Monitor FortiClient connections

The following FortiOS CLI command lists information about connected clients. This includes domain-related details for the client (if any).

    diagnose endpoint record-list
    Record #1:
    IP_Address = 172.172.172.111(1)
    MAC_Address = b0:ac:6f:70:e0:a0
    Host MAC_Address = b0:ac:6f:70:e0:a0
    MAC list = b0-ac-6f-70-e0-a0;
    VDOM = root
    Registration status: Forticlient installed but not registered
    Online status: offline
    DHCP on-net status: off-net
    DHCP server: None
    FCC connection handle: 6
    FortiClient version: 5.1.29
    AVDB version: 22.137
    FortiClient app signature version: 3.0
    FortiClient vulnerability scan engine version: 1.258
    FortiClient feature version status: 0
    FortiClient UID: BE6B76C509DB4CF3A8CB942AED2064A0 (0)
    FortiClient config dirty: 1:1:1
    FortiClient KA interval dirty: 0
    FortiClient Full KA interval dirty: 0
    FortiClient server config: d9f86534f03fbed109676ee49f6cfc09::
    FortiClient config: 1
    FortiClient iOS server mconf:
    FortiClient iOS mconf:
    FortiClient iOS server ipsec_vpn mconf:
    FortiClient iOS ipsec_vpn mconf:
    Endpoint Profile: Documentation
    Reg record pos: 0
    Auth_AD_groups:
    Auth_group:
    Auth_user:
    Host_Name:
    OS_Version: Microsoft Windows 7 , 64-bit Service Pack 1 (build 7601)
    Host_Description: AT/AT COMPATIBLE
    Domain:
    Last_Login_User: FortiClient_User_Name
    Host_Model: Studio 1558
    Host_Manufacturer: Dell Inc.
    CPU_Model: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz
    Memory_Size: 6144
    Installed features: 55
    Enabled features: 21
    online records: 0; offline records: 1
    status — none: 0; uninstalled: 0; unregistered: 1; registered: 0; blocked: 0
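The record format above lends itself to scripted monitoring. The following Python script is an added example, not Fortinet code: it parses `diagnose endpoint record-list` output (a constructed sample in the same format, not the record shown above) and flags endpoints that are unregistered, offline, or below an assumed minimum FortiClient version, the kind of check a System Compliance rule enforces.

```python
"""Parse `diagnose endpoint record-list` output and flag endpoints that need
attention (unregistered, offline, or running an old FortiClient).

Added example for this page; not Fortinet code. SAMPLE_OUTPUT is constructed
in the record format shown above, and MIN_VERSION is an assumed System
Compliance minimum, not a value taken from the page.
"""
import re
from typing import Dict, List, Optional

# Constructed sample output: two endpoint records plus the trailing summary.
SAMPLE_OUTPUT = """\
Record #1:
IP_Address = 172.172.172.111(1)
MAC_Address = b0:ac:6f:70:e0:a0
VDOM = root
Registration status: Forticlient installed but not registered
Online status: offline
DHCP on-net status: off-net
FortiClient version: 5.1.29
Endpoint Profile: Documentation
Host_Name:
OS_Version: Microsoft Windows 7 , 64-bit Service Pack 1 (build 7601)
Record #2:
IP_Address = 10.0.0.25(1)
MAC_Address = 00:11:22:33:44:55
VDOM = root
Registration status: registered
Online status: online
DHCP on-net status: on-net
FortiClient version: 5.4.1
Endpoint Profile: default
Host_Name: WS-CONSTRUCTED-02
OS_Version: Microsoft Windows 10 , 64-bit (build 14393)
online records: 1; offline records: 1
"""

MIN_VERSION = "5.4.1"  # assumed System Compliance minimum FortiClient version

RECORD_RE = re.compile(r"^Record #(\d+):\s*$")
# Fields are printed either as "Key = value" or as "Key: value".
FIELD_RE = re.compile(r"^([^=:]+?)\s*[=:]\s*(.*)$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Return one dict of fields per endpoint record in the CLI output."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("online records:"):
            break  # the summary lines follow the last record
        header = RECORD_RE.match(line)
        if header:
            current = {"record": header.group(1)}
            records.append(current)
            continue
        field = FIELD_RE.match(line)
        if current is not None and field:
            current[field.group(1).strip()] = field.group(2).strip()
    return records


def version_tuple(version: str) -> tuple:
    """'5.1.29' -> (5, 1, 29) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def assess(record: Dict[str, str], min_version: str = MIN_VERSION) -> List[str]:
    """List the reasons an endpoint record needs attention (empty if none)."""
    issues = []
    if not record.get("Registration status", "").lower().startswith("registered"):
        issues.append("not registered")  # FortiGate alone enforces compliance here
    if record.get("Online status") != "online":
        issues.append("offline")
    version = record.get("FortiClient version", "")
    if version and version_tuple(version) < version_tuple(min_version):
        issues.append(f"FortiClient {version} below minimum {min_version}")
    return issues


def summarize(text: str, min_version: str = MIN_VERSION) -> Dict[str, List[str]]:
    """Map each endpoint IP (without the trailing '(n)' counter) to its issues."""
    report = {}
    for record in parse_records(text):
        ip = record.get("IP_Address", "").split("(")[0]
        report[ip] = assess(record, min_version)
    return report


if __name__ == "__main__":
    for ip, issues in summarize(SAMPLE_OUTPUT).items():
        print(f"{ip}: {'OK' if not issues else ', '.join(issues)}")
```

Feed it the captured output of the command from an SSH session to report on every record in the VDOM.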

Roaming clients (multiple redundant gateways)


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configure FortiClient Telemetry connections with AD user groups

When FortiClient Telemetry connects to FortiGate/EMS, the user’s AD domain name and group are both sent to FortiGate/EMS. Administrators may configure FortiGate/EMS to deploy endpoint and/or firewall profiles based on the end user’s AD domain group. The following steps are discussed in more detail:

  • Configure users and groups on AD servers
  • Configure FortiAuthenticator
  • Configure FortiGate/EMS
  • Connect FortiClient Telemetry to FortiGate/EMS
  • Monitor FortiClient connections

Configure users and groups on AD servers

Create the user accounts and groups on the AD server. Groups may have any number of users. A user may belong to more than one group at the same time.

Configure FortiAuthenticator

Configure FortiAuthenticator to use the AD server that you created. For more information see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

Configure FortiGate/EMS

FortiGate

Add the FortiAuthenticator or Fortinet Single Sign-On Agent (FSSO):

  1. Go to User & Device > Single Sign-On.
  2. Select Create New in the toolbar. The New Single Sign-On Server window opens.
  3. In the Type field, select Fortinet Single-Sign-On Agent.
  4. Enter the information required for the agent. This includes the name, primary and secondary IP addresses, and passwords. Select an LDAP server in the drop-down list if applicable. Select More FSSO agents to add up to three additional agents.
  5. Select OK to save the agent configuration.

Create a user group:

  1. Go to User & Device > User Groups.
  2. Select Create New in the toolbar. The New User Group window opens.
  3. In the type field, select Fortinet Single-Sign-On (FSSO).
  4. Select members from the drop-down list.
  5. Select OK to save the group configuration.

Configure the FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select Create New in the toolbar. The New FortiClient Profile window opens.
  3. Enter a profile name and optional comments.
  4. In the Assign Profile To drop-down list select the FSSO user group(s).
  5. Configure FortiClient configuration as required.
  6. Select OK to save the new FortiClient profile.

Create any number of FortiClient profiles with different groups and different settings. The default profile will be assigned to users who connect successfully, but have no matching FortiClient profile.

Configure the firewall policy:

Configure the firewall policy as described in Configure firewall policies on page 35. Ensure that Compliant with FortiClient Profile is selected in the policy.

EMS

Add a new domain:

  1. Under the Endpoints heading, in the Domains section, select Add a new domain. The Domain Settings window opens.
  2. Enter the domain information as required.
  3. Select Test to confirm functionality, then, if successful, select Save to add the domain.

The domain’s organizational units (OUs) will automatically be populated in the Domains section under the Endpoints heading. For more information, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.

Connect FortiClient Telemetry to FortiGate/EMS

The Microsoft Windows system on which FortiClient is installed should join the domain of the AD server configured earlier. Users may log in with their domain user name.

Following this, FortiClient endpoint connections will send the logged-in user’s name and domain to the FortiGate/EMS. The FortiGate/EMS will assign the appropriate profiles based on the configurations.


Configure FortiClient profiles

FortiGate includes a default FortiClient profile. You can edit the default profile or create a new profile. FortiClient profiles are used to communicate compliance rules to FortiClient endpoints.

The option to assign the profile to device groups, user groups, and users is available only when you create a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication.

For more information about creating FortiClient profiles by using FortiGate, see the FortiOS Handbook-Security Profiles.

Configure FortiGate

To configure FortiClient profiles:

  1. Go to Security Profiles > FortiClient Profiles. You can edit the default profile or create a new FortiClient profile.
  2. Set the following options:
     Profile Name: Type a name for the profile.
     Comments: Type comments about the profile.
     Assign Profile To: Click to specify which devices, users, and addresses will receive the FortiClient profile. This option is available only when Multiple Security Profiles is enabled and you create a new profile.
     FortiClient endpoint compliance: Use the options in this section to specify how to handle FortiClient endpoints that fail to meet the compliance rules.
     Non-compliance action: Select Block, Warning, or Auto-update. See also Non-compliance action on page 29.
     Endpoint Vulnerability Scan on Client: You can enable or disable Endpoint Vulnerability Scan on Client. When enabled, FortiClient is required to have Vulnerability Scan enabled. When Non-compliance action is set to Auto-update, you can enable and configure Endpoint Vulnerability Scan on Client by using only FortiGate.
     System Compliance: You can enable or disable System Compliance. When enabled, a minimum FortiClient version is required on endpoints. When Non-compliance action is set to Auto-update, you can enable and configure Minimum FortiClient version by using only FortiGate. You can also enable logging to FortiAnalyzer, and select what types of logs to send to FortiAnalyzer.
     AntiVirus: You can enable or disable AntiVirus. When enabled, the FortiClient console is required to have AntiVirus enabled. When Non-compliance action is set to Auto-update, you can enable and configure AntiVirus by using only FortiGate.
     Web Filter: You can enable or disable Web Filter and select a profile. When enabled, FortiClient is required to have Web Filter enabled. When Non-compliance action is set to Auto-update, you can enable and configure Web Filter by using only FortiGate.
     Application Firewall: You can enable or disable Application Firewall and select a profile. When enabled, FortiClient is required to have Application Firewall enabled. When Non-compliance action is set to Auto-update, you can enable and configure Application Firewall by using only FortiGate.
  3. Click OK.

Enable a key password for FortiTelemetry connection

You can configure a connection key password for FortiClient Telemetry connection to FortiGate devices. When connecting FortiClient Telemetry to FortiGate, the user must enter the connection key password in FortiClient console before the connection can be completed.

You must use the CLI to enable a key password.

To enable key password:

  1. On your FortiGate device, go to Dashboard > CLI Console, and enter the following CLI command:
     config endpoint-control settings
         set forticlient-key-enforce enable
         set forticlient-reg-key <password>
     end

FortiClient users can choose to remember the connection key password in the FortiClient console when they connect FortiClient Telemetry.

View connected FortiClient endpoints

You can view all connected FortiClient endpoints in the FortiGate GUI. On FortiGate, each new connection is automatically added to the device table.

To view connected devices, go to Monitor > FortiClient Monitor.


Use FortiClient console

This section describes how a FortiClient endpoint user can use the FortiClient console when FortiClient is managed by FortiGate/EMS.

To use the FortiClient console:

  1. View FortiClient Telemetry connection status, last profile update, and the gateway IP list. See Compliance on page 54.

If FortiClient Telemetry is connected to FortiGate, you can also view compliance status and instructions for remaining compliant on the Compliance tab.

  2. View Antivirus threats. See Antivirus on page 65.
  3. View web filter results. See View violations on page 79.
  4. View application firewall results. See Application Firewall on page 81.
  5. Configure and use remote access. See IPsec VPN and SSL VPN on page 83.
  6. View vulnerability scan results. See Vulnerability Scan on page 92.
  7. View notifications. See View notifications on page 63.

Configure FortiGate

This section provides an overview of configuring FortiGate for endpoint control.

Get started

FortiGate endpoint control is configured by completing the following tasks:

  1. Enable the endpoint control feature. See Enable the Endpoint Control feature on page 34.
  2. Enable FortiTelemetry on an interface. See Enable FortiTelemetry on an interface on page 34.
  3. Configure firewall policies. See Configure firewall policies on page 35.
  4. Configure FortiClient profiles. See Configure FortiClient profiles on page 35.

After FortiClient software is installed on endpoints, and the FortiClient endpoints connect FortiTelemetry to FortiGate, FortiClient downloads a FortiClient profile from FortiGate.

Additional configuration options are available, depending on the needs of your network.

Enable the Endpoint Control feature

When using the GUI for configuration, you must enable endpoint control on FortiGate devices to use the device for FortiClient endpoint management.

When using the CLI for configuration, you can skip this step.

To enable the endpoint control feature:

  1. Go to System > Feature Select.
  2. In the Security Features list, enable Endpoint Control.
  3. In the Additional Features list, enable Multiple Security Profiles.
  4. Click Apply.

Enable FortiTelemetry on an interface

You must configure FortiClient communication on a FortiGate interface by specifying an IP address and enabling FortiTelemetry communication.

The IP address for the interface defines the gateway IP address for the FortiGate that FortiClient endpoints will use to connect FortiClient Telemetry to FortiGate.

You can also add any devices that are exempt from requiring FortiClient software to an exemption list for the interface.

To enable FortiTelemetry on an interface:

  1. Go to Network > Interfaces.
  2. Select an interface, and click Edit.
  3. Set the following options:
     Address: In the IP/Network Mask box, type the gateway IP address.
     Restrict Access: Beside Administrative Access, select the FortiTelemetry check box to enable endpoints to send FortiTelemetry to FortiGate.
     Networked Devices: Enable Device Detection to allow FortiGate to detect the operating system on connected endpoint devices.
     Admission Control: Enable Enforce FortiTelemetry for All FortiClients to require endpoint compliance for all endpoints. Click the Exempt Sources box, and add the devices that are exempt from requiring FortiClient software with a FortiClient Telemetry connection to the FortiGate, such as a Linux PC. For example, FortiClient software currently does not support the Linux operating system, so you can add this type of device to the Exempt Sources list. Click the Exempt Destinations/Services box, and add the destinations and services.
  4. Configure the remaining options as required.
  5. Click OK.

Configure firewall policies

You must configure a firewall policy for FortiClient access to the Internet. The firewall policy must include the incoming interface that is defined for FortiTelemetry communication, and the outgoing interfaces that you want FortiClient endpoints to use for accessing the Internet. Otherwise, endpoints will be unable to access the Internet.

To configure firewall policies:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Click Create New in the toolbar. The New Policy window is displayed.
  3. In the Name box, type a name for the firewall policy.
  4. In the Incoming Interface list, select the port defined for FortiTelemetry communication.
  5. In the Outgoing Interface, select the port(s) defined for outgoing traffic from FortiGate.
  6. Configure the remaining options as required.
  7. Click OK.

Telemetry Gateway IP Lists

In managed mode, FortiClient can use a Telemetry Gateway IP List to automatically locate FortiGate/EMS for FortiClient Telemetry connection.

The Telemetry Gateway IP List is a list of gateway IP addresses that FortiClient can use to connect FortiClient Telemetry to FortiGate/EMS. After FortiClient installation completes on the endpoint device, FortiClient automatically launches and uses the Telemetry Gateway IP List to locate FortiGate/EMS for FortiClient Telemetry connection.

After FortiClient is installed on the endpoint and FortiClient Telemetry is connected to FortiGate/EMS, you can view the Telemetry Gateway IP List in the FortiClient console. See View gateway IP lists on page 59.

Configure Telemetry Gateway IP Lists (EMS)

FortiClient EMS includes the option to create one or more Telemetry Gateway IP Lists. The list can include IP addresses for EMS and for FortiGate. You can assign Telemetry Gateway IP Lists to domains and workgroups in EMS. You can also update the assigned Telemetry Gateway IP Lists after FortiClient is installed, and the updated lists are pushed to FortiClient endpoints. See the FortiClient EMS Administration Guide.

Configure Telemetry Gateway IP Lists (FortiGate)

If you are using FortiGate without EMS, you can add Telemetry Gateway IP addresses to the FortiClient installer by using the Configurator Tool. See Custom FortiClient Installations on page 110.

Get started

This section provides an overview of how to configure, provision, and use FortiClient in managed mode.

Configure endpoint management

Before you provision FortiClient in managed mode, you must configure FortiGate or EMS to manage FortiClient endpoints. You can use FortiGate, EMS, or both FortiGate/EMS to manage FortiClient endpoints. The configuration process depends on what product you will use to manage FortiClient endpoints.

When FortiGate is integrated with EMS, you can sometimes assign two profiles to FortiClient endpoints. Each profile has a different purpose. The purpose of the profile from FortiGate is to communicate the compliance rules to FortiClient endpoints. If the profile created by using FortiGate has non-compliance set to block or warn, you can optionally create a profile by using EMS to communicate configuration settings for FortiClient software on endpoints. For more information, see the FortiClient EMS Administration Guide.

If the compliance action is set to block or warn in the FortiClient profile created by using FortiGate, FortiGate does not provision the FortiClient endpoint, and you must manually configure FortiClient or configure FortiClient by using EMS. If the compliance action is set to auto-update, FortiGate makes a best effort to provision FortiClient endpoints to be compliant with the compliance rules.

To configure endpoint management:

  1. Configure the product or products that you will use to manage FortiClient endpoints. The following table identifies where to find instructions:
     FortiGate: Configure FortiGate endpoint control. See Configure FortiGate on page 33. For more information, see the FortiOS Handbook.
     EMS: See the FortiClient EMS Administration Guide.
     FortiGate integrated with EMS: For FortiGate, configure endpoint control. See Configure FortiGate on page 33. For more information, see the FortiOS Handbook. For EMS, see the FortiClient EMS Administration Guide.

After you configure EMS, FortiGate, or both FortiGate/EMS to manage FortiClient endpoints, you are ready to provision FortiClient.

Provision FortiClient

This section provides an overview of how to provision FortiClient in managed mode.

To provision FortiClient:

  1. Ensure that you have configured EMS, FortiGate, or both FortiGate/EMS to manage FortiClient endpoints.
  2. Provision FortiClient on endpoint computers with Internet access. See FortiClient Provisioning on page 44. You can use one of the following methods:

     • FortiClient EMS with a Microsoft Active Directory server
     • Microsoft Active Directory server

After FortiClient installs, FortiClient Telemetry attempts connection to FortiGate/EMS. For more information, see FortiClient Telemetry Connection on page 51.

After FortiClient Telemetry is connected to FortiGate/EMS, FortiClient downloads a profile from FortiGate/EMS. The computer with FortiClient installed and FortiClient Telemetry connected is now a managed endpoint.

  3. Use one or more of the following methods to monitor managed endpoints:
     • FortiGate
     • FortiClient EMS

FortiClient profiles

When FortiClient is in managed mode, a profile is used to communicate compliance rules and to configure FortiClient software on endpoints. FortiClient receives the profile after FortiClient Telemetry is connected to FortiGate/EMS. The contents of the profile depend on whether FortiGate or EMS provide the profile.

FortiGate and compliance rules

In FortiGate, a FortiClient profile is used to achieve the following goals:

  • Define compliance rules for endpoint access to the network through FortiGate
  • Define the non-compliance action, that is, how endpoints that fail to comply with the compliance rules are handled
  • (Optional) Define some configuration settings for FortiClient software on endpoints

Compliance rules

FortiGate compliance rules are used to define what configuration FortiClient software must have for the endpoint to maintain access to the network through FortiGate. Following is a sample of the compliance rules that you can define (enable or disable) by using the GUI:

  • Antivirus
  • Web filter
  • Application firewall
  • Vulnerability scan
  • Specific FortiClient software version

You can also define additional compliance rules by using the FortiOS CLI.

Non-compliance action

You define how FortiClient endpoints that fail to comply with the compliance rules are handled. You can block, warn, or automatically update FortiClient endpoints. You set the rules by using FortiGate, and both FortiGate and FortiClient enforce the rules.

Both FortiGate and FortiClient enforce compliance rules for FortiClient 5.4.1 and later endpoints. FortiGate enforces compliance for FortiClient 5.4.0 and earlier endpoints, and for all versions of unregistered/unconnected FortiClient endpoints.

Following is a description of how each setting affects FortiClient endpoints:

  • Block

When FortiClient endpoints fail to comply with compliance rules, FortiClient blocks endpoint access to the network. Noncompliance information is displayed in the FortiClient console. The administrator or endpoint user is responsible for reading the noncompliance information and updating FortiClient software on the endpoint to adhere to the compliance rules. In this case, endpoint users can edit settings in the FortiClient console that are not controlled by the compliance rules or EMS.

  • Warn

When FortiClient endpoints fail to comply with compliance rules, FortiClient warns the endpoint users, but allows the endpoint user to access the network. Noncompliance information is displayed in the FortiClient console. The administrator or endpoint user is responsible for reading the noncompliance information and updating FortiClient software on the endpoint to adhere to the compliance rules. In this case, endpoint users can edit settings in the FortiClient console that are not controlled by the compliance rules or EMS.

  • Auto-update

FortiGate provides the compliance rules and some configuration information for FortiClient software that helps FortiClient and the endpoint remain compliant. However, FortiClient endpoints can still fail to comply with compliance rules, because FortiGate cannot automatically update all aspects of the compliance rules, such as the required version of FortiClient or the operating system on the endpoint. FortiGate displays noncompliance information in the FortiOS GUI. The FortiGate administrator and endpoint user are responsible for reading the noncompliance information and keeping FortiClient endpoints compliant. In this case, most settings in the FortiClient console are read-only. However, the endpoint user can edit some settings.

FortiClient configuration

When you use FortiGate to configure a FortiClient profile with a non-compliance setting of auto-update, the FortiClient profile can include configuration information for FortiClient software, which helps the FortiClient endpoint remain compliant with the compliance rules.

You can specify the following configuration information for FortiClient software:

  • AntiVirus
  • Web Filter
  • Application Firewall
  • Vulnerability Scan
  • System Compliance

When the FortiClient endpoint receives the configuration information from FortiGate in the FortiClient profile, the settings in FortiClient console are automatically updated. Most settings in FortiClient console are read-only when FortiGate provides the configuration in a FortiClient profile. However, the endpoint user can change settings in FortiClient console that are not controlled by the FortiClient profile.

For more information about configuring FortiClient profiles by using FortiGate, see the FortiOS Handbook, available in the Fortinet Document Library.

FortiGate and EMS integration

When FortiGate is integrated with EMS, and the non-compliance action in FortiGate is set to block or warn, you can use EMS to assign a profile to endpoints. The profile from EMS is in addition to the compliance rules from FortiGate. When FortiClient receives compliance rules from FortiGate and a profile from EMS, settings in the FortiClient console are locked. Administrators can control the settings by updating the assigned profile in FortiGate/EMS.

CLI only

When using FortiGate to create FortiClient profiles, some settings can be configured only by using the FortiOS CLI. You must use the CLI to configure the following options in FortiClient profiles provided by FortiGate:

  • Allowed operating system for FortiClient endpoints
  • Required third-party applications for FortiClient endpoints
  • Registry entries for FortiClient endpoints
  • File in the file system on FortiClient endpoints

For more information, see the CLI Reference for FortiOS.

EMS and profiles

In FortiClient EMS, a profile is used to install FortiClient on endpoint devices and/or define the configuration for FortiClient software on endpoint devices. The profile consists of the following sections:

  • FortiClient Installer
  • Antivirus
  • Web Filtering
  • Application Firewall
  • VPN
  • Vulnerability Scan
  • System Settings

When the FortiClient endpoint receives the configuration information in the FortiClient profile, the settings in FortiClient console are automatically updated. Settings in FortiClient console are locked and read-only when EMS provides the configuration in a profile.

For more information about configuring profiles by using FortiClient EMS, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.



Standalone FortiClient

About standalone mode

In standalone mode, FortiClient software is installed to computers or devices that have Internet access and are running a supported operating system. After FortiClient is installed, FortiClient automatically connects to FortiGuard Center (http://www.fortiguard.com) to protect the computer or device.

Get started

In standalone mode, you can configure FortiClient settings by using the FortiClient console. This section provides an overview of provisioning, configuring, and using FortiClient in standalone mode.

Provision and configure

In standalone mode, you can install FortiClient software to computers or devices with Internet access and configure a number of settings.

To provision and configure FortiClient:

  1. Install FortiClient on computers or devices. See FortiClient Provisioning on page 44. FortiClient connects to the Fortinet FortiGuard server to protect the computer.
  2. Configure FortiClient settings. See Settings on page 99.
  3. Configure Antivirus settings. See Antivirus on page 65.
  4. (Optional) Configure remote access. See IPsec VPN and SSL VPN on page 83.

Use FortiClient console

In standalone mode, you can use the following tabs in FortiClient console:

  • Antivirus
  • Web Security
  • Remote Access

The Compliance tab is used only when FortiClient is running in managed mode. See Managed FortiClient on page 25.

To use the FortiClient console:

  1. View Antivirus threats. See View scan results on page 71.
  2. View web security results. See View violations on page 79.
  3. Use remote access. See Add new connections on page 83.
  4. View notifications. See View notifications on page 63.

Managed FortiClient

About managed mode

In managed mode, FortiClient software is installed to computers or devices on your network that have Internet access and are running a supported operating system. The computers or devices are referred to as endpoints or FortiClient endpoints. After FortiClient software is installed on endpoint devices, FortiClient:

  • Automatically connects to FortiGuard Center (http://www.fortiguard.com) to protect the endpoint
  • Automatically attempts to connect FortiClient Telemetry to FortiGate or EMS

The endpoint user confirms the request to complete the FortiClient Telemetry connection to FortiGate/EMS.

You can optionally configure a FortiClient Telemetry connection that requires no confirmation by the endpoint user. See Custom FortiClient Installations on page 110.

After FortiClient Telemetry is connected to FortiGate/EMS, FortiClient downloads a profile from FortiGate/EMS, and the endpoint is managed.

FortiClient Telemetry connection options

FortiClient Telemetry can be connected to EMS or FortiGate. When EMS and FortiGate are integrated, FortiClient Telemetry connects to FortiGate as well as EMS.

FortiGate and EMS are used for the following different purposes. FortiGate is used to ensure that FortiClient endpoints adhere to the compliance rules defined for network access. EMS is used to provision, configure, and monitor FortiClient on endpoints.

FortiClient EMS

In this configuration, FortiClient Telemetry is connected to EMS and sends notifications to EMS, and EMS pushes a profile to FortiClient. The profile contains the configuration information for FortiClient.

After receiving the profile, all settings in the FortiClient console are locked because they are controlled by the profile.

FortiGate

In this configuration, FortiClient Telemetry is connected to FortiGate, and FortiClient downloads a profile from FortiGate.

The profile contains the compliance rules and optionally some configuration information for FortiClient. The compliance rules are used to configure endpoints for Network Access Compliance (NAC) and to specify what happens when endpoints fail to meet compliance rules. Endpoint users can use FortiClient console to view compliance status, compliance rules, and the steps required to remain compliant. See also Non-compliance action on page 29.

After receiving the profile, some settings in the FortiClient console are locked because they are controlled by the compliance rules and configuration information in the profile. However, endpoint users can change settings in FortiClient console that are not controlled by the profile.

FortiGate and EMS integration

In this configuration, FortiClient Telemetry connects to FortiGate for NAC and EMS for configuration information and real-time monitoring. This configuration is sometimes called integrated mode.

When FortiClient Telemetry is connected to FortiGate, a profile is pushed to FortiClient. The contents of the profile depend on the non-compliance action in the profile.

Non-compliance set to auto-update

When you use FortiGate to configure a FortiClient profile that contains compliance rules with a non-compliance setting of auto-update, you can also include some configuration information.

When FortiClient Telemetry connects to FortiGate, FortiClient downloads the profile that contains compliance rules and some configuration information from FortiGate.

After receiving the profile, some settings in the FortiClient console are locked because they are controlled by the compliance rules and configuration information in the profile. However, endpoint users can change settings in FortiClient console that are not controlled by the profile.

Non-compliance action set to block or warn

When you use FortiGate to configure a FortiClient profile that contains compliance rules with a non-compliance action of warn or block, you must either use EMS to provision FortiClient endpoints, or you must manually configure FortiClient endpoints. In this configuration, FortiGate provides only the compliance rules; it does not provision the FortiClient endpoints.

When FortiClient Telemetry connects to FortiGate, FortiClient downloads the compliance rules from FortiGate, and EMS pushes the configuration information to FortiClient.

You should ensure that the configuration pushed from EMS matches the compliance rules set on FortiGate to avoid conflicting settings.

After receiving the compliance rules and profile, all settings in the FortiClient console are locked because they are controlled by the compliance rules and configuration information in the profile.

FortiGate network topologies and FortiClient

This section describes the supported FortiGate network topologies for FortiClient in managed mode. The following topologies are supported:

  1. FortiClient is directly connected to FortiGate; either to a physical port, switch port or WiFi network.
  2. FortiClient is connected to FortiGate, but is behind a router or NAT device.
  3. FortiClient is connected to FortiGate across a VPN connection.

On-net / off-net

The on-net feature requires a FortiGate to be used as a DHCP server. This is usually configured on the same FortiGate to which FortiClient is connected. When the device on which FortiClient is running has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off-net.

On the FortiGate, the DHCP server can be used, or several network subnets can be provided for the on-net feature. FortiClient is on-net if:

  • FortiClient Telemetry is connected to FortiGate,
  • FortiClient belongs to one of the pre-configured on-net subnets, or
  • It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.


Endpoint Control

Integration with the new FortiClient EMS

FortiClient Enterprise Management Server (EMS) is a new product from Fortinet that businesses use to manage their computer endpoints. It runs on a Windows server and does not require a physical Fortinet device. Administrators can use it to gain insight into the status of their endpoints. EMS supports devices running Microsoft Windows, Mac OS X, Android, and iOS.

FortiClient Endpoint Control (EC) protocol has been updated to seamlessly integrate with FortiClient EMS. Various changes were added to support EMS features, including:

  • Deployment of FortiClient to new Microsoft Windows devices
  • Continuous monitoring of device statuses
  • AV engine and signature update status reports
  • AV scanning schedules and requests for AV scans
  • Notifications about protection statuses.

FortiGate Network Access Control when FortiClient is Deployed using EMS

The new EMS can be used to deploy FortiClient to a large number of Microsoft Windows endpoints. While creating a profile for FortiClient deployment, the EMS administrator can choose to configure the FortiClient to register to the same EMS, or to a FortiGate.

Changes in FortiClient 5.4.0 allow the EMS administrator to deploy FortiClient to endpoints, and configure it to register to a FortiGate, while simultaneously notifying the EMS of its registration status. The FortiClient EC registration to the FortiGate is required for Network Access Compliance (NAC). The administrator can configure the FortiGate to allow access to network resources only if the client is compliant with the appropriate interface EC profile.

EMS can only deploy FortiClient to endpoint devices that are running Microsoft Windows. This feature requires FortiOS 5.4.0 or newer.

Quarantine an Infected Endpoint from the FortiGate or EMS

A computer endpoint that is considered to be infected may be quarantined by the FortiGate or EMS administrator. FortiClient needs to be online, using FortiClient EC protocol, and registered to the FortiGate or EMS.

Once quarantined, all network traffic to or from the infected endpoint will be blocked locally. This allows time for remediation actions to be taken on the endpoint, such as scanning and cleaning the infected system, reverting to a known clean system restore point, or re-installing the operating system.

The administrator may un-quarantine the endpoint in the future from the same FortiGate or EMS.

Importing FortiGate CA Certificate after EC Registration

When the FortiGate is configured to use SSL deep inspection, users visiting encrypted websites will usually receive an invalid certificate warning: the certificate re-signed by the FortiGate is issued by a Certificate Authority (CA) that the endpoint does not trust, so the endpoint cannot verify it. Users can manually import the FortiGate CA certificate to stop the error from being displayed; however, every user would have to do the same.

When registering FortiClient to a FortiGate, the FortiClient will receive the FortiGate’s CA certificate and install it into the system store. If Firefox is installed on the endpoint, the FortiGate’s CA certificate will also be installed into the Firefox certificate store. This way the end user will no longer receive the invalid certificate error message when visiting encrypted websites.
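To show why importing the FortiGate CA removes the warning, the following is an added Go example (not Fortinet code) that builds a constructed "FortiGate CA", re-signs a certificate for www.example.com the way deep inspection does, and validates it with and without that CA as a trust anchor; all names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns the certificate for tmpl signed by signer, the parent's key (parent == tmpl for a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildInspectionChain models deep inspection: a constructed "FortiGate CA" re-signs the certificate for www.example.com (hypothetical names).
func BuildInspectionChain() (ca, leaf *x509.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "FortiGate CA (constructed)"},
	}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca = issue(caTmpl, caTmpl, caPub, caKey) // self-signed root, as a FortiGate's inspection CA is
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf's private key stays on the FortiGate; not needed here
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na, DNSNames: []string{"www.example.com"},
		Subject: pkix.Name{CommonName: "www.example.com"},
	}, ca, leafPub, caKey)
	return ca, leaf
}

// Trusted validates leaf for host with root as the only anchor; a nil root models an endpoint without the FortiGate CA.
func Trusted(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool() // empty pool, so the system store is never consulted
	if root != nil {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
```

Calling `Trusted(leaf, nil, "www.example.com")` fails with an unknown-authority error while `Trusted(leaf, ca, "www.example.com")` succeeds, which is exactly the difference that installing the FortiGate CA into the endpoint's store makes; a hostname mismatch still fails even with the CA trusted.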

Enhancement to On-net/Off-net Configuration

The on-net feature requires the use of a FortiGate as a DHCP server. This is usually configured on the same FortiGate to which FortiClient is registered. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP address, it is off-net.

There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided.

FortiClient will be on-net if:

  • It is registered using EC to the FortiGate,
  • It belongs to one of the pre-configured on-net subnets, or
  • It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.

FortiClient GUI

Antivirus Settings Page

With the introduction of botnet detection, and the integration with FortiSandbox with FortiClient (Windows), the AV settings page on the FortiClient GUI has been updated to allow configuration of the new features. The AV settings page is accessible from the FortiClient dashboard. Select the AV tab on the left pane. Then click the settings icon on Real-Time Protection in the right pane. The following may be selected on the AV settings page:

  • File scanning (previously Real-Time Protection or RTP)
  • Scan unknown, supported files using FortiSandbox (Windows only)
  • Malicious website detection
  • Botnet detection (block known communication channels)

FortiClient Banner Design

If FortiClient (full version or VPN only) is running in standalone mode and not registered to a FortiGate or EMS, a single banner at the bottom of the GUI is displayed. When registered to a FortiGate or EMS, the banner is hidden by default. Similarly, when created from a FortiClient Configurator (Windows) or Repackager (OS X), no banner is displayed by default.

Logging

Enhancement to FortiClient logs

FortiClient will create a log entry to show just the URL visited by the user through a web browser. This is in addition to the network level logs generated by FortiClient.