FortiOS 6 – FortiClient Compliance Profiles

FortiClient Compliance Profiles

This section describes the FortiClient Compliance Profiles endpoint protection features and configuration.

FortiClient Compliance Profiles are used primarily to make sure connected devices are compliant with Endpoint Control and to protect against vulnerabilities. Both Endpoint Vulnerability Scan on Client and System compliance are enabled by default, while other settings are disabled by default. This allows FortiClient to work as part of a Security Fabric.

FortiClient Profiles was renamed FortiClient Compliance Profiles to clarify that this profile only creates “compliance rules” and cannot be used to “provision FortiClient endpoints”.

You must first enable this feature. Go to System > Feature Visibility and enable Endpoint Control. This will reveal the Security Profiles > FortiClient Compliance menu item.

The following topics are included in this section:

Endpoint protection overview

Configuring endpoint protection

Configuring endpoint registration over a VPN

Assigning FortiClient Profiles using Microsoft AD user groups

Modifying the endpoint protection replacement messages

Monitoring endpoints

Endpoint protection overview

Endpoint Protection enforces the use of up-to-date FortiClient Endpoint Security software on endpoints (workstation computers and mobile devices). It pushes a FortiClient profile to the FortiClient application, specifying security settings, including:

  • Real-time antivirus protection – on or off
  • FortiClient web category filtering based on web filters defined in a FortiGate Web Filter profile
  • FortiClient Application Control (application firewall) using application sensors defined in the FortiGate Application Control profile

The FortiClient profile can also:

  • Create VPN configurations
  • Install CA certificates
  • Upload logs to FortiAnalyzer or FortiManager
  • Enable use of FortiManager for client software/signature update
  • Enable a dashboard banner
  • Enable client-based logging while on-net
  • Output a mobile configuration profile (.mobileconfig file for iOS)

User experience

When using a web browser, the user of a non-compliant endpoint receives a replacement message HTML page from the FortiGate unit. The message explains that the user needs to install FortiClient Endpoint Security and provides a link to do so. The user cannot continue until the FortiClient software is installed.

For information about modifying the replacement message, see Modifying the endpoint protection replacement messages on page 195.

Default FortiClient non-compliance message for Windows

After installing FortiClient Endpoint Security, you will receive an invitation to register with the FortiGate unit. If you accept the invitation, the FortiClient profile is sent to the device’s FortiClient application. Now the device is compliant and can connect to the network. FortiClient Endpoint Security registered with a FortiGate unit does not need to be separately licensed with FortiGuard.

The FortiGate unit can also register endpoints connecting over the Internet through a VPN. See Configuring endpoint registration over a VPN on page 191.

Licensing and FortiGate endpoint registration limits

To view the number of endpoints that are registered and the total that can be registered, go to Dashboard. Under Licenses, find FortiClient. You will see text like “4 /10”. This means that there are four registered endpoints and a total of ten are allowed.

When the registration limit is reached, the next FortiClient-compatible device will not be able to register with the FortiGate unit. A message appears in the FortiClient application. The FortiClient profile is not sent to the client, and the client cannot connect through the FortiGate unit.

For all FortiGate models, the maximum number of registered endpoints is ten. For all models except 20C, you can purchase an endpoint license to increase this capacity:

To add an endpoint license – GUI

  1. Go to Dashboard.
  2. In the Licenses widget, click FortiClient and select Enter License.
  3. Enter the license key in the window that slides in from the right, and select OK.

Maximum registered endpoints with endpoint license

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum. Phone support is only available for paid licenses.

Model(s)                               Maximum Client Limit
VM00                                   200
FGT/FWF 30 to 90 series                200
FGT 100 to 400 series                  600
FGT 500 to 900 series, VM01, VM02      2,000
FGT 1000 to 2900 series                20,000
FGT 3000 to 3600 series, VM04          50,000
FGT 3700D and above, VM08 and above    100,000

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiOS 6 – FortiClient Compliance Profiles”

  1. German Taboadela

    Hey! Great article. Do you know if this feature was removed in FortiOS 6.2.3? I’ve already enabled the Endpoint Control feature but the “FortiClient Compliance” menu is still missing… perhaps they moved that functionality to EMS completely? I just can’t find a way to log FortiClient data without EMS.

