FortiClient Settings

Settings

This section describes the available options in the Settings menu.

Backup or restore full configuration

To back up or restore the full configuration file, select File > Settings from the toolbar. Expand the System section, then select Backup or Restore as needed. Restore is only available when operating in standalone mode.

When performing a backup you can select the file destination, password requirements, and add comments as needed.

Logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.

VPN   VPN logging is available when in standalone mode or when registered to FortiGate/EMS.
Application Firewall   Application Firewall logging is available when registered to FortiGate/EMS.
AntiVirus   Antivirus activity logging is available when in standalone mode or when registered to FortiGate/EMS.
Web Filter   Web Filter logging is available when in standalone mode (Web Security) or when registered to FortiGate/EMS.
Update   Update logging is available when in standalone mode or when registered to FortiGate/EMS.
Vulnerability Scan   Vulnerability Scan logging is available when registered to FortiGate/EMS.
Log Level   This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured).
Log File   The option to export the log file (.log) is available when in standalone mode or when registered to FortiGate/EMS. The option to clear logs is only available when in standalone mode.

The following table lists the logging levels and their descriptions:

Logging Level   Description
Emergency   The system becomes unstable.
Alert   Immediate action is required.
Critical   Functionality is affected.
Error   An error condition exists and functionality could be affected.
Warning   Functionality could be affected.
Notice   Information about normal events.
Information   General information about system operations.
Debug   Debug FortiClient.

It is recommended to use the debug logging level only when needed. Do not leave the debug logging level permanently enabled in a production environment to avoid unnecessarily consuming disk space.

Configure logging to FortiAnalyzer or FortiManager

To configure FortiClient to log to your FortiAnalyzer or FortiManager you require the following:

  • FortiClient 5.2.0 or later
  • A FortiGate device running FortiOS 5.2.0 or later, or EMS 1.0
  • A FortiAnalyzer or FortiManager device running 5.0.7 or later

The registered FortiClient device will send traffic logs, vulnerability scan logs, and event logs to the log device on port 514 TCP.

Enable logging on the FortiGate device:

  1. On your FortiGate device, select Log & Report > Log Settings. The Log Settings window opens.
  2. Enable Send Logs to FortiAnalyzer/FortiManager.
  3. Enter the IP address of your log device in the IP Address field. You can select Test Connectivity to ensure your FortiGate is able to communicate with the log device on this IP address.
  4. Select Apply to save the setting.

Enable logging in the FortiGate FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page opens.
  3. In the Advanced tab, enable Upload Logs to FortiAnalyzer.
  4. Select either Same as System to send the logs to the FortiAnalyzer or FortiManager configured in the Log Settings, or Specify to enter a different IP address.
  5. In the Schedule field, select to upload logs either Hourly or Daily.
  6. Select Apply to save the settings.

Once the FortiClient Profile change is synchronized with the client, you will start receiving logs from registered clients on your FortiAnalyzer/FortiManager system.

Alternatively, you can configure logging in the command line interface. Go to System > Dashboard > Status. In the CLI Console widget, enter the following CLI commands:

config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-upload-server <IP address>
            set forticlient-log-upload-schedule {hourly | daily}
            set forticlient-log-ssl-upload {enable | disable}
            set client-log-when-on-net {enable | disable}
        end
    end

To download the FortiClient log files on the FortiAnalyzer go to the Log View tab, select the ADOM, and select the FortiClient menu object.

Enable logging in the EMS endpoint profile:

  1. On EMS, select an endpoint profile, then go to the System Settings
  2. Enable Upload Logs to FortiAnalyzer/FortiManager.
  3. Enter the IP address or hostname, schedule upload (in minutes), and log generation timeout (in seconds).
  4. Select Save to save the settings.

Updates

To configure updates, select File > Settings from the toolbar, then expand the System section.

Select to either automatically download and install updates when they are available on the FortiGuard Distribution Servers, or to send an alert when updates are available.

This setting can only be configured when in standalone mode.

You can select to use a FortiManager device for signature updates. When configuring the endpoint profile, select Use FortiManager for client software/signature updates to enable the feature and enter the IP address of your FortiManager device.

To configure FortiClient to use FortiManager for signature updates (FortiGate):

  1. On your FortiOS device, select Security Profiles > FortiClient Profiles.
  2. On the Advanced tab, enable FortiManager updates.
  3. Specify the IP address or domain name of the FortiManager device.
  4. Select Failover to FDN to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
  5. Select Apply to save the settings.

To configure FortiClient to use FortiManager for signature updates (EMS):

  1. On EMS, select an endpoint profile, then go to the System Settings
  2. Toggle the Use FortiManager for client software/signature update option to ON.
  3. Specify the IP address or hostname of the FortiManager device.
  4. Select Failover to FDN when FortiManager is not available to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
  5. Select Save to save the settings.

VPN options

To configure VPN options, select File > Settings from the toolbar and expand the VPN section. Select Enable VPN before logon to enable VPN before logon.

This setting can only be configured when in standalone mode.

Certificate management

To configure VPN certificates, select File > Settings from the toolbar and expand the Certificate Management section. Select Use local certificate uploads (IPsec only) to configure IPsec VPN to use local certificates and import certificates to FortiClient.

This setting can only be configured when in standalone mode.

Antivirus options

To configure antivirus options, select File > Settings from the toolbar and expand the Antivirus Options section.

These settings can only be configured when in standalone mode.

Configure the following settings:

Grayware Options   Grayware is an umbrella term applied to a wide range of malicious applications such as spyware, adware, and key loggers that are often secretly installed on a user's computer to track and/or report certain information back to an external source without the user's permission or knowledge.
Adware   Select to enable adware detection and quarantine during the antivirus scan.
Riskware   Select to enable riskware detection and quarantine during the antivirus scan.
Scan removable media on insertion   Select to scan removable media when it is inserted.
Alert when viruses are detected   Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. When Alert when viruses are detected under AntiVirus Options is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.
Pause background scanning on battery power   Select to pause background scanning when your computer is operating on battery power.
Enable FortiGuard Analytics   Select to automatically send suspicious files to the FortiGuard Network for analysis.

When registered to FortiGate, you can select to enable or disable FortiClient Antivirus Protection in the FortiClient Profile.

Advanced options

To configure advanced options, select File > Settings from the toolbar and expand the Advanced section.

These settings can only be configured when in standalone mode. When registered to FortiGate/EMS, these settings are set by the XML configuration (if configured).

Configure the following settings:

Enable WAN Optimization   Select to enable WAN Optimization. Enable this only if you have a FortiGate device and your FortiGate is configured for WAN Optimization. This setting can be configured when in standalone mode.
Maximum Disk Cache Size   Select to configure the maximum disk cache size. The default value is 512 MB.
Enable Single Sign-On mobility agent   Select to enable the Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device. This setting can be configured when in standalone mode.
Server address   Enter the FortiAuthenticator IP address.
Customize port   Enter the port number. The default port is 8001.
Pre-shared Key   Enter the pre-shared key. The pre-shared key should match the key configured on your FortiAuthenticator device.
Disable proxy (troubleshooting only)   Select to disable the proxy when troubleshooting FortiClient. This setting can be configured when in standalone mode.
Default tab   Select the default tab to be displayed when opening FortiClient. This setting can be configured when in standalone mode.

Single Sign-On mobility agent

The FortiClient Single Sign-On (SSO) Mobility Agent is a client that updates FortiAuthenticator with user logon and network information.

FortiClient/FortiAuthenticator protocol

The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator, which replies with an acknowledgment packet.

FortiClient/FortiAuthenticator communication requires the following:

  • The IP address should be unique in the entire network.
  • The FortiAuthenticator should be accessible from clients in all locations.
  • The FortiAuthenticator should be accessible by all FortiGates.

FortiClient Single Sign-On Mobility Agent requires a FortiAuthenticator running 2.0.0 or later, or v3.0.0 or later. Enter the FortiAuthenticator (server) IP address, port number, and the pre-shared key configured on the FortiAuthenticator.

Enable Single Sign-On mobility agent on FortiClient:

  1. Select File in the toolbar and select Settings in the drop-down menu.
  2. Select Advanced to view the drop-down menu.
  3. Select Enable Single Sign-On mobility agent.
  4. Enter the FortiAuthenticator server address and the pre-shared key.

This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured).

Enable FortiClient SSO mobility agent service on the FortiAuthenticator:

  1. Select Fortinet SSO Methods > SSO > General. The Edit SSO Configuration page opens.
  2. Select Enable FortiClient SSO Mobility Agent Service and enter a TCP port value for the listening port.
  3. Select Enable authentication and enter a secret key or password.
  4. Select OK to save the setting.

To enable FortiClient FSSO services on the interface:

  1. Select System > Network > Interfaces. Select the interface and select Edit from the toolbar. The Edit Network Interface window opens.
  2. Select the checkbox to enable FortiClient FSSO.
  3. Select OK to save the setting.

To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

For information on purchasing a FortiClient license for FortiAuthenticator, please contact your authorized Fortinet reseller.

Configuration lock

To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked, configuration changes are restricted and FortiClient cannot be shut down or uninstalled.

When the configuration is locked you can perform the following actions:

  • Antivirus
    • Complete an antivirus scan, view threats found, and view logs
    • Select Update Now to update signatures
  • Web Security
    • View violations
  • Application Firewall
    • View applications blocked
  • Remote Access
    • Configure, edit, or delete an IPsec VPN or SSL VPN connection
    • Connect to a VPN connection
  • Vulnerability Scan
    • Complete a vulnerability scan of the system
    • View vulnerabilities found
  • Register and unregister FortiClient for Endpoint Control
  • Settings
    • Export FortiClient logs
    • Back up the FortiClient configuration

To perform configuration changes or to shut down FortiClient, select the lock icon and enter the password used to lock the configuration.

FortiTray

When FortiClient is running on your system, you can select the FortiTray icon in the Windows system tray to perform various actions. The FortiTray icon is available in the system tray even when the FortiClient console is closed.

  • Default menu options
    • Open FortiClient console
    • Shutdown FortiClient
  • Dynamic menu options depending on configuration
    • Connect to a configured IPsec VPN or SSL VPN connection
    • Display the antivirus scan window (if a scheduled scan is currently running)
    • Display the Vulnerability scan window (if a vulnerability scan is running)

If you hover the mouse cursor over the FortiTray icon, you will receive various notifications including the version, antivirus signature, and antivirus engine.

Connect to a VPN connection

To connect to a VPN connection from FortiTray, right-click the FortiTray icon in the Windows system tray. Select the connection you wish to connect to, enter your username and password in the authentication window, then select OK to connect.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

9 thoughts on “FortiClient Settings”

  1. Alvydas

    Hello,

    We are using the FortiClient 5.4.2 full version (antivirus too). FortiClient was deployed with SCCM 2012. FortiClient settings are locked with a password.
    I would like to change the settings and refuse antivirus.

    Is there a way to deregister FC via a remote script or GPO?

    Do you have any idea ?

    Many Thanks

  2. Alvydas

    Solved:
    Uninstall or GPO shutdown script:
    **********************************************************************
    if not exist "%programfiles(x86)%\Fortinet\FortiClient\quarantine" goto finito
    "%programfiles(x86)%\Fortinet\Forticlient\fcconfig.exe" -m all -f "\\server\NETLOGON\Program\FortiClient_No_antivirus\No_password.conf" -o import -k password -q
    echo %errorlevel% > c:\windows\control\FortiClient_deleted.txt
    wmic product where name="FortiClient" call uninstall /nointeractive >> c:\windows\control\FortiClient_deleted.txt
    echo %errorlevel% >> c:\windows\control\FortiClient_deleted.txt
    :finito
    *********************************************************************
    Install or GPO startup script:

    *********************************************************************
    If not exist c:\windows\control\FortiClient_deleted.txt goto finito
    msiexec /i "\\server\NETLOGON\Program\FortiClient_No_antivirus\FortiClient.msi" /q TRANSFORMS="\\server\NETLOGON\Program\FortiClient_No_antivirus\FortiClient.mst" /L c:\windows\control\FortiClient_rewrited.txt
    :finito
    ******************************************************************
    When the computer is restarted, the FortiClient version is then rewritten.

    1. Mike Post author

      Awesome work. If it is ok with you I would like to make this a Q&A Post on the site. (giving you credit of course)

        1. Mike Post author

          Awesome! Thanks so much! I will get a post out this weekend regarding the issue you were having and your script that fixed it.

  3. Eva Roggenstein

    We need to de-register about 500 Forticlients because we are changing our AV supplier. But our Fortigate (where they were originally registered from) is not in service anymore. So the above script theoretically would solve our problem. But I can’t get it to work. I obtained the No_password.conf file from the “Backup” of a manually unregistered Forticlient. Is that the correct thing to do? Would I need to edit it in any way before importing it to a registered Forticlient? The import appears to work without error but that Forticlient stays registered.

  4. nksamy

    I am using FortiClient 5.2.3. How can I access the VPN via a proxy server? I added 192.168.20.753128 and these lines to the configuration file, but no hope; it did not work at all.

    Please help me out.
