Vulnerability Scan

Vulnerability Scan

FortiClient includes an Vulnerability Scan module to check your workstation for known system vulnerabilities. You can scan on-demand or on a scheduled basis. This feature is disabled by default and the tab is hidden for standalone clients. For users who are registered to a FortiGate using endpoint control, the FortiGate administrator may choose to enable this feature. Vulnerability Scan is enabled via the FortiGate Command Line Interface (CLI) only. Once enabled, the Endpoint Vulnerability Scan on Client setting is available in the FortiClient Profile.

Enable vulnerability scan

This section describes how to enable Vulnerability Scan in the FortiClient Profile via the FortiGate CLI and configuration options.

  1. Enable Vulnerability Scan in the FortiClient Profile:
  2. Log in to your FortiGate CLI.
  3. Enter the following CLI commands: config endpoint-control profile edit <profile-name> config forticlient-winmac-settings set forticlient-vuln-scan enable set forticlient-vuln-scan-schedule {daily | weekly | monthly} set forticlient-vuln-scan-on-registration {enable | disable} set forticlient-ui-options {av | wf | af | vpn | vs}

end end

<profile-name>          Enter the name of the FortiClient Profile.
forticlient-vuln-scan Enable or disable the Vulnerability Scan module. {enable | disable}
forticlient-vuln-  Configure a daily, weekly, or monthly vulnerability scan on the client scan-schedule    workstation.

{daily | weekly |

monthly}

forticlient-vuln-      Enable or disable vulnerability scan on client registration to FortiGate.

scan-on-registration {enable | disable}

 

Scan now                                                                                                                               Vulnerability Scan

forticlient-uioptions {av | wf | af | vpn | vs} Set the FortiClient components that will be available to the client upon registration with FortiGate. l av: Antivirus l wf: Web Filter l af: Application Firewall l vpn: Remote Access l vs: Vulnerability Scan
  1. The FortiGate will send the FortiClient Profile configuration update to registered clients. The Vulnerability Scan tab is now accessible in FortiClient.

Scan now

To perform a vulnerability scan, select the Scan Now button in the FortiClient console. FortiClient will scan your workstation for known vulnerabilities. The console displays the date of the last scan above the button.

You can select to use a FortiManager device for client software and signature updates. When configuring the FortiClient Profile, select Use FortiManagerforclient software/signature update to enable the feature and enter the IP address of your FortiManager device.

View vulnerabilities

When the scan is complete, FortiClient will display the number of vulnerabilities found in the FortiClient console.

Select the Vulnerabilities Detected link to view a list of vulnerabilities detected on your system. Conversely, select Detected: X on the Vulnerability Scan tab to view the vulnerabilities.

Vulnerability Scan                                                                                                               View vulnerabilities

This page displays the following:

Vulnerability Name The name of the vulnerability
Severity The severity level assigned to the vulnerability: Critical, High, Medium, Low, or Info.
Details FortiClient vulnerability scan lists a Bugtraq (BID) number under the details column. You can select the BID to view details of the vulnerability on the FortiGuard site, or search the web using this BID number.
Close Close the window and return to the FortiClient console.

Select the Details ID number from the list to view information on the selected vulnerability on the FortiGuard site.

The site details the release date, severity, impact, description, affected products, and recommended actions.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiClient and tagged , , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

7 thoughts on “Vulnerability Scan

  1. Dane Seelen

    I am looking into deploying the vulnerability scan for 90 workstations and would like FortiClient to patch the updates if possible. Is there a way to control when the patches and restarts will occur and or enable a prompt for the user to control this aspect so their work is not interrupted?

    Reply
      1. Dane

        From the EMS, really the issue here is we have teachers in 3 different buildings and not much for workstation management. If we could maintain some of the updates using the vulnerability aspect that would be great. But when we run it the workstations restart to install updates with no real logic. So I am trying to figure out where the restart factor is coming in and can it be manipulated to wait for a specific time or prompt the user.

        Reply
  2. Matt

    I have a customer that’s neither controlling by the gate or EMS, they are just stand alone clients. Seems that in 5.6 the vulnerability piece is ON by default, and runs when you install it. The customer states that he’s had several users that say it really impacts their laptop while the scan is running. Is there a way to 1) remove the scan piece from the default install or 2) create a custom package where it’s removed? They don’t want it at all, and are not centrally controlling Forticlient’s via profile.

    Reply
    1. Mike Post author

      They can edit the config file to change behaviors and scan times if they are doing it manually. I would highly suggest they control the client via EMS or Gate though. It helps so much from an ease of configuration point of view.

      Reply

Leave a Reply to Dane Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.