Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

FortiCarrier Web Based Manager Settings

Carrier web-based manager settings

The Carrier menu provides settings for configuring FortiOS Carrier features within the Security Profiles menu. These features include MMS and GTP profiles.

In Security Profiles > Carrier, you can configure profiles and settings for MMS and GTP. In the Carrier menu, you can configure an MMS profile and then apply it to a security policy. You can also configure GTP profiles and apply those to security policies as well.

This topic includes the following:

MMS profiles

Since MMS profiles can be used by more than one security policy, you can configure one profile for the traffic types handled by a set of security policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

If the security policy requires authentication, do not select the MMS profile in the security policy. This type of profile is specific to the authenticating user group. For details on configuring the profile associated with the user group, see User Groups in the Authentication guide.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

Once you have configured the MMS profile, you can then apply the profile to MMS traffic by applying it to a security policy.

MMS profiles can contain settings relevant to many different services. Each security policy uses the subset of the MMS profile settings that apply to the sessions accepted by the security policy. In this way, you might define just one MMS profile that can be used by many security policies, each policy using a different or overlapping subset of the MMS profile.

The MMS Profile page contains options for each of the following:

  • MMS scanning
  • MMS Bulk Email Filtering Detection
  • MMS Address Translation
  • MMS Notifications
  • DLP Archive
  • Logging

FortiCarrier Introduction

Introduction

FortiOS Carrier provides all the features found on FortiGate units plus added features specific to carrier networks. These features are explained in this document and include dynamic profiles and groups, Multimedia messaging service (MMS) protection, and GPRS Tunneling Protocol (GTP) protection.

This chapter contains the following sections:

  • Before you begin
  • How this guide is organized

Before you begin

Before you begin ensure that:

  • You have administrative access to the web-based manager and/or CLI.
  • The Carrier-enabled FortiGate unit is integrated into your network.
  • The operation mode has been configured.

How this guide is organized

This FortiOS Handbook chapter contains the following sections:

Overview of FortiOS Carrier features provides an overview of the three major topics for FortiOS Carrier — Dynamic Profiles, MMS, and GTP.

Carrier web-based manager settings describes the web-based manager interface of FortiOS Carrier specific features.

MMS Security features describes FortiOS security features as they apply to MMS including MMS virus scanning, MMS file filtering, MMS content-based Antispam protection, and MMS DLP archiving.

Message flood protection describes setting thresholds to protect your MMS servers from receiving too many messages from the same sender.

Duplicate message protection describes setting thresholds to protect your MMS servers from receiving the same message from more than one sender.

Configuring GTP on FortiOS Carrier explains configuration of the more basic FortiOS Carrier GTP features.

GTP message type filtering explains this feature, and how to configure it on FortiOS Carrier.

GTP identity filtering explains this feature, and how to configure it on FortiOS Carrier.

Troubleshooting provides answers to common FortiOS Carrier GTP issues.

Overview

Overview of FortiOS Carrier features

FortiOS Carrier specific features include Multimedia messaging service (MMS) protection, and GPRS Tunneling Protocol (GTP) protection.

All FortiGate units, carrier-enabled or not, are capable of handling Stream Control Transmission Protocol (SCTP) traffic, which is a protocol designed for and primarily used in Carrier networks.

This section includes:

Overview

Registering FortiOS Carrier

MMS background

How FortiOS Carrier processes MMS messages

MMS protection profiles

Bypassing MMS protection profile filtering based on carrier endpoints

Applying MMS protection profiles to MMS traffic

GTP basic concepts

GPRS network common interfaces

Packet flow through the GPRS network

SCTP

I really despise Sonic Wall

Sometimes, after a long day of work, the need to vent is so powerful that you can’t overcome it. Well, today is one of those days so I figured I would bless you guys with a little bit of information. If you use a Dell Sonic Wall…..I pity you for you know not what you do….These devices are horrible. Absolutely horrible. Go buy a FortiGate, or hell, a Palo Alto even just to stay away from these things. I seriously almost shot one today with a Springfield Armory XDS 45 ACP. It would have caused an incredibly warm feeling, like that of morphine flowing through your veins, to be experienced by myself. Speaking of which, I will be filming myself shooting AND blowing up some competitor hardware as I remove them from the client’s offices. I thought you guys might get a kick out of that and let’s face it, as soon as I figure out the logistics with doing it legally, I too, will enjoy it. Keep your eyes open for some Fortinet GURU how to videos. Going to start with videos based on the Cook Book, but with better explanations than what Fortinet provided and then I will move on to tasks and encounters I have seen in the field.

Remember kids, friends don’t let friends buy SonicWall.

FortiOS54 Basic FortiGate Config

FortiGate Cookbook – Basic FortiGate Configuration FortiOS 5.4

This video shows you the basic configuration of a FortiGate that is running FortiOS 5.4. This version of the firmware makes the device run so much better in my experience. I am sure you guys will love it.

Custom FortiClient Installations

Custom FortiClient Installations

The FortiClient Configurator tool is the recommended method of creating customized FortiClient installation files.

You can also customize which modules are displayed in the FortiClient dashboard in the FortiClient Profile. This will allow you to activate any of the modules at a later date without needing to re-install FortiClient. Any changes made to the FortiClient Profile are pushed to registered clients.

When creating VPN only installation files, you cannot enable other modules in the FortiClient Profile as only the VPN module is installed.

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.

The FortiClient Configurator tool is included with the FortiClient Tools file in FortiClient 5.2. This file is only available on the Customer Service & Support portal and is located in the same file directory as the FortiClient images.

The Configurator tool requires activation with a license file. Ensure that you have completed the following steps prior to logging in to your FortiCare product web portal:

  • Purchased FortiClient Registration License
  • Activated the FortiClient license on a FortiGate

This video explains how to purchase and apply a FortiClient License: http://www.youtube.com/watch?feature=player_embedded&v=sIkWaUXK0Ok

This chapter contains the following sections:

  • Download the license file
  • Create a custom installer
  • Custom installation packages
  • Advanced FortiClient profiles

Download the license file

To retrieve your license file:

  1. Go to https://support.fortinet.com and log in to your FortiCare account.
  2. Under Asset select Manage/View Products. Select the FortiGate device that has the FortiClient registration license activated. You will see the Get the Key File link under Available Key(s).
  3. Click the link and download the license file to your management computer. This file will be needed each time you use the FortiClient Configurator tool.

Create a custom installer

Fortinet offers a repacking tool for both Microsoft Windows and Mac OS X operating systems. The following section provides instructions on creating a custom installer file using the FortiClient Configurator tool.

When selecting to install custom features, only modules selected are installed. To enable other features you will need to uninstall FortiClient, and reinstall an MSI file with these features included in the installer.

FortiClient (Windows) Configurator tool

To create a custom installer using the FortiClient Configurator tool:

  1. Unzip the FortiClientTools file, select the FortiClientConfigurator file folder, and double-click the exe application file to launch the tool.

The tool opens at the Welcome page.

Licensed Licensed mode requires a FortiClient license file.
Trial In FortiClient 5.4, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment.

  2. Browse and select the FortiClient Configurator Activation Key file (.lic) on your management computer.
  3. After entering the FortiClient Configurator license, select Next. The Configuration File page is displayed.

Select Config File (optional) The configuration file (.conf, .sconf) settings will be included in the installer file.
Password If the configuration file is encrypted (.sconf), enter the password used to encrypt the file.

You can use an XML editor to make changes to the FortiClient configuration file. For more information on FortiClient XML configuration, see the FortiClient XML Reference in the Fortinet Document Library, http://docs.fortinet.com.

  4. Browse and select the FortiClient configuration file on your management computer. This is an optional step. If you do not want to import settings from a configuration file, select Skip to continue. The Settings page is displayed.

The following options are available for custom installations:

Features to Install
Everything All Security and VPN components will be installed.
Client security only Only AntiVirus, Web Filtering, and Application Firewall will be installed.
VPN only Only VPN components (IPsec and SSL) will be installed.
Other Select one of the following from the drop-down list:

  • AntiVirus & Web Filtering only
  • Web Filtering only
  • Application Firewall only
  • Application Firewall & Web Filtering only
  • Web Filtering, VPN and Application Firewall
  • Single Sign-On mobility agent only

Options
Desktop Shortcut Select to create a FortiClient desktop icon.
Start Menu Select to add FortiClient to the start menu.
Enable Software Update Select to enable software updates. This option is disabled when Rebrand FortiClient is selected. This option is also disabled when using Trial mode.
Configure Single Sign-On mobility agent Select to configure the Single Sign-On mobility agent for use with FortiAuthenticator.
Rebrand FortiClient Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient on page 137.

  5. Select the features to install and options and select Next to continue.

If you selected to configure the single sign-on mobility agent, the Single Sign-On Mobility Agent Settings page is displayed.

  6. Configure the following settings:
Server IP/FQDN Enter the IP address or FQDN of the FortiAuthenticator server.
Port Number Enter the port number. The default port is 8001.
Pre-Shared Key Enter the FortiAuthenticator pre-shared key.
Confirm Pre-Shared Key Enter the FortiAuthenticator pre-shared key confirmation.
  7. Select Next to continue. If you selected to rebrand FortiClient, the Rebranding page is displayed.
  8. Rebrand FortiClient elements as required. The resources folder contains graphical elements. For more information, see Appendix C – Rebranding FortiClient on page 137.
  9. Select Next to continue. The Package Signing page is displayed.
  10. Configure the following settings:
Select Code Signing Certificate (optional) If you have a code signing certificate, you can use it to digitally sign the installer package this tool generates.
Password If the certificate file is password protected, enter the password.
  11. Browse and select the code signing certificate on your management computer. This is an optional step. If you do not want to digitally sign the installer package, select Skip to continue. The Execution page is displayed.

This page provides details of the installer file creation and the location of files for Active Directory deployment and manual distribution. The tool creates files for both 32-bit (x86) and 64-bit (x64) operating systems.

  12. When you select Finish, if Browse to output MSI file upon exit is selected, the folder containing the newly created MSI file will open.

Before deploying the custom MSI files, it is recommended that you test the packages to confirm that they install correctly. In FortiClient 5.2.0 and later, an .exe installation file is created for manual distribution.

Installation files are organized in folders within the FortiClientTools > FortiClient Configurator > FortiClient repackaged folder. Folder names identify the type of installation files that were created and the creation date.

FortiClient (Mac OS X) Configurator tool

To create a custom installer using the FortiClient Configurator tool:

  1. Unzip the FortiClientTools file, select the Configurator file folder, double-click the FortiClientConfigurator.dmg application file, and double-click the FCTConfigurator icon to launch the tool. The Configurator tool opens.
  2. Configure the following settings:
Licensed | Trial Licensed mode requires a FortiClient 5.2 license file. In FortiClient v5.2, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment.
Source Select the FortiClient Installer file on your management computer. You must use the full installer file, otherwise FortiClient Configurator will fail to create a custom installation file.

The FortiClient Installer version and FortiClient Configurator version must match, otherwise the Configurator will fail to create a custom installation file.

Destination Enter a name for the custom installation file and select a destination to save the file on your management computer.
Features to Install Select to install all FortiClient modules, VPN only, or SSO only. If SSO only is selected, you must configure the SSO settings in the attached configuration file.
Server IP/FQDN Enter the IP address or FQDN of the FortiAuthenticator server. This option is available when selecting SSO only for features to install.
Port Number Enter the port number. The default port is 8001. This option is available when selecting SSO only for features to install.
Pre-Shared Key Enter the FortiAuthenticator pre-shared key. This option is available when selecting SSO only for features to install.
Confirm Pre-Shared Key Enter the FortiAuthenticator pre-shared key confirmation. This option is available when selecting SSO only for features to install.
Config file Optionally, select a pre-configured FortiClient backup configuration file. If you selected Everything or VPN only for features to install, you must use a configuration file to configure the related settings.
Software Update Select to enable or disable software updates.
Rebrand Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient on page 137.
Rebranding resources Select the FortiClient resources file on your management computer.
  3. Select the Start button to create the custom FortiClient installation file.
  4. You can now deploy the repackaged FortiClient .dmg file to your Mac OS X systems.

Custom installation packages

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.

FortiClient (Windows)

After the Configurator tool generates the custom installation packages, they can be used to deploy the FortiClient software either manually or using Active Directory. Both options can be found in the …/FortiClient_packaged directory. Files are created for both x86 (32-bit) and x64 (64-bit) operating systems.

If Active Directory is being used to deploy FortiClient, you can use the custom installer with the MST file found in the …/ActiveDirectory folder.

For manual distribution, use the .exe file in the …/ManualDistribution folder.

Advanced FortiClient profiles

When creating custom FortiClient MSI files for deployment, you will need to configure advanced FortiClient profiles on the FortiGate/EMS to ensure that settings in the FortiClient profile do not overwrite your custom XML settings. You can configure the FortiClient profile to deliver the full XML configuration, VPN only, or specific FortiClient XML configurations. For more information on customizing the FortiClient XML configuration file, see Appendix C – Rebranding FortiClient on page 137.

Fortinet recommends creating OS specific endpoint profiles when provisioning XML settings. When creating a new FortiClient profile, select the device group as either Windows PC or Mac. If a FortiClient (Windows) XML configuration is pushed to a FortiClient (Mac OS X) system, FortiClient (Mac OS X) will ignore settings which are not supported.

Provision a full XML configuration file

You can deploy the full XML configuration file from the CLI or GUI.

To deploy the full XML configuration via the CLI:

  1. Log in to the FortiGate Command-line Interface.
  2. Enter the following CLI commands:

config endpoint-control profile
    edit <profile_name>
        config forticlient-winmac-settings
            set forticlient-advanced-cfg enable
            set forticlient-advanced-cfg-buffer "Copy & Paste your FortiClient XML configuration here"
        end
    next
end

Copy directly from your XML editor, preserving the XML file format. Copy all information from the <?xml version="1.0" encoding="UTF-8" ?> start of syntax to the </forticlient_configuration> end of syntax XML tags. Add double quotes at the start and end of the XML syntax statements.

To deploy the full XML configuration via the FortiGate GUI:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page is displayed.
  3. Configure the following settings:
Profile Name Enter a unique name to identify the FortiClient profile.
Comments Optionally, enter a comment.
Assign Profile To For more information on configuring device groups, user groups, and users, see the FortiOS Handbook.

These options are only available when creating a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.

FortiClient does not support nested groups in FortiOS.

XML text window Copy and paste the FortiClient XML configuration file in the text window. The XML syntax must be preserved.
  4. Select Apply to save the FortiClient profile settings.

To deploy the full XML configuration via EMS:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Advanced option to the right of the profile name.
  3. Select Yes in the confirmation dialog box.
  4. Copy and paste the XML configuration file text into the text box.
  5. Select Save to save the FortiClient profile settings.

Partial configuration

The current buffer size is 32 kB. This may not be large enough to accommodate your FortiClient XML configuration. As a workaround, you can use the FortiClient Configurator tool to create a custom MSI installation file using a .conf FortiClient backup configuration that contains static custom configurations. You can then include a partial configuration in the advanced FortiClient profile. This will push the partial configuration when the client registers with the FortiGate. The partial configuration will be merged with the existing XML configuration on the client.

To provision specific FortiClient XML configuration while preserving custom XML configurations in your MSI file, cut & paste the specific XML configuration into the FortiClient Profile in the following format:

<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
    <partial_configuration>1</partial_configuration>
    <system>
        <ui>
            <ads>0</ads>
            <default_tab>VPN</default_tab>
            <flashing_system_tray_icon>0</flashing_system_tray_icon>
            <hide_system_tray_icon>0</hide_system_tray_icon>
            <suppress_admin_prompt>0</suppress_admin_prompt>
            <culture_code>os-default</culture_code>
        </ui>
        <update>
            <use_custom_server>0</use_custom_server>
            <port>80</port>
            <timeout>60</timeout>
            <failoverport>8000</failoverport>
            <fail_over_to_fdn>1</fail_over_to_fdn>
            <scheduled_update>
                <enabled>0</enabled>
                <type>interval</type>
                <daily_at>03:00</daily_at>
                <update_interval_in_hours>3</update_interval_in_hours>
            </scheduled_update>
        </update>
    </system>
</forticlient_configuration>

Ensure that the <partial_configuration>1</partial_configuration> tag is set to 1 to indicate that this partial configuration will be deployed upon registration with the FortiGate. All other XML configuration will be preserved.
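As an added illustration of the partial-configuration behaviour described above (example code written for this page, not Fortinet's code and not FortiClient's actual merge implementation), the following Python script validates what is about to be pasted into the advanced profile buffer and models how a partial configuration is overlaid onto the configuration already present on the client. The client-side configuration, the merge semantics (element-by-element overlay for a partial configuration; full replacement when the flag is absent) and the size check against the 32 kB buffer the text mentions are assumptions; the partial configuration is trimmed from the example above.

```python
import copy
import xml.etree.ElementTree as ET
from typing import Optional

# Size of the forticlient-advanced-cfg-buffer as stated in the text (32 kB).
BUFFER_LIMIT_BYTES = 32 * 1024

# Constructed sample: the XML configuration already present on a registered client
# (for example, one baked into a custom MSI by the Configurator tool).
CLIENT_CONFIG = """<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <system>
    <ui>
      <ads>1</ads>
      <default_tab>ANTIVIRUS</default_tab>
      <culture_code>en</culture_code>
    </ui>
    <update>
      <port>80</port>
      <timeout>30</timeout>
    </update>
  </system>
  <vpn>
    <options>
      <autostart_tunnel>1</autostart_tunnel>
    </options>
  </vpn>
</forticlient_configuration>
"""

# Partial configuration pushed from the FortiClient profile (trimmed from the
# page's own example; note the partial_configuration flag).
PARTIAL_CONFIG = """<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <partial_configuration>1</partial_configuration>
  <system>
    <ui>
      <ads>0</ads>
      <default_tab>VPN</default_tab>
    </ui>
    <update>
      <timeout>60</timeout>
      <failoverport>8000</failoverport>
    </update>
  </system>
</forticlient_configuration>
"""


def check_buffer(xml_text: str) -> int:
    """Validate what will be pasted into the advanced profile buffer.

    Raises ValueError if the XML has the wrong root element or is larger than
    the 32 kB buffer (malformed XML raises ET.ParseError). Returns the size in bytes.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "forticlient_configuration":
        raise ValueError(f"unexpected root element <{root.tag}>")
    size = len(xml_text.encode("utf-8"))
    if size > BUFFER_LIMIT_BYTES:
        raise ValueError(f"{size} bytes exceeds the {BUFFER_LIMIT_BYTES}-byte buffer")
    return size


def is_partial(root: ET.Element) -> bool:
    """True when <partial_configuration>1</partial_configuration> is present."""
    flag = root.find("partial_configuration")
    return flag is not None and (flag.text or "").strip() == "1"


def _overlay(base: ET.Element, patch: ET.Element) -> None:
    """Copy leaf values from patch into base; elements absent from patch are left alone."""
    for child in patch:
        target = base.find(child.tag)
        if target is None:
            base.append(copy.deepcopy(child))
        elif len(child) == 0:
            target.text = child.text
        else:
            _overlay(target, child)


def merge_partial(client_xml: str, pushed_xml: str) -> ET.Element:
    """Model of what the client ends up with after the profile XML is applied.

    Assumption: a partial configuration is overlaid element by element, and a
    configuration without the flag replaces the whole client configuration.
    """
    check_buffer(pushed_xml)
    client = ET.fromstring(client_xml)
    pushed = ET.fromstring(pushed_xml)
    if not is_partial(pushed):
        return pushed
    merged = copy.deepcopy(client)
    patch = copy.deepcopy(pushed)
    patch.remove(patch.find("partial_configuration"))
    _overlay(merged, patch)
    return merged


def value(root: ET.Element, path: str) -> Optional[str]:
    """Read a leaf value by path such as 'system/ui/ads'."""
    node = root.find(path)
    return None if node is None else (node.text or "").strip()


if __name__ == "__main__":
    merged = merge_partial(CLIENT_CONFIG, PARTIAL_CONFIG)
    for path in ("system/ui/ads", "system/ui/culture_code", "system/update/port",
                 "system/update/failoverport", "vpn/options/autostart_tunnel"):
        print(f"{path} = {value(merged, path)}")
```

Running the script shows the two values the partial configuration changes (ads, failoverport) alongside the values it leaves untouched (culture_code, port, the VPN section), which is the "all other XML configuration will be preserved" behaviour the text describes; removing the flag from the pushed XML makes the script treat it as a full configuration instead.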

Advanced VPN provisioning

You need to enable VPN provisioning and advanced VPN from the FortiOS CLI to import the FortiClient XML VPN configuration syntax. You can import the XML VPN configuration in the CLI or the GUI.

Import XML VPN configuration into the FortiClient Profile via the CLI:

  1. Log in to your FortiGate command-line interface.
  2. Enter the following CLI commands:

config endpoint-control profile
    edit <profile_name>
        config forticlient-winmac-settings
            set forticlient-vpn-provisioning enable
            set forticlient-advanced-vpn enable
            set auto-vpn-when-off-net enable
            set auto-vpn-name <VPN name to connect to automatically when off-net>
            set forticlient-advanced-vpn-buffer <Copy & paste the advanced VPN configuration>
        end
    next
end

After the forticlient-vpn-provisioning and forticlient-advanced-vpn CLI commands are enabled, the forticlient-advanced-vpn-buffer CLI command is available from the CLI.

Copy directly from your XML editor, preserving the XML file format. Copy all information from the <vpn> start of syntax to the </vpn> end of syntax XML tags. Add double quotes before the <vpn> tag and after the </vpn> tag.
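The following Python helper is an added example, not Fortinet's code: it pulls exactly the <vpn> to </vpn> subtree out of a full FortiClient XML configuration, wraps it in double quotes for the forticlient-advanced-vpn-buffer setting as the text instructs, and checks that the name passed to auto-vpn-name is a tunnel the pushed XML actually defines, so the off-net auto-connect does not point at a tunnel the client will never have. The sample configuration, the element names under <vpn>, the profile and tunnel names, and the backslash escaping of embedded quotes are assumptions (check the escaping against the FortiOS CLI Reference).

```python
import xml.etree.ElementTree as ET

# Constructed sample full FortiClient configuration; the element names under <vpn>
# are illustrative and must be checked against the FortiClient XML Reference.
FULL_CONFIG = """<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <system>
    <ui><ads>0</ads></ui>
  </system>
  <vpn>
    <options>
      <autostart_tunnel>1</autostart_tunnel>
      <autostart_tunnel_name>HQ-SSLVPN</autostart_tunnel_name>
    </options>
    <sslvpn>
      <connections>
        <connection>
          <name>HQ-SSLVPN</name>
          <server>vpn.example.com:443</server>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""


def extract_vpn_xml(config_xml: str) -> str:
    """Return exactly the <vpn> ... </vpn> subtree, which is what the buffer expects."""
    root = ET.fromstring(config_xml)
    vpn = root.find("vpn")
    if vpn is None:
        raise ValueError("configuration has no <vpn> section")
    vpn.tail = None  # drop whitespace that followed </vpn> in the full file
    return ET.tostring(vpn, encoding="unicode")


def tunnel_names(vpn_xml: str) -> list:
    """Names of all tunnel connections defined in the <vpn> subtree."""
    return [(n.text or "").strip() for n in ET.fromstring(vpn_xml).iter("name")]


def quote_for_cli(text: str) -> str:
    """Wrap text in double quotes for the CLI.

    Assumption: backslash escaping of embedded quotes and backslashes, as in
    most CLIs; confirm against the FortiOS CLI Reference before relying on it.
    """
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_vpn_profile_cli(profile_name: str, auto_vpn_name: str, config_xml: str) -> str:
    """Emit the CLI block from the text, with the <vpn> subtree in the buffer."""
    vpn_xml = extract_vpn_xml(config_xml)
    if auto_vpn_name not in tunnel_names(vpn_xml):
        # The off-net auto-connect name must refer to a tunnel the pushed XML defines.
        raise ValueError(f"auto-vpn tunnel {auto_vpn_name!r} is not defined in the <vpn> section")
    lines = [
        "config endpoint-control profile",
        f"    edit {quote_for_cli(profile_name)}",
        "        config forticlient-winmac-settings",
        "            set forticlient-vpn-provisioning enable",
        "            set forticlient-advanced-vpn enable",
        "            set auto-vpn-when-off-net enable",
        f"            set auto-vpn-name {quote_for_cli(auto_vpn_name)}",
        f"            set forticlient-advanced-vpn-buffer {quote_for_cli(vpn_xml)}",
        "        end",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_vpn_profile_cli("corp-windows", "HQ-SSLVPN", FULL_CONFIG))
```

The generated block is what you would paste into the FortiGate CLI; because the buffer value spans several lines, paste it as a whole rather than line by line, and keep the FortiClient XML reference open to confirm the connection element names for your FortiClient version.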

  1. You can also choose to copy & paste the XML content in the GUI: go to Security Profiles > FortiClient Profiles and select the VPN
  2. Configure the following settings:
Profile Name Enter a unique name to identify the FortiClient profile.
Comments Optionally, enter a comment.
Assign Profile To For more information on configuring device groups, user groups, and users, see the FortiOS Handbook.

These options are only available when creating a new endpoint profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.

FortiClient does not support nested groups in FortiOS.

VPN Enable Client VPN Provisioning.

Cut and paste the FortiClient XML configuration <vpn> to </vpn> tags in the text window. The XML syntax must be preserved.

Enable Auto-connect when Off-Net and select a VPN name from the dropdown list.

  3. Select Apply to save the FortiClient profile settings.

For more information, see Appendix A – Deployment Scenarios on page 127.

FortiClient Settings

Settings

This section describes the available options in the settings menu.

Backup or restore full configuration

To backup or restore the full configuration file, select File > Settings from the toolbar. Expand the System section, then select Backup or Restore as needed. Restore is only available when operating in standalone mode.

When performing a backup you can select the file destination, password requirements, and add comments as needed.

Logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.

VPN VPN logging is available when in standalone mode or when registered to FortiGate/EMS.
Application Firewall Application Firewall logging is available when registered to FortiGate/EMS.
AntiVirus Antivirus activity logging is available when in standalone mode or when registered to FortiGate/EMS.
Web Filter Web Filter logging is available when in standalone mode (Web Security) or when registered to FortiGate/EMS.
Update Update logging is available when in standalone mode or when registered to FortiGate/EMS.
Vulnerability Scan Vulnerability Scan logging is available when registered to FortiGate/EMS.

Log Level This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured).
Log File The option to export the log file (.log) is available when in standalone mode or when registered to FortiGate/EMS. The option to clear logs is only available when in standalone mode.

The following table lists the logging levels and description:

Logging Level   Description
Emergency   The system becomes unstable.
Alert   Immediate action is required.
Critical   Functionality is affected.
Error   An error condition exists and functionality could be affected.
Warning   Functionality could be affected.
Notice   Information about normal events.
Information   General information about system operations.
Debug   Debug FortiClient.

It is recommended to use the debug logging level only when needed. Do not leave the debug logging level permanently enabled in a production environment to avoid unnecessarily consuming disk space.

Configure logging to FortiAnalyzer or FortiManager

To configure FortiClient to log to your FortiAnalyzer or FortiManager you require the following:

  • FortiClient 5.2.0 or later
  • A FortiGate device running FortiOS 5.2.0 or later, or EMS 1.0
  • A FortiAnalyzer or FortiManager device running 5.0.7 or later

The registered FortiClient device will send traffic logs, vulnerability scan logs, and event logs to the log device on port 514 TCP.

Enable logging on the FortiGate device:

  1. On your FortiGate device, select Log & Report > Log Settings. The Log Settings window opens.
  2. Enable Send Logs to FortiAnalyzer/FortiManager.
  3. Enter the IP address of your log device in the IP Address field. You can select Test Connectivity to ensure your FortiGate is able to communicate with the log device on this IP address.
  4. Select Apply to save the setting.

Enable logging in the FortiGate FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page opens.
  3. In the Advanced tab, enable Upload Logs to FortiAnalyzer.
  4. Select either Same as System to send the logs to the FortiAnalyzer or FortiManager configured in the Log Settings, or Specify to enter a different IP address.
  5. In the Schedule field, select to upload logs either Hourly or Daily.
  6. Select Apply to save the settings.

Once the FortiClient Profile change is synchronized with the client, you will start receiving logs from registered clients on your FortiAnalyzer/FortiManager system.

Alternatively, you can configure logging in the command line interface. Go to System > Dashboard > Status. In the CLI Console widget, enter the following CLI commands:

config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-upload-server <IP address>
            set forticlient-log-upload-schedule {hourly | daily}
            set forticlient-log-ssl-upload {enable | disable}
            set client-log-when-on-net {enable | disable}
        end
    next
end

To download the FortiClient log files on the FortiAnalyzer go to the Log View tab, select the ADOM, and select the FortiClient menu object.

Enable logging in the EMS endpoint profile:

  1. On EMS, select an endpoint profile, then go to System Settings.
  2. Enable Upload Logs to FortiAnalyzer/FortiManager.
  3. Enter the IP address or hostname, schedule upload (in minutes), and log generation timeout (in seconds).
  4. Select Save to save the settings.

Updates

To configure updates, select File > Settings from the toolbar, then expand the System section.

Select to either automatically download and install updates when they are available on the FortiGuard Distribution Servers, or to send an alert when updates are available.

This setting can only be configured when in standalone mode.

You can select to use a FortiManager device for signature updates. When configuring the endpoint profile, select Use FortiManager for client software/signature updates to enable the feature and enter the IP address of your FortiManager device.

To configure FortiClient to use FortiManager for signature updates (FortiGate):

  1. On your FortiOS device, select Security Profiles > FortiClient Profiles.
  2. On the Advanced tab, enable FortiManager updates.
  3. Specify the IP address or domain name of the FortiManager device.
  4. Select Failover to FDN to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
  5. Select Apply to save the settings.

To configure FortiClient to use FortiManager for signature updates (EMS):

  1. On EMS, select an endpoint profile, then go to System Settings.
  2. Toggle the Use FortiManager for client software/signature update option to ON.
  3. Specify the IP address or hostname of the FortiManager device.
  4. Select Failover to FDN when FortiManager is not available to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
  5. Select Save to save the settings.

VPN options

To configure VPN options, select File > Settings from the toolbar and expand the VPN section. Select Enable VPN before logon to enable VPN before log on.

This setting can only be configured when in standalone mode.

Certificate management

To configure VPN certificates, select File > Settings from the toolbar and expand the Certificate Management section. Select Use local certificate uploads (IPsec only) to configure IPsec VPN to use local certificates and import certificates to FortiClient.

This setting can only be configured when in standalone mode.

Antivirus options

To configure antivirus options, select File > Settings from the toolbar and expand the Antivirus Options section.

These settings can only be configured when in standalone mode.

Configure the following settings:

Grayware Options Grayware is an umbrella term applied to a wide range of malicious applications such as spyware, adware and key loggers that are often secretly installed on a user’s computer to track and/or report certain information back to an external source without the user’s permission or knowledge.
Adware Select to enable adware detection and quarantine during the antivirus scan.
Riskware Select to enable riskware detection and quarantine during the antivirus scan.
Scan removable media on insertion Select to scan removable media when it is inserted.
Alert when viruses are detected Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. When Alert when viruses are detected under AntiVirus Options is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.
Pause background scanning on battery power Select to pause background scanning when your computer is operating on battery power.

Enable FortiGuard Analytics Select to automatically send suspicious files to the FortiGuard Network for analysis.

When registered to FortiGate, you can select to enable or disable FortiClient Antivirus Protection in the FortiClient Profile.

Advanced options

To configure advanced options, select File > Settings from the toolbar and expand the Advanced section.

These settings can only be configured when in standalone mode. When registered to FortiGate/EMS, these settings are set by the XML configuration (if configured).

Configure the following settings:

Enable WAN Optimization Select to enable WAN Optimization. Enable this only if you have a FortiGate device and that FortiGate is configured for WAN Optimization.

This setting can be configured when in standalone mode.

Maximum Disk Cache Size Select to configure the maximum disk cache size. The default value is 512MB.
Enable Single Sign-On mobility agent Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device.

This setting can be configured when in standalone mode.

Server address Enter the FortiAuthenticator IP address.
Customize port Enter the port number. The default port is 8001.
Pre-shared Key Enter the pre-shared key. The pre-shared key should match the key configured on your FortiAuthenticator device.

Disable proxy (troubleshooting only) Select to disable proxy when troubleshooting FortiClient.

This setting can be configured when in standalone mode.

Default tab Select the default tab to be displayed when opening FortiClient. This setting can be configured when in standalone mode.

Single Sign-On mobility agent

The FortiClient Single Sign-On (SSO) Mobility Agent is a client that updates FortiAuthenticator with user logon and network information.

FortiClient/FortiAuthenticator protocol

The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator, which replies with an acknowledgment packet.

FortiClient/FortiAuthenticator communication requires the following:

  • The IP address should be unique in the entire network.
  • The FortiAuthenticator should be accessible from clients in all locations.
  • The FortiAuthenticator should be accessible by all FortiGates.

FortiClient Single Sign-On Mobility Agent requires a FortiAuthenticator running 2.0.0 or later, or v3.0.0 or later. Enter the FortiAuthenticator (server) IP address, port number, and the pre-shared key configured on the FortiAuthenticator.

Enable Single Sign-On mobility agent on FortiClient:

  1. Select File in the toolbar and select Settings in the drop-down menu.
  2. Select Advanced to view the drop-down menu.
  3. Select to Enable Single Sign-On mobility agent.
  4. Enter the FortiAuthenticator server address and the pre-shared key.

This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured).

Enable FortiClient SSO mobility agent service on the FortiAuthenticator:

  1. Select Fortinet SSO Methods > SSO > General. The Edit SSO Configuration page opens.
  2. Select Enable FortiClient SSO Mobility Agent Service and enter a TCP port value for the listening port.
  3. Select Enable authentication and enter a secret key or password.
  4. Select OK to save the setting.

To enable FortiClient FSSO services on the interface:

  1. Select System > Network > Interfaces. Select the interface and select Edit from the toolbar. The Edit Network Interface window opens.
  2. Select the checkbox to enable FortiClient FSSO.
  3. Select OK to save the setting.

To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

For information on purchasing a FortiClient license for FortiAuthenticator, please contact your authorized Fortinet reseller.

Configuration lock

To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked, configuration changes are restricted and FortiClient cannot be shut down or uninstalled.

When the configuration is locked you can perform the following actions:

  • Antivirus
    • Complete an antivirus scan, view threats found, and view logs
    • Select Update Now to update signatures
  • Web Security
    • View violations
  • Application Firewall
    • View applications blocked
  • Remote Access
    • Configure, edit, or delete an IPsec VPN or SSL VPN connection
    • Connect to a VPN connection
  • Vulnerability Scan
    • Complete a vulnerability scan of the system
    • View vulnerabilities found
  • Register and unregister FortiClient for Endpoint Control
  • Settings
    • Export FortiClient logs
    • Backup the FortiClient configuration

To perform configuration changes or to shut down FortiClient, select the lock icon and enter the password used to lock the configuration.

FortiTray

When FortiClient is running on your system, you can select the FortiTray icon in the Windows system tray to perform various actions. The FortiTray icon is available in the system tray even when the FortiClient console is closed.

  • Default menu options
    • Open FortiClient console
    • Shutdown FortiClient
  • Dynamic menu options depending on configuration
    • Connect to a configured IPsec VPN or SSL VPN connection
    • Display the antivirus scan window (if a scheduled scan is currently running)
    • Display the Vulnerability scan window (if a vulnerability scan is running)

If you hover the mouse cursor over the FortiTray icon, you will receive various notifications including the version, antivirus signature, and antivirus engine.

Connect to a VPN connection

To connect to a VPN connection from FortiTray, right-click the FortiTray icon in the Windows system tray. Select the connection you wish to connect to, enter your username and password in the authentication window, then select OK to connect.