End Point Management

Endpoint Management

The purpose of this section is to provide basic instructions on how to configure, deploy, and manage FortiClient configurations from your FortiGate device or EMS.

Configure endpoint management

With FortiClient 5.4 and newer, configuration and management of endpoints can be handled by a FortiGate device or FortiClient EMS.

You can configure your FortiGate device or EMS to discover new devices on the network, enforce FortiClient registration, and deploy pre-configured profiles to connected devices. Multiple profiles can be configured.

The FortiClient profile consists of the following sections:

  • Antivirus Protection l Web Category Filtering

You can select the web filtering security profile to associate with the FortiClient profile. You can also select to enable Web Filtering when the client is protected by the FortiGate/EMS (On-Net).

  • VPN

Select to enable client VPN provisioning. You can specify the VPN name, type, gateway and other settings the client will use to connect to your FortiGate device via the VPN connection. Two-factor authentication is configured in the FortiGate VPN configuration.

  • Application Firewall

You can select the application control sensor to associate with the FortiClient profile.

  • Endpoint Vulnerability on Client

You can select to scan daily, weekly or monthly. You can also select to scan the client after registration with your FortiGate device. Vulnerability Scan must be enabled via the CLI in order for it to be displayed in the FortiClient Profile.

  • Upload logs to FortiAnalyzer/FortiManager

You can select to use the same IP address as the FortiGate device or specify a different device IP address. You can specify the frequency of the log upload. FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer/FortiManager.

  • Use FortiManager for client software/signature update

Select to enable this feature and enter the IP address of your FortiManager device. You can select to failover over to the FortiGuard Distribution Network (FDN) when the FortiManager is not available.

  • Dashboard Banner

You can select to display or hide the FortiClient advertisement banner. FortiClient ads are downloaded from the FortiGuard Distribution Servers.

Select if profile details may be displayed before endpoint control registration is completed.

  • Client-based Logging when On-Net

Select to enable client-based logging when protected by the FortiGate/EMS (On-Net).

See the FortiOS Handbook or the FortiClient EMS Administration Guide for more information on configuring your device, .

FortiGate

Configure endpoint management on the FortiGate device:

  1. Enable device management and broadcast discovery messages.
    1. Go to Network > Interfaces, select the applicable interface, then select Edit in the toolbar.
    2. On the Edit Interface page you can select to enable Detect and Identify Devices.
    3. To enable Broadcast Discovery Messages (optional) you must first enable FCT-Access under Administrative Access.
    4. Select OK to save the setting.

Broadcast Discovery Messages is an optional configuration. When enabled, the FortiGate will broadcast messages to your network, allowing client connections to discover the FortiGate for FortiClient registration. Without this feature enabled, the user will enter the IP address or URL of the FortiGate to complete registration.

  1. Configure the following settings:
Administrative Access Select the checkbox for FCT-Access. This option is available for both IPv4 and IPv6 Administrative Access.
Security Mode Select None or Captive Portal. When selecting Captive Portal, users are forwarded to a captive portal where they need to enter their username and password to authenticate with the FortiGate. You can customize the portal message and specify user groups.

This option is available when Addressing mode is set to Manual.

Device Management  
Detect and

Identify Devices

Select to detect and identify devices on the selected interface.
Broadcast

Discovery

Messages

Once enabled, the FortiGate unit broadcasts a discovery message that includes the IP address of the interface and listening port number to the local network. All PCs running FortiClient on that network listen for this discovery message.

This option is available when FCT-Access is enabled.

  1. When configuring FortiClient access on an internal interface, you can select to send users to a captive portal.
Security Mode Select Captive Portal from the drop-down list
Authentication Portal Select either Local or External. When selecting External, you can specify the link path.
User Groups Select user groups from the drop-down list.

FortiClient does not support nested groups in FortiOS.

Exempt List Select an exempt list from the drop-down list.
Customize Portal Messages Enable and select the edit icon to edit the portal replacement message.

Configure the FortiClient profile:

  1. To configure the FortiClient profile, go to Security Profiles > FortiClient Profiles. You can edit the default profile or create a new FortiClient profile.
  2. Configure the following settings:

 

Toolbar Options FortiClient Profile page

Select Create New to create a new FortiClient profile. Select a profile in the list and select Edit to edit the FortiClient Profile. Select a profile in the list and select Delete to delete the

FortiClient Profile.

Edit FortiClient Profile page

Select the create new icon to create a new FortiClient profile. Select the clone icon to create a clone of an existing FortiClient profile. Select the view list icon to view FortiClient profiles and assignment.

Profile Name When editing the default profile, the name cannot be changed. When creating a new FortiClient profile, XSS vulnerability characters are not allowed.

Enter a name for the new FortiClient profile.

Comments Enter a profile description. (optional)
Assign to Profile To: l Device Groups: Select device groups in the drop-down list. Use the add icon to assign multiple device groups to the FortiClient profile, for example Mac and Windows PC. l User Groups: Select user groups in the drop-down list. l Users: Select users in the drop-down list. l Source Address: Select source addresses.

These options are only available when creating a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.

FortiClient does not support nested groups in FortiOS.

On-Net Detection By Address Select addresses from the drop-down list to enable On-Net detection on them.
Security  
AntiVirus Toggle the button on or off to enable or disable this feature.
Web Filter Toggle the button on or off to enable or disable this feature.

When enabled, you can select a web filter profile in the drop-down list. Select the checkbox to disable web category filtering on the client when protected by the FortiGate (On-net).

Application Firewall Toggle the button on or off to enable or disable this feature.

When enabled, you can select an application control sensor in the dropdown list.

VPN Toggle the button on or off to enable or disable this feature.

Select the checkbox for Client VPN Provisioning. When enabled, you can configure multiple IPsec VPN and SSL VPN connections.

Use the add icon to add additional VPN connections. Enter the VPN name, type, remote gateway, and authentication method information.

Select the checkbox to auto connect to a VPN when the client is Off-Net.

Select a VPN from the drop-down list.

Advanced  
Install CA Certificates Select to install CA certificates.
Disable

Unregister

Option

Select to disable the option of unregistering from the FortiGate.
Upload Logs to

FortiAnalyzer

Toggle the button on or off to enable or disable this feature.

When enabled, you can select to use the same FortiAnalyzer/FortiManager used by the FortiGate or select Specify to enter a different device IP address. You can set the schedule to hourly or daily. The FortiClient upload logs to the FortiAnalyzer/FortiManager only when it is able to connect to the device on the specified IP address.

FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer/FortiManager.

When upgrading from FortiOS 5.2 to 5.4, a FortiClient 5.4 license must be applied against the FortiGate for this option to be available in the FortiClient Profile. Optionally, you can enable this setting in the FortiOS CLI.

FortiManager updates Toggle the button on or off to enable or disable this feature.

When enabled, you can specify the IP address of the FortiManager. Select the checkbox to failover to the FortiGuard Distribution Network when the FortiManager is not available.

Dashboard Banner Toggle the button on or off to enable or disable this feature.
Client-based Logging when Toggle the button on or off to enable or disable this feature.
  1. Select Apply to save the FortiClient profile setting.

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference forFortiOS.

For information on configuring firewall policies for Endpoint Management, see the FortiOS Handbook -The Complete Guide forFortiOS.

Configure firewall policies (Optional):

  1. To configure a firewall policy for Endpoint Management, go to Policy & Objects > IPv4 Policy and select Create New in the toolbar. The New Policy window is displayed.
  2. Configure the policy as required. Select the source user(s) and source device types from the drop-down list.
  3. Toggle Compliant with FortiClient Profile to ON. Users will be redirected (via a web browser) to a dedicated portal where they can download the client. Once registered to the FortiGate, the FortiClient profile will be assigned.
  4. Select OK to save the rule.

After the FortiGate configuration has been completed, you can proceed with FortiClient configuration. Configure your Windows PC on the corporate network with the default gateway set to the IP address of the FortiGate.

FortiClient endpoint network topologies

The following FortiClient Profile topologies are supported:

  1. Client is directly connected to FortiGate; either to a physical port, switch port or WiFi SSID.

This topology supports client registration, configuration sync, and FortiClient profile enforcement.

  1. Client is connected to FortiGate, but is behind a router or NAT device. This topology supports client registration and configuration sync.
  2. Client is connected to FortiGate across a VPN connection.

This topology supports client registration, configuration sync, and FortiClient profile enforcement.

Network topologies

Configure FortiClient for endpoint management:

  1. Download and install the FortiClient software.

Open a web browser from your workstation and attempt to open a web page, the web page will be directed to the NAC Download Portal. Follow the instructions in the portal to download and install FortiClient.

To allow users to download FortiClient, you must enable this setting in the SSL VPN Portal on your FortiGate device. To enable this feature, go to VPN > SSL-VPN Portals and select Create New in the toolbar.

To configure NAC download portal endpoint control replacement messages, go to

System > Replacement Message. Select Extended View in the toolbar to display Endpoint Control replacement messages for Android, iOS, Mac, Windows, and other.

  1. Register FortiClient.

After FortiClient completes installation, FortiClient will automatically launch and search for a FortiGate device for registration.

There are four ways that the FortiClient/FortiGate communication is initiated:

l FortiClient will attempt to connect to the default gateway IP address; l FortiClient will attempt endpoint control registration over VPN (if configured on the FortiGate); l FortiClient will attempt to connect to a remembered FortiGate; l FortiClient will attempt to connect to a redundant FortiGate.

FortiClient will search for available FortiGate devices to complete registration. You can include the option to prompt the user to enter the FortiClient registration key password. Select the RegisterEndpoint button in the FortiClient console to retry the search.

If FortiClient is unable to detect a FortiGate device, enter the IP address or URL of the device and select the

Go icon. When FortiClient locates the FortiGate, you will be prompted to confirm the registration. Select the Accept button to complete registration. Upon successful registration, the FortiGate will send the FortiClient profile configuration.

  1. Deploy the FortiClient profile from the FortiGate device.

The FortiGate will deploy the FortiClient profile after registration is complete. This FortiClient profile will permit traffic through the FortiGate. A system tray bubble message will be displayed once update is complete.

The FortiClient console will display that it is successfully registered to the FortiGate. The FortiClient profile is installed on FortiClient.

Deploy the FortiClient profile to clients over a VPN connection:

  1. In the FortiClient console, select the RegisterEndpoint Enter the IP address and port number (if required) of the FortiGate’s internal interface and select the Go icon.
  2. Configure an IPsec VPN connection from FortiClient to the management FortiGate. For more information on configuring IPsec VPN see Create a new IPsec VPN connection on page 87.
  3. Connect to the VPN.
  4. You can now search for the FortiGate gateway. For more information see Register FortiClient.
  5. After registration, the client is able to receive the FortiClient profile.

When creating a new FortiClient VPN (IPsec) or SSL VPN tunnel configuration on your

FortiGate device, you must enable Endpoint Registration. See the IPsec VPN for FortiOS and SSL VPN forFortiOS sections of the FortiOS Handbook for more information.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website