Monthly Archives: May 2016

Web Security / Web Filter – FortiClient 5.4

8 Replies

Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.

When FortiClient is not registered to FortiGate, you can enable or disable the Web Security feature. You can define what sites are allowed, blocked, or monitored and view violations.

Enable/Disable Web Security

To enable or disable FortiClient Web Security, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.

Enable/Disable Select to enable or disable Web Security.
X Violations (In the Last 7 Days) Select to view Web Security log entries of the violations that have occurred in the last 7 days.
Settings Select to configure the Web Security profile, exclusion list, and settings, and to view violations.

Web Security profile

You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories. Select the settings icon, then select the site category. Select the action icon, then select the action in the drop-down menu for each category or sub-category.

Web Security exclusion list

Allow Set the category or sub-category to Allow to allow access.
Block Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.
Warn Set the category or sub-category to Warn to block access. The user will receive a Web Page Blocked message in the web browser. The user can select to proceed or go back to the previous web page.
Monitor Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list.

Web Security exclusion list

To manage the exclusion list, select the settings icon then select Exclusion List from the menu. You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt. Use the add icon to add URLs to the exclusion list. If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.

Web Security settings

Configure the following settings:

Exclusion List Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection.
URL Enter a URL or IP address.
Type Select one of the following pattern types from the drop-down list:

l Simple l Wildcard l RegularExpression
Actions Select one of the following actions from the drop-down list:

Block: Block access to the web site regardless of the URL category or sub-category action.

Allow: Allow access to the web site regardless of the URL category or sub-category action.

Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established.

Web Security settings

To configure web security settings, select the settings icon then select Settings from the menu.

View violations

Configure the following settings:

Enable Site Categories Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list.
Log all URLs Select to log all URLs.
Identify user initiated web browsing Select to identify web browser that is user initiated.

View violations

To view Web Security violations, either select the settings icon then select Violations from the menu, or select X Violations (In the Last 7 Days).

 

Website The website name or IP address.
Category The website sub-category.
Time The date and time that the website was accessed.
User The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message.

Web Filter

When FortiClient is registered to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.

The FortiClient Endpoint Control feature enables the site administrator to distribute a Web Filter profile from a FortiGate or add web filtering to an endpoint profile on EMS.

On a FortiGate device, the overall process is as follows:

l Create a Web Filter profile on the FortiGate, l Add the Web Filter profile to the FortiClient Profile on the FortiGate.

On EMS, web filtering is part of the endpoint profile.

Filter

FortiGate

Step 1: Create a Web Filter Profile on the FortiGate

Use the following steps to create a custom Web Filter profile on the FortiGate:

  1. Go to Security Profiles > Web Filter.
  2. To create a new profile, click the create new icon in the toolbar. The New Web FilterProfile page opens.
  3. Configure the following settings:

 

Name Enter a name for the Web Filter profile.
Comments Enter a description in the comments field. (optional)
Inspection Mode This setting is not applicable to FortiClient.
FortiGuard Categories Select category and sub-category actions.

l  In FortiClient5.4.0, the Security Risk category is part of the AntiVirus module. The Local Categories category is not applicable to FortiClient. The Authenticate and Disable actions are not applicable to FortiClient.

l  When FortiGuard Categories is disabled, FortiClient will be protected by the Exclusion List configured in the URL in the

FortiClient profile.
Categories Usage Quota This setting is not applicable to FortiClient.
Allow users to override blocked categories This setting is not applicable to FortiClient.
Search Engines  
Enforce ‘Safe Search’ Select to enable search engine Safe Search on Google, Yahoo!, Bing, and Yandex.
YouTube

Education Filter

 Select to enable the YouTube educational filter and enter your filter code. The filter blocks non-educational content as per your YouTube filter code.
Log all search keywords This setting is not applicable to FortiClient.
Static URL Filter  
Block invalid

URLs

 This setting is not applicable to FortiClient.
URL Filter Select to enable URL filter. Select Create New to add a URL to the list. For Type, select one of Simple, Reg. Expression, or Wildcard. For Action, select one of Exempt, Block, Allow, or Monitor. For Status, select either Enable or Disable.

FortiClient does not support the Exempt action. Any URLs in the URL filter with an exempt action will be added to the FortiClient Exclusion List with an allow action.
Block malicious URLs discovered by FortiSandbox Select to block URLs that have been marked as malicious by FortiSandbox. A FortiSandbox device or cloud must be configured.

Filter

Web Content

Filter

 This setting is not applicable to FortiClient.
Rating Options These settings are not applicable to FortiClient.
Proxy Options These settings are not applicable to FortiClient.
  1. Select OK to save the profile.

Step 2: Add the Web Filter profile to the FortiClient Profile

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile then select Edit. The Edit FortiClient Profile page is displayed.
  3. Enable Web Filter, then select the Web Filter profile from the drop-down list.
  4. Optionally, select to enable Client Side when On-Net.
  5. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

The Web Filtering module is now available in FortiClient.

EMS

To add web filtering to an endpoint profile:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Web Filter
  3. Select the on/off button to add web filtering to the profile.
  4. Adjust the web filter settings as required, then select Save to save your changes.

 

Antivirus

Leave a reply

Antivirus

This chapter includes the following sections:

l FortiClient Antivirus l Antivirus logging l Antivirus options l Endpoint control

FortiClient Antivirus

FortiClient includes an antivirus module to scan system files, executable files, removable media, dynamic-link library (DLL) files, and drivers. FortiClient will also scan for and remove rootkits. In FortiClient, File Based Malware, Malicious Websites, Phishing, and Spam URL protection is part of the antivirus module. Scanning can also be extended using FortiSandbox.

This section describes how to enable and configure antivirus options.

Enable or disable antivirus

To enable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Disabled. The real-time protection settings page will open.
  2. Select Scan files as they are downloaded orcopied to my system.
  3. Select OK.

If you have another antivirus program installed on your system, FortiClient will show a warning that your system may lock up due to conflicts between different antivirus products.

To disable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Enable. The real-time protection settings page will open.
  2. Deselect Scan files as they are downloaded orcopied to my system.
  3. Select OK.

Conflicting antivirus warning

FortiSandbox

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

This option cannot be configured on a registered endpoint, and must instead be configured on the FortiGate/EMS.

To extend scanning using FortiSandbox:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Extend scanning using FortiSandbox.
  3. Enter the FortiSandbox IP address, then select Test to ensure that the connection is correct.
  4. Optionally, select Identify malware & exploits using signatures received from FortiSandbox.
  5. Select OK to apply your changes.

Blocking access and communication channels

To block access to malicious websites and known communication channels used by attackers:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Block all access to malicious websites and Block known communication channels used by attackers.
  3. Select OK to apply your changes.

Notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the notifications icon will change from gray to yellow.

Event notifications include:

  • Antivirus events including scheduled scans and detected malware. l Endpoint Control events including configuration updates received from FortiGate.
  • WebFilter events including blocked web site access attempts. l System events including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

Scan now

To perform on-demand antivirus scanning, select the Scan Now button in the FortiClient console. Use the dropmenu to select Custom Scan, Full Scan, Quick Scan, or Removable media Scan. The console displays the date of the last scan to the left of the button.

  • Custom Scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.
  • Full Scan runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan including all files, executable files, DLLs, and drivers for threats.
  • Quick System Scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, and drivers that are currently running for threats.
  • Removable media Scan runs the rootkit detection engine to detect and remove rootkits. It scans all connected removable media, such as USB drives.

Scan a file or folder on your workstation

To perform a virus scan a specific file or folder on your workstation, right-click the file or folder and select Scan with FortiClient AntiVirus from the menu.

Submit a file for analysis

You can select to send up to 5 files a day to FortiGuard for analysis. To submit a file, right-click a file or executable and select Submit foranalysis from the menu. A dialog box will be displayed which allows you to see the number of files you have submitted. Confirm the location of the file you want to submit then select the Submit button.

View FortiClient engine and signature versions

To view the current FortiClient version, engine, and signature information, select Help in the toolbar, and select About in the menu. Hover the mouse over the status field to see the date and time that FortiClient last updated the selected item.

When FortiClient is registered to FortiGate for endpoint control, you can select to use a FortiManager device for client software and signature updates. When configuring the FortiClient profile, select Use FortiManagerforclient software/signature updates to enable the feature and enter the IP address of your FortiManager device. You can select to failover to FDN when FortiManager is not available.

Schedule antivirus scanning

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Scheduled Scan tab to schedule antivirus scanning.

Scans cannot be scheduled on registered endpoint.

Configure the following settings:

Schedule Type Select Daily, Weekly, or Monthly from the drop-down list.
Scan On For Weekly scheduled scan, select the day of the week in the drop-down list.

For Monthly scheduled scan, select the day of the month in the drop-down list.
Start Select the time of day that the scan starts. The time format uses a 24-hour clock.
Scan Type Select the scan type:

Quick system scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, drivers that are currently running for threats.

Full system scan runs the rootkit detection engine to detect and remove rootkits. It then performs a full system scan including all files, executable files, DLLs, and drivers for threats.

Custom scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.

You cannot schedule a removable media scan. A full scan will scan removable media.
Disable Scheduled Scan Select to disable scheduled scan.

Select OK to save the setting and return to the main FortiClient console page.

If you configure monthly scans to occur on the 31st of each month, the scan will occur on the first day of the month for those months with less than 31 days.

Add files/folders to an exclusion list

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Exclusion List tab.

To add files/folders to the antivirus exclusion list, select the add icon and then select Add file or Add folder from the drop-down list. Any files or folders in this exclusion list will not be scanned. Select the minus icon to remove files or folders from the list.

Select OK to save the setting and return to the FortiClient console page.

View quarantined threats

To view quarantined threats, select the X Threats Detected link in the FortiClient console, then select the Quarantined Files tab. In this page you can view, restore, or delete the quarantined file. You can also view the original file location, the virus name, submit the suspicious file to FortiGuard, and view logs.

This page displays the following:

File Name The name of the file.
Date Quarantined The date and time that the file was quarantined by FortiClient.
Refresh Select to refresh the quarantined files list.
Details Select a file from the list to view detailed information including the file name, original location, date and time that the virus was quarantined, the submitted status, status, virus name, and quarantined file name.
Logs Select to view FortiClient log data.
Refresh Select to refresh the list.
Submit Select to submit the quarantined file to FortiGuard. Press and hold the control key to submit multiple entries.
Restore Select to restore the quarantined file. A confirmation dialog box will be displayed. You can select Yes to add this file/folder to the exclusion list, No to restore the file, or

Cancel to exit the operation. Press and hold the control key to restore multiple entries.
Delete Select to delete the quarantined file. A confirmation dialog box will be displayed, select Yes to continue. Press and hold the control key to delete multiple entries.
Close Select to close the page and return to the FortiClient console.

View site violations

To view site violations, select the X Threats Detected link in the FortiClient console, then select the Site Violations tab. On this page you can view site violations and submit sites to be re-categorized.

This page displays the following:

Website Displays the name of the website.
Time Displays the date and time of the site violation.
Refresh Select to refresh the site violation list.
Details Select an entry in the list to view site violation details including the website name, category, date and time, user name, and status.

Select the category link to request to have the site category re-evaluated.

View alerts dialog box

When FortiClient antivirus detects a virus while attempting to download a file via a web-browser, you will receive a warning dialog message.

Select View recently detected virus(es) to collapse the virus list. Select a file in the list and right-click to access the context menu.

Delete Select to delete a quarantined or restored file.
Quarantine Select to quarantine a restored file.
Restore Select to restore a quarantined file.
Submit Suspicious File Select to submit a file to FortiGuard as a suspicious file.
Submit as False Positive Select to submit a quarantined file to FortiGuard as a false positive.
Add to Exclusion List Select to add a restored file to the exclusion list. Any files in the exclusion list will not be scanned.
Open File Location Select to open the file location on your workstation.

When Alert when viruses are detected under AntiVirus Options on the Settings page is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.

Realtime Protection events

When an antivirus real-time protection event has occurred you can select to view these events in the FortiClient console. From the AntiVirus tab, select X Threats Detected, then select Real-time Protection events (x) in the left pane. The realtime_scan.log will open in the default viewer.

Example log output:

Realtime scan result: time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com

 

logging

time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com.txt

time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicarcom2.zip

time: 09/29/15 10:46:08, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar_com.zip

time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\3g_bl8y9.com.part

time: 03/18/15 10:48:13, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\xntwh8q1.zip.part

Antivirus logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.

Configure the following settings:

Enable logging for these features Select antivirus to enable logging for this feature.
Log Level Select the level of logging:

Emergency: The system becomes unstable. l Alert: Immediate action is required. l Critical: Functionality is affected. l Error: An error condition exists and functionality could be affected. l Warning: Functionality could be affected. l Notice: Information about normal events.

Information: General information about system operations. l Debug: Debug FortiClient.
Log file  
Export logs Select to export logs to your local hard disk drive (HDD) in .log format.
Clear logs Select to clear all logs. You will be presented a confirmation window, select Yes to proceed.

Antivirus options

For information on configuring antivirus options, see Antivirus options on page 109.

Endpoint control

Endpoint control

When FortiClient is registered to FortiGate/EMS for endpoint control, FortiClient receives configuration and settings via the FortiClient Profile configured on the device.

To enable antivirus protection on FortiGate:

  1. Log in to your FortiGate.
  2. In the left tree menu, select Security Profiles > FortiClient Profiles.
  3. In the right pane, in the Edit FortiClient Profile page, in the Security tab, enable AntiVirus.
  4. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

To enable antivirus protection on EMS:

  1. Log in to the EMS.
  2. Go to Endpoint Profiles and select a profile to edit.
  3. In the right pane, select AntiVirus Protection to enable antivirus protection and configure as needed.
  4. Select Save to save the profile.

The EMS will send the FortiClient Profile configuration update to registered clients.

Antivirus profile settings

FortiGate and EMS share similar settings for antivirus profiles. EMS also includes advanced options.

Endpoint control

After enabling antivirus protection on FortiGate/EMS, the following settings can be configured:

Scan Downloads Scan files as they are downloaded or copied to my system.
Scan with FortiSandbox Extended scanning using FortiSandbox.

FortiClient will send supported files downloaded over the internet to

FortiSandbox if they cannot be detected by the local, real-time scanning
FortiSandbox IP address The IP address of the FortiSandbox device.
Wait for

FortiSandbox results

 Wait for FortiSandbox results before allowing file access.
Use FortiSandbox signatures Identify malware & exploits using signatures or URLs received from FortiSandbox.

Endpoint control

Block malicious websites Block all access to malicious websites.

EMS also has the option of using the exclusion list defined in the web filter profile.
Block attack channels Block known communcation channels used by attackers.
Alert when viruses are detected This option is EMS only.
Schedule Scan Schedule automatic scans daily, weekly, or monthly at a specific time of day. Quick, Full, and Custom scans can be run automatically.
Excluded Paths Files or folders that are not scanned.

Advanced options available on EMS only include:

Scan Downloads Files that are scanned as they are downloaded or copied to the system can be treated in one of the following ways:

l Clean infected files (quarantine if cannot clean) l Repair infected files (quarantine if cannot clean) l Warn the user if a process attempts to access infected files l Quarantine infected files l Deny access to infected files
Scan with FortiSandbox If waiting for FortiSandbox results is enabled, access to downloaded files can be denied if FortiSandbox is offline.
Scan compresses files Scan compressed files that are up to a specified size (default: 10Mb).
Scan email Scan email messages and attachments.
User process scanning l Scan files when processes read or write them l Scan files when processes read them l Scan files when processes write them
Scan network files Scan network files.
System process scanning l Scan files when system processes read or write them l Scan files when system processes read them l Scan files when system processes write them l Do not scan files when system processes read or write them

Endpoint control

On demand scanning Configure on-demand file scan options.

l Clean infected files (quarantine if cannot clean) l Repair infected files (quarantine if cannot clean) l Warn the user if a process attempts to access infected files l Quarantine infected files
Integrate FortiClient into Windows Explorer’s mouse menu Add the options to Scan with FortiClient AntiVirus and Submit foranalysis to the Windows Explorer right-click menu.
Pause scanning when running on battery power Pause a scanning process when the computer is running on battery power.
Automatically submit suspicious files to FortiGuard for analysis Submit all files to FortiGuard for analysis.
Scan compresses

files

 Scan compressed files that are up to a specified size (default: 10Mb, 0 means unlimited)
Maximize scan speed Select the amount of memory a computer must have before FortiClient maximizes its scan speed. One of: 4MB, 6MB, 8MB, 12MB, 16MB.
More Options Enable or disable various other options, including:

l Scan for rootkits l Scan for adware l Scan for riskware l Enable advanced heuristics l Scan removable media on insertion l Scan mime files (inbox files) l Enable FortiGuard Analytics l Notify logged in users if their AntiVirus signatures expire

 

End Point Management

2 Replies

Endpoint Management

The purpose of this section is to provide basic instructions on how to configure, deploy, and manage FortiClient configurations from your FortiGate device or EMS.

Configure endpoint management

With FortiClient 5.4 and newer, configuration and management of endpoints can be handled by a FortiGate device or FortiClient EMS.

You can configure your FortiGate device or EMS to discover new devices on the network, enforce FortiClient registration, and deploy pre-configured profiles to connected devices. Multiple profiles can be configured.

The FortiClient profile consists of the following sections:

  • Antivirus Protection l Web Category Filtering

You can select the web filtering security profile to associate with the FortiClient profile. You can also select to enable Web Filtering when the client is protected by the FortiGate/EMS (On-Net).

  • VPN

Select to enable client VPN provisioning. You can specify the VPN name, type, gateway and other settings the client will use to connect to your FortiGate device via the VPN connection. Two-factor authentication is configured in the FortiGate VPN configuration.

  • Application Firewall

You can select the application control sensor to associate with the FortiClient profile.

  • Endpoint Vulnerability on Client

You can select to scan daily, weekly or monthly. You can also select to scan the client after registration with your FortiGate device. Vulnerability Scan must be enabled via the CLI in order for it to be displayed in the FortiClient Profile.

  • Upload logs to FortiAnalyzer/FortiManager

You can select to use the same IP address as the FortiGate device or specify a different device IP address. You can specify the frequency of the log upload. FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer/FortiManager.

  • Use FortiManager for client software/signature update

Select to enable this feature and enter the IP address of your FortiManager device. You can select to failover over to the FortiGuard Distribution Network (FDN) when the FortiManager is not available.

  • Dashboard Banner

You can select to display or hide the FortiClient advertisement banner. FortiClient ads are downloaded from the FortiGuard Distribution Servers.

Select if profile details may be displayed before endpoint control registration is completed.

  • Client-based Logging when On-Net

Select to enable client-based logging when protected by the FortiGate/EMS (On-Net).

See the FortiOS Handbook or the FortiClient EMS Administration Guide for more information on configuring your device, .

FortiGate

Configure endpoint management on the FortiGate device:

  1. Enable device management and broadcast discovery messages.
    1. Go to Network > Interfaces, select the applicable interface, then select Edit in the toolbar.
    2. On the Edit Interface page you can select to enable Detect and Identify Devices.
    3. To enable Broadcast Discovery Messages (optional) you must first enable FCT-Access under Administrative Access.
    4. Select OK to save the setting.

Broadcast Discovery Messages is an optional configuration. When enabled, the FortiGate will broadcast messages to your network, allowing client connections to discover the FortiGate for FortiClient registration. Without this feature enabled, the user will enter the IP address or URL of the FortiGate to complete registration.

  1. Configure the following settings:
Administrative Access Select the checkbox for FCT-Access. This option is available for both IPv4 and IPv6 Administrative Access.
Security Mode Select None or Captive Portal. When selecting Captive Portal, users are forwarded to a captive portal where they need to enter their username and password to authenticate with the FortiGate. You can customize the portal message and specify user groups.

This option is available when Addressing mode is set to Manual.
Device Management  
Detect and

Identify Devices

 Select to detect and identify devices on the selected interface.
Broadcast

Discovery

Messages

 Once enabled, the FortiGate unit broadcasts a discovery message that includes the IP address of the interface and listening port number to the local network. All PCs running FortiClient on that network listen for this discovery message.

This option is available when FCT-Access is enabled.
  1. When configuring FortiClient access on an internal interface, you can select to send users to a captive portal.
Security Mode Select Captive Portal from the drop-down list
Authentication Portal Select either Local or External. When selecting External, you can specify the link path.
User Groups Select user groups from the drop-down list.

FortiClient does not support nested groups in FortiOS.
Exempt List Select an exempt list from the drop-down list.
Customize Portal Messages Enable and select the edit icon to edit the portal replacement message.

Configure the FortiClient profile:

  1. To configure the FortiClient profile, go to Security Profiles > FortiClient Profiles. You can edit the default profile or create a new FortiClient profile.
  2. Configure the following settings:

 

Toolbar Options FortiClient Profile page

Select Create New to create a new FortiClient profile. Select a profile in the list and select Edit to edit the FortiClient Profile. Select a profile in the list and select Delete to delete the

FortiClient Profile.

Edit FortiClient Profile page

Select the create new icon to create a new FortiClient profile. Select the clone icon to create a clone of an existing FortiClient profile. Select the view list icon to view FortiClient profiles and assignment.
Profile Name When editing the default profile, the name cannot be changed. When creating a new FortiClient profile, XSS vulnerability characters are not allowed.

Enter a name for the new FortiClient profile.
Comments Enter a profile description. (optional)
Assign to Profile To: l Device Groups: Select device groups in the drop-down list. Use the add icon to assign multiple device groups to the FortiClient profile, for example Mac and Windows PC. l User Groups: Select user groups in the drop-down list. l Users: Select users in the drop-down list. l Source Address: Select source addresses.

These options are only available when creating a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.

FortiClient does not support nested groups in FortiOS.
On-Net Detection By Address Select addresses from the drop-down list to enable On-Net detection on them.
Security  
AntiVirus Toggle the button on or off to enable or disable this feature.
Web Filter Toggle the button on or off to enable or disable this feature.

When enabled, you can select a web filter profile in the drop-down list. Select the checkbox to disable web category filtering on the client when protected by the FortiGate (On-net).
Application Firewall Toggle the button on or off to enable or disable this feature.

When enabled, you can select an application control sensor in the dropdown list.
VPN Toggle the button on or off to enable or disable this feature.

Select the checkbox for Client VPN Provisioning. When enabled, you can configure multiple IPsec VPN and SSL VPN connections.

Use the add icon to add additional VPN connections. Enter the VPN name, type, remote gateway, and authentication method information.

Select the checkbox to auto connect to a VPN when the client is Off-Net.

Select a VPN from the drop-down list.
Advanced  
Install CA Certificates Select to install CA certificates.
Disable

Unregister

Option

 Select to disable the option of unregistering from the FortiGate.
Upload Logs to

FortiAnalyzer

 Toggle the button on or off to enable or disable this feature.

When enabled, you can select to use the same FortiAnalyzer/FortiManager used by the FortiGate or select Specify to enter a different device IP address. You can set the schedule to hourly or daily. The FortiClient upload logs to the FortiAnalyzer/FortiManager only when it is able to connect to the device on the specified IP address.

FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer/FortiManager.

When upgrading from FortiOS 5.2 to 5.4, a FortiClient 5.4 license must be applied against the FortiGate for this option to be available in the FortiClient Profile. Optionally, you can enable this setting in the FortiOS CLI.
FortiManager updates Toggle the button on or off to enable or disable this feature.

When enabled, you can specify the IP address of the FortiManager. Select the checkbox to failover to the FortiGuard Distribution Network when the FortiManager is not available.
Dashboard Banner Toggle the button on or off to enable or disable this feature.
Client-based Logging when Toggle the button on or off to enable or disable this feature.
  1. Select Apply to save the FortiClient profile setting.

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference forFortiOS.

For information on configuring firewall policies for Endpoint Management, see the FortiOS Handbook -The Complete Guide forFortiOS.

Configure firewall policies (Optional):

  1. To configure a firewall policy for Endpoint Management, go to Policy & Objects > IPv4 Policy and select Create New in the toolbar. The New Policy window is displayed.
  2. Configure the policy as required. Select the source user(s) and source device types from the drop-down list.
  3. Toggle Compliant with FortiClient Profile to ON. Users will be redirected (via a web browser) to a dedicated portal where they can download the client. Once registered to the FortiGate, the FortiClient profile will be assigned.
  4. Select OK to save the rule.

After the FortiGate configuration has been completed, you can proceed with FortiClient configuration. Configure your Windows PC on the corporate network with the default gateway set to the IP address of the FortiGate.

FortiClient endpoint network topologies

The following FortiClient Profile topologies are supported:

  1. Client is directly connected to FortiGate; either to a physical port, switch port or WiFi SSID.

This topology supports client registration, configuration sync, and FortiClient profile enforcement.

  1. Client is connected to FortiGate, but is behind a router or NAT device. This topology supports client registration and configuration sync.
  2. Client is connected to FortiGate across a VPN connection.

This topology supports client registration, configuration sync, and FortiClient profile enforcement.

Network topologies

Configure FortiClient for endpoint management:

  1. Download and install the FortiClient software.

Open a web browser from your workstation and attempt to open a web page, the web page will be directed to the NAC Download Portal. Follow the instructions in the portal to download and install FortiClient.

To allow users to download FortiClient, you must enable this setting in the SSL VPN Portal on your FortiGate device. To enable this feature, go to VPN > SSL-VPN Portals and select Create New in the toolbar.

To configure NAC download portal endpoint control replacement messages, go to

System > Replacement Message. Select Extended View in the toolbar to display Endpoint Control replacement messages for Android, iOS, Mac, Windows, and other.

  1. Register FortiClient.

After FortiClient completes installation, FortiClient will automatically launch and search for a FortiGate device for registration.

There are four ways that the FortiClient/FortiGate communication is initiated:

l FortiClient will attempt to connect to the default gateway IP address; l FortiClient will attempt endpoint control registration over VPN (if configured on the FortiGate); l FortiClient will attempt to connect to a remembered FortiGate; l FortiClient will attempt to connect to a redundant FortiGate.

FortiClient will search for available FortiGate devices to complete registration. You can include the option to prompt the user to enter the FortiClient registration key password. Select the RegisterEndpoint button in the FortiClient console to retry the search.

If FortiClient is unable to detect a FortiGate device, enter the IP address or URL of the device and select the

Go icon. When FortiClient locates the FortiGate, you will be prompted to confirm the registration. Select the Accept button to complete registration. Upon successful registration, the FortiGate will send the FortiClient profile configuration.

  1. Deploy the FortiClient profile from the FortiGate device.

The FortiGate will deploy the FortiClient profile after registration is complete. This FortiClient profile will permit traffic through the FortiGate. A system tray bubble message will be displayed once update is complete.

The FortiClient console will display that it is successfully registered to the FortiGate. The FortiClient profile is installed on FortiClient.

Deploy the FortiClient profile to clients over a VPN connection:

  1. In the FortiClient console, select the RegisterEndpoint Enter the IP address and port number (if required) of the FortiGate’s internal interface and select the Go icon.
  2. Configure an IPsec VPN connection from FortiClient to the management FortiGate. For more information on configuring IPsec VPN see Create a new IPsec VPN connection on page 87.
  3. Connect to the VPN.
  4. You can now search for the FortiGate gateway. For more information see Register FortiClient.
  5. After registration, the client is able to receive the FortiClient profile.

When creating a new FortiClient VPN (IPsec) or SSL VPN tunnel configuration on your

FortiGate device, you must enable Endpoint Registration. See the IPsec VPN for FortiOS and SSL VPN forFortiOS sections of the FortiOS Handbook for more information.

Pages: 1 2

What’s New in FortiClient 5.4

1 Reply

What’s New in FortiClient 5.4

The following is a list of new features and enhancements in FortiClient 5.4.

This document was written for FortiClient (Windows) 5.4.0. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.0.

New features in FortiClient 5.4.0

The following is a list of new features in FortiClient version 5.4.0.

Antivirus

Advanced Persistent Threats

FortiClient 5.4.0 has enhanced capabilities for the detection of Advanced Persistent Threats (APT). There are two changes added in this respect:

l Botnet Command and Control Communications Detection l FortiSandbox integration (Windows only)

Botnet Communication Detection

Botnets running on compromised systems usually generate outbound network traffic directed towards Command and Control (C&C) servers of their respective owners. The servers may provide updates for the botnet, or commands on actions to execute locally, or on other accessible, remote systems. When the new botnet feature is enabled, FortiClient monitors and compare network traffic with a list of known Command and Control servers. Any such network traffic will be blocked.

FortiSandbox Integration

FortiSandbox offers the capabilities to analyze new, previously unknown and undetected virus samples in realtime. Files sent to it are scanned first, using similar Antivirus (AV) engine and signatures as are available on the FortiOS and FortiClient. If the file is not detected but is an executable file, it is run (sandboxed) in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

What’s New in FortiClient 5.4                                                                     New features in FortiClient 5.4.0

Enhanced Real-Time Protection Implementation

The Real-Time Protection (RTP) or on-access feature in FortiClient uses tight integration with Microsoft Windows to monitor files locally, or over a network file system, as they are being downloaded, saved, run, copied, renamed, opened, or written to. The FortiClient driver coupling with Windows has been re-written to use modern APIs provided by Microsoft. All basic features remain the same, with a few minor differences in behavior. Some noticeable performance enhancements could be observed in various use case scenarios.

Web Filtering

Web Browser Usage and Duration

If configured, FortiClient will record detailed information about the user’s web browser activities, such as:

l A history of websites visited by the user (as shown in regular web browser history) l An estimate of the duration or length of stay on the website.

These logs are sent to FortiAnalyzer, if configured. With FortiAnalyzer 5.4.0 or newer, the FortiClient logs sent from various endpoints may be viewed in FortiView.

VPN

Authorized Machine Detection

For enterprises where new computers may be brought into the organization by employees, FortiClient can be configured to check or identify the computer before allowing it to establish IPsec VPN or SSL VPN connections to the FortiGate. The administrator may configure restrictions with one or more of the following:

l Registry check: Ensure a specific registry path contains a predetermined value l File check: Verify the existence of a specific file at a specified location l Application check: Ensure that a specific application is installed and running

The verification criteria can be configured using advanced FortiClient XML configurations on the FortiGate or Enterprise Management Server (EMS).

New features in FortiClient 5.4.0                                                                     What’s New in FortiClient 5.4

New SSL VPN Windows driver

The FortiClient SSL VPN driver pppop.sys was re-written to use the latest Microsoft recommended CoNDIS WAN driver model. The new driver is selected when FortiClient is installed on Windows 7 or newer. The SSL VPN driver included in the previous versions of FortiClient will still be maintained.

New IPsec VPN Windows drivers

FortiClient IPsec VPN drivers have been updated to support Microsoft Windows NDIS 6.3 specification. The new drivers are compatible with Microsoft Windows 8.1 or newer.

Support for DTLS

FortiClient SSL VPN connections to FortiGate now support Datagram Transport Layer Security (DTLS) by using User Datagram Protocol (UDP) as the transport protocol. Previously FortiClient SSL VPN connections supported only Transport Control Protocol (TCP). You can now use FortiGate to configure SSL VPN connections that use DTLS. You cannot use FortiClient to configure SSL VPN connections that use DTLS. When FortiClient endpoints use a DTLS-enabled SSL VPN connection with FortiGate, and FortiGate communicates DTLS support, FortiClient uses DTLS via UDP. If DTLS fails, FortiClient will fall back to use TLS to establish an SSL VPN connection.

Endpoint Control

Integration with the new Enterprise Management Server

The Enterprise Management Server (EMS) is a new product from Fortinet for businesses to use to manage their computer endpoints. It runs on a Windows Server, not requiring a physical Fortinet device. Administrators may use it to gain insight into the status of their endpoints. The EMS supports devices running Microsoft Windows, Mac OS X, Android, and iOS.

FortiClient Endpoint Control (EC) protocol has been updated to seamlessly integrate with the EMS. Various changes were added to support EMS features, including:

l Deployment of FortiClient to new Microsoft Windows devices l Continuous monitoring of device statuses l AV engine and signature update status reports l AV scanning schedules and requests for AV scans l Notifications about protection statuses.

What’s New in FortiClient 5.4                                                                     New features in FortiClient 5.4.0

FortiGate Network Access Control when FortiClient is Deployed using EMS

The new EMS can be used to deploy FortiClient to a large number of Microsoft Windows endpoints. While creating a profile for FortiClient deployment, the EMS administrator can choose to configure the FortiClient to register to the same EMS, or to a FortiGate.

Changes in FortiClient 5.4.0 allow the EMS administrator to deploy FortiClient to endpoints, and configure it to register to a FortiGate, while simultaneously notifying the EMS of its registration status. The FortiClient EC registration to the FortiGate is required for Network Access Compliance (NAC). The administrator can configure the FortiGate to allow access to network resources only if the client is compliant with the appropriate interface EC profile.

Quarantine an Infected Endpoint from the FortiGate or EMS

A computer endpoint that is considered to be infected may be quarantined by the FortiGate or EMS administrator. FortiClient needs to be online, using EC, and registered to the FortiGate or EMS.

Once quarantined, all network traffic to or from the infected endpoint will be blocked locally. This allows time for remediation actions to be taken on the endpoint, such as scanning and cleaning the infected system, reverting to a known clean system restore point, or re-installing the operating system.

The administrator may un-quarantine the endpoint in the future from the same FortiGate or EMS.

Importing FortiGate CA Certificate after EC Registration

When the FortiGate is configured to use SSL deep inspection, users visiting encrypted websites will usually receive an invalid certificate warning. The certificate signed by the FortiGate does not have a Certificate Authority (CA) at the endpoint to verify it. Users can manually import the FortiGate CA certificate to stop the error from being displayed, however, all users will have to do the same.

When registering EC to a FortiGate, the FortiClient will receive the FortiGate’s CA certificate and install it into the system store. If Firefox is installed on the endpoint, the FortiGate’s CA certificate will also be installed into the Firefox certificate store. This way the end user will no longer receive the invalid certificate error message when visiting encrypted websites.

Enhancement to On-net/Off-net Configuration

The on-net feature requires the use of a FortiGate as a DHCP server. This is usually configured on the same FortiGate that the FortiClient will be registered. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off- net.

New features in FortiClient 5.4.0                                                                     What’s New in FortiClient 5.4

There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided.

FortiClient will be on-net if:

l It is registered using EC to the FortiGate, l It belongs to one of the pre-configured on-net subnets, or l It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.

FortiClient GUI

Antivirus Settings Page

With the introduction of botnet detection, and the integration with FortiSandbox with FortiClient (Windows), the AV settings page on the FortiClient GUI has been updated to allow configuration of the new features. The AV settings page is accessible from the FortiClient dashboard. Select the AV tab on the left pane. Then click the settings icon on Real-Time Protection in the right pane. The following may be selected on the AV settings page:

  • File scanning (previously, Real-Time Protection or RTP) l Scan unknown, supported files using FortiSandbox (Windows only) l Malicious website detection
  • Botnet detection (block known communication channels)

FortiClient Banner Design

If FortiClient (full version or VPN only) is running in standalone mode and not registered to a FortiGate or EMS, a single banner at the bottom of the GUI is displayed. When registered to a FortiGate or EMS, the banner is hidden by default. Similarly, when created from a FortiClient Configurator (Windows) or Repackager (OS X), no banner is displayed by default.

Logging

Enhancement to FortiClient logs

FortiClient will create a log entry to show just the URL visited by the user through a web browser. This is in addition to the network level logs generated by FortiClient.

Pages: 1 2 3 4

FortiClient 5.4.0 Administration Guide – Introduction

Leave a reply

Introduction

FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet’s Advanced Threat Protection (ATP) to end user devices. As the endpoint is the ultimate destination for malware that is seeking credentials, network access, and sensitive information, ensuring that your endpoint security combines strong prevention with detection and mitigation is critical.

This document provides an overview of FortiClient 5.4.0.

This document was written for FortiClient (Windows) 5.4.0. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.0.

FortiClient features

FortiClient offers two licensing modes: Standalone mode and Managed mode. It can also be integrated with FortiSandbox.

The following table provides a feature comparison between the standalone client (free version) and the managed client (licensed version).

Standalone Client (Free Version) Managed Client (Licensed Version)
Installation Options l Complete: All Endpoint Security and VPN components will be installed.

l  VPN Only: only VPN components (IPsec and

SSL) will be installed.

l  Create a custom FortiClient installer using the FortiClient Configurator tool using the trial mode. In trial mode, all online updates are disabled.

 Installation Options l Complete: All Endpoint Security and VPN components will be installed.

l VPN Only: only VPN components (IPsec and

SSL) will be installed. l Create a custom FortiClient installer using the FortiClient Configurator tool.
Threat Protection l Real-time Antivirus Protection l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware) Threat Protection l Real-time Antivirus Protection l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware) l Cloud Based Behavior Scanning
Web Content l Web Filtering l YouTube Education Filter Web Content l Web Filtering l YouTube Education Filter

FortiClient features

Standalone Client (Free Version) Managed Client (Licensed Version)
VPN l SSL VPN l IPsec VPN

l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication

 VPN l SSL VPN l IPsec VPN

l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication
Logging l VPN, Antivirus, Web Security, and Update

Logging l View logs locally

 Logging l VPN, Application Firewall, Antivirus, Web

Filter, Update, and Vulnerability Scan

Logging l View logs locally
  Application Control l Application Firewall l Block Specific Application Traffic
  Vulnerability Management l Vulnerability Scan l Link to FortiGuard with information on the impact and recommended actions
  Central Management l Centralized Client Management and monitoring

l Centralized configuration provisioning and deployment l Enforcement of enterprise security policies.
  Central Logging l Upload logs to a FortiAnalyzer or

FortiManager. FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer or FortiManager.

Standalone mode

In standalone mode, FortiClient is not registered to a FortiGate or Enterprise Management Server (EMS). In this mode, FortiClient is free both for private individuals and commercial businesses to use; no license is required. All features and functions are activated.

 

FortiClient features

Managed mode

Companies with large installations of FortiClient usually need a method to manage their endpoints. This is accomplished by registering each FortiClient to a FortiGate or an Enterprise Management Server (EMS). In this mode, FortiClient licensing is applied to the FortiGate or EMS. No separate license is required on FortiClient itself.

FortiSandbox

FortiSandbox offers the capabilities to analyze new, previously unknown and undetected virus samples in realtime. Files sent to it are scanned first, using similar Antivirus (AV) engine and signatures as are available on the FortiOS and FortiClient. If the file is not detected but is an executable file, it is run in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file can be blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

For more information, see the FortiSandbox Administration Guide, available in the Fortinet Document Library.

On-Net / Off-Net

The on-net feature requires the use of a FortiGate as a DHCP server. This is usually configured on the same FortiGate that the FortiClient will be registered. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off- net.

There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided. FortiClient will be on-net if:

l It is registered using EC to the FortiGate, l It belongs to one of the pre-configured on-net subnets, or l It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.

Licensing

Licensing

Licensing on the FortiGate is based on the number of registered clients. FortiGate 30 series and higher models support ten (10) free managed FortiClient licenses. For additional managed clients, a FortiClient license subscription must be purchased. The maximum number of managed clients varies per device model.

The VPN on-net, off-net feature in Endpoint Control will be activated only when the FortiGate, to which FortiClient is registered, is running FortiOS 5.2 or 5.4 with a FortiClient 5.2 or 5.4 license.

FortiGate Client limits

The following table shows client limits per FortiGate model series.

FortiGate Series Free Registrations FortiClient License Upgrade
FortiGate/FortiWiFi 30 to 90 series 10 1 year FortiClient license subscription for up to 200 clients
FortiGate 100 to 300 series 10 1 year FortiClient license subscription for up to 600 clients
FortiGate 500 to 800 series, FortiGate

VM01, FortiGate VM02

 10 1 year FortiClient license subscription for up to 2000 clients
FortiGate 1000 series, FortiGate VM04 10 1 year FortiClient license subscription for up to 8000 clients
FortiGate 3000 to 5000 series,

FortiGate VM08

 10 1 year FortiClient license subscription for up to 20 000 clients

Installation information

EMS client limits

A newly installed EMS offers 20 000 trial client licenses over a period of 60 days from the day of installation. After the trail period lapses, the number of client licenses will be 10, same as for a new FortiGate to which no FortiClient license has been applied.

A license may be applied to the EMS at any time during or after the trial period. Licenses are available in multiples of 100 seats, with a minimum of 100 seats.

Installation information

The following table lists operating system support and the minimum system requirements.

Operating System Support Minimum System Requirements
l Microsoft Windows XP (32-bit) l Microsoft Windows 7 (32-bit and 64-bit) l Microsoft Windows 8 (32-bit and 64-bit) l Microsoft Windows 8.1 (32-bit and 64-bit) l Microsoft Windows 10 (32-bit and 64-bit) l  Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l  Compatible operating system and minimum

512MB RAM

l  600MB free hard disk space l Native Microsoft TCP/IP communication protocol l Native Microsoft PPP dialer for dial-up connections l Ethernet NIC for network connections l Wireless adapter for wireless network connections l Adobe Acrobat Reader for documentation l MSI installer 3.0 or later.
l Microsoft Windows Server 2008 R2 l Microsoft Windows Server 2012 l Microsoft Windows Server 2012 R2 l  Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l  Compatible operating system and minimum

512MB RAM

l  600MB free hard disk space l Native Microsoft TCP/IP communication protocol l Native Microsoft PPP dialer for dial-up connections l Ethernet NIC for network connections l Wireless adapter for wireless network connections l Adobe Acrobat Reader for documentation l MSI installer 3.0 or later.

Firmware images and tools

Operating System Support Minimum System Requirements
l Mac OS X v10.8 Mountain Lion l Mac OS X v10.9 Mavericks l Mac OS X v10.10 Yosemite l Mac OS X v10.11 El Capitan l Apple Mac computer with an Intel processor l 256MB of RAM l 20MB of hard disk drive (HDD) space l TCP/IP communication protocol l Ethernet NIC for network connections l Wireless adapter for wireless network connections

Firmware images and tools

Microsoft Windows

The following files are available in the firmware image file folder:

  • 4.xx.xxxx.exe

Standard installer for Microsoft Windows (32-bit).

  • 4.xx.xxxx.zip
    • zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
  • 4.xx.xxxx_x64.exe

Standard installer for Microsoft Windows (64-bit).

  • 4.xx.xxxx_x64.zip
    • zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
  • 4.xx.xxxx.zip
    • zip package containing miscellaneous tools including the FortiClient Configurator tool and VPN Automation files:
  • OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

  • FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

  • FortiClientVirusCleaner A virus cleaner.
  • SSLVPNcmdline

Command line SSL VPN client.

  • SupportUtils

Includes diagnostic, uninstallation, and reinstallation tools.

Language support

  • VPNAutomation

A VPN automation tool.

When creating a custom FortiClient 5.4 installer using the FortiClient Configurator tool, you can choose which features to install. You can also select to enable or disable software updates, configure SSO, and rebrand FortiClient

Mac OS X

The following files are available in the firmware image file folder:

  • 4.x.xxx_macosx.dmg Standard installer or Mac OS X.
  • 4.x.xxx_macosx.tar

FortiClient includes various utility tools and files to help with installations. The following tools and files are available in the FortiClientTools .tar file:

  • OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

  • FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

  • RebrandingResources

Rebranding resources used by the FortiClient Configurator tool.

When creating a custom FortiClient 5.4.0 installer using the FortiClient Repackager tool, you can choose to install Everything, VPN Only, or SSO only. You can also select to enable or disable software updates and rebrand

FortiClient.

FortiClient 5.4 cannot use FortiClient version 5.0 licenses. To use FortiClient Configurator, you need to use the FortiClient version 5.4 license file.

Language support

The following table lists FortiClient language support information.

Language Graphical User Interface XML Configuration Documentation
English (United States) ü ü ü
Chinese (Simplified) ü
Chinese (Traditional) ü

Language support

Language Graphical User Interface XML Configuration Documentation
French (France) ü
German ü
Japanese ü
Korean ü
Portuguese (Brazil) ü
Spanish (Spain) ü

 

FortiCache 4.0.1 Administration Guide

Leave a reply

Introduction

FortiCache high performance web caching appliances address bandwidth saturation, high latency, and poor performance caused by caching popular internet content locally for carriers, service providers, enterprises, and educational networks. FortiCache appliances reduce the cost and impact of cached content on the network while increasing performance and the end-user experience by improving the speed of delivery of popular repeated content.

About this document

This document contains the following sections:

  • Introduction l Concepts l System Administration l Policy & Objects l Objects l Security Profiles l User Authentication l WAN Optimization and Web Caching
  • WCCP
  • Logging

Concepts

FortiCache web caching is a form of object caching that accelerates web applications and web servers by reducing bandwidth usage, server load, and perceived latency.

Web caching involves storing HTML pages, images, videos, servlet responses, and other web-based objects for later retrieval. These objects are stored in the web cache storage location defined by the config wanopt storage command. You can also go to System > Config > Disk to view the storage locations on the FortiCache unit hard disks.

There are three significant advantages to using web caching to improve HTTP performance:

  • reduced bandwidth consumption because fewer requests and responses go over the WAN or Internet l reduced web server load because there are fewer requests for web servers to handle l reduced latency because responses for cached requests are available from a local FortiCache unit instead of from across the WAN or Internet.

When enabled in a web caching policy, the FortiCache unit caches HTTP traffic processed by that policy. A web caching policy specifies the source and destination addresses and destination ports of the traffic to be cached.

Web caching caches compressed and non-compressed versions of the same file separately. If the HTTP protocol considers the compressed and uncompressed versions of a file the same object, only the compressed or uncompressed file will be cached.

You can also configure a FortiCache unit to operate as a Web Cache Communication Protocol (WCCP) client. WCCP provides the ability to offload web caching to one or more redundant web caching servers.

This chapter describes:

  • Web caching topologies l WCCP topologies l Content Analysis Service

Web caching topologies

FortiCache web caching involves one or more FortiCache units installed between users and web servers. The FortiCache unit can operate in both Network Address Translator (NAT) and transparent modes. The FortiCache unit intercepts web page requests accepted by web cache policies, requests web pages from the web servers, caches the web page contents, and returns the web page contents to the users. When the FortiCache unit intercepts subsequent requests for cached web pages, the FortiGate unit contacts the destination web server just to check for changes.

Most commonly the topology uses a router to route HTTP and HTTPS traffic to be cached to one or more FortiCache units. Traffic that should not be cached bypasses the FortiCache units. This is a scalable topology that allows you to add more FortiCache units if usage increases.

Web caching topologies                                                                                                                      Concepts

Web caching topology with web traffic routed to FortiCache units

You can also configure reverse proxy web-caching. In this configuration, users on the Internet browse to a web server installed behind a FortiCache unit. The FortiCache unit intercepts the web traffic (HTTP and HTTPS) and caches pages from the web server. Reverse proxy web caching on the FortiGate unit reduces the number of requests that the web server must handle, leaving it free to process new requests that it has not serviced before. Since all traffic is to be cached the FortiCache unit can be installed in Transparent mode directly between the web server and the Internet.

Reverse proxy web caching topology

The reverse proxy configuration can also include a router to route web traffic to a group of FortiCache units operating in Transparent Mode. This is also a scalable solution for reverse proxy web caching.

Reverse proxy web caching topology with web traffic routed to FortiCache unit

When web objects and video are cached on the FortiCache hard disk, the FortiCache unit returns traffic back to client using cached object from cache storage. The clients do not connect directly to the server.

When web objects and video are not available in the FortiCache hard disk, the FortiCache unit forwards the request to original server. If the HTTP response indicates it is a cacheable object, the object is forwarded to cache storage and the HTTP request is served from cache storage. Any other HTTP request for the same object will be served from cache storage as well.

The FortiCache unit forwards HTTP responses that cannot be cached from the server back to the client that originated the HTTP request.

 

Concepts                                                                                                                                 WCCP topologies

All non-HTTP traffic and HTTP traffic that is not cached by FortiCache will pass through the unit. HTTP traffic is not cached by the FortiCache unit if a web cache policy has not been added for it.

WCCP topologies

You can operate a FortiCache unit as a WCCP cache engine. As a cache engine, the FortiCache unit returns the required cached content to the client web browser. If the cache server does not have the required content, it accesses the content, caches it, and returns the content to the client web browser.

WCCP topology

WCCP is transparent to client web browsers. The web browsers do not have to be configured to use a web proxy.

Content Analysis Service

FortiGuard Content Analysis Service is a licensed feature for the real-time analysis of images in order to detect adult content. Detection of adult content in images uses various patented techniques (not just color-based), including limb and body part detection, body position, etc.

Once detected, such content can be optionally blocked or reported.

Please contact your Fortinet Account Manager should you require a trial of this service. You can purchase this service from support.fortinet.com.

For configuration information, see Content Analysis on page 101.

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

FortiBridge 4.0 Administration Guide

Leave a reply

Introduction

FortiBridge enables you to add traffic monitoring and security devices to your network, without any loss in network integrity.

FortiBridge supports two normal modes of operation: inline mode and TAP mode. Inline mode supports network

configurations that require in-line monitoring/security devices. TAP mode supports various traffic TAP configurations, where the main network path is mirrored to the monitoring devices.

The FortiBridge product provides monitoring features to ensure that any inline or TAP devices do not impact network integrity and availability. For example, FortiBridge runs a heartbeat probe for in-line configurations, and automatically switches to Bypass mode if the heartbeat fails.

Bypass mode provides active and passive bypass circuitry. Active bypass restores the traffic path between network ports, if the monitoring path fails. If the FortiBridge suffers a catastrophic failure such as power loss, it automatically reverts to Passive Bypass mode, so that traffic flow is not interrupted.

Hardware Configurations

The FortiBridge consists of a host system (a 1U chassis), which houses up to three bypass modules.

A bypass module supports one or more network segments. A network segment provides one inline or bypass traffic path. Each segment provides two network ports (NET0 and NET1) and two monitoring ports (MON1 and MON2).

The following bypass modules are available:

  • 40G bypass module l Supports one bypass segment.
  • Supports 40G Single mode fiber (40GBase-SR4) network standards l Provides MPO/LC ports for the network ports.
  • Provides QSFP+ ports for the monitor ports.
  • Dual-rate 1/10G bypass module l Supports two bypass segments l Supports dual rate 1/10G Multimode Fiber (10GBase-SR , 1000Base-SX) network standards l Supports dual rate 1/10G Single mode fiber (10GBase-LR, 1000Base-LX) network standards l Provides MPO/LC Duplex ports for the network ports. l Provides SFP+ ports for the monitor ports.

The network ports have built-in transceivers. The monitor ports require plug-in optical transceivers. The correct transceivers are delivered (pre-installed) with your FortiBridge product.

Product Overview

Modes of Operation

Each FortiBridge segment operates in one of the following modes:

  • Inline mode l The system diverts all incoming network traffic to the monitoring ports. No traffic flows directly between the network ports.
  • The inline network element must bridge the traffic between the monitoring ports. l The system monitors the inline traffic path using a heartbeat probe.
  • In the event of a fault, the segment transitions to one of the bypass modes (Bypass, TAP or Fail-cutoff mode, depending on configuration values).
  • When the fault condition clears, the segment can automatically transition back to Inline mode (the exact behavior is defined by configuration values). The segment transitions to Inline mode only after it detects that the heartbeat probe is working again
  • TAP mode l The system sends traffic between the network ports, and incoming traffic is mirrored to the monitoring ports.
  • The system does not provide a heartbeat probe on the mirrored path (because the network path is the primary traffic path).
  • If the system loses power, the traffic path is maintained between the network ports (the segment transitions to passive bypass mode).
  • Bypass mode l The system sends traffic only between the network ports, and not to the monitoring ports.
  • Fail-cutoff mode l The system disables the links on the network ports, to simulate cable disconnection between the network devices.
Pages: 1 2 3 4 5 6 7