGate that is connected to is listed in the <fortigates> element. The <registration_ password> element is required if the endpoint control configuration on the FortiOS requires one. This can be exported as an encrypted file from a connected FortiClient.

The configuration provided above is not the full FortiClient configuration file. Thus, the <partial_ configuration> element is set to 1.

 

This entry was posted in FortiClient and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.