
Standalone FortiClient

About standalone mode

In standalone mode, FortiClient software is installed to computers or devices that have Internet access and are running a supported operating system. After FortiClient is installed, FortiClient automatically connects to FortiGuard Center (http://www.fortiguard.com) to protect the computer or device.

Get started

In standalone mode, you can configure FortiClient settings by using the FortiClient console. This section provides an overview of provisioning, configuring, and using FortiClient in standalone mode.

Provision and configure

In standalone mode, you can install FortiClient software to computers or devices with Internet access and configure a number of settings.

To provision and configure FortiClient:

  1. Install FortiClient on computers or devices. See FortiClient Provisioning on page 44. FortiClient connects to the Fortinet FortiGuard server to protect the computer.
  2. Configure FortiClient settings. See Settings on page 99.
  3. Configure Antivirus settings. See Antivirus on page 65.
  4. (Optional) Configure remote access. See IPsec VPN and SSL VPN on page 83.

Use FortiClient console

In standalone mode, you can use the following tabs in FortiClient console:

  • Antivirus
  • Web Security
  • Remote Access

The Compliance tab is used only when FortiClient is running in managed mode. See Managed FortiClient on page 25.

To use the FortiClient console:

  1. View Antivirus threats. See View scan results on page 71.
  2. View web security results. See View violations on page 79.
  3. Use remote access. See Add new connections on page 83.
  4. View notifications. See View notifications on page 63.

Managed FortiClient

About managed mode

In managed mode, FortiClient software is installed to computers or devices on your network that have Internet access and are running a supported operating system. The computers or devices are referred to as endpoints or FortiClient endpoints. After FortiClient software is installed on endpoint devices, FortiClient:

  • Automatically connects to FortiGuard Center (http://www.fortiguard.com) to protect the endpoint
  • Automatically attempts to connect FortiClient Telemetry to FortiGate or EMS

The endpoint user confirms the request to complete the FortiClient Telemetry connection to FortiGate/EMS.

You can optionally configure a FortiClient Telemetry connection that requires no confirmation by the endpoint user. See Custom FortiClient Installations on page 110.

After FortiClient Telemetry is connected to FortiGate/EMS, FortiClient downloads a profile from FortiGate/EMS, and the endpoint is managed.

FortiClient Telemetry connection options

FortiClient Telemetry can be connected to EMS or FortiGate. When EMS and FortiGate are integrated, FortiClient Telemetry connects to FortiGate as well as EMS.

FortiGate and EMS are used for the following different purposes. FortiGate is used to ensure that FortiClient endpoints adhere to the compliance rules defined for network access. EMS is used to provision, configure, and monitor FortiClient on endpoints.

FortiClient EMS

In this configuration, FortiClient Telemetry is connected to EMS and sends notifications to EMS, and EMS pushes a profile to FortiClient. The profile contains the configuration information for FortiClient.

After receiving the profile, all settings in the FortiClient console are locked because they are controlled by the profile.

FortiGate

In this configuration, FortiClient Telemetry is connected to FortiGate, and FortiClient downloads a profile from FortiGate.

The profile contains the compliance rules and optionally some configuration information for FortiClient. The compliance rules are used to configure endpoints for Network Access Compliance (NAC) and to specify what happens when endpoints fail to meet compliance rules. Endpoint users can use FortiClient console to view compliance status, compliance rules, and the steps required to remain compliant. See also Non-compliance action on page 29.

After receiving the profile, some settings in the FortiClient console are locked because they are controlled by the compliance rules and configuration information in the profile. However, endpoint users can change settings in FortiClient console that are not controlled by the profile.

FortiGate and EMS integration

In this configuration, FortiClient Telemetry connects to FortiGate for NAC and EMS for configuration information and real-time monitoring. This configuration is sometimes called integrated mode.

When FortiClient Telemetry is connected to FortiGate, a profile is pushed to FortiClient. The contents of the profile depend on the non-compliance action in the profile.

Non-compliance set to auto-update

When you use FortiGate to configure a FortiClient profile that contains compliance rules with a non-compliance setting of auto-update, you can also include some configuration information.

When FortiClient Telemetry connects to FortiGate, FortiClient downloads the profile that contains compliance rules and some configuration information from FortiGate.

After receiving the profile, some settings in the FortiClient console are locked because they are controlled by the compliance rules and configuration information in the profile. However, endpoint users can change settings in FortiClient console that are not controlled by the profile.

Non-compliance action set to block or warn

When you use FortiGate to configure a FortiClient profile that contains compliance rules with a non-compliance action of warn or block, you must either use EMS to provision FortiClient endpoints, or you must manually configure FortiClient endpoints. In this configuration, FortiGate provides only the compliance rules; it does not provision the FortiClient endpoints.

When FortiClient Telemetry connects to FortiGate, FortiClient downloads the compliance rules from FortiGate, and EMS pushes the configuration information to FortiClient.

You should ensure that the configuration pushed from EMS matches the compliance rules set on FortiGate to avoid conflicting settings.

After receiving the compliance rules and profile, all settings in the FortiClient console are locked because they are controlled by the compliance rules and configuration information in the profile.

FortiGate network topologies and FortiClient

This section describes the supported FortiGate network topologies for FortiClient in managed mode. The following topologies are supported:

  1. FortiClient is directly connected to FortiGate; either to a physical port, switch port or WiFi network.
  2. FortiClient is connected to FortiGate, but is behind a router or NAT device.
  3. FortiClient is connected to FortiGate across a VPN connection.

On-net / off-net

The on-net feature requires a FortiGate to be used as a DHCP server. This is usually configured on the same FortiGate to which FortiClient is connected. When the device on which FortiClient is running has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off-net.

On the FortiGate, the DHCP server can be used, or several network subnets can be provided for the on-net feature. FortiClient is on-net if:

  • FortiClient Telemetry is connected to FortiGate,
  • FortiClient's IP address belongs to one of the pre-configured on-net subnets, or
  • The FortiGate provides the DHCP lease that gives the endpoint its on-net property.

Otherwise, FortiClient will be off-net.
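The on-net/off-net decision above is an OR of three conditions, one of which is a subnet membership test. The following is an added example, not FortiClient's own logic; the EndpointState record and its field names are assumptions made here to show how the three conditions combine, with documentation and private address ranges as constructed input.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class EndpointState:
    """Hypothetical snapshot of what FortiClient would know about the endpoint."""
    ip: str                                   # the endpoint's current IP address
    telemetry_connected: bool                 # FortiClient Telemetry connected to FortiGate?
    dhcp_from_fortigate: bool                 # was the address leased by the FortiGate DHCP server?
    on_net_subnets: List[str] = field(default_factory=list)  # pre-configured on-net subnets (CIDR)


def in_on_net_subnet(ip: str, subnets: List[str]) -> bool:
    """True if ip falls inside any of the configured on-net subnets."""
    addr = ipaddress.ip_address(ip)
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def on_net_reason(state: EndpointState) -> Tuple[bool, str]:
    """Apply the three conditions from the guide; the first one that holds decides."""
    if state.telemetry_connected:
        return True, "FortiClient Telemetry is connected to FortiGate"
    if in_on_net_subnet(state.ip, state.on_net_subnets):
        return True, "endpoint IP is inside a pre-configured on-net subnet"
    if state.dhcp_from_fortigate:
        return True, "IP address was leased by the FortiGate DHCP server"
    return False, "none of the on-net conditions hold"


def classify(state: EndpointState) -> str:
    return "on-net" if on_net_reason(state)[0] else "off-net"


if __name__ == "__main__":
    # Constructed sample states: a LAN client, a remote client, and a remote client
    # whose Telemetry connection is up.
    for st in (
        EndpointState("10.10.5.7", False, False, ["10.10.0.0/16"]),
        EndpointState("203.0.113.9", False, False, ["10.10.0.0/16"]),
        EndpointState("203.0.113.9", True, False, []),
    ):
        print(st.ip, classify(st), "-", on_net_reason(st)[1])
```

Note that the subnet test is evaluated against the endpoint's own address, so an endpoint behind a NAT device (topology 2 above) is judged by the address it holds locally, not by the address FortiGate sees.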

What’s New in FortiClient 5.4

The following is a list of new features and enhancements in FortiClient 5.4.

This document was written for FortiClient (Windows) 5.4.1. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.1.

FortiClient 5.4.1

The following is a list of new features in FortiClient version 5.4.1.

Endpoint control

FortiClient Telemetry

FortiClient Telemetry is the new name of the connection between FortiClient and FortiGate/EMS. You no longer register FortiClient endpoints to FortiGate/EMS, but connect FortiClient Telemetry to FortiGate/EMS. See FortiClient Telemetry Connection on page 51.

Endpoint compliance

FortiClient includes a Compliance tab that communicates whether FortiClient is connected to FortiGate or EMS and whether the endpoint is compliant.

When connected to FortiGate, the Compliance tab communicates whether FortiClient and the endpoint device are compliant with the compliance rules defined by FortiGate. Endpoint users can view the Compliance tab to review compliance rules and status. Endpoint users can also view information about steps required to remain compliant with the network access rules. See Compliance on page 54.

Picture of endpoint user

FortiClient can now display a small picture of the endpoint user on the Compliance tab. This feature is available when FortiClient is used with EMS, and the feature is enabled in EMS. When enabled, FortiClient uses the picture defined in the Windows operating system on the endpoint device. FortiClient displays no picture when no picture is found in the Windows operating system.

FortiClient Telemetry can also send the picture to FortiGate and EMS.

FortiGate endpoint control

FortiGate 5.4.1 has changed how it manages FortiClient endpoints. Now FortiGate is used to define the compliance rules for NAC in a FortiClient profile, and FortiClient helps to enforce the rules on endpoints. When you use FortiGate to create a FortiClient profile, you define the compliance rules, and you specify how to handle non-compliant FortiClient endpoints. Non-compliant endpoints can be blocked from network access, warned about non-compliance while maintaining network access, or automatically updated to maintain network access.

See About managed mode on page 25.

Improved installation process for FortiClient (Windows)

An upgrade schedule dialog box is displayed in advance when deploying FortiClient from EMS to endpoints running Windows operating system. If no FortiClient is installed on the endpoint, no reboot is required for the installation, and no upgrade schedule dialog box is displayed. The user can postpone the reboot for a maximum of 24 hours. Before the mandatory reboot occurs, a FortiClient dialog box is displayed with a 15 minute warning.

Vulnerability scan

The Vulnerability scan feature requires specific versions of products. If you are using FortiGate, FortiOS 5.4.1 is required. If you are using FortiClient EMS, version 1.0.1 is required.

Vulnerability scan enhancements

The Vulnerability scan feature in FortiClient (Windows) can perform a full scan of the endpoint to find any OS, Microsoft Office, browser and third-party vulnerabilities. FortiClient can then report the vulnerabilities to FortiAnalyzer and Central Management in FortiGate or FortiClient EMS, depending on whether FortiClient is connected to FortiGate or FortiClient EMS. See Vulnerability Scan on page 92.

Vulnerability auto-patching

FortiClient (Windows) supports automatic patching of vulnerabilities where FortiClient will initiate and apply any updates required to resolve detected vulnerabilities and return endpoints to a secure state. See Vulnerability Scan on page 92.

FortiSandbox support for removable media

Files on removable media can now be sent for on-demand FortiSandbox scanning. You can configure FortiSandbox to scan files on removable media by using FortiClient XML. For more information, see the FortiClient XML Reference.

Configurator tool

You can now use the FortiClient Configurator tool to add a Telemetry Gateway IP List to a custom FortiClient installer. See Custom FortiClient Installations on page 110.

FortiClient 5.4.0

The following is a list of new features in FortiClient version 5.4.0.

Antivirus

Advanced Persistent Threats

FortiClient 5.4.0 has enhanced capabilities for the detection of Advanced Persistent Threats (APT). There are two changes added in this respect:

  • Botnet Command and Control Communications Detection
  • FortiSandbox integration (Windows only)

Botnet Communication Detection

Botnets running on compromised systems usually generate outbound network traffic directed towards Command and Control (C&C) servers of their respective owners. The servers may provide updates for the botnet, or commands on actions to execute locally, or on other accessible, remote systems. When the new botnet feature is enabled, FortiClient monitors and compares network traffic with a list of known Command and Control servers. Any such network traffic will be blocked.
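The detection described above comes down to comparing each outbound connection against a list of known Command and Control servers and blocking on a match. The following is an added illustration of that matching step, not FortiClient's code; its indicator list format and matching internals are not published on this page, so the indicator dictionary, the log-line layout and the sample records (documentation address ranges only) are all constructed here.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample C&C indicator list (RFC 5737 documentation ranges, not real infrastructure).
CC_INDICATORS: Dict[str, List[str]] = {
    "ips": ["198.51.100.23"],
    "networks": ["203.0.113.0/24"],
    "domains": ["c2.example.net"],      # matches the domain itself and any subdomain of it
}

# Constructed sample outbound-connection records: timestamp proto src dst:port [hostname]
SAMPLE_LOG = """\
2016-08-01T10:00:01 tcp 10.0.0.5 198.51.100.23:443
2016-08-01T10:00:02 tcp 10.0.0.5 93.184.216.34:443 www.example.com
2016-08-01T10:00:03 udp 10.0.0.5 203.0.113.77:53
2016-08-01T10:00:04 tcp 10.0.0.5 192.0.2.10:80 update.c2.example.net
2016-08-01T10:00:05 tcp 10.0.0.5 192.0.2.11:80 notc2.example.net
"""


def parse_record(line: str) -> dict:
    """Split one constructed log line into its fields; the hostname column is optional."""
    fields = line.split()
    ts, proto, src, dst_port = fields[:4]
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": src, "dst": dst,
            "port": int(port), "host": fields[4] if len(fields) > 4 else None}


def domain_matches(host: str, bad_domain: str) -> bool:
    """Exact or subdomain match on a label boundary, so 'notc2.example.net'
    does not match the indicator 'c2.example.net'."""
    host = host.lower().rstrip(".")
    return host == bad_domain or host.endswith("." + bad_domain)


def match_indicator(rec: dict, indicators: Dict[str, List[str]]) -> Optional[str]:
    """Return the indicator the connection matched, or None if it matched nothing."""
    dst = ipaddress.ip_address(rec["dst"])
    if rec["dst"] in indicators["ips"]:
        return rec["dst"]
    for cidr in indicators["networks"]:
        if dst in ipaddress.ip_network(cidr, strict=False):
            return cidr
    if rec["host"]:
        for bad in indicators["domains"]:
            if domain_matches(rec["host"], bad):
                return bad
    return None


def evaluate(log_text: str, indicators: Dict[str, List[str]]) -> List[Tuple[str, str, Optional[str]]]:
    """One verdict per connection: (destination, 'block' or 'allow', matched indicator)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        hit = match_indicator(rec, indicators)
        results.append((rec["dst"], "block" if hit else "allow", hit))
    return results


if __name__ == "__main__":
    for dst, verdict, hit in evaluate(SAMPLE_LOG, CC_INDICATORS):
        print(f"{dst:16} {verdict:5} {hit or ''}")
```

The domain test deliberately matches on label boundaries rather than by plain substring, which is the usual source of false positives in this kind of list matching; the IP and network tests are exact.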

FortiSandbox Integration

FortiSandbox offers the capability to analyze new, previously unknown and undetected virus samples in real time. Files sent to it are first scanned using an Antivirus (AV) engine and signatures similar to those available on FortiOS and FortiClient. If the file is not detected but is an executable file, it is run (sandboxed) in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

Enhanced Real-Time Protection Implementation

The Real-Time Protection (RTP) or on-access feature in FortiClient uses tight integration with Microsoft Windows to monitor files locally, or over a network file system, as they are being downloaded, saved, run, copied, renamed, opened, or written to. The FortiClient driver coupling with Windows has been re-written to use modern APIs provided by Microsoft. All basic features remain the same, with a few minor differences in behavior. Some noticeable performance enhancements could be observed in various use case scenarios.

Web Filtering

Web Browser Usage and Duration

If configured, FortiClient will record detailed information about the user’s web browser activities, such as:

  • A history of websites visited by the user (as shown in regular web browser history)
  • An estimate of the duration or length of stay on the website.

These logs are sent to FortiAnalyzer, if configured. With FortiAnalyzer 5.4.0 or newer, the FortiClient logs sent from various endpoints may be viewed in FortiView.

VPN

Authorized Machine Detection

For enterprises where new computers may be brought into the organization by employees, FortiClient can be configured to check or identify the computer before allowing it to establish IPsec VPN or SSL VPN connections to the FortiGate. The administrator may configure restrictions with one or more of the following:

  • Registry check: Ensure a specific registry path contains a predetermined value
  • File check: Verify the existence of a specific file at a specified location
  • Application check: Ensure that a specific application is installed and running

The verification criteria can be configured using advanced FortiClient XML configurations on the FortiGate or FortiClient Enterprise Management Server (EMS).
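The three check types above (registry value, file presence, installed-and-running application) are all evaluated before the VPN connection is allowed. The following is an added example of such an evaluator; it is not FortiClient's implementation and does not use its XML schema. The criterion tuple format, the EndpointSnapshot record and the 'ExampleCorp' policy are hypothetical. On a real Windows host the snapshot would be filled from winreg, the file system and the process list; here it is constructed so the example runs anywhere.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


def norm_path(p: str) -> str:
    """Windows registry keys and file paths are case-insensitive; normalise separators too."""
    return p.replace("/", "\\").lower()


@dataclass
class EndpointSnapshot:
    """Hypothetical view of the endpoint (constructed; not read from a live system)."""
    registry: Dict[str, str] = field(default_factory=dict)      # "HIVE\\key\\value_name" -> data
    files: Set[str] = field(default_factory=set)                # existing file paths
    installed_apps: Set[str] = field(default_factory=set)       # installed product names
    running_processes: Set[str] = field(default_factory=set)    # running executable names

    def __post_init__(self) -> None:
        self.registry = {norm_path(k): v for k, v in self.registry.items()}
        self.files = {norm_path(f) for f in self.files}
        self.installed_apps = {a.lower() for a in self.installed_apps}
        self.running_processes = {p.lower() for p in self.running_processes}


# Hypothetical criterion format: (check type, parameters). Not FortiClient's XML schema.
Criterion = Tuple[str, Dict[str, str]]


def check_registry(snap: EndpointSnapshot, p: Dict[str, str]) -> bool:
    """Registry check: the value at 'path' must hold exactly the predetermined data."""
    return snap.registry.get(norm_path(p["path"])) == p["value"]


def check_file(snap: EndpointSnapshot, p: Dict[str, str]) -> bool:
    """File check: the file must exist at the specified location."""
    return norm_path(p["path"]) in snap.files


def check_application(snap: EndpointSnapshot, p: Dict[str, str]) -> bool:
    """Application check: the product must be installed and its process running."""
    return (p["name"].lower() in snap.installed_apps
            and p["process"].lower() in snap.running_processes)


CHECKS: Dict[str, Callable[[EndpointSnapshot, Dict[str, str]], bool]] = {
    "registry": check_registry,
    "file": check_file,
    "application": check_application,
}


def evaluate(snap: EndpointSnapshot, criteria: List[Criterion]) -> Tuple[bool, List[str]]:
    """Every criterion must pass. Returns (allowed, descriptions of the failed checks)."""
    failures: List[str] = []
    for kind, params in criteria:
        fn = CHECKS.get(kind)
        if fn is None:
            raise ValueError(f"unknown check type: {kind}")   # fail closed on a malformed policy
        if not fn(snap, params):
            failures.append(f"{kind} check failed: {params}")
    return (not failures, failures)


# Constructed sample policy and endpoint (hypothetical vendor 'ExampleCorp').
SAMPLE_CRITERIA: List[Criterion] = [
    ("registry", {"path": r"HKLM\SOFTWARE\ExampleCorp\Asset\Tag", "value": "CORP-12345"}),
    ("file", {"path": r"C:\ProgramData\ExampleCorp\enrolled.flag"}),
    ("application", {"name": "ExampleCorp Endpoint Agent", "process": "ecagent.exe"}),
]

SAMPLE_SNAPSHOT = EndpointSnapshot(
    registry={r"HKLM\Software\ExampleCorp\Asset\Tag": "CORP-12345"},
    files={r"c:\programdata\examplecorp\ENROLLED.flag"},
    installed_apps={"ExampleCorp Endpoint Agent"},
    running_processes={"ECAgent.exe", "explorer.exe"},
)


def vpn_allowed(snap: EndpointSnapshot = SAMPLE_SNAPSHOT,
                criteria: List[Criterion] = SAMPLE_CRITERIA) -> bool:
    return evaluate(snap, criteria)[0]


if __name__ == "__main__":
    ok, failed = evaluate(SAMPLE_SNAPSHOT, SAMPLE_CRITERIA)
    print("VPN allowed" if ok else "VPN denied", failed)
```

Two design points worth carrying over to any real policy: the evaluator fails closed on a check type it does not understand rather than skipping it, and path comparison is case-insensitive because the Windows registry and NTFS are, so a policy written with one capitalisation still matches the endpoint's.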

New SSL VPN Windows driver

The FortiClient SSL VPN driver pppop.sys was re-written to use the latest Microsoft recommended CoNDIS WAN driver model. The new driver is selected when FortiClient is installed on Windows 7 or newer. The SSL VPN driver included in the previous versions of FortiClient will still be maintained.

New IPsec VPN Windows drivers

FortiClient IPsec VPN drivers have been updated to support Microsoft Windows NDIS 6.3 specification. The new drivers are compatible with Microsoft Windows 8.1 or newer.

Support for DTLS

FortiClient SSL VPN connections to FortiGate now support Datagram Transport Layer Security (DTLS) by using User Datagram Protocol (UDP) as the transport protocol. Previously FortiClient SSL VPN connections supported only Transmission Control Protocol (TCP). You can now use FortiGate to configure SSL VPN connections that use DTLS. You cannot use FortiClient to configure SSL VPN connections that use DTLS. When FortiClient endpoints use a DTLS-enabled SSL VPN connection with FortiGate, and FortiGate communicates DTLS support, FortiClient uses DTLS via UDP. If DTLS fails, FortiClient falls back to TLS to establish the SSL VPN connection.

Installation requirements

The following table lists operating system support and the minimum system requirements.

Operating System Support (Microsoft Windows desktop):

  • Microsoft Windows 7 (32-bit and 64-bit)
  • Microsoft Windows 8 (32-bit and 64-bit)
  • Microsoft Windows 8.1 (32-bit and 64-bit)
  • Microsoft Windows 10 (32-bit and 64-bit)

Operating System Support (Microsoft Windows Server):

  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2

Minimum System Requirements (Windows desktop and Windows Server):

  • Microsoft Internet Explorer version 8 or later
  • Microsoft Windows compatible computer with Intel processor or equivalent
  • Compatible operating system and minimum 512MB RAM
  • 600MB free hard disk space
  • Native Microsoft TCP/IP communication protocol
  • Native Microsoft PPP dialer for dial-up connections
  • Ethernet NIC for network connections
  • Wireless adapter for wireless network connections
  • Adobe Acrobat Reader for documentation
  • MSI installer 3.0 or later

Operating System Support (Mac OS X):

  • Mac OS X v10.8 Mountain Lion
  • Mac OS X v10.9 Mavericks
  • Mac OS X v10.10 Yosemite
  • Mac OS X v10.11 El Capitan

Minimum System Requirements (Mac OS X):

  • Apple Mac computer with an Intel processor
  • 256MB of RAM
  • 20MB of hard disk drive (HDD) space
  • TCP/IP communication protocol
  • Ethernet NIC for network connections
  • Wireless adapter for wireless network connections

Windows XP (32-bit) is supported when FortiClient software updates are disabled. You can disable FortiClient software updates by using EMS or FortiClient XML. Signature updates remain supported when FortiClient software updates are disabled.

Firmware images and tools

Microsoft Windows

The following files are available in the firmware image file folder:

  • 4.xx.xxxx.exe
    Standard installer for Microsoft Windows (32-bit).
  • 4.xx.xxxx.zip
    Zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some properties of the MSI package can be customized with the FortiClient Configurator tool.
  • 4.xx.xxxx_x64.exe
    Standard installer for Microsoft Windows (64-bit).
  • 4.xx.xxxx_x64.zip
    Zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some properties of the MSI package can be customized with the FortiClient Configurator tool.
  • 4.xx.xxxx.zip
    Zip package containing miscellaneous tools, including the FortiClient Configurator tool and VPN automation files.

The following tools and files are available in the FortiClientTools_5.4.xx.xxxx.zip file:

  • FortiClientConfigurator
    An installer repackaging tool that is used to create customized installation packages.
  • FortiClientVirusCleaner
    A virus cleaner.
  • OnlineInstaller
    This file downloads and installs the latest FortiClient file from the public FDS.
  • SSLVPNcmdline
    Command line SSL VPN client.
  • SupportUtils
    Includes diagnostic, uninstallation, and reinstallation tools.
  • VPNAutomation
    VPN automation tool.

When creating a custom FortiClient 5.4 installer by using the FortiClient Configurator tool, you can choose which features to install. You can also select to enable or disable software updates, configure SSO, and rebrand FortiClient.

Mac OS X

The following files are available in the firmware image file folder:

  • 4.x.xxx_macosx.dmg
    Standard installer for Mac OS X.
  • 4.x.xxx_macosx.tar
    FortiClient includes various utility tools and files to help with installations.

The following tools and files are available in the FortiClientTools .tar file:

  • OnlineInstaller
    This file downloads and installs the latest FortiClient file from the public FDS.
  • FortiClientConfigurator
    An installer repackaging tool that is used to create customized installation packages.
  • RebrandingResources
    Rebranding resources used by the FortiClient Configurator tool.

When creating a custom FortiClient 5.4.1 installer by using the FortiClient Repackager tool, you can choose to install Everything, VPN Only, or SSO only. You can also select to enable or disable software updates and rebrand FortiClient.

FortiClient 5.4 cannot use FortiClient version 5.0 licenses. To use FortiClient Configurator, you need to use the FortiClient version 5.4 license file.