FortiOS 6 – FortiClient Compliance Profiles

Configuring endpoint protection

Endpoint Protection requires that all hosts connecting to an interface have the FortiClient Endpoint Security application installed. Make sure that all endpoints behind the interface are able to install this application. Currently, FortiClient Endpoint Security is available for Microsoft Windows (2000 and later), Apple (Mac OS X and later), and Android devices only.

By default, the FortiGuard service provides the FortiClient installer. If you prefer to host it on your own server, see Changing the FortiClient installer download location, below.

To set up Endpoint Protection, complete the following:

  • Create a FortiClient Profile or use the default profile. See Creating a FortiClient profile on page 186. Enable the application sensor and web category filtering profiles that you want to use.
  • Configure the FortiGate unit to support endpoint registration using FortiTelemetry (under Network > Interfaces, allow FortiTelemetry admission control).
  • Optionally, enforce FortiClient registration. See Enforcing FortiClient registration on page 187.
  • Optionally, configure application sensors and web filter profiles as needed to monitor or block applications.
  • Optionally, modify the Endpoint NAC Download Portal replacement messages (one per platform). See Modifying the endpoint protection replacement messages on page 195.

Creating a FortiClient profile

FortiClient profiles allow you to perform vulnerability scans on endpoints and make sure endpoints are running compliant versions of FortiClient. Also, security posture features cause FortiClient to apply realtime protection, AntiVirus, web filtering, and application control on endpoints.

It is possible for more than one profile to be assigned to a device type. As with security policies, clients are matched to FortiClient profiles in the order that the profiles appear in the list.

Features involving general settings have been removed from the FortiClient profile GUI in 5.4.1. Features emphasizing compliance of the endpoint devices have been added. These enhancements facilitate integration with the Security Fabric.

To create a FortiClient profile – GUI

  1. If you plan to use the Application Firewall feature in the FortiClient profile, go to Security Profiles > Application Control to create the Application Sensors that you will need.
  2. If you plan to use the Web Category Filtering, go to Security Profiles > Web Filter to create the Web Filter Profile that you will need.
  3. Go to Security Profiles > FortiClient Compliance. If there is only the default FortiClient profile, it will be displayed and ready to edit. At the top right of the page you can select or create other profiles.
  4. Select Create New or edit an existing profile.
  5. In Assign Profile To, select the device groups, user groups, and users to which this FortiClient profile applies. This is not available for the default
  6. Set the Endpoint Vulnerability Scan on Client quarantine level. Similar to FortiOS 5.4, you can set the FortiClient Profile to run the FortiClient vulnerability scanner on endpoints and you can set the vulnerability quarantine level to quarantine endpoints that don't comply. The FortiGate will quarantine a host when a vulnerability with the level of severity selected, or higher, is detected. Options are: Critical, High, Medium, Low, and Information.

  7. System Compliance. FortiOS 5.6 system compliance settings are similar to those in 5.4 with the addition of a non-compliance action. System compliance checking is performed by FortiClient but the non-compliance action is applied by the FortiGate:
    • select the Minimum FortiClient version, if necessary. The lowest supported version is 5.4.1.
    • identify which logs, if any, you will upload to FortiAnalyzer
    • set the Non-compliance action: Block or Warning.
  8. Under Security Posture Check, enable the required options for your network:
    • Realtime Protection
    • Third party AntiVirus on Windows is required for Windows endpoints
    • identify which logs, if any, you will upload to FortiAnalyzer
    • select whether to enable a Web Filter security profile and/or an Application Control profile
    • set the Non-compliance action: Block or Warning.
  9. Select OK or Apply.

To create a FortiClient profile – CLI:

This example creates a profile for Windows and Mac computers.

config endpoint-control profile
    edit ep-profile1
        set device-groups mac windows-pc
        config forticlient-winmac-settings
            set forticlient-av enable
            set forticlient-wf enable
            set forticlient-wf-profile default
        end
    next
end

Support FortiClient for Linux

FortiClient for Linux (Ubuntu, CentOS, Red Hat, and Fedora) is also supported.

Syntax

config forticlient-winmac-settings
    config forticlient-operating-system
        edit <id>
            set os-type {ubuntu-linux | centos-linux | redhat-linux | fedora-linux | …}
        next
    end
    set forticlient-linux-ver <forticlient-version>
end

Enforcing FortiClient registration

When you enable FortiTelemetry (formerly known as FortiHeartbeat) on an interface, the option to enforce FortiClient registration becomes available. Devices connecting to that interface are forced to register to the FortiGate and install FortiClient before gaining access to network services.

The following example includes editing the default FortiClient Profile to enforce real-time antivirus protection and malicious website blocking.

To enforce FortiClient registration on the internal interface – GUI:

  1. On the FortiGate, go to System > Feature Visibility and enable Endpoint Control.
  2. Go to Network > Interfaces and edit the internal interface.
  3. Under Administrative Access, enable FortiClient Telemetry.
  4. Under Admission Control, enable Enforce FortiClient Compliance Check.

Once this is enabled, you have the option to Exempt Sources and/or Exempt Destinations/Services. If you were to exempt a source device, that device would not require FortiClient registration to access network services or the Internet.

  5. Go to Security Profiles > FortiClient Profiles.
  6. Under the Security Posture Check, enable Realtime Protection and Up-to-date signatures.

Endpoint compliance checking

Previously, as part of the Endpoint Compliance – Authorized Machine Detection feature, the administrator could specify a process name and SHA256 signature for a process, and only allow access to hosts with the specified process/application running. The FortiGate verifies that the process name and hash are matched on the connecting host before allowing access.

In FortiOS 6.0, however, the FortiGate only matches the process name, and matching the SHA256 signature is optional (since the process may be updated dynamically and the signature may not match). The administrator can specify a process name and not specify a checksum, and so only the file name will be matched. If both file name and MD5 are specified, then both fields will still be matched.

A host check table has been added to the FortiClient Profile GUI, which is similar to a policy table; the match is performed from top to bottom. At the bottom of the table, there is an implicit entry, representing everything that does not match the higher entries. This implicit entry is always available, but the administrator can change the action to either present or absent (in reference to the specified process/application).

Syntax

A new attribute application-check-rule determines if the entry is for checking the presence or absence of an application:

config endpoint-control profile
    edit <name>
        config forticlient-winmac-settings
            ....
            config forticlient-running-app
                edit 1
                    set app-name "MSOffice"
                    set application-check-rule {present | absent}
                    set process-name "word.exe"
                next
                ...

In addition, the app-sha256-signature entry is no longer mandatory, so long as the process-name entry is set:

config endpoint-control profile
    edit <name>
        config forticlient-winmac-settings
            ....
            config forticlient-running-app
                edit <name>
                    set app-name <name>
                    set application-check-rule present
                    set process-name "word.exe"
                    set app-sha256-signature ''      <== this field can be left empty
                    set process-name2 "excel.exe"
                    set app-sha256-signature2 ''     <== not mandatory if process-name entry is set
                    set process-name3 ''
                    set app-sha256-signature3 ''     <== not mandatory if process-name entry is set
                    set process-name4 ''
                    set app-sha256-signature4 ''     <== not mandatory if process-name entry is set
                next
                ...
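The following is an added example, not FortiOS code: a small Python model of the host check table described above (first matching entry from the top decides, the SHA256 is compared only when the entry carries one, and the implicit entry catches everything else). The entry field names mirror the CLI attributes; the exact semantics of the implicit entry's present/absent action are an assumption, labelled in the code.

```python
# Added example (not FortiOS code): a model of the FortiClient profile host check
# table. Entry names and the implicit-entry semantics are assumptions.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class RunningAppEntry:
    app_name: str
    process_name: str
    application_check_rule: str = "present"   # present | absent
    app_sha256_signature: str = ""            # optional since FortiOS 6.0

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def app_found(entry: RunningAppEntry, host_processes: Dict[str, str]) -> bool:
    """host_processes maps a running process name to the SHA256 of its image.
    The name must match; the hash is compared only when the entry carries one."""
    image_hash = host_processes.get(entry.process_name.lower())
    if image_hash is None:
        return False
    sig = entry.app_sha256_signature.lower()
    return not sig or image_hash == sig

def host_check(table: List[RunningAppEntry], host_processes: Dict[str, str],
               implicit_action: str = "absent") -> Tuple[bool, str]:
    """Walk the table top to bottom. The first entry whose app is found decides:
    a 'present' entry means a required app is running (compliant), an 'absent'
    entry means a forbidden app is running (non-compliant). Hosts matching no
    entry fall through to the implicit entry (assumed: present -> compliant,
    absent -> non-compliant). Returns (compliant, name of the deciding entry)."""
    for entry in table:
        if app_found(entry, host_processes):
            return entry.application_check_rule == "present", entry.app_name
    return implicit_action == "present", "implicit"

# Constructed sample data: byte strings stand in for the real executables.
WORD_V1 = sha256_hex(b"word.exe build 1")
WORD_V2 = sha256_hex(b"word.exe build 2")   # the same app after an update
NAME_ONLY_TABLE = [
    RunningAppEntry("BannedP2P", "p2p.exe", "absent"),   # forbidden app listed first
    RunningAppEntry("MSOffice", "word.exe", "present"),  # no hash: name match only
]
PINNED_TABLE = [RunningAppEntry("MSOffice", "word.exe", "present", WORD_V1)]
```

Running `host_check(PINNED_TABLE, {"word.exe": WORD_V2})` shows why the page makes the hash optional: a pinned signature stops matching as soon as the application is updated, while the name-only entry keeps matching.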

Enforcing FortiClient EMS requirements

FortiClient Compliance Profiles allow you to add up to three Enterprise Management Server (EMS) servers under Security Profiles > FortiClient Compliance Profiles.

This replaces the feature-related configuration (i.e., AV and WF configuration) for compliance checks. Instead, if a FortiClient endpoint is managed by the defined EMS and is "in-sync" with the EMS profile, then it is considered compliant.

An endpoint is considered compliant (thus allowed network access) only when the following conditions are met:

  • the endpoint has FortiClient software
  • the FortiClient software is managed by the authorized EMS server

Any endpoint that does not meet the above criteria (unless exempted) will be blocked from network access, regardless of FortiClient settings on that endpoint.

Syntax

config endpoint-control profile
    edit <name>
        config {forticlient-winmac-settings | forticlient-android-settings | forticlient-ios-settings}
            set forticlient-ems-compliance {enable | disable}
            set forticlient-ems-compliance-action {block | warning}
            set forticlient-ems-entries [addr1] [addr2] [addr3]
        end
    next
end

config endpoint-control settings
    set forticlient-ems-rest-api-call-timeout <milliseconds>
end

Changing the FortiClient installer download location

By default, FortiClient installers are downloaded from the FortiGuard network. You can also host these installers on a server for your users to download. In that case, you must configure FortiOS with this custom download location. For example, to set the download location to a custom web server with address custom.example.com, enter the following command:

config endpoint-control settings
    set download-location custom
    set download-custom-link "http://custom.example.com"
end

Storing FortiClient configuration files

Advanced FortiClient configuration files of up to 32k may be stored:

  1. Enable the advanced FortiClient configuration option in the endpoint profile:

config endpoint-control profile
    edit "default"
        set forticlient-config-deployment enable
        set fct-advanced-cfg enable
        set fct-advanced-cfg-buffer "hello"
        set forticlient-license-timeout 1
        set netscan-discover-hosts enable
    next
end

  2. Export the configuration from FortiClient (xml format).
  3. Copy the contents of the configuration file and paste it in the advanced FortiClient configuration box.

If the configuration file is greater than 32k, you need to use the following CLI:

config endpoint-control profile
    edit <profile>
        config forticlient-winmac-settings
            config extra-buffer-entries
                edit <entry_id>
                    set buffer xxxxxx
                next
            end
        end
    next
end

Blocking access to unsupported FortiClient endpoints

You can use the following command to deny registration of unsupported FortiClient endpoints. An unsupported FortiClient endpoint means the endpoint is running FortiClient but, for some reason, not all of the criteria needed to identify the endpoint are available, or the endpoint may be running an unsupported version of FortiClient.

The missing information could include the endpoint's IP address or MAC address not being visible to the FortiGate.

config endpoint-control settings
    set forticlient-dereg-unsupported-client enable
end

Configuring endpoint registration over a VPN

Configuring the FortiClient offline grace period

Administrators can configure an offline grace period for registered and offline FortiClients so that PROBE can be processed and, as a result, endpoint compliance is not triggered.

  • The grace period is allowed for a client that is compliant, registered, and offline.
  • The grace period has a used status which determines if the client is before, during, or after the grace period.
  • Online and compliant clients will reset the grace status to unused.

Syntax

config endpoint-control settings
    set forticlient-offline-grace {enable | disable}
    set forticlient-offline-grace-interval <seconds>   <-- The default is 120
end
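The following is an added example, not FortiOS code: a Python model of the grace status described above (unused, during, and after the grace period) and of when the endpoint compliance action is triggered for an offline client. The field names, the use of epoch seconds for the last contact, and the evaluation order are assumptions; the 120-second default mirrors forticlient-offline-grace-interval.

```python
# Added example (not FortiOS code): a model of the offline grace period status
# described above. Field names and the evaluation order are assumptions.
from dataclasses import dataclass
from typing import Tuple

GRACE_UNUSED = "unused"       # before the grace period (or never needed it)
GRACE_ACTIVE = "in-grace"     # inside the grace period
GRACE_EXPIRED = "expired"     # past the grace period

@dataclass
class RegisteredClient:
    registered: bool
    compliant: bool
    online: bool
    last_seen: float          # epoch seconds of the last FortiTelemetry contact

def evaluate_grace(client: RegisteredClient, now: float, grace_enabled: bool = True,
                   grace_interval: int = 120) -> Tuple[str, bool]:
    """Return (grace_status, compliance_action_triggered).

    The grace period is allowed only for a client that is compliant, registered
    and offline; an online, compliant client resets the status to unused. While
    the grace period is active the endpoint compliance action is not triggered.
    grace_interval mirrors forticlient-offline-grace-interval (default 120 s)."""
    if client.online and client.compliant:
        return GRACE_UNUSED, False
    if not (grace_enabled and client.registered and client.compliant):
        return GRACE_UNUSED, True      # no grace for unregistered/non-compliant clients
    elapsed = now - client.last_seen
    if elapsed <= grace_interval:
        return GRACE_ACTIVE, False
    return GRACE_EXPIRED, True
```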


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on "FortiOS 6 – FortiClient Compliance Profiles"

  1. German Taboadela

    Hey! Great article. Do you know if this feature was removed in FortiOS 6.2.3? I've already enabled Endpoint Control feature but the "FortiClient Compliance" menu is still missing… perhaps they moved that functionality to EMS completely? I just can't find a way to log forticlient data without EMS.