Tag Archives: forticlient administration guide

Monitor FortiClient connections

Monitor FortiClient connections

The following FortiOS CLI command lists information about connected clients. This includes domain-related details for the client (if any).

diagnose endpoint record-list Record #1:

IP_Address = 172.172.172.111(1)

MAC_Address = b0:ac:6f:70:e0:a0

Host MAC_Address = b0:ac:6f:70:e0:a0

MAC list = b0-ac-6f-70-e0-a0;

VDOM = root

Registration status: Forticlient installed but not registered

Online status: offline

DHCP on-net status: off-net

DHCP server: None

FCC connection handle: 6

FortiClient version: 5.1.29

AVDB version: 22.137

FortiClient app signature version: 3.0

FortiClient vulnerability scan engine version: 1.258

FortiClient feature version status: 0

FortiClient UID: BE6B76C509DB4CF3A8CB942AED2064A0 (0)

FortiClient config dirty: 1:1:1

FortiClient KA interval dirty: 0

FortiClient Full KA interval dirty: 0

FortiClient server config: d9f86534f03fbed109676ee49f6cfc09:: FortiClient config: 1

FortiClient iOS server mconf:

FortiClient iOS mconf:

FortiClient iOS server ipsec_vpn mconf: FortiClient iOS ipsec_vpn mconf:

Endpoint Profile: Documentation

Reg record pos: 0 Auth_AD_groups:

Auth_group:

Auth_user:

Host_Name:

OS_Version: Microsoft Windows 7 , 64-bit Service Pack 1 (build 7601) Host_Description: AT/AT COMPATIBLE Domain:

Last_Login_User: FortiClient_User_Name Host_Model: Studio 1558 Host_Manufacturer: Dell Inc.

CPU_Model: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz

Memory_Size: 6144

Installed features: 55 Enabled features: 21

online records: 0; offline records: 1

status — none: 0; uninstalled: 0; unregistered: 1; registered: 0; blocked: 0

Roaming clients (multiple redundant gateways)

Configure FortiClient Telemetry connections with AD user groups

Configure FortiClient Telemetry connections with AD user groups

When FortiClient Telemetry connects to FortiGate/EMS, the user’s AD domain name and group are both sent to FortiGate/EMS. Administrators may configure the FortiGate/EMS to deploy endpoint and/or firewall profiles based on the end user’s AD domain group. The following steps are discussed in more details:

l Configure users and groups on AD servers l Configure FortiAuthenticator l Configure FortiGate/EMS l Connect FortiClient Telemetry to FortiGate/EMS l Monitor FortiClient connections

Configure users and groups on AD servers

Create the user accounts and groups on the AD server. Groups may have any number of users. A user may belong to more than one group at the same time.

Configure FortiAuthenticator

Configure FortiAuthenticator to use the AD server that you created. For more information see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

Configure FortiGate/EMS

FortiGate

Add the FortiAuthenticator or Fortinet Single Sign-On Agent (FSSO):

  1. Go to User& Device > Single Sign-On.
  2. Select Create New in the toolbar. The New Single Sign-On Server window opens.
  3. In the type field, select Fortinet Single-Sign-On Agent.

 

Telemetry connections with AD user groups

  1. Enter the information required for the agent. This includes the name, primary and secondary IP addresses, and passwords. Select an LDAP server in the drop-down list if applicable. Select More FSSO agents to add up to three additional agents.
  2. Select OK to save the agent configuration.

Create a user group:

  1. Go to User& Device > UserGroups.
  2. Select Create New in the toolbar. The New UserGroup window opens.
  3. In the type field, select Fortinet Single-Sign-On (FSSO).
  4. Select members from the drop-down list.
  5. Select OK to save the group configuration.

Configure the FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select Create New in the toolbar. The New FortiClient Profile window opens.
  3. Enter a profile name and optional comments.
  4. In the Assign Profile To drop-down list select the FSSO user group(s).
  5. Configure FortiClient configuration as required.
  6. Select OK to save the new FortiClient profile.

Create any number of FortiClient profiles with different groups and different settings. The default profile will be assigned to users who connect successfully, but have no matching FortiClient profile.

Configure the firewall policy:

Configure the firewall policy as described in Configure firewall policies on page 35. Ensure that Compliant with FortiClient Profile is selected in the policy.

EMS

Add a new domain:

  1. Under the Endpoints heading, in the Domains section, select Add a new domain. The Domain Settings window opens.
  2. Enter the domain information as required.
  3. Select Test to confirm functionality, then, if successful, select Save to add the domain.

The domain’s organizational units (OUs) will automatically be populated in the Domains section under the Endpoints heading. For more information, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.

Connect FortiClient Telemetry to FortiGate/EMS

The Microsoft Windows system on which FortiClient is installed should join the domain of the AD server configured earlier. Users may log in with their domain user name.

Configure FortiClient Telemetry connections with AD user groups

Following this, FortiClient endpoint connections will send the logged-in user’s name and domain to the FortiGate/EMS. The FortiGate/EMS will assign the appropriate profiles based on the configurations.

Configure FortiClient profiles

Configure FortiClient profiles

FortiGate includes a default FortiClient profile. You can edit the default profile or create a new profile. FortiClient profiles are used to communicate compliance rules to FortiClient endpoints.

The option to assign the profile to device groups, user groups, and users is available only when you create a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication.

For more information about creating FortiClient profiles by using FortiGate, see the FortiOS Handbook-Security Profiles.

Configure FortiGate

To configure FortiClient profiles:

  1. Go to Security Profiles > FortiClient Profiles. You can edit the default profile or create a new FortiClient profile.
  2. Set the following options:
Profile Name Type a name for the profile.
Comments Type comments about the profile.
Assign Profile To Click to specify which devices, users, and addresses will receive the FortiClient profile. This options is available only when enable multiple security profiles and you create a new profile.
FortiClient endpoint compliance Use the options in this section to specify how to handle FortiClient endpoints that fail to meet the compliance rules.
Non-compliance action Select either Block, Warning, Auto-update. See also Non-compliance action on page 29.
Endpoint Vulnerability Scan on Client You can enable or disable Endpoint Vulnerability Scan on Client. When enabled, FortiClient is required to have Vulnerability Scan enabled. When Non-compliance action is set to Auto-update, you can enable and configure Endpoint Vulnerability Scan on Client by using only FortiGate.
System Compliance You can enable or disable System Compliance. When enabled, a minimum

FortiClient version is required on endpoints.

When Non-compliance action is set to Auto-update, you can enable and configure Minimum FortiClient version by using only FortiGate.

You can also enable logging to FortiAnalyzer, and select what types of logs to send to FortiAnalyzer.

AntiVirus You can enable or disable AntiVirus. When enabled, FortiClient console is required to have Antivirus enabled.

When Non-compliance action is set to Auto-update, you can enable and configure AntiVirus by using only FortiGate.

Web Filter You can enable or disable Web Filter and select a profile. When enabled, FortiClient is required to have Web Filter enabled.

When Non-compliance action is set to Auto-update, you can enable and configure Web Filter by using only FortiGate.

Application Firewall You can enable or disable Application Firewall and select a profile. When enabled, FortiClient is required to have Application Firewall enabled. When Non-compliance action is set to Auto-update, you can enable and configure Application Firewall by using only FortiGate.
  1. Click OK.

Enable a key password for FortiTelemetry connection

You can configure a connection key password for FortiClient Telemetry connection to FortiGate devices. When connecting FortiClient Telemetry to FortiGate, the user must enter the connection key password in FortiClient console before the connection can be completed.

You must use the CLI to enable a key password.

To enable key password:

  1. On your FortiGate device, go to Dashboard > CLI Console, and enter the following CLI command: config endpoint-control settings set forticlient-key-enforce enable set forticlient-reg-key <password>

end

FortiClient users can select to remember the connection key password in the FortiClient console when they connect FortiClient Telemetry.

View connected FortiClient endpoints

You can view all connected FortiClient endpoints in FortiGate GUI. On FortiGate, each new connection is automatically added to the device table.

To view connected devices, go to Monitor > FortiClient Monitor.

Configure FortiClient Telemetry connections with AD user groups

FortiClient profiles

FortiClient profiles

When FortiClient is in managed mode, a profile is used to communicate compliance rules and to configure FortiClient software on endpoints. FortiClient receives the profile after FortiClient Telemetry is connected to FortiGate/EMS. The contents of the profile depend on whether FortiGate or EMS provide the profile.

FortiGate and compliance rules

In FortiGate, a FortiClient profile is used to achieve the following goals:

l Define compliance rules for endpoint access to the network through FortiGate l Define the non-compliance action—that is, how endpoints are handled that fail to comply with compliance rules l (Optional) Define some configuration settings for FortiClient software on endpoints

Compliance rules

FortiGate compliance rules are used to define what configuration FortiClient software must have for the endpoint to maintain access to the network through FortiGate. Following is a sample of the compliance rules that you can define (enable or disable) by using the GUI:

  • Antivirus l Web filter l Application firewall l Vulnerability scan
  • FortiClient software specific version

You can also define additional compliance rules by using the FortiOS CLI.

Non-compliance action

You define how FortiClient endpoints are handled that fail to comply with the compliance rules. You can block, warn, or automatically update FortiClient endpoints. You set the rules by using FortiGate, and both FortiGate and FortiClient enforce the rules.

Both FortiGate and FortiClient enforce compliance rules for FortiClient 5.4.1 and later endpoints. FortiGate enforces compliance for FortiClient 5.4.0 and earlier endpoints, and for all versions of unregistered/unconnected FortiClient endpoints.

Following is a description of how each setting affects FortiClient endpoints:

  • Block

When FortiClient endpoints fail to comply with compliance rules, FortiClient blocks endpoint access to the network. Noncompliance information is displayed in the FortiClient console. The administrator or endpoint user is responsible for reading the noncompliance information and updating FortiClient software on the endpoint to adhere to the compliance rules. In this case, endpoint users can edit settings in the FortiClient console that are not controlled by the compliance rules or EMS.

  • Warn

When FortiClient endpoints fail to comply with compliance rules, FortiClient warns the endpoint users, but allows the endpoint user to access the network. Noncompliance information is displayed in the FortiClient console. The administrator or endpoint user is responsible for reading the noncompliance information and updating FortiClient software on the endpoint to adhere to the compliance rules. In this case, endpoint users can edit settings in the FortiClient console that are not controlled by the compliance rules or EMS. l Auto-update

FortiGate provides the compliance rules and some configuration information for FortiClient software that helps FortiClient and the endpoint remain compliant. However FortiClient endpoints can fail to comply with compliance rules because FortiGate cannot automatically update all aspects of the compliance rules, such as the required version of FortiClient or the operating system on the endpoint. FortiGate displays noncompliance information in the FortiOS GUI. The FortiGate administrator and endpoint user are responsible for reading the noncompliance information and keeping FortiClient endpoints compliant. In this case, most settings in FortiClient console are read-only. However, the endpoint user can edit some settings.

FortiClient configuration

When you use FortiGate to configure a FortiClient profile with a non-compliance setting of auto-update, the FortiClient profile can include configuration information for FortiClient software, which helps the FortiClient endpoint remain compliant with the compliance rules.

You can specify the following configuration information for FortiClient software:

l AntiVirus l Web Filter l Application Firewall l Vulnerability Scan l System Compliance

When the FortiClient endpoint receives the configuration information from FortiGate in the FortiClient profile, the settings in FortiClient console are automatically updated. Most settings in FortiClient console are read-only when FortiGate provides the configuration in a FortiClient profile. However, the endpoint user can change settings in FortiClient console that are not controlled by the FortiClient profile.

For more information about configuring FortiClient profiles by using FortiGate, see the FortiOS Handbook, available in the Fortinet Document Library.

FortiGate and EMS integration

When FortiGate is integrated with EMS, and the non-compliance action in FortiGate is set to block or warn, you can use EMS to assign a profile to endpoints. The profile from EMS is in addition to the compliance rules from FortiGate. When FortiClient receives compliance rules from FortiGate and a profile from EMS, settings in the FortiClient console are locked. Administrators can control the settings by updating the assigned profile in FortiGate/EMS.

CLI only

When using FortiGate to create FortiClient profiles, some settings can be configured only by using the

FortiOS CLI. You must use the CLI to configure the following options in FortiClient profiles provided by FortiGate: l Allowed operating system for FortiClient endpoints l Required third-party applications for FortiClient endpoints l Registry entries for FortiClient endpoints l File in the file system on FortiClient endpoints

Get started

For more information, see the CLI Reference forFortiOS.

EMS and profiles

In FortiClient EMS, a profile is used to install FortiClient on endpoint devices and/or define the configuration for FortiClient software on endpoint devices. The profile consists of the following sections:

  • FortiClient Installer l Antivirus l Web Filtering l Application Firewall
  • VPN
  • Vulnerability Scan l System Settings

When the FortiClient endpoint receives the configuration information in the FortiClient profile, the settings in FortiClient console are automatically updated. Settings in FortiClient console are locked and read-only when EMS provides the configuration in a profile.

For more information about configuring profiles by using FortiClient EMS, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.

Endpoint Control

Endpoint Control

Integration with the new FortiClient EMS

FortiClient Enterprise Management Server (EMS) is a new product from Fortinet for businesses to use to manage their computer endpoints. It runs on a Windows Server, not requiring a physical Fortinet device. Administrators may use it to gain insight into the status of their endpoints. The EMS supports devices running Microsoft Windows, Mac OS X, Android, and iOS.

FortiClient Endpoint Control (EC) protocol has been updated to seamlessly integrate with FortiClient EMS. Various changes were added to support EMS features, including:

l Deployment of FortiClient to new Microsoft Windows devices l Continuous monitoring of device statuses l AV engine and signature update status reports l AV scanning schedules and requests for AV scans l Notifications about protection statuses.

FortiGate Network Access Control when FortiClient is Deployed using EMS

The new EMS can be used to deploy FortiClient to a large number of Microsoft Windows endpoints. While creating a profile for FortiClient deployment, the EMS administrator can choose to configure the FortiClient to register to the same EMS, or to a FortiGate.

Changes in FortiClient 5.4.0 allow the EMS administrator to deploy FortiClient to endpoints, and configure it to register to a FortiGate, while simultaneously notifying the EMS of its registration status. The FortiClient EC registration to the FortiGate is required for Network Access Compliance (NAC). The administrator can configure the FortiGate to allow access to network resources only if the client is compliant with the appropriate interface EC profile.

EMS can only deploy FortiClient to endpoint devices that are running Microsoft Windows. This feature requires FortiOS 5.4.0 or newer.

Quarantine an Infected Endpoint from the FortiGate or EMS

A computer endpoint that is considered to be infected may be quarantined by the FortiGate or EMS administrator. FortiClient needs to be online, using FortiClient EC protocol, and registered to the FortiGate or EMS.

Once quarantined, all network traffic to or from the infected endpoint will be blocked locally. This allows time for remediation actions to be taken on the endpoint, such as scanning and cleaning the infected system, reverting to a known clean system restore point, or re-installing the operating system.

The administrator may un-quarantine the endpoint in the future from the same FortiGate or EMS.

Importing FortiGate CA Certificate after EC Registration

When the FortiGate is configured to use SSL deep inspection, users visiting encrypted websites will usually receive an invalid certificate warning. The certificate signed by the FortiGate does not have a Certificate Authority (CA) at the endpoint to verify it. Users can manually import the FortiGate CA certificate to stop the error from being displayed; however, all users will have to do the same.

When registering FortiClient to a FortiGate, the FortiClient will receive the FortiGate’s CA certificate and install it into the system store. If Firefox is installed on the endpoint, the FortiGate’s CA certificate will also be installed into the Firefox certificate store. This way the end user will no longer receive the invalid certificate error message when visiting encrypted websites.

Enhancement to On-net/Off-net Configuration

The on-net feature requires the use of a FortiGate as a DHCP server. This is usually configured on the same FortiGate that the FortiClient will be registered. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off- net.

There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided.

FortiClient will be on-net if:

l It is registered using EC to the FortiGate, l It belongs to one of the pre-configured on-net subnets, or l It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.

FortiClient GUI

Antivirus Settings Page

With the introduction of botnet detection, and the integration with FortiSandbox with FortiClient (Windows), the AV settings page on the FortiClient GUI has been updated to allow configuration of the new features. The AV settings page is accessible from the FortiClient dashboard. Select the AV tab on the left pane. Then click the settings icon on Real-Time Protection in the right pane. The following may be selected on the AV settings page:

  • File scanning (previously, Real-Time Protection or RTP) l Scan unknown, supported files using FortiSandbox (Windows only) l Malicious website detection
  • Botnet detection (block known communication channels)

FortiClient Banner Design

If FortiClient (full version or VPN only) is running in standalone mode and not registered to a FortiGate or EMS, a single banner at the bottom of the GUI is displayed. When registered to a FortiGate or EMS, the banner is hidden by default. Similarly, when created from a FortiClient Configurator (Windows) or Repackager (OS X), no banner is displayed by default.

Logging

Enhancement to FortiClient logs

FortiClient will create a log entry to show just the URL visited by the user through a web browser. This is in addition to the network level logs generated by FortiClient.

 

What’s New in FortiClient 5.4

What’s New in FortiClient 5.4

The following is a list of new features and enhancements in FortiClient 5.4.

This document was written for FortiClient (Windows) 5.4.1. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.1.

FortiClient 5.4.1

The following is a list of new features in FortiClient version 5.4.1.

Endpoint control

FortiClient Telemetry

FortiClient Telemetry is the new name of the connection between FortiClient and FortiGate/EMS. You no longer register FortiClient endpoints to FortiGate/EMS, but connect FortiClient Telemetry to FortiGate/EMS. See FortiClient Telemetry Connection on page 51.

Endpoint compliance

FortiClient includes a Compliance tab that communicates whether FortiClient is connected to FortiGate or EMS and whether the endpoint is compliant.

When connected to FortiGate, the Compliance tab communicates whether FortiClient and the endpoint device are compliant with the compliance rules defined by FortiGate. Endpoint users can view the Compliance tab to review compliance rules and status. Endpoint users can also view information about steps required to remain compliant with the network access rules. See Compliance on page 54.

Picture of endpoint user

FortiClient can now display a small picture of the endpoint user on the Compliance tab. This feature is available when FortiClient is used with EMS, and the feature is enabled in EMS. When enabled, FortiClient uses the picture defined in the Windows operating system on the endpoint device. FortiClient displays no picture when no picture is found in the Windows operating system.

FortiClient Telemetry can also send the picture to FortiGate and EMS.

FortiGate endpoint control

FortiGate 5.4.1 has changed how it manages FortiClient endpoints. Now FortiGate is used to define the compliance rules for NAC in a FortiClient profile, and FortiClient helps to enforce the rules on endpoints. When you use FortiGate to create a FortiClient profile, you define the compliance rules, and you specify how to handle non-compliant FortiClient endpoints. Non-compliant endpoints can be blocked from network access, warned about non-compliance while maintaining network access, or automatically updated to maintain network access.

See About managed mode on page 25.

Improved installation process for FortiClient (Windows)

An upgrade schedule dialog box is displayed in advance when deploying FortiClient from EMS to endpoints running Windows operating system. If no FortiClient is installed on the endpoint, no reboot is required for the installation, and no upgrade schedule dialog box is displayed. The user can postpone the reboot for a maximum of 24 hours. Before the mandatory reboot occurs, a FortiClient dialog box is displayed with a 15 minute warning.

Vulnerability scan

The Vulnerability scan feature requires specific versions of products. If you are using FortiGate, FortiOS 5.4.1 is required. If you are using FortiClient EMS, version 1.0.1 is required.

Vulnerability scan enhancements

Vulnerability scan feature in FortiClient (Windows) can perform a full scan of the endpoint to find any OS,

Microsoft Office, browser and third-party vulnerabilities. FortiClient can then report the vulnerabilities to FortiAnalyzer and Central Management in FortiGate or FortiClient EMS, depending on whether FortiClient is connected to FortiGate or FortiClient EMS. See Vulnerability Scan on page 92.

Vulnerability auto-patching

FortiClient (Windows) supports automatic patching of vulnerabilities where FortiClient will initiate and apply any updates required to resolve detected vulnerabilities and return endpoints to a secure state. See Vulnerability Scan on page 92.

FortiSandbox support for removable media

Files on removable media can now be sent for on-demand FortiSandbox scanning. You can configure FortiSandbox to scan files on removable media by using FortiClient XML. For more information, see the FortiClient XML Reference.

Configurator tool

You can now use the FortiClient Configurator tool to add a Telemetry Gateway IP List to a custom FortiClient installer. See Custom FortiClient Installations on page 110.

FortiClient 5.4.0

The following is a list of new features in FortiClient version 5.4.0.

Antivirus

Advanced Persistent Threats

FortiClient 5.4.0 has enhanced capabilities for the detection of Advanced Persistent Threats (APT). There are two changes added in this respect:

l Botnet Command and Control Communications Detection l FortiSandbox integration (Windows only)

Botnet Communication Detection

Botnets running on compromised systems usually generate outbound network traffic directed towards Command and Control (C&C) servers of their respective owners. The servers may provide updates for the botnet, or commands on actions to execute locally, or on other accessible, remote systems. When the new botnet feature is enabled, FortiClient monitors and compares network traffic with a list of known Command and Control servers. Any such network traffic will be blocked.

FortiSandbox Integration

FortiSandbox offers the capabilities to analyze new, previously unknown and undetected virus samples in realtime. Files sent to it are scanned first, using similar Antivirus (AV) engine and signatures as are available on the FortiOS and FortiClient. If the file is not detected but is an executable file, it is run (sandboxed) in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

Enhanced Real-Time Protection Implementation

The Real-Time Protection (RTP) or on-access feature in FortiClient uses tight integration with Microsoft Windows to monitor files locally, or over a network file system, as they are being downloaded, saved, run, copied, renamed, opened, or written to. The FortiClient driver coupling with Windows has been re-written to use modern APIs provided by Microsoft. All basic features remain the same, with a few minor differences in behavior. Some noticeable performance enhancements could be observed in various use case scenarios.

Web Filtering

Web Browser Usage and Duration

If configured, FortiClient will record detailed information about the user’s web browser activities, such as:

l A history of websites visited by the user (as shown in regular web browser history) l An estimate of the duration or length of stay on the website.

These logs are sent to FortiAnalyzer, if configured. With FortiAnalyzer 5.4.0 or newer, the FortiClient logs sent from various endpoints may be viewed in FortiView.

VPN

Authorized Machine Detection

For enterprises where new computers may be brought into the organization by employees, FortiClient can be configured to check or identify the computer before allowing it to establish IPsec VPN or SSL VPN connections to the FortiGate. The administrator may configure restrictions with one or more of the following:

l Registry check: Ensure a specific registry path contains a predetermined value l File check: Verify the existence of a specific file at a specified location l Application check: Ensure that a specific application is installed and running

The verification criteria can be configured using advanced FortiClient XML configurations on the FortiGate or FortiClient Enterprise Management Server (EMS).

New SSL VPN Windows driver

The FortiClient SSL VPN driver pppop.sys was re-written to use the latest Microsoft recommended CoNDIS WAN driver model. The new driver is selected when FortiClient is installed on Windows 7 or newer. The SSL VPN driver included in the previous versions of FortiClient will still be maintained.

New IPsec VPN Windows drivers

FortiClient IPsec VPN drivers have been updated to support Microsoft Windows NDIS 6.3 specification. The new drivers are compatible with Microsoft Windows 8.1 or newer.

Support for DTLS

FortiClient SSL VPN connections to FortiGate now support Datagram Transport Layer Security (DTLS) by using User Datagram Protocol (UDP) as the transport protocol. Previously FortiClient SSL VPN connections supported only Transport Control Protocol (TCP). You can now use FortiGate to configure SSL VPN connections that use DTLS. You cannot use FortiClient to configure SSL VPN connections that use DTLS. When FortiClient endpoints use a DTLS-enabled SSL VPN connection with FortiGate, and FortiGate communicates DTLS support, FortiClient uses DTLS via UDP. If DTLS fails, FortiClient will fall back to use TLS to establish an SSL VPN connection.

Installation requirements

Installation requirements

The following table lists operating system support and the minimum system requirements.

Operating System Support Minimum System Requirements
l Microsoft Windows 7 (32-bit and 64-bit) l Microsoft Windows 8 (32-bit and 64-bit) l Microsoft Windows 8.1 (32-bit and 64-bit) l Microsoft Windows 10 (32-bit and 64-bit) l  Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l  Compatible operating system and minimum

512MB RAM

l  600MB free hard disk space l Native Microsoft TCP/IP communication protocol l Native Microsoft PPP dialer for dial-up connections l Ethernet NIC for network connections l Wireless adapter for wireless network connections l Adobe Acrobat Reader for documentation l MSI installer 3.0 or later.

l Microsoft Windows Server 2008 R2 l Microsoft Windows Server 2012 l Microsoft Windows Server 2012 R2 l  Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l  Compatible operating system and minimum

512MB RAM

l  600MB free hard disk space l Native Microsoft TCP/IP communication protocol l Native Microsoft PPP dialer for dial-up connections l Ethernet NIC for network connections l Wireless adapter for wireless network connections l Adobe Acrobat Reader for documentation l MSI installer 3.0 or later.

Firmware images and tools

Operating System Support Minimum System Requirements
l Mac OS X v10.8 Mountain Lion l Mac OS X v10.9 Mavericks l Mac OS X v10.10 Yosemite l Mac OS X v10.11 El Capitan l Apple Mac computer with an Intel processor l 256MB of RAM l 20MB of hard disk drive (HDD) space l TCP/IP communication protocol l Ethernet NIC for network connections l Wireless adapter for wireless network connections

Windows XP (32-bit) is supported when FortiClient software updates are disabled. You can disable FortiClient software updates by using EMS or FortiClient XML. Signature updates remain supported when FortiClient software updates are disabled.

Firmware images and tools

Microsoft Windows

The following files are available in the firmware image file folder:

  • 4.xx.xxxx.exe

Standard installer for Microsoft Windows (32-bit).

  • 4.xx.xxxx.zip
    • zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
  • 4.xx.xxxx_x64.exe

Standard installer for Microsoft Windows (64-bit).

  • 4.xx.xxxx_x64.zip
    • zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
  • 4.xx.xxxx.zip
    • zip package containing miscellaneous tools including the FortiClient Configurator tool and VPN Automation files:

The following tools and files are available in the FortiClientTools_5.4.xx.xxxx.zip file:

  • FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

  • FortiClientVirusCleaner A virus cleaner.
  • OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

  • SSLVPNcmdline

Firmware images and tools

Command line SSL VPN client.

  • SupportUtils

Includes diagnostic, uninstallation, and reinstallation tools. l VPNAutomation

  • VPN automation tool.

When creating a custom FortiClient 5.4 installer by using the FortiClient Configurator tool, you can choose which features to install. You can also select to enable or disable software updates, configure SSO, and rebrand FortiClient.

Mac OS X

The following files are available in the firmware image file folder:

  • 4.x.xxx_macosx.dmg Standard installer or Mac OS X.
  • 4.x.xxx_macosx.tar

FortiClient includes various utility tools and files to help with installations.

The following tools and files are available in the FortiClientTools .tar file:

  • OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

  • FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

  • RebrandingResources

Rebranding resources used by the FortiClient Configurator tool.

When creating a custom FortiClient 5.4.1 installer by using the FortiClient Repackager tool, you can choose to install Everything, VPN Only, or SSO only. You can also select to enable or disable software updates and rebrand

FortiClient.

FortiClient 5.4 cannot use FortiClient version 5.0 licenses. To use FortiClient Configurator, you need to use the FortiClient version 5.4 license file.

 

Fortinet Product Support For FortiClient

Fortinet product support for FortiClient

The following Fortinet products work together to support FortiClient in managed mode:

l FortiClient EMS l FortiManager l FortiGate l FortiAnalyzer l FortiSandbox Fortinet product support for FortiClient

FortiClient EMS

FortiClient EMS runs on a Windows server. EMS deploys FortiClient (Windows) and profiles to endpoints, and the endpoints can connect FortiClient Telemetry to FortiGate or EMS. When FortiClient endpoints are connected to FortiGate or EMS, you can use EMS to monitor FortiClient endpoints in real time.

For information on EMS, see the FortiClient EMS Administration Guide, available in the Fortinet Document

Library.

FortiManager

FortiManager provides central FortiClient management for FortiGate devices that are managed by FortiManager. In FortiManager, you can create one or more FortiClient profiles that you can assign to multiple FortiGate devices. You can also import FortiClient profiles from one FortiGate device and assign the FortiClient profile to other FortiGate devices. When FortiClient endpoints are connected to managed FortiGate devices, you can use FortiManager to monitor FortiClient endpoints from multiple FortiGate devices.

For information on FortiManager, see the FortiManagerAdministration Guide, available in the Fortinet Document Library.

Licensing

FortiGate

FortiGate provides network security. FortiGate devices define compliance rules for NAC (network access control) for connected FortiClient endpoints, and FortiClient communicates the compliance rules to endpoints. FortiGate devices communicate between FortiClient endpoints, EMS, and FortiManager, when FortiManager is used.

For information on FortiGate, see the FortiOS Handbook, available in the Fortinet Document Library.

FortiAnalyzer

FortiAnalyzer can receive logs from FortiClient endpoints that are connected to FortiGate or EMS, and you can use FortiAnalyzer to analyze the logs and run reports. FortiAnalyzer receives logs directly from FortiClient. However, in FortiAnalyzer, you view FortiClient logs under the device to which the FortiClient endpoint is connected. For example, when FortiClient endpoints are connected to FortiGate devices, you must add the FortiGate devices to FortiAnalyzer to view FortiClient logs for the FortiClient endpoints that are connected to FortiGates.

For information on FortiAnalyzer, see the FortiAnalyzerAdministration Guide, available in the Fortinet Document Library.

FortiSandbox

FortiSandbox offers the capabilities to analyze new, previously unknown, and undetected virus samples in realtime. Files sent to it are scanned first, using similar Antivirus (AV) engine and signatures as are available on FortiOS and FortiClient. If the file is not detected but is an executable file, it is run in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files from removable media or the network to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file can be blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

For more information, see the FortiSandbox Administration Guide, available in the Fortinet Document Library.

Licensing

FortiClient managed mode requires a license. In managed mode, FortiClient licensing is applied to FortiGate or EMS.

Installation requirements

FortiClient licenses for FortiGate

FortiGate 30 series and higher models include a FortiClient license for ten (10) free, connected FortiClient endpoints. For additional connected endpoints, you must purchase a FortiClient license subscription. Contact your Fortinet sales representative for information about FortiClient licenses.

FortiClient licenses for EMS

EMS includes a FortiClient license for ten (10) free, connected FortiClient endpoints for evaluation. For additional connected endpoints, you must purchase a FortiClient license subscription. Contact your Fortinet sales representative for information about FortiClient licenses.