Tag Archives: forticlient administration guide

FortiClient 5.4.1 Administration Guide

Introduction

FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet’s Advanced Threat Protection (ATP) to end user devices. As the endpoint is the ultimate destination for malware that is seeking credentials, network access, and sensitive information, ensuring that your endpoint security combines strong prevention with detection and mitigation is critical.

Standalone FortiClient (Free) Managed FortiClient (Licensed)
Installation Options l Complete: All Endpoint Security and VPN components will be installed.

l VPN Only: only VPN components (IPsec and

SSL) will be installed.

Installation Options l Complete: All Endpoint Security and VPN components will be installed.

l VPN Only: only VPN components (IPsec and

SSL) will be installed. l Create a custom FortiClient installer using the FortiClient Configurator tool.

Threat Protection l Real-time Antivirus Protection l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware) Threat Protection l Real-time Antivirus Protection l FortiSandbox support l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware) l Cloud-Based Behavior Scanning
Web Content l Web Filtering l YouTube Education Filter Web Content l Web Filtering l YouTube Education Filter

This document was written for FortiClient (Windows) 5.4.1. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.1.

FortiClient modes and features

FortiClient offers two licensing modes: Standalone mode and Managed mode. The standalone mode is free, and the managed mode is licensed. In managed mode, FortiClient is used with FortiGate, FortiClient Enterprise Management Server (EMS), or both FortiGate and EMS.

The following table provides a feature comparison between standalone FortiClient (free version) and managed FortiClient (licensed version).

FortiClient modes and features

Standalone FortiClient (Free) Managed FortiClient (Licensed)
VPN l SSL VPN l IPsec VPN

l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication

VPN l SSL VPN l IPsec VPN

l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication

Logging l VPN, Antivirus, Web Security, and Update

Logging l View logs locally

Logging l VPN, Application Firewall, Antivirus, Web

Filter, Update, and Vulnerability Scan

Logging l View logs locally

  Network Access Compliance l Compliance l Define and enforce enterprise security policies when FortiClient used with FortiGate.
  Application Control l Application Firewall l Block Specific Application Traffic
  Vulnerability Management l Vulnerability Scan l Link to FortiGuard with information on the impact and recommended actions

l Receive remediation instructions for addressing endpoint vulnerabilities, including access to software patches

  Central Management l Centralized Client Management and monitoring

l Centralized configuration provisioning and deployment

  Central Logging l Upload logs to FortiAnalyzer or

FortiManager. FortiClient must connect to FortiGate or EMS to upload logs to FortiAnalyzer or FortiManager.

 

Fortinet product support for FortiClient

Standalone mode

In standalone mode, FortiClient is not connected to a FortiGate or EMS. In this mode, FortiClient is free both for private individuals and commercial businesses to use; no license is required. See Standalone FortiClient on page 24.

Support for FortiClient in standalone mode is provided on the Fortinet Forums (forum.fortinet.com). Phone support is not provided.

Managed mode

Companies with large installations of FortiClient usually need a means to manage their endpoints. EMS can be used to provision and centrally manage FortiClient endpoints, and FortiGate can be used with FortiClient endpoints for network security. Each FortiClient endpoint can register to a FortiGate or an EMS. In this mode, FortiClient licensing is applied to the FortiGate or EMS. No separate license is required on FortiClient itself. See Managed FortiClient on page 25.

FortiClient banner and modes

If FortiClient (full version or VPN only) is running in standalone mode and not connected to a FortiGate or EMS, a single banner at the bottom of the FortiClient console is displayed. When FortiClient is running in managed mode and connected to a FortiGate or EMS, the banner is hidden by default. Similarly, when you create a FortiClient installer by using FortiClient Configurator (Windows) or Repackager (OS X), no banner is displayed by default.

IPsec VPN and SSL VPN

IPsec VPN and SSL VPN

FortiClient supports both IPsec and SSL VPN connections to your network for remote access. You can provision client VPN connections in the FortiClient Profile or configure new connections in the FortiClient console.

This section describes how to configure remote access.

Add a new connection

Select Configure VPN in the FortiClient console to add a new VPN configuration.

Create a new SSL VPN connection

To create a new SSL VPN connection, select Configure VPNor use the drop-down menu in the FortiClient console.

Select SSL-VPN, then configure the following settings:

Connection Name Enter a name for the connection.
Description Enter a description for the connection. (optional)
Remote Gateway Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Customize port Select to change the port. The default port is 443.

Add a new connection

Authentication Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled.
Username If you selected to save login, enter the username in the dialog box.
Client Certificate Select to enable client certificates, then select the certificate from the dropdown list.
Do not Warn Invalid Server

Certificate

Select if you do not want to warned if the server presents an invalid certificate.
Add Select the add icon to add a new connection.
Delete Select a connection and then select the delete icon to delete a connection.
Connection Name Enter a name for the connection.
Description Enter a description for the connection. (optional)

Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.

Create a new IPsec VPN connection

To create a new IPsec VPN connection, select Configure VPN or use the drop-down menu in the FortiClient console.

Select IPsec VPN, then configure the following settings:

Add a new connection

Remote Gateway Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Authentication Method Select either X.509 Certificate or Pre-shared Key in the dropdown menu.
Authentication (XAuth) Select to prompt on login, save login, or disable.
Username If you selected save login, enter the username in the dialog box.
Advanced Settings Configure VPN settings, Phase 1, and Phase 2 settings.
VPN Settings  
Mode Select one of the following:

Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted. Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID).

Options Select one of the following:

Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.

Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.

DHCP overIPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling.

Add a new connection

Phase 1   Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

  IKE Proposal Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
  DH Group Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.
  Key Life Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
  Local ID Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options.
  Dead Peer Detection Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
  NAT Traversal Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Phase 2   Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.
  IKE Proposal Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.

 

Key Life The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.
Enable Replay Detection Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
Enable Perfect

Forward Secrecy

(PFS)

Select the check box to enable Perfect forward secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
DH Group Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses.
Add Select the add icon to add a new connection.
Delete Select a connection and then select the delete icon to delete a connection.

Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.

Provision client VPN connections

You can provision client VPN connections in the FortiClient Profile for registered clients.

FortiGate VPN provisioning

Provision a client VPN in the FortiClient Profile:

  1. Log in to your FortiGate device.
  2. In the left tree menu, select Security Profiles > FortiClient Profiles.
  3. Select the FortiClient profile and select Edit from the toolbar.
  4. Select the VPN

Provision client VPN connections

  1. Turn on VPN and Client VPN Provisioning.
  2. Configure the following:
IPsec VPN Configure remote gateway and authentication settings for IPsec VPN.
SSL-VPN Configure remote gateway and access settings for SSL VPN.
Auto-connect when Off-Net Turn on the automatically connect when Off-Net, then configure the following: l VPN Name: Select a VPN from the list.

Prevent VPN Disconnect: Turn on to not allow users to disconnect when the VPN is connected.

Captive Portal Support: Turn on the enable support for captive portals.

VPN before Windows logon Enable VPN connection before Windows log on.
  1. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

When registered to a FortiGate, VPN settings are enabled and configured in the FortiClient Profile.

Alternatively, you can provision a client VPN using the advanced VPN FortiClient Profile options in FortiGate. For more information, see the FortiClient XML Reference and the CLI Reference forFortiOS.

EMS VPN provisioning

Provision a client VPN in the FortiClient Profile:

  1. Log in to EMS.
  2. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  3. Select the VPN
  4. Select the on/off button to enable VPN.

Provision client VPN connections

  1. Configure the following settings:
Allow Personal VPN Select to enable personal VPN connections
Disable

Connect/Disconnect

Select to disable not allowing users to disconnect when the VPN is connected.
Show VPN Before Logon  Enable VPN connection before Windows log on, and select from the following options:

l Use Legacy VPN Before Logon l Use Windows Credentials

Local Computer Windows

Store Certificates (IPSec only)

Select to enable local Windows store certificates (IPsec only).
Current User Windows Store Certificates (IPSec only) Select to enable current user Windows store certificates (IPsec only).
Auto-connect only when

Off-Net

Turn on the automatically connect only when Off-Net.
Add VPN Tunnel Select to add a VPN tunnel, then enter the following information: l VPN Name: Enter the VPN name.

l  Type: Select the type of VPN tunnel, either SSL VPN or IPsec VPN.

l  Remote Gateway: Enter the remote gateway IP address or hostname.

l  Require Certificate: Turn on to require a certificate (SSL VPN only). l Access Port: Enter the access port number (SSL VPN only).

l  Authentication Method: Select the authentication method, wither Pre-shared Key or Certificate (IPsec VPN only).

l  Pre-Shared Key: Enter the pre-shared key (IPsec VPN with preshared key only).

l  Advanced Configuration:

  1. Select Save to save your changes.

Connect to a VPN

To connect to a VPN, select the VPN connection from the drop-down menu. Enter your username, password, and select the Connect button.

Optionally, you can click on the system tray, right-click the FortiClient icon and select the VPN connection you want to connect to.

You can also select to edit an existing VPN connection and delete an existing VPN connection using the dropdown menu.

When connected, the console will display the connection status, duration, and other relevant information. You can now browse your remote network. Select the Disconnect button when you are ready to terminate the VPN session.

Save Password, Auto Connect, and Always Up

Save Password, Auto Connect, and Always Up

When configuring a FortiClient IPsec or SSL VPN connection on your FortiGate/EMS, you can select to enable the following features:

  • Save Password: Allows the user to save the VPN connection password in the console. l Auto Connect: When FortiClient is launched, the VPN connection will automatically connect.
  • Always Up (Keep Alive): When selected, the VPN connection is always up even when no data is being processed. If the connection fails, keep alive packets sent to the FortiGate will sense when the VPN connection is available and re-connect.

When enabled in the FortiGate configuration, once the FortiClient is connected to the FortiGate, the client will receive these configuration options.

For FortiClient VPN configurations, once these features are enabled they may only be edited from the command line. Use the following FortiOS CLI commands to disable these features:

config vpn ipsec phase1-interface edit [vpn name] set save-password disable set client-auto-negotiate disable set client-keep-alive disable

end

end

FortiToken and FortiClient VPN

You can use FortiToken with FortiClient for two-factor authentication. See the FortiOS Handbook for information on configuring FortiToken, user groups, VPN, and two-factor authentication on your FortiGate device for

 

Advanced features (Microsoft Windows)

FortiClient VPN connections.

Advanced features (Microsoft Windows)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.

Activating VPN before Windows Log on

When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, it is required to also check the check box Users must entera username and password to use this computer in the UserAccounts dialog box.

To make this change, proceed as follows:

In FortiClient:

  1. Create the VPN tunnels of interest or use Endpoint Control to register to a FortiGate/EMS which provides the VPN list of interest
  2. Enable VPN before log on on the FortiClient Settings page, see VPN options on page 108.

On the Microsoft Windows system,

  1. Start an elevated command line prompt.
  2. Enter control passwords2 and press Enter. Alternatively, you can enter netplwiz.
  3. Check the check box for Users must entera username and password to use this computer.
  4. Click OK to save the setting.

Connect VPN before log on (AD environments)

The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on to AD/Domain.

Advanced features (Microsoft Windows)

<forticlient_configuration>

<vpn>

<options>

<show_vpn_before_logon>1</show_vpn_before_logon>

<use_windows_credentials>1</use_windows_credentials> </options>

</vpn>

</forticlient_configuration>

Create a redundant IPsec VPN

To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>

<vpn>

<ipsecvpn>

<options> …

</options>

<connections>

<connection>

<name>psk_90_1</name>

<type>manual</type>

<ike_settings>

<prompt_certificate>0</prompt_certificate>

<server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server> <redundantsortmethod>1</redundantsortmethod> …

</ike_settings>

</connection>

</connections>

</ipsecvpn>

</vpn>

</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod =0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.

Priority based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>

<vpn>

<sslvpn>

<options>

Advanced features (Mac OS X)

<enabled>1</enabled> …

</options>

<connections>

<connection>

<name>ssl_90_1</name>

<server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server> …

</connection>

</connections>

</sslvpn>

</vpn>

</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate/EMS must use the same TCP port.

Advanced features (Mac OS X)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.

Create a redundant IPsec VPN

To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>

<vpn>

<ipsecvpn>

<options> …

</options>

<connections>

<connection>

<name>psk_90_1</name>

<type>manual</type>

<ike_settings>

<prompt_certificate>0</prompt_certificate>

<server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server> <redundantsortmethod>1</redundantsortmethod> …

</ike_settings>

</connection>

</connections>

</ipsecvpn>

</vpn>

</forticlient_configuration>

VPN tunnel & script

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod =0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.

Priority based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>

<vpn>

<sslvpn>

<options>

<enabled>1</enabled> …

</options>

<connections>

<connection>

<name>ssl_90_1</name>

<server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server> …

</connection>

</connections>

</sslvpn>

</vpn>

</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate/EMS must use the same TCP port.

VPN tunnel & script

This feature supports auto running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of a VPN tunnel configuration on FortiGate/EMS’s XML format FortiClient Profile. The profile will be pushed down to FortiClient from FortiGate/EMS. When FortiClient’s VPN tunnel is connected or disconnected, the respective script defined under that tunnel will be executed.

 

tunnel & script

Windows

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>

<script>

<os>windows</os>

<script>

<script>

<![CDATA[ net use x: \\192.168.10.3\ftpshare /user:Ted Mosby md c:\test copy x:\PDF\*.* c:\test ]]>

</script>

</script>

</script>

</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>

<script>

<os>windows</os>

<script>

<script>

<![CDATA[ net use x: /DELETE ]]>

</script>

</script>

</script>

</on_disconnect>

OS X

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>

<script>

<os>mac</os>

<script>

/bin/mkdir /Volumes/installers

/sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt

/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers

/Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt

/bin/mkdir /Users/admin/Desktop/dropbox/dir

/bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.

</script>

</script>

</on_connect>

VPN tunnel & script

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>

<script>

<os>mac</os>

<script>

/sbin/umount /Volumes/installers

/bin/rm -fr /Users/admin/Desktop/dropbox/*

</script>

</script>

</on_disconnect>

Web Security / Web Filter – FortiClient 5.4

Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.

When FortiClient is not registered to FortiGate, you can enable or disable the Web Security feature. You can define what sites are allowed, blocked, or monitored and view violations.

Enable/Disable Web Security

To enable or disable FortiClient Web Security, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.

Enable/Disable Select to enable or disable Web Security.
X Violations (In the Last 7 Days) Select to view Web Security log entries of the violations that have occurred in the last 7 days.
Settings Select to configure the Web Security profile, exclusion list, and settings, and to view violations.

Web Security profile

You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories. Select the settings icon, then select the site category. Select the action icon, then select the action in the drop-down menu for each category or sub-category.

Web Security exclusion list

Allow Set the category or sub-category to Allow to allow access.
Block Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.
Warn Set the category or sub-category to Warn to block access. The user will receive a Web Page Blocked message in the web browser. The user can select to proceed or go back to the previous web page.
Monitor Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list.

Web Security exclusion list

To manage the exclusion list, select the settings icon then select Exclusion List from the menu. You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt. Use the add icon to add URLs to the exclusion list. If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.

Web Security settings

Configure the following settings:

Exclusion List Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection.
URL Enter a URL or IP address.
Type Select one of the following pattern types from the drop-down list:

l Simple l Wildcard l RegularExpression

Actions Select one of the following actions from the drop-down list:

Block: Block access to the web site regardless of the URL category or sub-category action.

Allow: Allow access to the web site regardless of the URL category or sub-category action.

Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established.

Web Security settings

To configure web security settings, select the settings icon then select Settings from the menu.

View violations

Configure the following settings:

Enable Site Categories Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list.
Log all URLs Select to log all URLs.
Identify user initiated web browsing Select to identify web browser that is user initiated.

View violations

To view Web Security violations, either select the settings icon then select Violations from the menu, or select X Violations (In the Last 7 Days).

 

Website The website name or IP address.
Category The website sub-category.
Time The date and time that the website was accessed.
User The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message.

Web Filter

When FortiClient is registered to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.

The FortiClient Endpoint Control feature enables the site administrator to distribute a Web Filter profile from a FortiGate or add web filtering to an endpoint profile on EMS.

On a FortiGate device, the overall process is as follows:

l Create a Web Filter profile on the FortiGate, l Add the Web Filter profile to the FortiClient Profile on the FortiGate.

On EMS, web filtering is part of the endpoint profile.

Filter

FortiGate

Step 1: Create a Web Filter Profile on the FortiGate

Use the following steps to create a custom Web Filter profile on the FortiGate:

  1. Go to Security Profiles > Web Filter.
  2. To create a new profile, click the create new icon in the toolbar. The New Web FilterProfile page opens.
  3. Configure the following settings:

 

Name Enter a name for the Web Filter profile.
Comments Enter a description in the comments field. (optional)
Inspection Mode This setting is not applicable to FortiClient.
FortiGuard Categories Select category and sub-category actions.

l  In FortiClient5.4.0, the Security Risk category is part of the AntiVirus module. The Local Categories category is not applicable to FortiClient. The Authenticate and Disable actions are not applicable to FortiClient.

l  When FortiGuard Categories is disabled, FortiClient will be protected by the Exclusion List configured in the URL in the

FortiClient profile.

Categories Usage Quota This setting is not applicable to FortiClient.
Allow users to override blocked categories This setting is not applicable to FortiClient.
Search Engines  
Enforce ‘Safe Search’ Select to enable search engine Safe Search on Google, Yahoo!, Bing, and Yandex.
YouTube

Education Filter

Select to enable the YouTube educational filter and enter your filter code. The filter blocks non-educational content as per your YouTube filter code.
Log all search keywords This setting is not applicable to FortiClient.
Static URL Filter  
Block invalid

URLs

This setting is not applicable to FortiClient.
URL Filter Select to enable URL filter. Select Create New to add a URL to the list. For Type, select one of Simple, Reg. Expression, or Wildcard. For Action, select one of Exempt, Block, Allow, or Monitor. For Status, select either Enable or Disable.

FortiClient does not support the Exempt action. Any URLs in the URL filter with an exempt action will be added to the FortiClient Exclusion List with an allow action.

Block malicious URLs discovered by FortiSandbox Select to block URLs that have been marked as malicious by FortiSandbox. A FortiSandbox device or cloud must be configured.

Filter

Web Content

Filter

This setting is not applicable to FortiClient.
Rating Options These settings are not applicable to FortiClient.
Proxy Options These settings are not applicable to FortiClient.
  1. Select OK to save the profile.

Step 2: Add the Web Filter profile to the FortiClient Profile

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile then select Edit. The Edit FortiClient Profile page is displayed.
  3. Enable Web Filter, then select the Web Filter profile from the drop-down list.
  4. Optionally, select to enable Client Side when On-Net.
  5. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

The Web Filtering module is now available in FortiClient.

EMS

To add web filtering to an endpoint profile:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Web Filter
  3. Select the on/off button to add web filtering to the profile.
  4. Adjust the web filter settings as required, then select Save to save your changes.

 

Antivirus

Antivirus

This chapter includes the following sections:

l FortiClient Antivirus l Antivirus logging l Antivirus options l Endpoint control

FortiClient Antivirus

FortiClient includes an antivirus module to scan system files, executable files, removable media, dynamic-link library (DLL) files, and drivers. FortiClient will also scan for and remove rootkits. In FortiClient, File Based Malware, Malicious Websites, Phishing, and Spam URL protection is part of the antivirus module. Scanning can also be extended using FortiSandbox.

This section describes how to enable and configure antivirus options.

Enable or disable antivirus

To enable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Disabled. The real-time protection settings page will open.
  2. Select Scan files as they are downloaded orcopied to my system.
  3. Select OK.

If you have another antivirus program installed on your system, FortiClient will show a warning that your system may lock up due to conflicts between different antivirus products.

To disable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Enable. The real-time protection settings page will open.
  2. Deselect Scan files as they are downloaded orcopied to my system.
  3. Select OK.

Conflicting antivirus warning

FortiSandbox

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

This option cannot be configured on a registered endpoint, and must instead be configured on the FortiGate/EMS.

To extend scanning using FortiSandbox:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Extend scanning using FortiSandbox.
  3. Enter the FortiSandbox IP address, then select Test to ensure that the connection is correct.
  4. Optionally, select Identify malware & exploits using signatures received from FortiSandbox.
  5. Select OK to apply your changes.

Blocking access and communication channels

To block access to malicious websites and known communication channels used by attackers:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Block all access to malicious websites and Block known communication channels used by attackers.
  3. Select OK to apply your changes.

Notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the notifications icon will change from gray to yellow.

Event notifications include:

  • Antivirus events including scheduled scans and detected malware. l Endpoint Control events including configuration updates received from FortiGate.
  • WebFilter events including blocked web site access attempts. l System events including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

Scan now

To perform on-demand antivirus scanning, select the Scan Now button in the FortiClient console. Use the dropmenu to select Custom Scan, Full Scan, Quick Scan, or Removable media Scan. The console displays the date of the last scan to the left of the button.

  • Custom Scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.
  • Full Scan runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan including all files, executable files, DLLs, and drivers for threats.
  • Quick System Scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, and drivers that are currently running for threats.
  • Removable media Scan runs the rootkit detection engine to detect and remove rootkits. It scans all connected removable media, such as USB drives.

Scan a file or folder on your workstation

To perform a virus scan a specific file or folder on your workstation, right-click the file or folder and select Scan with FortiClient AntiVirus from the menu.

Submit a file for analysis

You can select to send up to 5 files a day to FortiGuard for analysis. To submit a file, right-click a file or executable and select Submit foranalysis from the menu. A dialog box will be displayed which allows you to see the number of files you have submitted. Confirm the location of the file you want to submit then select the Submit button.

View FortiClient engine and signature versions

To view the current FortiClient version, engine, and signature information, select Help in the toolbar, and select About in the menu. Hover the mouse over the status field to see the date and time that FortiClient last updated the selected item.

When FortiClient is registered to FortiGate for endpoint control, you can select to use a FortiManager device for client software and signature updates. When configuring the FortiClient profile, select Use FortiManagerforclient software/signature updates to enable the feature and enter the IP address of your FortiManager device. You can select to failover to FDN when FortiManager is not available.

Schedule antivirus scanning

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Scheduled Scan tab to schedule antivirus scanning.

Scans cannot be scheduled on registered endpoint.

Configure the following settings:

Schedule Type Select Daily, Weekly, or Monthly from the drop-down list.
Scan On For Weekly scheduled scan, select the day of the week in the drop-down list.

For Monthly scheduled scan, select the day of the month in the drop-down list.

Start Select the time of day that the scan starts. The time format uses a 24-hour clock.
Scan Type Select the scan type:

Quick system scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, drivers that are currently running for threats.

Full system scan runs the rootkit detection engine to detect and remove rootkits. It then performs a full system scan including all files, executable files, DLLs, and drivers for threats.

Custom scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.

You cannot schedule a removable media scan. A full scan will scan removable media.

Disable Scheduled Scan Select to disable scheduled scan.

Select OK to save the setting and return to the main FortiClient console page.

If you configure monthly scans to occur on the 31st of each month, the scan will occur on the first day of the month for those months with less than 31 days.

Add files/folders to an exclusion list

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Exclusion List tab.

To add files/folders to the antivirus exclusion list, select the add icon and then select Add file or Add folder from the drop-down list. Any files or folders in this exclusion list will not be scanned. Select the minus icon to remove files or folders from the list.

Select OK to save the setting and return to the FortiClient console page.

View quarantined threats

To view quarantined threats, select the X Threats Detected link in the FortiClient console, then select the Quarantined Files tab. In this page you can view, restore, or delete the quarantined file. You can also view the original file location, the virus name, submit the suspicious file to FortiGuard, and view logs.

This page displays the following:

File Name The name of the file.
Date Quarantined The date and time that the file was quarantined by FortiClient.
Refresh Select to refresh the quarantined files list.
Details Select a file from the list to view detailed information including the file name, original location, date and time that the virus was quarantined, the submitted status, status, virus name, and quarantined file name.
Logs Select to view FortiClient log data.
Refresh Select to refresh the list.
Submit Select to submit the quarantined file to FortiGuard. Press and hold the control key to submit multiple entries.
Restore Select to restore the quarantined file. A confirmation dialog box will be displayed. You can select Yes to add this file/folder to the exclusion list, No to restore the file, or

Cancel to exit the operation. Press and hold the control key to restore multiple entries.

Delete Select to delete the quarantined file. A confirmation dialog box will be displayed, select Yes to continue. Press and hold the control key to delete multiple entries.
Close Select to close the page and return to the FortiClient console.

View site violations

To view site violations, select the X Threats Detected link in the FortiClient console, then select the Site Violations tab. On this page you can view site violations and submit sites to be re-categorized.

This page displays the following:

Website Displays the name of the website.
Time Displays the date and time of the site violation.
Refresh Select to refresh the site violation list.
Details Select an entry in the list to view site violation details including the website name, category, date and time, user name, and status.

Select the category link to request to have the site category re-evaluated.

View alerts dialog box

When FortiClient antivirus detects a virus while attempting to download a file via a web-browser, you will receive a warning dialog message.

Select View recently detected virus(es) to collapse the virus list. Select a file in the list and right-click to access the context menu.

Delete Select to delete a quarantined or restored file.
Quarantine Select to quarantine a restored file.
Restore Select to restore a quarantined file.
Submit Suspicious File Select to submit a file to FortiGuard as a suspicious file.
Submit as False Positive Select to submit a quarantined file to FortiGuard as a false positive.
Add to Exclusion List Select to add a restored file to the exclusion list. Any files in the exclusion list will not be scanned.
Open File Location Select to open the file location on your workstation.

When Alert when viruses are detected under AntiVirus Options on the Settings page is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.

Realtime Protection events

When an antivirus real-time protection event has occurred you can select to view these events in the FortiClient console. From the AntiVirus tab, select X Threats Detected, then select Real-time Protection events (x) in the left pane. The realtime_scan.log will open in the default viewer.

Example log output:

Realtime scan result: time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com

 

logging

time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com.txt

time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicarcom2.zip

time: 09/29/15 10:46:08, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar_com.zip

time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\3g_bl8y9.com.part

time: 03/18/15 10:48:13, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\xntwh8q1.zip.part

Antivirus logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.

Configure the following settings:

Enable logging for these features Select antivirus to enable logging for this feature.
Log Level Select the level of logging:

Emergency: The system becomes unstable. l Alert: Immediate action is required. l Critical: Functionality is affected. l Error: An error condition exists and functionality could be affected. l Warning: Functionality could be affected. l Notice: Information about normal events.

Information: General information about system operations. l Debug: Debug FortiClient.

Log file  
Export logs Select to export logs to your local hard disk drive (HDD) in .log format.
Clear logs Select to clear all logs. You will be presented a confirmation window, select Yes to proceed.

Antivirus options

For information on configuring antivirus options, see Antivirus options on page 109.

Endpoint control

Endpoint control

When FortiClient is registered to FortiGate/EMS for endpoint control, FortiClient receives configuration and settings via the FortiClient Profile configured on the device.

To enable antivirus protection on FortiGate:

  1. Log in to your FortiGate.
  2. In the left tree menu, select Security Profiles > FortiClient Profiles.
  3. In the right pane, in the Edit FortiClient Profile page, in the Security tab, enable AntiVirus.
  4. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

To enable antivirus protection on EMS:

  1. Log in to the EMS.
  2. Go to Endpoint Profiles and select a profile to edit.
  3. In the right pane, select AntiVirus Protection to enable antivirus protection and configure as needed.
  4. Select Save to save the profile.

The EMS will send the FortiClient Profile configuration update to registered clients.

Antivirus profile settings

FortiGate and EMS share similar settings for antivirus profiles. EMS also includes advanced options.

Endpoint control

After enabling antivirus protection on FortiGate/EMS, the following settings can be configured:

Scan Downloads Scan files as they are downloaded or copied to my system.
Scan with FortiSandbox Extended scanning using FortiSandbox.

FortiClient will send supported files downloaded over the internet to

FortiSandbox if they cannot be detected by the local, real-time scanning

FortiSandbox IP address The IP address of the FortiSandbox device.
Wait for

FortiSandbox results

Wait for FortiSandbox results before allowing file access.
Use FortiSandbox signatures Identify malware & exploits using signatures or URLs received from FortiSandbox.

Endpoint control

Block malicious websites Block all access to malicious websites.

EMS also has the option of using the exclusion list defined in the web filter profile.

Block attack channels Block known communcation channels used by attackers.
Alert when viruses are detected This option is EMS only.
Schedule Scan Schedule automatic scans daily, weekly, or monthly at a specific time of day. Quick, Full, and Custom scans can be run automatically.
Excluded Paths Files or folders that are not scanned.

Advanced options available on EMS only include:

Scan Downloads Files that are scanned as they are downloaded or copied to the system can be treated in one of the following ways:

l Clean infected files (quarantine if cannot clean) l Repair infected files (quarantine if cannot clean) l Warn the user if a process attempts to access infected files l Quarantine infected files l Deny access to infected files

Scan with FortiSandbox If waiting for FortiSandbox results is enabled, access to downloaded files can be denied if FortiSandbox is offline.
Scan compresses files Scan compressed files that are up to a specified size (default: 10Mb).
Scan email Scan email messages and attachments.
User process scanning l Scan files when processes read or write them l Scan files when processes read them l Scan files when processes write them
Scan network files Scan network files.
System process scanning l Scan files when system processes read or write them l Scan files when system processes read them l Scan files when system processes write them l Do not scan files when system processes read or write them

Endpoint control

On demand scanning Configure on-demand file scan options.

l Clean infected files (quarantine if cannot clean) l Repair infected files (quarantine if cannot clean) l Warn the user if a process attempts to access infected files l Quarantine infected files

Integrate FortiClient into Windows Explorer’s mouse menu Add the options to Scan with FortiClient AntiVirus and Submit foranalysis to the Windows Explorer right-click menu.
Pause scanning when running on battery power Pause a scanning process when the computer is running on battery power.
Automatically submit suspicious files to FortiGuard for analysis Submit all files to FortiGuard for analysis.
Scan compresses

files

Scan compressed files that are up to a specified size (default: 10Mb, 0 means unlimited)
Maximize scan speed Select the amount of memory a computer must have before FortiClient maximizes its scan speed. One of: 4MB, 6MB, 8MB, 12MB, 16MB.
More Options Enable or disable various other options, including:

l Scan for rootkits l Scan for adware l Scan for riskware l Enable advanced heuristics l Scan removable media on insertion l Scan mime files (inbox files) l Enable FortiGuard Analytics l Notify logged in users if their AntiVirus signatures expire

 

End Point Management

Endpoint Management

The purpose of this section is to provide basic instructions on how to configure, deploy, and manage FortiClient configurations from your FortiGate device or EMS.

Configure endpoint management

With FortiClient 5.4 and newer, configuration and management of endpoints can be handled by a FortiGate device or FortiClient EMS.

You can configure your FortiGate device or EMS to discover new devices on the network, enforce FortiClient registration, and deploy pre-configured profiles to connected devices. Multiple profiles can be configured.

The FortiClient profile consists of the following sections:

  • Antivirus Protection l Web Category Filtering

You can select the web filtering security profile to associate with the FortiClient profile. You can also select to enable Web Filtering when the client is protected by the FortiGate/EMS (On-Net).

  • VPN

Select to enable client VPN provisioning. You can specify the VPN name, type, gateway and other settings the client will use to connect to your FortiGate device via the VPN connection. Two-factor authentication is configured in the FortiGate VPN configuration.

  • Application Firewall

You can select the application control sensor to associate with the FortiClient profile.

  • Endpoint Vulnerability on Client

You can select to scan daily, weekly or monthly. You can also select to scan the client after registration with your FortiGate device. Vulnerability Scan must be enabled via the CLI in order for it to be displayed in the FortiClient Profile.

  • Upload logs to FortiAnalyzer/FortiManager

You can select to use the same IP address as the FortiGate device or specify a different device IP address. You can specify the frequency of the log upload. FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer/FortiManager.

  • Use FortiManager for client software/signature update

Select to enable this feature and enter the IP address of your FortiManager device. You can select to failover over to the FortiGuard Distribution Network (FDN) when the FortiManager is not available.

  • Dashboard Banner

You can select to display or hide the FortiClient advertisement banner. FortiClient ads are downloaded from the FortiGuard Distribution Servers.

Select if profile details may be displayed before endpoint control registration is completed.

  • Client-based Logging when On-Net

Select to enable client-based logging when protected by the FortiGate/EMS (On-Net).

See the FortiOS Handbook or the FortiClient EMS Administration Guide for more information on configuring your device, .

FortiGate

Configure endpoint management on the FortiGate device:

  1. Enable device management and broadcast discovery messages.
    1. Go to Network > Interfaces, select the applicable interface, then select Edit in the toolbar.
    2. On the Edit Interface page you can select to enable Detect and Identify Devices.
    3. To enable Broadcast Discovery Messages (optional) you must first enable FCT-Access under Administrative Access.
    4. Select OK to save the setting.

Broadcast Discovery Messages is an optional configuration. When enabled, the FortiGate will broadcast messages to your network, allowing client connections to discover the FortiGate for FortiClient registration. Without this feature enabled, the user will enter the IP address or URL of the FortiGate to complete registration.

  1. Configure the following settings:
Administrative Access Select the checkbox for FCT-Access. This option is available for both IPv4 and IPv6 Administrative Access.
Security Mode Select None or Captive Portal. When selecting Captive Portal, users are forwarded to a captive portal where they need to enter their username and password to authenticate with the FortiGate. You can customize the portal message and specify user groups.

This option is available when Addressing mode is set to Manual.

Device Management  
Detect and

Identify Devices

Select to detect and identify devices on the selected interface.
Broadcast

Discovery

Messages

Once enabled, the FortiGate unit broadcasts a discovery message that includes the IP address of the interface and listening port number to the local network. All PCs running FortiClient on that network listen for this discovery message.

This option is available when FCT-Access is enabled.

  1. When configuring FortiClient access on an internal interface, you can select to send users to a captive portal.
Security Mode Select Captive Portal from the drop-down list
Authentication Portal Select either Local or External. When selecting External, you can specify the link path.
User Groups Select user groups from the drop-down list.

FortiClient does not support nested groups in FortiOS.

Exempt List Select an exempt list from the drop-down list.
Customize Portal Messages Enable and select the edit icon to edit the portal replacement message.

Configure the FortiClient profile:

  1. To configure the FortiClient profile, go to Security Profiles > FortiClient Profiles. You can edit the default profile or create a new FortiClient profile.
  2. Configure the following settings:

 

Toolbar Options FortiClient Profile page

Select Create New to create a new FortiClient profile. Select a profile in the list and select Edit to edit the FortiClient Profile. Select a profile in the list and select Delete to delete the

FortiClient Profile.

Edit FortiClient Profile page

Select the create new icon to create a new FortiClient profile. Select the clone icon to create a clone of an existing FortiClient profile. Select the view list icon to view FortiClient profiles and assignment.

Profile Name When editing the default profile, the name cannot be changed. When creating a new FortiClient profile, XSS vulnerability characters are not allowed.

Enter a name for the new FortiClient profile.

Comments Enter a profile description. (optional)
Assign to Profile To: l Device Groups: Select device groups in the drop-down list. Use the add icon to assign multiple device groups to the FortiClient profile, for example Mac and Windows PC. l User Groups: Select user groups in the drop-down list. l Users: Select users in the drop-down list. l Source Address: Select source addresses.

These options are only available when creating a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.

FortiClient does not support nested groups in FortiOS.

On-Net Detection By Address Select addresses from the drop-down list to enable On-Net detection on them.
Security  
AntiVirus Toggle the button on or off to enable or disable this feature.
Web Filter Toggle the button on or off to enable or disable this feature.

When enabled, you can select a web filter profile in the drop-down list. Select the checkbox to disable web category filtering on the client when protected by the FortiGate (On-net).

Application Firewall Toggle the button on or off to enable or disable this feature.

When enabled, you can select an application control sensor in the dropdown list.

VPN Toggle the button on or off to enable or disable this feature.

Select the checkbox for Client VPN Provisioning. When enabled, you can configure multiple IPsec VPN and SSL VPN connections.

Use the add icon to add additional VPN connections. Enter the VPN name, type, remote gateway, and authentication method information.

Select the checkbox to auto connect to a VPN when the client is Off-Net.

Select a VPN from the drop-down list.

Advanced  
Install CA Certificates Select to install CA certificates.
Disable

Unregister

Option

Select to disable the option of unregistering from the FortiGate.
Upload Logs to

FortiAnalyzer

Toggle the button on or off to enable or disable this feature.

When enabled, you can select to use the same FortiAnalyzer/FortiManager used by the FortiGate or select Specify to enter a different device IP address. You can set the schedule to hourly or daily. The FortiClient upload logs to the FortiAnalyzer/FortiManager only when it is able to connect to the device on the specified IP address.

FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer/FortiManager.

When upgrading from FortiOS 5.2 to 5.4, a FortiClient 5.4 license must be applied against the FortiGate for this option to be available in the FortiClient Profile. Optionally, you can enable this setting in the FortiOS CLI.

FortiManager updates Toggle the button on or off to enable or disable this feature.

When enabled, you can specify the IP address of the FortiManager. Select the checkbox to failover to the FortiGuard Distribution Network when the FortiManager is not available.

Dashboard Banner Toggle the button on or off to enable or disable this feature.
Client-based Logging when Toggle the button on or off to enable or disable this feature.
  1. Select Apply to save the FortiClient profile setting.

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference forFortiOS.

For information on configuring firewall policies for Endpoint Management, see the FortiOS Handbook -The Complete Guide forFortiOS.

Configure firewall policies (Optional):

  1. To configure a firewall policy for Endpoint Management, go to Policy & Objects > IPv4 Policy and select Create New in the toolbar. The New Policy window is displayed.
  2. Configure the policy as required. Select the source user(s) and source device types from the drop-down list.
  3. Toggle Compliant with FortiClient Profile to ON. Users will be redirected (via a web browser) to a dedicated portal where they can download the client. Once registered to the FortiGate, the FortiClient profile will be assigned.
  4. Select OK to save the rule.

After the FortiGate configuration has been completed, you can proceed with FortiClient configuration. Configure your Windows PC on the corporate network with the default gateway set to the IP address of the FortiGate.

FortiClient endpoint network topologies

The following FortiClient Profile topologies are supported:

  1. Client is directly connected to FortiGate; either to a physical port, switch port or WiFi SSID.

This topology supports client registration, configuration sync, and FortiClient profile enforcement.

  1. Client is connected to FortiGate, but is behind a router or NAT device. This topology supports client registration and configuration sync.
  2. Client is connected to FortiGate across a VPN connection.

This topology supports client registration, configuration sync, and FortiClient profile enforcement.

Network topologies

Configure FortiClient for endpoint management:

  1. Download and install the FortiClient software.

Open a web browser from your workstation and attempt to open a web page, the web page will be directed to the NAC Download Portal. Follow the instructions in the portal to download and install FortiClient.

To allow users to download FortiClient, you must enable this setting in the SSL VPN Portal on your FortiGate device. To enable this feature, go to VPN > SSL-VPN Portals and select Create New in the toolbar.

To configure NAC download portal endpoint control replacement messages, go to

System > Replacement Message. Select Extended View in the toolbar to display Endpoint Control replacement messages for Android, iOS, Mac, Windows, and other.

  1. Register FortiClient.

After FortiClient completes installation, FortiClient will automatically launch and search for a FortiGate device for registration.

There are four ways that the FortiClient/FortiGate communication is initiated:

l FortiClient will attempt to connect to the default gateway IP address; l FortiClient will attempt endpoint control registration over VPN (if configured on the FortiGate); l FortiClient will attempt to connect to a remembered FortiGate; l FortiClient will attempt to connect to a redundant FortiGate.

FortiClient will search for available FortiGate devices to complete registration. You can include the option to prompt the user to enter the FortiClient registration key password. Select the RegisterEndpoint button in the FortiClient console to retry the search.

If FortiClient is unable to detect a FortiGate device, enter the IP address or URL of the device and select the

Go icon. When FortiClient locates the FortiGate, you will be prompted to confirm the registration. Select the Accept button to complete registration. Upon successful registration, the FortiGate will send the FortiClient profile configuration.

  1. Deploy the FortiClient profile from the FortiGate device.

The FortiGate will deploy the FortiClient profile after registration is complete. This FortiClient profile will permit traffic through the FortiGate. A system tray bubble message will be displayed once update is complete.

The FortiClient console will display that it is successfully registered to the FortiGate. The FortiClient profile is installed on FortiClient.

Deploy the FortiClient profile to clients over a VPN connection:

  1. In the FortiClient console, select the RegisterEndpoint Enter the IP address and port number (if required) of the FortiGate’s internal interface and select the Go icon.
  2. Configure an IPsec VPN connection from FortiClient to the management FortiGate. For more information on configuring IPsec VPN see Create a new IPsec VPN connection on page 87.
  3. Connect to the VPN.
  4. You can now search for the FortiGate gateway. For more information see Register FortiClient.
  5. After registration, the client is able to receive the FortiClient profile.

When creating a new FortiClient VPN (IPsec) or SSL VPN tunnel configuration on your

FortiGate device, you must enable Endpoint Registration. See the IPsec VPN for FortiOS and SSL VPN forFortiOS sections of the FortiOS Handbook for more information.

FortiClient 5.4.0 Administration Guide – Introduction

Introduction

FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet’s Advanced Threat Protection (ATP) to end user devices. As the endpoint is the ultimate destination for malware that is seeking credentials, network access, and sensitive information, ensuring that your endpoint security combines strong prevention with detection and mitigation is critical.

This document provides an overview of FortiClient 5.4.0.

This document was written for FortiClient (Windows) 5.4.0. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.0.

FortiClient features

FortiClient offers two licensing modes: Standalone mode and Managed mode. It can also be integrated with FortiSandbox.

The following table provides a feature comparison between the standalone client (free version) and the managed client (licensed version).

Standalone Client (Free Version) Managed Client (Licensed Version)
Installation Options l Complete: All Endpoint Security and VPN components will be installed.

l  VPN Only: only VPN components (IPsec and

SSL) will be installed.

l  Create a custom FortiClient installer using the FortiClient Configurator tool using the trial mode. In trial mode, all online updates are disabled.

Installation Options l Complete: All Endpoint Security and VPN components will be installed.

l VPN Only: only VPN components (IPsec and

SSL) will be installed. l Create a custom FortiClient installer using the FortiClient Configurator tool.

Threat Protection l Real-time Antivirus Protection l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware) Threat Protection l Real-time Antivirus Protection l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware) l Cloud Based Behavior Scanning
Web Content l Web Filtering l YouTube Education Filter Web Content l Web Filtering l YouTube Education Filter

FortiClient features

Standalone Client (Free Version) Managed Client (Licensed Version)
VPN l SSL VPN l IPsec VPN

l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication

VPN l SSL VPN l IPsec VPN

l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication

Logging l VPN, Antivirus, Web Security, and Update

Logging l View logs locally

Logging l VPN, Application Firewall, Antivirus, Web

Filter, Update, and Vulnerability Scan

Logging l View logs locally

  Application Control l Application Firewall l Block Specific Application Traffic
  Vulnerability Management l Vulnerability Scan l Link to FortiGuard with information on the impact and recommended actions
  Central Management l Centralized Client Management and monitoring

l Centralized configuration provisioning and deployment l Enforcement of enterprise security policies.

  Central Logging l Upload logs to a FortiAnalyzer or

FortiManager. FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer or FortiManager.

Standalone mode

In standalone mode, FortiClient is not registered to a FortiGate or Enterprise Management Server (EMS). In this mode, FortiClient is free both for private individuals and commercial businesses to use; no license is required. All features and functions are activated.

 

FortiClient features

Managed mode

Companies with large installations of FortiClient usually need a method to manage their endpoints. This is accomplished by registering each FortiClient to a FortiGate or an Enterprise Management Server (EMS). In this mode, FortiClient licensing is applied to the FortiGate or EMS. No separate license is required on FortiClient itself.

FortiSandbox

FortiSandbox offers the capabilities to analyze new, previously unknown and undetected virus samples in realtime. Files sent to it are scanned first, using similar Antivirus (AV) engine and signatures as are available on the FortiOS and FortiClient. If the file is not detected but is an executable file, it is run in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file can be blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

For more information, see the FortiSandbox Administration Guide, available in the Fortinet Document Library.

On-Net / Off-Net

The on-net feature requires the use of a FortiGate as a DHCP server. This is usually configured on the same FortiGate that the FortiClient will be registered. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off- net.

There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided. FortiClient will be on-net if:

l It is registered using EC to the FortiGate, l It belongs to one of the pre-configured on-net subnets, or l It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.

Licensing

Licensing

Licensing on the FortiGate is based on the number of registered clients. FortiGate 30 series and higher models support ten (10) free managed FortiClient licenses. For additional managed clients, a FortiClient license subscription must be purchased. The maximum number of managed clients varies per device model.

The VPN on-net, off-net feature in Endpoint Control will be activated only when the FortiGate, to which FortiClient is registered, is running FortiOS 5.2 or 5.4 with a FortiClient 5.2 or 5.4 license.

FortiGate Client limits

The following table shows client limits per FortiGate model series.

FortiGate Series Free Registrations FortiClient License Upgrade
FortiGate/FortiWiFi 30 to 90 series 10 1 year FortiClient license subscription for up to 200 clients
FortiGate 100 to 300 series 10 1 year FortiClient license subscription for up to 600 clients
FortiGate 500 to 800 series, FortiGate

VM01, FortiGate VM02

10 1 year FortiClient license subscription for up to 2000 clients
FortiGate 1000 series, FortiGate VM04 10 1 year FortiClient license subscription for up to 8000 clients
FortiGate 3000 to 5000 series,

FortiGate VM08

10 1 year FortiClient license subscription for up to 20 000 clients

Installation information

EMS client limits

A newly installed EMS offers 20 000 trial client licenses over a period of 60 days from the day of installation. After the trail period lapses, the number of client licenses will be 10, same as for a new FortiGate to which no FortiClient license has been applied.

A license may be applied to the EMS at any time during or after the trial period. Licenses are available in multiples of 100 seats, with a minimum of 100 seats.

Installation information

The following table lists operating system support and the minimum system requirements.

Operating System Support Minimum System Requirements
l Microsoft Windows XP (32-bit) l Microsoft Windows 7 (32-bit and 64-bit) l Microsoft Windows 8 (32-bit and 64-bit) l Microsoft Windows 8.1 (32-bit and 64-bit) l Microsoft Windows 10 (32-bit and 64-bit) l  Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l  Compatible operating system and minimum

512MB RAM

l  600MB free hard disk space l Native Microsoft TCP/IP communication protocol l Native Microsoft PPP dialer for dial-up connections l Ethernet NIC for network connections l Wireless adapter for wireless network connections l Adobe Acrobat Reader for documentation l MSI installer 3.0 or later.

l Microsoft Windows Server 2008 R2 l Microsoft Windows Server 2012 l Microsoft Windows Server 2012 R2 l  Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l  Compatible operating system and minimum

512MB RAM

l  600MB free hard disk space l Native Microsoft TCP/IP communication protocol l Native Microsoft PPP dialer for dial-up connections l Ethernet NIC for network connections l Wireless adapter for wireless network connections l Adobe Acrobat Reader for documentation l MSI installer 3.0 or later.

Firmware images and tools

Operating System Support Minimum System Requirements
l Mac OS X v10.8 Mountain Lion l Mac OS X v10.9 Mavericks l Mac OS X v10.10 Yosemite l Mac OS X v10.11 El Capitan l Apple Mac computer with an Intel processor l 256MB of RAM l 20MB of hard disk drive (HDD) space l TCP/IP communication protocol l Ethernet NIC for network connections l Wireless adapter for wireless network connections

Firmware images and tools

Microsoft Windows

The following files are available in the firmware image file folder:

  • 4.xx.xxxx.exe

Standard installer for Microsoft Windows (32-bit).

  • 4.xx.xxxx.zip
    • zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
  • 4.xx.xxxx_x64.exe

Standard installer for Microsoft Windows (64-bit).

  • 4.xx.xxxx_x64.zip
    • zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
  • 4.xx.xxxx.zip
    • zip package containing miscellaneous tools including the FortiClient Configurator tool and VPN Automation files:
  • OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

  • FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

  • FortiClientVirusCleaner A virus cleaner.
  • SSLVPNcmdline

Command line SSL VPN client.

  • SupportUtils

Includes diagnostic, uninstallation, and reinstallation tools.

Language support

  • VPNAutomation

A VPN automation tool.

When creating a custom FortiClient 5.4 installer using the FortiClient Configurator tool, you can choose which features to install. You can also select to enable or disable software updates, configure SSO, and rebrand FortiClient

Mac OS X

The following files are available in the firmware image file folder:

  • 4.x.xxx_macosx.dmg Standard installer or Mac OS X.
  • 4.x.xxx_macosx.tar

FortiClient includes various utility tools and files to help with installations. The following tools and files are available in the FortiClientTools .tar file:

  • OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

  • FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

  • RebrandingResources

Rebranding resources used by the FortiClient Configurator tool.

When creating a custom FortiClient 5.4.0 installer using the FortiClient Repackager tool, you can choose to install Everything, VPN Only, or SSO only. You can also select to enable or disable software updates and rebrand

FortiClient.

FortiClient 5.4 cannot use FortiClient version 5.0 licenses. To use FortiClient Configurator, you need to use the FortiClient version 5.4 license file.

Language support

The following table lists FortiClient language support information.

Language Graphical User Interface XML Configuration Documentation
English (United States) ü ü ü
Chinese (Simplified) ü
Chinese (Traditional) ü

Language support

Language Graphical User Interface XML Configuration Documentation
French (France) ü
German ü
Japanese ü
Korean ü
Portuguese (Brazil) ü
Spanish (Spain) ü