FortiClient Compliance Profiles
This section describes the FortiClient Compliance Profiles endpoint protection features and configuration.
FortiClient Compliance Profiles are used primarily to make sure connected devices are compliant with Endpoint Control and to protect against vulnerabilities. Both Endpoint Vulnerability Scan on Client and System compliance are enabled by default, while other settings are disabled by default. This allows FortiClient to work as part of a Security Fabric.
FortiClient Profiles was renamed FortiClient Compliance Profiles to clarify that this profile only creates “compliance rules” and cannot be used to “provision FortiClient endpoints”.
You must first enable this feature. Go to System > Feature Visibility and enable Endpoint Control. This will reveal the Security Profiles > FortiClient Compliance menu item.
The following topics are included in this section:
Endpoint protection overview
Configuring endpoint protection
Configuring endpoint registration over a VPN
Assigning FortiClient Profiles using Microsoft AD user groups
Modifying the endpoint protection replacement messages Monitoring endpoints
Endpoint protection overview
Endpoint Protection enforces the use of up-to-date FortiClient Endpoint Security software on endpoints (workstation computers and mobile devices). It pushes a FortiClient profile to the FortiClient application, specifying security settings, including:
- Real-time antivirus protection – on or off l FortiClient web category filtering based on web filters defined in a FortiGate Web Filter profile
- FortiClient Application Control (application firewall) using application sensors defined in the FortiGate Application Control profile
The FortiClient profile can also:
- Create VPN configurations l Install CA certificates l Upload logs to FortiAnalyzer or FortiManager l Enable use of FortiManager for client software/signature update l Enable a dashboard banner l Enable client-based logging while on-net l Output a mobile configuration profile (.mobileconfig file for iOS) Endpoint protection overview
When using a web browser, the user of a non-compliant endpoint receives a replacement message HTML page from the FortiGate unit. The message explains that the user needs to install FortiClient Endpoint Security and provides a link to do so. The user cannot continue until the FortiClient software is installed.
For information about modifying the replacement message, see Modifying the endpoint protection replacement messages on page 195.
Default FortiClient non-compliance message for Windows
After installing FortiClient Endpoint Security, you will receive an invitation to register with the FortiGate unit. If you accept the invitation, the FortiClient profile is sent to the device’s FortiClient application. Now the device is compliant and can connect to the network. FortiClient Endpoint Security registered with a FortiGate unit does not need to be separately licensed with FortiGuard.
The FortiGate unit can also register endpoints connecting over the Internet through a VPN. See Configuring endpoint registration over a VPN on page 191.
Licensing and FortiGate endpoint registration limits
To view the number of endpoints that are registered and the total that can be registered, go to Dashboard. Under Licenses, find FortiClient. You will see text like “4 /10”. This means that there are four registered endpoints and a total of ten are allowed.
When the registration limit is reached, the next FortiClient-compatible device will not be able to register with the FortiGate unit. A message appears in the FortiClient application. The FortiClient profile is not sent to client and the client cannot connect through the FortiGate unit.
For all FortiGate models, the maximum number of registered endpoints is ten. For all models except 20C, you can purchase an endpoint license to increase this capacity:
To add an endpoint license – GUI
- Go to Dashboard.
- In the Licenses widget, click on FortiClient, select Enter License.
- Enter the license key in the window that sllides in from the right, and select OK.
Maximum registered endpoints with endpoint license
FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.
|Model(s)||Maximum Client Limit|
|FGT/FWF 30 to 90 series||200|
|FGT 100 to 400 series||600|
|FGT 500 to 900 series, VM01, VM02||2,000|
|FGT 1000 to 2900 series||20,000|
|FGT 3000 to 3600 series, VM04||50,000|
|FGT 3700D and above, VM08 and above||100,000|
Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!