Compliance

The Compliance tab displays whether FortiClient Telemetry is connected to FortiGate or EMS.

When FortiClient Telemetry is connected to FortiGate, the Compliance tab displays whether FortiClient and the endpoint device are compliant with the compliance rules defined by FortiGate. When FortiClient and/or the endpoint device are not compliant, the Compliance tab displays information about how FortiClient and the endpoint device can be returned to a status of compliant.

You can also use the Compliance tab to connect FortiClient Telemetry to FortiGate/EMS and disconnect FortiClient Telemetry from FortiGate/EMS.

Enable compliance

For FortiClient in standalone mode, the Compliance tab is not used.

For FortiClient in managed mode, an administrator enables and disables endpoint compliance by using FortiGate. When endpoint compliance is enabled, FortiClient must be installed on endpoint devices, and FortiClient Telemetry must be connected to FortiGate. When FortiClient Telemetry is connected, the FortiClient endpoint receives a profile from FortiGate that contains the compliance rules and optionally some FortiClient configuration information.

If FortiGate is integrated with EMS, the FortiClient endpoint might also receive a profile from EMS that contains FortiClient configuration information.

Connect FortiClient Telemetry manually

On endpoints, FortiClient Telemetry must be connected to FortiGate to use the compliance feature. Alternately, FortiClient Telemetry can be connected to EMS, but you cannot use the compliance feature when FortiClient Telemetry is connected to EMS.

If FortiClient Telemetry was not automatically connected after FortiClient installation, you can manually connect FortiClient Telemetry to FortiGate/EMS.

To manually connect FortiClient Telemetry:

  1. Go to the Compliance tab.
  2. In the FortiGate IP box, type the IP address or URL of FortiGate or EMS, and click Connect.

FortiClient Telemetry connects to FortiGate/EMS, and FortiClient downloads a profile from FortiGate/EMS.

Disconnect FortiClient Telemetry

You must disconnect FortiClient Telemetry from FortiGate/EMS to connect to another FortiGate/EMS or to uninstall FortiClient.

To disconnect FortiClient Telemetry:

  1. On the Compliance tab, click the Click to Disconnect link. A confirmation dialog box is displayed.
  2. Click Yes to disconnect FortiClient from FortiGate/EMS.

After you disconnect FortiClient Telemetry from FortiGate/EMS, FortiClient Telemetry automatically reconnects to the FortiGate/EMS when you re-join the network. See also Forget gateway IP addresses below.

View compliance status

Information available on the Compliance tab depends on whether FortiClient is running in standalone mode or managed mode. In managed mode, the information displayed on the Compliance tab also depends on whether FortiClient Telemetry is connected to FortiGate or FortiClient EMS.

When FortiClient Telemetry is connected to EMS and the feature is enabled in EMS, a picture of the endpoint user might display on the Compliance tab. FortiClient displays the picture that is defined for the Windows operating system on the endpoint device. If FortiClient cannot find a picture defined for the Windows operating system on the endpoint device, no picture is displayed on the Compliance tab.

Standalone mode

When FortiClient is running in standalone mode, the Compliance tab is not used. The Compliance tab is labeled Not Participating. The unlocked icon at the bottom left of the screen indicates that settings in FortiClient console are unlocked, and the endpoint user can change them.

If you want to use the compliance feature, you must connect FortiClient Telemetry to FortiGate.

View compliance

The Compliance tab displays the following information:

FortiGate IP: Type the IP address or URL of FortiGate/EMS, and click Connect to connect FortiClient Telemetry.
Unlocked icon: Indicates that the settings in FortiClient console are unlocked and can be changed.

FortiClient Telemetry connected to EMS

When FortiClient Telemetry is connected to EMS, compliance is not enforced. The Compliance tab is labeled Connected to EMS. The locked icon at the bottom left of the screen indicates that settings in the FortiClient console are locked by EMS. EMS controls the settings by pushing a profile to FortiClient.

The Compliance tab displays the following information:

Compliance status: Indicates that the compliance enforcement feature requires a FortiClient Telemetry connection to FortiGate.
FortiClient EMS information: Displays the name and IP address of the EMS to which FortiClient Telemetry is connected. You can disconnect by clicking the Click to Disconnect link, view details about the endpoint device by clicking the View Details link, and view the gateway IP list that FortiClient is using for the FortiClient Telemetry connection by clicking the Show IP List That This FortiClient is Sending Telemetry Data to link.
FortiClient Telemetry information: Displays how often FortiClient Telemetry communicates with FortiClient EMS and when the next communication will occur. FortiClient Telemetry also downloads FortiClient configuration information from EMS.
Locked icon: Indicates that the settings in FortiClient console are locked by EMS. You can change the settings by using a profile in EMS.

FortiClient Telemetry connected to FortiGate

When FortiClient Telemetry is connected to FortiGate, network access compliance is enforced. The locked icon at the bottom left of the screen indicates one of the following statuses:

  • The settings in the FortiClient console are locked by the profile from EMS. In this case, FortiGate is integrated with EMS, and the non-compliance action in FortiGate is set to block or warn. FortiGate provides the compliance rules, and EMS provides the profile of FortiClient settings.
  • The settings in the FortiClient console are unlocked. In this case, FortiGate provides the compliance rules, and the non-compliance action in FortiGate is set to auto-update. You can change the FortiClient settings unrelated to the compliance rules.

In the following example, FortiClient Telemetry is connected to FortiGate, but EMS provides the profile of FortiClient settings. The settings are locked by EMS.

In the following example, FortiClient Telemetry is connected to FortiGate, and a profile is not provided by EMS. The settings are locked by FortiGate.

View compliance

The Compliance tab displays the following information:

Compliance status: Displays the compliance status of the computer on which FortiClient is installed. The computer is either compliant or not compliant with FortiGate.
FortiGate information: Displays the name and IP address of the FortiGate to which FortiClient Telemetry is connected. You can perform the following actions:

  • Disconnect FortiClient Telemetry by clicking the Click to Disconnect link.
  • View details about the endpoint device by clicking the View Details link.
  • View compliance rules from FortiGate by clicking the Show Compliance Rules From <FortiGate> link.
  • View the gateway IP list being used for the FortiClient Telemetry connection by clicking the Show IP List That This FortiClient is Sending Telemetry Data to link.

FortiClient Telemetry information: Displays how often FortiClient Telemetry communicates with FortiGate and when the next communication will occur. FortiClient Telemetry communicates information between FortiClient and FortiGate, sending status information to FortiGate and receiving network-access rules and possibly some FortiClient configuration information from FortiGate. When FortiGate is integrated with EMS, notification information is also sent to EMS. Depending on the FortiGate settings, EMS might also send FortiClient configuration information to FortiClient.
Monitoring: Displays whether the endpoint is monitored by EMS.
Locked or unlocked icon: Indicates whether the settings in FortiClient console are locked or unlocked.

View user details

You can view user details when FortiClient is compliant with FortiGate rules. You cannot view user details when FortiClient is not compliant with FortiGate rules.

To view user details:

  1. On the Compliance tab, view the name of the user beside the View Details link.
  2. Click the View Details link to view the following information:
     Online/offline: Displays whether the endpoint device is online or offline. A green icon indicates the endpoint is online.
     Off-Net/On-Net: Displays whether the endpoint device is on-net or off-net. A green On-Net icon indicates the endpoint is on-net.
     Username: Displays the name of the user logged into FortiClient on the endpoint.
     Hostname: Displays the name of the device on which FortiClient is installed.
     Domain: Displays the name of the domain to which the endpoint device is connected, if applicable.
  3. Click the X to close the dialog box.

View gateway IP lists

You can view the following gateway IP lists in FortiClient:

  • Gateway IP List

The Gateway IP List is created by administrators. Endpoint users cannot change the list. For more information, see Telemetry Gateway IP Lists.

  • Local Gateway IP List

The Local Gateway IP List is created by endpoint users. It is the list of remembered FortiGate/EMS devices. When FortiClient Telemetry is connected for the first time, you can choose to remember the gateway IP address. See Remember gateway IP addresses.

The gateway IP lists are used to automatically connect FortiClient Telemetry to FortiGate/EMS.

To view gateway IP lists:

  1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.

The Gateway IP List and the Local Gateway IP List are displayed.

  2. Click X to close the list.

Forget gateway IP addresses

When you instruct FortiClient to forget an IP address for FortiGate/EMS, FortiClient Telemetry will not use the IP address to automatically connect to FortiGate/EMS when re-joining the network.

To forget FortiGate/EMS:

  1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.
  2. In the Local Gateway IP List, click Forget beside the gateway IP addresses that you no longer want FortiClient to remember.
  3. Click X to close the list.

Fix not compliant status

You can maintain compliance by ensuring that FortiClient software is configured to meet the requirements specified in the compliance rules defined by the FortiGate to which FortiClient Telemetry is connected. FortiGate might also require the endpoint device to run a specific version of FortiClient or operating system software.

When FortiClient displays a status of Not-Compliant, you can take actions that will make FortiClient compliant with FortiGate again.

View not-compliant status

When a FortiClient endpoint does not comply with the FortiGate compliance rules, the Compliance tab displays a status of Not-Compliant.

The following information is displayed on the Compliance tab:

This computer is Not Compliant with: Displays the name and IP address of the FortiGate to which FortiClient Telemetry is connected. You can view the compliance rules by clicking the Show Compliance Rules from <FortiGate> link.
Vulnerability Scan: Displays critical vulnerabilities found for the endpoint when detected. You must fix the critical vulnerabilities to return to compliant status; click Fix Now to do so. You can also click the Details link to view details about the vulnerabilities.
Software Out of Date: Displays whether FortiClient software is outdated. You must upgrade to the specified FortiClient version to return to compliant status; click Update Now to do so.
System Compliant: Displays whether the operating system of the endpoint complies with FortiGate rules. You must use the specified operating system to return to compliant status. You can view the allowed operating systems by clicking the Details link.
Fix All: Click to fix all reported issues. This option is available when the non-compliance setting in FortiGate is set to block or warn, and EMS has not provided a profile to the FortiClient endpoint. This option is not available when the non-compliance setting in FortiGate is set to auto-update.

If the Fix All link is not displayed, contact your administrator to help adjust the FortiClient Console and computer settings to remain in compliance with FortiGate.

View compliance rules

When FortiClient Telemetry is connected to FortiGate, you can view the compliance rules from FortiGate. The compliance rules communicate the settings required on FortiClient console for the FortiClient endpoint to remain compliant.

To view compliance rules:

  1. On the Compliance tab, click the Show Compliance Rules From <FortiGate> link.

The compliance rules from FortiGate are displayed.

  2. Click Close to return to the Compliance tab.

Fix now

Issues that caused a not-compliant status can be fixed to return FortiClient endpoints to a compliant status. When available, you can click the Update Now, Fix Now, or Fix All links on the Compliance tab to return FortiClient endpoints to compliant status.

When FortiClient has a not compliant status and the Update Now, Fix Now, or Fix All links are not displayed, endpoint users should contact their system administrator for help with configuring the endpoint and FortiClient Console to remain in compliance with FortiGate.

Which links are available depends on the configuration of FortiGate and EMS. The following table summarizes when links are available:

Configuration | Compliance Rules | FortiClient Configuration | Options
FortiGate | Yes | No | FortiClient settings are unlocked. Click the Update Now, Fix Now, and Fix All links when available.
FortiGate integrated with EMS | Yes | No | FortiClient settings are unlocked. Click the Update Now, Fix Now, and Fix All links when available.
FortiGate integrated with EMS | Yes | Yes | FortiClient settings are locked by EMS. Use EMS to update the profile that contains the FortiClient configuration to meet the requirements of the compliance rules.

To fix now:

  1. On the Compliance tab, perform one of the following options:

  • Click Fix All.
  • Click Update Now.
  • Click Fix Now.

The non-compliance issues are fixed, and the FortiClient endpoint returns to a status of compliant.

  2. If the Fix All, Update Now, or Fix Now links are not displayed on the Compliance tab, contact your system administrator for help with changing the endpoint and FortiClient Console settings.
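The "Fix not compliant status" section and the link-availability table above describe a small decision procedure: compare the endpoint's reported state against the rules FortiGate pushed, derive a Compliant/Not-Compliant status, and decide which remediation links (Update Now, Fix Now, Details, Fix All) the tab can offer. The following Python model, added here as an illustration and not FortiClient's own code or profile format, makes that procedure explicit. The rule and state fields (minimum FortiClient version, allowed operating systems, critical-vulnerability count, whether an EMS profile is present, the non-compliance action) are assumptions chosen to mirror the checks the page names; the real product exchanges this information over Telemetry in its own format.

```python
"""Illustrative model of the Compliance tab's decision logic.

Constructed example: the data classes and field names are assumptions
that mirror the checks described on the page, not FortiClient's real
profile format or API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ComplianceRules:
    """Rules FortiGate is assumed to push to the endpoint (modelled)."""
    min_forticlient_version: str        # drives the "Software Out of Date" check
    allowed_os: tuple                   # drives the "System Compliant" check
    noncompliance_action: str = "block" # "block", "warn" or "auto-update"


@dataclass(frozen=True)
class EndpointState:
    """What the endpoint reports over Telemetry (modelled)."""
    forticlient_version: str
    os_name: str
    critical_vulns: int        # critical findings from the Vulnerability Scan
    ems_profile_present: bool  # True when EMS has pushed a FortiClient configuration profile


def parse_version(text):
    """Turn '6.0.3' into (6, 0, 3) so versions compare numerically, not as strings.

    Assumes dotted integer versions; '10.0.1' must sort above '9.9.9'.
    """
    return tuple(int(part) for part in text.split("."))


def evaluate_compliance(rules, state):
    """Return status, per-issue links and Fix All availability, per the page's tables."""
    issues = []
    if parse_version(state.forticlient_version) < parse_version(rules.min_forticlient_version):
        issues.append(("Software Out of Date", "Update Now"))
    if state.critical_vulns > 0:
        issues.append(("Vulnerability Scan", "Fix Now"))
    if state.os_name not in rules.allowed_os:
        # No self-service fix exists for the OS check; only Details is offered.
        issues.append(("System Compliant", "Details"))

    status = "Compliant" if not issues else "Not-Compliant"

    # Fix All is offered only when the non-compliance action is block or warn
    # and EMS has not supplied a profile (page: "Fix All" description).
    fix_all = (
        status == "Not-Compliant"
        and rules.noncompliance_action in ("block", "warn")
        and not state.ems_profile_present
    )

    if status == "Compliant":
        guidance = "No action required."
    elif state.ems_profile_present:
        # Settings are locked by EMS: remediation happens in the EMS profile.
        guidance = "Settings are locked by EMS; update the EMS profile to meet the rules."
    elif fix_all:
        guidance = "Click Fix All, or the per-issue links, to return to compliant status."
    else:
        guidance = "Contact your administrator; self-service links are not available."

    return {"status": status, "issues": issues, "fix_all": fix_all, "guidance": guidance}


if __name__ == "__main__":
    # Constructed sample data: a FortiGate requiring 6.0.0+ on Windows 10,
    # and an endpoint that is behind on all three checks.
    rules = ComplianceRules("6.0.0", ("Windows 10",))
    endpoint = EndpointState("5.6.2", "Windows 7", critical_vulns=2, ems_profile_present=False)
    for key, value in evaluate_compliance(rules, endpoint).items():
        print(f"{key}: {value}")
```

The version comparison is the part most often done wrong in home-grown compliance checks: comparing "10.0.1" and "9.9.9" as strings would mark the newer client as out of date, which is why the model parses each component to an integer first. The guidance branches follow the page's table: an EMS-locked endpoint is steered to the EMS profile rather than to links it cannot act on.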

Examples of blocked FortiClient endpoints

FortiClient endpoint access to the network can be blocked in a number of ways. The following table provides examples of how FortiClient endpoints can be blocked from accessing the network and how to regain access.

Configuration | Failure | Blocked By | Solution
Endpoint control is enabled on FortiGate. FortiClient Telemetry is connected to FortiGate. | FortiClient configuration fails to meet the compliance rules specified by FortiGate. | FortiClient | View the Compliance tab in FortiClient console, and follow the instructions to configure FortiClient to meet the compliance rules specified by FortiGate.
Endpoint control is enabled on FortiGate. FortiClient Telemetry is not connected to FortiGate. | FortiClient Telemetry is not connected. | FortiGate | In FortiClient console, connect FortiClient Telemetry to FortiGate.

View notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the notifications icon will change from gray to yellow.

Event notifications include:

  • Antivirus events, including scheduled scans and detected malware.
  • Endpoint Control events, including configuration updates received from FortiGate.
  • WebFilter events, including blocked web site access attempts.
  • System events, including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

To view notifications:

  1. In FortiClient Console, click the Notifications icon in the top-right corner. The list of notifications is displayed.
  2. Click Close to close the list.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
