Settings
This section describes the available options in the settings menu.
Backup or restore full configuration
To back up or restore the full configuration file, select File > Settings from the toolbar. Expand the System section, then select Backup or Restore as needed. Restore is only available when operating in standalone mode.
When performing a backup you can select the file destination, password requirements, and add comments as needed.
Logging
To configure logging, select File > Settings from the toolbar then expand the Logging section.
VPN | VPN logging is available when in standalone mode or when registered to FortiGate/EMS. |
Application Firewall | Application Firewall logging is available when registered to FortiGate/EMS. |
AntiVirus | Antivirus activity logging is available when in standalone mode or when registered to FortiGate/EMS. |
Web Filter | Web Filter logging is available when in standalone mode (Web Security) or when registered to FortiGate/EMS. |
Update | Update logging is available when in standalone mode or when registered to FortiGate/EMS. |
Vulnerability Scan | Vulnerability Scan logging is available when registered to FortiGate/EMS. |
Log Level | This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured). |
Log File | The option to export the log file (.log) is available when in standalone mode or when registered to FortiGate/EMS. The option to clear logs is only available when in standalone mode. |
The following table lists the logging levels and their descriptions:
Logging Level | Description |
Emergency | The system becomes unstable. |
Alert | Immediate action is required. |
Critical | Functionality is affected. |
Error | An error condition exists and functionality could be affected. |
Warning | Functionality could be affected. |
Notice | Information about normal events. |
Information | General information about system operations. |
Debug | Debug FortiClient. |
It is recommended to use the debug logging level only when needed. Do not leave the debug logging level permanently enabled in a production environment to avoid unnecessarily consuming disk space.
Configure logging to FortiAnalyzer or FortiManager
To configure FortiClient to log to your FortiAnalyzer or FortiManager you require the following:
- FortiClient 5.2.0 or later
- A FortiGate device running FortiOS 5.2.0 or later, or EMS 1.0
- A FortiAnalyzer or FortiManager device running 5.0.7 or later
The registered FortiClient device will send traffic logs, vulnerability scan logs, and event logs to the log device on port 514 TCP.
Enable logging on the FortiGate device:
- On your FortiGate device, select Log & Report > Log Settings. The Log Settings window opens.
- Enable Send Logs to FortiAnalyzer/FortiManager.
- Enter the IP address of your log device in the IP Address field. You can select Test Connectivity to ensure your FortiGate is able to communicate with the log device on this IP address.
- Select Apply to save the setting.
Enable logging in the FortiGate FortiClient profile:
- Go to Security Profiles > FortiClient Profiles.
- Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page opens.
- In the Advanced tab, enable Upload Logs to FortiAnalyzer.
- Select either Same as System to send the logs to the FortiAnalyzer or FortiManager configured in the Log Settings, or Specify to enter a different IP address.
- In the Schedule field, select to upload logs either Hourly or Daily.
- Select Apply to save the settings.
Once the FortiClient Profile change is synchronized with the client, you will start receiving logs from registered clients on your FortiAnalyzer/FortiManager system.
Alternatively, you can configure logging in the command line interface. Go to System > Dashboard > Status. In the CLI Console widget, enter the following CLI commands:
    config endpoint-control profile
        edit <profile-name>
            config forticlient-winmac-settings
                set forticlient-log-upload enable
                set forticlient-log-upload-server <IP address>
                set forticlient-log-upload-schedule {hourly | daily}
                set forticlient-log-ssl-upload {enable | disable}
                set client-log-when-on-net {enable | disable}
            end
    end
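The following is an added example, not part of the original guide or Fortinet code: a small Python check that reads FortiGate configuration text and lists the FortiClient profiles whose forticlient-log-upload or forticlient-log-ssl-upload setting is not set to enable. The names parse_profiles, audit and SAMPLE are made up for this example, and the rule that both settings must read "enable" is an assumed local policy; a setting that does not appear in the text is reported as well.

```python
import shlex

ROOT = ("config", "endpoint-control profile")
SECTION = ("config", "forticlient-winmac-settings")
REQUIRED = ("forticlient-log-upload", "forticlient-log-ssl-upload")

# Constructed sample in FortiOS CLI layout; the profile names are made up.
SAMPLE = """
config endpoint-control profile
    edit "branch"
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-ssl-upload disable
        end
    next
    edit "hq"
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-ssl-upload enable
        end
    next
end
"""

def parse_profiles(text):
    """Return {profile: {setting: value}} from each profile's SECTION block."""
    stack, profiles = [], {}
    for line in text.splitlines():
        verb, *args = shlex.split(line) or [""]
        if verb in ("config", "edit"):
            stack.append((verb, " ".join(args)))
            if verb == "edit" and stack[:-1] == [ROOT]:
                profiles[stack[-1][1]] = {}
        elif verb == "next":  # closes the innermost edit
            while stack and stack.pop()[0] != "edit":
                pass
        elif verb == "end":  # closes any open edit, then one config block
            while stack and stack.pop()[0] == "edit":
                pass
        elif (verb == "set" and len(args) > 1 and len(stack) == 3
              and stack[0] == ROOT and stack[1][0] == "edit" and stack[2] == SECTION):
            profiles[stack[1][1]][args[0]] = " ".join(args[1:])
    return profiles

def audit(profiles):
    """Return (profile, setting) pairs where a REQUIRED setting is not 'enable'."""
    return [(name, key) for name, cfg in sorted(profiles.items())
            for key in REQUIRED if cfg.get(key) != "enable"]
```

Calling audit(parse_profiles(SAMPLE)) returns a single finding, for the "branch" profile; the parser also accepts the shorter end/end form used in the commands above.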
To download the FortiClient log files on the FortiAnalyzer go to the Log View tab, select the ADOM, and select the FortiClient menu object.
Enable logging in the EMS endpoint profile:
- On EMS, select an endpoint profile, then go to the System Settings
- Enable Upload Logs to FortiAnalyzer/FortiManager.
- Enter the IP address or hostname, schedule upload (in minutes), and log generation timeout (in seconds).
- Select Save to save the settings.
Updates
To configure updates, select File > Settings from the toolbar, then expand the System section.
Select to either automatically download and install updates when they are available on the FortiGuard Distribution Servers, or to send an alert when updates are available.
This setting can only be configured when in standalone mode.
You can select to use a FortiManager device for signature updates. When configuring the endpoint profile, select Use FortiManager for client software/signature updates to enable the feature and enter the IP address of your FortiManager device.
To configure FortiClient to use FortiManager for signature updates (FortiGate):
- On your FortiOS device, select Security Profiles > FortiClient Profiles.
- On the Advanced tab, enable FortiManager updates.
- Specify the IP address or domain name of the FortiManager device.
- Select Failover to FDN to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
- Select Apply to save the settings.
To configure FortiClient to use FortiManager for signature updates (EMS):
- On EMS, select an endpoint profile, then go to the System Settings
- Toggle the Use FortiManager for client software/signature update option to ON.
- Specify the IP address or hostname of the FortiManager device.
- Select Failover to FDN when FortiManager is not available to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
- Select Save to save the settings.
VPN options
To configure VPN options, select File > Settings from the toolbar and expand the VPN section. Select Enable VPN before logon to enable VPN before log on.
This setting can only be configured when in standalone mode.
Certificate management
To configure VPN certificates, select File > Settings from the toolbar and expand the Certificate Management section. Select Use local certificate uploads (IPsec only) to configure IPsec VPN to use local certificates and import certificates to FortiClient.
This setting can only be configured when in standalone mode.
Antivirus options
To configure antivirus options, select File > Settings from the toolbar and expand the Antivirus Options section.
These settings can only be configured when in standalone mode.
Configure the following settings:
Grayware Options | Grayware is an umbrella term applied to a wide range of malicious applications such as spyware, adware and key loggers that are often secretly installed on a user’s computer to track and/or report certain information back to an external source without the user’s permission or knowledge. |
Adware | Select to enable adware detection and quarantine during the antivirus scan. |
Riskware | Select to enable riskware detection and quarantine during the antivirus scan. |
Scan removable media on insertion | Select to scan removable media when it is inserted. |
Alert when viruses are detected | Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. When Alert when viruses are detected under AntiVirus Options is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser. |
Pause background scanning on battery power | Select to pause background scanning when your computer is operating on battery power. |
Enable FortiGuard Analytics | Select to automatically send suspicious files to the FortiGuard Network for analysis. |
When registered to FortiGate, you can select to enable or disable FortiClient Antivirus Protection in the FortiClient Profile.
Advanced options
To configure advanced options, select File > Settings from the toolbar and expand the Advanced section.
These settings can only be configured when in standalone mode. When registered to FortiGate/EMS, these settings are set by the XML configuration (if configured).
Configure the following settings:
Enable WAN Optimization | Select to enable WAN Optimization. Enable this option only if you have a FortiGate device and your FortiGate is configured for WAN Optimization. This setting can be configured when in standalone mode. |
Maximum Disk Cache Size | Select to configure the maximum disk cache size. The default value is 512MB. |
Enable Single Sign-On mobility agent | Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device. This setting can be configured when in standalone mode. |
Server address | Enter the FortiAuthenticator IP address. |
Customize port | Enter the port number. The default port is 8001. |
Pre-shared Key | Enter the pre-shared key. The pre-shared key should match the key configured on your FortiAuthenticator device. |
Disable proxy (troubleshooting only) | Select to disable proxy when troubleshooting FortiClient. This setting can be configured when in standalone mode. |
Default tab | Select the default tab to be displayed when opening FortiClient. This setting can be configured when in standalone mode. |
Single Sign-On mobility agent
The FortiClient Single Sign-On (SSO) Mobility Agent is a client that updates FortiAuthenticator with user logon and network information.
FortiClient/FortiAuthenticator protocol
The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator, which replies with an acknowledgment packet.
FortiClient/FortiAuthenticator communication requires the following:
- The IP address should be unique in the entire network.
- The FortiAuthenticator should be accessible from clients in all locations.
- The FortiAuthenticator should be accessible by all FortiGates.
FortiClient Single Sign-On Mobility Agent requires a FortiAuthenticator running 2.0.0 or later, or v3.0.0 or later. Enter the FortiAuthenticator (server) IP address, port number, and the pre-shared key configured on the FortiAuthenticator.
Enable Single Sign-On mobility agent on FortiClient:
- Select File in the toolbar and select Settings in the drop-down menu.
- Select Advanced to view the drop-down menu.
- Select Enable Single Sign-On mobility agent.
- Enter the FortiAuthenticator server address and the pre-shared key.
This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured).
Enable FortiClient SSO mobility agent service on the FortiAuthenticator:
- Select Fortinet SSO Methods > SSO > General. The Edit SSO Configuration page opens.
- Select Enable FortiClient SSO Mobility Agent Service and enter a TCP port value for the listening port.
- Select Enable authentication and enter a secret key or password.
- Select OK to save the setting.
To enable FortiClient FSSO services on the interface:
- Select System > Network > Interfaces. Select the interface and select Edit from the toolbar. The Edit Network Interface window opens.
- Select the checkbox to enable FortiClient FSSO.
- Select OK to save the setting.
To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.
For information on purchasing a FortiClient license for FortiAuthenticator, please contact your authorized Fortinet reseller.
Configuration lock
To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked, configuration changes are restricted and FortiClient cannot be shut down or uninstalled.
When the configuration is locked you can perform the following actions:
- Antivirus
  - Complete an antivirus scan, view threats found, and view logs
  - Select Update Now to update signatures
- Web Security
  - View violations
- Application Firewall
  - View applications blocked
- Remote Access
  - Configure, edit, or delete an IPsec VPN or SSL VPN connection
  - Connect to a VPN connection
- Vulnerability Scan
  - Complete a vulnerability scan of the system
  - View vulnerabilities found
- Register and unregister FortiClient for Endpoint Control
- Settings
  - Export FortiClient logs
  - Backup the FortiClient configuration
To perform configuration changes or to shut down FortiClient, select the lock icon and enter the password used to lock the configuration.
FortiTray
When FortiClient is running on your system, you can select the FortiTray icon in the Windows system tray to perform various actions. The FortiTray icon is available in the system tray even when the FortiClient console is closed.
- Default menu options
  - Open FortiClient console
  - Shutdown FortiClient
- Dynamic menu options depending on configuration
  - Connect to a configured IPsec VPN or SSL VPN connection
  - Display the antivirus scan window (if a scheduled scan is currently running)
  - Display the Vulnerability scan window (if a vulnerability scan is running)
If you hover the mouse cursor over the FortiTray icon, you will receive various notifications including the version, antivirus signature, and antivirus engine.
Connect to a VPN connection
To connect to a VPN connection from FortiTray, go to the Windows System Tray and right-click the FortiTray icon. Select the connection you wish to connect to, enter your username and password in the authentication window, then select OK to connect.