IPsec VPN and SSL VPN

FortiClient supports both IPsec and SSL VPN connections to your network for remote access. Administrators can provision client VPN connections to FortiGate in profiles from EMS, and you can configure new connections in FortiClient console.

Add new connections

You can add new SSL VPN connections and IPsec VPN connections. The following two settings are common to both connection types:

Connection Name Enter a name for the connection.
Description Enter a description for the connection. (optional)

Create SSL VPN connections

To create SSL VPN connections:

  1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
  2. Select SSL-VPN, then configure the following settings:

Remote Gateway Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Customize port Select to change the port. The default port is 443.
Authentication Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled.
Username If you selected to save login, enter the username in the dialog box.
Client Certificate Select to enable client certificates, then select the certificate from the dropdown list.
Do not Warn Invalid Server Certificate Select if you do not want to be warned when the server presents an invalid certificate. Leave this cleared unless you have a specific reason: with the warning suppressed, FortiClient connects even when the gateway certificate does not verify, so an attacker on the path can present any certificate and intercept the session.
Add Select the add icon to add a new connection.
Delete Select a connection and then select the delete icon to delete a connection.
  3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.

Create IPsec VPN connections

To create IPsec VPN connections:

  1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
  2. Select IPsec VPN, then configure the following settings:

Connection Name Enter a name for the connection.
Description Enter a description for the connection. (optional)
Remote Gateway Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Authentication Method Select either X.509 Certificate or Pre-shared Key in the dropdown menu.
Authentication (XAuth) Select to prompt on login, save login, or disable.
Username If you selected save login, enter the username in the dialog box.
Advanced Settings Configure VPN settings, Phase 1, and Phase 2 settings.

VPN Settings

Mode Select one of the following:

Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.

Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID). Note that with a pre-shared key, Aggressive mode sends the key-derived authentication hash unencrypted, so a passive observer who captures the exchange can run an offline dictionary attack against the key. If you must use Aggressive mode, use certificate authentication or a long, random pre-shared key.

Options Select one of the following:

Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.

Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.

DHCP over IPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling.

Phase 1 Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

IKE Proposal Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
DH Group Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. Groups 1 and 2 (768-bit and 1024-bit MODP) are too small for current key sizes; select group 14 (2048-bit MODP) and configure the FortiGate side to match.
Key Life Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
Local ID Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer's Peer Options.
Dead Peer Detection Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
NAT Traversal Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Phase 2 Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

IKE Proposal Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
Key Life The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.
Enable Replay Detection Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
Enable Perfect Forward Secrecy (PFS) Select the check box to enable Perfect forward secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
DH Group Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses. The same size caveat as for Phase 1 applies: prefer group 14.
Add Select the add icon to add a new connection.
Delete Select a connection and then select the delete icon to delete a connection.
  3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.

Advanced features (Microsoft Windows)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in EMS to ensure the FortiClient profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.

Activate VPN before Windows Log on

When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, you must also select the Users must enter a username and password to use this computer check box in the User Accounts dialog box.

To make this change, proceed as follows:

In FortiClient:

  1. Create the VPN tunnels of interest, or connect to FortiClient EMS, which provides the VPN list of interest.
  2. Enable VPN before log on on the FortiClient Settings page; see VPN options on page 102.

On the Microsoft Windows system:

  1. Start an elevated command line prompt.
  2. Enter control userpasswords2 and press Enter. Alternatively, you can enter netplwiz.
  3. Select the Users must enter a username and password to use this computer check box.
  4. Click OK to save the setting.

Connect VPNs before logging on (AD environments)

The VPN <options> tag holds global settings that control VPN behaviour. With the two options below, FortiClient brings the VPN up from the Windows log on screen and reuses the Windows credentials entered there, so the tunnel is connected before the AD/domain log on completes:

<forticlient_configuration>
  <vpn>
    <options>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
    </options>
  </vpn>
</forticlient_configuration>

Create redundant IPsec VPNs

To use VPN resiliency/redundancy, configure a list of FortiGate gateway IP addresses/FQDNs in the <server> tag, separated by semicolons, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

<redundantsortmethod>1</redundantsortmethod>

Sets gateway selection for the IPsec VPN connection to ping-response based: FortiClient connects to the FortiGate that responds fastest.

<redundantsortmethod>0</redundantsortmethod>

The default. Gateway selection is priority based: FortiClient tries the FortiGates in the order listed, starting with the first, and moves on to the next only if the current one is not available.

Create priority-based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGates in the list must use the same TCP port; the port is written once, at the end of the <server> value (443 in the example above).
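To see how the two redundancy rules above combine in practice, here is an added example (editorial code for this page, not Fortinet's) that parses the <server> lists and <redundantsortmethod> values from a FortiClient XML fragment and reports the gateway order, the selection method, and any SSL VPN connection whose gateways disagree on the TCP port. The sample XML is constructed from the fragments on this page plus a deliberately wrong second SSL VPN connection with made-up hostnames. The reading that a port written only on the last entry applies to every gateway in the list is an assumption drawn from the ssl_90_1 example above, as is the default of 443 when no port is given.

```python
"""Audit the redundancy settings in a FortiClient VPN XML fragment.

Added example for this page, not Fortinet code. Parses <server> gateway
lists and <redundantsortmethod>, and flags SSL VPN connections whose
gateways do not all use the same TCP port.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample built from the fragments on this page. The second SSL VPN
# connection (ssl_mixed_ports) is deliberately wrong so the check has something
# to report; its hostnames are made up.
SAMPLE_XML = """\
<forticlient_configuration>
  <vpn>
    <options>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
    </options>
    <ipsecvpn>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
    <sslvpn>
      <options><enabled>1</enabled></options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
        </connection>
        <connection>
          <name>ssl_mixed_ports</name>
          <server>vpn-a.example.com:443;vpn-b.example.com:10443</server>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""

SSL_VPN_DEFAULT_PORT = 443  # "The default port is 443" (from the page)


def parse_server_list(value):
    """Split a <server> value ("host1;host2;host3[:port]") into (host, port) pairs.

    Assumption for this example: a port written only on the last entry, as in
    the page's SSL VPN fragment, applies to every gateway in the list. Entries
    with no port anywhere get None.
    """
    entries = [e.strip() for e in value.split(";") if e.strip()]
    hosts, ports = [], []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            hosts.append(host)
            ports.append(int(port))
        else:
            hosts.append(entry)
            ports.append(None)
    if ports and ports[-1] is not None:  # trailing port applies to all
        ports = [ports[-1] if p is None else p for p in ports]
    return list(zip(hosts, ports))


def audit_vpn_config(xml_text):
    """Return gateway lists, selection methods and findings for a fragment."""
    root = ET.fromstring(xml_text)
    report = {"ipsec": {}, "ssl": {}, "findings": []}

    opts = root.find("vpn/options")
    if opts is not None and opts.findtext("show_vpn_before_logon") == "1":
        note = "VPN before logon is enabled"
        if opts.findtext("use_windows_credentials") == "1":
            note += " and Windows logon credentials are reused for the VPN"
        report["findings"].append(note)

    for conn in root.iterfind("vpn/ipsecvpn/connections/connection"):
        name = conn.findtext("name")
        ike = conn.find("ike_settings")
        if ike is None:
            continue
        gateways = parse_server_list(ike.findtext("server", ""))
        sort = ike.findtext("redundantsortmethod", "0")  # 0 is the default
        if sort not in ("0", "1"):
            report["findings"].append(f"{name}: unknown redundantsortmethod {sort!r}")
        report["ipsec"][name] = {
            "gateways": [h for h, _ in gateways],
            "selection": "ping-response" if sort == "1" else "priority",
        }

    for conn in root.iterfind("vpn/sslvpn/connections/connection"):
        name = conn.findtext("name")
        gateways = parse_server_list(conn.findtext("server", ""))
        ports = {SSL_VPN_DEFAULT_PORT if p is None else p for _, p in gateways}
        if len(ports) != 1:  # the page's rule: one TCP port for all gateways
            report["findings"].append(
                f"{name}: SSL VPN gateways use different TCP ports {sorted(ports)}; "
                "all gateways must use the same port")
        report["ssl"][name] = {
            "gateways": [h for h, _ in gateways],
            "port": next(iter(ports)) if len(ports) == 1 else None,
        }
    return report


if __name__ == "__main__":
    print(json.dumps(audit_vpn_config(SAMPLE_XML), indent=2))
```

Run as a script to print the report; the ssl_mixed_ports connection appears in the findings, ssl_90_1 resolves to port 443 for all three gateways, and psk_90_1 is reported as ping-response based.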

Advanced features (Mac OS X)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient profile options in EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.

Create redundant IPsec VPNs and priority-based SSL VPN connections

The XML for redundant IPsec VPNs (a semicolon-separated gateway list in <server>, with <redundantsortmethod> 1 for ping-response based or 0 for priority based selection) and for priority-based SSL VPN connections (all gateways on the same TCP port) is the same on Mac OS X as in the Microsoft Windows section above; the gateway list may name FortiGate or EMS addresses.

VPN tunnel & script

This feature supports auto running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of a VPN tunnel configuration in the XML-format FortiClient profile on EMS. The profile is pushed down to FortiClient from EMS, and when FortiClient's VPN tunnel is connected or disconnected, the respective script defined under that tunnel is executed. Because the script runs without user interaction on every endpoint that receives the profile, review its contents as you would any deployed code: anything written into it, including credentials such as the ones in the mount command of the Mac OS X example below, is delivered in clear text to every endpoint.

Windows

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected. Each command goes on its own line inside the CDATA section:

<on_connect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
md c:\test
copy x:\PDF\*.* c:\test
      ]]>
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
net use x: /DELETE
      ]]>
    </script>
  </script>
</on_disconnect>

OS X

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>
  <script>
    <os>mac</os>
    <script>
/bin/mkdir /Volumes/installers
/sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
/bin/mkdir /Users/admin/Desktop/dropbox/dir
/bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>mac</os>
    <script>
/sbin/umount /Volumes/installers
/bin/rm -fr /Users/admin/Desktop/dropbox/*
    </script>
  </script>
</on_disconnect>
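The script blocks above are the page's own examples. What follows is an added example, editorial code rather than Fortinet's, that renders such blocks in the same <script><os/><script> layout and checks them before they go into a profile. It shows why the script body belongs in a CDATA section (a literal ]]> in the body would end the section early and has to be split), round-trips the rendered block through an XML parser to prove the body survives intact, and scans the body for credentials written into it, such as the user:password@host in the Mac OS X mount line above. The hardened mount line without the password, the Windows line with a positional password, and the hostnames in them are constructed for this example; the credential patterns are heuristics, not an exhaustive check.

```python
"""Render and inspect FortiClient VPN tunnel scripts.

Added example for this page, not Fortinet code. Builds <on_connect> and
<on_disconnect> blocks with the script body in a CDATA section and scans
the body for embedded credentials.
"""
import re
import xml.etree.ElementTree as ET

CDATA_END = "]]>"

# Constructed script bodies. WIN_CONNECT and MAC_CONNECT_WEAK are the page's
# examples; the hardened Mac variant is made up for this example.
WIN_CONNECT = r"""net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
md c:\test
copy x:\PDF\*.* c:\test"""

MAC_CONNECT_WEAK = ("/sbin/mount -t smbfs "
                    "//kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers")

# Same mount without the password in the URL. Assumption: the share is reachable
# with a credential the OS already holds (for example a keychain entry).
MAC_CONNECT_HARDENED = ("/sbin/mount -t smbfs "
                        "//kimberly@ssldemo.fortinet.com/installers /Volumes/installers")

CREDENTIAL_PATTERNS = [
    # user:password@host inside a URL or SMB path
    (re.compile(r"//[^/\s:@]+:[^/\s@]+@"), "password embedded in URL"),
    # "net use <drive> \\server\share <password> /user:..." (positional password)
    (re.compile(r"\bnet\s+use\s+\S+\s+\\\\\S+\s+(?!/)\S+", re.I),
     "net use with positional password"),
]


def cdata(text):
    """Wrap text in a CDATA section. A literal ']]>' inside the script would
    terminate the section early, so it is split across two sections."""
    return "<![CDATA[" + text.replace(CDATA_END, "]]]]><![CDATA[>") + "]]>"


def script_element(event, os_name, body):
    """Render one <on_connect> or <on_disconnect> block for one OS."""
    if event not in ("on_connect", "on_disconnect"):
        raise ValueError(event)
    if os_name not in ("windows", "mac"):
        raise ValueError(os_name)
    return (f"<{event}>\n  <script>\n    <os>{os_name}</os>\n"
            f"    <script>{cdata(body)}</script>\n  </script>\n</{event}>")


def script_body(xml_text):
    """Parse a rendered block and return the script body (round-trip check)."""
    return ET.fromstring(xml_text).find("script/script").text


def find_embedded_credentials(body):
    """Return (reason, matched text) for every credential-looking fragment."""
    return [(why, m.group(0))
            for pat, why in CREDENTIAL_PATTERNS
            for m in pat.finditer(body)]


if __name__ == "__main__":
    for os_name, body in [("windows", WIN_CONNECT), ("mac", MAC_CONNECT_WEAK),
                          ("mac", MAC_CONNECT_HARDENED)]:
        print(script_element("on_connect", os_name, body))
        for why, text in find_embedded_credentials(body):
            print(f"  ! {why}: {text}")
```

Running the script prints the three rendered blocks; only the weak Mac mount line produces a finding, the Windows example passes because its net use line carries no positional password, and the hardened Mac line passes because the password has been removed from the URL.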

Application Firewall

FortiClient can recognize the traffic generated by a large number of applications. You can create rules to block or allow this traffic per category, or application.

Enable/disable Application Firewall

The administrator enables the application firewall feature by using a FortiClient profile. The FortiClient profile includes the application firewall configuration.

The FortiClient Endpoint Control feature enables the site administrator to distribute an Application Control sensor from FortiGate/EMS.

On the FortiGate, the process is as follows:

  • Create an Application Sensor and Application Filter on the FortiGate
  • Add the Application Sensor to the FortiClient Profile on the FortiGate

On EMS, the application firewall is part of the endpoint profile.

For more information on configuring application control security profiles, see the FortiOS Handbook - The Complete Guide to FortiOS available in the Fortinet Document Library.

View application firewall profiles

To view the application firewall profile, select Show all.

View blocked applications

To view blocked applications, select the Applications Blocked link in the FortiClient console. This page lists all applications blocked in the past seven days, including the count and time of last occurrence.

Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.

When a FortiClient endpoint is connected to FortiGate/EMS, the Web Security tab becomes the Web Filter tab in the FortiClient console.

Enable/disable Web Security/Web Filter

For FortiClient in standalone mode, you can enable, disable, and configure web security by using the FortiClient console. You can define what sites are allowed, blocked, or monitored, and you can view violations.

For FortiClient in managed mode, an administrator enables, disables, and configures Web Filter by using a FortiClient profile. See FortiClient profiles on page 29.

Enable/disable Web Security

This setting can only be configured when FortiClient is in standalone mode.

To enable or disable Web Security:

  1. On the Web Security tab, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.

The following options are available:

Enable/Disable Select to enable or disable Web Security.
X Violations (In the Last 7 Days) Select to view Web Security log entries of the violations that have occurred in the last 7 days.
Settings Select to configure the Web Security profile, exclusion list, and settings, and to view violations.

Enable/disable Web Filter

This setting can only be configured when FortiClient is in managed mode. When FortiClient is connected to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.

A FortiClient profile can include a Web Filter profile from a FortiGate or EMS.

On a FortiGate device, the overall process is as follows:

  • Create a Web Filter profile on the FortiGate
  • Add the Web Filter profile to the FortiClient Profile on the FortiGate

On EMS, web filtering is part of the endpoint profile.

Configure Web Security profiles

This setting can only be configured when FortiClient is in standalone mode.

You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories.

To configure web security profiles:

  1. On the Web Security tab, click the Settings icon.
  2. Click a site category.
  3. Click the Action icon, and select an action in the drop-down menu.

The following actions are available:

Allow Set the category or sub-category to Allow to allow access.
Block Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.
Warn Set the category or sub-category to Warn to warn before allowing access. The user will receive a Web Page Blocked message in the web browser and can select to proceed or go back to the previous web page.
Monitor Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list only.

  4. Click OK.

Edit Web Security exclusion lists

This setting can only be configured when FortiClient is in standalone mode.

You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt.

To manage the exclusion list:

  1. On the Web Security tab, click the Settings icon.
  2. Click the Exclusion List tab.
  3. Click the Add icon to add URLs to the exclusion list.

If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.

  4. Configure the following settings:

Exclusion List Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection.
URL Enter a URL or IP address.
Type Select one of the following pattern types from the drop-down list: Simple, Wildcard, or Regular Expression.
Actions Select one of the following actions from the drop-down list:

Block: Block access to the web site regardless of the URL category or sub-category action.

Allow: Allow access to the web site regardless of the URL category or sub-category action.

Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established.

  5. Click OK.

Configure Web Security settings

This setting can only be configured when FortiClient is in standalone mode.

To configure web security settings:

  1. On the Web Security tab, click the Settings icon.
  2. Click the Settings tab.
  3. Configure the following settings:

Enable Site Categories Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list only.
Log all URLs Select to log all URLs.
Identify user initiated web browsing Select to identify web browsing that is user initiated.

  4. Click OK.

View violations

This section applies to FortiClient in standalone mode and managed mode.

To view Web Security violations:

  1. On the Web Security tab, click the Settings icon. Alternately, you can click the X Violations (In the Last 7 Days) link.
  2. Click the Violations tab.

The following information is displayed.

Website The website name or IP address.
Category The website sub-category.
Time The date and time that the website was accessed.
User The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message.

  3. Click Close.

 

Antivirus

FortiClient includes an antivirus module to scan system files, executable files, removable media, dynamic-link library (DLL) files, and drivers. FortiClient will also scan for and remove rootkits. In FortiClient, file-based malware, malicious websites, phishing, and spam URL protection are part of the antivirus module. Scanning can also be extended by using FortiSandbox.

Enable/disable realtime protection

For FortiClient in standalone mode, you can enable and disable realtime protection by using the FortiClient console.

For FortiClient in managed mode, an administrator enables, disables, and configures realtime protection by using a FortiClient profile. See FortiClient profiles on page 29.

Enable/disable Antivirus

This setting can only be configured when FortiClient is in standalone mode.

To enable Antivirus:

  1. On the AntiVirus tab, click the settings icon next to Realtime Protection Disabled. The real-time protection settings page opens.
  2. Select the Scan files as they are downloaded or copied to my system check box.
  3. Click OK.

If you have another antivirus program installed on your system, FortiClient will show a warning that your system may lock up due to conflicts between different antivirus products.

Conflicting antivirus warning

To disable antivirus:

  1. On the AntiVirus tab, click the settings icon next to Realtime Protection Enabled. The real-time protection settings page opens.
  2. Clear the Scan files as they are downloaded or copied to my system check box, and click OK.

Enable/disable FortiSandbox

This setting can only be configured when FortiClient is in standalone mode.

FortiClient integration with FortiSandbox allows you to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

You cannot configure this option when FortiClient is connected to FortiGate/EMS. The administrator configures this option on FortiGate/EMS.

To enable FortiSandbox:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Extend scanning using FortiSandbox.
  3. Enter the FortiSandbox IP address, then select Test to ensure that the connection is correct.
  4. Set the remaining options as needed.
  5. Click OK to apply your changes.

Compliance

The Compliance tab displays whether FortiClient Telemetry is connected to FortiGate or EMS.

When FortiClient Telemetry is connected to FortiGate, the Compliance tab displays whether FortiClient and the endpoint device are compliant with the compliance rules defined by FortiGate. When FortiClient and/or the endpoint device are not compliant, the Compliance tab displays information about how FortiClient and the endpoint device can be returned to a status of compliant.

You can also use the Compliance tab to connect FortiClient Telemetry to FortiGate/EMS and disconnect FortiClient Telemetry from FortiGate/EMS.

Enable compliance

For FortiClient in standalone mode, the Compliance tab is not used.

For FortiClient in managed mode, an administrator enables and disables endpoint compliance by using

FortiGate. When endpoint compliance is enabled, FortiClient must be installed on endpoint devices, and FortiClient Telemetry must be connected to FortiGate. When FortiClient Telemetry is connected, the FortiClient endpoint receives a profile from FortiGate that contains the compliance rules and optionally some FortiClient configuration information.

If FortiGate is integrated with EMS, the FortiClient endpoint might also receive a profile from EMS that contains FortiClient configuration information.

Connect FortiClient Telemetry manually

On endpoints, FortiClient Telemetry must be connected to FortiGate to use the compliance feature. Alternately, FortiClient Telemetry can be connected to EMS, but you cannot use the compliance feature when FortiClient Telemetry is connected to EMS.

If FortiClient Telemetry was not automatically connected after FortiClient installation, you can manually connect FortiClient Telemetry to FortiGate/EMS.

To manually connect FortiClient Telemetry:

  1. Go to the Compliance tab.
  2. In the FortiGate IP box, type the IP address or URL of FortiGate or EMS, and click Connect.

FortiClient Telemetry connects to FortiGate/EMS, FortiClient downloads a profile from FortiGate/EMS.

Disconnect FortiClient Telemetry

You must disconnect FortiClient Telemetry from FortiGate/EMS to connect to another FortiGate/EMS or to uninstall FortiClient.

To disconnect FortiClient Telemetry:

  1. On the Compliance tab, click the Click to Disconnect link. A confirmation dialog box is displayed.
  2. Click Yes to disconnect FortiClient from FortiGate/EMS.

After you disconnect FortiClient Telemetry from FortiGate/EMS, FortiClient Telemetry automatically connects with the FortiGate/EMS when you re-join the network. See also Forget gateway IP addresses on page 60.

View compliance status

Information available on the Compliance tab depends on whether FortiClient is running in standalone mode or managed mode. In managed mode, the information displayed on the Compliance tab also depends on whether FortiClient Telemetry is connected to FortiGate or FortiClient EMS.

When FortiClient Telemetry is connected to EMS and the feature is enabled in EMS, a picture of the endpoint user might display on the Compliance tab. FortiClient displays the picture that is defined for the Windows operating system on the endpoint device. If FortiClient cannot find a picture defined for the Windows operating system on the endpoint device, no picture is displayed on the Compliance tab.

Standalone mode

When FortiClient is running in standalone mode, the Compliance tab is not used. The Compliance tab is labeled Not Participating. The unlocked icon at the bottom left of the screen indicates that settings in FortiClient console are unlocked, and the endpoint user can change them.

If you want to use the compliance feature, you must connect FortiClient Telemetry to FortiGate.


The Compliance tab displays the following information:

FortiGate IP Type the IP address or URL of FortiGate/EMS, and click Connect to connect FortiClient Telemetry.
Unlocked icon Indicates that the settings in FortiClient console are unlocked and can be changed.

FortiClient Telemetry connected to EMS

When FortiClient Telemetry is connected to EMS, compliance is not enforced. The Compliance tab is labeled Connected to EMS. The locked icon at the bottom left of the screen indicates that settings in the FortiClient console are locked by EMS. EMS controls the settings by pushing a profile to FortiClient.

The Compliance tab displays the following information:

Compliance status Indicates that the compliance enforcement feature requires FortiClient Telemetry connection to FortiGate.
FortiClient EMS information Displays the name and IP address of the EMS to which FortiClient Telemetry is connected. You can disconnect by clicking the Click to Disconnect link, view details about the endpoint device by clicking the View Details link, and view the gateway IP list that FortiClient is using for FortiClient Telemetry connection by clicking the Show IP List That This FortiClient is Sending Telemetry Data to link.
FortiClient Telemetry information Displays how often FortiClient Telemetry communicates with FortiClient EMS and when the next communication will occur. FortiClient Telemetry also downloads FortiClient configuration information from EMS.
Locked icon Indicates that the settings in FortiClient console are locked by EMS. You can change the settings by using a profile in EMS.

FortiClient Telemetry connected to FortiGate

When FortiClient Telemetry is connected to FortiGate, network access compliance is enforced. The locked icon at the bottom left of the screen indicates one of the following statuses:

  • The settings in the FortiClient console are locked by the profile from EMS. In this case, FortiGate is integrated with EMS, and the non-compliance action in FortiGate is set to block or warn. FortiGate provides the compliance rules, and EMS provides the profile of FortiClient settings.
  • The settings in the FortiClient console are unlocked. In this case, FortiGate provides the compliance rules, and the non-compliance action in FortiGate is set to auto-update. You can change the FortiClient settings unrelated to the compliance rules.

In the following example, FortiClient Telemetry is connected to FortiGate, but EMS provides the profile of FortiClient settings. The settings are locked by EMS.

In the following example, FortiClient Telemetry is connected to FortiGate, and a profile is not provided by EMS. The settings are locked by FortiGate.


The Compliance tab displays the following information:

Compliance status Displays the compliance status of the computer on which FortiClient is installed. The computer is either in compliance or not compliant with FortiGate.
FortiGate information Displays the name and IP address of the FortiGate to which FortiClient Telemetry is connected. You can perform the following actions:

  • Disconnect FortiClient Telemetry by clicking the Click to Disconnect link
  • View details about the endpoint device by clicking the View Details link
  • View compliance rules from FortiGate by clicking the Show Compliance Rules From <FortiGate> link
  • View the gateway IP list being used for FortiClient Telemetry connection by clicking the Show IP List That This FortiClient is Sending Telemetry Data to link

FortiClient Telemetry information Displays how often FortiClient Telemetry communicates with FortiGate and when the next communication will occur. FortiClient Telemetry communicates information between FortiClient and FortiGate, sending status information to FortiGate and receiving network-access rules and possibly some FortiClient configuration information from FortiGate. When FortiGate is integrated with EMS, notification information is also sent to EMS. Depending on the FortiGate settings, EMS might also send FortiClient configuration information to FortiClient.

Monitoring Displays whether the endpoint is monitored by EMS.
Locked or unlocked icon Indicates whether the settings in FortiClient console are locked or unlocked.

View user details

You can view user details when FortiClient is compliant with FortiGate rules. You cannot view user details when FortiClient is not compliant with FortiGate rules.

To view user details:

  1. On the Compliance tab, view the name of the user beside the View Details link.
  2. Click the View Details link to view the following information:
Online/offline Displays whether the endpoint device is online or offline. A green icon indicates the endpoint is online.
Off-Net/On-Net Displays whether the endpoint device is on-net or off-net. A green On-Net icon indicates the endpoint is on-net.
Username Displays the name of the user logged into FortiClient on the endpoint.
Hostname Displays the name of the device on which FortiClient is installed.
Domain Displays the name of the domain to which the endpoint device is connected, if applicable.
  3. Click the X to close the dialog box.

View gateway IP lists

You can view the following gateway IP lists in FortiClient:

  • Gateway IP List

The Gateway IP list is created by administrators. Endpoint users cannot change the list. For more information, see Telemetry Gateway IP Lists on page 31.

  • Local Gateway IP List

The Local Gateway IP list is created by endpoint users. It is the list of remembered FortiGate/EMS devices. When FortiClient Telemetry is connected for the first time, you can choose to remember the gateway IP address. See Remember gateway IP addresses on page 52.

The gateway IP lists are used to automatically connect FortiClient Telemetry to FortiGate/EMS.

To view gateway IP lists:

  1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.

The Gateway IP List and the Local Gateway IP List are displayed.

  2. Click X to close the list.

Forget gateway IP addresses

When you instruct FortiClient to forget an IP address for FortiGate/EMS, FortiClient Telemetry will not use the IP address to automatically connect to FortiGate/EMS when re-joining the network.

To forget FortiGate/EMS:

  1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.
  2. In the Local Gateway IP List, click Forget beside the gateway IP addresses that you no longer want FortiClient to remember.
  3. Click X to close the list.

Fix not compliant status

You can maintain compliance by ensuring that FortiClient software is configured to meet the requirements specified in the compliance rules defined by the FortiGate to which FortiClient Telemetry is connected. FortiGate might also require the endpoint device to run a specific version of FortiClient or operating system software.

When FortiClient displays a status of Not-Compliant, you can take actions that will make FortiClient compliant with FortiGate again.

View not-compliant status

When a FortiClient endpoint does not comply with the FortiGate compliance rules, the Compliance tab displays a status of Not-Compliant.


The following information is displayed on the Compliance tab:

This computer is Not Compliant with Displays the name and IP address of the FortiGate to which FortiClient Telemetry is connected. You can view the compliance rules by clicking the Show Compliance Rules from <FortiGate> link.
Vulnerability Scan Displays critical vulnerabilities found for the endpoint when detected. You must fix the critical vulnerabilities to return to compliant status by clicking Fix Now. You can also click the Details link to view details about the vulnerabilities.
Software Out of Date Displays whether FortiClient software is outdated. You must upgrade to the specified FortiClient version to return to compliant status by clicking Update Now.
System Compliant Displays whether the operating system of the endpoint complies with FortiGate rules. You must use the specified operating system to return to compliant status. You can view the allowed operating systems by clicking the Details link.
Fix All Click to fix all reported issues. This option is available when the non-compliance setting in FortiGate is set to block or warn, and EMS has not provided a profile to the FortiClient endpoint. This option is not available when the non-compliance setting in FortiGate is set to auto-update.

If the Fix All link is not displayed, contact your administrator to help adjust the FortiClient Console and computer settings to remain in compliance with FortiGate.

View compliance rules

When FortiClient Telemetry is connected to FortiGate, you can view the compliance rules from FortiGate. The compliance rules communicate the settings required on FortiClient console for the FortiClient endpoint to remain compliant.


To view compliance rules:

  1. On the Compliance tab, click the Show Compliance Rules From <FortiGate> link.

The compliance rules from FortiGate are displayed.

  2. Click Close to return to the Compliance tab.

Fix now

Issues that caused a not-compliant status can be fixed to return FortiClient endpoints to a compliant status. When available, you can click the Update Now, Fix Now, or Fix All links on the Compliance tab to return FortiClient endpoints to compliant status.

When FortiClient has a not compliant status and the Update Now, Fix Now, or Fix All links are not displayed, endpoint users should contact their system administrator for help with configuring the endpoint and FortiClient Console to remain in compliance with FortiGate.

Which links are available depends on the configuration of FortiGate and EMS. The following table summarizes when links are available:

Configuration | Compliance Rules | FortiClient Configuration | Options
FortiGate | Yes | No | FortiClient settings are unlocked. Click Update Now, Fix Now, and Fix All links when available.
FortiGate integrated with EMS | Yes | No | FortiClient settings are unlocked. Click Update Now, Fix Now, and Fix All links when available.
FortiGate integrated with EMS | Yes | Yes | FortiClient settings are locked by EMS. Use EMS to update the profile that contains the FortiClient configuration to meet the requirements of the compliance rules.

To fix now:

  1. On the Compliance tab, perform one of the following options:

  • Click Fix All.
  • Click Update Now.
  • Click Fix Now.

The non-compliance issues are fixed, and the FortiClient endpoint returns to a status of compliant.

  2. If the Fix All, Update Now, or Fix Now links are not displayed on the Compliance tab, contact your system administrator for help with changing the endpoint and FortiClient Console settings.

Examples of blocked FortiClient endpoints

FortiClient endpoint access to the network can be blocked a number of ways. The following table provides examples of how FortiClient endpoints can be blocked from accessing the network and how to regain access.

Configuration | Failure | Blocked By | Solution
Endpoint control is enabled on FortiGate. FortiClient Telemetry is connected to FortiGate. | FortiClient configuration fails to meet the compliance rules specified by FortiGate. | FortiClient | View the Compliance tab in FortiClient console, and follow the instructions to configure FortiClient to meet the compliance rules specified by FortiGate.
Endpoint control is enabled on FortiGate. FortiClient Telemetry is not connected to FortiGate. | FortiClient Telemetry is not connected. | FortiGate | In FortiClient console, connect FortiClient Telemetry to FortiGate.

View notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the notifications icon will change from gray to yellow.

Event notifications include:

  • Antivirus events, including scheduled scans and detected malware.
  • Endpoint Control events, including configuration updates received from FortiGate.
  • WebFilter events, including blocked web site access attempts.
  • System events, including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

To view notifications:

  1. In FortiClient Console, click the Notifications icon in the top-right corner. The list of notifications is displayed.
  2. Click Close to close the list.

FortiClient Telemetry Connection

In managed mode, FortiClient uses a gateway IP address to connect FortiClient Telemetry to FortiGate or FortiClient EMS. For more information, see Telemetry Gateway IP Lists on page 31.

How FortiClient locates FortiGate/EMS

FortiClient uses the following methods in the following order to automatically locate FortiGate/EMS for Telemetry connection:

  • Telemetry Gateway IP List

FortiClient Telemetry searches for IP addresses in its subnet in the Gateway IP list. It connects to the FortiGate in the list that is also in the same subnet as the host system.

If FortiClient cannot find any FortiGates in its subnet, it will attempt to connect to the first reachable FortiGate in the list, starting from the top. The order of the list is maintained as it was configured in the Gateway IP list.

  • Remembered gateway IP list

You can configure FortiClient to remember gateway IP addresses when you connect Telemetry to FortiGate/EMS. Later FortiClient can use the remembered IP addresses to automatically connect Telemetry to FortiGate/EMS.

  • Default gateway IP address

The default gateway IP address is specified on the FortiClient endpoint and is used to automatically connect to FortiGate. This method does not support connection to EMS.

FortiClient obtains the default gateway IP address from the operating system on the endpoint device. The default gateway IP address of the endpoint device should be the IP address for the FortiGate interface with Telemetry enabled.

If FortiClient is unable to automatically locate a FortiGate/EMS on the network for Telemetry connection, you can use the following method to manually connect Telemetry to FortiGate/EMS:

  • Type the gateway IP address of FortiGate/EMS. See Connect FortiClient Telemetry manually on page 54.

FortiClient uses the same process to connect Telemetry to FortiGate/EMS after the FortiClient endpoint reboots, rejoins the network, or encounters a network change.
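The selection order described above, modelled as an added Python example that is not FortiClient code. It shows why list order and subnet placement matter: an entry that is in the endpoint's subnet wins regardless of its position, otherwise the first entry from the top that responds is used, and only then do the remembered list and the endpoint's default gateway come into play. The function name, the reachability callback and all sample addresses are assumptions made for illustration; the example treats a same-subnet entry that does not respond as skipped, which the text does not state explicitly.

```python
"""Added example (not FortiClient code): models the gateway selection order
described in "How FortiClient locates FortiGate/EMS". Function names and the
sample addresses are assumptions made for illustration."""
import ipaddress
from typing import Callable, Iterable, Optional


def select_telemetry_gateway(
    host_ip: str,
    host_prefix: int,
    gateway_ip_list: Iterable[str],
    remembered_ip_list: Iterable[str],
    default_gateway: Optional[str],
    reachable: Callable[[str], bool],
) -> Optional[str]:
    """Return the gateway that Telemetry would connect to first, or None.

    Order, as documented:
      1. Gateway IP List: an entry in the host's subnet (configured order
         preserved); otherwise the first reachable entry from the top.
      2. Remembered (Local) Gateway IP List.
      3. The endpoint's default gateway (FortiGate only, not EMS).
    `reachable` stands in for the connection attempt; here it is a callback
    so the logic can be exercised offline.
    """
    subnet = ipaddress.ip_network(f"{host_ip}/{host_prefix}", strict=False)
    gw_list = list(gateway_ip_list)

    # 1a. Same-subnet entries first, in the order the administrator listed them.
    for gw in gw_list:
        if ipaddress.ip_address(gw) in subnet and reachable(gw):
            return gw

    # 1b. No same-subnet match: first reachable entry, starting from the top.
    for gw in gw_list:
        if reachable(gw):
            return gw

    # 2. Remembered gateways chosen earlier by the endpoint user.
    for gw in remembered_ip_list:
        if reachable(gw):
            return gw

    # 3. Default gateway of the endpoint (must be the FortiGate interface with
    #    Telemetry enabled for this to succeed).
    if default_gateway and reachable(default_gateway):
        return default_gateway

    return None


def demo() -> Optional[str]:
    """Constructed scenario: the off-subnet entry is listed first, but the
    same-subnet FortiGate at 10.1.2.1 is chosen because subnet match wins."""
    responding = {"10.1.2.1", "192.0.2.10"}  # constructed sample, not real hosts
    return select_telemetry_gateway(
        host_ip="10.1.2.50",
        host_prefix=24,
        gateway_ip_list=["192.0.2.10", "10.1.2.1"],
        remembered_ip_list=["203.0.113.5"],
        default_gateway="10.1.2.254",
        reachable=lambda ip: ip in responding,
    )


if __name__ == "__main__":
    print(demo())  # 10.1.2.1
```

Because step 1b and step 3 fall back to "whatever responds first", an administrator who wants Telemetry data to reach a specific FortiGate should place that device's address in the endpoint's subnet or at the top of the Gateway IP List rather than relying on the default-gateway fallback.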


Connect FortiClient Telemetry after installation

After FortiClient software installation completes on an endpoint, FortiClient automatically launches and searches for a FortiGate or FortiClient EMS for FortiClient Telemetry connection. See also How FortiClient locates FortiGate/EMS on page 51.

When FortiClient locates a FortiGate or EMS, the FortiGate Detected or Enterprise Management Server (EMS) Detected dialog box is displayed.

The following options are available:

Endpoint User Displays the name of the endpoint user that is logged into the endpoint device.
Logged into Domain Displays the name of domain if applicable.
Hostname Displays the name of the endpoint device.
Profile Details Click to display details of the profile that FortiClient will download after you accept connection to FortiGate/EMS. See also FortiClient profiles on page 29.
Remember this FortiGate Select for FortiClient to remember the gateway IP address of the FortiGate/EMS to which you are connecting Telemetry. See also Remember gateway IP addresses on page 52.

Click Accept to connect FortiClient Telemetry to the identified FortiGate/EMS. Alternately, you can click Cancel to launch FortiClient software without connecting FortiClient Telemetry. FortiClient launches in standalone mode. You can manually connect FortiClient Telemetry later.

After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient downloads a profile from FortiGate/EMS. A system tray bubble message will be displayed once the profile download is complete.

Remember gateway IP addresses

When you confirm Telemetry connection to a FortiGate/EMS, you can instruct FortiClient to remember the gateway IP address of the FortiGate/EMS. If a connection key is required, FortiClient remembers the connection password too. FortiClient can remember up to 20 gateway IP addresses for FortiGate/EMS.

The remembered IP addresses display in the Local Gateway IP list. FortiClient can use the remembered gateway IP addresses to automatically connect to FortiGate/EMS.

See also Forget gateway IP addresses on page 60.

To remember FortiGate/EMS:

  1. In the FortiGate/EMS Detected dialog box, select the Remember this FortiGate or Remember this EMS (not shown) check box.
  2. Click Accept.

FortiClient remembers the IP address and password, if applicable.


Deploy FortiClient using EMS

You can use FortiClient EMS to deploy FortiClient (Windows) in managed mode to devices in your network that are running a supported Windows operating system. For installation information, see the FortiClient EMS Administration Guide.

When deploying FortiClient from EMS to endpoints running a Windows operating system, an upgrade schedule dialog box is displayed in advance. If no FortiClient is installed on the endpoint, no reboot is required for the installation, and no upgrade schedule dialog box is displayed. The user can postpone the reboot for a maximum of 24 hours. Before the mandatory reboot occurs, a FortiClient dialog box is displayed with a 15-minute warning.

Upgrade FortiClient

For information about supported upgrade paths for FortiClient, see the FortiClient Release Notes.


Deploy FortiClient using Microsoft Active Directory servers

There are multiple ways to deploy FortiClient to endpoint devices including using Microsoft Active Directory (AD).


The following instructions are based on Microsoft Windows Server 2008. If you are using a different version of Microsoft Server, your MMC or snap-in locations may be different.

Using Microsoft AD to deploy FortiClient:

  1. On your domain controller, create a distribution point.
  2. Log on to the server computer as an administrator.
  3. Create a shared network folder where the FortiClient MSI installer file will be distributed from.
  4. Set file permissions on the share to allow access to the distribution package. Copy the FortiClient MSI installer package into this share folder.
  5. Select Start > Administrative Tools > Active Directory Users and Computers.
  6. After selecting your domain, right-click to select a new Organizational Unit (OU).
  7. Move all the computers you wish to distribute the FortiClient software to into the newly-created OU.
  8. Select Start > Administrative Tools > Group Policy Management. The Group Policy Management MMC Snap-in will open. Select the OU you just created. Right-click it, and select Create a GPO in this domain, and Link it here. Give the new GPO a name, then select OK.
  9. Expand the Group Policy Object container and find the GPO you just created. Right-click the GPO and select Edit. The Group Policy Management Editor MMC Snap-in will open.
  10. Expand Computer Configuration > Policies > Software Settings. Right-click Software Settings and select New > Package.
  11. Select the path of your distribution point and FortiClient installer file and then select Open. Select Assigned and select OK. The package will then be generated.
  12. If you wish to expedite the installation process, on both the server and client computers, force a GPO update.
  13. The software will be installed on the client computer’s next reboot. You can also wait for the client computer to poll the domain controller for GPO changes and install the software then.

Uninstall FortiClient using Microsoft Active Directory server:

  1. On your domain controller, select Start > Administrative Tools > Group Policy Management. The Group Policy Management MMC Snap-in will open. Expand the Group Policy Objects container and right-click the Group Policy Object you created to install FortiClient and select Edit. The Group Policy Management Editor will open.
  2. Select Computer Configuration > Policies > Software Settings > Software Installation. You will now be able to see the package that was used to install FortiClient.
  3. Right-click the package, and select All Tasks > Remove. Choose Immediately uninstall the software from users and computers, or Allow users to continue to use the software but prevent new installations. Select OK. The package is deleted.
  4. If you wish to expedite the uninstall process, on both the server and client computers, force a GPO update as shown in the previous section. The software will be uninstalled on the client computer’s next reboot. You can also wait for the client computer to poll the domain controller for GPO changes and uninstall the software then.