
Appendix A – Deployment Scenarios

Basic FortiClient profile

In this scenario, you want to configure a FortiClient profile by using the FortiGate GUI. When clients connect FortiClient Telemetry to FortiGate, they will receive the settings configured in the FortiClient profile. You can configure the default profile, or create a new profile. When creating a new profile, you have additional options to specify device groups, user groups, and users.

Create a basic FortiClient profile:

  1. In the FortiGate GUI, go to Security Profiles > FortiClient Profiles. You can either select the default FortiClient profile or select Create New in the toolbar. The Edit Endpoint Profile page opens.

The default FortiClient profile does not include the Assign Profile To setting.

  2. Set the profile settings as required, and click OK.

Advanced FortiClient profile

In this scenario, you have created a custom XML configuration file. The custom file includes all settings required by the client at the time of deployment. When FortiClient connects Telemetry to FortiGate or EMS, you want to ensure that the client receives the full XML configuration. For future configuration changes, you can edit the XML in the profile by using EMS.

To reduce the size of the FortiClient XML configuration file, you can delete all help text found within the <!-- ... --> comment tags.

Create an advanced FortiClient profile with the full XML configuration provisioned:

  1. In EMS, go to Endpoint Profiles > Add a new profile.
  2. Select Advanced.
  3. (Optional) On the Install tab, select a FortiClient installer.
  4. On the Configuration tab, overwrite the XML by pasting the XML from your custom XML configuration file into the pane:
    1. Open the FortiClient XML configuration file in a source code editor.
    2. Copy the FortiClient XML.
    3. Paste the FortiClient XML into the Configuration tab.
  5. Click Save.

 


Use Active Directory Groups

Some organizations may choose to deploy different FortiClient profiles to different user groups. FortiGate and EMS are able to send different FortiClient profiles based on the AD group of the user. This requires use of the FortiAuthenticator.

No special configuration is required on FortiClient.

Monitor connected users

Administrators can monitor managed FortiClient users. When the client successfully connects FortiClient Telemetry to the FortiGate/EMS, the client can be monitored on the FortiGate/EMS.

In the FortiGate GUI, all connected clients can be observed on the Monitor> FortiClient Monitor page.

Either of the following FortiGate CLI commands will list all connected clients:

  • diagnose endpoint registration list
  • diagnose endpoint record-list

In the EMS, connected clients can be observed on the Workgroups page.

Customize FortiClient using XML settings

FortiClient configurations can be customized at the XML level. For more information, see the FortiClient XML Reference.


Silent connection

You may want to configure FortiClient to silently connect to FortiGate without any user interaction. When configured, the user will not be prompted to connect to a FortiGate. The <silent_registration> tag is intended to be used together with the <disable_unregister> tag. For more information, see Disable disconnect on page 124. The following XML elements can be used to enable this:

<forticlient_configuration>
  <endpoint_control>
    <silent_registration>1</silent_registration>
  </endpoint_control>
</forticlient_configuration>

Locked FortiClient settings

End users with administrator permission on their Windows system have access to the FortiClient settings page. If this is not desired, it can be locked with a password from the FortiGate. When the following FortiOS CLI settings are included, any client connected to the FortiGate must provide the password before it can access the settings page.

config endpoint-control profile
    edit "fmgr"
        config forticlient-winmac-settings
            ...
            set forticlient-settings-lock disable
            set forticlient-settings-lock-passwd <password>
            ...
        end
    next
end

Disable disconnect

With silent endpoint control connection enabled, a user could disconnect after FortiClient has connected to the FortiGate. The capability to disconnect can be disabled using the following XML element:

<forticlient_configuration>
  <endpoint_control>
    <disable_unregister>1</disable_unregister>
  </endpoint_control>
</forticlient_configuration>

Put it together

Here is a sample complete FortiClient 5.4.1 XML configuration file with the capabilities discussed above:

<forticlient_configuration>
  <partial_configuration>1</partial_configuration>
  <endpoint_control>
    <enabled>1</enabled>
    <disable_unregister>1</disable_unregister>
    <silent_registration>1</silent_registration>
    <fortigates>
      <fortigate>
        <serial_number />
        <name />
        <registration_password>un9r3Ak@b!e</registration_password>
        <addresses>newyork.example.com</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>

The FortiGate that is connected to is listed in the <fortigates> element. The <registration_password> element is required if the endpoint control configuration on the FortiOS requires one. This can be exported as an encrypted file from a connected FortiClient.

The configuration provided above is not the full FortiClient configuration file. Thus, the <partial_configuration> element is set to 1.
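As an added example (not from the FortiClient guide or Fortinet), the following Python script parses a fragment like the one above, strips the help-text comments the guide suggests removing, and checks the relationships this section describes: silent registration paired with disable_unregister, partial_configuration set when only endpoint control is present, an address for every FortiGate entry, and no cleartext registration password left in a file meant for distribution. The sample XML, hostname and password are constructed placeholders.

```python
"""Pre-provisioning check for a FortiClient endpoint-control XML fragment.

Added example (not Fortinet code).  It strips <!-- ... --> help text and
checks the settings relationships described in the deployment scenarios.
The sample XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: mirrors the structure of the "Put it together" file,
# with a placeholder password and hostname.
SAMPLE_XML = """<forticlient_configuration>
  <!-- help text: set partial_configuration to 1 when this is not a full config -->
  <partial_configuration>1</partial_configuration>
  <endpoint_control>
    <enabled>1</enabled>
    <disable_unregister>1</disable_unregister>
    <silent_registration>1</silent_registration>
    <fortigates>
      <fortigate>
        <serial_number />
        <name />
        <registration_password>placeholder-password</registration_password>
        <addresses>fortigate.example.com</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>
"""


def strip_help_comments(xml_text: str) -> str:
    """Return the XML without <!-- ... --> comments.

    ElementTree's default parser discards comments, so parsing and
    re-serialising is enough; element content and order are preserved.
    """
    root = ET.fromstring(xml_text)
    return ET.tostring(root, encoding="unicode")


def _is_set(parent: ET.Element, tag: str) -> bool:
    """True when <tag>1</tag> is present directly under parent."""
    return (parent.findtext(tag) or "").strip() == "1"


def validate(xml_text: str) -> list:
    """Return a list of findings (an empty list means the fragment is consistent)."""
    root = ET.fromstring(xml_text)
    if root.tag != "forticlient_configuration":
        return ["root element must be <forticlient_configuration>"]
    ec = root.find("endpoint_control")
    if ec is None:
        return ["missing <endpoint_control>"]

    findings = []
    # The guide pairs silent_registration with disable_unregister: a silent
    # connect that the user can undo leaves the endpoint unmanaged.
    if _is_set(ec, "silent_registration") and not _is_set(ec, "disable_unregister"):
        findings.append("silent_registration=1 without disable_unregister=1")

    # A file carrying only endpoint_control is not a full configuration and
    # must say so, or it would be applied as one.
    top_level = [child.tag for child in root if child.tag != "partial_configuration"]
    if top_level == ["endpoint_control"] and not _is_set(root, "partial_configuration"):
        findings.append("only <endpoint_control> present but partial_configuration is not 1")

    for index, fgt in enumerate(ec.findall("fortigates/fortigate")):
        if not (fgt.findtext("addresses") or "").strip():
            findings.append(f"fortigate[{index}] has no <addresses>")
        if (fgt.findtext("registration_password") or "").strip():
            # The guide notes the password can be exported encrypted from a
            # connected client; a cleartext copy should not be distributed.
            findings.append(f"fortigate[{index}] contains a cleartext registration_password")
    return findings


if __name__ == "__main__":
    print(strip_help_comments(SAMPLE_XML))
    for finding in validate(SAMPLE_XML):
        print("finding:", finding)
```

Run it against the XML you intend to paste into the EMS Configuration tab; the sample itself produces one finding, the cleartext password, which is the point of exporting the encrypted file from a connected client instead.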

 

Settings

This section describes the available options on the File > Settings page for FortiClient in standalone mode.

In managed mode, options on the Settings page are configured in the FortiClient profile by using FortiGate/EMS.

Backup or restore full configuration

To back up or restore the full configuration file, select File > Settings from the toolbar. Expand the System section, then select Backup or Restore as needed. Restore is only available when operating in standalone mode.

When performing a backup, you can select the file destination, password requirements, and add comments as needed.

Signature updates

This setting can only be configured when FortiClient is in standalone mode.

To configure updates, select File > Settings from the toolbar, then expand the System section.

Select to either automatically download and install updates when they are available on the FortiGuard Distribution Servers, or to send an alert when updates are available.

In managed mode, you can select to use a FortiManager device for signature updates. When configuring the endpoint profile in EMS, select Use FortiManager for client software/signature updates to enable the feature and enter the IP address of your FortiManager device.

To configure FortiClient to use FortiManager for signature updates (EMS):

  1. On EMS, select an endpoint profile, then go to the System Settings
  2. Toggle the Use FortiManager for client software/signature update option to ON.
  3. Specify the IP address or hostname of the FortiManager device.
  4. Select Failover to FDN when FortiManager is not available to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
  5. Select Save to save the settings.

Logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.


VPN: VPN logging is available in standalone mode, or in managed mode when FortiClient is connected to FortiGate/EMS.
Application Firewall: Application Firewall logging is available in managed mode when FortiClient is connected to FortiGate/EMS.
AntiVirus: Antivirus activity logging is available in standalone mode, or in managed mode when FortiClient is connected to FortiGate/EMS.
Web Security/Web Filter: Web Security logging is available in standalone mode. Web Filter logging is available in managed mode.
Update: Update logging is available in standalone mode, or in managed mode when FortiClient is connected to FortiGate/EMS.
Vulnerability Scan: Vulnerability Scan logging is available in managed mode when FortiClient is connected to FortiGate/EMS.
Log Level: This setting can be configured in standalone mode. When FortiClient is connected to FortiGate, this setting is set by the XML configuration (if configured).
Log File: The option to export the log file (.log) is available in standalone mode, or in managed mode when FortiClient is connected to FortiGate/EMS. The option to clear logs is only available in standalone mode.

The following table lists the logging levels and their descriptions:

Logging Level: Description
Emergency: The system becomes unstable.
Alert: Immediate action is required.
Critical: Functionality is affected.
Error: An error condition exists and functionality could be affected.
Warning: Functionality could be affected.
Notice: Information about normal events.
Information: General information about system operations.
Debug: Debug FortiClient.

It is recommended to use the debug logging level only when needed. Do not leave the debug logging level permanently enabled in a production environment to avoid unnecessarily consuming disk space.

Sending logs to FortiAnalyzer or FortiManager

To configure FortiClient to send logs to FortiAnalyzer or FortiManager, you require the following:

  • FortiClient 5.2.0 or later
  • A FortiGate device running FortiOS 5.2.0 or later, or EMS 1.0 or later
  • A FortiAnalyzer or FortiManager device running 5.0.7 or later

The connected FortiClient device can send traffic logs, vulnerability scan logs, and event logs to the log device on port 514 TCP.

Enable logging on the FortiGate device:

  1. On your FortiGate device, select Log & Report > Log Settings. The Log Settings window opens.
  2. Enable Send Logs to FortiAnalyzer/FortiManager.
  3. Enter the IP address of your log device in the IP Address field. You can select Test Connectivity to ensure your FortiGate is able to communicate with the log device on this IP address.
  4. Select Apply to save the setting.

Enable logging in the FortiGate FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page opens.
  3. Enable Upload Logs to FortiAnalyzer.
  4. Select either Same as System to send the logs to the FortiAnalyzer or FortiManager configured in the Log Settings, or Specify to enter a different IP address.
  5. In the Schedule field, select to upload logs Hourly or Daily.
  6. Select Apply to save the settings.

Once the FortiClient Profile change is synchronized with the client, you will start receiving logs from connected clients on your FortiAnalyzer/FortiManager system.

Alternatively, you can configure logging in the command line interface. Go to System > Dashboard > Status. In the CLI Console widget, enter the following CLI commands:

config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-upload-server <IP address>
            set forticlient-log-upload-schedule {hourly | daily}
            set forticlient-log-ssl-upload {enable | disable}
            set client-log-when-on-net {enable | disable}
        end
    next
end

Enable logging in the EMS endpoint profile:

  1. On EMS, select an endpoint profile, then go to the System Settings
  2. Enable Upload Logs to FortiAnalyzer/FortiManager.
  3. Enable the type of logs to upload. Choose from traffic, vulnerability, and event.
  4. Enter the IP address or hostname, schedule upload (in minutes), and log generation timeout (in seconds).
  5. Select Save to save the settings.

VPN options

To configure VPN options, select File > Settings from the toolbar and expand the VPN section. Select Enable VPN before logon to enable VPN before log on.

This setting can only be configured when in standalone mode.

Certificate management

To configure VPN certificates, select File > Settings from the toolbar and expand the Certificate Management section. Select Use local certificate uploads (IPsec only) to configure IPsec VPN to use local certificates and import certificates to FortiClient.

This setting can only be configured when in standalone mode.

Antivirus options

To configure antivirus options, select File > Settings from the toolbar and expand the Antivirus Options section.


These settings can be configured only when FortiClient is in standalone mode.

Configure the following settings:

Grayware Options: Grayware is an umbrella term applied to a wide range of malicious applications such as spyware, adware and key loggers that are often secretly installed on a user’s computer to track and/or report certain information back to an external source without the user’s permission or knowledge.
Adware: Select to enable adware detection and quarantine during the antivirus scan.
Riskware: Select to enable riskware detection and quarantine during the antivirus scan.
Scan removable media on insertion: Select to scan removable media when it is inserted.
Alert when viruses are detected: Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. When Alert when viruses are detected under AntiVirus Options is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.
Pause background scanning on battery power: Select to pause background scanning when your computer is operating on battery power.
Enable FortiGuard Analytics: Select to automatically send suspicious files to the FortiGuard Network for analysis.

When connected to FortiGate/EMS, you can enable or disable FortiClient Antivirus Protection in the FortiClient profile.

Advanced options

To configure advanced options, select File > Settings from the toolbar and expand the Advance section.

These settings can be configured only when FortiClient is in standalone mode. When a FortiClient endpoint is connected to FortiGate/EMS, these settings are set by the XML configuration (if configured).


Configure the following settings:

Enable WAN Optimization: Select to enable WAN Optimization. You should enable this only if you have a FortiGate device and your FortiGate is configured for WAN Optimization. This setting can be configured in standalone mode.
Maximum Disk Cache Size: Select to configure the maximum disk cache size. The default value is 512MB.
Enable Single Sign-On mobility agent: Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device. This setting can be configured in standalone mode.
Server address: Enter the FortiAuthenticator IP address.
Customize port: Enter the port number. The default port is 8001.
Pre-shared Key: Enter the pre-shared key. The pre-shared key should match the key configured on your FortiAuthenticator device.
Disable proxy (troubleshooting only): Select to disable the proxy when troubleshooting FortiClient. This setting can be configured in standalone mode.
Default tab: Select the default tab to be displayed when opening FortiClient. This setting can be configured in standalone mode.

Single Sign-On mobility agent

The FortiClient Single Sign-On (SSO) Mobility Agent is a client that updates FortiAuthenticator with user logon and network information.

FortiClient/FortiAuthenticator protocol

The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator, which replies with an acknowledgment packet.

FortiClient/FortiAuthenticator communication requires the following:

  • The IP address should be unique in the entire network.
  • The FortiAuthenticator should be accessible from clients in all locations.
  • The FortiAuthenticator should be accessible by all FortiGates.

FortiClient Single Sign-On Mobility Agent requires a FortiAuthenticator running 2.0.0 or later, or v3.0.0 or later. Enter the FortiAuthenticator (server) IP address, port number, and the pre-shared key configured on the FortiAuthenticator.

Enable Single Sign-On mobility agent on FortiClient:

  1. Select File in the toolbar and select Settings in the drop-down menu.
  2. Select Advanced to view the drop-down menu.
  3. Select Enable Single Sign-On mobility agent.
  4. Enter the FortiAuthenticator server address and the pre-shared key.

This setting can be configured when in standalone mode. When connected to FortiGate, this setting is set by the XML configuration (if configured).

Enable FortiClient SSO mobility agent service on the FortiAuthenticator:

  1. Select Fortinet SSO Methods > SSO > General. The Edit SSO Configuration page opens.
  2. Select Enable FortiClient SSO Mobility Agent Service and enter a TCP port value for the listening port.
  3. Select Enable authentication and enter a secret key or password.
  4. Select OK to save the setting.

Enable FortiClient FSSO services on the interface:

  1. Select System > Network > Interfaces. Select the interface and select Edit from the toolbar. The Edit Network Interface window opens.
  2. Select the checkbox to enable FortiClient FSSO.
  3. Select OK to save the setting.


To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

For information on purchasing a FortiClient license for FortiAuthenticator, please contact your authorized Fortinet reseller.

Configuration lock

To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked, configuration changes are restricted and FortiClient cannot be shut down or uninstalled.

When the configuration is locked you can perform the following actions:

  • Compliance
    • Connect and disconnect FortiClient for Endpoint Control
  • Antivirus
    • Complete an antivirus scan, view threats found, and view logs
    • Select Update Now to update signatures
  • Web Security
    • View violations
  • Application Firewall
    • View applications blocked
  • Remote Access
    • Configure, edit, or delete an IPsec VPN or SSL VPN connection
    • Connect to a VPN connection
  • Vulnerability Scan
    • Complete a vulnerability scan of the system
    • View vulnerabilities found
  • Settings
    • Export FortiClient logs
    • Back up the FortiClient configuration

To perform configuration changes, or to shut down FortiClient, select the lock icon and enter the password used to lock the configuration.

FortiTray

When FortiClient is running on your system, you can select the FortiTray icon in the Windows system tray to perform various actions. The FortiTray icon is available in the system tray even when the FortiClient console is closed.

  • Default menu options:
    • Open FortiClient console
    • Shut down FortiClient
  • Dynamic menu options, depending on configuration:
    • Connect to a configured IPsec VPN or SSL VPN connection
    • Display the antivirus scan window (if a scheduled scan is currently running)
    • Display the Vulnerability Scan window (if a vulnerability scan is running)

If you hover the mouse cursor over the FortiTray icon, you will receive various notifications including the version, antivirus signature, and antivirus engine.

Connecting to VPN connections

To connect to a VPN connection from FortiTray, go to the Windows system tray and right-click the FortiTray icon. Select the connection you wish to connect to, enter your username and password in the authentication window, then select OK to connect.

 

Vulnerability Scan

FortiClient includes a Vulnerability Scan module to check endpoint workstations for known system vulnerabilities. The vulnerability scan results can include:

  • List of vulnerabilities for Microsoft operating systems, third-party software, and Microsoft software detected on the endpoint device
  • Links to more information
  • Links to Microsoft bulletin reports
  • Software patches that can be installed to resolve or close detected vulnerabilities

You can scan on-demand. The scan results display a summary of vulnerabilities found in the system with links to more details, including links to the FortiGuard Center (FortiGuard.com) for more information. Links to remediation patches might also be included.

Whether and how remediation patches are applied to endpoints depends on the settings in the FortiClient profile that is assigned to the endpoint. Patches can be automatically applied to the FortiClient endpoint to enforce network compliance, or you can manually apply patches. FortiClient checks vulnerabilities for the following software:

  • Microsoft Security Update
  • Firefox
  • Firefox ESR
  • Google Chrome
  • Java JDK
  • Java JRE
  • Adobe Flash Player

For the latest list of supported software, see the FortiGuard Center (FortiGuard.com) .

Enable vulnerability scan

The administrator enables and configures the vulnerability scan feature in a FortiClient profile by using FortiGate/EMS.

Enable vulnerability scan in FortiClient profiles (EMS)

In EMS 1.0.1 and later, the vulnerability scan feature is visible by default in the FortiClient profile. The EMS administrator may choose to enable this feature in the FortiClient profile. The EMS administrator can also schedule vulnerability scans and configure remediation patches to be automatically installed on endpoints. For more information, see the FortiClient EMS Administration Guide.

 


Enable vulnerability scan in FortiClient profiles (FortiGate)

In FortiGate 5.4.1 and later, the vulnerability scan feature is visible by default in the FortiClient profile. The FortiGate administrator may choose to enable this feature in the FortiClient profile.

Scan now

To scan now:

  1. In the FortiClient console, click the Vulnerability Scan tab.
  2. Click Scan Now. FortiClient scans your workstation for known vulnerabilities.

When the scan is complete, FortiClient displays a summary of vulnerabilities found on the system.

View scan results

Vulnerability scan results are organized into the following categories:

  • Critical vulnerabilities
  • Vulnerabilities detected

You can use the vulnerability scan results to learn more about vulnerabilities on your computer and to learn what actions you can take to address the vulnerabilities.

When remediation patches are available for software that is running on the managed endpoint, the vulnerability scan results might include the option to install software patches that address the identified vulnerability. See Install remediation patches on page 97.


To view scan results:

  1. In the FortiClient console, click the Vulnerability Scan tab.
  2. Beside Vulnerabilities Detected, click the <number> link.

A summary of vulnerabilities detected on your system is displayed.

  3. Click the tabs, such as OS, Browser, and so on, to view all vulnerabilities.
  4. On each tab, click Critical Vulnerabilities, High Vulnerabilities, Medium Vulnerabilities, and Low Vulnerabilities to view the vulnerabilities in each category for each tab.
  5. When available, click the Details icon to view details about the vulnerability.

You can scroll to the bottom of the window to click links to more information about CVE IDs and vendor information.

  6. Click OK to return to the previous screen, and click Close to return to the Vulnerability Scan tab. For information on installing patches, see Install remediation patches on page 97.

View details of scan results

To view details of scan results:

  1. In the FortiClient console, click the Vulnerability Scan tab.
  2. Under Vulnerabilities Detected, click Critical, High, Medium, or Low when the results are greater than 0.

A summary of vulnerabilities detected on your system is displayed. Click the tabs, such as OS, Browser, and so on, to view all vulnerabilities.

  3. Click the Details icon for more information.

You can scroll to the bottom of the window to click links to more information about CVE (common vulnerabilities and exposures) IDs and vendor information.

  4. Click OK to return to the previous screen, and click Close to return to the Vulnerability Scan tab.

Install remediation patches

When remediation patches are available for software that is running on the managed endpoint, the vulnerability scan results might include the option to install software patches that address the identified vulnerability.

Access to software patches is controlled by the FortiClient profile configuration. Depending on the FortiClient profile settings, the patches might be installed for you, or you might be able to choose what patches to install. In some cases, you must install the software patches to maintain network access. For example, if compliance is configured to block network access for non-compliant endpoints, software patches must be installed to maintain network access.

To install remediation patches:

  1. In the FortiClient console, click the Vulnerability Scan tab.
  2. Beside Vulnerabilities Detected, click the <number> link to review information about vulnerabilities before installing patches.

Alternately, you can click Fix Now to install all remediation patches.

  3. Select the check box for each patch that you want to install.

Click the tabs, such as OS, Browser, and so on, to view all vulnerabilities. On each tab, click Critical Vulnerabilities, High Vulnerabilities, Medium Vulnerabilities, and Low Vulnerabilities to view the vulnerabilities in each category for each tab.

You may be unable to choose which patches to install, depending on your FortiClient configuration.

  4. Click the Install Selected button to install the selected patches.

FortiClient installs the patches. You may need to reboot the endpoint device to complete installation.

 

IPsec VPN and SSL VPN

FortiClient supports both IPsec and SSL VPN connections to your network for remote access. Administrators can provision client VPN connections to FortiGate in profiles from EMS, and you can configure new connections in FortiClient console.

Add new connections

You can add new SSL VPN connections and IPsec VPN connections.

Connection Name: Enter a name for the connection.
Description: Enter a description for the connection. (optional)

Create SSL VPN connections

To create SSL VPN connections:

  1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
  2. Select SSL-VPN, then configure the following settings:

 


Remote Gateway: Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Customize port: Select to change the port. The default port is 443.
Authentication: Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled.
Username: If you selected to save login, enter the username in the dialog box.
Client Certificate: Select to enable client certificates, then select the certificate from the dropdown list.
Do not Warn Invalid Server Certificate: Select if you do not want to be warned when the server presents an invalid certificate.
Add: Select the add icon to add a new connection.
Delete: Select a connection and then select the delete icon to delete a connection.

  3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.

Create IPsec VPN connections

To create IPsec VPN connections:

  1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
  2. Select IPsec VPN, then configure the following settings:
Connection Name: Enter a name for the connection.
Description: Enter a description for the connection. (optional)


Remote Gateway: Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Authentication Method: Select either X.509 Certificate or Pre-shared Key in the dropdown menu.
Authentication (XAuth): Select to prompt on login, save login, or disable.
Username: If you selected save login, enter the username in the dialog box.
Advanced Settings: Configure VPN settings, Phase 1, and Phase 2 settings.

VPN Settings

Mode: Select one of the following:

  Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

  Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.

  Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID).

Options: Select one of the following:

  Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.

  Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.

  DHCP over IPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling.

Phase 1: Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required. You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

  IKE Proposal: Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
  DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.
  Key Life: Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
  Local ID: Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options.
  Dead Peer Detection: Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
  NAT Traversal: Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Phase 2: Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer.

  IKE Proposal: Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
  Key Life: The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.
  Enable Replay Detection: Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
  Enable Perfect Forward Secrecy (PFS): Select the check box to enable Perfect Forward Secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
  DH Group: Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses.

Add: Select the add icon to add a new connection.
Delete: Select a connection and then select the delete icon to delete a connection.

  1. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.

Advanced features (Microsoft Windows)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in EMS to ensure the FortiClient profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.

Activate VPN before Windows Log on

When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, you must also select the Users must enter a username and password to use this computer check box in the User Accounts dialog box.

To make this change, proceed as follows:

In FortiClient:

  1. Create the VPN tunnels of interest, or connect to FortiClient EMS, which provides the VPN list of interest.
  2. Enable VPN before log on on the FortiClient Settings page; see VPN options on page 102.

On the Microsoft Windows system:

  1. Start an elevated command prompt.
  2. Enter control userpasswords2 and press Enter. Alternatively, you can enter netplwiz.
  3. Select the Users must enter a username and password to use this computer check box.
  4. Click OK to save the setting.

Connect VPNs before logging on (AD environments)

The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on to AD/Domain.

<forticlient_configuration>
  <vpn>
    <options>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
    </options>
  </vpn>
</forticlient_configuration>

Create redundant IPsec VPNs

To use VPN resiliency/redundancy, you will configure a list of EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This value makes the IPsec VPN connection ping-response based. The VPN connects to the FortiGate that responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority-based configurations try to connect to the FortiGates starting with the first in the list.

Create priority-based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate devices must use the same TCP port.

Advanced features (Mac OS X)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient profile options in EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.

Create redundant IPsec VPNs

To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This value makes the IPsec VPN connection ping-response based. The VPN connects to the FortiGate/EMS that responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority-based configurations try to connect to the FortiGate/EMS starting with the first in the list.

Create priority-based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate/EMS devices must use the same TCP port.
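The two redundancy behaviours described in the Windows and Mac OS X sections above (RedundantSortMethod for IPsec, the priority-based server list for SSL VPN, and the same-port rule) can be checked offline before a profile is pushed. The following Python example is added here and is not part of this guide or of FortiClient: it parses a constructed profile fragment built from the page's sample <server> lists, reproduces both orderings, and checks the SSL VPN port requirement; the RTT measurements and the handling of gateways that do not answer the probe are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed profile fragment built from the redundant IPsec and SSL VPN
# connections shown above (the server lists are the page's own sample values).
PROFILE_XML = """<forticlient_configuration>
  <vpn>
    <ipsecvpn><connections><connection>
      <name>psk_90_1</name>
      <type>manual</type>
      <ike_settings>
        <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
        <redundantsortmethod>1</redundantsortmethod>
      </ike_settings>
    </connection></connections></ipsecvpn>
    <sslvpn><connections><connection>
      <name>ssl_90_1</name>
      <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
    </connection></connections></sslvpn>
  </vpn>
</forticlient_configuration>"""


def split_servers(server_text):
    """Split the semicolon-separated <server> list into (host, port) tuples.
    port is None when the entry carries none (IPv4 and FQDN entries only)."""
    servers = []
    for entry in server_text.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        servers.append((host, int(port)) if sep and port.isdigit() else (entry, None))
    return servers


def order_gateways(servers, sort_method, rtt_ms=None):
    """Order in which the gateways are tried.
    0: priority based, the configured order.  1: ping-response based, fastest
    responder first; hosts with no reply (absent from rtt_ms) are appended in
    configured order (assumption: the page only says the fastest responder wins)."""
    if sort_method == 0:
        return list(servers)
    rtt_ms = rtt_ms or {}
    responders = sorted((s for s in servers if s[0] in rtt_ms), key=lambda s: rtt_ms[s[0]])
    silent = [s for s in servers if s[0] not in rtt_ms]
    return responders + silent


def sslvpn_port_consistent(servers, default_port=443):
    """All SSL VPN gateways must listen on the same TCP port; entries without an
    explicit port are assumed to use default_port."""
    return len({port if port is not None else default_port for _, port in servers}) == 1


def connection_plans(profile_xml, rtt_ms=None):
    """Map each VPN connection name to the gateway order FortiClient would use."""
    plans = {}
    for conn in ET.fromstring(profile_xml).iter("connection"):
        name = conn.findtext("name")
        ike = conn.find("ike_settings")
        if ike is not None:  # IPsec: server list and sort method sit under ike_settings
            servers = split_servers(ike.findtext("server", ""))
            method = int(ike.findtext("redundantsortmethod", "0"))
        else:                # SSL VPN: server list sits under connection, priority based
            servers = split_servers(conn.findtext("server", ""))
            method = 0
        plans[name] = order_gateways(servers, method, rtt_ms)
    return plans
```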

VPN tunnel & script

This feature supports auto running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of a VPN tunnel configuration on EMS’s XML format FortiClient profile. The profile will be pushed down to FortiClient from EMS. When FortiClient’s VPN tunnel is connected or disconnected, the respective script defined under that tunnel will be executed.

Windows

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>
  <script>
    <os>windows</os>
    <script>
      <script>
        <![CDATA[
        net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
        md c:\test
        copy x:\PDF\*.* c:\test
        ]]>
      </script>
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <script>
        <![CDATA[ net use x: /DELETE ]]>
      </script>
    </script>
  </script>
</on_disconnect>

OS X

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>
  <script>
    <os>mac</os>
    <script>
      /bin/mkdir /Volumes/installers
      /sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
      /sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
      /bin/mkdir /Users/admin/Desktop/dropbox/dir
      /bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>mac</os>
    <script>
      /sbin/umount /Volumes/installers
      /bin/rm -fr /Users/admin/Desktop/dropbox/*
    </script>
  </script>
</on_disconnect>
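Because these scripts are pushed to every endpoint that receives the profile and run on each tunnel event, a profile reviewer will want to know when a script carries a share password inside it, as the sample mount command above does. The following Python example is added here and is not part of this guide or of FortiClient: it scans a constructed profile fragment built from the on_connect/on_disconnect blocks above and reports the script lines that embed credentials; placing the two per-OS scripts as siblings under one hook is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed profile fragment built from the on_connect/on_disconnect scripts above;
# the Windows block keeps the page's nested <script> elements and CDATA wrapper, and
# the two per-OS scripts sit as sibling <script> elements under one hook (assumption).
PROFILE_XML = r"""<forticlient_configuration><vpn><sslvpn><connections><connection>
<name>ssl_90_1</name>
<on_connect>
  <script><os>windows</os><script><script><![CDATA[
net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
md c:\test
copy x:\PDF\*.* c:\test
]]></script></script></script>
  <script><os>mac</os><script>
/bin/mkdir /Volumes/installers
/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/
/bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.
</script></script>
</on_connect>
<on_disconnect>
  <script><os>windows</os><script><script><![CDATA[ net use x: /DELETE ]]></script></script></script>
</on_disconnect>
</connection></connections></sslvpn></vpn></forticlient_configuration>"""

# user:password@host inside a share URL, e.g. //kimberly:RigUpTown@ssldemo.fortinet.com/...
URL_CREDENTIALS = re.compile(r"//[^/\s:@]+:[^/\s@]+@")


def hook_scripts(hook):
    """Yield (os, commands) for each per-OS block under an on_connect/on_disconnect hook.
    The innermost <script> element that carries text holds the commands (CDATA or plain)."""
    for block in hook.findall("script"):
        os_name = (block.findtext("os") or "").strip()
        with_text = [e for e in block.iter("script") if e is not block and (e.text or "").strip()]
        if with_text:
            yield os_name, with_text[-1].text.strip()


def net_use_has_inline_password(tokens):
    """True when a bare token (the password) follows the /user:NAME switch of net use."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().startswith("/user:") and not tokens[i + 1].startswith("/"):
            return True
    return False


def find_embedded_credentials(profile_xml):
    """Return (hook, os, line number, reason) for every script line that ships a
    secret inside the pushed profile."""
    findings = []
    root = ET.fromstring(profile_xml)
    for hook_name in ("on_connect", "on_disconnect"):
        for hook in root.iter(hook_name):
            for os_name, commands in hook_scripts(hook):
                for lineno, line in enumerate(commands.splitlines(), 1):
                    tokens = line.split()
                    if URL_CREDENTIALS.search(line):
                        findings.append((hook_name, os_name, lineno, "credentials embedded in share URL"))
                    if [t.lower() for t in tokens[:2]] == ["net", "use"] and net_use_has_inline_password(tokens):
                        findings.append((hook_name, os_name, lineno, "password passed on the net use command line"))
    return findings
```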

Application Firewall

FortiClient can recognize the traffic generated by a large number of applications. You can create rules to block or allow this traffic per category, or application.

Enable/disable Application Firewall

The administrator enables the application firewall feature by using a FortiClient profile. The FortiClient profile includes the application firewall configuration.

The FortiClient Endpoint Control feature enables the site administrator to distribute an Application Control sensor from FortiGate/EMS.

On the FortiGate, the process is as follows:

  - Create an Application Sensor and Application Filter on the FortiGate.
  - Add the Application Sensor to the FortiClient Profile on the FortiGate.

On EMS, the application firewall is part of the endpoint profile.

For more information on configuring application control security profiles, see the FortiOS Handbook -The Complete Guide to FortiOS available in the Fortinet Document Library.

View application firewall profiles

To view the application firewall profile, select Show all.

View blocked applications

To view blocked applications, select the Applications Blocked link in the FortiClient console. This page lists all applications blocked in the past seven days, including the count and time of last occurrence.

Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.

When a FortiClient endpoint is connected to FortiGate/EMS, the Web Security tab becomes the Web Filter tab in the FortiClient console.

Enable/disable Web Security/Web Filter

For FortiClient in standalone mode, you can enable, disable, and configure web security by using the FortiClient console. You can define what sites are allowed, blocked, or monitored, and you can view violations.

For FortiClient in managed mode, an administrator enables, disables, and configures Web Filter by using a FortiClient profile. See FortiClient profiles on page 29.

Enable/disable Web Security

This setting can only be configured when FortiClient is in standalone mode.

To enable or disable Web Security:

  1. On the Web Security tab, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.

The following options are available:

  Enable/Disable: Select to enable or disable Web Security.
  X Violations (In the Last 7 Days): Select to view Web Security log entries of the violations that have occurred in the last 7 days.
  Settings: Select to configure the Web Security profile, exclusion list, and settings, and to view violations.

Enable/disable Web Filter

This setting can only be configured when FortiClient is in managed mode. When FortiClient is connected to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.

A FortiClient profile can include a Web Filter profile from a FortiGate or EMS.

On a FortiGate device, the overall process is as follows:

  - Create a Web Filter profile on the FortiGate.
  - Add the Web Filter profile to the FortiClient Profile on the FortiGate.

On EMS, web filtering is part of the endpoint profile.

Configure Web Security profiles

This setting can only be configured when FortiClient is in standalone mode.

You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories.

To configure web security profiles:

  1. On the Web Filter tab, click the Settings icon.
  2. Click a site category.
  3. Click the Action icon, and select an action from the drop-down menu.

The following actions are available:

  Allow: Set the category or sub-category to Allow to allow access.
  Block: Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.
  Warn: Set the category or sub-category to Warn to block access. The user will receive a Web Page Blocked message in the web browser. The user can select to proceed or go back to the previous web page.
  Monitor: Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list.

  4. Click OK.

Edit Web Security exclusion lists

This setting can only be configured when FortiClient is in standalone mode.

You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt.

To manage the exclusion list:

  1. On the Web Security tab, click the Settings icon.
  2. Click Exclusion List.
  3. Click the Add icon to add URLs to the exclusion list.

If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.

  4. Configure the following settings:
  Exclusion List: Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection.
  URL: Enter a URL or IP address.
  Type: Select one of the following pattern types from the drop-down list:
    - Simple
    - Wildcard
    - Regular Expression
  Actions: Select one of the following actions from the drop-down list:
    - Block: Block access to the web site regardless of the URL category or sub-category action.
    - Allow: Allow access to the web site regardless of the URL category or sub-category action.
    - Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established.

  5. Click OK.

Configure Web Security settings

This setting can only be configured when FortiClient is in standalone mode.

To configure web security settings:

  1. On the Web Security tab, click the Settings icon.
  2. Click Settings.
  3. Configure the following settings:
  Enable Site Categories: Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list.
  Log all URLs: Select to log all URLs.
  Identify user initiated web browsing: Select to identify web browsing that is user initiated.
  4. Click OK.

View violations

This section applies to FortiClient in standalone mode and managed mode.

To view Web Security violations:

  1. On the Web Security tab, click the Settings icon.

Alternately, you can click the X Violations (In the Last 7 Days) link.

  2. Click Violations.

The following information is displayed.

  Website: The website name or IP address.
  Category: The website sub-category.
  Time: The date and time that the website was accessed.
  User: The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message.
  3. Click Close.

Roaming clients (multiple redundant gateways)

The following figure illustrates three corporate FortiGate networks. Each FortiGate can reach the others over a WAN network. FortiClient can only reach one FortiGate at a time. FortiClient may connect directly to the FortiGate or through a NAT device.

If FortiClient connects through a NAT device to the FortiGate, do not enforce endpoint control compliance on the FortiGate.

On each of the three FortiGate devices configure the following:

  - Interface IP addresses
  - FortiClient profile
  - Device identification in the interface
  - FortiClient profile in the applicable firewall policy
  - Endpoint control synchronization

Endpoint control synchronization allows you to synchronize endpoint control for multiple FortiGate devices. To enable endpoint control synchronization via the CLI enter the following commands on your FortiGate:

config endpoint-control forticlient-registration-sync
    edit 1
        set peer-ip 172.20.52.19
    next
    edit 2
        set peer-ip 172.22.53.29
    end
end

The IP addresses set for the peer-ip field are the WAN IP addresses for each of the FortiGate devices in the synchronization group.

You need to add the following XML configuration to FortiClient for this synchronization group. Modify the configuration file to add the following:

<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Corporate Network</name>
        <addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>

The IP addresses are the internal IP addresses for each of the three FortiGates in the synchronization group. FortiClient can reach any of these IPs, one at a time.

If the three FortiGate devices share the same DNS name, use the following XML configuration:

<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Fortinet Americas</name>
        <addresses>fct_americas.fortinet.com</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>

The DNS server should return one reachable FortiGate IP address for the domain name used.

You will need to manually add FortiClient to the synchronization group when FortiClient initially connects with the FortiGate. Once added, no further action is required.

On your FortiGate, use the following CLI command to list all connected FortiClient endpoints:

diagnose endpoint registration list registered-forticlients
FortiClient #1 (0):
    UID = BE6B76C509DB4CF3A8CB942AED200000
    vdom = root
    status = registered
    registering time = Fri May 2 15:00:07 2014
    registration expiry time = none
    source IP = 172.172.172.111
    source MAC = b0:ac:6f:70:e0:a0
    user = user
    host OS = Microsoft Windows 7 , 64-bit
    restored registration = no
    remote registration = yes
    registration FGT = FGT60C3G11000000
Total number of licences: 10
Total number of granted licenses: 1
Total number of available licences: 9

The remote registration entry indicates whether this specific FortiClient is connected to this FortiGate, or to another FortiGate within the synchronization group.

If any of the FortiGate devices require a password to complete connection, you can use the following XML configuration to provide password information to FortiClient:

<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Corporate Network</name>
        <addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>
        <registration_password>uNbre@kab1e</registration_password>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>
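The synchronization group above has two halves that must agree: each FortiGate lists the other members' WAN addresses as peer-ip entries, and the FortiClient profile lists every member's internal address (plus the registration password where one is required). The following Python example is added here and is not part of this guide or of Fortinet: it generates each member's forticlient-registration-sync CLI block and the matching <endpoint_control> fragment from one gateway inventory, after checking the inventory for malformed or reused addresses; the inventory is constructed, and the WAN address of the first member is not on the page and is assumed.

```python
import ipaddress
from xml.sax.saxutils import escape

# Constructed inventory for the three-FortiGate synchronization group above. The
# internal addresses and two of the WAN addresses are the page's sample values;
# the WAN address of the first member is not on the page and is assumed.
GATEWAYS = [
    {"name": "fgt-1", "wan": "172.18.51.9", "lan": "10.18.51.9"},
    {"name": "fgt-2", "wan": "172.20.52.19", "lan": "10.20.52.19"},
    {"name": "fgt-3", "wan": "172.22.53.29", "lan": "10.22.53.29"},
]


def check_group(gateways):
    """Problems that would break the group: malformed addresses or an address
    reused by two members (each peer-ip must identify exactly one FortiGate)."""
    problems, owner = [], {}
    for gw in gateways:
        for role in ("wan", "lan"):
            addr = gw[role]
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{gw['name']}: malformed {role} address {addr!r}")
                continue
            if addr in owner:
                problems.append(f"{gw['name']}: {role} address {addr} already used by {owner[addr]}")
            owner[addr] = gw["name"]
    return problems


def registration_sync_cli(gateways, member_name):
    """FortiGate CLI for one member: every other member's WAN address becomes a
    peer-ip entry, so each FortiGate in the group gets its own distinct block."""
    peers = [gw["wan"] for gw in gateways if gw["name"] != member_name]
    lines = ["config endpoint-control forticlient-registration-sync"]
    for index, peer in enumerate(peers, 1):
        lines += [f"    edit {index}", f"        set peer-ip {peer}", "    next"]
    lines.append("end")
    return "\n".join(lines)


def forticlient_sync_xml(gateways, group_name, registration_password=None):
    """FortiClient <endpoint_control> fragment listing the members' internal
    addresses; the registration password, if given, appears in clear text in
    this fragment, so the pushed profile itself has to be treated as sensitive."""
    addresses = ";".join(gw["lan"] for gw in gateways)
    password_line = ""
    if registration_password:
        password_line = (f"\n        <registration_password>{escape(registration_password)}"
                         "</registration_password>")
    return (
        "<forticlient_configuration>\n"
        "  <endpoint_control>\n"
        "    <!-- List of redundant FortiGates, since 5.0.2 -->\n"
        "    <fortigates>\n"
        "      <fortigate>\n"
        f"        <name>{escape(group_name)}</name>\n"
        f"        <addresses>{addresses}</addresses>{password_line}\n"
        "      </fortigate>\n"
        "    </fortigates>\n"
        "  </endpoint_control>\n"
        "</forticlient_configuration>"
    )
```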