FortiClient 5.4.0 Administration Guide – Introduction

Introduction

FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet’s Advanced Threat Protection (ATP) to end user devices. As the endpoint is the ultimate destination for malware that is seeking credentials, network access, and sensitive information, ensuring that your endpoint security combines strong prevention with detection and mitigation is critical.

This document provides an overview of FortiClient 5.4.0.

This document was written for FortiClient (Windows) 5.4.0. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.0.

FortiClient features

FortiClient offers two licensing modes: Standalone mode and Managed mode. It can also be integrated with FortiSandbox.

The following table provides a feature comparison between the standalone client (free version) and the managed client (licensed version).

Standalone Client (Free Version) Managed Client (Licensed Version)
Installation Options l Complete: All Endpoint Security and VPN components will be installed.

l  VPN Only: only VPN components (IPsec and

SSL) will be installed.

l  Create a custom FortiClient installer using the FortiClient Configurator tool using the trial mode. In trial mode, all online updates are disabled.

Installation Options l Complete: All Endpoint Security and VPN components will be installed.

l VPN Only: only VPN components (IPsec and

SSL) will be installed. l Create a custom FortiClient installer using the FortiClient Configurator tool.

Threat Protection l Real-time Antivirus Protection l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware) Threat Protection l Real-time Antivirus Protection l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware) l Cloud Based Behavior Scanning
Web Content l Web Filtering l YouTube Education Filter Web Content l Web Filtering l YouTube Education Filter

FortiClient features

Standalone Client (Free Version) Managed Client (Licensed Version)
VPN l SSL VPN l IPsec VPN

l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication

VPN l SSL VPN l IPsec VPN

l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication

Logging l VPN, Antivirus, Web Security, and Update

Logging l View logs locally

Logging l VPN, Application Firewall, Antivirus, Web

Filter, Update, and Vulnerability Scan

Logging l View logs locally

  Application Control l Application Firewall l Block Specific Application Traffic
  Vulnerability Management l Vulnerability Scan l Link to FortiGuard with information on the impact and recommended actions
  Central Management l Centralized Client Management and monitoring

l Centralized configuration provisioning and deployment l Enforcement of enterprise security policies.

  Central Logging l Upload logs to a FortiAnalyzer or

FortiManager. FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer or FortiManager.

Standalone mode

In standalone mode, FortiClient is not registered to a FortiGate or Enterprise Management Server (EMS). In this mode, FortiClient is free both for private individuals and commercial businesses to use; no license is required. All features and functions are activated.

 

FortiClient features

Managed mode

Companies with large installations of FortiClient usually need a method to manage their endpoints. This is accomplished by registering each FortiClient to a FortiGate or an Enterprise Management Server (EMS). In this mode, FortiClient licensing is applied to the FortiGate or EMS. No separate license is required on FortiClient itself.

FortiSandbox

FortiSandbox offers the capabilities to analyze new, previously unknown and undetected virus samples in realtime. Files sent to it are scanned first, using similar Antivirus (AV) engine and signatures as are available on the FortiOS and FortiClient. If the file is not detected but is an executable file, it is run in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file can be blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

For more information, see the FortiSandbox Administration Guide, available in the Fortinet Document Library.

On-Net / Off-Net

The on-net feature requires the use of a FortiGate as a DHCP server. This is usually configured on the same FortiGate that the FortiClient will be registered. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off- net.

There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided. FortiClient will be on-net if:

l It is registered using EC to the FortiGate, l It belongs to one of the pre-configured on-net subnets, or l It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.

Licensing

Licensing

Licensing on the FortiGate is based on the number of registered clients. FortiGate 30 series and higher models support ten (10) free managed FortiClient licenses. For additional managed clients, a FortiClient license subscription must be purchased. The maximum number of managed clients varies per device model.

The VPN on-net, off-net feature in Endpoint Control will be activated only when the FortiGate, to which FortiClient is registered, is running FortiOS 5.2 or 5.4 with a FortiClient 5.2 or 5.4 license.

FortiGate Client limits

The following table shows client limits per FortiGate model series.

FortiGate Series Free Registrations FortiClient License Upgrade
FortiGate/FortiWiFi 30 to 90 series 10 1 year FortiClient license subscription for up to 200 clients
FortiGate 100 to 300 series 10 1 year FortiClient license subscription for up to 600 clients
FortiGate 500 to 800 series, FortiGate

VM01, FortiGate VM02

10 1 year FortiClient license subscription for up to 2000 clients
FortiGate 1000 series, FortiGate VM04 10 1 year FortiClient license subscription for up to 8000 clients
FortiGate 3000 to 5000 series,

FortiGate VM08

10 1 year FortiClient license subscription for up to 20 000 clients

Installation information

EMS client limits

A newly installed EMS offers 20 000 trial client licenses over a period of 60 days from the day of installation. After the trail period lapses, the number of client licenses will be 10, same as for a new FortiGate to which no FortiClient license has been applied.

A license may be applied to the EMS at any time during or after the trial period. Licenses are available in multiples of 100 seats, with a minimum of 100 seats.

Installation information

The following table lists operating system support and the minimum system requirements.

Operating System Support Minimum System Requirements
l Microsoft Windows XP (32-bit) l Microsoft Windows 7 (32-bit and 64-bit) l Microsoft Windows 8 (32-bit and 64-bit) l Microsoft Windows 8.1 (32-bit and 64-bit) l Microsoft Windows 10 (32-bit and 64-bit) l  Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l  Compatible operating system and minimum

512MB RAM

l  600MB free hard disk space l Native Microsoft TCP/IP communication protocol l Native Microsoft PPP dialer for dial-up connections l Ethernet NIC for network connections l Wireless adapter for wireless network connections l Adobe Acrobat Reader for documentation l MSI installer 3.0 or later.

l Microsoft Windows Server 2008 R2 l Microsoft Windows Server 2012 l Microsoft Windows Server 2012 R2 l  Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l  Compatible operating system and minimum

512MB RAM

l  600MB free hard disk space l Native Microsoft TCP/IP communication protocol l Native Microsoft PPP dialer for dial-up connections l Ethernet NIC for network connections l Wireless adapter for wireless network connections l Adobe Acrobat Reader for documentation l MSI installer 3.0 or later.

Firmware images and tools

Operating System Support Minimum System Requirements
l Mac OS X v10.8 Mountain Lion l Mac OS X v10.9 Mavericks l Mac OS X v10.10 Yosemite l Mac OS X v10.11 El Capitan l Apple Mac computer with an Intel processor l 256MB of RAM l 20MB of hard disk drive (HDD) space l TCP/IP communication protocol l Ethernet NIC for network connections l Wireless adapter for wireless network connections

Firmware images and tools

Microsoft Windows

The following files are available in the firmware image file folder:

  • 4.xx.xxxx.exe

Standard installer for Microsoft Windows (32-bit).

  • 4.xx.xxxx.zip
    • zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
  • 4.xx.xxxx_x64.exe

Standard installer for Microsoft Windows (64-bit).

  • 4.xx.xxxx_x64.zip
    • zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
  • 4.xx.xxxx.zip
    • zip package containing miscellaneous tools including the FortiClient Configurator tool and VPN Automation files:
  • OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

  • FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

  • FortiClientVirusCleaner A virus cleaner.
  • SSLVPNcmdline

Command line SSL VPN client.

  • SupportUtils

Includes diagnostic, uninstallation, and reinstallation tools.

Language support

  • VPNAutomation

A VPN automation tool.

When creating a custom FortiClient 5.4 installer using the FortiClient Configurator tool, you can choose which features to install. You can also select to enable or disable software updates, configure SSO, and rebrand FortiClient

Mac OS X

The following files are available in the firmware image file folder:

  • 4.x.xxx_macosx.dmg Standard installer or Mac OS X.
  • 4.x.xxx_macosx.tar

FortiClient includes various utility tools and files to help with installations. The following tools and files are available in the FortiClientTools .tar file:

  • OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

  • FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

  • RebrandingResources

Rebranding resources used by the FortiClient Configurator tool.

When creating a custom FortiClient 5.4.0 installer using the FortiClient Repackager tool, you can choose to install Everything, VPN Only, or SSO only. You can also select to enable or disable software updates and rebrand

FortiClient.

FortiClient 5.4 cannot use FortiClient version 5.0 licenses. To use FortiClient Configurator, you need to use the FortiClient version 5.4 license file.

Language support

The following table lists FortiClient language support information.

Language Graphical User Interface XML Configuration Documentation
English (United States) ü ü ü
Chinese (Simplified) ü
Chinese (Traditional) ü

Language support

Language Graphical User Interface XML Configuration Documentation
French (France) ü
German ü
Japanese ü
Korean ü
Portuguese (Brazil) ü
Spanish (Spain) ü

 

This entry was posted in Administration Guides, FortiClient and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.