Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.

When a FortiClient endpoint is connected to FortiGate/EMS, the Web Security tab becomes the Web Filter tab in the FortiClient console.

Enable/disable Web Security/Web Filter

For FortiClient in standalone mode, you can enable, disable, and configure web security by using the FortiClient console. You can define what sites are allowed, blocked, or monitored, and you can view violations.

For FortiClient in managed mode, an administrator enables, disables, and configures Web Filter by using a FortiClient profile. See FortiClient profiles on page 29.

Enable/disable Web Security

This setting can only be configured when FortiClient is in standalone mode.

To enable or disable Web Security:

  1. On the Web Security tab, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.

The following options are available:

Enable/Disable: Select to enable or disable Web Security.
X Violations (In the Last 7 Days): Select to view Web Security log entries of the violations that have occurred in the last 7 days.
Settings: Select to configure the Web Security profile, exclusion list, and settings, and to view violations.

Enable/disable Web Filter

This setting can only be configured when FortiClient is in managed mode. When FortiClient is connected to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.

A FortiClient profile can include a Web Filter profile from a FortiGate or EMS.

On a FortiGate device, the overall process is as follows:

  • Create a Web Filter profile on the FortiGate.
  • Add the Web Filter profile to the FortiClient Profile on the FortiGate.

On EMS, web filtering is part of the endpoint profile.

Configure Web Security profiles

This setting can only be configured when FortiClient is in standalone mode.

You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories.

To configure web security profiles:

  1. On the Web Filter tab, click the Settings
  2. Click a site category.
  3. Click the Action icon, and select an action in the drop-down menu.

The following actions are available:

Allow: Set the category or sub-category to Allow to allow access.
Block: Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.
Warn: Set the category or sub-category to Warn to block access. The user will receive a Web Page Blocked message in the web browser. The user can select to proceed or go back to the previous web page.
Monitor: Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list.

  4. Click OK.

Edit Web Security exclusion lists

This setting can only be configured when FortiClient is in standalone mode.

You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt.

To manage the exclusion list:

  1. On the Web Security tab, click the Settings
  2. Click the Exclusion List
  3. Click the Add icon to add URLs to the exclusion list.

If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.

  4. Configure the following settings:

Exclusion List: Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection.
URL: Enter a URL or IP address.
Type: Select one of the following pattern types from the drop-down list:

  • Simple
  • Wildcard
  • RegularExpression

Actions: Select one of the following actions from the drop-down list:

  • Block: Block access to the web site regardless of the URL category or sub-category action.
  • Allow: Allow access to the web site regardless of the URL category or sub-category action.
  • Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established.

  5. Click OK.

Configure Web Security settings

This setting can only be configured when FortiClient is in standalone mode.

To configure web security settings:

  1. On the Web Security tab, click the Settings icon
  2. Click the Settings
  3. Configure the following settings:
Enable Site Categories: Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list.
Log all URLs: Select to log all URLs.
Identify user initiated web browsing: Select to identify web browsing that is user initiated.

  4. Click OK.

View violations

This section applies to FortiClient in standalone mode and managed mode.

To view Web Security violations:

  1. On the Web Security tab, click the Settings

Alternately, you can click the X Violations (In the Last 7 Days) link.

  2. Click the Violations

The following information is displayed.

Website: The website name or IP address.
Category: The website sub-category.
Time: The date and time that the website was accessed.
User: The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message.

  3. Click Close.

FortiClient Provisioning

FortiClient can be installed on a standalone computer using the installation wizard or deployed to multiple Microsoft Windows systems by using Microsoft Active Directory (AD).

You can use FortiClient EMS to deploy FortiClient to multiple Microsoft Windows systems. For information, see the FortiClient EMS Administration Guide.

This chapter contains the following sections:

  • Install FortiClient on computers
  • Install FortiClient on infected systems
  • Install FortiClient as part of cloned disk images
  • Deploy FortiClient using Microsoft Active Directory servers

For information on customizing your FortiClient installation, see Custom FortiClient Installations.

Download FortiClient installation files

The FortiClient installation files can be downloaded from the following sites:

Requires a support account with a valid support contract. Download either the Microsoft Windows (32-bit/64-bit) or the Mac OS X installation file.

Download the FortiClient online installation file. The installer file performs a virus and malware scan of the target system prior to installing FortiClient.

Download the FortiClient online installation file. On this page you can download the latest version of FortiClient for Microsoft Windows and Mac OS X, and link to the iOS, and Android versions.

Install FortiClient on computers

The following section describes how to install FortiClient on a computer that is running a Microsoft Windows or Apple Mac operating system.

Microsoft Windows computer

The following instructions will guide you through the installation of FortiClient on a Microsoft Windows computer. For more information, see the FortiClient (Windows) Release Notes.

When installing FortiClient, it is recommended to use the FortiClientOnlineInstaller file. This file will launch the FortiClient Virus Cleaner which will scan the target system prior to installing the FortiClient application.

To check the digital signature of FortiClient, right-click on the installation file and select Properties. In this menu you can set file attributes, run the compatibility troubleshooter, view the digital signature and certificate, install the certificate, set file permissions, and view file details.

To install FortiClient (Windows):

  1. Double-click the FortiClient executable file. The Setup Wizard

When using the FortiClient Online Installer file, the FortiClient Virus Cleaner will run before launching the Setup Wizard.

If a virus is found that prevents the infected system from downloading the new FortiClient package, see Install FortiClient on infected systems on page 47.

  2. In the Welcome screen, read the license agreement, select the Yes, I have read and accept the license checkbox, and select Next to continue. The Choose Setup Type screen is displayed.

You can read the license agreement by clicking the License Agreement button. You have the option to print the EULA in this License Agreement screen.

  3. Select one of the following setup types:

  • Complete: All Endpoint Security and VPN components will be installed.
  • VPN Only: Only VPN components (IPsec and SSL) will be installed.

  4. Select Next to continue. The Destination Folder screen is displayed.
  5. Select Change to choose an alternate folder destination for installation.
  6. Select Next to continue.

FortiClient will search the target system for other installed antivirus software. If found, FortiClient will display the Conflicting Antivirus Software page. You can either exit the current installation and uninstall the antivirus software, disable the antivirus feature of the conflicting software, or continue with the installation with FortiClient real-time protection disabled.

This dialog box is displayed during a new installation of FortiClient and when upgrading from an older version of FortiClient, which does not have the antivirus feature installed.

It is recommended to uninstall the conflicting antivirus software before installing FortiClient or enabling the antivirus real-time protection feature. Alternatively, you can disable the antivirus feature of the conflicting software.

  7. Select Next to continue.
  8. Select Install to begin the installation.
  9. Select Finish to exit the FortiClient Setup Wizard.

On a new FortiClient installation, you do not need to reboot your system. When upgrading the FortiClient version, you must restart your system for the configuration changes made to FortiClient to take effect. Select Yes to restart your system now, or select No to manually restart later.

FortiClient will update signatures and components from the FortiGuard Distribution Network (FDN).

  10. FortiClient will attempt to connect FortiClient Telemetry to the FortiGate.

If the FortiGate cannot be located on the network, manually connect FortiClient Telemetry. See Connect FortiClient Telemetry manually on page 54.

  11. To launch FortiClient, double-click the desktop shortcut icon.

Microsoft Server

You can install FortiClient on a Microsoft Windows Server 2008 R2, 2012, or 2012 R2 server. You can use the regular FortiClient Windows image for Server installations.

Please refer to the Microsoft knowledge base for caveats on installing antivirus software in a server environment. See the Microsoft Anti-Virus exclusion list: http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

Mac OS X computer

The following instructions will guide you through the installation of FortiClient on a Mac OS X computer. For more information, see the FortiClient (Mac OS X) Release Notes.

To install FortiClient (Mac OS X):

  1. Double-click the FortiClient .dmg installer file to launch the FortiClient installer. The FortiClient Installer will install FortiClient on your computer. Select Continue.
  2. Select the lock icon in the upper right corner to view certificate details.
  3. Read the Software License Agreement and select Continue. You have the option to print or save the Software Agreement in this window. You will be prompted to Agree with the terms of the license agreement.
  4. Select the destination folder for the installation.
  5. Select Install to perform a standard installation on this computer. You can change the install location from this screen.
  6. Depending on your system, you may be prompted to enter your system password.
  7. After the installation completes successfully, select Close to exit the installer.
  8. FortiClient has been saved to the Applications
  9. Double-click the FortiClient icon to launch the application. The application console loads to your desktop. Select the lock icon in the FortiClient console to make changes to the FortiClient configuration.

Install FortiClient on infected systems

The FortiClient installer always runs a quick antivirus scan on the target host system before proceeding with the complete installation. If the system is clean, installation proceeds as usual.

Any virus found during this step is quarantined before installation continues.

In case a virus on an infected system prevents downloading of the new FortiClient package, use the following process:

  • Boot into “safe mode with networking” (which is required for the FortiClient installer to download the latest signature packages from the Fortinet Distribution Network).
  • Run the FortiClient installer.

This scans the entire file system. A log file is generated in the logs sub-directory. If a virus is found, it will be quarantined. When complete, reboot back into normal mode and run the FortiClient installer to complete the installation.

Microsoft Windows will not allow FortiClient installation to complete in safe mode. An error message will be generated. It is necessary to reboot back into normal mode to complete the installation.

Roaming clients (multiple redundant gateways)

The following figure illustrates three corporate FortiGate networks. Each FortiGate can reach each other over a WAN network. FortiClient can only reach one FortiGate at a time. FortiClient may connect directly to the FortiGate or through a NAT device.

If FortiClient connects through a NAT device to the FortiGate, do not enforce endpoint control compliance on the FortiGate.

On each of the three FortiGate devices configure the following:

  • Interface IP addresses
  • FortiClient profile
  • Device identification in the interface
  • FortiClient profile in the applicable firewall policy
  • Endpoint control synchronization

Endpoint control synchronization allows you to synchronize endpoint control for multiple FortiGate devices. To enable endpoint control synchronization via the CLI enter the following commands on your FortiGate:

    config endpoint-control forticlient-registration-sync
        edit 1
            set peer-ip 172.20.52.19
        next
        edit 2
            set peer-ip 172.22.53.29
        next
    end

The IP addresses set for the peer-ip field are the WAN IP addresses for each of the FortiGate devices in the synchronization group.

You need to add the following XML configuration to FortiClient for this synchronization group. Modify the configuration file to add the following:

    <forticlient_configuration>
        <endpoint_control>
            <!-- List of redundant FortiGates, since 5.0.2 -->
            <fortigates>
                <fortigate>
                    <name>Corporate Network</name>
                    <addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>
                </fortigate>
            </fortigates>
        </endpoint_control>
    </forticlient_configuration>

The IP addresses are the internal IP addresses for each of the three FortiGates in the synchronization group. FortiClient can reach any of these IPs, one at a time.

If the three FortiGate devices share the same DNS name, use the following XML configuration:

    <forticlient_configuration>
        <endpoint_control>
            <!-- List of redundant FortiGates, since 5.0.2 -->
            <fortigates>
                <fortigate>
                    <name>Fortinet Americas</name>
                    <addresses>fct_americas.fortinet.com</addresses>
                </fortigate>
            </fortigates>
        </endpoint_control>
    </forticlient_configuration>

The DNS server should return one reachable FortiGate IP address for the domain name used.

You will need to manually add FortiClient to the synchronization group when FortiClient initially connects with the FortiGate. Once added, no further action is required.

On your FortiGate, use the following CLI command to list all connected FortiClient endpoints:

    diagnose endpoint registration list registered-forticlients
    FortiClient #1 (0):
        UID = BE6B76C509DB4CF3A8CB942AED200000
        vdom = root
        status = registered
        registering time = Fri May 2 15:00:07 2014
        registration expiry time = none
        source IP = 172.172.172.111
        source MAC = b0:ac:6f:70:e0:a0
        user = user
        host OS = Microsoft Windows 7 , 64-bit
        restored registration = no
        remote registration = yes
        registration FGT = FGT60C3G11000000
    Total number of licences: 10
    Total number of granted licenses: 1
    Total number of available licences: 9

The remote registration entry indicates whether this specific FortiClient is connected to this FortiGate, or to another FortiGate within the synchronization group.

If any of the FortiGate devices require a password to complete connection, you can use the following XML configuration to provide password information to FortiClient:

    <forticlient_configuration>
        <endpoint_control>
            <!-- List of redundant FortiGates, since 5.0.2 -->
            <fortigates>
                <fortigate>
                    <name>Corporate Network</name>
                    <addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>
                    <registration_password>uNbre@kab1e</registration_password>
                </fortigate>
            </fortigates>
        </endpoint_control>
    </forticlient_configuration>
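
A pre-deployment check for the `<endpoint_control>` fragments shown in this section, added here as an example and not Fortinet code: it parses the XML, splits `<addresses>` on `;`, classifies each entry as an IP literal or DNS name, and reports a `<registration_password>` that sits in the file in clear text. The function names, finding strings and sample values (including the placeholder password) are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout shown above. The password is a placeholder and
# the repeated 10.18.51.9 is deliberate, to exercise the duplicate check.
SAMPLE = """\
<forticlient_configuration>
  <endpoint_control>
    <fortigates>
      <fortigate>
        <name>Corporate Network</name>
        <addresses>10.18.51.9;10.20.52.19;10.22.53.29;10.18.51.9</addresses>
        <registration_password>PLACEHOLDER</registration_password>
      </fortigate>
      <fortigate>
        <name>Fortinet Americas</name>
        <addresses>fct_americas.fortinet.com</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>
"""


def classify(addr):
    """Return 'ip' for an IPv4/IPv6 literal, otherwise 'dns'."""
    try:
        ipaddress.ip_address(addr)
        return "ip"
    except ValueError:
        return "dns"


def audit(xml_text):
    """Return (gateways, findings) for the <fortigates> list in xml_text.

    Only feed this files you exported yourself: ElementTree is not hardened
    against maliciously constructed XML.
    """
    root = ET.fromstring(xml_text)
    gateways, findings = [], []
    for fgt in root.findall("./endpoint_control/fortigates/fortigate"):
        name = (fgt.findtext("name") or "").strip() or "<unnamed>"
        addrs = []
        for item in (fgt.findtext("addresses") or "").split(";"):
            item = item.strip()
            if not item:
                continue
            if item in addrs:
                findings.append(f"{name}: duplicate address {item}")
                continue
            addrs.append(item)
        kinds = [classify(a) for a in addrs]
        if not addrs:
            findings.append(f"{name}: no gateway addresses")
        elif kinds == ["dns"]:
            # The text above notes DNS must return a reachable FortiGate.
            findings.append(f"{name}: single DNS name, failover depends on DNS")
        has_pw = bool((fgt.findtext("registration_password") or "").strip())
        if has_pw:
            # Report presence only; never echo the secret into logs.
            findings.append(f"{name}: registration_password stored in clear text")
        gateways.append({"name": name,
                         "addresses": list(zip(addrs, kinds)),
                         "has_password": has_pw})
    return gateways, findings


if __name__ == "__main__":
    gws, issues = audit(SAMPLE)
    for gw in gws:
        print(gw)
    for issue in issues:
        print("FINDING:", issue)
```
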

 

Monitor FortiClient connections

The following FortiOS CLI command lists information about connected clients. This includes domain-related details for the client (if any).

    diagnose endpoint record-list
    Record #1:
        IP_Address = 172.172.172.111(1)
        MAC_Address = b0:ac:6f:70:e0:a0
        Host MAC_Address = b0:ac:6f:70:e0:a0
        MAC list = b0-ac-6f-70-e0-a0;
        VDOM = root
        Registration status: Forticlient installed but not registered
        Online status: offline
        DHCP on-net status: off-net
        DHCP server: None
        FCC connection handle: 6
        FortiClient version: 5.1.29
        AVDB version: 22.137
        FortiClient app signature version: 3.0
        FortiClient vulnerability scan engine version: 1.258
        FortiClient feature version status: 0
        FortiClient UID: BE6B76C509DB4CF3A8CB942AED2064A0 (0)
        FortiClient config dirty: 1:1:1
        FortiClient KA interval dirty: 0
        FortiClient Full KA interval dirty: 0
        FortiClient server config: d9f86534f03fbed109676ee49f6cfc09:: FortiClient config: 1
        FortiClient iOS server mconf:
        FortiClient iOS mconf:
        FortiClient iOS server ipsec_vpn mconf:
        FortiClient iOS ipsec_vpn mconf:
        Endpoint Profile: Documentation
        Reg record pos: 0
        Auth_AD_groups:
        Auth_group:
        Auth_user:
        Host_Name:
        OS_Version: Microsoft Windows 7 , 64-bit Service Pack 1 (build 7601)
        Host_Description: AT/AT COMPATIBLE
        Domain:
        Last_Login_User: FortiClient_User_Name
        Host_Model: Studio 1558
        Host_Manufacturer: Dell Inc.
        CPU_Model: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz
        Memory_Size: 6144
        Installed features: 55
        Enabled features: 21
    online records: 0; offline records: 1
    status -- none: 0; uninstalled: 0; unregistered: 1; registered: 0; blocked: 0
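
To turn a saved capture of this output into a list of endpoints that need attention, the following added example (not Fortinet code) parses the records, lists clients that are installed but not registered, and compares the parsed online/offline counts with the summary line to detect a truncated capture. It assumes one field per line; the second record and its status strings are constructed for illustration, and the function names are this example's own.

```python
import re

# Constructed sample: record 1 uses values shown above, record 2 is made up.
SAMPLE = """\
Record #1:
IP_Address = 172.172.172.111(1)
MAC_Address = b0:ac:6f:70:e0:a0
VDOM = root
Registration status: Forticlient installed but not registered
Online status: offline
FortiClient version: 5.1.29
FortiClient config dirty: 1:1:1
Endpoint Profile: Documentation
Host_Name:
Last_Login_User: FortiClient_User_Name
Record #2:
IP_Address = 172.172.172.112(1)
MAC_Address = b0:ac:6f:70:e0:a1
VDOM = root
Registration status: Registered
Online status: online
FortiClient version: 5.1.29
online records: 1; offline records: 1
status -- none: 0; uninstalled: 0; unregistered: 1; registered: 1; blocked: 0
"""

RECORD = re.compile(r"^Record #(\d+):\s*$")
# Split on the first '=' or ':' so values such as MAC addresses stay intact.
FIELD = re.compile(r"^([^=:]+?)\s*[=:]\s*(.*)$")
SUMMARY = re.compile(r"^online records:\s*(\d+);\s*offline records:\s*(\d+)")


def parse(text):
    """Return (records, summary); each record is a dict keyed by field name."""
    records, summary, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUMMARY.match(line)
        if m:
            summary = {"online": int(m.group(1)), "offline": int(m.group(2))}
            current = None  # totals follow the last record
            continue
        m = RECORD.match(line)
        if m:
            current = {"record": int(m.group(1))}
            records.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return records, summary


def triage(records, summary=None):
    """Return (record number, IP, reason) tuples for endpoints to follow up."""
    findings = []
    seen = {"online": 0, "offline": 0}
    for rec in records:
        ip = re.match(r"[0-9a-fA-F:.]+", rec.get("IP_Address", ""))
        ip = ip.group(0) if ip else "?"
        status = rec.get("Registration status", "").lower()
        if not status or "not registered" in status:
            findings.append((rec["record"], ip, "not registered"))
        online = rec.get("Online status", "").lower()
        if online in seen:
            seen[online] += 1
    if summary is not None and seen != summary:
        findings.append((0, "-", f"capture incomplete: parsed {seen}, summary {summary}"))
    return findings


if __name__ == "__main__":
    recs, totals = parse(SAMPLE)
    for finding in triage(recs, totals):
        print(finding)
```
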

Configure FortiClient Telemetry connections with AD user groups

When FortiClient Telemetry connects to FortiGate/EMS, the user’s AD domain name and group are both sent to FortiGate/EMS. Administrators may configure the FortiGate/EMS to deploy endpoint and/or firewall profiles based on the end user’s AD domain group. The following steps are described in more detail:

  • Configure users and groups on AD servers
  • Configure FortiAuthenticator
  • Configure FortiGate/EMS
  • Connect FortiClient Telemetry to FortiGate/EMS
  • Monitor FortiClient connections

Configure users and groups on AD servers

Create the user accounts and groups on the AD server. Groups may have any number of users. A user may belong to more than one group at the same time.

Configure FortiAuthenticator

Configure FortiAuthenticator to use the AD server that you created. For more information see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

Configure FortiGate/EMS

FortiGate

Add the FortiAuthenticator or Fortinet Single Sign-On Agent (FSSO):

  1. Go to User & Device > Single Sign-On.
  2. Select Create New in the toolbar. The New Single Sign-On Server window opens.
  3. In the type field, select Fortinet Single-Sign-On Agent.
  4. Enter the information required for the agent. This includes the name, primary and secondary IP addresses, and passwords. Select an LDAP server in the drop-down list if applicable. Select More FSSO agents to add up to three additional agents.
  5. Select OK to save the agent configuration.

Create a user group:

  1. Go to User & Device > User Groups.
  2. Select Create New in the toolbar. The New User Group window opens.
  3. In the type field, select Fortinet Single-Sign-On (FSSO).
  4. Select members from the drop-down list.
  5. Select OK to save the group configuration.

Configure the FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select Create New in the toolbar. The New FortiClient Profile window opens.
  3. Enter a profile name and optional comments.
  4. In the Assign Profile To drop-down list select the FSSO user group(s).
  5. Configure FortiClient configuration as required.
  6. Select OK to save the new FortiClient profile.

Create any number of FortiClient profiles with different groups and different settings. The default profile will be assigned to users who connect successfully, but have no matching FortiClient profile.

Configure the firewall policy:

Configure the firewall policy as described in Configure firewall policies on page 35. Ensure that Compliant with FortiClient Profile is selected in the policy.

EMS

Add a new domain:

  1. Under the Endpoints heading, in the Domains section, select Add a new domain. The Domain Settings window opens.
  2. Enter the domain information as required.
  3. Select Test to confirm functionality, then, if successful, select Save to add the domain.

The domain’s organizational units (OUs) will automatically be populated in the Domains section under the Endpoints heading. For more information, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.

Connect FortiClient Telemetry to FortiGate/EMS

The Microsoft Windows system on which FortiClient is installed should join the domain of the AD server configured earlier. Users may log in with their domain user name.

Following this, FortiClient endpoint connections will send the logged-in user’s name and domain to the FortiGate/EMS. The FortiGate/EMS will assign the appropriate profiles based on the configurations.

Use FortiClient console

This section describes how a FortiClient endpoint user can use the FortiClient console when FortiClient is managed by FortiGate/EMS.

To use the FortiClient console:

  1. View FortiClient Telemetry connection status, last profile update, and the gateway IP list. See Compliance on page 54.

If FortiClient Telemetry is connected to FortiGate, you can also view compliance status and instructions for remaining compliant on the Compliance tab.

  2. View Antivirus threats. See Antivirus on page 65.
  3. View web filter results. See View violations on page 79.
  4. View application firewall results. See Application Firewall on page 81.
  5. Configure and use remote access. See IPsec VPN and SSL VPN on page 83.
  6. View vulnerability scan results. See Vulnerability Scan on page 92.
  7. View notifications. See View notifications on page 63.

Configure FortiGate

This section provides an overview of configuring FortiGate for endpoint control.

Get started

FortiGate endpoint control is configured by completing the following tasks:

  1. Enable the endpoint control feature. See Enable the Endpoint Control feature on page 34.
  2. Enable FortiTelemetry on an interface. See Enable FortiTelemetry on an interface on page 34.
  3. Configure firewall policies. See Configure firewall policies on page 35.
  4. Configure FortiClient profiles. See Configure FortiClient profiles on page 35.

After FortiClient software is installed on endpoints, and the FortiClient endpoints connect FortiTelemetry to FortiGate, FortiClient downloads a FortiClient profile from FortiGate.

Additional configuration options are available, depending on the needs of your network.

Enable the Endpoint Control feature

When using the GUI for configuration, you must enable endpoint control on FortiGate devices to use the device for FortiClient endpoint management.

When using the CLI for configuration, you can skip this step.

To enable the endpoint control feature:

  1. Go to System > Feature Select.
  2. In the Security Features list, enable Endpoint Control.
  3. In the Additional Features list, enable Multiple Security Profiles.
  4. Click Apply.

Enable FortiTelemetry on an interface

You must configure FortiClient communication on a FortiGate interface by specifying an IP address and enabling FortiTelemetry communication.

The IP address for the interface defines the gateway IP address for the FortiGate that FortiClient endpoints will use to connect FortiClient Telemetry to FortiGate.

You can also add any devices that are exempt from requiring FortiClient software to an exemption list for the interface.

To enable FortiTelemetry on an interface:

  1. Go to Network > Interfaces.
  2. Select an interface, and click Edit.
  3. Set the following options:
Address: In the IP/Network Mask, type the gateway IP address.
Restrict Access: Beside Administrative Access, select the FortiTelemetry check box to enable endpoints to send FortiTelemetry to FortiGate.
Networked Devices: Enable Device Detection to allow FortiGate to detect the operating system on connected endpoint devices.
Admission Control: Enable Enforce FortiTelemetry for All FortiClients to require endpoint compliance for all endpoints.
Click the Exempt Sources box, and add the devices that are exempt from requiring FortiClient software with a FortiClient Telemetry connection to the FortiGate, such as Linux PCs. For example, FortiClient software currently does not support the Linux operating system, so you can add this type of device to the Exempt Sources list.
Click the Exempt Destinations/Services box, and add the destinations and services.

  4. Configure the remaining options as required.
  5. Click OK.

Configure firewall policies

You must configure a firewall policy for FortiClient access to the Internet. The firewall policy must include the incoming interface that is defined for FortiTelemetry communication, and the outgoing interfaces that you want FortiClient endpoints to use for accessing the Internet. Otherwise, endpoints will be unable to access the Internet.

To configure firewall policies:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Click Create New in the toolbar. The New Policy window is displayed.
  3. In the Name box, type a name for the firewall policy.
  4. In the Incoming Interface list, select the port defined for FortiTelemetry communication.
  5. In the Outgoing Interface, select the port(s) defined for outgoing traffic from FortiGate.
  6. Configure the remaining options as required.
  7. Click OK.