
Appendix B – FortiClient API

You can operate FortiClient VPNs using the COM-based FortiClient API. The API can be used with IPsec VPN only. SSL VPN is currently not supported. This chapter contains the following sections:

  • Overview
  • API reference

Overview

The FortiClient COM library provides functionality to:

  • Retrieve a list of the VPN tunnels configured in the FortiClient application.
  • Start and stop any of the configured VPN tunnels.
  • Send XAuth credentials.
  • Retrieve status information: configured tunnel list, active tunnel name, connected or not, idle or not, and remaining key life.
  • Respond to FortiClient-related events: VPN connect, VPN disconnect, VPN is idle, and XAuth authentication requested.

For more information, see the vpn_com_examples ZIP file located in the VPN Automation file folder in the FortiClientTools file.

API reference

The following tables provide API reference values.

Methods

Disconnect(bstrTunnelName As String)
  Close the named VPN tunnel.

GetPolicy(pbAV As Boolean, pbAS As Boolean, pbFW As Boolean, pbWF As Boolean)
  Command is deprecated in FortiClient v5.0.

GetRemainingKeyLife(bstrTunnelName As String, pSecs As Long, pKBytes As Long)
  Retrieve the remaining key life for the named connection. Whether key life time (pSecs) or data (pKBytes) is significant depends on the detailed settings in the FortiClient application.

MakeSystemPolicyCompliant()
  Command is deprecated in FortiClient v5.0.

SendXAuthResponse(tunnelName As String, userName As String, password As String, savePassword As Boolean)
  Send XAuth credentials for the named connection: the user name, the password, and True if the password should be saved.

SetPolicy(bAV As Boolean, bAS As Boolean, bFW As Boolean, bWF As Boolean)
  Command is deprecated in FortiClient v5.0.

GetTunnelList()
  Retrieve the list of all connections configured in the FortiClient application.

IsConnected(bstrTunnelName As String) As Boolean
  Return True if the named connection is up.

IsIdle(bstrTunnelName As String) As Boolean
  Return True if the named connection is idle.

Events

OnDisconnect(bstrTunnelName As String)
  Connection disconnected.

OnIdle(bstrTunnelName As String)
  Connection idle.

OnOutOfCompliance(bAV As Boolean, bAS As Boolean, bFW As Boolean, bWF As Boolean)
  Command is deprecated in FortiClient v5.0.

OnXAuthRequest(bstrTunnelName As String)
  The VPN peer on the named connection requests XAuth authentication.
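The following PowerShell script is an added example, not code from the guide or from the vpn_com_examples ZIP, that builds a tunnel status report from the methods listed in the table above. Everything beyond the method names and parameter lists on this page is an assumption: the ProgID is a placeholder (the real one ships with the vpn_com_examples ZIP the guide refers to), GetTunnelList() is assumed to return an enumerable of tunnel-name strings, and pSecs/pKBytes are treated as output parameters and passed by reference.

```powershell
# Added example (not from the FortiClient guide): report the state of every
# IPsec tunnel through the COM methods of Appendix B, flagging tunnels whose
# remaining key life has dropped below a threshold.
# ASSUMPTIONS: the ProgID is a placeholder; GetTunnelList() is assumed to return
# an enumerable of tunnel names; pSecs/pKBytes are assumed to be ByRef outputs.

function Get-FortiClientTunnelStatus {
    param(
        [string]$ProgId = 'FortiClient.VPN.PROGID-PLACEHOLDER',  # placeholder, see lead-in
        [int]$LowKeyLifeSeconds = 300                            # warn below this many seconds
    )
    $vpn = New-Object -ComObject $ProgId

    foreach ($name in @($vpn.GetTunnelList())) {
        $connected = [bool]$vpn.IsConnected($name)
        $idle = if ($connected) { [bool]$vpn.IsIdle($name) } else { $false }

        $secs = 0
        $kbytes = 0
        if ($connected) {
            # pSecs and pKBytes are output parameters, hence [ref]
            $null = $vpn.GetRemainingKeyLife($name, [ref]$secs, [ref]$kbytes)
        }

        [pscustomobject]@{
            Tunnel         = $name
            Connected      = $connected
            Idle           = $idle
            KeyLifeSeconds = $secs
            KeyLifeKBytes  = $kbytes
            # Only meaningful when the tunnel is up and time-based key life applies
            KeyLifeLow     = ($connected -and $secs -gt 0 -and $secs -lt $LowKeyLifeSeconds)
        }
    }
}

function Disconnect-IdleFortiClientTunnels {
    # Tear down tunnels that are up but idle, using Disconnect() from the table.
    param([string]$ProgId = 'FortiClient.VPN.PROGID-PLACEHOLDER')  # placeholder
    $vpn = New-Object -ComObject $ProgId
    foreach ($t in Get-FortiClientTunnelStatus -ProgId $ProgId) {
        if ($t.Connected -and $t.Idle) {
            $vpn.Disconnect($t.Tunnel)
            Write-Verbose "Disconnected idle tunnel $($t.Tunnel)"
        }
    }
}

Get-FortiClientTunnelStatus | Format-Table -AutoSize
```

The report never calls SendXAuthResponse. A script that does automate XAuth should pass False for savePassword unless there is a specific reason to persist the credential on the endpoint, since a saved password is reusable by anyone who can drive the COM object on that machine.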

Application Firewall

FortiClient can recognize the traffic generated by a large number of applications. You can create rules to block or allow this traffic per category or per application.

Enable/disable Application Firewall

The administrator enables the application firewall feature by using a FortiClient profile. The FortiClient profile includes the application firewall configuration.

The FortiClient Endpoint Control feature enables the site administrator to distribute an Application Control sensor from FortiGate/EMS.

On the FortiGate, the process is as follows:

  • Create an Application Sensor and Application Filter on the FortiGate.
  • Add the Application Sensor to the FortiClient Profile on the FortiGate.

On EMS, the application firewall is part of the endpoint profile.

For more information on configuring application control security profiles, see the FortiOS Handbook -The Complete Guide to FortiOS available in the Fortinet Document Library.

View application firewall profiles

To view the application firewall profile, select Show all.


View blocked applications

To view blocked applications, select the Applications Blocked link in the FortiClient console. This page lists all applications blocked in the past seven days, including the count and time of last occurrence.

Compliance

The Compliance tab displays whether FortiClient Telemetry is connected to FortiGate or EMS.

When FortiClient Telemetry is connected to FortiGate, the Compliance tab displays whether FortiClient and the endpoint device are compliant with the compliance rules defined by FortiGate. When FortiClient and/or the endpoint device are not compliant, the Compliance tab displays information about how FortiClient and the endpoint device can be returned to a status of compliant.

You can also use the Compliance tab to connect FortiClient Telemetry to FortiGate/EMS and disconnect FortiClient Telemetry from FortiGate/EMS.

Enable compliance

For FortiClient in standalone mode, the Compliance tab is not used.

For FortiClient in managed mode, an administrator enables and disables endpoint compliance by using FortiGate. When endpoint compliance is enabled, FortiClient must be installed on endpoint devices, and FortiClient Telemetry must be connected to FortiGate. When FortiClient Telemetry is connected, the FortiClient endpoint receives a profile from FortiGate that contains the compliance rules and optionally some FortiClient configuration information.

If FortiGate is integrated with EMS, the FortiClient endpoint might also receive a profile from EMS that contains FortiClient configuration information.

Connect FortiClient Telemetry manually

On endpoints, FortiClient Telemetry must be connected to FortiGate to use the compliance feature. Alternately, FortiClient Telemetry can be connected to EMS, but you cannot use the compliance feature when FortiClient Telemetry is connected to EMS.

If FortiClient Telemetry was not automatically connected after FortiClient installation, you can manually connect FortiClient Telemetry to FortiGate/EMS.

To manually connect FortiClient Telemetry:

  1. Go to the Compliance tab.
  2. In the FortiGate IP box, type the IP address or URL of FortiGate or EMS, and click Connect.

FortiClient Telemetry connects to FortiGate/EMS, and FortiClient downloads a profile from FortiGate/EMS.

Disconnect FortiClient Telemetry

You must disconnect FortiClient Telemetry from FortiGate/EMS to connect to another FortiGate/EMS or to uninstall FortiClient.

To disconnect FortiClient Telemetry:

  1. On the Compliance tab, click the Click to Disconnect link. A confirmation dialog box is displayed.
  2. Click Yes to disconnect FortiClient from FortiGate/EMS.

After you disconnect FortiClient Telemetry from FortiGate/EMS, FortiClient Telemetry automatically connects with the FortiGate/EMS when you re-join the network. See also Forget gateway IP addresses on page 60.

View compliance status

Information available on the Compliance tab depends on whether FortiClient is running in standalone mode or managed mode. In managed mode, the information displayed on the Compliance tab also depends on whether FortiClient Telemetry is connected to FortiGate or FortiClient EMS.

When FortiClient Telemetry is connected to EMS and the feature is enabled in EMS, a picture of the endpoint user might display on the Compliance tab. FortiClient displays the picture that is defined for the Windows operating system on the endpoint device. If FortiClient cannot find a picture defined for the Windows operating system on the endpoint device, no picture is displayed on the Compliance tab.

Standalone mode

When FortiClient is running in standalone mode, the Compliance tab is not used. The Compliance tab is labeled Not Participating. The unlocked icon at the bottom left of the screen indicates that settings in FortiClient console are unlocked, and the endpoint user can change them.

If you want to use the compliance feature, you must connect FortiClient Telemetry to FortiGate.

View compliance

The Compliance tab displays the following information:

FortiGate IP Type the IP address or URL of FortiGate/EMS, and click Connect to connect FortiClient Telemetry.
Unlocked icon Indicates that the settings in FortiClient console are unlocked and can be changed.

FortiClient Telemetry connected to EMS

When FortiClient Telemetry is connected to EMS, compliance is not enforced. The Compliance tab is labeled Connected to EMS. The locked icon at the bottom left of the screen indicates that settings in the FortiClient console are locked by EMS. EMS controls the settings by pushing a profile to FortiClient.

The Compliance tab displays the following information:

Compliance status Indicates that the compliance enforcement feature requires FortiClient Telemetry connection to FortiGate.
FortiClient EMS information Displays the name and IP address of the EMS to which FortiClient Telemetry is connected. You can disconnect by clicking the Click to Disconnect link, view details about the endpoint device by clicking the View Details link, and view the gateway IP list that FortiClient is using for FortiClient Telemetry connection by clicking the Show IP List That This FortiClient is Sending Telemetry Data to link.
FortiClient Telemetry information Displays how often FortiClient Telemetry communicates with FortiClient EMS and when the next communication will occur. FortiClient Telemetry also downloads FortiClient configuration information from EMS.
Locked icon Indicates that the settings in FortiClient console are locked by EMS. You can change the settings by using a profile in EMS.

FortiClient Telemetry connected to FortiGate

When FortiClient Telemetry is connected to FortiGate, network access compliance is enforced. The locked icon at the bottom left of the screen indicates one of the following statuses:

  • The settings in the FortiClient console are locked by the profile from EMS. In this case, FortiGate is integrated with EMS, and the non-compliance action in FortiGate is set to block or warn. FortiGate provides the compliance rules, and EMS provides the profile of FortiClient settings.
  • The settings in the FortiClient console are unlocked. In this case, FortiGate provides the compliance rules, and the non-compliance action in FortiGate is set to auto-update. You can change the FortiClient settings unrelated to the compliance rules.

In the following example, FortiClient Telemetry is connected to FortiGate, but EMS provides the profile of FortiClient settings. The settings are locked by EMS.

In the following example, FortiClient Telemetry is connected to FortiGate, and a profile is not provided by EMS. The settings are locked by FortiGate.

View compliance

The Compliance tab displays the following information:

Compliance status Displays the compliance status of the computer on which FortiClient is installed. The computer is either compliant or not compliant with FortiGate.
FortiGate information Displays the name and IP address of the FortiGate to which FortiClient Telemetry is connected. You can perform the following actions:

  • Disconnect FortiClient Telemetry by clicking the Click to Disconnect link.
  • View details about the endpoint device by clicking the View Details link.
  • View compliance rules from FortiGate by clicking the Show Compliance Rules From <FortiGate> link.
  • View the gateway IP list being used for FortiClient Telemetry connection by clicking the Show IP List That This FortiClient is Sending Telemetry Data to link.

FortiClient Telemetry information Displays how often FortiClient Telemetry communicates with FortiGate and when the next communication will occur. FortiClient Telemetry communicates information between FortiClient and FortiGate, sending status information to FortiGate and receiving network-access rules and possibly some FortiClient configuration information from FortiGate. When FortiGate is integrated with EMS, notification information is also sent to EMS. Depending on the FortiGate settings, EMS might also send FortiClient configuration information to FortiClient.

Monitoring Displays whether the endpoint is monitored by EMS.
Locked or unlocked icon Indicates whether the settings in FortiClient console are locked or unlocked.

View user details

You can view user details when FortiClient is compliant with FortiGate rules. You cannot view user details when FortiClient is not compliant with FortiGate rules.

To view user details:

  1. On the Compliance tab, view the name of the user beside the View Details link.
  2. Click the View Details link to view the following information:
     Online/offline Displays whether the endpoint device is online or offline. A green icon indicates the endpoint is online.
     Off-Net/On-Net Displays whether the endpoint device is on-net or off-net. A green On-Net icon indicates the endpoint is on-net.
     Username Displays the name of the user logged into FortiClient on the endpoint.
     Hostname Displays the name of the device on which FortiClient is installed.
     Domain Displays the name of the domain to which the endpoint device is connected, if applicable.
  3. Click the X to close the dialog box.

View gateway IP lists

You can view the following gateway IP lists in FortiClient:

  • Gateway IP List

The Gateway IP list is created by administrators. Endpoint users cannot change the list. For more information, see Telemetry Gateway IP Lists on page 31.

  • Local Gateway IP List

The Local Gateway IP list is created by endpoint users. It is the list of remembered FortiGate/EMS devices. When FortiClient Telemetry is connected for the first time, you can choose to remember the gateway IP address. See Remember gateway IP addresses on page 52.

The gateway IP lists are used to automatically connect FortiClient Telemetry to FortiGate/EMS.

To view gateway IP lists:

  1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.

The Gateway IP List and the Local Gateway IP List are displayed.

  2. Click X to close the list.

Forget gateway IP addresses

When you instruct FortiClient to forget an IP address for FortiGate/EMS, FortiClient Telemetry will not use the IP address to automatically connect to FortiGate/EMS when re-joining the network.

To forget FortiGate/EMS:

  1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.
  2. In the Local Gateway IP List, click Forget beside the gateway IP addresses that you no longer want FortiClient to remember.
  3. Click X to close the list.

Fix not compliant status

You can maintain compliance by ensuring that FortiClient software is configured to meet the requirements specified in the compliance rules defined by the FortiGate to which FortiClient Telemetry is connected. FortiGate might also require the endpoint device to run a specific version of FortiClient or operating system software.

When FortiClient displays a status of Not-Compliant, you can take actions that will make FortiClient compliant with FortiGate again.

View not-compliant status

When a FortiClient endpoint does not comply with the FortiGate compliance rules, the Compliance tab displays a status of Not-Compliant.

 


The following information is displayed on the Compliance tab:

This computer is Not Compliant with Displays the name and IP address of the FortiGate to which FortiClient Telemetry is connected. You can view the compliance rules by clicking the Show Compliance Rules from <FortiGate> link.
Vulnerability Scan Displays critical vulnerabilities found for the endpoint when detected. You must fix the critical vulnerabilities to return to compliant status by clicking Fix Now. You can also click the Details link to view details about the vulnerabilities.
Software Out of Date Displays whether FortiClient software is outdated. You must upgrade to the specified FortiClient version to return to compliant status by clicking Update Now.
System Compliant Displays whether the operating system of the endpoint complies with FortiGate rules. You must use the specified operating system to return to compliant status. You can view the allowed operating systems by clicking the Details link.
Fix All Click to fix all reported issues. This option is available when the non-compliance setting in FortiGate is set to block or warn, and EMS has not provided a profile to the FortiClient endpoint. This option is not available when the non-compliance setting in FortiGate is set to auto-update.

If the Fix All link is not displayed, contact your administrator to help adjust the FortiClient Console and computer settings to remain in compliance with FortiGate.

View compliance rules

When FortiClient Telemetry is connected to FortiGate, you can view the compliance rules from FortiGate. The compliance rules communicate the settings required on FortiClient console for the FortiClient endpoint to remain compliant.


To view compliance rules:

  1. On the Compliance tab, click the Show Compliance Rules From <FortiGate> link.

The compliance rules from FortiGate are displayed.

  2. Click Close to return to the Compliance tab.

Fix now

Issues that caused a not-compliant status can be fixed to return FortiClient endpoints to a compliant status. When available, you can click the Update Now, Fix Now, or Fix All links on the Compliance tab to return FortiClient endpoints to compliant status.

When FortiClient has a not compliant status and the Update Now, Fix Now, or Fix All links are not displayed, endpoint users should contact their system administrator for help with configuring the endpoint and FortiClient Console to remain in compliance with FortiGate.

What links are available depends on the configuration of FortiGate and EMS. The following table summarizes when links are available:

Configuration: FortiGate
  Compliance Rules: Yes
  FortiClient Configuration: No
  Options: FortiClient settings are unlocked. Click Update Now, Fix Now, and Fix All links when available.

Configuration: FortiGate integrated with EMS
  Compliance Rules: Yes
  FortiClient Configuration: No
  Options: FortiClient settings are unlocked. Click Update Now, Fix Now, and Fix All links when available.

Configuration: FortiGate integrated with EMS
  Compliance Rules: Yes
  FortiClient Configuration: Yes
  Options: FortiClient settings are locked by EMS. Use EMS to update the profile that contains the FortiClient configuration to meet the requirements of the compliance rules.

To fix now:

  1. On the Compliance tab, perform one of the following options:

     • Click Fix All.
     • Click Update Now.
     • Click Fix Now.

The non-compliance issues are fixed, and the FortiClient endpoint returns to a status of compliant.

  2. If the Fix All, Update Now, or Fix Now links are not displayed on the Compliance tab, contact your system administrator for help with changing the endpoint and FortiClient Console settings.

Examples of blocked FortiClient endpoints

FortiClient endpoint access to the network can be blocked a number of ways. The following table provides examples of how FortiClient endpoints can be blocked from accessing the network and how to regain access.

Configuration: Endpoint control is enabled on FortiGate. FortiClient Telemetry is connected to FortiGate.
  Failure: FortiClient configuration fails to meet the compliance rules specified by FortiGate.
  Blocked By: FortiClient
  Solution: View the Compliance tab in the FortiClient console, and follow the instructions to configure FortiClient to meet the compliance rules specified by FortiGate.

Configuration: Endpoint control is enabled on FortiGate. FortiClient Telemetry is not connected to FortiGate.
  Failure: FortiClient Telemetry is not connected.
  Blocked By: FortiGate
  Solution: In the FortiClient console, connect FortiClient Telemetry to FortiGate.

View notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the notifications icon will change from gray to yellow.

Event notifications include:

 


  • Antivirus events, including scheduled scans and detected malware.
  • Endpoint Control events, including configuration updates received from FortiGate.
  • WebFilter events, including blocked web site access attempts.
  • System events, including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

To view notifications:

  1. In FortiClient Console, click the Notifications icon in the top-right corner. The list of notifications is displayed.
  2. Click Close to close the list.

FortiClient Telemetry Connection

In managed mode, FortiClient uses a gateway IP address to connect FortiClient Telemetry to FortiGate or FortiClient EMS. For more information, see Telemetry Gateway IP Lists on page 31.

How FortiClient locates FortiGate/EMS

FortiClient uses the following methods in the following order to automatically locate FortiGate/EMS for Telemetry connection:

  • Telemetry Gateway IP List

FortiClient Telemetry searches for IP addresses in its subnet in the Gateway IP list. It connects to the FortiGate in the list that is also in the same subnet as the host system.

If FortiClient cannot find any FortiGates in its subnet, it will attempt to connect to the first reachable FortiGate in the list, starting from the top. The order of the list is maintained as it was configured in the Gateway IP list.

  • Remembered gateway IP list

You can configure FortiClient to remember gateway IP addresses when you connect Telemetry to FortiGate/EMS. Later, FortiClient can use the remembered IP addresses to automatically connect Telemetry to FortiGate/EMS.

  • Default gateway IP address

The default gateway IP address is specified on the FortiClient endpoint and is used to automatically connect to FortiGate. This method does not support connection to EMS.

FortiClient obtains the default gateway IP address from the operating system on the endpoint device. The default gateway IP address of the endpoint device should be the IP address for the FortiGate interface with Telemetry enabled.

If FortiClient is unable to automatically locate a FortiGate/EMS on the network for Telemetry connection, you can use the following methods to manually connect Telemetry to FortiGate/EMS:

  • Type the gateway IP address of FortiGate/EMS. See Connect FortiClient Telemetry manually on page 54.

FortiClient uses the same process to connect Telemetry to FortiGate/EMS after the FortiClient endpoint reboots, rejoins the network, or encounters a network change.
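The PowerShell function below is an added example, not FortiClient's own logic, that models the search order described in this section so an administrator can predict which gateway an endpoint will pick from a given Gateway IP List, Local Gateway IP List and default gateway. Two details the guide does not spell out are assumptions here: reachability is probed for the remembered-list and default-gateway candidates as well as for the "first reachable" rule, and the probe is injected as a scriptblock (ICMP via Test-Connection by default) so the selection can be exercised offline. The sample lists and addresses are constructed.

```powershell
# Added example (not FortiClient code): model of the automatic Telemetry gateway
# search order. ASSUMPTIONS: reachability is probed for every candidate except
# the same-subnet rule; the probe is a scriptblock so it can be stubbed offline.

function ConvertTo-UInt32Address([string]$Address) {
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    [Array]::Reverse($bytes)                     # BitConverter reads little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-SameSubnet([string]$A, [string]$B, [int]$PrefixLength) {
    # Build a /PrefixLength mask and compare the network parts of both addresses.
    $mask = [uint32]::MaxValue - [uint32]([math]::Pow(2, 32 - $PrefixLength) - 1)
    return (((ConvertTo-UInt32Address $A) -band $mask) -eq ((ConvertTo-UInt32Address $B) -band $mask))
}

function Select-TelemetryGateway {
    param(
        [Parameter(Mandatory)][string]$HostAddress,
        [Parameter(Mandatory)][int]$PrefixLength,
        [string[]]$GatewayIpList = @(),        # administrator's Gateway IP List, in configured order
        [string[]]$RememberedGateways = @(),   # Local Gateway IP List (remembered at connect time)
        [string]$DefaultGateway,               # from the OS; FortiGate only, never EMS
        [scriptblock]$IsReachable = { param($ip) Test-Connection -ComputerName $ip -Count 1 -Quiet }
    )
    # 1a. Gateway IP List: an entry in the host's own subnet wins outright.
    foreach ($gw in $GatewayIpList) {
        if (Test-SameSubnet $HostAddress $gw $PrefixLength) {
            return [pscustomobject]@{ Gateway = $gw; Method = 'Gateway IP List (same subnet)' }
        }
    }
    # 1b. Otherwise the first reachable entry, top to bottom, in configured order.
    foreach ($gw in $GatewayIpList) {
        if (& $IsReachable $gw) {
            return [pscustomobject]@{ Gateway = $gw; Method = 'Gateway IP List (first reachable)' }
        }
    }
    # 2. Remembered gateway IP list (assumption: probed in stored order).
    foreach ($gw in $RememberedGateways) {
        if (& $IsReachable $gw) {
            return [pscustomobject]@{ Gateway = $gw; Method = 'Remembered gateway' }
        }
    }
    # 3. Default gateway of the endpoint (FortiGate only).
    if ($DefaultGateway -and (& $IsReachable $DefaultGateway)) {
        return [pscustomobject]@{ Gateway = $DefaultGateway; Method = 'Default gateway' }
    }
    return $null   # nothing located: the user must connect Telemetry manually
}

# Constructed sample: host 10.1.20.15/24. The admin list puts an off-subnet
# address first, but the in-subnet FortiGate is chosen before any probe runs.
$reachable = @('203.0.113.10', '10.1.20.1')
Select-TelemetryGateway -HostAddress '10.1.20.15' -PrefixLength 24 `
    -GatewayIpList @('203.0.113.10', '10.1.20.1') `
    -RememberedGateways @('198.51.100.7') -DefaultGateway '10.1.20.254' `
    -IsReachable { param($ip) $reachable -contains $ip }
```

With the stub probe the call returns 10.1.20.1 with the method "Gateway IP List (same subnet)"; removing that entry from the list makes the function fall through to 203.0.113.10 under the "first reachable" rule, which is the ordering behaviour the section describes.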


Connect FortiClient Telemetry after installation

After FortiClient software installation completes on an endpoint, FortiClient automatically launches and searches for a FortiGate or FortiClient EMS for FortiClient Telemetry connection. See also How FortiClient locates FortiGate/EMS on page 51.

When FortiClient locates a FortiGate or EMS, the FortiGate Detected or Enterprise Management Server (EMS) Detected dialog box is displayed.

The following options are available:

Endpoint User Displays the name of the endpoint user that is logged into the endpoint device.
Logged into Domain Displays the name of domain if applicable.
Hostname Displays the name of the endpoint device.
Profile Details Click to display details of the profile that FortiClient will download after you accept connection to FortiGate/EMS. See also FortiClient profiles on page 29.
Remember this FortiGate Select for FortiClient to remember the gateway IP address of the FortiGate/EMS to which you are connecting Telemetry. See also Remember gateway IP addresses on page 52.

Click Accept to connect FortiClient Telemetry to the identified FortiGate/EMS. Alternately, you can click Cancel to launch FortiClient software without connecting FortiClient Telemetry. FortiClient launches in standalone mode. You can manually connect FortiClient Telemetry later.

After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient downloads a profile from FortiGate/EMS. A system tray bubble message will be displayed once the profile download is complete.

Remember gateway IP addresses

When you confirm Telemetry connection to a FortiGate/EMS, you can instruct FortiClient to remember the gateway IP address of the FortiGate/EMS. If a connection key is required, FortiClient remembers the connection password too. FortiClient can remember up to 20 gateway IP addresses for FortiGate/EMS.

The remembered IP addresses display in the Local Gateway IP list. FortiClient can use the remembered gateway IP addresses to automatically connect to FortiGate/EMS.

See also Forget gateway IP addresses on page 60.

To remember FortiGate/EMS:

  1. In the FortiGate/EMS Detected dialog box, select the Remember this FortiGate or Remember this EMS (not shown) check box.
  2. Click Accept.

FortiClient remembers the IP address and password, if applicable.

 

Deploy FortiClient using EMS

You can use FortiClient EMS to deploy FortiClient (Windows) in managed mode to devices in your network that are running a supported Windows operating system. For installation information, see the FortiClient EMS Administration Guide.

An upgrade schedule dialog box is displayed in advance when FortiClient is deployed from EMS to endpoints running a Windows operating system. If FortiClient is not already installed on the endpoint, the installation requires no reboot and no upgrade schedule dialog box is displayed. The user can postpone the reboot for a maximum of 24 hours. Before the mandatory reboot occurs, a FortiClient dialog box is displayed with a 15-minute warning.

Upgrade FortiClient

For information about supported upgrade paths for FortiClient, see the FortiClient Release Notes.

 

Deploy FortiClient using Microsoft Active Directory servers

There are multiple ways to deploy FortiClient to endpoint devices including using Microsoft Active Directory (AD).


The following instructions are based on Microsoft Windows Server 2008. If you are using a different version of Microsoft Server, your MMC or snap-in locations may be different.

Using Microsoft AD to deploy FortiClient:

  1. On your domain controller, create a distribution point.
  2. Log on to the server computer as an administrator.
  3. Create a shared network folder where the FortiClient MSI installer file will be distributed from.
  4. Set file permissions on the share to allow access to the distribution package. Copy the FortiClient MSI installer package into this share folder.
  5. Select Start > Administrative Tools > Active Directory Users and Computers.
  6. After selecting your domain, right-click to select a new Organizational Unit (OU).
  7. Move all the computers you wish to distribute the FortiClient software to into the newly-created OU.
  8. Select Start > Administrative Tools > Group Policy Management. The Group Policy Management MMC snap-in opens. Select the OU you just created, right-click it, and select Create a GPO in this domain, and Link it here. Give the new GPO a name, then select OK.
  9. Expand the Group Policy Object container and find the GPO you just created. Right-click the GPO and select Edit. The Group Policy Management Editor MMC Snap-in will open.
  10. Expand Computer Configuration > Policies > Software Settings. Right-click Software Settings and select New > Package.
  11. Select the path of your distribution point and FortiClient installer file and then select Open. Select Assigned and select OK. The package will then be generated.
  12. If you wish to expedite the installation process, on both the server and client computers, force a GPO update.
  13. The software will be installed on the client computer’s next reboot. You can also wait for the client computer to poll the domain controller for GPO changes and install the software then.

Uninstall FortiClient using Microsoft Active Directory server:

  1. On your domain controller, select Start > Administrative Tools > Group Policy Management. The Group Policy Management MMC Snap-in will open. Expand the Group Policy Objects container and right-click the Group Policy Object you created to install FortiClient and select Edit. The Group Policy Management Editor will open.
  2. Select Computer Configuration > Policies > Software Settings > Software Installation. The package that was used to install FortiClient is listed.
  3. Right-click the package and select All Tasks > Remove. Choose Immediately uninstall the software from users and computers, or Allow users to continue to use the software but prevent new installations. Select OK. The package is deleted.
  4. If you wish to expedite the uninstall process, on both the server and client computers, force a GPO update as shown in the previous section. The software will be uninstalled on the client computer’s next reboot. You can also wait for the client computer to poll the domain controller for GPO changes and uninstall the software then.

Install FortiClient as part of cloned disk images

If you configure computers using a cloned hard disk image, you need to remove the unique identifier from the FortiClient application. You will encounter problems with FortiGate if you deploy multiple FortiClient applications with the same identifier.

This section describes how to include a custom FortiClient installation in a cloned hard disk image but remove its unique identifier. On each computer configured with the cloned hard disk image, the FortiClient application will generate its own unique identifier the first time the computer is started.

To include a FortiClient installation in a hard disk image:

  1. Install and configure the FortiClient application to suit your requirements. You can use a standard or a customized installation package.
  2. Right-click the FortiClient icon in the system tray and select Shutdown FortiClient.
  3. From the folder where you expanded the FortiClientTools.zip file, run RemoveFCTID.exe. The RemoveFCTID tool requires administrative rights.
  4. Shut down the computer.

Do not reboot the Windows operating system on the computer before you create the hard disk image. The FortiClient identifier is created before you log on.

  5. Create the hard disk image and deploy it as needed.

FortiClient Provisioning

FortiClient can be installed on a standalone computer using the installation wizard or deployed to multiple Microsoft Windows systems by using Microsoft Active Directory (AD).

You can use FortiClient EMS to deploy FortiClient to multiple Microsoft Windows systems. For information, see the FortiClient EMS Administration Guide.

This chapter contains the following sections:

  • Install FortiClient on computers
  • Install FortiClient on infected systems
  • Install FortiClient as part of cloned disk images
  • Deploy FortiClient using Microsoft Active Directory servers

For information on customizing your FortiClient installation, see Custom FortiClient Installations.

Download FortiClient installation files

The FortiClient installation files can be downloaded from the following sites:

Requires a support account with a valid support contract. Download either the Microsoft Windows (32-bit/64bit) or the Mac OS X installation file.

Download the FortiClient online installation file. The installer file performs a virus and malware scan of the target system prior to installing FortiClient.

Download the FortiClient online installation file. On this page you can download the latest version of FortiClient for Microsoft Windows and Mac OS X, and link to the iOS, and Android versions.

Install FortiClient on computers

The following section describes how to install FortiClient on a computer that is running a Microsoft Windows or Apple Mac operating system.

Microsoft Windows computer

The following instructions will guide you through the installation of FortiClient on a Microsoft Windows computer. For more information, see the FortiClient (Windows) Release Notes.

When installing FortiClient, it is recommended to use the FortiClientOnlineInstaller file. This file will launch the FortiClient Virus Cleaner which will scan the target system prior to installing the FortiClient application.


To check the digital signature of FortiClient, right-click on the installation file and select Properties. In this menu you can set file attributes, run the compatibility troubleshooter, view the digital signature and certificate, install the certificate, set file permissions, and view file details.
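The Properties dialog described above is a manual check. For an administrator who stages the installer once and then pushes it to many endpoints, the same check can be scripted so that an unsigned or re-signed file is rejected before it is ever executed. The following PowerShell is an added example and is not part of the FortiClient guide or Fortinet's tooling; the installer path and the expected signer subject are placeholders you must replace with values taken from a copy you have already verified by hand.

```powershell
# Added example (not from the FortiClient guide): verify the Authenticode
# signature of a downloaded FortiClient installer before running or deploying it.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,      # assumed path to the downloaded installer
        [Parameter(Mandatory)] [string] $ExpectedSubject     # signer subject captured from a hand-verified copy
    )

    if (-not (Test-Path -Path $InstallerPath)) {
        Write-Error "Installer not found: $InstallerPath"
        return $false
    }

    # Get-AuthenticodeSignature validates the signature and the chain to a
    # trusted root. A Status of 'Valid' only says the file is signed by *some*
    # trusted publisher, so the signer subject is compared as a second step.
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath

    if ($sig.Status -ne 'Valid') {
        Write-Error "Signature status is '$($sig.Status)' for $InstallerPath; do not run this file."
        return $false
    }

    $subject = $sig.SignerCertificate.Subject
    if ($subject -ne $ExpectedSubject) {
        Write-Error "Signer subject '$subject' does not match the expected subject '$ExpectedSubject'."
        return $false
    }

    # Record the SHA-256 so every endpoint receives exactly this artifact and the
    # value can be kept with the deployment record.
    $hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    Write-Output "OK: $InstallerPath is signed by '$subject'"
    Write-Output "SHA256: $hash"
    return $true
}

# Example usage; both values are placeholders for this example.
$ok = Test-InstallerSignature `
    -InstallerPath 'C:\Staging\FortiClientOnlineInstaller.exe' `
    -ExpectedSubject 'CN=<signer subject copied from a verified installer>'

if (-not $ok) { exit 1 }
```

Run this from the machine where the installer was downloaded, before copying it to a share used for Active Directory deployment. Capture `$ExpectedSubject` by running `(Get-AuthenticodeSignature 'path').SignerCertificate.Subject` once on a copy whose certificate you have inspected in the Properties dialog; after that, any installer whose subject or signature status differs is refused automatically.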

To install FortiClient (Windows):

  1. Double-click the FortiClient executable file. The Setup Wizard

When using the FortiClient Online Installer file, the FortiClient Virus Cleaner will run before launching the Setup Wizard.

If a virus is found that prevents the infected system from downloading the new FortiClient package, see Install FortiClient on infected systems on page 47.

  2. In the Welcome screen, read the license agreement, select the Yes, I have read and accept the license checkbox, and select Next to continue. The Choose Setup Type screen is displayed.

You can read the license agreement by clicking the License Agreement button. You have the option to print the EULA in this License Agreement screen.

  3. Select one of the following setup types:

  • Complete: All Endpoint Security and VPN components will be installed.
  • VPN Only: Only VPN components (IPsec and SSL) will be installed.

  4. Select Next to continue. The Destination Folder screen is displayed.
  5. Select Change to choose an alternate folder destination for installation.
  6. Select Next to continue.

FortiClient will search the target system for other installed antivirus software. If found, FortiClient will display the Conflicting Antivirus Software page. You can either exit the current installation and uninstall the antivirus software, disable the antivirus feature of the conflicting software, or continue with the installation with FortiClient real-time protection disabled.

This dialog box is displayed during a new installation of FortiClient and when upgrading from an older version of FortiClient, which does not have the antivirus feature installed.

It is recommended to uninstall the conflicting antivirus software before installing FortiClient or enabling the antivirus real-time protection feature. Alternatively, you can disable the antivirus feature of the conflicting software.

  7. Select Next to continue.
  8. Select Install to begin the installation.
  9. Select Finish to exit the FortiClient Setup Wizard.

On a new FortiClient installation, you do not need to reboot your system. When upgrading the FortiClient version, you must restart your system for the configuration changes made to FortiClient to take effect. Select Yes to restart your system now, or select No to manually restart later.

FortiClient will update signatures and components from the FortiGuard Distribution Network (FDN).

  10. FortiClient will attempt to connect FortiClient Telemetry to the FortiGate.

If the FortiGate cannot be located on the network, manually connect FortiClient Telemetry. See Connect FortiClient Telemetry manually on page 54.

  11. To launch FortiClient, double-click the desktop shortcut icon.

Microsoft Server

You can install FortiClient on a Microsoft Windows Server 2008 R2, 2012, or 2012 R2 server. You can use the regular FortiClient Windows image for Server installations.

Please refer to the Microsoft knowledge base for caveats on installing antivirus software in a server environment. See the Microsoft Anti-Virus exclusion list: http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx


Mac OS X computer

The following instructions will guide you through the installation of FortiClient on a Mac OS X computer. For more information, see the FortiClient (Mac OS X) Release Notes.

To install FortiClient (Mac OS X):

  1. Double-click the FortiClient .dmg installer file to launch the FortiClient installer. The FortiClient Installer will install FortiClient on your computer. Select Continue.
  2. Select the lock icon in the upper right corner to view certificate details.
  3. Read the Software License Agreement and select Continue. You have the option to print or save the Software Agreement in this window. You will be prompted to Agree with the terms of the license agreement.
  4. Select the destination folder for the installation.
  5. Select Install to perform a standard installation on this computer. You can change the install location from this screen.
  6. Depending on your system, you may be prompted to enter your system password.
  7. After the installation completes successfully, select Close to exit the installer.
  8. FortiClient has been saved to the Applications
  9. Double-click the FortiClient icon to launch the application. The application console loads to your desktop. Select the lock icon in the FortiClient console to make changes to the FortiClient configuration.

Install FortiClient on infected systems

The FortiClient installer always runs a quick antivirus scan on the target host system before proceeding with the complete installation. If the system is clean, installation proceeds as usual.

Any virus found during this step is quarantined before installation continues.

In case a virus on an infected system prevents downloading of the new FortiClient package, use the following process:


  • Boot into “safe mode with networking” (which is required for the FortiClient installer to download the latest signature packages from the Fortinet Distribution Network).
  • Run the FortiClient installer.

This scans the entire file system. A log file is generated in the logs sub-directory. If a virus is found, it will be quarantined. When complete, reboot back into normal mode and run the FortiClient installer to complete the installation.

Microsoft Windows will not allow FortiClient installation to complete in safe mode. An error message will be generated. It is necessary to reboot back into normal mode to complete the installation.