FortiClient 5.4.1 Administration Guide (excerpt)

Configure FortiClient profiles

FortiGate includes a default FortiClient profile. You can edit the default profile or create a new profile. FortiClient profiles are used to communicate compliance rules to FortiClient endpoints.

Assigning the profile to device groups, user groups, and users is possible only when you create a new FortiClient profile, not when you edit the default profile. Assignment to user groups and users requires Active Directory authentication.

For more information about creating FortiClient profiles by using FortiGate, see the FortiOS Handbook-Security Profiles.

To configure FortiClient profiles:

  1. Go to Security Profiles > FortiClient Profiles. Edit the default profile or create a new FortiClient profile.
  2. Set the following options:
Profile Name: Type a name for the profile.
Comments: Type comments about the profile.
Assign Profile To: Click to specify which devices, users, and addresses receive the FortiClient profile. This option is available only when Multiple Security Profiles is enabled (System > Feature Select) and you are creating a new profile.
FortiClient endpoint compliance: Use the options in this section to specify how to handle FortiClient endpoints that fail the compliance rules.
Non-compliance action: Select Block, Warning, or Auto-update. See also Non-compliance action. With Block or Warning, FortiGate reports the failed rule to the endpoint but does not change its configuration; with Auto-update, FortiGate attempts to configure the endpoint so that it becomes compliant.
Endpoint Vulnerability Scan on Client: Enable or disable. When enabled, FortiClient is required to have Vulnerability Scan enabled. When Non-compliance action is Auto-update, FortiGate alone can enable and configure Vulnerability Scan on the endpoint; no EMS profile is needed.
System Compliance: Enable or disable. When enabled, a minimum FortiClient version is required on endpoints. When Non-compliance action is Auto-update, FortiGate alone can enable and configure the minimum FortiClient version. You can also enable logging to FortiAnalyzer and select which log types to send.
AntiVirus: Enable or disable. When enabled, the FortiClient console is required to have AntiVirus enabled. When Non-compliance action is Auto-update, FortiGate alone can enable and configure AntiVirus.
Web Filter: Enable or disable, and select a profile. When enabled, FortiClient is required to have Web Filter enabled. When Non-compliance action is Auto-update, FortiGate alone can enable and configure Web Filter.
Application Firewall: Enable or disable, and select a profile. When enabled, FortiClient is required to have Application Firewall enabled. When Non-compliance action is Auto-update, FortiGate alone can enable and configure Application Firewall.
  3. Click OK.

Enable a key password for FortiTelemetry connection

You can configure a connection key password for FortiClient Telemetry connection to FortiGate devices. When connecting FortiClient Telemetry to FortiGate, the user must enter the connection key password in FortiClient console before the connection can be completed.

You must use the CLI to enable a key password.

To enable key password:

  1. On your FortiGate device, go to Dashboard > CLI Console and enter the following CLI commands:

     config endpoint-control settings
         set forticlient-key-enforce enable
         set forticlient-reg-key <password>
     end

FortiClient users can choose to remember the connection key password in the FortiClient console when they connect FortiClient Telemetry. The key is a single shared secret that every user enters and can store locally, so it guards against endpoints connecting to the wrong FortiGate; it is not per-user authentication.

View connected FortiClient endpoints

You can view all connected FortiClient endpoints in FortiGate GUI. On FortiGate, each new connection is automatically added to the device table.

To view connected devices, go to Monitor > FortiClient Monitor.

Configure FortiClient Telemetry connections with AD user groups

Use FortiClient console

This section describes how a FortiClient endpoint user can use the FortiClient console when FortiClient is managed by FortiGate/EMS.

To use the FortiClient console:

  1. View FortiClient Telemetry connection status, last profile update, and the gateway IP list. See Compliance.

If FortiClient Telemetry is connected to FortiGate, you can also view compliance status and instructions for remaining compliant on the Compliance tab.

  2. View AntiVirus threats. See AntiVirus.
  3. View web filter results. See View violations.
  4. View application firewall results. See Application Firewall.
  5. Configure and use remote access. See IPsec VPN and SSL VPN.
  6. View vulnerability scan results. See Vulnerability Scan.
  7. View notifications. See View notifications.

Configure FortiGate

This section provides an overview of configuring FortiGate for endpoint control.

Get started

FortiGate endpoint control is configured by completing the following tasks:

  1. Enable the endpoint control feature. See Enable the Endpoint Control feature.
  2. Enable FortiTelemetry on an interface. See Enable FortiTelemetry on an interface.
  3. Configure firewall policies. See Configure firewall policies.
  4. Configure FortiClient profiles. See Configure FortiClient profiles.

After FortiClient software is installed on endpoints, and the FortiClient endpoints connect FortiTelemetry to FortiGate, FortiClient downloads a FortiClient profile from FortiGate.

Additional configuration options are available, depending on the needs of your network.

Enable the Endpoint Control feature

When using the GUI for configuration, you must enable endpoint control on FortiGate devices to use the device for FortiClient endpoint management.

When using the CLI for configuration, you can skip this step.

To enable the endpoint control feature:

  1. Go to System > Feature Select.
  2. In the Security Features list, enable Endpoint Control.
  3. In the Additional Features list, enable Multiple Security Profiles.
  4. Click Apply.

Enable FortiTelemetry on an interface

You must configure FortiClient communication on a FortiGate interface by specifying an IP address and enabling FortiTelemetry communication.

The IP address for the interface defines the gateway IP address for the FortiGate that FortiClient endpoints will use to connect FortiClient Telemetry to FortiGate.

You can also add any devices that are exempt from requiring FortiClient software to an exemption list for the interface.

To enable FortiTelemetry on an interface:

  1. Go to Network > Interfaces.
  2. Select an interface, and click Edit.
  3. Set the following options:
Address: In IP/Network Mask, type the gateway IP address that endpoints will connect to.
Restrict Access: Beside Administrative Access, select the FortiTelemetry check box so that endpoints on this interface can send FortiTelemetry to FortiGate. Enable it only on the interface that faces the endpoints, not on an Internet-facing interface.
Networked Devices: Enable Device Detection so that FortiGate can detect the operating system of connected endpoint devices.
Admission Control: Enable Enforce FortiTelemetry for All FortiClients to require endpoint compliance for all endpoints on this interface.
Click the Exempt Sources box and add the devices that are exempt from requiring FortiClient software with a FortiClient Telemetry connection to FortiGate. For example, FortiClient does not currently support the Linux operating system, so a Linux PC belongs in the Exempt Sources list.
Click the Exempt Destinations/Services box and add the destinations and services that endpoints may reach without a FortiClient Telemetry connection.
  4. Configure the remaining options as required.
  5. Click OK.

Configure firewall policies

You must configure a firewall policy that gives FortiClient endpoints access to the Internet. The policy must use the incoming interface on which FortiTelemetry is enabled and the outgoing interface(s) that FortiClient endpoints will use to reach the Internet. Without such a policy, endpoints on the FortiTelemetry interface cannot reach the Internet.

To configure firewall policies:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Click Create New in the toolbar. The New Policy window is displayed.
  3. In the Name box, type a name for the firewall policy.
  4. In the Incoming Interface list, select the port defined for FortiTelemetry communication.
  5. In the Outgoing Interface, select the port(s) defined for outgoing traffic from FortiGate.
  6. Configure the remaining options as required.
  7. Click OK.
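The interface and firewall-policy procedures above, expressed as one FortiOS CLI configuration. This is an added example, not configuration from the original guide: the interface names internal and wan1, the address 192.168.1.99/24, and the policy name are assumptions, and the CLI keywords for the FortiTelemetry access flag (fct) and for Enforce FortiTelemetry for All FortiClients (endpoint-compliance) should be confirmed on your build with the ? completion before use.

```fortios
# Added example, not from the FortiClient guide.
# Assumed names: "internal" = LAN interface the endpoints sit on,
# "wan1" = Internet-facing interface, 192.168.1.99/24 = gateway IP
# that FortiClient Telemetry connects to.
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        # "fct" is assumed to be the FortiTelemetry keyword on this build;
        # verify with: set allowaccess ?
        # Keep fct off Internet-facing interfaces such as wan1.
        set allowaccess ping https ssh fct
        set device-identification enable
        # Assumed CLI equivalent of "Enforce FortiTelemetry for All FortiClients".
        set endpoint-compliance enable
    next
end

# Policy from the FortiTelemetry interface to the Internet. "edit 0"
# creates the policy under the next free ID.
config firewall policy
    edit 0
        set name "FortiClient-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Check the result with show system interface internal and show firewall policy; an endpoint that has not connected FortiClient Telemetry should be held back by the compliance enforcement on the interface rather than by this policy, so the policy itself can stay permissive for compliant endpoints.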

Telemetry Gateway IP Lists

In managed mode, FortiClient can use a Telemetry Gateway IP List to automatically locate FortiGate/EMS for FortiClient Telemetry connection.

The Telemetry Gateway IP List is a list of gateway IP addresses that FortiClient can use to connect FortiClient Telemetry to FortiGate/EMS. After FortiClient installation completes on the endpoint device, FortiClient automatically launches and uses the Telemetry Gateway IP List to locate FortiGate/EMS for FortiClient Telemetry connection.

After FortiClient is installed on the endpoint and FortiClient Telemetry is connected to FortiGate/EMS, you can view the Telemetry Gateway IP List in the FortiClient console. See View gateway IP lists.

Configure Telemetry Gateway IP Lists (EMS)

FortiClient EMS includes the option to create one or more Telemetry Gateway IP Lists. The list can include IP addresses for EMS and for FortiGate. You can assign Telemetry Gateway IP Lists to domains and workgroups in EMS. You can also update the assigned Telemetry Gateway IP Lists after FortiClient is installed, and the updated lists are pushed to FortiClient endpoints. See the FortiClient EMS Administration Guide.

Configure Telemetry Gateway IP Lists (FortiGate)

If you are using FortiGate without EMS, you can add Telemetry Gateway IP addresses to the FortiClient installer by using the Configurator Tool. See Custom FortiClient Installations.

Get started

This section provides an overview of how to configure, provision, and use FortiClient in managed mode.
Configure endpoint management

Before you provision FortiClient in managed mode, you must configure FortiGate or EMS to manage FortiClient endpoints. You can use FortiGate, EMS, or both FortiGate/EMS to manage FortiClient endpoints. The configuration process depends on what product you will use to manage FortiClient endpoints.

When FortiGate is integrated with EMS, a FortiClient endpoint can receive two profiles, each with a different purpose. The profile from FortiGate communicates the compliance rules to the endpoint. If that profile sets the non-compliance action to Block or Warning, you can optionally create a profile in EMS to deliver the configuration settings for the FortiClient software on the endpoint. For more information, see the FortiClient EMS Administration Guide.

If the compliance action is set to block or warn in the FortiClient profile created by using FortiGate, FortiGate does not provision the FortiClient endpoint, and you must manually configure FortiClient or configure FortiClient by using EMS. If the compliance action is set to auto-update, FortiGate makes a best effort to provision FortiClient endpoints to be compliant with the compliance rules.

To configure endpoint management:

  1. Configure the product or products that you will use to manage FortiClient endpoints. The following table identifies where to find instructions:
FortiGate: Configure FortiGate endpoint control. See Configure FortiGate. For more information, see the FortiOS Handbook.
EMS: See the FortiClient EMS Administration Guide.
FortiGate integrated with EMS: For FortiGate, configure endpoint control (see Configure FortiGate and the FortiOS Handbook). For EMS, see the FortiClient EMS Administration Guide.

After you configure EMS, FortiGate, or both FortiGate/EMS to manage FortiClient endpoints, you are ready to provision FortiClient.

Provision FortiClient

This section provides an overview of how to provision FortiClient in managed mode.

To provision FortiClient:

  1. Ensure that you have configured EMS, FortiGate, or both FortiGate/EMS to manage FortiClient endpoints.
  2. Provision FortiClient on endpoint computers with Internet access. See FortiClient Provisioning. You can use one of the following methods:

     - FortiClient EMS with a Microsoft Active Directory server
     - Microsoft Active Directory server

After FortiClient installs, FortiClient Telemetry attempts to connect to FortiGate/EMS. For more information, see FortiClient Telemetry Connection.

After FortiClient Telemetry is connected to FortiGate/EMS, FortiClient downloads a profile from FortiGate/EMS. The computer with FortiClient installed and FortiClient Telemetry connected is now a managed endpoint.

  3. Use one or more of the following methods to monitor managed endpoints:

     - FortiGate
     - FortiClient EMS