This video shows you the basic configuration of a FortiGate that is running FortiOS 5.4. This version of the firmware makes the device run so much better in my experience. I am sure you guys will love it.

Learn how to setup Captive Portal with the FortiToken 200 in FortiOS 5.4 by watching the video attached!
Video posted by Fortinet about Security in the age of virtualization. Some pretty good tidbits in here. Definitely worth checking out so click play on the video below and learn some stuff!
Custom FortiClient Installations
The FortiClient Configurator tool is the recommended method of creating customized FortiClient installation files.
You can also customize which modules are displayed in the FortiClient dashboard in the FortiClient Profile. This will allow you to activate any of the modules at a later date without needing to re-install FortiClient. Any changes made to the FortiClient Profile are pushed to registered clients.
When creating VPN only installation files, you cannot enable other modules in the FortiClient Profile as only the VPN module is installed.
When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.
The FortiClient Configurator tool is included with the FortiClient Tools file in FortiClient 5.2. This file is only available on the Customer Service & Support portal and is located in the same file directory as the FortiClient images.
The Configurator tool requires activation with a license file. Ensure that you have completed the following steps prior to logging in to your FortiCare product web portal:
This video explains how to purchase and apply a FortiClient License: http://www.youtube.com/watch?feature=player_embedded&v=sIkWaUXK0Ok
To retrieve your license file:
Fortinet offers a repacking tool for both Microsoft Windows and Mac OS X operating systems. The following section provides instructions on creating a custom installer file using the FortiClient Configurator tool.
When selecting to install custom features, only modules selected are installed. To enable other features you will need to uninstall FortiClient, and reinstall an MSI file with these features included in the installer.
To create a custom installer using the FortiClient Configurator tool:
The tool opens at the Welcome page.
Licensed | Licensed mode requires a FortiClient license file. |
Trial | In FortiClient 5.4, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment. |
Select Config File (optional) | The configuration file (.conf, .sconf) settings will be included in the installer file. |
Password | If the configuration file is encrypted (.sconf), enter the password used to encrypt the file. |
You can use an XML editor to make changes to the FortiClient configuration file. For more information on FortiClient XML configuration, see the FortiClient XML Reference in the Fortinet Document Library, http://docs.fortinet.com.
The following options are available for custom installations:
Features to Install | |
Everything | All Security and VPN components will be installed. |
Client security only | Only AntiVirus, Web Filtering, and Application Firewall will be installed. |
VPN only | Only VPN components (IPsec and SSL) will be installed. |
Other | Select one of the following from the drop-down list:
- AntiVirus & Web Filtering only
- Web Filtering only
- Application Firewall only
- Application Firewall & Web Filtering only
- Web Filtering, VPN and Application Firewall
- Single Sign-On mobility agent only |
Options | |
Desktop Shortcut | Select to create a FortiClient desktop icon. |
Start Menu | Select to add FortiClient to the start menu. |
Enable Software Update | Select to enable software updates. This option is disabled when Rebrand FortiClient is selected. This option is also disabled when using Trial mode. |
Configure Single Sign-On mobility agent | Select to configure the Single Sign-On mobility agent for use with FortiAuthenticator. |
Rebrand FortiClient | Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient on page 137. |
If you selected to configure the single sign-on mobility agent, the Single Sign-On Mobility Agent Settings page is displayed.
Server IP/FQDN | Enter the IP address or FQDN of the FortiAuthenticator server. |
Port Number | Enter the port number. The default port is 8001. |
Pre-Shared Key | Enter the FortiAuthenticator pre-shared key. |
Confirm Pre-Shared Key | Enter the FortiAuthenticator pre-shared key confirmation. |
Select Code Signing Certificate (optional) | If you have a code signing certificate, you can use it to digitally sign the installer package this tool generates. |
Password | If the certificate file is password protected, enter the password. |
This page provides details of the installer file creation and the location of files for Active Directory deployment and manual distribution. The tool creates files for both 32-bit (x86) and 64-bit (x64) operating systems.
Before deploying the custom MSI files, it is recommended that you test the packages to confirm that they install correctly. In FortiClient 5.2.0 and later, an .exe installation file is created for manual distribution.
Installation files are organized in folders within the FortiClientTools > FortiClient Configurator > FortiClient repackaged folder. Folder names identify the type of installation files that were created and the creation date.
To create a custom installer using the FortiClient Configurator tool:
Open the FortiClientConfigurator.dmg application file, then double-click the FCTConfigurator icon to launch the tool. The Configurator tool opens.
Licensed | Licensed mode requires a FortiClient 5.2 license file. |
Trial | In FortiClient v5.2, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment. |
Source | Select the FortiClient Installer file on your management computer. You must use the full installer file, otherwise FortiClient Configurator will fail to create a custom installation file. The FortiClient Installer version and FortiClient Configurator version must match, otherwise the Configurator will fail to create a custom installation file. |
Destination | Enter a name for the custom installation file and select a destination to save the file on your management computer. |
Features to Install | Select to install all FortiClient modules, VPN only, or SSO only. If SSO only is selected, you must configure the SSO settings in the attached configuration file. |
Server IP/FQDN | Enter the IP address or FQDN of the FortiAuthenticator server. This option is available when selecting SSO only for features to install. |
Port Number | Enter the port number. The default port is 8001. This option is available when selecting SSO only for features to install. |
Pre-Shared Key | Enter the FortiAuthenticator pre-shared key. This option is available when selecting SSO only for features to install. |
Confirm Pre-Shared Key | Enter the FortiAuthenticator pre-shared key confirmation. This option is available when selecting SSO only for features to install. |
Config file | Optionally, select a pre-configured FortiClient backup configuration file. If you selected Everything or VPN only for features to install, you must use a configuration file to configure the related settings. |
Software Update | Select to enable or disable software updates. |
Rebrand | Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient on page 137. |
Rebranding resources | Select the FortiClient resources file on your management computer. |
When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.
Custom installation packages
After the configurator tool generates the custom installation packages, it can be used to deploy the FortiClient software either manually, or using Active Directory. Both options can be found in the …/FortiClient_packaged directory. Files are created for both x86 (32-bit) and x64 (64-bit) operating systems.
If Active Directory is being used to deploy FortiClient, you can use the custom installer with the MST file found in the …/ActiveDirectory folder.
For manual distribution, use the .exe file in the …/ManualDistribution folder.
Advanced FortiClient profiles
When creating custom FortiClient MSI files for deployment, you will need to configure advanced FortiClient profiles on the FortiGate/EMS to ensure that settings in the FortiClient profile do not overwrite your custom XML settings. You can configure the FortiClient profile to deliver the full XML configuration, VPN only, or specific FortiClient XML configurations. For more information on customizing the FortiClient XML configuration file, see Appendix C – Rebranding FortiClient on page 137.
Fortinet recommends creating OS specific endpoint profiles when provisioning XML settings. When creating a new FortiClient profile, select the device group as either Windows PC or Mac. If a FortiClient (Windows) XML configuration is pushed to a FortiClient (Mac OS X) system, FortiClient (Mac OS X) will ignore settings which are not supported.
You can deploy the full XML configuration file from the CLI or GUI.
To deploy the full XML configuration via the CLI:
```
config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-advanced-cfg enable
            set forticlient-advanced-cfg-buffer "Copy & Paste your FortiClient XML configuration here"
        end
    end
```
Copy directly from your XML editor, preserving the XML file format. Copy all information from the <?xml version="1.0" encoding="UTF-8" ?> start-of-syntax tag to the </forticlient_configuration> end-of-syntax tag. Add double quotes at the start and end of the XML syntax statements.
To deploy the full XML configuration via the FortiGate GUI:
Profile Name | Enter a unique name to identify the FortiClient profile. |
Comments | Optionally, enter a comment. |
Assign Profile To | For more information on configuring device groups, user groups, and users, see the FortiOS Handbook.
These options are only available when creating a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN. FortiClient does not support nested groups in FortiOS. |
XML text window | Copy and paste the FortiClient XML configuration file in the text window. The XML syntax must be preserved. |
To deploy the full XML configuration via EMS:
The current buffer size is 32kB. This may not be large enough to accommodate your FortiClient XML configuration. As a workaround, you can use the FortiClient Configurator tool to create a custom MSI installation file using a .conf FortiClient backup configuration that contains static custom configurations. You can then include a partial configuration in the advanced FortiClient profile. This will push the partial configuration when the client registers with the FortiGate. The partial configuration will be merged with the existing XML configuration on the client.
To provision specific FortiClient XML configuration while preserving custom XML configurations in your MSI file, cut & paste the specific XML configuration into the FortiClient Profile in the following format:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <partial_configuration>1</partial_configuration>
  <system>
    <ui>
      <ads>0</ads>
      <default_tab>VPN</default_tab>
      <flashing_system_tray_icon>0</flashing_system_tray_icon>
      <hide_system_tray_icon>0</hide_system_tray_icon>
      <suppress_admin_prompt>0</suppress_admin_prompt>
      <culture_code>os-default</culture_code>
    </ui>
    <update>
      <use_custom_server>0</use_custom_server>
      <port>80</port>
      <timeout>60</timeout>
      <failoverport>8000</failoverport>
      <fail_over_to_fdn>1</fail_over_to_fdn>
      <scheduled_update>
        <enabled>0</enabled>
        <type>interval</type>
        <daily_at>03:00</daily_at>
        <update_interval_in_hours>3</update_interval_in_hours>
      </scheduled_update>
    </update>
  </system>
</forticlient_configuration>
```
Ensure that the <partial_configuration>1</partial_configuration> tag is set to 1 to indicate that this partial configuration will be deployed upon registration with the FortiGate. All other XML configuration will be preserved.
You need to enable VPN provisioning and advanced VPN from the FortiOS CLI to import the FortiClient XML VPN configuration syntax. You can import the XML VPN configuration in the CLI or the GUI.
Import XML VPN configuration into the FortiClient Profile via the CLI:
```
config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-vpn-provisioning enable
            set forticlient-advanced-vpn enable
            set auto-vpn-when-off-net enable
            set auto-vpn-name <VPN name to connect to automatically when off-net>
            set forticlient-advanced-vpn-buffer <Copy & paste the advanced VPN configuration>
        end
    end
```
After the forticlient-vpn-provisioning and forticlient-advanced-vpn CLI commands are enabled, the forticlient-advanced-vpn-buffer CLI command is available from the CLI.
Copy directly from your XML editor, preserving the XML file format. Copy all information from the <vpn> start of syntax to the </vpn> end of syntax XML tags. Add double quotes before the <vpn> tag and after the </vpn> tag.
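As an added example that is not part of the FortiClient guide, the following Python script performs the pre-flight checks worth running before pasting XML into either buffer described above: it parses the text, confirms the root element and the <partial_configuration>1</partial_configuration> flag, checks the 32kB buffer limit, extracts the <vpn> block for forticlient-advanced-vpn-buffer, and wraps the result in double quotes. The sample XML, the element names under <vpn>, the 32 x 1024 byte reading of "32kB" and the backslash escaping of embedded quotes are assumptions of the example.

```python
"""Pre-flight checks for FortiClient XML before it is pasted into a FortiOS
advanced FortiClient profile buffer (added example; not part of the guide)."""
import xml.etree.ElementTree as ET

# The guide states the advanced-cfg buffer is 32kB; assumed here to mean 32 * 1024 bytes.
ADVANCED_CFG_BUFFER_LIMIT = 32 * 1024

# Constructed sample: a partial configuration shaped like the guide's example.
SAMPLE_PARTIAL_CFG = """<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <partial_configuration>1</partial_configuration>
  <system>
    <ui>
      <default_tab>VPN</default_tab>
      <hide_system_tray_icon>0</hide_system_tray_icon>
    </ui>
  </system>
</forticlient_configuration>
"""

# Constructed sample: a full backup with a <vpn> section (element names below
# <vpn> are illustrative, not taken from the FortiClient XML Reference).
SAMPLE_FULL_CFG = """<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <partial_configuration>0</partial_configuration>
  <vpn>
    <options>
      <autoconnect_tunnel>Corp-SSLVPN</autoconnect_tunnel>
    </options>
  </vpn>
</forticlient_configuration>
"""


def check_partial_config(xml_text):
    """Return a list of problems; an empty list means the text is ready to be
    pasted into forticlient-advanced-cfg-buffer as a partial configuration."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Fail fast here instead of pushing unparseable XML to every registered endpoint.
        return [f"not well-formed XML: {exc}"]
    if root.tag != "forticlient_configuration":
        problems.append(f"root element is <{root.tag}>, expected <forticlient_configuration>")
    if root.findtext("partial_configuration") != "1":
        # The guide requires the flag to be 1 so the pushed XML is merged on
        # registration and all other client XML configuration is preserved.
        problems.append("<partial_configuration> must be 1 to preserve existing client settings")
    size = len(xml_text.encode("utf-8"))
    if size > ADVANCED_CFG_BUFFER_LIMIT:
        problems.append(f"{size} bytes exceeds the {ADVANCED_CFG_BUFFER_LIMIT}-byte buffer")
    return problems


def extract_vpn_fragment(xml_text):
    """Return the <vpn>...</vpn> block for forticlient-advanced-vpn-buffer,
    or None when the configuration has no <vpn> section."""
    root = ET.fromstring(xml_text)
    vpn = root.find("vpn")
    if vpn is None:
        return None
    vpn.tail = None  # drop whitespace after </vpn> so the fragment ends cleanly
    return ET.tostring(vpn, encoding="unicode")


def cli_buffer_argument(fragment):
    """Wrap a fragment in double quotes as the guide instructs. Embedded double
    quotes and backslashes are backslash-escaped (assumed FortiOS CLI convention)."""
    escaped = fragment.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


if __name__ == "__main__":
    print("partial cfg problems:", check_partial_config(SAMPLE_PARTIAL_CFG))
    print("full cfg problems:", check_partial_config(SAMPLE_FULL_CFG))
    print("set forticlient-advanced-vpn-buffer",
          cli_buffer_argument(extract_vpn_fragment(SAMPLE_FULL_CFG)))
```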
Profile Name | Enter a unique name to identify the FortiClient profile. |
Comments | Optionally, enter a comment. |
Assign Profile To | For more information on configuring device groups, user groups, and users, see the FortiOS Handbook.
These options are only available when creating a new endpoint profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN. FortiClient does not support nested groups in FortiOS. |
VPN | Enable Client VPN Provisioning.
Cut and paste the FortiClient XML configuration <vpn> to </vpn> tags in the text window. The XML syntax must be preserved. Enable Auto-connect when Off-Net and select a VPN name from the dropdown list. |
For more information, see Appendix A – Deployment Scenarios on page 127.
Settings
This section describes the available options in the settings menu.
To backup or restore the full configuration file, select File > Settings from the toolbar. Expand the System section, then select Backup or Restore as needed. Restore is only available when operating in standalone mode.
When performing a backup you can select the file destination, password requirements, and add comments as needed.
To configure logging, select File > Settings from the toolbar then expand the Logging section.
VPN | VPN logging is available when in standalone mode or when registered to FortiGate/EMS. |
Application Firewall | Application Firewall logging is available when registered to FortiGate/EMS. |
AntiVirus | Antivirus activity logging is available when in standalone mode or when registered to FortiGate/EMS. |
Web Filter | Web Filter logging is available when in standalone mode (Web Security) or when registered to FortiGate/EMS. |
Update | Update logging is available when in standalone mode or when registered to FortiGate/EMS. |
Vulnerability Scan | Vulnerability Scan logging is available when registered to FortiGate/EMS. |
Log Level | This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured). |
Log File | The option to export the log file (.log) is available when in standalone mode or when registered to FortiGate/EMS. The option to clear logs is only available when in standalone mode. |
The following table lists the logging levels and description:
Logging Level | Description |
Emergency | The system becomes unstable. |
Alert | Immediate action is required. |
Critical | Functionality is affected. |
Error | An error condition exists and functionality could be affected. |
Warning | Functionality could be affected. |
Notice | Information about normal events. |
Information | General information about system operations. |
Debug | Debug FortiClient. |
It is recommended to use the debug logging level only when needed. Do not leave the debug logging level permanently enabled in a production environment to avoid unnecessarily consuming disk space.
To configure FortiClient to log to your FortiAnalyzer or FortiManager you require the following:
- FortiClient 5.2.0 or later
- A FortiGate device running FortiOS 5.2.0 or later, or EMS 1.0
- A FortiAnalyzer or FortiManager device running 5.0.7 or later
The registered FortiClient device will send traffic logs, vulnerability scan logs, and event logs to the log device on port 514 TCP.
Enable logging on the FortiGate device:
Enable logging in the FortiGate FortiClient profile:
Once the FortiClient Profile change is synchronized with the client, you will start receiving logs from registered clients on your FortiAnalyzer/FortiManager system.
Alternatively, you can configure logging in the command line interface. Go to System > Dashboard > Status. In the CLI Console widget, enter the following CLI commands:
```
config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-upload-server <IP address>
            set forticlient-log-upload-schedule {hourly | daily}
            set forticlient-log-ssl-upload {enable | disable}
            set client-log-when-on-net {enable | disable}
        end
    end
```
To download the FortiClient log files on the FortiAnalyzer go to the Log View tab, select the ADOM, and select the FortiClient menu object.
Enable logging in the EMS endpoint profile:
Updates
To configure updates, select File > Settings from the toolbar, then expand the System section.
Select to either automatically download and install updates when they are available on the FortiGuard Distribution Servers, or to send an alert when updates are available.
This setting can only be configured when in standalone mode.
You can select to use a FortiManager device for signature updates. When configuring the endpoint profile, select Use FortiManager for client software/signature updates to enable the feature and enter the IP address of your FortiManager device.
To configure FortiClient to use FortiManager for signature updates (FortiGate):
To configure FortiClient to use FortiManager for signature updates (EMS):
To configure VPN options, select File > Settings from the toolbar and expand the VPN section. Select Enable VPN before logon to enable VPN before log on.
This setting can only be configured when in standalone mode.
Certificate management
To configure VPN certificates, select File > Settings from the toolbar and expand the Certificate Management section. Select Use local certificate uploads (IPsec only) to configure IPsec VPN to use local certificates and import certificates to FortiClient.
This setting can only be configured when in standalone mode.
To configure antivirus options, select File > Settings from the toolbar and expand the Antivirus Options section.
These settings can only be configured when in standalone mode.
Configure the following settings:
Grayware Options | Grayware is an umbrella term applied to a wide range of malicious applications such as spyware, adware and key loggers that are often secretly installed on a user’s computer to track and/or report certain information back to an external source without the user’s permission or knowledge. |
Adware | Select to enable adware detection and quarantine during the antivirus scan. |
Riskware | Select to enable riskware detection and quarantine during the antivirus scan. |
Scan removable media on insertion | Select to scan removable media when it is inserted. |
Alert when viruses are detected | Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. When Alert when viruses are detected under AntiVirus Options is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser. |
Pause background scanning on battery power | Select to pause background scanning when your computer is operating on battery power. |
Enable FortiGuard Analytics | Select to automatically send suspicious files to the FortiGuard Network for analysis. |
When registered to FortiGate, you can select to enable or disable FortiClient Antivirus Protection in the FortiClient Profile.
Advanced options
To configure advanced options, select File > Settings from the toolbar and expand the Advanced section.
These settings can only be configured when in standalone mode. When registered to FortiGate/EMS, these settings are set by the XML configuration (if configured).
Configure the following settings:
Enable WAN Optimization | Select to enable WAN Optimization. You should enable this only if you have a FortiGate device and your FortiGate is configured for WAN Optimization. This setting can be configured when in standalone mode. |
Maximum Disk Cache Size | Select to configure the maximum disk cache size. The default value is 512MB. |
Enable Single Sign-On mobility agent | Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device. This setting can be configured when in standalone mode. |
Server address | Enter the FortiAuthenticator IP address. |
Customize port | Enter the port number. The default port is 8001. |
Pre-shared Key | Enter the pre-shared key. The pre-shared key should match the key configured on your FortiAuthenticator device. |
Disable proxy (troubleshooting only) | Select to disable proxy when troubleshooting FortiClient. This setting can be configured when in standalone mode. |
Default tab | Select the default tab to be displayed when opening FortiClient. This setting can be configured when in standalone mode. |
Single Sign-On mobility agent
The FortiClient Single Sign-On (SSO) Mobility Agent is a client that updates FortiAuthenticator with user logon and network information.
The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator, which replies with an acknowledgment packet.
FortiClient/FortiAuthenticator communication requires the following:
- The IP address should be unique in the entire network.
- The FortiAuthenticator should be accessible from clients in all locations.
- The FortiAuthenticator should be accessible by all FortiGates.
FortiClient Single Sign-On Mobility Agent requires a FortiAuthenticator running 2.0.0 or later, or v3.0.0 or later. Enter the FortiAuthenticator (server) IP address, port number, and the pre-shared key configured on the FortiAuthenticator.
Enable Single Sign-On mobility agent on FortiClient:
This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured).
Enable FortiClient SSO mobility agent service on the FortiAuthenticator:
To enable FortiClient FSSO services on the interface:
To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.
For information on purchasing a FortiClient license for FortiAuthenticator, please contact your authorized Fortinet reseller.
Configuration lock
To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked, configuration changes are restricted and FortiClient cannot be shut down or uninstalled.
When the configuration is locked you can perform the following actions:
To perform configuration changes or to shut down FortiClient, select the lock icon and enter the password used to lock the configuration.
FortiTray
When FortiClient is running on your system, you can select the FortiTray icon in the Windows system tray to perform various actions. The FortiTray icon is available in the system tray even when the FortiClient console is closed.
If you hover the mouse cursor over the FortiTray icon, you will receive various notifications including the version, antivirus signature, and antivirus engine.
To connect to a VPN from FortiTray, right-click the FortiTray icon in the Windows system tray. Select the connection you wish to connect to, enter your username and password in the authentication window, then select OK to connect.
Vulnerability Scan
FortiClient includes a Vulnerability Scan module to check your workstation for known system vulnerabilities. You can scan on-demand or on a scheduled basis. This feature is disabled by default and the tab is hidden for standalone clients. For users who are registered to a FortiGate using endpoint control, the FortiGate administrator may choose to enable this feature. Vulnerability Scan is enabled via the FortiGate Command Line Interface (CLI) only. Once enabled, the Endpoint Vulnerability Scan on Client setting is available in the FortiClient Profile.
This section describes how to enable Vulnerability Scan in the FortiClient Profile via the FortiGate CLI and configuration options.
```
config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-vuln-scan {enable | disable}
            set forticlient-vuln-scan-schedule {daily | weekly | monthly}
            set forticlient-vuln-scan-on-registration {enable | disable}
            set forticlient-ui-options {av | wf | af | vpn | vs}
        end
    end
```
<profile-name> | Enter the name of the FortiClient Profile. |
forticlient-vuln-scan {enable | disable} | Enable or disable the Vulnerability Scan module. |
forticlient-vuln-scan-schedule {daily | weekly | monthly} | Configure a daily, weekly, or monthly vulnerability scan on the client workstation. |
forticlient-vuln-scan-on-registration {enable | disable} | Enable or disable vulnerability scan on client registration to FortiGate. |
forticlient-ui-options {av | wf | af | vpn | vs} | Set the FortiClient components that will be available to the client upon registration with FortiGate:
- av: Antivirus
- wf: Web Filter
- af: Application Firewall
- vpn: Remote Access
- vs: Vulnerability Scan |
Scan now
To perform a vulnerability scan, select the Scan Now button in the FortiClient console. FortiClient will scan your workstation for known vulnerabilities. The console displays the date of the last scan above the button.
When the scan is complete, FortiClient will display the number of vulnerabilities found in the FortiClient console.
Select the Vulnerabilities Detected link to view a list of vulnerabilities detected on your system. Alternatively, select Detected: X on the Vulnerability Scan tab to view the vulnerabilities.
View vulnerabilities
This page displays the following:
Vulnerability Name | The name of the vulnerability |
Severity | The severity level assigned to the vulnerability: Critical, High, Medium, Low, or Info. |
Details | FortiClient vulnerability scan lists a Bugtraq (BID) number under the details column. You can select the BID to view details of the vulnerability on the FortiGuard site, or search the web using this BID number. |
Close | Close the window and return to the FortiClient console. |
Select the Details ID number from the list to view information on the selected vulnerability on the FortiGuard site.
The site details the release date, severity, impact, description, affected products, and recommended actions.
IPsec VPN and SSL VPN
FortiClient supports both IPsec and SSL VPN connections to your network for remote access. You can provision client VPN connections in the FortiClient Profile or configure new connections in the FortiClient console.
This section describes how to configure remote access.
Select Configure VPN in the FortiClient console to add a new VPN configuration.
To create a new SSL VPN connection, select Configure VPN or use the drop-down menu in the FortiClient console.
Select SSL-VPN, then configure the following settings:
Connection Name | Enter a name for the connection. |
Description | Enter a description for the connection. (optional) |
Remote Gateway | Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway. |
Customize port | Select to change the port. The default port is 443. |
Authentication | Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled. |
Username | If you selected to save login, enter the username in the dialog box. |
Client Certificate | Select to enable client certificates, then select the certificate from the dropdown list. |
Do not Warn Invalid Server Certificate | Select if you do not want to be warned if the server presents an invalid certificate. |
Add | Select the add icon to add a new connection. |
Delete | Select a connection and then select the delete icon to delete a connection. |
Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.
To create a new IPsec VPN connection, select Configure VPN or use the drop-down menu in the FortiClient console.
Select IPsec VPN, then configure the following settings:
Connection Name | Enter a name for the connection. |
Description | Enter a description for the connection. (optional) |
Remote Gateway | Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway. |
Authentication Method | Select either X.509 Certificate or Pre-shared Key in the dropdown menu. |
Authentication (XAuth) | Select to prompt on login, save login, or disable. |
Username | If you selected save login, enter the username in the dialog box. |
Advanced Settings | Configure VPN settings, Phase 1, and Phase 2 settings. |
VPN Settings | |
Mode | Select one of the following:
- Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
- Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted. Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID). |
Options | Select one of the following:
- Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.
- Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.
- DHCP over IPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling. |
Phase 1 | Select the encryption and authentication algorithms used to generate keys for protecting negotiations, and add encryption and authentication algorithms as required. You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define. |
IKE Proposal | Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists. |
DH Group | Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. |
Key Life | Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds. |
Local ID | Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer's Peer Options. |
Dead Peer Detection | Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. |
NAT Traversal | Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably. |
Phase 2 | Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer. |
IKE Proposal | Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists. |
Key Life | The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB has been processed. When the phase 2 key expires, a new key is generated without interrupting service. |
Enable Replay Detection | Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them. |
Enable Perfect Forward Secrecy (PFS) | Select the check box to enable Perfect Forward Secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time. |
DH Group | Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses. |
Add | Select the add icon to add a new connection. |
Delete | Select a connection and then select the delete icon to delete a connection. |
Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.
You can provision client VPN connections in the FortiClient Profile for registered clients.
Provision a client VPN in the FortiClient Profile:
Provision client VPN connections
IPsec VPN | Configure remote gateway and authentication settings for IPsec VPN. |
SSL-VPN | Configure remote gateway and access settings for SSL VPN. |
Auto-connect when Off-Net | Turn on to connect automatically when off-net, then configure the following:
- VPN Name: Select a VPN from the list.
- Prevent VPN Disconnect: Turn on to not allow users to disconnect when the VPN is connected.
- Captive Portal Support: Turn on to enable support for captive portals. |
VPN before Windows logon | Enable VPN connection before Windows log on. |
The FortiGate will send the FortiClient Profile configuration update to registered clients.
When registered to a FortiGate, VPN settings are enabled and configured in the FortiClient Profile.
Alternatively, you can provision a client VPN using the advanced VPN FortiClient Profile options in FortiGate. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.
Provision a client VPN in the FortiClient Profile:
Provision client VPN connections
Allow Personal VPN | Select to enable personal VPN connections |
Disable Connect/Disconnect | Select to disable the Connect/Disconnect control so that users cannot disconnect when the VPN is connected. |
Show VPN Before Logon | Enable VPN connection before Windows log on, and select from the following options:
- Use Legacy VPN Before Logon
- Use Windows Credentials |
Local Computer Windows Store Certificates (IPsec only) | Select to enable local Windows store certificates (IPsec only). |
Current User Windows Store Certificates (IPSec only) | Select to enable current user Windows store certificates (IPsec only). |
Auto-connect only when Off-Net | Turn on to connect automatically only when off-net. |
Add VPN Tunnel | Select to add a VPN tunnel, then enter the following information:
- VPN Name: Enter the VPN name.
- Type: Select the type of VPN tunnel, either SSL VPN or IPsec VPN.
- Remote Gateway: Enter the remote gateway IP address or hostname.
- Require Certificate: Turn on to require a certificate (SSL VPN only).
- Access Port: Enter the access port number (SSL VPN only).
- Authentication Method: Select the authentication method, either Pre-shared Key or Certificate (IPsec VPN only).
- Pre-Shared Key: Enter the pre-shared key (IPsec VPN with pre-shared key only).
- Advanced Configuration: |
To connect to a VPN, select the VPN connection from the drop-down menu. Enter your username, password, and select the Connect button.
Optionally, you can click on the system tray, right-click the FortiClient icon and select the VPN connection you want to connect to.
You can also select to edit an existing VPN connection and delete an existing VPN connection using the dropdown menu.
When connected, the console will display the connection status, duration, and other relevant information. You can now browse your remote network. Select the Disconnect button when you are ready to terminate the VPN session.
Save Password, Auto Connect, and Always Up
When configuring a FortiClient IPsec or SSL VPN connection on your FortiGate/EMS, you can select to enable the following features:
When enabled in the FortiGate configuration, once the FortiClient is connected to the FortiGate, the client will receive these configuration options.
For FortiClient VPN configurations, once these features are enabled they may only be edited from the command line. Use the following FortiOS CLI commands to disable these features:
config vpn ipsec phase1-interface
    edit [vpn name]
        set save-password disable
        set client-auto-negotiate disable
        set client-keep-alive disable
    next
end
You can use FortiToken with FortiClient for two-factor authentication. See the FortiOS Handbook for information on configuring FortiToken, user groups, VPN, and two-factor authentication on your FortiGate device for FortiClient VPN connections.
Advanced features (Microsoft Windows)
When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.
When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, it is required to also check the check box Users must enter a username and password to use this computer in the User Accounts dialog box.
To make this change, proceed as follows:
In FortiClient:
On the Microsoft Windows system,
The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on to AD/Domain.
<forticlient_configuration>
  <vpn>
    <options>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
    </options>
  </vpn>
</forticlient_configuration>
To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.
The <redundantsortmethod>1</redundantsortmethod> tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.
SSL VPN supports priority based configurations for redundancy.
<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.
For SSL VPN, all FortiGate/EMS must use the same TCP port.
Advanced features (Mac OS X)
When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.
To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.
The <redundantsortmethod>1</redundantsortmethod> tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.
SSL VPN supports priority based configurations for redundancy.
<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.
For SSL VPN, all FortiGate/EMS must use the same TCP port.
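As an added example (not FortiClient's own code and not part of this documentation), the following Python reads the <server> lists from a profile fragment like those shown in the Windows and Mac OS X sections above, reports whether each IPsec tunnel selects its gateway by priority or by ping response, and checks the SSL VPN rule that all gateways use the same TCP port. Treating an SSL VPN gateway listed without an explicit port as port 443 is this example's assumption, not a documented default.

```python
import xml.etree.ElementTree as ET

# Constructed profile fragment modelled on the page's examples (the gateway
# addresses are the page's sample values; unrelated elements are omitted).
SAMPLE_PROFILE = """<forticlient_configuration><vpn>
 <ipsecvpn><connections><connection>
  <name>psk_90_1</name><type>manual</type>
  <ike_settings><prompt_certificate>0</prompt_certificate>
   <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
   <redundantsortmethod>1</redundantsortmethod>
  </ike_settings>
 </connection></connections></ipsecvpn>
 <sslvpn><connections><connection>
  <name>ssl_90_1</name>
  <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
 </connection></connections></sslvpn>
</vpn></forticlient_configuration>"""


def split_servers(server_text, default_port=None):
    """Split a semicolon-separated <server> list into (host, port) tuples;
    entries without an explicit ':port' get default_port."""
    gateways = []
    for entry in filter(None, (e.strip() for e in server_text.split(";"))):
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            gateways.append((host, int(port)))
        else:
            gateways.append((entry, default_port))
    return gateways


def ipsec_redundancy(xml_text):
    """Per IPsec tunnel: gateway list plus the selection order FortiClient
    uses, 'ping' when redundantsortmethod is 1, else 'priority' (list order)."""
    tunnels = {}
    for conn in ET.fromstring(xml_text).findall("./vpn/ipsecvpn/connections/connection"):
        ike = conn.find("ike_settings")
        method = ike.findtext("redundantsortmethod", default="0").strip()
        tunnels[conn.findtext("name")] = {
            "gateways": split_servers(ike.findtext("server", default="")),
            "sort": "ping" if method == "1" else "priority",
        }
    return tunnels


def sslvpn_port_check(xml_text, default_port=443):
    """Check the rule that all gateways of one SSL VPN tunnel use the same TCP
    port. Returns {name: (ok, sorted ports)}. Gateways listed without a port
    are assumed to use default_port (this example's assumption, not documented)."""
    report = {}
    for conn in ET.fromstring(xml_text).findall("./vpn/sslvpn/connections/connection"):
        ports = sorted({p for _, p in split_servers(conn.findtext("server", default=""), default_port)})
        report[conn.findtext("name")] = (len(ports) == 1, ports)
    return report
```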
VPN tunnel & script
This feature supports auto running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of a VPN tunnel configuration on FortiGate/EMS's XML format FortiClient Profile. The profile will be pushed down to FortiClient from FortiGate/EMS. When FortiClient's VPN tunnel is connected or disconnected, the respective script defined under that tunnel will be executed.
The script will map a network drive and copy some files after the tunnel is connected.
<on_connect>
  <script>
    <os>windows</os>
    <script>
      <script>
        <![CDATA[
          net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
          md c:\test
          copy x:\PDF\*.* c:\test
        ]]>
      </script>
    </script>
  </script>
</on_connect>
The script will delete the network drive after the tunnel is disconnected.
<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <script>
        <![CDATA[ net use x: /DELETE ]]>
      </script>
    </script>
  </script>
</on_disconnect>
The script will map a network drive and copy some files after the tunnel is connected.
<on_connect>
  <script>
    <os>mac</os>
    <script>
      /bin/mkdir /Volumes/installers
      /sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
      /sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
      /bin/mkdir /Users/admin/Desktop/dropbox/dir
      /bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.
    </script>
  </script>
</on_connect>
The script will delete the network drive after the tunnel is disconnected.
<on_disconnect>
  <script>
    <os>mac</os>
    <script>
      /sbin/umount /Volumes/installers
      /bin/rm -fr /Users/admin/Desktop/dropbox/*
    </script>
  </script>
</on_disconnect>
Application Firewall
FortiClient can recognize the traffic generated by a large number of applications. You can create rules to block or allow this traffic per category, or application.
In FortiClient, the application firewall feature is enabled in the FortiClient Profile. The profile includes application firewall configuration.
The FortiClient Endpoint Control feature enables the site administrator to distribute an Application Control sensor from FortiGate/EMS.
On the FortiGate, the process is as follows:
- Create an Application Sensor and Application Filter on the FortiGate.
- Add the Application Sensor to the FortiClient Profile on the FortiGate.
On EMS, the application firewall is part of the endpoint profile.
Step 1: Create a custom Application Control Sensor
Name | Enter a unique name for the application sensor. |
Comments | Enter an optional comment for the application sensor. |
Categories | Select categories to allow or block. |
Allow | The application category or application signature will be allowed in FortiClient Application Firewall. |
Monitor | The application category or application signature will be allowed in FortiClient Application Firewall. FortiClient will allow application traffic but will not monitor. |
Block | The application category or application signature will be blocked in FortiClient Application Firewall. |
View Signatures | Select to view signatures and add filters to the category. |
Application Overrides | Select Add Signatures to add application signatures and set the category. An application which belongs to a blocked category can be set to allow. |
Filter Overrides | Select Add Filter to add filters to the sensor. |
Options | The options set in the FortiOS application sensor are ignored by FortiClient application firewall. |
Step 2: Add the Application Control Sensor to the FortiClient Profile
The FortiGate will send the FortiClient Profile configuration update to registered clients.
The Application Firewall tab is now available in FortiClient.
To add application firewall to an endpoint profile:
To view the application firewall profile, select Show all.
To view blocked applications, select the Applications Blocked link in the FortiClient console. This page lists all applications blocked in the past seven days, including the count and time of last occurrence.