Category Archives: FortiClient

FortiClient profiles

When FortiClient is in managed mode, a profile is used to communicate compliance rules and to configure FortiClient software on endpoints. FortiClient receives the profile after FortiClient Telemetry is connected to FortiGate/EMS. The contents of the profile depend on whether FortiGate or EMS provide the profile.

FortiGate and compliance rules

In FortiGate, a FortiClient profile is used to achieve the following goals:

l Define compliance rules for endpoint access to the network through FortiGate l Define the non-compliance action—that is, how endpoints are handled that fail to comply with compliance rules l (Optional) Define some configuration settings for FortiClient software on endpoints

Compliance rules

FortiGate compliance rules are used to define what configuration FortiClient software must have for the endpoint to maintain access to the network through FortiGate. Following is a sample of the compliance rules that you can define (enable or disable) by using the GUI:

Antivirus l Web filter l Application firewall l Vulnerability scan
FortiClient software specific version

You can also define additional compliance rules by using the FortiOS CLI.

Non-compliance action

You define how FortiClient endpoints are handled that fail to comply with the compliance rules. You can block, warn, or automatically update FortiClient endpoints. You set the rules by using FortiGate, and both FortiGate and FortiClient enforce the rules.

Both FortiGate and FortiClient enforce compliance rules for FortiClient 5.4.1 and later endpoints. FortiGate enforces compliance for FortiClient 5.4.0 and earlier endpoints, and for all versions of unregistered/unconnected FortiClient endpoints.

Following is a description of how each setting affects FortiClient endpoints:

Block

When FortiClient endpoints fail to comply with compliance rules, FortiClient blocks endpoint access to the network. Noncompliance information is displayed in the FortiClient console. The administrator or endpoint user is responsible for reading the noncompliance information and updating FortiClient software on the endpoint to adhere to the compliance rules. In this case, endpoint users can edit settings in the FortiClient console that are not controlled by the compliance rules or EMS.

Warn

When FortiClient endpoints fail to comply with compliance rules, FortiClient warns the endpoint users, but allows the endpoint user to access the network. Noncompliance information is displayed in the FortiClient console. The administrator or endpoint user is responsible for reading the noncompliance information and updating FortiClient software on the endpoint to adhere to the compliance rules. In this case, endpoint users can edit settings in the FortiClient console that are not controlled by the compliance rules or EMS. l Auto-update

FortiGate provides the compliance rules and some configuration information for FortiClient software that helps FortiClient and the endpoint remain compliant. However FortiClient endpoints can fail to comply with compliance rules because FortiGate cannot automatically update all aspects of the compliance rules, such as the required version of FortiClient or the operating system on the endpoint. FortiGate displays noncompliance information in the FortiOS GUI. The FortiGate administrator and endpoint user are responsible for reading the noncompliance information and keeping FortiClient endpoints compliant. In this case, most settings in FortiClient console are read-only. However, the endpoint user can edit some settings.

FortiClient configuration

When you use FortiGate to configure a FortiClient profile with a non-compliance setting of auto-update, the FortiClient profile can include configuration information for FortiClient software, which helps the FortiClient endpoint remain compliant with the compliance rules.

You can specify the following configuration information for FortiClient software:

l AntiVirus l Web Filter l Application Firewall l Vulnerability Scan l System Compliance

When the FortiClient endpoint receives the configuration information from FortiGate in the FortiClient profile, the settings in FortiClient console are automatically updated. Most settings in FortiClient console are read-only when FortiGate provides the configuration in a FortiClient profile. However, the endpoint user can change settings in FortiClient console that are not controlled by the FortiClient profile.

For more information about configuring FortiClient profiles by using FortiGate, see the FortiOS Handbook, available in the Fortinet Document Library.

FortiGate and EMS integration

When FortiGate is integrated with EMS, and the non-compliance action in FortiGate is set to block or warn, you can use EMS to assign a profile to endpoints. The profile from EMS is in addition to the compliance rules from FortiGate. When FortiClient receives compliance rules from FortiGate and a profile from EMS, settings in the FortiClient console are locked. Administrators can control the settings by updating the assigned profile in FortiGate/EMS.

CLI only

When using FortiGate to create FortiClient profiles, some settings can be configured only by using the

FortiOS CLI. You must use the CLI to configure the following options in FortiClient profiles provided by FortiGate: l Allowed operating system for FortiClient endpoints l Required third-party applications for FortiClient endpoints l Registry entries for FortiClient endpoints l File in the file system on FortiClient endpoints

Get started

For more information, see the CLI Reference forFortiOS.

EMS and profiles

In FortiClient EMS, a profile is used to install FortiClient on endpoint devices and/or define the configuration for FortiClient software on endpoint devices. The profile consists of the following sections:

FortiClient Installer l Antivirus l Web Filtering l Application Firewall
VPN
Vulnerability Scan l System Settings

When the FortiClient endpoint receives the configuration information in the FortiClient profile, the settings in FortiClient console are automatically updated. Settings in FortiClient console are locked and read-only when EMS provides the configuration in a profile.

For more information about configuring profiles by using FortiClient EMS, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Standalone FortiClient

3 Replies

Standalone FortiClient

About standalone mode

In standalone mode, FortiClient software is installed to computers or devices that have Internet access and are running a supported operating system. After FortiClient is installed, FortiClient automatically connects to FortiGuard Center (http://www.fortiguard.com) to protect the computer or device.

Get started

In standalone mode, you can configure FortiClient settings by using the FortiClient console. This section provides an overview of provisioning, configuring, and using FortiClient in standalone mode.

Provision and configure

In standalone mode, you can install FortiClient software to computers or devices with Internet access and configure a number of settings.

To provision and configure FortiClient:

Install FortiClient on computers or devices. See FortiClient Provisioning on page 44. FortiClient connects to the Fortinet FortiGuard server to protect the computer.
Configure FortiClient settings. See Settings on page 99.
Configure Antivirus settings. See Antivirus on page 65.
(Optional) Configure remote access. See IPsec VPN and SSL VPN on page 83.

Use FortiClient console

In standalone mode, you can use the following tabs in FortiClient console:

l Antivirus l Web Security l Remote Access

The Compliance tab is used only when FortiClient is running in managed mode. See Managed FortiClient on page 25.

To use the FortiClient console:

View Antivirus threats. See View scan results on page 71.
View web security results. See View violations on page 79.
Use remote access. See Add new connections on page 83.
View notifications. See View notifications on page 63.

Managed FortiClient

About managed mode

In managed mode, FortiClient software is installed to computers or devices on your network that have Internet access and are running a supported operating system. The computers or devices are referred to as endpoints or FortiClient endpoints. After FortiClient software is installed on endpoint devices, FortiClient:

l Automatically connects to FortiGuard Center (http://www.fortiguard.com) to protect the endpoint l Automatically attempts to connect FortiClient Telemetry to FortiGate or EMS

The endpoint user confirms the request to complete the FortiClient Telemetry connection to FortiGate/EMS.

You can optionally configure a FortiClient Telemetry connection that requires no confirmation by the endpoint user. See Custom FortiClient Installations on page 110.

After FortiClient Telemetry is connected to FortiGate/EMS, FortiClient downloads a profile from FortiGate/EMS, and the endpoint is managed.

FortiClient Telemetry connection options

FortiClient Telemetry can be connected to EMS or FortiGate. When EMS and FortiGate are integrated, FortiClient Telemetry connects to FortiGate as well as EMS.

FortiGate and EMS are used for the following different purposes. FortiGate is used to ensure that FortiClient endpoints adhere to the compliance rules defined for network access. EMS is used to provision, configure, and monitor FortiClient on endpoints.

FortiClient EMS

In this configuration, FortiClient Telemetry is connected to EMS and sends notifications to EMS, and EMS pushes a profile to FortiClient. The profile contains the configuration information for FortiClient.

After receiving the profile, all settings in the FortiClient console are locked because they are controlled by the profile.

FortiGate

In this configuration, FortiClient Telemetry is connected to FortiGate, and FortiClient downloads a profile from FortiGate.

The profile contains the compliance rules and optionally some configuration information for FortiClient. The compliance rules are used to configure endpoints for Network Access Compliance (NAC) and to specify what happens when endpoints fail to meet compliance rules. Endpoint users can use FortiClient console to view compliance status, compliance rules, and the steps required to remain compliant. See also Non-compliance action on page 29.

After receiving the profile, some settings in the FortiClient console are locked because they are controlled by the compliance rules and configuration information in the profile. However, endpoint users can change settings in FortiClient console that are not controlled by the profile.

FortiGate and EMS integration

In this configuration, FortiClient Telemetry connects to FortiGate for NAC and EMS for configuration information and real-time monitoring. This configuration is sometimes called integrated mode.

When FortiClient Telemetry is connected to FortiGate, a profile is pushed to FortiClient. The contents of the profile depend on the non-compliance action in the profile.

Non-compliance set to auto-update

When you use FortiGate to configure a FortiClient profile that contains compliance rules with a non-compliance setting of auto-update, you can also include some configuration information.

When FortiClient Telemetry connects to FortiGate, FortiClient downloads the profile that contains compliance rules and some configuration information from FortiGate.

About managed mode

Non-compliance action set to block or warn

When you use FortiGate to configure a FortiClient profile that contains compliance rules with a non-compliance action of warn or block, you must either use EMS to provision FortiClient endpoints, or you must manually configure FortiClient endpoints. In this configuration, FortiGate provides only the compliance rules; it does not provision the FortiClient endpoints.

When FortiClient Telemetry connects to FortiGate, FortiClient downloads the compliance rules from FortiGate, and EMS pushes the configuration information to FortiClient.

You should ensure that the configuration pushed from EMS matches the compliance rules set on FortiGate to avoid conflicting settings.

After receiving the compliance rules and profile, all settings in the FortiClient console are locked because they are controlled by the compliance rules and configuration information in the profile.

FortiGate network topologies and FortiClient

This section describes the supported FortiGate network topologies for FortiClient in managed mode. The following topologies are supported:

FortiClient is directly connected to FortiGate; either to a physical port, switch port or WiFi network.
FortiClient is connected to FortiGate, but is behind a router or NAT device.
FortiClient is connected to FortiGate across a VPN connection.

On-net / off-net

The on-net feature requires a FortiGate to be used as a DHCP server. This is usually configured on the same FortiGate to which FortiClient is connected. When the device on which FortiClient is running has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off-net.

On the FortiGate, the DHCP server can be used, or several network subnets can be provided for the on-net feature. FortiClient is on-net if:

l FortiClient Telemetry is connected to FortiGate, l FortiClient belongs to one of the pre-configured on-net subnets, or l It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.

About managed mode

Endpoint Control

Leave a reply

Endpoint Control

Integration with the new FortiClient EMS

FortiClient Enterprise Management Server (EMS) is a new product from Fortinet for businesses to use to manage their computer endpoints. It runs on a Windows Server, not requiring a physical Fortinet device. Administrators may use it to gain insight into the status of their endpoints. The EMS supports devices running Microsoft Windows, Mac OS X, Android, and iOS.

FortiClient Endpoint Control (EC) protocol has been updated to seamlessly integrate with FortiClient EMS. Various changes were added to support EMS features, including:

l Deployment of FortiClient to new Microsoft Windows devices l Continuous monitoring of device statuses l AV engine and signature update status reports l AV scanning schedules and requests for AV scans l Notifications about protection statuses.

FortiGate Network Access Control when FortiClient is Deployed using EMS

The new EMS can be used to deploy FortiClient to a large number of Microsoft Windows endpoints. While creating a profile for FortiClient deployment, the EMS administrator can choose to configure the FortiClient to register to the same EMS, or to a FortiGate.

Changes in FortiClient 5.4.0 allow the EMS administrator to deploy FortiClient to endpoints, and configure it to register to a FortiGate, while simultaneously notifying the EMS of its registration status. The FortiClient EC registration to the FortiGate is required for Network Access Compliance (NAC). The administrator can configure the FortiGate to allow access to network resources only if the client is compliant with the appropriate interface EC profile.

EMS can only deploy FortiClient to endpoint devices that are running Microsoft Windows. This feature requires FortiOS 5.4.0 or newer.

Quarantine an Infected Endpoint from the FortiGate or EMS

A computer endpoint that is considered to be infected may be quarantined by the FortiGate or EMS administrator. FortiClient needs to be online, using FortiClient EC protocol, and registered to the FortiGate or EMS.

Once quarantined, all network traffic to or from the infected endpoint will be blocked locally. This allows time for remediation actions to be taken on the endpoint, such as scanning and cleaning the infected system, reverting to a known clean system restore point, or re-installing the operating system.

The administrator may un-quarantine the endpoint in the future from the same FortiGate or EMS.

Importing FortiGate CA Certificate after EC Registration

When the FortiGate is configured to use SSL deep inspection, users visiting encrypted websites will usually receive an invalid certificate warning. The certificate signed by the FortiGate does not have a Certificate Authority (CA) at the endpoint to verify it. Users can manually import the FortiGate CA certificate to stop the error from being displayed; however, all users will have to do the same.

When registering FortiClient to a FortiGate, the FortiClient will receive the FortiGate’s CA certificate and install it into the system store. If Firefox is installed on the endpoint, the FortiGate’s CA certificate will also be installed into the Firefox certificate store. This way the end user will no longer receive the invalid certificate error message when visiting encrypted websites.

Enhancement to On-net/Off-net Configuration

The on-net feature requires the use of a FortiGate as a DHCP server. This is usually configured on the same FortiGate that the FortiClient will be registered. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off- net.

There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided.

FortiClient will be on-net if:

l It is registered using EC to the FortiGate, l It belongs to one of the pre-configured on-net subnets, or l It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.

FortiClient GUI

Antivirus Settings Page

With the introduction of botnet detection, and the integration with FortiSandbox with FortiClient (Windows), the AV settings page on the FortiClient GUI has been updated to allow configuration of the new features. The AV settings page is accessible from the FortiClient dashboard. Select the AV tab on the left pane. Then click the settings icon on Real-Time Protection in the right pane. The following may be selected on the AV settings page:

File scanning (previously, Real-Time Protection or RTP) l Scan unknown, supported files using FortiSandbox (Windows only) l Malicious website detection
Botnet detection (block known communication channels)

FortiClient Banner Design

If FortiClient (full version or VPN only) is running in standalone mode and not registered to a FortiGate or EMS, a single banner at the bottom of the GUI is displayed. When registered to a FortiGate or EMS, the banner is hidden by default. Similarly, when created from a FortiClient Configurator (Windows) or Repackager (OS X), no banner is displayed by default.

Logging

Enhancement to FortiClient logs

FortiClient will create a log entry to show just the URL visited by the user through a web browser. This is in addition to the network level logs generated by FortiClient.

What’s New in FortiClient 5.4

Leave a reply

What’s New in FortiClient 5.4

The following is a list of new features and enhancements in FortiClient 5.4.

This document was written for FortiClient (Windows) 5.4.1. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.1.

FortiClient 5.4.1

The following is a list of new features in FortiClient version 5.4.1.

Endpoint control

FortiClient Telemetry

FortiClient Telemetry is the new name of the connection between FortiClient and FortiGate/EMS. You no longer register FortiClient endpoints to FortiGate/EMS, but connect FortiClient Telemetry to FortiGate/EMS. See FortiClient Telemetry Connection on page 51.

Endpoint compliance

FortiClient includes a Compliance tab that communicates whether FortiClient is connected to FortiGate or EMS and whether the endpoint is compliant.

When connected to FortiGate, the Compliance tab communicates whether FortiClient and the endpoint device are compliant with the compliance rules defined by FortiGate. Endpoint users can view the Compliance tab to review compliance rules and status. Endpoint users can also view information about steps required to remain compliant with the network access rules. See Compliance on page 54.

Picture of endpoint user

FortiClient can now display a small picture of the endpoint user on the Compliance tab. This feature is available when FortiClient is used with EMS, and the feature is enabled in EMS. When enabled, FortiClient uses the picture defined in the Windows operating system on the endpoint device. FortiClient displays no picture when no picture is found in the Windows operating system.

FortiClient Telemetry can also send the picture to FortiGate and EMS.

FortiGate endpoint control

FortiGate 5.4.1 has changed how it manages FortiClient endpoints. Now FortiGate is used to define the compliance rules for NAC in a FortiClient profile, and FortiClient helps to enforce the rules on endpoints. When you use FortiGate to create a FortiClient profile, you define the compliance rules, and you specify how to handle non-compliant FortiClient endpoints. Non-compliant endpoints can be blocked from network access, warned about non-compliance while maintaining network access, or automatically updated to maintain network access.

See About managed mode on page 25.

Improved installation process for FortiClient (Windows)

An upgrade schedule dialog box is displayed in advance when deploying FortiClient from EMS to endpoints running Windows operating system. If no FortiClient is installed on the endpoint, no reboot is required for the installation, and no upgrade schedule dialog box is displayed. The user can postpone the reboot for a maximum of 24 hours. Before the mandatory reboot occurs, a FortiClient dialog box is displayed with a 15 minute warning.

Vulnerability scan

The Vulnerability scan feature requires specific versions of products. If you are using FortiGate, FortiOS 5.4.1 is required. If you are using FortiClient EMS, version 1.0.1 is required.

Vulnerability scan enhancements

Vulnerability scan feature in FortiClient (Windows) can perform a full scan of the endpoint to find any OS,

Microsoft Office, browser and third-party vulnerabilities. FortiClient can then report the vulnerabilities to FortiAnalyzer and Central Management in FortiGate or FortiClient EMS, depending on whether FortiClient is connected to FortiGate or FortiClient EMS. See Vulnerability Scan on page 92.

Vulnerability auto-patching

FortiClient (Windows) supports automatic patching of vulnerabilities where FortiClient will initiate and apply any updates required to resolve detected vulnerabilities and return endpoints to a secure state. See Vulnerability Scan on page 92.

FortiSandbox support for removable media

Files on removable media can now be sent for on-demand FortiSandbox scanning. You can configure FortiSandbox to scan files on removable media by using FortiClient XML. For more information, see the FortiClient XML Reference.

Configurator tool

You can now use the FortiClient Configurator tool to add a Telemetry Gateway IP List to a custom FortiClient installer. See Custom FortiClient Installations on page 110.

FortiClient 5.4.0

The following is a list of new features in FortiClient version 5.4.0.

Antivirus

Advanced Persistent Threats

FortiClient 5.4.0 has enhanced capabilities for the detection of Advanced Persistent Threats (APT). There are two changes added in this respect:

l Botnet Command and Control Communications Detection l FortiSandbox integration (Windows only)

Botnet Communication Detection

Botnets running on compromised systems usually generate outbound network traffic directed towards Command and Control (C&C) servers of their respective owners. The servers may provide updates for the botnet, or commands on actions to execute locally, or on other accessible, remote systems. When the new botnet feature is enabled, FortiClient monitors and compares network traffic with a list of known Command and Control servers. Any such network traffic will be blocked.

FortiSandbox Integration

FortiSandbox offers the capabilities to analyze new, previously unknown and undetected virus samples in realtime. Files sent to it are scanned first, using similar Antivirus (AV) engine and signatures as are available on the FortiOS and FortiClient. If the file is not detected but is an executable file, it is run (sandboxed) in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

Enhanced Real-Time Protection Implementation

The Real-Time Protection (RTP) or on-access feature in FortiClient uses tight integration with Microsoft Windows to monitor files locally, or over a network file system, as they are being downloaded, saved, run, copied, renamed, opened, or written to. The FortiClient driver coupling with Windows has been re-written to use modern APIs provided by Microsoft. All basic features remain the same, with a few minor differences in behavior. Some noticeable performance enhancements could be observed in various use case scenarios.

Web Filtering

Web Browser Usage and Duration

If configured, FortiClient will record detailed information about the user’s web browser activities, such as:

l A history of websites visited by the user (as shown in regular web browser history) l An estimate of the duration or length of stay on the website.

These logs are sent to FortiAnalyzer, if configured. With FortiAnalyzer 5.4.0 or newer, the FortiClient logs sent from various endpoints may be viewed in FortiView.

VPN

Authorized Machine Detection

For enterprises where new computers may be brought into the organization by employees, FortiClient can be configured to check or identify the computer before allowing it to establish IPsec VPN or SSL VPN connections to the FortiGate. The administrator may configure restrictions with one or more of the following:

l Registry check: Ensure a specific registry path contains a predetermined value l File check: Verify the existence of a specific file at a specified location l Application check: Ensure that a specific application is installed and running

The verification criteria can be configured using advanced FortiClient XML configurations on the FortiGate or FortiClient Enterprise Management Server (EMS).

New SSL VPN Windows driver

The FortiClient SSL VPN driver pppop.sys was re-written to use the latest Microsoft recommended CoNDIS WAN driver model. The new driver is selected when FortiClient is installed on Windows 7 or newer. The SSL VPN driver included in the previous versions of FortiClient will still be maintained.

New IPsec VPN Windows drivers

FortiClient IPsec VPN drivers have been updated to support Microsoft Windows NDIS 6.3 specification. The new drivers are compatible with Microsoft Windows 8.1 or newer.

Support for DTLS

FortiClient SSL VPN connections to FortiGate now support Datagram Transport Layer Security (DTLS) by using User Datagram Protocol (UDP) as the transport protocol. Previously FortiClient SSL VPN connections supported only Transport Control Protocol (TCP). You can now use FortiGate to configure SSL VPN connections that use DTLS. You cannot use FortiClient to configure SSL VPN connections that use DTLS. When FortiClient endpoints use a DTLS-enabled SSL VPN connection with FortiGate, and FortiGate communicates DTLS support, FortiClient uses DTLS via UDP. If DTLS fails, FortiClient will fall back to use TLS to establish an SSL VPN connection.

Installation requirements

2 Replies

Installation requirements

The following table lists operating system support and the minimum system requirements.

Operating System Support

Minimum System Requirements

l Microsoft Windows 7 (32-bit and 64-bit) l Microsoft Windows 8 (32-bit and 64-bit) l Microsoft Windows 8.1 (32-bit and 64-bit) l Microsoft Windows 10 (32-bit and 64-bit)

l Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l Compatible operating system and minimum

512MB RAM

l 600MB free hard disk space l Native Microsoft TCP/IP communication protocol l Native Microsoft PPP dialer for dial-up connections l Ethernet NIC for network connections l Wireless adapter for wireless network connections l Adobe Acrobat Reader for documentation l MSI installer 3.0 or later.

l Microsoft Windows Server 2008 R2 l Microsoft Windows Server 2012 l Microsoft Windows Server 2012 R2

l Microsoft Internet Explorer version 8 or later l Microsoft Windows compatible computer with Intel

processor or equivalent

l Compatible operating system and minimum

512MB RAM

Firmware images and tools

Operating System Support	Minimum System Requirements
l Mac OS X v10.8 Mountain Lion l Mac OS X v10.9 Mavericks l Mac OS X v10.10 Yosemite l Mac OS X v10.11 El Capitan	l Apple Mac computer with an Intel processor l 256MB of RAM l 20MB of hard disk drive (HDD) space l TCP/IP communication protocol l Ethernet NIC for network connections l Wireless adapter for wireless network connections

Windows XP (32-bit) is supported when FortiClient software updates are disabled. You can disable FortiClient software updates by using EMS or FortiClient XML. Signature updates remain supported when FortiClient software updates are disabled.

Firmware images and tools

Microsoft Windows

The following files are available in the firmware image file folder:

4.xx.xxxx.exe

Standard installer for Microsoft Windows (32-bit).

4.xx.xxxx.zip
- zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
4.xx.xxxx_x64.exe

Standard installer for Microsoft Windows (64-bit).

4.xx.xxxx_x64.zip
- zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some properties of the MSI package can be customized with FortiClient Configurator tool.
4.xx.xxxx.zip
- zip package containing miscellaneous tools including the FortiClient Configurator tool and VPN Automation files:

The following tools and files are available in the FortiClientTools_5.4.xx.xxxx.zip file:

FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

FortiClientVirusCleaner A virus cleaner.
OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

SSLVPNcmdline

Firmware images and tools

Command line SSL VPN client.

SupportUtils

Includes diagnostic, uninstallation, and reinstallation tools. l VPNAutomation

VPN automation tool.

When creating a custom FortiClient 5.4 installer by using the FortiClient Configurator tool, you can choose which features to install. You can also select to enable or disable software updates, configure SSO, and rebrand FortiClient.

Mac OS X

The following files are available in the firmware image file folder:

4.x.xxx_macosx.dmg Standard installer or Mac OS X.
4.x.xxx_macosx.tar

FortiClient includes various utility tools and files to help with installations.

The following tools and files are available in the FortiClientTools .tar file:

OnlineInstaller

This file downloads and installs the latest FortiClient file from the public FDS.

FortiClientConfigurator

An installer repackaging tool that is used to create customized installation packages.

RebrandingResources

Rebranding resources used by the FortiClient Configurator tool.

When creating a custom FortiClient 5.4.1 installer by using the FortiClient Repackager tool, you can choose to install Everything, VPN Only, or SSO only. You can also select to enable or disable software updates and rebrand

FortiClient.

FortiClient 5.4 cannot use FortiClient version 5.0 licenses. To use FortiClient Configurator, you need to use the FortiClient version 5.4 license file.

Fortinet Product Support For FortiClient

Leave a reply

Fortinet product support for FortiClient

The following Fortinet products work together to support FortiClient in managed mode:

l FortiClient EMS l FortiManager l FortiGate l FortiAnalyzer l FortiSandbox Fortinet product support for FortiClient

FortiClient EMS

FortiClient EMS runs on a Windows server. EMS deploys FortiClient (Windows) and profiles to endpoints, and the endpoints can connect FortiClient Telemetry to FortiGate or EMS. When FortiClient endpoints are connected to FortiGate or EMS, you can use EMS to monitor FortiClient endpoints in real time.

For information on EMS, see the FortiClient EMS Administration Guide, available in the Fortinet Document

Library.

FortiManager

FortiManager provides central FortiClient management for FortiGate devices that are managed by FortiManager. In FortiManager, you can create one or more FortiClient profiles that you can assign to multiple FortiGate devices. You can also import FortiClient profiles from one FortiGate device and assign the FortiClient profile to other FortiGate devices. When FortiClient endpoints are connected to managed FortiGate devices, you can use FortiManager to monitor FortiClient endpoints from multiple FortiGate devices.

For information on FortiManager, see the FortiManagerAdministration Guide, available in the Fortinet Document Library.

Licensing

FortiGate

FortiGate provides network security. FortiGate devices define compliance rules for NAC (network access control) for connected FortiClient endpoints, and FortiClient communicates the compliance rules to endpoints. FortiGate devices communicate between FortiClient endpoints, EMS, and FortiManager, when FortiManager is used.

For information on FortiGate, see the FortiOS Handbook, available in the Fortinet Document Library.

FortiAnalyzer

FortiAnalyzer can receive logs from FortiClient endpoints that are connected to FortiGate or EMS, and you can use FortiAnalyzer to analyze the logs and run reports. FortiAnalyzer receives logs directly from FortiClient. However, in FortiAnalyzer, you view FortiClient logs under the device to which the FortiClient endpoint is connected. For example, when FortiClient endpoints are connected to FortiGate devices, you must add the FortiGate devices to FortiAnalyzer to view FortiClient logs for the FortiClient endpoints that are connected to FortiGates.

For information on FortiAnalyzer, see the FortiAnalyzerAdministration Guide, available in the Fortinet Document Library.

FortiSandbox

FortiSandbox offers the capabilities to analyze new, previously unknown, and undetected virus samples in realtime. Files sent to it are scanned first, using similar Antivirus (AV) engine and signatures as are available on FortiOS and FortiClient. If the file is not detected but is an executable file, it is run in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files from removable media or the network to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file can be blocked until the scanning result is returned.

For more information, see the FortiSandbox Administration Guide, available in the Fortinet Document Library.

Licensing

FortiClient managed mode requires a license. In managed mode, FortiClient licensing is applied to FortiGate or EMS.

Installation requirements

FortiClient licenses for FortiGate

FortiGate 30 series and higher models include a FortiClient license for ten (10) free, connected FortiClient endpoints. For additional connected endpoints, you must purchase a FortiClient license subscription. Contact your Fortinet sales representative for information about FortiClient licenses.

FortiClient licenses for EMS

EMS includes a FortiClient license for ten (10) free, connected FortiClient endpoints for evaluation. For additional connected endpoints, you must purchase a FortiClient license subscription. Contact your Fortinet sales representative for information about FortiClient licenses.

FortiClient 5.4.1 Administration Guide

Leave a reply

Introduction

FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet’s Advanced Threat Protection (ATP) to end user devices. As the endpoint is the ultimate destination for malware that is seeking credentials, network access, and sensitive information, ensuring that your endpoint security combines strong prevention with detection and mitigation is critical.

Standalone FortiClient (Free)	Managed FortiClient (Licensed)
Installation Options l Complete: All Endpoint Security and VPN components will be installed. l VPN Only: only VPN components (IPsec and SSL) will be installed.	Installation Options l Complete: All Endpoint Security and VPN components will be installed. l VPN Only: only VPN components (IPsec and SSL) will be installed. l Create a custom FortiClient installer using the FortiClient Configurator tool.
Threat Protection l Real-time Antivirus Protection l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware)	Threat Protection l Real-time Antivirus Protection l FortiSandbox support l Antirootkit/Antimalware l Grayware Blocking (Adware/Riskware) l Cloud-Based Behavior Scanning
Web Content l Web Filtering l YouTube Education Filter	Web Content l Web Filtering l YouTube Education Filter

This document was written for FortiClient (Windows) 5.4.1. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.1.

FortiClient modes and features

FortiClient offers two licensing modes: Standalone mode and Managed mode. The standalone mode is free, and the managed mode is licensed. In managed mode, FortiClient is used with FortiGate, FortiClient Enterprise Management Server (EMS), or both FortiGate and EMS.

The following table provides a feature comparison between standalone FortiClient (free version) and managed FortiClient (licensed version).

FortiClient modes and features

Standalone FortiClient (Free)	Managed FortiClient (Licensed)
VPN l SSL VPN l IPsec VPN l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication	VPN l SSL VPN l IPsec VPN l Client Certificate Support l X.509 Certificate Support l Elliptical Curve Certificate Support l Two-Factor Authentication
Logging l VPN, Antivirus, Web Security, and Update Logging l View logs locally	Logging l VPN, Application Firewall, Antivirus, Web Filter, Update, and Vulnerability Scan Logging l View logs locally
	Network Access Compliance l Compliance l Define and enforce enterprise security policies when FortiClient used with FortiGate.
	Application Control l Application Firewall l Block Specific Application Traffic
	Vulnerability Management l Vulnerability Scan l Link to FortiGuard with information on the impact and recommended actions l Receive remediation instructions for addressing endpoint vulnerabilities, including access to software patches
	Central Management l Centralized Client Management and monitoring l Centralized configuration provisioning and deployment
	Central Logging l Upload logs to FortiAnalyzer or FortiManager. FortiClient must connect to FortiGate or EMS to upload logs to FortiAnalyzer or FortiManager.

Fortinet product support for FortiClient

Standalone mode

In standalone mode, FortiClient is not connected to a FortiGate or EMS. In this mode, FortiClient is free both for private individuals and commercial businesses to use; no license is required. See Standalone FortiClient on page 24.

Support for FortiClient in standalone mode is provided on the Fortinet Forums (for um.fortinet.com). Phone support is not provided.

Managed mode

Companies with large installations of FortiClient usually need a means to manage their endpoints. EMS can be used to provision and centrally manage FortiClient endpoints, and FortiGate can be used with FortiClient endpoints for network security. Each FortiClient endpoint can register to a FortiGate or an EMS. In this mode, FortiClient licensing is applied to the FortiGate or EMS. No separate license is required on FortiClient itself. See Managed FortiClient on page 25.

FortiClient banner and modes

If FortiClient (full version or VPN only) is running in standalone mode and not connected to a FortiGate or EMS, a single banner at the bottom of the FortiClient console is displayed. When FortiClient is running in managed mode and connected to a FortiGate or EMS, the banner is hidden by default. Similarly, when you create a FortiClient installer by using FortiClient Configurator (Windows) or Repackager (OS X), no banner is displayed by default.

Custom FortiClient Installations

1 Reply

Custom FortiClient Installations

The FortiClient Configurator tool FortiClient is the recommended method of creating customized FortiClient installation files.

You can also customize which modules are displayed in the FortiClient dashboard in the FortiClient Profile. This will allow you to activate any of the modules at a later date without needing to re-install FortiClient. Any changes made to the FortiClient Profile are pushed to registered clients.

When creating VPN only installation files, you cannot enable other modules in the FortiClient Profile as only the VPN module is installed.

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference forFortiOS.

The FortiClient Configurator tool is included with the FortiClient Tools file in FortiClient 5.2. This file is only available on the Customer Service & Support portal and is located in the same file directory as the FortiClient images.

The Configurator tool requires activation with a license file. Ensure that you have completed the following steps prior to logging in to your FortiCare product web portal:

Purchased FortiClient Registration License l Activated the FortiClient license on a FortiGate

This video explains how to purchase and apply a FortiClient License: http://www.youtube.com/watch?feature=player_embedded&v=sIkWaUXK0Ok This chapter contains the following sections:

Download the license file l Create a custom installer l Custom installation packages l Advanced FortiClient profiles

Download the license file

To retrieve your license file:

Go to https://support.fortinet.com and log in to your FortiCare account.
Under Asset select Manage/View Products. Select the FortiGate device that has the FortiClient registration license activated. You will see the Get the Key File link in the Available Key(s)
Click the link and download license file to your management computer. This file will be needed each time you use the FortiClient Configurator tool.

Create a custom installer

Fortinet offers a repacking tool for both Microsoft Windows and Mac OS X operating systems. The following section provides instructions on creating a custom installer file using the FortiClient Configurator tool.

When selecting to install custom features, only modules selected are installed. To enable other features you will need to uninstall FortiClient, and reinstall an MSI file with these features included in the installer.

FortiClient (Windows) Configurator tool

To create a custom installer using the FortiClient Configurator tool:

Unzip the FortiClientTools file, select the FortiClientConfigurator file folder, and double-click the exe application file to launch the tool.

The tool opens at the Welcome page.

Licensed	Licensed mode requires a FortiClient license file.
Trial	In FortiClient 5.4, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment.

Browse and select the FortiClient Configurator Activation Key file (.lic) on your management computer.
After entering the FortiClient Configurator license, select Next. The Configuration File page is displayed.

Select Config File (optional)	The configuration file (.conf, .sconf) settings will be included in the installer file.
Password	If the configuration file is encrypted (.sconf), enter the password used to encrypt the file.

You can use an XML editor to make changes to the FortiClient configuration file. For more information on FortiClient XML configuration, see the FortiClient XML Reference in the Fortinet Document Library, http://docs.fortinet.com.

Browse and select the FortiClient configuration file on your management computer. This is an optional step. If you do not want to import settings from a configuration file, select Skip to continue. The Settings page is displayed.

The following options are available for custom installations:

Features to Install
Everything	All Security and VPN components will be installed.
Client security only	Only AntiVirus, Web Filtering, and Application Firewall will be installed.
VPN only	Only VPN components (IPsec and SSL) will be installed.
Other	Select one of the following from the drop-down list: l AntiVirus & Web Filtering only l Web Filtering only l Application Firewall only l Application Firewall & Web Filtering only l Web Filtering, VPN and Application Firewall l Single Sign-On mobility agent only
Options
Desktop Shortcut	Select to create a FortiClient desktop icon.
Start Menu	Select to add FortiClient to the start menu.
Enable Software Update	Select to enable software updates. This option is disabled when Rebrand FortiClient is selected. This option is also disabled when using Trial mode.
Configure Single Sign-On mobility agent	Select to configure Singe Sign-On mobility agent for use with FortiAuthenticator.
Features to Install
Rebrand FortiClient	Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient on page 137.

Select the features to install and options and select Next to continue.

If you selected to configure the single sign-on mobility agent, the Single Sign-On Mobility Agent Settings page is displayed.

Configure the following settings:

Server IP/FQDN	Enter the IP address or FQDN of the FortiAuthenticator server.
Port Number	Enter the port number. The default port is 8001.
Pre-Shared Key	Enter the FortiAuthenticator pre-shared key.
Confirm Pre-Shared Key	Enter the FortiAuthenticator pre-shared key confirmation.

Select Next to continue. If you selected to rebrand FortiClient, the Rebranding page is displayed.
Rebrand FortiClient elements as required. The resources folder contains graphical elements. For more information, see Appendix C – Rebranding FortiClient on page 137.
Select Next to continue. The Package Signing page is displayed.
Configure the following settings:

Select Code Signing Certificate (optional)	If you have a code signing certificate, you can use it to digitally sign the installer package this tool generates.
Password	If the certificate file is password protected, enter the password.

Browse and select the code signing certificate on your management computer. This is an optional step. If you do not want to digitally sign the installer package, select Skip to continue. The Execution page is displayed.

This page provides details of the installer file creation and the location of files for Active Directory deployment and manual distribution. The tool creates files for both 32-bit (x86) and 64-bit (x64) operating systems.

When you select Finish, if Browse to output MSI file upon exit is selected, the folder containing the newly created MSI file will open.

Before deploying the custom MSI files, it is recommended that you test the packages to confirm that they install correctly. In FortiClient 5.2.0 and later, an .exe installation file is created for manual distribution.

Installation files are organized in folders within the FortiClientTools > FortiClient Configurator > FortiClient repackaged folder. Folder names identify the type of installation files that were created and the creation date.

FortiClient (Mac OS X) Configurator tool

To create a custom installer using the FortiClient Configurator tool:

Unzip the FortiClientTools file, select the Configurator file folder, and double-click the

FortiClientConfigurator.dmg application file, and double-click the FCTConfigurator icon to launch the tool. The Configurator tool opens.

Configure the following settings:

Licensed \| Trial	Licensed mode requires a FortiClient 5.2 license file. In FortiClient v5.2, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment.
Source	Select the FortiClient Installer file on your management computer. You must use the full installer file, otherwise FortiClient Configurator will fail to create a custom installation file. The FortiClient Installer version and FortiClient Configurator version must match, otherwise the Configurator will fail to create a custom installation file.
Destination	Enter a name for the custom installation file and select a destination to save the file on your management computer.
Features to Install	Select to install all FortiClient modules, VPN only, or SSO only. If SSO only is selected, you must configure the SSO settings in the attached configuration file.
Server IP/FQDN	Enter the IP address or FQDN of the FortiAuthenticator server. This option is available when selecting SSO only for features to install.
Port Number	Enter the port number. The default port is 8001. This option is available when selecting SSO only for features to install.
Pre-Shared Key	Enter the FortiAuthenticator pre-shared key. This option is available when selecting SSO only for features to install.
Confirm Pre-Shared Key	Enter the FortiAuthenticator pre-shared key confirmation. This option is available when selecting SSO only for features to install.

Custom installation packages

Config file	Optionally, select a pre-configured FortiClient backup configuration file. If you selected Everything or VPN only for features to install, you must use a configuration file to configure the related settings.
Software Update	Select to enable or disable software updates.
Rebrand	Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient on page 137.
Rebranding resources	Select the FortiClient resources file on your management computer.

Select the Start button to create the custom FortiClient installation file.
You can now deploy the repackaged FortiClient .dmg file to your Mac OS X systems.

Custom installation packages

Advanced FortiClient profiles

FortiClient (Windows)

After the configurator tool generates the custom installation packages, it can be used to deploy the FortiClient software either manually, or using Active Directory. Both options can be found in the …/FortiClient_packaged directory. Files are created for both x86 (32-bit) and x64 (64-bit) operating systems.

If Active Directory is being used to deploy FortiClient, you can use the custom installer with the MST file found in the …/ActiveDirectory folder.

For manual distribution, use the .exe file in the …/ManualDistribution folder.

Advanced FortiClient profiles

When creating custom FortiClient MSI files for deployment, you will need to configure advanced FortiClient profiles on the FortiGate/EMS to ensure that settings in the FortiClient profile do not overwrite your custom XML settings. You can configure the FortiClient profile to deliver the full XML configuration, VPN only, or specific FortiClient XML configurations. For more information on customizing the FortiClient XML configuration file, see the Appendix C – Rebranding FortiClient on page 137.

Fortinet recommends creating OS specific endpoint profiles when provisioning XML settings. When creating a new FortiClient profile, select the device group as either Windows PC or Mac. If a FortiClient (Windows) XML configuration is pushed to a FortiClient (Mac OS X) system, FortiClient (Mac OS X) will ignore settings which are not supported.

Provision a full XML configuration file

You can deploy the full XML configuration file from the CLI or GUI.

To deploy the full XML configuration via the CLI:

Log in to the FortiGate Command-line Interface.
Enter the following CLI commands: config endpoint-control profile edit <profile_name>

config forticlient-winmac-settings set forticlient-advanced-cfg enable

set forticlient-advanced-cfg-buffer “Copy & Paste your FortiClient XML configuration here”

Advanced FortiClient profiles

Copy directly from your XML editor, preserving the XML file format. Copy all information from the <?xml version=”1.0″ encoding=”UTF-8″ ?> start of syntax to the </forticlient_configuration> end of syntax XML tags. Add double quotes at the start and end of the XML syntax statements.

To deploy the full XML configuration via the FortiGate GUI:

Go to Security Profiles > FortiClient Profiles.
Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page is displayed.
Configure the following settings:

Profile Name	Enter a unique name to identify the FortiClient profile.
Comments	Optionally, enter a comment.
Assign Profile To	For more information on configuring device groups, user groups, and users, see the FortiOS Handbook. These options are only available when creating a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN. FortiClient does not support nested groups in FortiOS.
XML text window	Copy and paste the FortiClient XML configuration file in the text window. The XML syntax must be preserved.

Select Apply to save the FortiClient profile settings.

To deploy the full XML configuration via EMS:

Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
Select the Advanced option to the right of the profile name.
Select Yes in the confirmation dialog box.
Copy and paste the XML configuration file text into the text box.
Select Save to save the FortiClient profile settings.

Partial configuration

The current buffer size is 32kB. This may not be large enough to accommodate your FortiClient XML configuration. As a workaround, you can use the FortiClient Configurator tool to create a custom MSI installation file using a .confFortiClient backup configuration that contains static custom configurations. You can then include a partial configuration in the advanced FortiClient profile. This will push the partial configuration when the client registers with the FortiGate. The partial configuration will be merged with the existing XML configuration on the client.

To provision specific FortiClient XML configuration while preserving custom XML configurations in your MSI file, cut & paste the specific XML configuration into the FortiClient Profile in the following format:

<?xml version=”1.0″ encoding=”UTF-8″ ?>

Advanced FortiClient profiles

<forticlient_configuration>

<partial_configuration>1</partial_configuration>

<ui>

<default_tab>VPN</default_tab>

<flashing_system_tray_icon>0</flashing_system_tray_icon>

<hide_system_tray_icon>0</hide_system_tray_icon>

<suppress_admin_prompt>0</suppress_admin_prompt>

<culture_code>os-default</culture_code>

</ui>

<use_custom_server>0</use_custom_server>

<fail_over_to_fdn>1</fail_over_to_fdn>

<scheduled_update>

<type>interval</type>

<daily_at>03:00</daily_at>

<update_interval_in_hours>3</update_interval_in_hours>

</scheduled_update>

</update>

</system>

</forticlient_configuration>

Ensure that the <partial_configuration>1</partial_configuration> tag is set to 1 to indicate that this partial configuration will be deployed upon registration with the FortiGate. All other XML configuration will be preserved.

Advanced VPN provisioning

You need to enable VPN provisioning and advanced VPN from the FortiOS CLI to import the FortiClient XML VPN configuration syntax. You can import the XML VPN configuration in the CLI or the GUI.

Import XML VPN configuration into the FortiClient Profile via the CLI:

Log in to your FortiGate command-line interface.
Enter the following CLI commands: config endpoint-control profile edit <profile_name>

config forticlient-winmac-settings set forticlient-vpn-provisioning enable set forticlient-advanced-vpn enable set auto-vpn-when-off-net enable set auto-vpn-name <VPN name to connect to automatically when off-net> set forticlient-advanced-vpn-buffer <Copy & paste the advanced VPN configuration>

end

After the forticlient-vpn-provisioning and forticlient-advancedvpn CLI commands are enabled, the forticlient-advanced-vpn-buffer CLI command is available from the CLI.

Advanced FortiClient profiles

Copy directly from your XML editor, preserving the XML file format. Copy all information from the <vpn> start of syntax to the </vpn> end of syntax XML tags. Add double quotes before the <vpn> tag and after the </vpn> tag.

You can also choose to copy & paste the XML content in the GUI, go to Security Profiles > FortiClient Profiles and select the VPN
Configure the following settings:

Profile Name	Enter a unique name to identify the FortiClient profile.
Comments	Optionally, enter a comment.
Assign Profile To	For more information on configuring device groups, user groups, and users, see the FortiOS Handbook. These options are only available when creating a new endpoint profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN. FortiClient does not support nested groups in FortiOS.
VPN	Enable Client VPN Provisioning. Cut and paste the FortiClient XML configuration <vpn> to </vpn> tags in the text window. The XML syntax must be preserved. Enable Auto-connect when Off-Net and select a VPN name from the dropdown list.

Select Apply to save the FortiClient profile settings.

For more information, see Appendix A – Deployment Scenarios on page 127.