Custom FortiClient Installations

The FortiClient Configurator tool is the recommended method of creating customized FortiClient installation files.

You can also customize which modules are displayed in the FortiClient dashboard in the FortiClient Profile. This will allow you to activate any of the modules at a later date without needing to re-install FortiClient. Any changes made to the FortiClient Profile are pushed to registered clients.

When creating VPN only installation files, you cannot enable other modules in the FortiClient Profile as only the VPN module is installed.

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.

The FortiClient Configurator tool is included with the FortiClient Tools file in FortiClient 5.2. This file is only available on the Customer Service & Support portal and is located in the same file directory as the FortiClient images.

The Configurator tool requires activation with a license file. Ensure that you have completed the following steps prior to logging in to your FortiCare product web portal:

  • Purchased a FortiClient Registration License
  • Activated the FortiClient license on a FortiGate

This video explains how to purchase and apply a FortiClient License: http://www.youtube.com/watch?feature=player_embedded&v=sIkWaUXK0Ok

This chapter contains the following sections:

  • Download the license file
  • Create a custom installer
  • Custom installation packages
  • Advanced FortiClient profiles

Download the license file

To retrieve your license file:

  1. Go to https://support.fortinet.com and log in to your FortiCare account.
  2. Under Asset, select Manage/View Products. Select the FortiGate device that has the FortiClient registration license activated. The Get the Key File link appears under Available Key(s).
  3. Click the link and download license file to your management computer. This file will be needed each time you use the FortiClient Configurator tool.

Create a custom installer

Fortinet offers a repacking tool for both Microsoft Windows and Mac OS X operating systems. The following section provides instructions on creating a custom installer file using the FortiClient Configurator tool.

When you choose to install custom features, only the selected modules are installed. To enable other features later, you must uninstall FortiClient and reinstall from an MSI file that includes those features.

FortiClient (Windows) Configurator tool

To create a custom installer using the FortiClient Configurator tool:

  1. Unzip the FortiClientTools file, open the FortiClientConfigurator folder, and double-click the .exe application file to launch the tool. The tool opens at the Welcome page, where you select the mode:

Licensed   Licensed mode requires a FortiClient license file.
Trial   In FortiClient 5.4, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment.

  2. Browse and select the FortiClient Configurator Activation Key file (.lic) on your management computer.
  3. After entering the FortiClient Configurator license, select Next. The Configuration File page is displayed.

Select Config File (optional)   The configuration file (.conf, .sconf) settings will be included in the installer file.
Password   If the configuration file is encrypted (.sconf), enter the password used to encrypt the file.

You can use an XML editor to make changes to the FortiClient configuration file. For more information on FortiClient XML configuration, see the FortiClient XML Reference in the Fortinet Document Library, http://docs.fortinet.com.

  4. Browse and select the FortiClient configuration file on your management computer. This is an optional step. If you do not want to import settings from a configuration file, select Skip to continue. The Settings page is displayed.

The following options are available for custom installations:

Features to Install
Everything   All Security and VPN components will be installed.
Client security only   Only AntiVirus, Web Filtering, and Application Firewall will be installed.
VPN only   Only VPN components (IPsec and SSL) will be installed.
Other   Select one of the following from the drop-down list:
  • AntiVirus & Web Filtering only
  • Web Filtering only
  • Application Firewall only
  • Application Firewall & Web Filtering only
  • Web Filtering, VPN and Application Firewall
  • Single Sign-On mobility agent only

Options
Desktop Shortcut   Select to create a FortiClient desktop icon.
Start Menu   Select to add FortiClient to the Start menu.
Enable Software Update   Select to enable software updates. This option is disabled when Rebrand FortiClient is selected. This option is also disabled when using Trial mode.
Configure Single Sign-On mobility agent   Select to configure the Single Sign-On mobility agent for use with FortiAuthenticator.
Rebrand FortiClient   Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient.

  5. Select the features to install and the options, then select Next to continue.

If you selected to configure the Single Sign-On mobility agent, the Single Sign-On Mobility Agent Settings page is displayed.

  6. Configure the following settings:

Server IP/FQDN   Enter the IP address or FQDN of the FortiAuthenticator server.
Port Number   Enter the port number. The default port is 8001.
Pre-Shared Key   Enter the FortiAuthenticator pre-shared key.
Confirm Pre-Shared Key   Re-enter the FortiAuthenticator pre-shared key to confirm it.

  7. Select Next to continue. If you selected to rebrand FortiClient, the Rebranding page is displayed.
  8. Rebrand FortiClient elements as required. The resources folder contains the graphical elements. For more information, see Appendix C – Rebranding FortiClient.
  9. Select Next to continue. The Package Signing page is displayed.
  10. Configure the following settings:

Select Code Signing Certificate (optional)   If you have a code signing certificate, you can use it to digitally sign the installer package this tool generates.
Password   If the certificate file is password protected, enter the password.

  11. Browse and select the code signing certificate on your management computer. This is an optional step. If you do not want to digitally sign the installer package, select Skip to continue. The Execution page is displayed.

This page provides details of the installer file creation and the location of files for Active Directory deployment and manual distribution. The tool creates files for both 32-bit (x86) and 64-bit (x64) operating systems.

  12. Select Finish. If Browse to output MSI file upon exit is selected, the folder containing the newly created MSI file opens.

Before deploying the custom MSI files, it is recommended that you test the packages to confirm that they install correctly. In FortiClient 5.2.0 and later, an .exe installation file is created for manual distribution.

Installation files are organized in folders within the FortiClientTools > FortiClient Configurator > FortiClient repackaged folder. Folder names identify the type of installation files that were created and the creation date.

FortiClient (Mac OS X) Configurator tool

To create a custom installer using the FortiClient Configurator tool:

  1. Unzip the FortiClientTools file, open the Configurator folder, double-click the FortiClientConfigurator.dmg file, and then double-click the FCTConfigurator icon to launch the tool. The Configurator tool opens.
  2. Configure the following settings:

Licensed | Trial   Licensed mode requires a FortiClient 5.2 license file. In FortiClient v5.2, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment.
Source   Select the FortiClient Installer file on your management computer. You must use the full installer file, otherwise FortiClient Configurator will fail to create a custom installation file. The FortiClient Installer version and FortiClient Configurator version must match, otherwise the Configurator will fail to create a custom installation file.
Destination   Enter a name for the custom installation file and select a destination to save the file on your management computer.
Features to Install   Select to install all FortiClient modules, VPN only, or SSO only. If SSO only is selected, you must configure the SSO settings in the attached configuration file.
Server IP/FQDN   Enter the IP address or FQDN of the FortiAuthenticator server. This option is available when SSO only is selected for Features to Install.
Port Number   Enter the port number. The default port is 8001. This option is available when SSO only is selected for Features to Install.
Pre-Shared Key   Enter the FortiAuthenticator pre-shared key. This option is available when SSO only is selected for Features to Install.
Confirm Pre-Shared Key   Re-enter the FortiAuthenticator pre-shared key to confirm it. This option is available when SSO only is selected for Features to Install.
Config file   Optionally, select a pre-configured FortiClient backup configuration file. If you selected Everything or VPN only for Features to Install, you must use a configuration file to configure the related settings.
Software Update   Select to enable or disable software updates.
Rebrand   Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient.
Rebranding resources   Select the FortiClient resources file on your management computer.

  3. Select the Start button to create the custom FortiClient installation file.
  4. You can now deploy the repackaged FortiClient .dmg file to your Mac OS X systems.

Custom installation packages

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.

FortiClient (Windows)

After the Configurator tool generates the custom installation packages, you can deploy FortiClient either manually or using Active Directory. Both options can be found in the …/FortiClient_packaged directory. Files are created for both x86 (32-bit) and x64 (64-bit) operating systems.

If Active Directory is being used to deploy FortiClient, you can use the custom installer with the MST file found in the …/ActiveDirectory folder.

For manual distribution, use the .exe file in the …/ManualDistribution folder.

Advanced FortiClient profiles

When creating custom FortiClient MSI files for deployment, you will need to configure advanced FortiClient profiles on the FortiGate/EMS to ensure that settings in the FortiClient profile do not overwrite your custom XML settings. You can configure the FortiClient profile to deliver the full XML configuration, VPN settings only, or specific parts of the FortiClient XML configuration. For more information on customizing the FortiClient XML configuration file, see Appendix C – Rebranding FortiClient.

Fortinet recommends creating OS-specific endpoint profiles when provisioning XML settings. When creating a new FortiClient profile, select the device group as either Windows PC or Mac. If a FortiClient (Windows) XML configuration is pushed to a FortiClient (Mac OS X) system, FortiClient (Mac OS X) will ignore settings which are not supported.

Provision a full XML configuration file

You can deploy the full XML configuration file from the CLI or GUI.

To deploy the full XML configuration via the CLI:

  1. Log in to the FortiGate command-line interface.
  2. Enter the following CLI commands:

config endpoint-control profile
    edit <profile_name>
        config forticlient-winmac-settings
            set forticlient-advanced-cfg enable
            set forticlient-advanced-cfg-buffer "Copy & paste your FortiClient XML configuration here"
        end
    end

Copy directly from your XML editor, preserving the XML file format. Copy everything from the opening <?xml version="1.0" encoding="UTF-8" ?> declaration to the closing </forticlient_configuration> tag, and add double quotes at the start and end of the XML text.

To deploy the full XML configuration via the FortiGate GUI:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page is displayed.
  3. Configure the following settings:

Profile Name   Enter a unique name to identify the FortiClient profile.
Comments   Optionally, enter a comment.
Assign Profile To   For more information on configuring device groups, user groups, and users, see the FortiOS Handbook. These options are only available when creating a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN. FortiClient does not support nested groups in FortiOS.
XML text window   Copy and paste the FortiClient XML configuration file in the text window. The XML syntax must be preserved.

  4. Select Apply to save the FortiClient profile settings.

To deploy the full XML configuration via EMS:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Advanced option to the right of the profile name.
  3. Select Yes in the confirmation dialog box.
  4. Copy and paste the XML configuration file text into the text box.
  5. Select Save to save the FortiClient profile settings.

Partial configuration

The current buffer size is 32 kB. This may not be large enough to accommodate your FortiClient XML configuration. As a workaround, you can use the FortiClient Configurator tool to create a custom MSI installation file using a .conf FortiClient backup configuration that contains the static custom configuration. You can then include a partial configuration in the advanced FortiClient profile. This partial configuration is pushed when the client registers with the FortiGate and is merged with the existing XML configuration on the client.

To provision specific FortiClient XML configuration while preserving custom XML configurations in your MSI file, cut & paste the specific XML configuration into the FortiClient Profile in the following format:

<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
    <partial_configuration>1</partial_configuration>
    <system>
        <ui>
            <ads>0</ads>
            <default_tab>VPN</default_tab>
            <flashing_system_tray_icon>0</flashing_system_tray_icon>
            <hide_system_tray_icon>0</hide_system_tray_icon>
            <suppress_admin_prompt>0</suppress_admin_prompt>
            <culture_code>os-default</culture_code>
        </ui>
        <update>
            <use_custom_server>0</use_custom_server>
            <port>80</port>
            <timeout>60</timeout>
            <failoverport>8000</failoverport>
            <fail_over_to_fdn>1</fail_over_to_fdn>
            <scheduled_update>
                <enabled>0</enabled>
                <type>interval</type>
                <daily_at>03:00</daily_at>
                <update_interval_in_hours>3</update_interval_in_hours>
            </scheduled_update>
        </update>
    </system>
</forticlient_configuration>

Ensure that the <partial_configuration>1</partial_configuration> tag is set to 1 to indicate that this partial configuration will be deployed upon registration with the FortiGate. All other XML configuration will be preserved.

Advanced VPN provisioning

You need to enable VPN provisioning and advanced VPN from the FortiOS CLI to import the FortiClient XML VPN configuration syntax. You can import the XML VPN configuration in the CLI or the GUI.

To import the XML VPN configuration into the FortiClient Profile via the CLI:

  1. Log in to your FortiGate command-line interface.
  2. Enter the following CLI commands:

config endpoint-control profile
    edit <profile_name>
        config forticlient-winmac-settings
            set forticlient-vpn-provisioning enable
            set forticlient-advanced-vpn enable
            set auto-vpn-when-off-net enable
            set auto-vpn-name <VPN name to connect to automatically when off-net>
            set forticlient-advanced-vpn-buffer <Copy & paste the advanced VPN configuration>
        end
    end

The forticlient-advanced-vpn-buffer command only becomes available in the CLI after forticlient-vpn-provisioning and forticlient-advanced-vpn have been enabled.

Copy directly from your XML editor, preserving the XML file format. Copy everything from the opening <vpn> tag to the closing </vpn> tag, and add double quotes before the <vpn> tag and after the </vpn> tag.

To import the XML VPN configuration into the FortiClient Profile via the GUI:

  1. Go to Security Profiles > FortiClient Profiles and select the VPN
  2. Configure the following settings:

Profile Name   Enter a unique name to identify the FortiClient profile.
Comments   Optionally, enter a comment.
Assign Profile To   For more information on configuring device groups, user groups, and users, see the FortiOS Handbook. These options are only available when creating a new endpoint profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN. FortiClient does not support nested groups in FortiOS.
VPN   Enable Client VPN Provisioning. Cut and paste the FortiClient XML configuration from the <vpn> tag to the </vpn> tag into the text window. The XML syntax must be preserved. Enable Auto-connect when Off-Net and select a VPN name from the drop-down list.

  3. Select Apply to save the FortiClient profile settings.

For more information, see Appendix A – Deployment Scenarios.
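Both buffers described above (the partial configuration for forticlient-advanced-cfg-buffer and the <vpn> subtree for forticlient-advanced-vpn-buffer) are filled by hand-pasting XML into the CLI, which is where most mistakes happen: a missing partial_configuration flag silently turns a partial push into a full one, an oversize buffer is rejected, and the <vpn> block is easy to cut off in the wrong place. The following Python script is an added example written for this guide, not Fortinet tooling. It checks a partial configuration (well-formed XML, correct root element, partial_configuration set to 1, within the 32 kB buffer), extracts the <vpn> subtree from a full backup, and prints the CLI stanza with both buffers quoted. The sample XML, the hostname vpn.example.com and the profile name are constructed for the example; escaping embedded double quotes with a backslash is an assumption about FortiOS CLI string syntax that you should confirm against the CLI Reference for your FortiOS version.

```python
"""Prepare FortiClient XML for the FortiGate advanced-profile buffers.

Added example for this guide, not Fortinet tooling.  It automates the two
copy-and-paste steps described in the text:

  * forticlient-advanced-cfg-buffer takes a partial configuration, which must
    carry <partial_configuration>1</partial_configuration> and fit in the
    32 kB buffer;
  * forticlient-advanced-vpn-buffer takes only the <vpn>...</vpn> subtree of
    a full configuration.

The 32 kB limit and the "wrap in double quotes" rule come from the guide.
Escaping embedded double quotes with a backslash is an ASSUMPTION about the
FortiOS CLI string syntax; confirm it against the CLI Reference before use.
"""
import xml.etree.ElementTree as ET

BUFFER_LIMIT = 32 * 1024  # bytes; the advanced-cfg buffer size given in the guide

# Constructed sample: a minimal full FortiClient backup with one SSL VPN tunnel.
FULL_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <system><ui><default_tab>VPN</default_tab></ui></system>
  <vpn>
    <sslvpn>
      <connections>
        <connection><name>HQ</name><server>vpn.example.com:443</server></connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>"""

# Constructed sample: a partial configuration in the shape the guide shows.
PARTIAL_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <partial_configuration>1</partial_configuration>
  <system><ui><ads>0</ads><default_tab>VPN</default_tab></ui></system>
</forticlient_configuration>"""


def _quote(value: str) -> str:
    """Wrap text in double quotes for a FortiOS CLI string argument.

    Backslash-escaping of embedded quotes is the assumption noted above.
    """
    return '"' + value.replace('"', '\\"') + '"'


def check_partial_config(xml_text: str) -> dict:
    """Validate a partial configuration before it goes into the cfg buffer.

    Returns {"ok": bool, "problems": [...], "size": bytes}; each problem is
    one reason the buffer would not be applied the way the guide describes.
    """
    size = len(xml_text.encode("utf-8"))
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"ok": False, "problems": [f"not well-formed XML: {exc}"], "size": size}
    if root.tag != "forticlient_configuration":
        problems.append(f"root element is <{root.tag}>, expected <forticlient_configuration>")
    if root.findtext("partial_configuration") != "1":
        # Without this flag set to 1 the rest of the client's XML configuration
        # is not preserved when the profile is pushed at registration.
        problems.append("<partial_configuration> must be present and set to 1")
    if size > BUFFER_LIMIT:
        problems.append(f"{size} bytes exceeds the {BUFFER_LIMIT}-byte advanced-cfg buffer")
    return {"ok": not problems, "problems": problems, "size": size}


def extract_vpn_block(full_xml: str) -> str:
    """Return the <vpn>...</vpn> subtree of a full configuration as text."""
    root = ET.fromstring(full_xml)
    vpn = root.find("vpn")
    if vpn is None:
        raise ValueError("configuration has no <vpn> element")
    return ET.tostring(vpn, encoding="unicode").strip()


def cli_commands(profile: str, partial_xml: str, full_xml: str) -> list:
    """Build the CLI stanza from the guide with both buffers filled in."""
    check = check_partial_config(partial_xml)
    if not check["ok"]:
        raise ValueError("; ".join(check["problems"]))
    vpn_xml = extract_vpn_block(full_xml)
    return [
        "config endpoint-control profile",
        f"    edit {profile}",
        "        config forticlient-winmac-settings",
        "            set forticlient-advanced-cfg enable",
        f"            set forticlient-advanced-cfg-buffer {_quote(partial_xml)}",
        "            set forticlient-vpn-provisioning enable",
        "            set forticlient-advanced-vpn enable",
        f"            set forticlient-advanced-vpn-buffer {_quote(vpn_xml)}",
        "        end",
        "    end",
    ]


if __name__ == "__main__":
    print("\n".join(cli_commands("custom_xml_profile", PARTIAL_CONFIG, FULL_CONFIG)))
```

Run it against your own exported .conf backup in place of the constructed samples; if check_partial_config reports a size problem, move the static settings into the MSI via the Configurator tool as the workaround above describes and keep only the settings that must change at registration in the partial configuration.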

 



FortiClient Settings

Settings

This section describes the available options in the Settings menu.

Backup or restore full configuration

To back up or restore the full configuration file, select File > Settings from the toolbar. Expand the System section, then select Backup or Restore as needed. Restore is only available when operating in standalone mode.

When performing a backup you can select the file destination, password requirements, and add comments as needed.

Logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.

VPN VPN logging is available when in standalone mode or when registered to FortiGate/EMS.
Application Firewall Application Firewall logging is available when registered to FortiGate/EMS.
AntiVirus Antivirus activity logging is available when in standalone mode or when registered to FortiGate/EMS.
Web Filter Web Filter logging is available when in standalone mode (Web Security) or when registered to FortiGate/EMS.
Update Update logging is available when in standalone mode or when registered to FortiGate/EMS.
Vulnerability Scan Vulnerability Scan logging is available when registered to FortiGate/EMS.

 

Log Level This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured).
Log File The option to export the log file (.log) is available when in standalone mode or when registered to FortiGate/EMS. The option to clear logs is only available when in standalone mode.

The following table lists the logging levels and description:

Logging Level   Description
Emergency   The system becomes unstable.
Alert   Immediate action is required.
Critical   Functionality is affected.
Error   An error condition exists and functionality could be affected.
Warning   Functionality could be affected.
Notice   Information about normal events.
Information   General information about system operations.
Debug   Debug FortiClient.

It is recommended to use the debug logging level only when needed. Do not leave the debug logging level permanently enabled in a production environment to avoid unnecessarily consuming disk space.

Configure logging to FortiAnalyzer or FortiManager

To configure FortiClient to log to your FortiAnalyzer or FortiManager you require the following:

  • FortiClient 5.2.0 or later
  • A FortiGate device running FortiOS 5.2.0 or later, or EMS 1.0
  • A FortiAnalyzer or FortiManager device running 5.0.7 or later

The registered FortiClient device will send traffic logs, vulnerability scan logs, and event logs to the log device on port 514 TCP.

Enable logging on the FortiGate device:

  1. On your FortiGate device, select Log & Report > Log Settings. The Log Settings window opens.
  2. Enable Send Logs to FortiAnalyzer/FortiManager.
  3. Enter the IP address of your log device in the IP Address field. You can select Test Connectivity to ensure your FortiGate is able to communicate with the log device at this IP address.
  4. Select Apply to save the setting.

Enable logging in the FortiGate FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page opens.
  3. In the Advanced tab, enable Upload Logs to FortiAnalyzer.
  4. Select either Same as System to send the logs to the FortiAnalyzer or FortiManager configured in the Log Settings, or Specify to enter a different IP address.
  5. In the Schedule field, select to upload logs either Hourly or Daily.
  6. Select Apply to save the settings.

Once the FortiClient Profile change is synchronized with the client, you will start receiving logs from registered clients on your FortiAnalyzer/FortiManager system.

Alternatively, you can configure logging in the command line interface. Go to System > Dashboard > Status. In the CLI Console widget, enter the following CLI commands:

config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-upload-server <IP address>
            set forticlient-log-upload-schedule {hourly | daily}
            set forticlient-log-ssl-upload {enable | disable}
            set client-log-when-on-net {enable | disable}
        end
    end

To download the FortiClient log files on the FortiAnalyzer go to the Log View tab, select the ADOM, and select the FortiClient menu object.

Enable logging in the EMS endpoint profile:

  1. On EMS, select an endpoint profile, then go to the System Settings
  2. Enable Upload Logs to FortiAnalyzer/FortiManager.
  3. Enter the IP address or hostname, schedule upload (in minutes), and log generation timeout (in seconds).
  4. Select Save to save the settings.

Updates

To configure updates, select File > Settings from the toolbar, then expand the System section.

Select to either automatically download and install updates when they are available on the FortiGuard Distribution Servers, or to send an alert when updates are available.

This setting can only be configured when in standalone mode.

You can select to use a FortiManager device for signature updates. When configuring the endpoint profile, select Use FortiManager for client software/signature updates to enable the feature and enter the IP address of your FortiManager device.

To configure FortiClient to use FortiManager for signature updates (FortiGate):

  1. On your FortiOS device, select Security Profiles > FortiClient Profiles.
  2. On the Advanced tab, enable FortiManager updates.
  3. Specify the IP address or domain name of the FortiManager device.
  4. Select Failover to FDN to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
  5. Select Apply to save the settings.

To configure FortiClient to use FortiManager for signature updates (EMS):

  1. On EMS, select an endpoint profile, then go to the System Settings
  2. Toggle the Use FortiManager for client software/signature update option to ON.
  3. Specify the IP address or hostname of the FortiManager device.
  4. Select Failover to FDN when FortiManager is not available to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
  5. Select Save to save the settings.

VPN options

To configure VPN options, select File > Settings from the toolbar and expand the VPN section. Select Enable VPN before logon to enable VPN before log on.

This setting can only be configured when in standalone mode.

Certificate management

To configure VPN certificates, select File > Settings from the toolbar and expand the Certificate Management section. Select Use local certificate uploads (IPsec only) to configure IPsec VPN to use local certificates and import certificates to FortiClient.

This setting can only be configured when in standalone mode.

Antivirus options

To configure antivirus options, select File > Settings from the toolbar and expand the Antivirus Options section.

These settings can only be configured when in standalone mode.

Configure the following settings:

Grayware Options Grayware is an umbrella term applied to a wide range of malicious applications such as spyware, adware and key loggers that are often secretly installed on a user’s computer to track and/or report certain information back to an external source without the user’s permission or knowledge.
Adware Select to enable adware detection and quarantine during the antivirus scan.
Riskware Select to enable riskware detection and quarantine during the antivirus scan.
Scan removable media on insertion   Select to scan removable media when it is inserted.
Alert when viruses are detected Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. When Alert when viruses are detected under AntiVirus Options is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.
Pause background scanning on battery power Select to pause background scanning when your computer is operating on battery power.

Advanced options

Enable FortiGuard Analytics   Select to automatically send suspicious files to the FortiGuard Network for analysis.

When registered to FortiGate, you can select to enable or disable FortiClient Antivirus Protection in the FortiClient Profile.

Advanced options

To configure advanced options, select File > Settings from the toolbar and expand the Advanced section.

These settings can only be configured when in standalone mode. When registered to FortiGate/EMS, these settings are set by the XML configuration (if configured).

Configure the following settings:

Enable WAN Optimization Select to enable WAN Optimization. You should enable only if you have a FortiGate device and your FortiGate is configured for WAN Optimization.

This setting can be configured when in standalone mode.

Maximum Disk Cache Size Select to configure the maximum disk cache size. The default value is 512MB.
Enable Single Sign-On mobility agent Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device.

This setting can be configured when in standalone mode.

Server address Enter the FortiAuthenticator IP address.
Customize port Enter the port number. The default port is 8001.
Pre-shared Key Enter the pre-shared key. The pre-shared key should match the key configured on your FortiAuthenticator device.

Disable proxy (troubleshooting only) Select to disable proxy when troubleshooting FortiClient.

This setting can be configured when in standalone mode.

Default tab Select the default tab to be displayed when opening FortiClient. This setting can be configured when in standalone mode.

Single Sign-On mobility agent

The FortiClient Single Sign-On (SSO) Mobility Agent is a client that updates FortiAuthenticator with user logon and network information.

FortiClient/FortiAuthenticator protocol

The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator, which replies with an acknowledgment packet.

FortiClient/FortiAuthenticator communication requires the following:

  • The IP address should be unique in the entire network.
  • The FortiAuthenticator should be accessible from clients in all locations.
  • The FortiAuthenticator should be accessible by all FortiGates.

FortiClient Single Sign-On Mobility Agent requires a FortiAuthenticator running 2.0.0 or later, or v3.0.0 or later. Enter the FortiAuthenticator (server) IP address, port number, and the pre-shared key configured on the FortiAuthenticator.

Enable Single Sign-On mobility agent on FortiClient:

  1. Select File in the toolbar and select Settings in the drop-down menu.
  2. Select Advanced to view the drop-down menu.
  3. Select to Enable Single Sign-On mobility agent.
  4. Enter the FortiAuthenticator server address and the pre-shared key.

This setting can be configured when in standalone mode. When registered to FortiGate, this setting is set by the XML configuration (if configured).

Enable FortiClient SSO mobility agent service on the FortiAuthenticator:

  1. Select Fortinet SSO Methods > SSO > General. The Edit SSO Configuration page opens.
  2. Select Enable FortiClient SSO Mobility Agent Service and enter a TCP port value for the listening port.
  3. Select Enable authentication and enter a secret key or password.
  4. Select OK to save the setting.

To enable FortiClient FSSO services on the interface:

  1. Select System > Network > Interfaces. Select the interface and select Edit from the toolbar. The Edit Network Interface window opens.
  2. Select the checkbox to enable FortiClient FSSO.
  3. Select OK to save the setting.

To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

For information on purchasing a FortiClient license for FortiAuthenticator, please contact your authorized Fortinet reseller.

Configuration lock

To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked, configuration changes are restricted and FortiClient cannot be shut down or uninstalled.

When the configuration is locked you can perform the following actions:

  • Antivirus
    • Complete an antivirus scan, view threats found, and view logs
    • Select Update Now to update signatures
  • Web Security
    • View violations
  • Application Firewall
    • View applications blocked
  • Remote Access
    • Configure, edit, or delete an IPsec VPN or SSL VPN connection
    • Connect to a VPN connection
  • Vulnerability Scan
    • Complete a vulnerability scan of the system
    • View vulnerabilities found
  • Register and unregister FortiClient for Endpoint Control
  • Settings
    • Export FortiClient logs
    • Back up the FortiClient configuration

To perform configuration changes or to shut down FortiClient, select the lock icon and enter the password used to lock the configuration.

FortiTray

When FortiClient is running on your system, you can select the FortiTray icon in the Windows system tray to perform various actions. The FortiTray icon is available in the system tray even when the FortiClient console is closed.

  • Default menu options
    • Open FortiClient console
    • Shutdown FortiClient
  • Dynamic menu options depending on configuration
    • Connect to a configured IPsec VPN or SSL VPN connection
    • Display the antivirus scan window (if a scheduled scan is currently running)
    • Display the Vulnerability scan window (if a vulnerability scan is running)

If you hover the mouse cursor over the FortiTray icon, you will receive various notifications including the version, antivirus signature, and antivirus engine.

Connect to a VPN connection

To connect to a VPN connection from FortiTray, go to the Windows System Tray and right-click the FortiTray icon. Select the connection you wish to connect to, enter your username and password in the authentication window, then select OK to connect.

Vulnerability Scan

FortiClient includes a Vulnerability Scan module to check your workstation for known system vulnerabilities. You can scan on-demand or on a scheduled basis. This feature is disabled by default and the tab is hidden for standalone clients. For users who are registered to a FortiGate using endpoint control, the FortiGate administrator may choose to enable this feature. Vulnerability Scan is enabled via the FortiGate Command Line Interface (CLI) only. Once enabled, the Endpoint Vulnerability Scan on Client setting is available in the FortiClient Profile.

Enable vulnerability scan

This section describes how to enable Vulnerability Scan in the FortiClient Profile via the FortiGate CLI and configuration options.

To enable Vulnerability Scan in the FortiClient Profile:

  1. Log in to your FortiGate CLI.
  2. Enter the following CLI commands:

config endpoint-control profile
  edit <profile-name>
    config forticlient-winmac-settings
      set forticlient-vuln-scan enable
      set forticlient-vuln-scan-schedule {daily | weekly | monthly}
      set forticlient-vuln-scan-on-registration {enable | disable}
      set forticlient-ui-options {av | wf | af | vpn | vs}
    end
  end

<profile-name> Enter the name of the FortiClient Profile.
forticlient-vuln-scan {enable | disable} Enable or disable the Vulnerability Scan module.
forticlient-vuln-scan-schedule {daily | weekly | monthly} Configure a daily, weekly, or monthly vulnerability scan on the client workstation.
forticlient-vuln-scan-on-registration {enable | disable} Enable or disable vulnerability scan on client registration to FortiGate.
forticlient-ui-options {av | wf | af | vpn | vs} Set the FortiClient components that will be available to the client upon registration with FortiGate:
  • av: Antivirus
  • wf: Web Filter
  • af: Application Firewall
  • vpn: Remote Access
  • vs: Vulnerability Scan

  3. The FortiGate will send the FortiClient Profile configuration update to registered clients. The Vulnerability Scan tab is now accessible in FortiClient.

Scan now

To perform a vulnerability scan, select the Scan Now button in the FortiClient console. FortiClient will scan your workstation for known vulnerabilities. The console displays the date of the last scan above the button.

You can select to use a FortiManager device for client software and signature updates. When configuring the FortiClient Profile, select Use FortiManager for client software/signature update to enable the feature and enter the IP address of your FortiManager device.

View vulnerabilities

When the scan is complete, FortiClient will display the number of vulnerabilities found in the FortiClient console.

Select the Vulnerabilities Detected link to view a list of vulnerabilities detected on your system. Alternatively, select Detected: X on the Vulnerability Scan tab to view the vulnerabilities.

This page displays the following:

Vulnerability Name The name of the vulnerability.
Severity The severity level assigned to the vulnerability: Critical, High, Medium, Low, or Info.
Details FortiClient vulnerability scan lists a Bugtraq (BID) number under the details column. You can select the BID to view details of the vulnerability on the FortiGuard site, or search the web using this BID number.
Close Close the window and return to the FortiClient console.

Select the Details ID number from the list to view information on the selected vulnerability on the FortiGuard site.

The site details the release date, severity, impact, description, affected products, and recommended actions.


IPsec VPN and SSL VPN

FortiClient supports both IPsec and SSL VPN connections to your network for remote access. You can provision client VPN connections in the FortiClient Profile or configure new connections in the FortiClient console.

This section describes how to configure remote access.

Add a new connection

Select Configure VPN in the FortiClient console to add a new VPN configuration.

Create a new SSL VPN connection

To create a new SSL VPN connection, select Configure VPN or use the drop-down menu in the FortiClient console.

Select SSL-VPN, then configure the following settings:

Connection Name Enter a name for the connection.
Description Enter a description for the connection. (optional)
Remote Gateway Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Customize port Select to change the port. The default port is 443.

Authentication Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled.
Username If you selected to save login, enter the username in the dialog box.
Client Certificate Select to enable client certificates, then select the certificate from the dropdown list.
Do not Warn Invalid Server Certificate Select if you do not want to be warned if the server presents an invalid certificate.
Add Select the add icon to add a new connection.
Delete Select a connection and then select the delete icon to delete a connection.

Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.

Create a new IPsec VPN connection

To create a new IPsec VPN connection, select Configure VPN or use the drop-down menu in the FortiClient console.

Select IPsec VPN, then configure the following settings:

Connection Name Enter a name for the connection.
Description Enter a description for the connection. (optional)
Remote Gateway Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Authentication Method Select either X.509 Certificate or Pre-shared Key in the dropdown menu.
Authentication (XAuth) Select to prompt on login, save login, or disable.
Username If you selected save login, enter the username in the dialog box.
Advanced Settings Configure VPN settings, Phase 1, and Phase 2 settings.
VPN Settings  
Mode Select one of the following:

Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted. Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID).

Options Select one of the following:

Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.

Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.

DHCP over IPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling.

Phase 1   Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

  IKE Proposal Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
  DH Group Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.
  Key Life Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
  Local ID Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options.
  Dead Peer Detection Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
  NAT Traversal Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Phase 2   Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.
  IKE Proposal Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
  Key Life The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB has been processed. When the phase 2 key expires, a new key is generated without interrupting service.
  Enable Replay Detection Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
  Enable Perfect Forward Secrecy (PFS) Select the check box to enable Perfect Forward Secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
  DH Group Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses.
Add Select the add icon to add a new connection.
Delete Select a connection and then select the delete icon to delete a connection.

Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.

Provision client VPN connections

You can provision client VPN connections in the FortiClient Profile for registered clients.

FortiGate VPN provisioning

Provision a client VPN in the FortiClient Profile:

  1. Log in to your FortiGate device.
  2. In the left tree menu, select Security Profiles > FortiClient Profiles.
  3. Select the FortiClient profile and select Edit from the toolbar.
  4. Select the VPN

  5. Turn on VPN and Client VPN Provisioning.
  6. Configure the following:
IPsec VPN Configure remote gateway and authentication settings for IPsec VPN.
SSL-VPN Configure remote gateway and access settings for SSL VPN.
Auto-connect when Off-Net Turn on Auto-connect when Off-Net, then configure the following:
  • VPN Name: Select a VPN from the list.
  • Prevent VPN Disconnect: Turn on to not allow users to disconnect when the VPN is connected.
  • Captive Portal Support: Turn on to enable support for captive portals.
VPN before Windows logon Enable VPN connection before Windows log on.
  7. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

When registered to a FortiGate, VPN settings are enabled and configured in the FortiClient Profile.

Alternatively, you can provision a client VPN using the advanced VPN FortiClient Profile options in FortiGate. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.

EMS VPN provisioning

Provision a client VPN in the FortiClient Profile:

  1. Log in to EMS.
  2. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  3. Select the VPN
  4. Select the on/off button to enable VPN.

  5. Configure the following settings:
Allow Personal VPN Select to enable personal VPN connections.
Disable Connect/Disconnect Select to prevent users from disconnecting when the VPN is connected.
Show VPN Before Logon Enable VPN connection before Windows log on, and select from the following options:
  • Use Legacy VPN Before Logon
  • Use Windows Credentials
Local Computer Windows Store Certificates (IPSec only) Select to enable local Windows store certificates (IPsec only).
Current User Windows Store Certificates (IPSec only) Select to enable current user Windows store certificates (IPsec only).
Auto-connect only when Off-Net Turn on to automatically connect only when Off-Net.
Add VPN Tunnel Select to add a VPN tunnel, then enter the following information:
  • VPN Name: Enter the VPN name.
  • Type: Select the type of VPN tunnel, either SSL VPN or IPsec VPN.
  • Remote Gateway: Enter the remote gateway IP address or hostname.
  • Require Certificate: Turn on to require a certificate (SSL VPN only).
  • Access Port: Enter the access port number (SSL VPN only).
  • Authentication Method: Select the authentication method, either Pre-shared Key or Certificate (IPsec VPN only).
  • Pre-Shared Key: Enter the pre-shared key (IPsec VPN with pre-shared key only).
  • Advanced Configuration:
  6. Select Save to save your changes.

Connect to a VPN

To connect to a VPN, select the VPN connection from the drop-down menu. Enter your username, password, and select the Connect button.

Optionally, you can click on the system tray, right-click the FortiClient icon and select the VPN connection you want to connect to.

You can also select to edit an existing VPN connection and delete an existing VPN connection using the dropdown menu.

When connected, the console will display the connection status, duration, and other relevant information. You can now browse your remote network. Select the Disconnect button when you are ready to terminate the VPN session.

Save Password, Auto Connect, and Always Up

When configuring a FortiClient IPsec or SSL VPN connection on your FortiGate/EMS, you can select to enable the following features:

  • Save Password: Allows the user to save the VPN connection password in the console.
  • Auto Connect: When FortiClient is launched, the VPN connection will automatically connect.
  • Always Up (Keep Alive): When selected, the VPN connection is always up even when no data is being processed. If the connection fails, keep alive packets sent to the FortiGate will sense when the VPN connection is available and re-connect.

When enabled in the FortiGate configuration, once the FortiClient is connected to the FortiGate, the client will receive these configuration options.

For FortiClient VPN configurations, once these features are enabled they may only be edited from the command line. Use the following FortiOS CLI commands to disable these features:

config vpn ipsec phase1-interface
  edit [vpn name]
    set save-password disable
    set client-auto-negotiate disable
    set client-keep-alive disable
  end
end

FortiToken and FortiClient VPN

You can use FortiToken with FortiClient for two-factor authentication. See the FortiOS Handbook for information on configuring FortiToken, user groups, VPN, and two-factor authentication on your FortiGate device for FortiClient VPN connections.

Advanced features (Microsoft Windows)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.

Activating VPN before Windows Log on

When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, it is required to also check the check box Users must enter a username and password to use this computer in the User Accounts dialog box.

To make this change, proceed as follows:

In FortiClient:

  1. Create the VPN tunnels of interest or use Endpoint Control to register to a FortiGate/EMS which provides the VPN list of interest.
  2. Enable VPN before log on on the FortiClient Settings page, see VPN options.

On the Microsoft Windows system,

  1. Start an elevated command line prompt.
  2. Enter control passwords2 and press Enter. Alternatively, you can enter netplwiz.
  3. Check the check box for Users must enter a username and password to use this computer.
  4. Click OK to save the setting.

Connect VPN before log on (AD environments)

The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on to AD/Domain.

<forticlient_configuration>
  <vpn>
    <options>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
    </options>
  </vpn>
</forticlient_configuration>

Create a redundant IPsec VPN

To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.

Priority based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate/EMS must use the same TCP port.

Advanced features (Mac OS X)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.

Create a redundant IPsec VPN

To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.

Priority based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate/EMS must use the same TCP port.
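The following Python script is an added example, not Fortinet code, covering the redundancy settings shown in both the Windows and Mac OS X sections above: it parses a FortiClient XML fragment, splits each semicolon-separated <server> list into gateways, reports whether an IPsec connection fails over in priority order (redundantsortmethod 0) or by ping response (1), and flags SSL VPN connections whose gateways do not all use the same TCP port. The sample profile, the psk_priority and ssl_mixed_ports connections, and the example.test hostnames are constructed assumptions; the 443 default for an SSL VPN entry with no port comes from the guide.

```python
"""Check redundant-gateway settings in a FortiClient XML profile fragment.
Added example, not Fortinet code. SAMPLE_PROFILE is constructed, modelled on the
guide's psk_90_1 and ssl_90_1 fragments; the example.test hosts are assumptions."""
import xml.etree.ElementTree as ET

DEFAULT_SSLVPN_PORT = 443  # the guide's default SSL VPN port, used when an entry has no :port

SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
          </ike_settings>
        </connection>
        <connection>
          <name>psk_priority</name>
          <ike_settings><server>vpn-a.example.test;vpn-b.example.test</server></ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
    <sslvpn>
      <options><enabled>1</enabled></options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
        </connection>
        <connection>
          <name>ssl_mixed_ports</name>
          <server>vpn-a.example.test:443;vpn-b.example.test:10443</server>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""


def split_gateways(server_text, default_port=None):
    """Split a semicolon-separated <server> value into (host, port) pairs in list order;
    entries without a :port get default_port (IPv6 literals are not handled)."""
    gateways = []
    for entry in server_text.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            gateways.append((host, int(port)))
        else:
            gateways.append((entry, default_port))
    return gateways


def ipsec_connections(root):
    """Map each IPsec connection name to its gateways and failover method. Per the guide,
    redundantsortmethod 0 (the default) tries gateways in list order (priority based)
    and 1 connects to the gateway that answers a ping fastest."""
    result = {}
    for conn in root.findall("./vpn/ipsecvpn/connections/connection"):
        ike = conn.find("ike_settings")
        servers = ike.findtext("server", "") if ike is not None else ""
        method = ike.findtext("redundantsortmethod", "0") if ike is not None else "0"
        result[conn.findtext("name")] = {
            "gateways": split_gateways(servers),
            "sort": "ping" if method.strip() == "1" else "priority",
        }
    return result


def sslvpn_port_issues(root):
    """Names of SSL VPN connections whose gateways use more than one TCP port;
    the guide requires every gateway of an SSL VPN connection to use the same port."""
    issues = []
    for conn in root.findall("./vpn/sslvpn/connections/connection"):
        gateways = split_gateways(conn.findtext("server", ""), DEFAULT_SSLVPN_PORT)
        if len({port for _, port in gateways}) > 1:
            issues.append(conn.findtext("name"))
    return issues


def check_profile(xml_text):
    """Parse the profile and return the IPsec summary plus SSL VPN port mismatches."""
    root = ET.fromstring(xml_text)
    return {"ipsec": ipsec_connections(root), "sslvpn_port_issues": sslvpn_port_issues(root)}


if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE))
```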

VPN tunnel & script

This feature supports auto running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of a VPN tunnel configuration on FortiGate/EMS’s XML format FortiClient Profile. The profile will be pushed down to FortiClient from FortiGate/EMS. When FortiClient’s VPN tunnel is connected or disconnected, the respective script defined under that tunnel will be executed.

 

Windows

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>
  <script>
    <os>windows</os>
    <script>
      <script>
        <![CDATA[
net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
md c:\test
copy x:\PDF\*.* c:\test
        ]]>
      </script>
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <script>
        <![CDATA[
net use x: /DELETE
        ]]>
      </script>
    </script>
  </script>
</on_disconnect>

OS X

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>
  <script>
    <os>mac</os>
    <script>
/bin/mkdir /Volumes/installers
/sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
/bin/mkdir /Users/admin/Desktop/dropbox/dir
/bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>mac</os>
    <script>
/sbin/umount /Volumes/installers
/bin/rm -fr /Users/admin/Desktop/dropbox/*
    </script>
  </script>
</on_disconnect>


Application Firewall

FortiClient can recognize the traffic generated by a large number of applications. You can create rules to block or allow this traffic per category, or application.

In FortiClient, the application firewall feature is enabled in the FortiClient Profile. The profile includes application firewall configuration.

The FortiClient Endpoint Control feature enables the site administrator to distribute an Application Control sensor from FortiGate/EMS.

On the FortiGate, the process is as follows:

  • Create an Application Sensor and Application Filter on the FortiGate.
  • Add the Application Sensor to the FortiClient Profile on the FortiGate.

On EMS, the application firewall is part of the endpoint profile.

FortiGate

Step 1: Create a custom Application Control Sensor

  1. Log in to your FortiGate.
  2. In the left tree menu, select Security Profiles > Application Control.
  3. To create a new sensor, click the Create New icon in the toolbar. The New Application Sensor page is displayed.

  4. Configure the following options:
Name Enter a unique name for the application sensor.
Comments Enter an optional comment for the application sensor.
Categories Select categories to allow or block.
Allow The application category or application signature will be allowed in FortiClient Application Firewall.
Monitor The application category or application signature will be allowed in FortiClient Application Firewall. FortiClient will allow application traffic but will not monitor.
Block The application category or application signature will be blocked in FortiClient Application Firewall.
View Signatures Select to view signatures and add filters to the category.
Application Overrides Select Add Signatures to add application signatures and set the category. An application which belongs to a blocked category can be set to allow.
Filter Overrides Select Add Filter to add filters to the sensor.
Options The options set in the FortiOS application sensor are ignored by FortiClient application firewall.
  5. Select OK to save the sensor.

Step 2: Add the Application Control Sensor to the FortiClient Profile

  1. In the left tree menu, select Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile and select Edit in the toolbar. The Edit FortiClient Profile page is displayed.
  3. In the right pane, turn on the Application Firewall, then select an Application Sensor from the Application Control list drop-down list.
  4. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

The Application Firewall tab is now available in FortiClient.

EMS

To add application firewall to an endpoint profile:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Application Firewall

  3. Select the on/off button to add application firewall to the profile.
  4. Adjust the settings as required, then select Save to save your changes.

View application firewall profile

To view the application firewall profile, select Show all.

View blocked applications

To view blocked applications, select the Applications Blocked link in the FortiClient console. This page lists all applications blocked in the past seven days, including the count and time of last occurrence.

 



Web Security / Web Filter – FortiClient 5.4

Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.

When FortiClient is not registered to FortiGate, you can enable or disable the Web Security feature. You can define what sites are allowed, blocked, or monitored and view violations.

Enable/Disable Web Security

To enable or disable FortiClient Web Security, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.

Enable/Disable Select to enable or disable Web Security.
X Violations (In the Last 7 Days) Select to view Web Security log entries of the violations that have occurred in the last 7 days.
Settings Select to configure the Web Security profile, exclusion list, and settings, and to view violations.

Web Security profile

You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories. Select the settings icon, then select the site category. Select the action icon, then select the action in the drop-down menu for each category or sub-category.

Allow Set the category or sub-category to Allow to allow access.
Block Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.
Warn Set the category or sub-category to Warn to block access. The user will receive a Web Page Blocked message in the web browser. The user can select to proceed or go back to the previous web page.
Monitor Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list.

Web Security exclusion list

To manage the exclusion list, select the settings icon then select Exclusion List from the menu. You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt. Use the add icon to add URLs to the exclusion list. If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.

Configure the following settings:

Exclusion List Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection.
URL Enter a URL or IP address.
Type Select one of the following pattern types from the drop-down list:

  • Simple
  • Wildcard
  • Regular Expression

Actions Select one of the following actions from the drop-down list:

Block: Block access to the web site regardless of the URL category or sub-category action.

Allow: Allow access to the web site regardless of the URL category or sub-category action.

Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established.

Web Security settings

To configure web security settings, select the settings icon then select Settings from the menu.

Configure the following settings:

Enable Site Categories: Select to enable site categories. When site categories are disabled, only the exclusion list is enforced on the endpoint.
Log all URLs: Select to log every visited URL, not only violations.
Identify user initiated web browsing: Select to distinguish web requests initiated by the user in a browser from other web traffic generated on the endpoint.

View violations

To view Web Security violations, either select the settings icon then select Violations from the menu, or select X Violations (In the Last 7 Days).

 

The violations list shows the following:

Website: The website name or IP address.
Category: The website sub-category.
Time: The date and time that the website was accessed.
User: The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in a pop-up.

Web Filter

When FortiClient is registered to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.

The FortiClient Endpoint Control feature enables the site administrator to distribute a Web Filter profile from a FortiGate or add web filtering to an endpoint profile on EMS.

On a FortiGate device, the overall process is as follows:

  • Create a Web Filter profile on the FortiGate.
  • Add the Web Filter profile to the FortiClient Profile on the FortiGate.

On EMS, web filtering is part of the endpoint profile.

FortiGate

Step 1: Create a Web Filter Profile on the FortiGate

Use the following steps to create a custom Web Filter profile on the FortiGate:

  1. Go to Security Profiles > Web Filter.
  2. To create a new profile, click the create new icon in the toolbar. The New Web Filter Profile page opens.
  3. Configure the following settings:

 

Name: Enter a name for the Web Filter profile.
Comments: Enter a description in the comments field. (optional)
Inspection Mode: This setting is not applicable to FortiClient.
FortiGuard Categories: Select category and sub-category actions.
  • In FortiClient 5.4.0, the Security Risk category is handled by the AntiVirus module. The Local Categories category is not applicable to FortiClient. The Authenticate and Disable actions are not applicable to FortiClient.
  • When FortiGuard Categories is disabled, the endpoint is protected only by the exclusion list built from the URL Filter in the FortiClient profile.
Categories Usage Quota: This setting is not applicable to FortiClient.
Allow users to override blocked categories: This setting is not applicable to FortiClient.
Search Engines:
  Enforce 'Safe Search': Select to enable search engine Safe Search on Google, Yahoo!, Bing, and Yandex.
  YouTube Education Filter: Select to enable the YouTube educational filter and enter your filter code. The filter blocks non-educational content according to your YouTube filter code.
  Log all search keywords: This setting is not applicable to FortiClient.
Static URL Filter:
  Block invalid URLs: This setting is not applicable to FortiClient.
  URL Filter: Select to enable the URL filter. Select Create New to add a URL to the list. For Type, select one of Simple, Reg. Expression, or Wildcard. For Action, select one of Exempt, Block, Allow, or Monitor. For Status, select either Enable or Disable.
  FortiClient does not support the Exempt action. Any URL in the URL filter with an Exempt action is added to the FortiClient Exclusion List with an Allow action. Since Exempt and Allow are distinct actions on the FortiGate, check that the resulting endpoint behaviour is what you intend for those URLs.
  Block malicious URLs discovered by FortiSandbox: Select to block URLs that FortiSandbox has marked as malicious. A FortiSandbox appliance or FortiSandbox Cloud must be configured.
  Web Content Filter: This setting is not applicable to FortiClient.
Rating Options: These settings are not applicable to FortiClient.
Proxy Options: These settings are not applicable to FortiClient.
  4. Select OK to save the profile.
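The precedence rules described in the Web Security exclusion list section and in the URL Filter row above (exclusion entries override category actions, Exempt entries pushed from a FortiGate become Allow on the endpoint, disabled entries are ignored) can be modelled in a few lines. The following Python is an added example written for this page, not FortiClient or FortiOS code: the category table, the URL filter entries, the hostnames, the matching semantics for Simple, Wildcard and Regular Expression patterns, and the treatment of unrated hosts as allowed are all assumptions chosen to illustrate the evaluation order.

```python
import fnmatch
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed category ratings. A real endpoint gets these from FortiGuard;
# the hostnames and categories below are illustrative only.
CATEGORY_OF_HOST = {
    "news.example.com": "News and Media",
    "games.example.net": "Games",
    "mail.example.org": "Web-based Email",
}

# Category actions as they would be set in the Web Security / Web Filter profile (constructed).
CATEGORY_ACTION = {
    "News and Media": "allow",
    "Games": "block",
    "Web-based Email": "monitor",
}


@dataclass
class UrlFilterEntry:
    pattern: str
    kind: str             # "simple", "wildcard" or "regex"
    action: str           # "block", "allow", "monitor" or "exempt"
    enabled: bool = True  # the FortiGate URL filter Status field


def import_fortigate_entries(entries):
    """Model the documented conversion: FortiClient has no Exempt action, so an
    Exempt entry pushed from a FortiGate URL filter lands in the exclusion list as Allow."""
    return [
        UrlFilterEntry(e.pattern, e.kind, "allow" if e.action == "exempt" else e.action, e.enabled)
        for e in entries
    ]


def _host_and_path(url):
    """Reduce a URL to lower-case host and path; scheme and trailing slash are dropped."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url.lower())
    return parts.netloc, parts.path.rstrip("/")


def entry_matches(entry, url):
    """Assumed matching semantics (not taken from the guide): Simple matches the
    pattern itself or any path below it, Wildcard is a shell-style glob over
    host+path, RegularExpression is a Python re.search over host+path."""
    host, path = _host_and_path(url)
    target = host + path
    if entry.kind == "simple":
        pat_host, pat_path = _host_and_path(entry.pattern)
        pat = pat_host + pat_path
        return target == pat or target.startswith(pat + "/")
    if entry.kind == "wildcard":
        return fnmatch.fnmatchcase(target, entry.pattern.lower())
    if entry.kind == "regex":
        return re.search(entry.pattern, target, re.IGNORECASE) is not None
    raise ValueError(f"unknown pattern type {entry.kind!r}")


def evaluate(url, exclusion_list, site_categories_enabled=True):
    """Return (action, reason). The exclusion list is consulted first, so an Allow
    entry overrides a blocked category; the first enabled matching entry wins."""
    for entry in exclusion_list:
        if entry.enabled and entry_matches(entry, url):
            return entry.action, f"exclusion list: {entry.kind} {entry.pattern!r}"
    if not site_categories_enabled:
        return "allow", "site categories disabled; exclusion list only"
    host, _ = _host_and_path(url)
    category = CATEGORY_OF_HOST.get(host)
    if category is None:
        return "allow", "unrated host"  # assumption: unrated sites are allowed
    return CATEGORY_ACTION[category], f"category {category!r}"


# Constructed URL filter as a FortiGate would push it, including one Exempt entry
# and one disabled entry.
FORTIGATE_URL_FILTER = [
    UrlFilterEntry("games.example.net/arcade/chess", "simple", "allow"),
    UrlFilterEntry("*.example.org/attachments/*", "wildcard", "block"),
    UrlFilterEntry(r"\.phish-example\.", "regex", "block"),
    UrlFilterEntry("news.example.com/ads", "simple", "block", enabled=False),
    UrlFilterEntry("intranet.example.com", "simple", "exempt"),
]
EXCLUSION_LIST = import_fortigate_entries(FORTIGATE_URL_FILTER)

if __name__ == "__main__":
    for u in ("http://games.example.net/arcade/pacman",
              "http://games.example.net/arcade/chess/play",
              "https://mail.example.org/attachments/x.zip",
              "http://login.phish-example.com/",
              "http://intranet.example.com/wiki"):
        print(u, "->", evaluate(u, EXCLUSION_LIST))
```

The order of checks is the point: the Games category blocks the arcade, but the Simple allow entry for the chess sub-path wins because exclusions are evaluated first, and the Exempt intranet entry arrives on the endpoint as a plain Allow. Run it with the sample URLs to see which rule produced each verdict.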

Step 2: Add the Web Filter profile to the FortiClient Profile

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile then select Edit. The Edit FortiClient Profile page is displayed.
  3. Enable Web Filter, then select the Web Filter profile from the drop-down list.
  4. Optionally, select to enable Client Side when On-Net.
  5. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

The Web Filtering module is now available in FortiClient.

EMS

To add web filtering to an endpoint profile:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Web Filter tab.
  3. Select the on/off button to add web filtering to the profile.
  4. Adjust the web filter settings as required, then select Save to save your changes.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Antivirus

This chapter includes the following sections:

  • FortiClient Antivirus
  • Antivirus logging
  • Antivirus options
  • Endpoint control

FortiClient Antivirus

FortiClient includes an antivirus module to scan system files, executable files, removable media, dynamic-link library (DLL) files, and drivers. FortiClient will also scan for and remove rootkits. In FortiClient, File Based Malware, Malicious Websites, Phishing, and Spam URL protection is part of the antivirus module. Scanning can also be extended using FortiSandbox.

This section describes how to enable and configure antivirus options.

Enable or disable antivirus

To enable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Disabled. The real-time protection settings page opens.
  2. Select Scan files as they are downloaded or copied to my system.
  3. Select OK.

If another antivirus program is installed on your system, FortiClient shows a warning that the system may lock up because of conflicts between different antivirus products. Run only one real-time antivirus engine on an endpoint at a time.

To disable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Enabled. The real-time protection settings page opens.
  2. Deselect Scan files as they are downloaded or copied to my system.
  3. Select OK.

Conflicting antivirus warning

FortiSandbox

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient sends supported files downloaded over the internet to FortiSandbox if the local, real-time scan does not detect them. When Wait for FortiSandbox results is enabled in the profile, access to the downloaded file is blocked until the verdict is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

This option cannot be configured on a registered endpoint, and must instead be configured on the FortiGate/EMS.

To extend scanning using FortiSandbox:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Extend scanning using FortiSandbox.
  3. Enter the FortiSandbox IP address, then select Test to ensure that the connection is correct.
  4. Optionally, select Identify malware & exploits using signatures received from FortiSandbox.
  5. Select OK to apply your changes.

Blocking access and communication channels

To block access to malicious websites and known communication channels used by attackers:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Block all access to malicious websites and Block known communication channels used by attackers.
  3. Select OK to apply your changes.

Notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the notifications icon will change from gray to yellow.

Event notifications include:

  • Antivirus events, including scheduled scans and detected malware.
  • Endpoint Control events, including configuration updates received from FortiGate.
  • WebFilter events, including blocked website access attempts.
  • System events, including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

Scan now

To perform on-demand antivirus scanning, select the Scan Now button in the FortiClient console. Use the drop-down menu to select Custom Scan, Full Scan, Quick Scan, or Removable media Scan. The console displays the date of the last scan to the left of the button.

  • Custom Scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific folder on your local hard disk drive (HDD) to scan for threats.
  • Full Scan runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan including all files, executable files, DLLs, and drivers.
  • Quick Scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, and drivers that are currently running.
  • Removable media Scan runs the rootkit detection engine to detect and remove rootkits. It scans all connected removable media, such as USB drives.

Scan a file or folder on your workstation

To scan a specific file or folder on your workstation, right-click the file or folder and select Scan with FortiClient AntiVirus from the menu.

Submit a file for analysis

You can send up to 5 files a day to FortiGuard for analysis. To submit a file, right-click a file or executable and select Submit for analysis from the menu. A dialog box shows the number of files you have already submitted. Confirm the location of the file you want to submit, then select the Submit button.

View FortiClient engine and signature versions

To view the current FortiClient version, engine, and signature information, select Help in the toolbar, and select About in the menu. Hover the mouse over the status field to see the date and time that FortiClient last updated the selected item.

When FortiClient is registered to FortiGate for endpoint control, you can use a FortiManager device for client software and signature updates. When configuring the FortiClient profile, select Use FortiManager for client software/signature updates to enable the feature and enter the IP address of your FortiManager device. You can select to fail over to FDN when FortiManager is not available.

Schedule antivirus scanning

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Scheduled Scan tab to schedule antivirus scanning.

Scans cannot be scheduled on a registered endpoint; the schedule is set in the FortiClient Profile on the FortiGate/EMS and pushed to the client.

Configure the following settings:

Schedule Type: Select Daily, Weekly, or Monthly from the drop-down list.
Scan On: For a weekly scheduled scan, select the day of the week in the drop-down list. For a monthly scheduled scan, select the day of the month in the drop-down list.
Start: Select the time of day that the scan starts. The time format uses a 24-hour clock.
Scan Type: Select the scan type:
  • Quick system scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, and drivers that are currently running.
  • Full system scan runs the rootkit detection engine to detect and remove rootkits. It then performs a full system scan including all files, executable files, DLLs, and drivers.
  • Custom scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific folder on your local hard disk drive (HDD) to scan.
  You cannot schedule a removable media scan. A full scan also scans removable media.
Disable Scheduled Scan: Select to disable the scheduled scan.

Select OK to save the setting and return to the main FortiClient console page.

If you configure monthly scans to occur on the 31st of each month, the scan will occur on the first day of the month for those months with less than 31 days.
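The rollover rule above (a day-31 scan runs on the 1st of the following month when the month is shorter) matters when you need to predict or audit when a scheduled scan will actually fire, for instance to confirm that no month is silently skipped and to notice that some months then get two scans. The following Python is an added example, not FortiClient code: it computes the next scheduled start for daily, weekly and monthly schedules, and assumes the same rollover rule applies to any day the month lacks (for example the 30th in February), which the guide states only for the 31st.

```python
import calendar
from datetime import date, datetime, time, timedelta

# Weekday names as they appear in the Scan On drop-down for a weekly schedule.
WEEKDAY_INDEX = {name: i for i, name in enumerate(calendar.day_name)}  # Monday = 0


def _prev_month(year, month):
    return (year - 1, 12) if month == 1 else (year, month - 1)


def _next_month(year, month):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def monthly_scan_date(year, month, day):
    """Date on which the scan for (year, month) runs. Applies the rollover rule
    from the guide: if the month has fewer days than `day`, the scan runs on the
    first day of the following month (assumed to hold for any day, not only the 31st)."""
    days_in_month = calendar.monthrange(year, month)[1]
    if day <= days_in_month:
        return date(year, month, day)
    ny, nm = _next_month(year, month)
    return date(ny, nm, 1)


def monthly_run_dates(year, day):
    """All run dates of a monthly schedule over one calendar year. For day=31 this
    shows February's scan landing on 1 March, so March runs twice and February never."""
    return [monthly_scan_date(year, m, day) for m in range(1, 13)]


def next_run(schedule_type, start, now, day=None):
    """First scheduled start strictly after `now`.
    schedule_type: "Daily", "Weekly" (day = weekday name) or "Monthly" (day = 1..31).
    start: datetime.time on a 24-hour clock, as entered in the Start field."""
    today = now.date()
    if schedule_type == "Daily":
        candidate = datetime.combine(today, start)
        return candidate if candidate > now else candidate + timedelta(days=1)
    if schedule_type == "Weekly":
        ahead = (WEEKDAY_INDEX[day] - today.weekday()) % 7
        candidate = datetime.combine(today + timedelta(days=ahead), start)
        return candidate if candidate > now else candidate + timedelta(days=7)
    if schedule_type == "Monthly":
        if not 1 <= day <= 31:
            raise ValueError("day of month must be 1..31")
        # Start from the previous month: its scan may have rolled over onto today.
        year, month = _prev_month(today.year, today.month)
        for _ in range(14):  # enough to cross a year boundary
            candidate = datetime.combine(monthly_scan_date(year, month, day), start)
            if candidate > now:
                return candidate
            year, month = _next_month(year, month)
    raise ValueError(f"unsupported schedule type {schedule_type!r}")


if __name__ == "__main__":
    for d in monthly_run_dates(2015, 31):
        print(d.isoformat())
    print(next_run("Monthly", time(22, 0), datetime(2015, 2, 10, 12, 0), day=31))
```

Starting the monthly search from the previous month is deliberate: on 1 March the scan that is about to run belongs to February's slot, and a search that begins with the current month would skip it and report 31 March instead.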

Add files/folders to an exclusion list

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Exclusion List tab.

To add files or folders to the antivirus exclusion list, select the add icon and then select Add file or Add folder from the drop-down list. Any file or folder in this exclusion list is never scanned, so keep the list short and prefer excluding specific files over whole folders: anything dropped into an excluded folder is invisible to both real-time and scheduled scans. Select the minus icon to remove files or folders from the list.

Select OK to save the setting and return to the FortiClient console page.

View quarantined threats

To view quarantined threats, select the X Threats Detected link in the FortiClient console, then select the Quarantined Files tab. In this page you can view, restore, or delete the quarantined file. You can also view the original file location, the virus name, submit the suspicious file to FortiGuard, and view logs.

This page displays the following:

File Name: The name of the file.
Date Quarantined: The date and time that the file was quarantined by FortiClient.
Refresh: Select to refresh the quarantined files list.
Details: Select a file from the list to view detailed information including the file name, original location, date and time that the virus was quarantined, the submitted status, status, virus name, and quarantined file name.
Logs: Select to view FortiClient log data.
Submit: Select to submit the quarantined file to FortiGuard. Press and hold the Ctrl key to submit multiple entries.
Restore: Select to restore the quarantined file. A confirmation dialog box is displayed. Select Yes to also add the file or folder to the exclusion list, No to restore the file without excluding it, or Cancel to exit the operation. Press and hold the Ctrl key to restore multiple entries. Only add a restored file to the exclusion list for a confirmed false positive, since it will never be scanned again.
Delete: Select to delete the quarantined file. A confirmation dialog box is displayed; select Yes to continue. Press and hold the Ctrl key to delete multiple entries.
Close: Select to close the page and return to the FortiClient console.

View site violations

To view site violations, select the X Threats Detected link in the FortiClient console, then select the Site Violations tab. On this page you can view site violations and submit sites to be re-categorized.

This page displays the following:

Website: Displays the name of the website.
Time: Displays the date and time of the site violation.
Refresh: Select to refresh the site violation list.
Details: Select an entry in the list to view site violation details including the website name, category, date and time, user name, and status.

Select the category link to request to have the site category re-evaluated.

View alerts dialog box

When FortiClient antivirus detects a virus while attempting to download a file via a web-browser, you will receive a warning dialog message.

Select View recently detected virus(es) to show or hide the virus list. Select a file in the list and right-click to access the context menu.

Delete: Select to delete a quarantined or restored file.
Quarantine: Select to quarantine a restored file.
Restore: Select to restore a quarantined file.
Submit Suspicious File: Select to submit a file to FortiGuard as a suspicious file.
Submit as False Positive: Select to submit a quarantined file to FortiGuard as a false positive.
Add to Exclusion List: Select to add a restored file to the exclusion list. Any file in the exclusion list is never scanned.
Open File Location: Select to open the file location on your workstation.

When Alert when viruses are detected under AntiVirus Options on the Settings page is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.

Realtime Protection events

When an antivirus real-time protection event has occurred you can select to view these events in the FortiClient console. From the AntiVirus tab, select X Threats Detected, then select Real-time Protection events (x) in the left pane. The realtime_scan.log will open in the default viewer.

Example log output:

Realtime scan result: time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com
time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com.txt
time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicarcom2.zip
time: 09/29/15 10:46:08, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar_com.zip
time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\3g_bl8y9.com.part
time: 03/18/15 10:48:13, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\xntwh8q1.zip.part
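To turn the realtime_scan.log lines above into something a SOC can count and alert on, the following Python parser is an added example, not a FortiClient component. It assumes only the line layout visible in the excerpt (an optional "Realtime scan result:" prefix, then time, virus name, action and path separated by commas). The sample log is constructed: it reuses the EICAR lines above (EICAR is the harmless industry test string, so these detections are expected on a test machine) and adds an invented non-EICAR line with a different action plus a junk line to exercise the error path.

```python
import re
from collections import Counter
from datetime import datetime

# One line of realtime_scan.log in the layout shown in the excerpt above.
LINE_RE = re.compile(
    r"^(?:Realtime scan result:\s*)?"
    r"time:\s*(?P<time>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*"
    r"virus found:\s*(?P<virus>[^,]+),\s*"
    r"action:\s*(?P<action>[^,]+),\s*"
    r"(?P<path>\S.*?)\s*$"
)


def parse_line(line):
    """Return a dict for a scan-result line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["time"], "%m/%d/%y %H:%M:%S"),
        "virus": m["virus"].strip(),
        "action": m["action"].strip(),
        "path": m["path"],
    }


def parse_log(text):
    """Parse a whole log, skipping blank and unrecognised lines."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def summarise(events):
    """Count detections per virus name and per action, list anything that was not
    quarantined, and flag browser temporaries (.part) caught mid-download."""
    return {
        "by_virus": Counter(e["virus"] for e in events),
        "by_action": Counter(e["action"] for e in events),
        "not_quarantined": [e["path"] for e in events if e["action"].lower() != "quarantined"],
        "partial_downloads": [e["path"] for e in events if e["path"].lower().endswith(".part")],
        "first": min((e["time"] for e in events), default=None),
        "last": max((e["time"] for e in events), default=None),
    }


# Constructed sample log: EICAR lines mirror the excerpt; the Sample.Dropper line
# and the trailing junk line are invented to exercise the parser.
SAMPLE_LOG = r"""
Realtime scan result: time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com
time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com.txt
time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\3g_bl8y9.com.part
time: 09/29/15 10:47:02, virus found: Sample.Dropper.Constructed, action: Access Denied, c:\users\user\downloads\invoice.exe
FortiClient started
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, value in summarise(events).items():
        print(f"{key}: {value}")
```

The "not_quarantined" list is the one worth alerting on: a detection whose action is anything other than Quarantined means the file may still be on disk, and a path ending in .part shows the browser download was caught before it completed, which is usually benign but confirms real-time scanning is intercepting writes.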

Antivirus logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.

Configure the following settings:

Enable logging for these features: Select AntiVirus to enable logging for this feature.
Log Level: Select the level of logging:
  • Emergency: The system becomes unstable.
  • Alert: Immediate action is required.
  • Critical: Functionality is affected.
  • Error: An error condition exists and functionality could be affected.
  • Warning: Functionality could be affected.
  • Notice: Information about normal events.
  • Information: General information about system operations.
  • Debug: Debug FortiClient.
Log file:
  Export logs: Select to export logs to your local hard disk drive (HDD) in .log format.
  Clear logs: Select to clear all logs. A confirmation window is displayed; select Yes to proceed.

Antivirus options

For information on configuring antivirus options, see Antivirus options on page 109.

Endpoint control

When FortiClient is registered to FortiGate/EMS for endpoint control, FortiClient receives configuration and settings via the FortiClient Profile configured on the device.

To enable antivirus protection on FortiGate:

  1. Log in to your FortiGate.
  2. In the left tree menu, select Security Profiles > FortiClient Profiles.
  3. In the right pane, in the Edit FortiClient Profile page, in the Security tab, enable AntiVirus.
  4. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

To enable antivirus protection on EMS:

  1. Log in to the EMS.
  2. Go to Endpoint Profiles and select a profile to edit.
  3. In the right pane, select AntiVirus Protection to enable antivirus protection and configure as needed.
  4. Select Save to save the profile.

The EMS will send the FortiClient Profile configuration update to registered clients.

Antivirus profile settings

FortiGate and EMS share similar settings for antivirus profiles. EMS also includes advanced options.

After enabling antivirus protection on FortiGate/EMS, the following settings can be configured:

Scan Downloads: Scan files as they are downloaded or copied to the system.
Scan with FortiSandbox: Extend scanning using FortiSandbox. FortiClient sends supported files downloaded over the internet to FortiSandbox if the local, real-time scan does not detect them.
FortiSandbox IP address: The IP address of the FortiSandbox device.
Wait for FortiSandbox results: Wait for the FortiSandbox verdict before allowing access to the file.
Use FortiSandbox signatures: Identify malware and exploits using signatures or URLs received from FortiSandbox.
Block malicious websites: Block all access to malicious websites. EMS can additionally use the exclusion list defined in the web filter profile.
Block attack channels: Block known communication channels used by attackers.
Alert when viruses are detected: This option is EMS only.
Schedule Scan: Schedule automatic scans daily, weekly, or monthly at a specific time of day. Quick, Full, and Custom scans can be run automatically.
Excluded Paths: Files or folders that are not scanned.

Advanced options available on EMS only include:

Scan Downloads: Files that are scanned as they are downloaded or copied to the system can be treated in one of the following ways:
  • Clean infected files (quarantine if cannot clean)
  • Repair infected files (quarantine if cannot clean)
  • Warn the user if a process attempts to access infected files
  • Quarantine infected files
  • Deny access to infected files
Scan with FortiSandbox: If waiting for FortiSandbox results is enabled, access to downloaded files can be denied while FortiSandbox is offline. Without that option the endpoint fails open: a file the local scan does not detect is released when no verdict can be obtained.
Scan compressed files: Scan compressed files up to a specified size (default: 10 MB).
Scan email: Scan email messages and attachments.
User process scanning: One of:
  • Scan files when processes read or write them
  • Scan files when processes read them
  • Scan files when processes write them
Scan network files: Scan files accessed on network shares.
System process scanning: One of:
  • Scan files when system processes read or write them
  • Scan files when system processes read them
  • Scan files when system processes write them
  • Do not scan files when system processes read or write them
On demand scanning: Configure on-demand file scan options:
  • Clean infected files (quarantine if cannot clean)
  • Repair infected files (quarantine if cannot clean)
  • Warn the user if a process attempts to access infected files
  • Quarantine infected files
Integrate FortiClient into Windows Explorer's mouse menu: Add the Scan with FortiClient AntiVirus and Submit for analysis options to the Windows Explorer right-click menu.
Pause scanning when running on battery power: Pause a scan while the computer is running on battery power.
Automatically submit suspicious files to FortiGuard for analysis: Submit suspicious files to FortiGuard for analysis without prompting the user. Consider whether the files on your endpoints may contain confidential data before enabling automatic submission to an external service.
Scan compressed files: Scan compressed files up to a specified size (default: 10 MB; 0 means unlimited).
Maximize scan speed: Select the amount of memory a computer must have before FortiClient maximizes its scan speed. One of: 4MB, 6MB, 8MB, 12MB, 16MB.
More Options: Enable or disable various other options, including:
  • Scan for rootkits
  • Scan for adware
  • Scan for riskware
  • Enable advanced heuristics
  • Scan removable media on insertion
  • Scan MIME files (inbox files)
  • Enable FortiGuard Analytics
  • Notify logged in users if their AntiVirus signatures expire

 



Endpoint Management

The purpose of this section is to provide basic instructions on how to configure, deploy, and manage FortiClient configurations from your FortiGate device or EMS.

Configure endpoint management

With FortiClient 5.4 and newer, configuration and management of endpoints can be handled by a FortiGate device or FortiClient EMS.

You can configure your FortiGate device or EMS to discover new devices on the network, enforce FortiClient registration, and deploy pre-configured profiles to connected devices. Multiple profiles can be configured.

The FortiClient profile consists of the following sections:

  • Antivirus Protection
  • Web Category Filtering

You can select the web filtering security profile to associate with the FortiClient profile. You can also select to enable Web Filtering when the client is protected by the FortiGate/EMS (On-Net).

  • VPN

Select to enable client VPN provisioning. You can specify the VPN name, type, gateway and other settings the client will use to connect to your FortiGate device via the VPN connection. Two-factor authentication is configured in the FortiGate VPN configuration.

  • Application Firewall

You can select the application control sensor to associate with the FortiClient profile.

  • Endpoint Vulnerability on Client

You can select to scan daily, weekly or monthly. You can also select to scan the client after registration with your FortiGate device. Vulnerability Scan must be enabled via the CLI in order for it to be displayed in the FortiClient Profile.

  • Upload logs to FortiAnalyzer/FortiManager

You can select to use the same IP address as the FortiGate device or specify a different device IP address. You can specify the frequency of the log upload. FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer/FortiManager.

  • Use FortiManager for client software/signature update

Select to enable this feature and enter the IP address of your FortiManager device. You can select to fail over to the FortiGuard Distribution Network (FDN) when the FortiManager is not available.

  • Dashboard Banner

You can select to display or hide the FortiClient advertisement banner. FortiClient ads are downloaded from the FortiGuard Distribution Servers.

Select if profile details may be displayed before endpoint control registration is completed.

  • Client-based Logging when On-Net

Select to enable client-based logging when protected by the FortiGate/EMS (On-Net).

See the FortiOS Handbook or the FortiClient EMS Administration Guide for more information on configuring your device.

FortiGate

Configure endpoint management on the FortiGate device:

  1. Enable device management and broadcast discovery messages.
    1. Go to Network > Interfaces, select the applicable interface, then select Edit in the toolbar.
    2. On the Edit Interface page, enable Detect and Identify Devices.
    3. To enable Broadcast Discovery Messages (optional), first enable FCT-Access under Administrative Access.
    4. Select OK to save the setting.

Broadcast Discovery Messages is an optional configuration. When enabled, the FortiGate broadcasts messages to your network, allowing clients to discover the FortiGate for FortiClient registration. Without this feature, the user enters the IP address or URL of the FortiGate to complete registration. Enable FCT-Access only on the internal interfaces where endpoints are expected to register, since it opens the registration service on that interface.

  2. Configure the following settings:

Administrative Access: Select the checkbox for FCT-Access. This option is available for both IPv4 and IPv6 Administrative Access.
Security Mode: Select None or Captive Portal. When selecting Captive Portal, users are forwarded to a captive portal where they enter their username and password to authenticate with the FortiGate. You can customize the portal message and specify user groups. This option is available when Addressing mode is set to Manual.
Device Management:
  Detect and Identify Devices: Select to detect and identify devices on the selected interface.
  Broadcast Discovery Messages: Once enabled, the FortiGate unit broadcasts a discovery message that includes the IP address of the interface and the listening port number to the local network. All PCs running FortiClient on that network listen for this discovery message. This option is available when FCT-Access is enabled.

  3. When configuring FortiClient access on an internal interface, you can send users to a captive portal.

Security Mode: Select Captive Portal from the drop-down list.
Authentication Portal: Select either Local or External. When selecting External, you can specify the link path.
User Groups: Select user groups from the drop-down list. FortiClient does not support nested groups in FortiOS.
Exempt List: Select an exempt list from the drop-down list.
Customize Portal Messages: Enable and select the edit icon to edit the portal replacement message.

Configure the FortiClient profile:

  1. To configure the FortiClient profile, go to Security Profiles > FortiClient Profiles. You can edit the default profile or create a new FortiClient profile.
  2. Configure the following settings:

 

Toolbar Options (FortiClient Profile page): Select Create New to create a new FortiClient profile. Select a profile in the list and select Edit to edit it. Select a profile in the list and select Delete to delete it.
Toolbar Options (Edit FortiClient Profile page): Select the create new icon to create a new FortiClient profile. Select the clone icon to create a clone of an existing FortiClient profile. Select the view list icon to view FortiClient profiles and their assignments.
Profile Name: Enter a name for the new FortiClient profile. When editing the default profile, the name cannot be changed. Characters that could be used for cross-site scripting (XSS) are rejected in new profile names.
Comments: Enter a profile description. (optional)
Assign Profile To:
  • Device Groups: Select device groups in the drop-down list. Use the add icon to assign multiple device groups to the FortiClient profile, for example Mac and Windows PC.
  • User Groups: Select user groups in the drop-down list.
  • Users: Select users in the drop-down list.
  • Source Address: Select source addresses.
  These options are only available when creating a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN. FortiClient does not support nested groups in FortiOS.
On-Net Detection By Address: Select addresses from the drop-down list to enable On-Net detection on them.
Security:
  AntiVirus: Toggle the button on or off to enable or disable this feature.
  Web Filter: Toggle the button on or off to enable or disable this feature. When enabled, select a web filter profile in the drop-down list. Select the checkbox to disable web category filtering on the client when it is protected by the FortiGate (On-Net).
  Application Firewall: Toggle the button on or off to enable or disable this feature. When enabled, select an application control sensor in the drop-down list.
  VPN: Toggle the button on or off to enable or disable this feature. Select the checkbox for Client VPN Provisioning. When enabled, you can configure multiple IPsec VPN and SSL VPN connections. Use the add icon to add additional VPN connections and enter the VPN name, type, remote gateway, and authentication method. Select the checkbox to auto connect to a VPN when the client is Off-Net, then select the VPN from the drop-down list.
Advanced:
  Install CA Certificates: Select to install CA certificates.
  Disable Unregister Option: Select to prevent users from unregistering from the FortiGate and thereby opting out of the profile.
  Upload Logs to FortiAnalyzer: Toggle the button on or off to enable or disable this feature. When enabled, select to use the same FortiAnalyzer/FortiManager used by the FortiGate, or select Specify to enter a different device IP address. You can set the schedule to hourly or daily. FortiClient uploads logs to the FortiAnalyzer/FortiManager only when it can connect to the device at the specified IP address. FortiClient must be registered to FortiGate to upload logs to FortiAnalyzer/FortiManager. When upgrading from FortiOS 5.2 to 5.4, a FortiClient 5.4 license must be applied to the FortiGate for this option to be available in the FortiClient Profile. Optionally, you can enable this setting in the FortiOS CLI.
  FortiManager updates: Toggle the button on or off to enable or disable this feature. When enabled, specify the IP address of the FortiManager. Select the checkbox to fail over to the FortiGuard Distribution Network when the FortiManager is not available.
  Dashboard Banner: Toggle the button on or off to enable or disable this feature.
  Client-based Logging when On-Net: Toggle the button on or off to enable or disable this feature.
  3. Select Apply to save the FortiClient profile setting.

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.

For information on configuring firewall policies for Endpoint Management, see the FortiOS Handbook - The Complete Guide for FortiOS.

Configure firewall policies (Optional):

  1. To configure a firewall policy for Endpoint Management, go to Policy & Objects > IPv4 Policy and select Create New in the toolbar. The New Policy window is displayed.
  2. Configure the policy as required. Select the source user(s) and source device types from the drop-down list.
  3. Toggle Compliant with FortiClient Profile to ON. Users will be redirected (via a web browser) to a dedicated portal where they can download the client. Once registered to the FortiGate, the FortiClient profile will be assigned.
  4. Select OK to save the rule.

After the FortiGate configuration has been completed, you can proceed with FortiClient configuration. Configure your Windows PC on the corporate network with the default gateway set to the IP address of the FortiGate.

FortiClient endpoint network topologies

The following FortiClient Profile topologies are supported:

  1. Client is directly connected to FortiGate, either to a physical port, switch port, or WiFi SSID. This topology supports client registration, configuration sync, and FortiClient profile enforcement.
  2. Client is connected to FortiGate, but is behind a router or NAT device. This topology supports client registration and configuration sync.
  3. Client is connected to FortiGate across a VPN connection. This topology supports client registration, configuration sync, and FortiClient profile enforcement.

Network topologies

Configure FortiClient for endpoint management:

  1. Download and install the FortiClient software.

Open a web browser from your workstation and attempt to open a web page. The request will be redirected to the NAC Download Portal. Follow the instructions in the portal to download and install FortiClient.

To allow users to download FortiClient, you must enable this setting in the SSL VPN Portal on your FortiGate device. To enable this feature, go to VPN > SSL-VPN Portals and select Create New in the toolbar.

To configure NAC download portal endpoint control replacement messages, go to System > Replacement Message. Select Extended View in the toolbar to display Endpoint Control replacement messages for Android, iOS, Mac, Windows, and other.

  2. Register FortiClient.

After FortiClient completes installation, FortiClient will automatically launch and search for a FortiGate device for registration.

There are four ways that the FortiClient/FortiGate communication is initiated:

  • FortiClient will attempt to connect to the default gateway IP address
  • FortiClient will attempt endpoint control registration over VPN (if configured on the FortiGate)
  • FortiClient will attempt to connect to a remembered FortiGate
  • FortiClient will attempt to connect to a redundant FortiGate

FortiClient will search for available FortiGate devices to complete registration. You can include the option to prompt the user to enter the FortiClient registration key password. Select the Register Endpoint button in the FortiClient console to retry the search.

If FortiClient is unable to detect a FortiGate device, enter the IP address or URL of the device and select the Go icon. When FortiClient locates the FortiGate, you will be prompted to confirm the registration. Select the Accept button to complete registration. Upon successful registration, the FortiGate will send the FortiClient profile configuration.

  3. Deploy the FortiClient profile from the FortiGate device.

The FortiGate will deploy the FortiClient profile after registration is complete. This FortiClient profile will permit traffic through the FortiGate. A system tray bubble message will be displayed once the update is complete.

The FortiClient console will display that it is successfully registered to the FortiGate. The FortiClient profile is installed on FortiClient.

Deploy the FortiClient profile to clients over a VPN connection:

  1. In the FortiClient console, select the Register Endpoint button. Enter the IP address and port number (if required) of the FortiGate’s internal interface and select the Go icon.
  2. Configure an IPsec VPN connection from FortiClient to the management FortiGate. For more information on configuring IPsec VPN see Create a new IPsec VPN connection on page 87.
  3. Connect to the VPN.
  4. You can now search for the FortiGate gateway. For more information see Register FortiClient.
  5. After registration, the client is able to receive the FortiClient profile.

When creating a new FortiClient VPN (IPsec) or SSL VPN tunnel configuration on your FortiGate device, you must enable Endpoint Registration. See the IPsec VPN for FortiOS and SSL VPN for FortiOS sections of the FortiOS Handbook for more information.

