Tag Archives: forticlient tips

Configure FortiClient Telemetry connections with AD user groups

When FortiClient Telemetry connects to FortiGate/EMS, the user’s AD domain name and group are both sent to FortiGate/EMS. Administrators may configure the FortiGate/EMS to deploy endpoint and/or firewall profiles based on the end user’s AD domain group. The following steps are discussed in more detail:

  • Configure users and groups on AD servers
  • Configure FortiAuthenticator
  • Configure FortiGate/EMS
  • Connect FortiClient Telemetry to FortiGate/EMS
  • Monitor FortiClient connections

Configure users and groups on AD servers

Create the user accounts and groups on the AD server. Groups may have any number of users. A user may belong to more than one group at the same time.

Configure FortiAuthenticator

Configure FortiAuthenticator to use the AD server that you created. For more information see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

Configure FortiGate/EMS

FortiGate

Add the FortiAuthenticator or Fortinet Single Sign-On Agent (FSSO):

  1. Go to User & Device > Single Sign-On.
  2. Select Create New in the toolbar. The New Single Sign-On Server window opens.
  3. In the type field, select Fortinet Single-Sign-On Agent.
  4. Enter the information required for the agent. This includes the name, primary and secondary IP addresses, and passwords. Select an LDAP server in the drop-down list if applicable. Select More FSSO agents to add up to three additional agents.
  5. Select OK to save the agent configuration.

Create a user group:

  1. Go to User & Device > User Groups.
  2. Select Create New in the toolbar. The New User Group window opens.
  3. In the type field, select Fortinet Single-Sign-On (FSSO).
  4. Select members from the drop-down list.
  5. Select OK to save the group configuration.

Configure the FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select Create New in the toolbar. The New FortiClient Profile window opens.
  3. Enter a profile name and optional comments.
  4. In the Assign Profile To drop-down list select the FSSO user group(s).
  5. Configure the FortiClient settings as required.
  6. Select OK to save the new FortiClient profile.

Create any number of FortiClient profiles with different groups and different settings. The default profile will be assigned to users who connect successfully, but have no matching FortiClient profile.

Configure the firewall policy:

Configure the firewall policy as described in Configure firewall policies on page 35. Ensure that Compliant with FortiClient Profile is selected in the policy.

EMS

Add a new domain:

  1. Under the Endpoints heading, in the Domains section, select Add a new domain. The Domain Settings window opens.
  2. Enter the domain information as required.
  3. Select Test to confirm functionality, then, if successful, select Save to add the domain.

The domain’s organizational units (OUs) will automatically be populated in the Domains section under the Endpoints heading. For more information, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.

Connect FortiClient Telemetry to FortiGate/EMS

The Microsoft Windows system on which FortiClient is installed should join the domain of the AD server configured earlier. Users may log in with their domain user name.

Following this, FortiClient endpoint connections will send the logged-in user’s name and domain to the FortiGate/EMS. The FortiGate/EMS will assign the appropriate profiles based on the configurations.

Use FortiClient console

This section describes how a FortiClient endpoint user can use the FortiClient console when FortiClient is managed by FortiGate/EMS.

To use the FortiClient console:

  1. View FortiClient Telemetry connection status, last profile update, and the gateway IP list. See Compliance on page 54.

If FortiClient Telemetry is connected to FortiGate, you can also view compliance status and instructions for remaining compliant on the Compliance tab.

  2. View Antivirus threats. See Antivirus on page 65.
  3. View web filter results. See View violations on page 79.
  4. View application firewall results. See Application Firewall on page 81.
  5. Configure and use remote access. See IPsec VPN and SSL VPN on page 83.
  6. View vulnerability scan results. See Vulnerability Scan on page 92.
  7. View notifications. See View notifications on page 63.

Configure FortiGate

This section provides an overview of configuring FortiGate for endpoint control.

Get started

FortiGate endpoint control is configured by completing the following tasks:

  1. Enable the endpoint control feature. See Enable the Endpoint Control feature on page 34.
  2. Enable FortiTelemetry on an interface. See Enable FortiTelemetry on an interface on page 34.
  3. Configure firewall policies. See Configure firewall policies on page 35.
  4. Configure FortiClient profiles. See Configure FortiClient profiles on page 35.

After FortiClient software is installed on endpoints, and the FortiClient endpoints connect FortiTelemetry to FortiGate, FortiClient downloads a FortiClient profile from FortiGate.

Additional configuration options are available, depending on the needs of your network.

Enable the Endpoint Control feature

When using the GUI for configuration, you must enable endpoint control on FortiGate devices to use the device for FortiClient endpoint management.

When using the CLI for configuration, you can skip this step.

To enable the endpoint control feature:

  1. Go to System > Feature Select.
  2. In the Security Features list, enable Endpoint Control.
  3. In the Additional Features list, enable Multiple Security Profiles.
  4. Click Apply.

Enable FortiTelemetry on an interface

You must configure FortiClient communication on a FortiGate interface by specifying an IP address and enabling FortiTelemetry communication.

The IP address for the interface defines the gateway IP address for the FortiGate that FortiClient endpoints will use to connect FortiClient Telemetry to FortiGate.

You can also add any devices that are exempt from requiring FortiClient software to an exemption list for the interface.

To enable FortiTelemetry on an interface:

  1. Go to Network > Interfaces.
  2. Select an interface, and click Edit.
  3. Set the following options:

     Address: In the IP/Network Mask, type the gateway IP address.
     Restrict Access: Beside Administrative Access, select the FortiTelemetry check box to enable endpoints to send FortiTelemetry to FortiGate.
     Networked Devices: Enable Device Detection to allow FortiGate to detect the operating system on connected endpoint devices.
     Admission Control: Enable Enforce FortiTelemetry for All FortiClients to require endpoint compliance for all endpoints.
       Click the Exempt Sources box, and add the devices that are exempt from requiring FortiClient software with a FortiClient Telemetry connection to the FortiGate, such as a Linux PC. For example, FortiClient software currently does not support the Linux operating system. You can add this type of device to the Exempt Sources list.
       Click the Exempt Destinations/Services box, and add the destinations and services.

  4. Configure the remaining options as required.
  5. Click OK.

Configure firewall policies

You must configure a firewall policy for FortiClient access to the Internet. The firewall policy must include the incoming interface that is defined for FortiTelemetry communication, and the outgoing interfaces that you want FortiClient endpoints to use for accessing the Internet. Otherwise, endpoints will be unable to access the Internet.

To configure firewall policies:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Click Create New in the toolbar. The New Policy window is displayed.
  3. In the Name box, type a name for the firewall policy.
  4. In the Incoming Interface list, select the port defined for FortiTelemetry communication.
  5. In the Outgoing Interface, select the port(s) defined for outgoing traffic from FortiGate.
  6. Configure the remaining options as required.
  7. Click OK.

Vulnerability Scan

FortiClient includes a Vulnerability Scan module to check your workstation for known system vulnerabilities. You can scan on-demand or on a scheduled basis. This feature is disabled by default and the tab is hidden for standalone clients. For users who are registered to a FortiGate using endpoint control, the FortiGate administrator may choose to enable this feature. Vulnerability Scan is enabled via the FortiGate Command Line Interface (CLI) only. Once enabled, the Endpoint Vulnerability Scan on Client setting is available in the FortiClient Profile.

Enable vulnerability scan

This section describes how to enable Vulnerability Scan in the FortiClient Profile via the FortiGate CLI and configuration options.

  1. Enable Vulnerability Scan in the FortiClient Profile:
     a. Log in to your FortiGate CLI.
     b. Enter the following CLI commands:

        config endpoint-control profile
            edit <profile-name>
                config forticlient-winmac-settings
                    set forticlient-vuln-scan enable
                    set forticlient-vuln-scan-schedule {daily | weekly | monthly}
                    set forticlient-vuln-scan-on-registration {enable | disable}
                    set forticlient-ui-options {av | wf | af | vpn | vs}
                end
        end

        <profile-name>: Enter the name of the FortiClient Profile.
        forticlient-vuln-scan {enable | disable}: Enable or disable the Vulnerability Scan module.
        forticlient-vuln-scan-schedule {daily | weekly | monthly}: Configure a daily, weekly, or monthly vulnerability scan on the client workstation.
        forticlient-vuln-scan-on-registration {enable | disable}: Enable or disable vulnerability scan on client registration to FortiGate.
        forticlient-ui-options {av | wf | af | vpn | vs}: Set the FortiClient components that will be available to the client upon registration with FortiGate.
          • av: Antivirus
          • wf: Web Filter
          • af: Application Firewall
          • vpn: Remote Access
          • vs: Vulnerability Scan

  2. The FortiGate will send the FortiClient Profile configuration update to registered clients. The Vulnerability Scan tab is now accessible in FortiClient.

Scan now

To perform a vulnerability scan, select the Scan Now button in the FortiClient console. FortiClient will scan your workstation for known vulnerabilities. The console displays the date of the last scan above the button.

You can select to use a FortiManager device for client software and signature updates. When configuring the FortiClient Profile, select Use FortiManager for client software/signature update to enable the feature and enter the IP address of your FortiManager device.

View vulnerabilities

When the scan is complete, FortiClient will display the number of vulnerabilities found in the FortiClient console.

Select the Vulnerabilities Detected link to view a list of vulnerabilities detected on your system. Alternatively, select Detected: X on the Vulnerability Scan tab to view the vulnerabilities.

This page displays the following:

Vulnerability Name: The name of the vulnerability.
Severity: The severity level assigned to the vulnerability: Critical, High, Medium, Low, or Info.
Details: FortiClient vulnerability scan lists a Bugtraq (BID) number under the details column. You can select the BID to view details of the vulnerability on the FortiGuard site, or search the web using this BID number.
Close: Close the window and return to the FortiClient console.

Select the Details ID number from the list to view information on the selected vulnerability on the FortiGuard site.

The site details the release date, severity, impact, description, affected products, and recommended actions.

Antivirus

This chapter includes the following sections:

  • FortiClient Antivirus
  • Antivirus logging
  • Antivirus options
  • Endpoint control

FortiClient Antivirus

FortiClient includes an antivirus module to scan system files, executable files, removable media, dynamic-link library (DLL) files, and drivers. FortiClient will also scan for and remove rootkits. In FortiClient, File Based Malware, Malicious Websites, Phishing, and Spam URL protection is part of the antivirus module. Scanning can also be extended using FortiSandbox.

This section describes how to enable and configure antivirus options.

Enable or disable antivirus

To enable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Disabled. The real-time protection settings page will open.
  2. Select Scan files as they are downloaded or copied to my system.
  3. Select OK.

If you have another antivirus program installed on your system, FortiClient will show a warning that your system may lock up due to conflicts between different antivirus products.

To disable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Enabled. The real-time protection settings page will open.
  2. Deselect Scan files as they are downloaded or copied to my system.
  3. Select OK.

Conflicting antivirus warning

FortiSandbox

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

This option cannot be configured on a registered endpoint, and must instead be configured on the FortiGate/EMS.

To extend scanning using FortiSandbox:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Extend scanning using FortiSandbox.
  3. Enter the FortiSandbox IP address, then select Test to ensure that the connection is correct.
  4. Optionally, select Identify malware & exploits using signatures received from FortiSandbox.
  5. Select OK to apply your changes.

Blocking access and communication channels

To block access to malicious websites and known communication channels used by attackers:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Block all access to malicious websites and Block known communication channels used by attackers.
  3. Select OK to apply your changes.

Notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the notifications icon will change from gray to yellow.

Event notifications include:

  • Antivirus events including scheduled scans and detected malware.
  • Endpoint Control events including configuration updates received from FortiGate.
  • WebFilter events including blocked web site access attempts.
  • System events including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

Scan now

To perform on-demand antivirus scanning, select the Scan Now button in the FortiClient console. Use the drop-down menu to select Custom Scan, Full Scan, Quick Scan, or Removable media Scan. The console displays the date of the last scan to the left of the button.

  • Custom Scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.
  • Full Scan runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan including all files, executable files, DLLs, and drivers for threats.
  • Quick System Scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, and drivers that are currently running for threats.
  • Removable media Scan runs the rootkit detection engine to detect and remove rootkits. It scans all connected removable media, such as USB drives.

Scan a file or folder on your workstation

To perform a virus scan on a specific file or folder on your workstation, right-click the file or folder and select Scan with FortiClient AntiVirus from the menu.

Submit a file for analysis

You can select to send up to 5 files a day to FortiGuard for analysis. To submit a file, right-click a file or executable and select Submit for analysis from the menu. A dialog box will be displayed which allows you to see the number of files you have submitted. Confirm the location of the file you want to submit, then select the Submit button.

View FortiClient engine and signature versions

To view the current FortiClient version, engine, and signature information, select Help in the toolbar, and select About in the menu. Hover the mouse over the status field to see the date and time that FortiClient last updated the selected item.

When FortiClient is registered to FortiGate for endpoint control, you can select to use a FortiManager device for client software and signature updates. When configuring the FortiClient profile, select Use FortiManager for client software/signature updates to enable the feature and enter the IP address of your FortiManager device. You can select to fail over to FDN when FortiManager is not available.

Schedule antivirus scanning

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Scheduled Scan tab to schedule antivirus scanning.

Scans cannot be scheduled on a registered endpoint.

Configure the following settings:

Schedule Type: Select Daily, Weekly, or Monthly from the drop-down list.
Scan On: For Weekly scheduled scan, select the day of the week in the drop-down list. For Monthly scheduled scan, select the day of the month in the drop-down list.
Start: Select the time of day that the scan starts. The time format uses a 24-hour clock.
Scan Type: Select the scan type:
  • Quick system scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, and drivers that are currently running for threats.
  • Full system scan runs the rootkit detection engine to detect and remove rootkits. It then performs a full system scan including all files, executable files, DLLs, and drivers for threats.
  • Custom scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.
  You cannot schedule a removable media scan. A full scan will scan removable media.
Disable Scheduled Scan: Select to disable scheduled scan.

Select OK to save the setting and return to the main FortiClient console page.

If you configure monthly scans to occur on the 31st of each month, the scan will occur on the first day of the month for those months with fewer than 31 days.

Add files/folders to an exclusion list

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Exclusion List tab.

To add files/folders to the antivirus exclusion list, select the add icon and then select Add file or Add folder from the drop-down list. Any files or folders in this exclusion list will not be scanned. Select the minus icon to remove files or folders from the list.

Select OK to save the setting and return to the FortiClient console page.

View quarantined threats

To view quarantined threats, select the X Threats Detected link in the FortiClient console, then select the Quarantined Files tab. In this page you can view, restore, or delete the quarantined file. You can also view the original file location, the virus name, submit the suspicious file to FortiGuard, and view logs.

This page displays the following:

File Name: The name of the file.
Date Quarantined: The date and time that the file was quarantined by FortiClient.
Refresh: Select to refresh the quarantined files list.
Details: Select a file from the list to view detailed information including the file name, original location, date and time that the virus was quarantined, the submitted status, status, virus name, and quarantined file name.
Logs: Select to view FortiClient log data.
Refresh: Select to refresh the list.
Submit: Select to submit the quarantined file to FortiGuard. Press and hold the control key to submit multiple entries.
Restore: Select to restore the quarantined file. A confirmation dialog box will be displayed. You can select Yes to add this file/folder to the exclusion list, No to restore the file, or Cancel to exit the operation. Press and hold the control key to restore multiple entries.
Delete: Select to delete the quarantined file. A confirmation dialog box will be displayed; select Yes to continue. Press and hold the control key to delete multiple entries.
Close: Select to close the page and return to the FortiClient console.

View site violations

To view site violations, select the X Threats Detected link in the FortiClient console, then select the Site Violations tab. On this page you can view site violations and submit sites to be re-categorized.

This page displays the following:

Website: Displays the name of the website.
Time: Displays the date and time of the site violation.
Refresh: Select to refresh the site violation list.
Details: Select an entry in the list to view site violation details including the website name, category, date and time, user name, and status.

Select the category link to request to have the site category re-evaluated.

View alerts dialog box

When FortiClient antivirus detects a virus while attempting to download a file via a web-browser, you will receive a warning dialog message.

Select View recently detected virus(es) to collapse the virus list. Select a file in the list and right-click to access the context menu.

Delete: Select to delete a quarantined or restored file.
Quarantine: Select to quarantine a restored file.
Restore: Select to restore a quarantined file.
Submit Suspicious File: Select to submit a file to FortiGuard as a suspicious file.
Submit as False Positive: Select to submit a quarantined file to FortiGuard as a false positive.
Add to Exclusion List: Select to add a restored file to the exclusion list. Any files in the exclusion list will not be scanned.
Open File Location: Select to open the file location on your workstation.

When Alert when viruses are detected under AntiVirus Options on the Settings page is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.

Realtime Protection events

When an antivirus real-time protection event has occurred you can select to view these events in the FortiClient console. From the AntiVirus tab, select X Threats Detected, then select Real-time Protection events (x) in the left pane. The realtime_scan.log will open in the default viewer.

Example log output:

Realtime scan result: time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com
time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com.txt
time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicarcom2.zip
time: 09/29/15 10:46:08, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar_com.zip
time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\3g_bl8y9.com.part
time: 03/18/15 10:48:13, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\xntwh8q1.zip.part
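
A parser for realtime_scan.log lines in the layout shown in the example output, added here as an example and not part of the FortiClient documentation. It assumes MM/DD/YY dates and that the file path is always the last field; the `Denied` action value, the comma-bearing path and the truncated line are constructed inputs.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Iterable, NamedTuple, Optional

# Layout follows the example output on this page. The "Realtime scan result:"
# prefix is optional because only the first sample line carries it.
LINE_RE = re.compile(
    r"^(?:Realtime scan result:\s*)?"
    r"time:\s*(?P<time>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*"
    r"virus found:\s*(?P<virus>[^,]+?),\s*"
    r"action:\s*(?P<action>[^,]+?),\s*"
    r"(?P<path>.+)$"
)


class Detection(NamedTuple):
    when: datetime
    virus: str
    action: str
    path: str


def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; return None for blank or unrecognized lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        # Assumption: MM/DD/YY, which the sample date 09/29/15 implies.
        when = datetime.strptime(m["time"], "%m/%d/%y %H:%M:%S")
    except ValueError:
        return None
    # The path is the final field, so commas inside it are preserved.
    return Detection(when, m["virus"].strip(), m["action"].strip(), m["path"])


def summarize(lines: Iterable[str]) -> dict:
    """Aggregate detections for triage and keep lines that failed to parse."""
    detections, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        det = parse_line(line)
        if det is None:
            unparsed.append(line)
        else:
            detections.append(det)
    return {
        "detections": detections,
        "unparsed": unparsed,
        "by_signature": Counter(d.virus for d in detections),
        # Anything not quarantined needs someone to check the file on disk.
        "needs_review": [d for d in detections
                         if d.action.lower() != "quarantined"],
        # Assumption: a ".part" suffix marks an in-progress browser download.
        "partial_downloads": [d for d in detections
                              if d.path.lower().endswith(".part")],
    }


# The first three lines come from this page; the rest are constructed.
SAMPLE_LINES = [
    r"Realtime scan result: time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com",
    r"time: 09/29/15 10:46:08, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar_com.zip",
    r"time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\3g_bl8y9.com.part",
    # Constructed: comma inside the path.
    r"time: 09/29/15 10:47:02, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\documents\report, final.zip",
    # Constructed: hypothetical action value, not taken from FortiClient output.
    r"time: 09/29/15 10:47:30, virus found: EICAR_TEST_FILE, action: Denied, c:\users\user\downloads\sample.exe",
    # Constructed: truncated line that must not be counted as a detection.
    r"time: 09/29/15 10:48, virus found:",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print("detections:", len(report["detections"]))
    print("unparsed lines:", len(report["unparsed"]))
    for virus, count in report["by_signature"].most_common():
        print(f"  {virus}: {count}")
    for d in report["needs_review"]:
        print(f"REVIEW {d.when:%Y-%m-%d %H:%M:%S} {d.action} {d.path}")
```

Lines that fail to parse are returned rather than dropped, so a change in the log layout shows up as a growing `unparsed` list instead of silently missing detections.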

Antivirus logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.

Configure the following settings:

Enable logging for these features: Select antivirus to enable logging for this feature.
Log Level: Select the level of logging:
  • Emergency: The system becomes unstable.
  • Alert: Immediate action is required.
  • Critical: Functionality is affected.
  • Error: An error condition exists and functionality could be affected.
  • Warning: Functionality could be affected.
  • Notice: Information about normal events.
  • Information: General information about system operations.
  • Debug: Debug FortiClient.
Log file
Export logs: Select to export logs to your local hard disk drive (HDD) in .log format.
Clear logs: Select to clear all logs. You will be presented with a confirmation window; select Yes to proceed.

Antivirus options

For information on configuring antivirus options, see Antivirus options on page 109.

Endpoint control

When FortiClient is registered to FortiGate/EMS for endpoint control, FortiClient receives configuration and settings via the FortiClient Profile configured on the device.

To enable antivirus protection on FortiGate:

  1. Log in to your FortiGate.
  2. In the left tree menu, select Security Profiles > FortiClient Profiles.
  3. In the right pane, in the Edit FortiClient Profile page, in the Security tab, enable AntiVirus.
  4. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

To enable antivirus protection on EMS:

  1. Log in to the EMS.
  2. Go to Endpoint Profiles and select a profile to edit.
  3. In the right pane, select AntiVirus Protection to enable antivirus protection and configure as needed.
  4. Select Save to save the profile.

The EMS will send the FortiClient Profile configuration update to registered clients.

Antivirus profile settings

FortiGate and EMS share similar settings for antivirus profiles. EMS also includes advanced options.

After enabling antivirus protection on FortiGate/EMS, the following settings can be configured:

Scan Downloads: Scan files as they are downloaded or copied to my system.
Scan with FortiSandbox: Extended scanning using FortiSandbox. FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning.
FortiSandbox IP address: The IP address of the FortiSandbox device.
Wait for FortiSandbox results: Wait for FortiSandbox results before allowing file access.
Use FortiSandbox signatures: Identify malware & exploits using signatures or URLs received from FortiSandbox.
Block malicious websites: Block all access to malicious websites. EMS also has the option of using the exclusion list defined in the web filter profile.
Block attack channels: Block known communication channels used by attackers.
Alert when viruses are detected: This option is EMS only.
Schedule Scan: Schedule automatic scans daily, weekly, or monthly at a specific time of day. Quick, Full, and Custom scans can be run automatically.
Excluded Paths: Files or folders that are not scanned.

Advanced options available on EMS only include:

Scan Downloads: Files that are scanned as they are downloaded or copied to the system can be treated in one of the following ways:
  • Clean infected files (quarantine if cannot clean)
  • Repair infected files (quarantine if cannot clean)
  • Warn the user if a process attempts to access infected files
  • Quarantine infected files
  • Deny access to infected files
Scan with FortiSandbox: If waiting for FortiSandbox results is enabled, access to downloaded files can be denied if FortiSandbox is offline.
Scan compressed files: Scan compressed files that are up to a specified size (default: 10Mb).
Scan email: Scan email messages and attachments.
User process scanning:
  • Scan files when processes read or write them
  • Scan files when processes read them
  • Scan files when processes write them
Scan network files: Scan network files.
System process scanning:
  • Scan files when system processes read or write them
  • Scan files when system processes read them
  • Scan files when system processes write them
  • Do not scan files when system processes read or write them
On demand scanning: Configure on-demand file scan options.
  • Clean infected files (quarantine if cannot clean)
  • Repair infected files (quarantine if cannot clean)
  • Warn the user if a process attempts to access infected files
  • Quarantine infected files
Integrate FortiClient into Windows Explorer’s mouse menu: Add the options to Scan with FortiClient AntiVirus and Submit for analysis to the Windows Explorer right-click menu.
Pause scanning when running on battery power: Pause a scanning process when the computer is running on battery power.
Automatically submit suspicious files to FortiGuard for analysis: Submit all files to FortiGuard for analysis.
Scan compressed files: Scan compressed files that are up to a specified size (default: 10Mb, 0 means unlimited).
Maximize scan speed: Select the amount of memory a computer must have before FortiClient maximizes its scan speed. One of: 4MB, 6MB, 8MB, 12MB, 16MB.
More Options: Enable or disable various other options, including:
  • Scan for rootkits
  • Scan for adware
  • Scan for riskware
  • Enable advanced heuristics
  • Scan removable media on insertion
  • Scan mime files (inbox files)
  • Enable FortiGuard Analytics
  • Notify logged in users if their AntiVirus signatures expire