Tag Archives: fortinet forticlient

Custom FortiClient Installations

Custom FortiClient Installations

The FortiClient Configurator tool FortiClient is the recommended method of creating customized FortiClient installation files.

You can also customize which modules are displayed in the FortiClient dashboard in the FortiClient Profile. This will allow you to activate any of the modules at a later date without needing to re-install FortiClient. Any changes made to the FortiClient Profile are pushed to registered clients.

When creating VPN only installation files, you cannot enable other modules in the FortiClient Profile as only the VPN module is installed.

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference forFortiOS.

The FortiClient Configurator tool is included with the FortiClient Tools file in FortiClient 5.2. This file is only available on the Customer Service & Support portal and is located in the same file directory as the FortiClient images.

The Configurator tool requires activation with a license file. Ensure that you have completed the following steps prior to logging in to your FortiCare product web portal:

  • Purchased FortiClient Registration License l Activated the FortiClient license on a FortiGate

This video explains how to purchase and apply a FortiClient License: http://www.youtube.com/watch?feature=player_embedded&v=sIkWaUXK0Ok This chapter contains the following sections:

  • Download the license file l Create a custom installer l Custom installation packages l Advanced FortiClient profiles

Download the license file

To retrieve your license file:

  1. Go to https://support.fortinet.com and log in to your FortiCare account.
  2. Under Asset select Manage/View Products. Select the FortiGate device that has the FortiClient registration license activated. You will see the Get the Key File link in the Available Key(s)
  3. Click the link and download license file to your management computer. This file will be needed each time you use the FortiClient Configurator tool.

Create a custom installer

Fortinet offers a repacking tool for both Microsoft Windows and Mac OS X operating systems. The following section provides instructions on creating a custom installer file using the FortiClient Configurator tool.

When selecting to install custom features, only modules selected are installed. To enable other features you will need to uninstall FortiClient, and reinstall an MSI file with these features included in the installer.

FortiClient (Windows) Configurator tool

To create a custom installer using the FortiClient Configurator tool:

  1. Unzip the FortiClientTools file, select the FortiClientConfigurator file folder, and double-click the exe application file to launch the tool.

The tool opens at the Welcome page.

Licensed Licensed mode requires a FortiClient license file.
Trial In FortiClient 5.4, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment.
  1. Browse and select the FortiClient Configurator Activation Key file (.lic) on your management computer.
  2. After entering the FortiClient Configurator license, select Next. The Configuration File page is displayed.
Select Config File (optional) The configuration file (.conf, .sconf) settings will be included in the installer file.
Password If the configuration file is encrypted (.sconf), enter the password used to encrypt the file.

You can use an XML editor to make changes to the FortiClient configuration file. For more information on FortiClient XML configuration, see the FortiClient XML Reference in the Fortinet Document Library, http://docs.fortinet.com.

  1. Browse and select the FortiClient configuration file on your management computer. This is an optional step. If you do not want to import settings from a configuration file, select Skip to continue. The Settings page is displayed.

The following options are available for custom installations:

Features to Install  
Everything All Security and VPN components will be installed.
Client security only Only AntiVirus, Web Filtering, and Application Firewall will be installed.
VPN only Only VPN components (IPsec and SSL) will be installed.
Other Select one of the following from the drop-down list:

l AntiVirus & Web Filtering only l Web Filtering only l Application Firewall only l Application Firewall & Web Filtering only l Web Filtering, VPN and Application Firewall l Single Sign-On mobility agent only

Options  
Desktop Shortcut Select to create a FortiClient desktop icon.
Start Menu Select to add FortiClient to the start menu.
Enable Software Update Select to enable software updates. This option is disabled when Rebrand

FortiClient is selected. This option is also disabled when using Trial mode.

Configure Single Sign-On mobility agent Select to configure Singe Sign-On mobility agent for use with FortiAuthenticator.
Features to Install  
Rebrand

FortiClient

Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient on page 137.
  1. Select the features to install and options and select Next to continue.

If you selected to configure the single sign-on mobility agent, the Single Sign-On Mobility Agent Settings page is displayed.

  1. Configure the following settings:
Server IP/FQDN Enter the IP address or FQDN of the FortiAuthenticator server.
Port Number Enter the port number. The default port is 8001.
Pre-Shared Key Enter the FortiAuthenticator pre-shared key.
Confirm Pre-Shared Key Enter the FortiAuthenticator pre-shared key confirmation.
  1. Select Next to continue. If you selected to rebrand FortiClient, the Rebranding page is displayed.
  2. Rebrand FortiClient elements as required. The resources folder contains graphical elements. For more information, see Appendix C – Rebranding FortiClient on page 137.
  3. Select Next to continue. The Package Signing page is displayed.
  4. Configure the following settings:
Select Code Signing Certificate (optional) If you have a code signing certificate, you can use it to digitally sign the installer package this tool generates.
Password If the certificate file is password protected, enter the password.
  1. Browse and select the code signing certificate on your management computer. This is an optional step. If you do not want to digitally sign the installer package, select Skip to continue. The Execution page is displayed.

This page provides details of the installer file creation and the location of files for Active Directory deployment and manual distribution. The tool creates files for both 32-bit (x86) and 64-bit (x64) operating systems.

  1. When you select Finish, if Browse to output MSI file upon exit is selected, the folder containing the newly created MSI file will open.

Before deploying the custom MSI files, it is recommended that you test the packages to confirm that they install correctly. In FortiClient 5.2.0 and later, an .exe installation file is created for manual distribution.

Installation files are organized in folders within the FortiClientTools > FortiClient Configurator > FortiClient repackaged folder. Folder names identify the type of installation files that were created and the creation date.

FortiClient (Mac OS X) Configurator tool

To create a custom installer using the FortiClient Configurator tool:

  1. Unzip the FortiClientTools file, select the Configurator file folder, and double-click the

FortiClientConfigurator.dmg application file, and double-click the FCTConfigurator icon to launch the tool. The Configurator tool opens.

  1. Configure the following settings:
Licensed | Trial Licensed mode requires a FortiClient 5.2 license file. In FortiClient v5.2, the FortiClient Configurator tool can be used in trial mode. In trial mode, all online updates are disabled. The trial installer is intended to be deployed in a test environment.
Source Select the FortiClient Installer file on your management computer. You must use the full installer file, otherwise FortiClient Configurator will fail to create a custom installation file.

The FortiClient Installer version and FortiClient Configurator version must match, otherwise the Configurator will fail to create a custom installation file.

Destination Enter a name for the custom installation file and select a destination to save the file on your management computer.
Features to Install Select to install all FortiClient modules, VPN only, or SSO only. If SSO only is selected, you must configure the SSO settings in the attached configuration file.
Server IP/FQDN Enter the IP address or FQDN of the FortiAuthenticator server.

This option is available when selecting SSO only for features to install.

Port Number Enter the port number. The default port is 8001.

This option is available when selecting SSO only for features to install.

Pre-Shared Key Enter the FortiAuthenticator pre-shared key.

This option is available when selecting SSO only for features to install.

Confirm Pre-Shared Key Enter the FortiAuthenticator pre-shared key confirmation.

This option is available when selecting SSO only for features to install.

 

Custom installation packages

Config file Optionally, select a pre-configured FortiClient backup configuration file. If you selected Everything or VPN only for features to install, you must use a configuration file to configure the related settings.
Software Update Select to enable or disable software updates.
Rebrand Select to rebrand FortiClient. When selected, the option to enable software update is not available. For more information on rebranding FortiClient, see Appendix C – Rebranding FortiClient on page 137.
Rebranding resources Select the FortiClient resources file on your management computer.
  1. Select the Start button to create the custom FortiClient installation file.
  2. You can now deploy the repackaged FortiClient .dmg file to your Mac OS X systems.

Custom installation packages

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the CLI Reference forFortiOS.

Advanced FortiClient profiles

FortiClient (Windows)

After the configurator tool generates the custom installation packages, it can be used to deploy the FortiClient software either manually, or using Active Directory. Both options can be found in the …/FortiClient_packaged directory. Files are created for both x86 (32-bit) and x64 (64-bit) operating systems.

If Active Directory is being used to deploy FortiClient, you can use the custom installer with the MST file found in the …/ActiveDirectory folder.

For manual distribution, use the .exe file in the …/ManualDistribution folder.

Advanced FortiClient profiles

When creating custom FortiClient MSI files for deployment, you will need to configure advanced FortiClient profiles on the FortiGate/EMS to ensure that settings in the FortiClient profile do not overwrite your custom XML settings. You can configure the FortiClient profile to deliver the full XML configuration, VPN only, or specific FortiClient XML configurations. For more information on customizing the FortiClient XML configuration file, see the Appendix C – Rebranding FortiClient on page 137.

Fortinet recommends creating OS specific endpoint profiles when provisioning XML settings. When creating a new FortiClient profile, select the device group as either  Windows PC or Mac. If a FortiClient (Windows) XML configuration is pushed to a FortiClient (Mac OS X) system, FortiClient (Mac OS X) will ignore settings which are not supported.

Provision a full XML configuration file

You can deploy the full XML configuration file from the CLI or GUI.

To deploy the full XML configuration via the CLI:

  1. Log in to the FortiGate Command-line Interface.
  2. Enter the following CLI commands: config endpoint-control profile edit <profile_name>

config forticlient-winmac-settings set forticlient-advanced-cfg enable

set forticlient-advanced-cfg-buffer “Copy & Paste your FortiClient XML configuration here”

Advanced FortiClient profiles

Copy directly from your XML editor, preserving the XML file format. Copy all information from the <?xml version=”1.0″ encoding=”UTF-8″ ?> start of syntax to the </forticlient_configuration> end of syntax XML tags. Add double quotes at the start and end of the XML syntax statements.

To deploy the full XML configuration via the FortiGate GUI:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page is displayed.
  3. Configure the following settings:
Profile Name Enter a unique name to identify the FortiClient profile.
Comments Optionally, enter a comment.
Assign Profile To For more information on configuring device groups, user groups, and users, see the FortiOS Handbook.

These options are only available when creating a new FortiClient profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.

FortiClient does not support nested groups in FortiOS.

XML text window Copy and paste the FortiClient XML configuration file in the text window. The XML syntax must be preserved.
  1. Select Apply to save the FortiClient profile settings.

To deploy the full XML configuration via EMS:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Advanced option to the right of the profile name.
  3. Select Yes in the confirmation dialog box.
  4. Copy and paste the XML configuration file text into the text box.
  5. Select Save to save the FortiClient profile settings.

Partial configuration

The current buffer size is 32kB. This may not be large enough to accommodate your FortiClient XML configuration. As a workaround, you can use the FortiClient Configurator tool to create a custom MSI installation file using a .confFortiClient backup configuration that contains static custom configurations. You can then include a partial configuration in the advanced FortiClient profile. This will push the partial configuration when the client registers with the FortiGate. The partial configuration will be merged with the existing XML configuration on the client.

To provision specific FortiClient XML configuration while preserving custom XML configurations in your MSI file, cut & paste the specific XML configuration into the FortiClient Profile in the following format:

<?xml version=”1.0″ encoding=”UTF-8″ ?>

Advanced FortiClient profiles

<forticlient_configuration>

<partial_configuration>1</partial_configuration>

<system>

<ui>

<ads>0</ads>

<default_tab>VPN</default_tab>

<flashing_system_tray_icon>0</flashing_system_tray_icon>

<hide_system_tray_icon>0</hide_system_tray_icon>

<suppress_admin_prompt>0</suppress_admin_prompt>

<culture_code>os-default</culture_code>

</ui>

<update>

<use_custom_server>0</use_custom_server>

<port>80</port>

<timeout>60</timeout>

<failoverport>8000</failoverport>

<fail_over_to_fdn>1</fail_over_to_fdn>

<scheduled_update>

<enabled>0</enabled>

<type>interval</type>

<daily_at>03:00</daily_at>

<update_interval_in_hours>3</update_interval_in_hours>

</scheduled_update>

</update>

</system>

</forticlient_configuration>

Ensure that the <partial_configuration>1</partial_configuration> tag is set to 1 to indicate that this partial configuration will be deployed upon registration with the FortiGate. All other XML configuration will be preserved.

Advanced VPN provisioning

You need to enable VPN provisioning and advanced VPN from the FortiOS CLI to import the FortiClient XML VPN configuration syntax. You can import the XML VPN configuration in the CLI or the GUI.

Import XML VPN configuration into the FortiClient Profile via the CLI:

  1. Log in to your FortiGate command-line interface.
  2. Enter the following CLI commands: config endpoint-control profile edit <profile_name>

config forticlient-winmac-settings set forticlient-vpn-provisioning enable set forticlient-advanced-vpn enable set auto-vpn-when-off-net enable set auto-vpn-name <VPN name to connect to automatically when off-net> set forticlient-advanced-vpn-buffer <Copy & paste the advanced VPN configuration>

end

end

After the forticlient-vpn-provisioning and forticlient-advancedvpn CLI commands are enabled, the forticlient-advanced-vpn-buffer CLI command is available from the CLI.

Advanced FortiClient profiles

Copy directly from your XML editor, preserving the XML file format. Copy all information from the <vpn> start of syntax to the </vpn> end of syntax XML tags. Add double quotes before the <vpn> tag and after the </vpn> tag.

  1. You can also choose to copy & paste the XML content in the GUI, go to Security Profiles > FortiClient Profiles and select the VPN
  2. Configure the following settings:
Profile Name Enter a unique name to identify the FortiClient profile.
Comments Optionally, enter a comment.
Assign Profile To For more information on configuring device groups, user groups, and users, see the FortiOS Handbook.

These options are only available when creating a new endpoint profile. You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.

FortiClient does not support nested groups in FortiOS.

VPN Enable Client VPN Provisioning.

Cut and paste the FortiClient XML configuration <vpn> to </vpn> tags in the text window. The XML syntax must be preserved.

Enable Auto-connect when Off-Net and select a VPN name from the dropdown list.

  1. Select Apply to save the FortiClient profile settings.

For more information, see Appendix A – Deployment Scenarios on page 127.

 

Vulnerability Scan

Vulnerability Scan

FortiClient includes an Vulnerability Scan module to check your workstation for known system vulnerabilities. You can scan on-demand or on a scheduled basis. This feature is disabled by default and the tab is hidden for standalone clients. For users who are registered to a FortiGate using endpoint control, the FortiGate administrator may choose to enable this feature. Vulnerability Scan is enabled via the FortiGate Command Line Interface (CLI) only. Once enabled, the Endpoint Vulnerability Scan on Client setting is available in the FortiClient Profile.

Enable vulnerability scan

This section describes how to enable Vulnerability Scan in the FortiClient Profile via the FortiGate CLI and configuration options.

  1. Enable Vulnerability Scan in the FortiClient Profile:
  2. Log in to your FortiGate CLI.
  3. Enter the following CLI commands: config endpoint-control profile edit <profile-name> config forticlient-winmac-settings set forticlient-vuln-scan enable set forticlient-vuln-scan-schedule {daily | weekly | monthly} set forticlient-vuln-scan-on-registration {enable | disable} set forticlient-ui-options {av | wf | af | vpn | vs}

end end

<profile-name>          Enter the name of the FortiClient Profile.
forticlient-vuln-scan Enable or disable the Vulnerability Scan module. {enable | disable}
forticlient-vuln-  Configure a daily, weekly, or monthly vulnerability scan on the client scan-schedule    workstation.

{daily | weekly |

monthly}

forticlient-vuln-      Enable or disable vulnerability scan on client registration to FortiGate.

scan-on-registration {enable | disable}

 

Scan now                                                                                                                               Vulnerability Scan

forticlient-uioptions {av | wf | af | vpn | vs} Set the FortiClient components that will be available to the client upon registration with FortiGate. l av: Antivirus l wf: Web Filter l af: Application Firewall l vpn: Remote Access l vs: Vulnerability Scan
  1. The FortiGate will send the FortiClient Profile configuration update to registered clients. The Vulnerability Scan tab is now accessible in FortiClient.

Scan now

To perform a vulnerability scan, select the Scan Now button in the FortiClient console. FortiClient will scan your workstation for known vulnerabilities. The console displays the date of the last scan above the button.

You can select to use a FortiManager device for client software and signature updates. When configuring the FortiClient Profile, select Use FortiManagerforclient software/signature update to enable the feature and enter the IP address of your FortiManager device.

View vulnerabilities

When the scan is complete, FortiClient will display the number of vulnerabilities found in the FortiClient console.

Select the Vulnerabilities Detected link to view a list of vulnerabilities detected on your system. Conversely, select Detected: X on the Vulnerability Scan tab to view the vulnerabilities.

Vulnerability Scan                                                                                                               View vulnerabilities

This page displays the following:

Vulnerability Name The name of the vulnerability
Severity The severity level assigned to the vulnerability: Critical, High, Medium, Low, or Info.
Details FortiClient vulnerability scan lists a Bugtraq (BID) number under the details column. You can select the BID to view details of the vulnerability on the FortiGuard site, or search the web using this BID number.
Close Close the window and return to the FortiClient console.

Select the Details ID number from the list to view information on the selected vulnerability on the FortiGuard site.

The site details the release date, severity, impact, description, affected products, and recommended actions.

IPsec VPN and SSL VPN

IPsec VPN and SSL VPN

FortiClient supports both IPsec and SSL VPN connections to your network for remote access. You can provision client VPN connections in the FortiClient Profile or configure new connections in the FortiClient console.

This section describes how to configure remote access.

Add a new connection

Select Configure VPN in the FortiClient console to add a new VPN configuration.

Create a new SSL VPN connection

To create a new SSL VPN connection, select Configure VPNor use the drop-down menu in the FortiClient console.

Select SSL-VPN, then configure the following settings:

Connection Name Enter a name for the connection.
Description Enter a description for the connection. (optional)
Remote Gateway Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Customize port Select to change the port. The default port is 443.

Add a new connection

Authentication Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled.
Username If you selected to save login, enter the username in the dialog box.
Client Certificate Select to enable client certificates, then select the certificate from the dropdown list.
Do not Warn Invalid Server

Certificate

Select if you do not want to warned if the server presents an invalid certificate.
Add Select the add icon to add a new connection.
Delete Select a connection and then select the delete icon to delete a connection.
Connection Name Enter a name for the connection.
Description Enter a description for the connection. (optional)

Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.

Create a new IPsec VPN connection

To create a new IPsec VPN connection, select Configure VPN or use the drop-down menu in the FortiClient console.

Select IPsec VPN, then configure the following settings:

Add a new connection

Remote Gateway Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Authentication Method Select either X.509 Certificate or Pre-shared Key in the dropdown menu.
Authentication (XAuth) Select to prompt on login, save login, or disable.
Username If you selected save login, enter the username in the dialog box.
Advanced Settings Configure VPN settings, Phase 1, and Phase 2 settings.
VPN Settings  
Mode Select one of the following:

Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted. Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID).

Options Select one of the following:

Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.

Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.

DHCP overIPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling.

Add a new connection

Phase 1   Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

  IKE Proposal Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
  DH Group Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.
  Key Life Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
  Local ID Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options.
  Dead Peer Detection Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
  NAT Traversal Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Phase 2   Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.
  IKE Proposal Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.

 

Key Life The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.
Enable Replay Detection Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
Enable Perfect

Forward Secrecy

(PFS)

Select the check box to enable Perfect forward secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
DH Group Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses.
Add Select the add icon to add a new connection.
Delete Select a connection and then select the delete icon to delete a connection.

Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.

Provision client VPN connections

You can provision client VPN connections in the FortiClient Profile for registered clients.

FortiGate VPN provisioning

Provision a client VPN in the FortiClient Profile:

  1. Log in to your FortiGate device.
  2. In the left tree menu, select Security Profiles > FortiClient Profiles.
  3. Select the FortiClient profile and select Edit from the toolbar.
  4. Select the VPN

Provision client VPN connections

  1. Turn on VPN and Client VPN Provisioning.
  2. Configure the following:
IPsec VPN Configure remote gateway and authentication settings for IPsec VPN.
SSL-VPN Configure remote gateway and access settings for SSL VPN.
Auto-connect when Off-Net Turn on the automatically connect when Off-Net, then configure the following: l VPN Name: Select a VPN from the list.

Prevent VPN Disconnect: Turn on to not allow users to disconnect when the VPN is connected.

Captive Portal Support: Turn on the enable support for captive portals.

VPN before Windows logon Enable VPN connection before Windows log on.
  1. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

When registered to a FortiGate, VPN settings are enabled and configured in the FortiClient Profile.

Alternatively, you can provision a client VPN using the advanced VPN FortiClient Profile options in FortiGate. For more information, see the FortiClient XML Reference and the CLI Reference forFortiOS.

EMS VPN provisioning

Provision a client VPN in the FortiClient Profile:

  1. Log in to EMS.
  2. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  3. Select the VPN
  4. Select the on/off button to enable VPN.

Provision client VPN connections

  1. Configure the following settings:
Allow Personal VPN Select to enable personal VPN connections
Disable

Connect/Disconnect

Select to disable not allowing users to disconnect when the VPN is connected.
Show VPN Before Logon  Enable VPN connection before Windows log on, and select from the following options:

l Use Legacy VPN Before Logon l Use Windows Credentials

Local Computer Windows

Store Certificates (IPSec only)

Select to enable local Windows store certificates (IPsec only).
Current User Windows Store Certificates (IPSec only) Select to enable current user Windows store certificates (IPsec only).
Auto-connect only when

Off-Net

Turn on the automatically connect only when Off-Net.
Add VPN Tunnel Select to add a VPN tunnel, then enter the following information: l VPN Name: Enter the VPN name.

l  Type: Select the type of VPN tunnel, either SSL VPN or IPsec VPN.

l  Remote Gateway: Enter the remote gateway IP address or hostname.

l  Require Certificate: Turn on to require a certificate (SSL VPN only). l Access Port: Enter the access port number (SSL VPN only).

l  Authentication Method: Select the authentication method, wither Pre-shared Key or Certificate (IPsec VPN only).

l  Pre-Shared Key: Enter the pre-shared key (IPsec VPN with preshared key only).

l  Advanced Configuration:

  1. Select Save to save your changes.

Connect to a VPN

To connect to a VPN, select the VPN connection from the drop-down menu. Enter your username, password, and select the Connect button.

Optionally, you can click on the system tray, right-click the FortiClient icon and select the VPN connection you want to connect to.

You can also select to edit an existing VPN connection and delete an existing VPN connection using the dropdown menu.

When connected, the console will display the connection status, duration, and other relevant information. You can now browse your remote network. Select the Disconnect button when you are ready to terminate the VPN session.

Save Password, Auto Connect, and Always Up

Save Password, Auto Connect, and Always Up

When configuring a FortiClient IPsec or SSL VPN connection on your FortiGate/EMS, you can select to enable the following features:

  • Save Password: Allows the user to save the VPN connection password in the console. l Auto Connect: When FortiClient is launched, the VPN connection will automatically connect.
  • Always Up (Keep Alive): When selected, the VPN connection is always up even when no data is being processed. If the connection fails, keep alive packets sent to the FortiGate will sense when the VPN connection is available and re-connect.

When enabled in the FortiGate configuration, once the FortiClient is connected to the FortiGate, the client will receive these configuration options.

For FortiClient VPN configurations, once these features are enabled they may only be edited from the command line. Use the following FortiOS CLI commands to disable these features:

config vpn ipsec phase1-interface edit [vpn name] set save-password disable set client-auto-negotiate disable set client-keep-alive disable

end

end

FortiToken and FortiClient VPN

You can use FortiToken with FortiClient for two-factor authentication. See the FortiOS Handbook for information on configuring FortiToken, user groups, VPN, and two-factor authentication on your FortiGate device for

 

Advanced features (Microsoft Windows)

FortiClient VPN connections.

Advanced features (Microsoft Windows)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.

Activating VPN before Windows Log on

When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, it is required to also check the check box Users must entera username and password to use this computer in the UserAccounts dialog box.

To make this change, proceed as follows:

In FortiClient:

  1. Create the VPN tunnels of interest or use Endpoint Control to register to a FortiGate/EMS which provides the VPN list of interest
  2. Enable VPN before log on on the FortiClient Settings page, see VPN options on page 108.

On the Microsoft Windows system,

  1. Start an elevated command line prompt.
  2. Enter control passwords2 and press Enter. Alternatively, you can enter netplwiz.
  3. Check the check box for Users must entera username and password to use this computer.
  4. Click OK to save the setting.

Connect VPN before log on (AD environments)

The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on to AD/Domain.

Advanced features (Microsoft Windows)

<forticlient_configuration>

<vpn>

<options>

<show_vpn_before_logon>1</show_vpn_before_logon>

<use_windows_credentials>1</use_windows_credentials> </options>

</vpn>

</forticlient_configuration>

Create a redundant IPsec VPN

To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>

<vpn>

<ipsecvpn>

<options> …

</options>

<connections>

<connection>

<name>psk_90_1</name>

<type>manual</type>

<ike_settings>

<prompt_certificate>0</prompt_certificate>

<server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server> <redundantsortmethod>1</redundantsortmethod> …

</ike_settings>

</connection>

</connections>

</ipsecvpn>

</vpn>

</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod =0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.

Priority based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>

<vpn>

<sslvpn>

<options>

Advanced features (Mac OS X)

<enabled>1</enabled> …

</options>

<connections>

<connection>

<name>ssl_90_1</name>

<server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server> …

</connection>

</connections>

</sslvpn>

</vpn>

</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate/EMS must use the same TCP port.

Advanced features (Mac OS X)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.

Create a redundant IPsec VPN

To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>

<vpn>

<ipsecvpn>

<options> …

</options>

<connections>

<connection>

<name>psk_90_1</name>

<type>manual</type>

<ike_settings>

<prompt_certificate>0</prompt_certificate>

<server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server> <redundantsortmethod>1</redundantsortmethod> …

</ike_settings>

</connection>

</connections>

</ipsecvpn>

</vpn>

</forticlient_configuration>

VPN tunnel & script

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod =0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.

Priority based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>

<vpn>

<sslvpn>

<options>

<enabled>1</enabled> …

</options>

<connections>

<connection>

<name>ssl_90_1</name>

<server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server> …

</connection>

</connections>

</sslvpn>

</vpn>

</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate/EMS must use the same TCP port.

VPN tunnel & script

This feature supports auto running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of a VPN tunnel configuration on FortiGate/EMS’s XML format FortiClient Profile. The profile will be pushed down to FortiClient from FortiGate/EMS. When FortiClient’s VPN tunnel is connected or disconnected, the respective script defined under that tunnel will be executed.

 

tunnel & script

Windows

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>

<script>

<os>windows</os>

<script>

<script>

<![CDATA[ net use x: \\192.168.10.3\ftpshare /user:Ted Mosby md c:\test copy x:\PDF\*.* c:\test ]]>

</script>

</script>

</script>

</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>

<script>

<os>windows</os>

<script>

<script>

<![CDATA[ net use x: /DELETE ]]>

</script>

</script>

</script>

</on_disconnect>

OS X

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>

<script>

<os>mac</os>

<script>

/bin/mkdir /Volumes/installers

/sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt

/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers

/Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt

/bin/mkdir /Users/admin/Desktop/dropbox/dir

/bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.

</script>

</script>

</on_connect>

VPN tunnel & script

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>

<script>

<os>mac</os>

<script>

/sbin/umount /Volumes/installers

/bin/rm -fr /Users/admin/Desktop/dropbox/*

</script>

</script>

</on_disconnect>

Web Security / Web Filter – FortiClient 5.4

Web Security/Web Filter

Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create a custom URL filter exclusion list which overrides the FDN category.

When FortiClient is not registered to FortiGate, you can enable or disable the Web Security feature. You can define what sites are allowed, blocked, or monitored and view violations.

Enable/Disable Web Security

To enable or disable FortiClient Web Security, toggle the Enable/Disable link in the FortiClient console. Web Security is enabled by default.

Enable/Disable Select to enable or disable Web Security.
X Violations (In the Last 7 Days) Select to view Web Security log entries of the violations that have occurred in the last 7 days.
Settings Select to configure the Web Security profile, exclusion list, and settings, and to view violations.

Web Security profile

You can configure a Web Security profile to allow, block, warn, or monitor web traffic based on website categories and sub-categories. Select the settings icon, then select the site category. Select the action icon, then select the action in the drop-down menu for each category or sub-category.

Web Security exclusion list

Allow Set the category or sub-category to Allow to allow access.
Block Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.
Warn Set the category or sub-category to Warn to block access. The user will receive a Web Page Blocked message in the web browser. The user can select to proceed or go back to the previous web page.
Monitor Set the category or sub-category to Monitor to allow access. The site will be logged.

You can select to enable or disable Site Categories in the Web Security settings page. When site categories are disabled, FortiClient is protected by the exclusion list.

Web Security exclusion list

To manage the exclusion list, select the settings icon then select Exclusion List from the menu. You can add websites to the exclusion list and set the permission to allow, block, monitor, or exempt. Use the add icon to add URLs to the exclusion list. If the website is part of a blocked category, an allow permission in the Exclusion List would allow the user to access the specific URL.

Web Security settings

Configure the following settings:

Exclusion List Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL and select the edit icon to edit the selection.
URL Enter a URL or IP address.
Type Select one of the following pattern types from the drop-down list:

l Simple l Wildcard l RegularExpression

Actions Select one of the following actions from the drop-down list:

Block: Block access to the web site regardless of the URL category or sub-category action.

Allow: Allow access to the web site regardless of the URL category or sub-category action.

Monitor: Allow access to the web site regardless of the URL category or sub-category action. A log message will be generated each time a matching traffic session is established.

Web Security settings

To configure web security settings, select the settings icon then select Settings from the menu.

View violations

Configure the following settings:

Enable Site Categories Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list.
Log all URLs Select to log all URLs.
Identify user initiated web browsing Select to identify web browser that is user initiated.

View violations

To view Web Security violations, either select the settings icon then select Violations from the menu, or select X Violations (In the Last 7 Days).

 

Website The website name or IP address.
Category The website sub-category.
Time The date and time that the website was accessed.
User The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message.

Web Filter

When FortiClient is registered to a FortiGate/EMS, the Web Security tab will become the Web Filter tab.

The FortiClient Endpoint Control feature enables the site administrator to distribute a Web Filter profile from a FortiGate or add web filtering to an endpoint profile on EMS.

On a FortiGate device, the overall process is as follows:

l Create a Web Filter profile on the FortiGate, l Add the Web Filter profile to the FortiClient Profile on the FortiGate.

On EMS, web filtering is part of the endpoint profile.

Filter

FortiGate

Step 1: Create a Web Filter Profile on the FortiGate

Use the following steps to create a custom Web Filter profile on the FortiGate:

  1. Go to Security Profiles > Web Filter.
  2. To create a new profile, click the create new icon in the toolbar. The New Web FilterProfile page opens.
  3. Configure the following settings:

 

Name Enter a name for the Web Filter profile.
Comments Enter a description in the comments field. (optional)
Inspection Mode This setting is not applicable to FortiClient.
FortiGuard Categories Select category and sub-category actions.

l  In FortiClient5.4.0, the Security Risk category is part of the AntiVirus module. The Local Categories category is not applicable to FortiClient. The Authenticate and Disable actions are not applicable to FortiClient.

l  When FortiGuard Categories is disabled, FortiClient will be protected by the Exclusion List configured in the URL in the

FortiClient profile.

Categories Usage Quota This setting is not applicable to FortiClient.
Allow users to override blocked categories This setting is not applicable to FortiClient.
Search Engines  
Enforce ‘Safe Search’ Select to enable search engine Safe Search on Google, Yahoo!, Bing, and Yandex.
YouTube

Education Filter

Select to enable the YouTube educational filter and enter your filter code. The filter blocks non-educational content as per your YouTube filter code.
Log all search keywords This setting is not applicable to FortiClient.
Static URL Filter  
Block invalid

URLs

This setting is not applicable to FortiClient.
URL Filter Select to enable URL filter. Select Create New to add a URL to the list. For Type, select one of Simple, Reg. Expression, or Wildcard. For Action, select one of Exempt, Block, Allow, or Monitor. For Status, select either Enable or Disable.

FortiClient does not support the Exempt action. Any URLs in the URL filter with an exempt action will be added to the FortiClient Exclusion List with an allow action.

Block malicious URLs discovered by FortiSandbox Select to block URLs that have been marked as malicious by FortiSandbox. A FortiSandbox device or cloud must be configured.

Filter

Web Content

Filter

This setting is not applicable to FortiClient.
Rating Options These settings are not applicable to FortiClient.
Proxy Options These settings are not applicable to FortiClient.
  1. Select OK to save the profile.

Step 2: Add the Web Filter profile to the FortiClient Profile

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select the FortiClient Profile then select Edit. The Edit FortiClient Profile page is displayed.
  3. Enable Web Filter, then select the Web Filter profile from the drop-down list.
  4. Optionally, select to enable Client Side when On-Net.
  5. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

The Web Filtering module is now available in FortiClient.

EMS

To add web filtering to an endpoint profile:

  1. Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
  2. Select the Web Filter
  3. Select the on/off button to add web filtering to the profile.
  4. Adjust the web filter settings as required, then select Save to save your changes.

 

Antivirus

Antivirus

This chapter includes the following sections:

l FortiClient Antivirus l Antivirus logging l Antivirus options l Endpoint control

FortiClient Antivirus

FortiClient includes an antivirus module to scan system files, executable files, removable media, dynamic-link library (DLL) files, and drivers. FortiClient will also scan for and remove rootkits. In FortiClient, File Based Malware, Malicious Websites, Phishing, and Spam URL protection is part of the antivirus module. Scanning can also be extended using FortiSandbox.

This section describes how to enable and configure antivirus options.

Enable or disable antivirus

To enable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Disabled. The real-time protection settings page will open.
  2. Select Scan files as they are downloaded orcopied to my system.
  3. Select OK.

If you have another antivirus program installed on your system, FortiClient will show a warning that your system may lock up due to conflicts between different antivirus products.

To disable real-time protection:

  1. On the AntiVirus tab, select the settings icon next to Realtime Protection Enable. The real-time protection settings page will open.
  2. Deselect Scan files as they are downloaded orcopied to my system.
  3. Select OK.

Conflicting antivirus warning

FortiSandbox

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

This option cannot be configured on a registered endpoint, and must instead be configured on the FortiGate/EMS.

To extend scanning using FortiSandbox:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Extend scanning using FortiSandbox.
  3. Enter the FortiSandbox IP address, then select Test to ensure that the connection is correct.
  4. Optionally, select Identify malware & exploits using signatures received from FortiSandbox.
  5. Select OK to apply your changes.

Blocking access and communication channels

To block access to malicious websites and known communication channels used by attackers:

  1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
  2. Select Block all access to malicious websites and Block known communication channels used by attackers.
  3. Select OK to apply your changes.

Notifications

Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the notifications icon will change from gray to yellow.

Event notifications include:

  • Antivirus events including scheduled scans and detected malware. l Endpoint Control events including configuration updates received from FortiGate.
  • WebFilter events including blocked web site access attempts. l System events including signature and engine updates and software upgrades.

Select the Threat Detected link to view quarantined files, site violations, and real-time protection events.

Scan now

To perform on-demand antivirus scanning, select the Scan Now button in the FortiClient console. Use the dropmenu to select Custom Scan, Full Scan, Quick Scan, or Removable media Scan. The console displays the date of the last scan to the left of the button.

  • Custom Scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.
  • Full Scan runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan including all files, executable files, DLLs, and drivers for threats.
  • Quick System Scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, and drivers that are currently running for threats.
  • Removable media Scan runs the rootkit detection engine to detect and remove rootkits. It scans all connected removable media, such as USB drives.

Scan a file or folder on your workstation

To perform a virus scan a specific file or folder on your workstation, right-click the file or folder and select Scan with FortiClient AntiVirus from the menu.

Submit a file for analysis

You can select to send up to 5 files a day to FortiGuard for analysis. To submit a file, right-click a file or executable and select Submit foranalysis from the menu. A dialog box will be displayed which allows you to see the number of files you have submitted. Confirm the location of the file you want to submit then select the Submit button.

View FortiClient engine and signature versions

To view the current FortiClient version, engine, and signature information, select Help in the toolbar, and select About in the menu. Hover the mouse over the status field to see the date and time that FortiClient last updated the selected item.

When FortiClient is registered to FortiGate for endpoint control, you can select to use a FortiManager device for client software and signature updates. When configuring the FortiClient profile, select Use FortiManagerforclient software/signature updates to enable the feature and enter the IP address of your FortiManager device. You can select to failover to FDN when FortiManager is not available.

Schedule antivirus scanning

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Scheduled Scan tab to schedule antivirus scanning.

Scans cannot be scheduled on registered endpoint.

Configure the following settings:

Schedule Type Select Daily, Weekly, or Monthly from the drop-down list.
Scan On For Weekly scheduled scan, select the day of the week in the drop-down list.

For Monthly scheduled scan, select the day of the month in the drop-down list.

Start Select the time of day that the scan starts. The time format uses a 24-hour clock.
Scan Type Select the scan type:

Quick system scan runs the rootkit detection engine to detect and remove rootkits. It only scans executable files, DLLs, drivers that are currently running for threats.

Full system scan runs the rootkit detection engine to detect and remove rootkits. It then performs a full system scan including all files, executable files, DLLs, and drivers for threats.

Custom scan runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.

You cannot schedule a removable media scan. A full scan will scan removable media.

Disable Scheduled Scan Select to disable scheduled scan.

Select OK to save the setting and return to the main FortiClient console page.

If you configure monthly scans to occur on the 31st of each month, the scan will occur on the first day of the month for those months with less than 31 days.

Add files/folders to an exclusion list

Select the settings icon beside Realtime Protection in the FortiClient console to open the antivirus settings page, then select the Exclusion List tab.

To add files/folders to the antivirus exclusion list, select the add icon and then select Add file or Add folder from the drop-down list. Any files or folders in this exclusion list will not be scanned. Select the minus icon to remove files or folders from the list.

Select OK to save the setting and return to the FortiClient console page.

View quarantined threats

To view quarantined threats, select the X Threats Detected link in the FortiClient console, then select the Quarantined Files tab. In this page you can view, restore, or delete the quarantined file. You can also view the original file location, the virus name, submit the suspicious file to FortiGuard, and view logs.

This page displays the following:

File Name The name of the file.
Date Quarantined The date and time that the file was quarantined by FortiClient.
Refresh Select to refresh the quarantined files list.
Details Select a file from the list to view detailed information including the file name, original location, date and time that the virus was quarantined, the submitted status, status, virus name, and quarantined file name.
Logs Select to view FortiClient log data.
Refresh Select to refresh the list.
Submit Select to submit the quarantined file to FortiGuard. Press and hold the control key to submit multiple entries.
Restore Select to restore the quarantined file. A confirmation dialog box will be displayed. You can select Yes to add this file/folder to the exclusion list, No to restore the file, or

Cancel to exit the operation. Press and hold the control key to restore multiple entries.

Delete Select to delete the quarantined file. A confirmation dialog box will be displayed, select Yes to continue. Press and hold the control key to delete multiple entries.
Close Select to close the page and return to the FortiClient console.

View site violations

To view site violations, select the X Threats Detected link in the FortiClient console, then select the Site Violations tab. On this page you can view site violations and submit sites to be re-categorized.

This page displays the following:

Website Displays the name of the website.
Time Displays the date and time of the site violation.
Refresh Select to refresh the site violation list.
Details Select an entry in the list to view site violation details including the website name, category, date and time, user name, and status.

Select the category link to request to have the site category re-evaluated.

View alerts dialog box

When FortiClient antivirus detects a virus while attempting to download a file via a web-browser, you will receive a warning dialog message.

Select View recently detected virus(es) to collapse the virus list. Select a file in the list and right-click to access the context menu.

Delete Select to delete a quarantined or restored file.
Quarantine Select to quarantine a restored file.
Restore Select to restore a quarantined file.
Submit Suspicious File Select to submit a file to FortiGuard as a suspicious file.
Submit as False Positive Select to submit a quarantined file to FortiGuard as a false positive.
Add to Exclusion List Select to add a restored file to the exclusion list. Any files in the exclusion list will not be scanned.
Open File Location Select to open the file location on your workstation.

When Alert when viruses are detected under AntiVirus Options on the Settings page is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.

Realtime Protection events

When an antivirus real-time protection event has occurred you can select to view these events in the FortiClient console. From the AntiVirus tab, select X Threats Detected, then select Real-time Protection events (x) in the left pane. The realtime_scan.log will open in the default viewer.

Example log output:

Realtime scan result: time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com

 

logging

time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar.com.txt

time: 09/29/15 10:46:07, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicarcom2.zip

time: 09/29/15 10:46:08, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\desktop\eicar_com.zip

time: 09/29/15 10:46:39, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\3g_bl8y9.com.part

time: 03/18/15 10:48:13, virus found: EICAR_TEST_FILE, action: Quarantined, c:\users\user\appdata\local\temp\xntwh8q1.zip.part

Antivirus logging

To configure logging, select File > Settings from the toolbar then expand the Logging section.

Configure the following settings:

Enable logging for these features Select antivirus to enable logging for this feature.
Log Level Select the level of logging:

Emergency: The system becomes unstable. l Alert: Immediate action is required. l Critical: Functionality is affected. l Error: An error condition exists and functionality could be affected. l Warning: Functionality could be affected. l Notice: Information about normal events.

Information: General information about system operations. l Debug: Debug FortiClient.

Log file  
Export logs Select to export logs to your local hard disk drive (HDD) in .log format.
Clear logs Select to clear all logs. You will be presented a confirmation window, select Yes to proceed.

Antivirus options

For information on configuring antivirus options, see Antivirus options on page 109.

Endpoint control

Endpoint control

When FortiClient is registered to FortiGate/EMS for endpoint control, FortiClient receives configuration and settings via the FortiClient Profile configured on the device.

To enable antivirus protection on FortiGate:

  1. Log in to your FortiGate.
  2. In the left tree menu, select Security Profiles > FortiClient Profiles.
  3. In the right pane, in the Edit FortiClient Profile page, in the Security tab, enable AntiVirus.
  4. Select Apply to save the profile.

The FortiGate will send the FortiClient Profile configuration update to registered clients.

To enable antivirus protection on EMS:

  1. Log in to the EMS.
  2. Go to Endpoint Profiles and select a profile to edit.
  3. In the right pane, select AntiVirus Protection to enable antivirus protection and configure as needed.
  4. Select Save to save the profile.

The EMS will send the FortiClient Profile configuration update to registered clients.

Antivirus profile settings

FortiGate and EMS share similar settings for antivirus profiles. EMS also includes advanced options.

Endpoint control

After enabling antivirus protection on FortiGate/EMS, the following settings can be configured:

Scan Downloads Scan files as they are downloaded or copied to my system.
Scan with FortiSandbox Extended scanning using FortiSandbox.

FortiClient will send supported files downloaded over the internet to

FortiSandbox if they cannot be detected by the local, real-time scanning

FortiSandbox IP address The IP address of the FortiSandbox device.
Wait for

FortiSandbox results

Wait for FortiSandbox results before allowing file access.
Use FortiSandbox signatures Identify malware & exploits using signatures or URLs received from FortiSandbox.

Endpoint control

Block malicious websites Block all access to malicious websites.

EMS also has the option of using the exclusion list defined in the web filter profile.

Block attack channels Block known communcation channels used by attackers.
Alert when viruses are detected This option is EMS only.
Schedule Scan Schedule automatic scans daily, weekly, or monthly at a specific time of day. Quick, Full, and Custom scans can be run automatically.
Excluded Paths Files or folders that are not scanned.

Advanced options available on EMS only include:

Scan Downloads Files that are scanned as they are downloaded or copied to the system can be treated in one of the following ways:

l Clean infected files (quarantine if cannot clean) l Repair infected files (quarantine if cannot clean) l Warn the user if a process attempts to access infected files l Quarantine infected files l Deny access to infected files

Scan with FortiSandbox If waiting for FortiSandbox results is enabled, access to downloaded files can be denied if FortiSandbox is offline.
Scan compresses files Scan compressed files that are up to a specified size (default: 10Mb).
Scan email Scan email messages and attachments.
User process scanning l Scan files when processes read or write them l Scan files when processes read them l Scan files when processes write them
Scan network files Scan network files.
System process scanning l Scan files when system processes read or write them l Scan files when system processes read them l Scan files when system processes write them l Do not scan files when system processes read or write them

Endpoint control

On demand scanning Configure on-demand file scan options.

l Clean infected files (quarantine if cannot clean) l Repair infected files (quarantine if cannot clean) l Warn the user if a process attempts to access infected files l Quarantine infected files

Integrate FortiClient into Windows Explorer’s mouse menu Add the options to Scan with FortiClient AntiVirus and Submit foranalysis to the Windows Explorer right-click menu.
Pause scanning when running on battery power Pause a scanning process when the computer is running on battery power.
Automatically submit suspicious files to FortiGuard for analysis Submit all files to FortiGuard for analysis.
Scan compresses

files

Scan compressed files that are up to a specified size (default: 10Mb, 0 means unlimited)
Maximize scan speed Select the amount of memory a computer must have before FortiClient maximizes its scan speed. One of: 4MB, 6MB, 8MB, 12MB, 16MB.
More Options Enable or disable various other options, including:

l Scan for rootkits l Scan for adware l Scan for riskware l Enable advanced heuristics l Scan removable media on insertion l Scan mime files (inbox files) l Enable FortiGuard Analytics l Notify logged in users if their AntiVirus signatures expire

 

What’s New in FortiClient 5.4

What’s New in FortiClient 5.4

The following is a list of new features and enhancements in FortiClient 5.4.

This document was written for FortiClient (Windows) 5.4.0. Not all features described in this document are supported for FortiClient (Mac OS X) 5.4.0.

New features in FortiClient 5.4.0

The following is a list of new features in FortiClient version 5.4.0.

Antivirus

Advanced Persistent Threats

FortiClient 5.4.0 has enhanced capabilities for the detection of Advanced Persistent Threats (APT). There are two changes added in this respect:

l Botnet Command and Control Communications Detection l FortiSandbox integration (Windows only)

Botnet Communication Detection

Botnets running on compromised systems usually generate outbound network traffic directed towards Command and Control (C&C) servers of their respective owners. The servers may provide updates for the botnet, or commands on actions to execute locally, or on other accessible, remote systems. When the new botnet feature is enabled, FortiClient monitors and compare network traffic with a list of known Command and Control servers. Any such network traffic will be blocked.

FortiSandbox Integration

FortiSandbox offers the capabilities to analyze new, previously unknown and undetected virus samples in realtime. Files sent to it are scanned first, using similar Antivirus (AV) engine and signatures as are available on the FortiOS and FortiClient. If the file is not detected but is an executable file, it is run (sandboxed) in a Microsoft Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient integration with FortiSandbox allows users to submit files to FortiSandbox for automatic scanning. When configured, FortiClient will send supported files downloaded over the internet to FortiSandbox if they cannot be detected by the local, real-time scanning. Access to the downloaded file is blocked until the scanning result is returned.

As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.

What’s New in FortiClient 5.4                                                                     New features in FortiClient 5.4.0

Enhanced Real-Time Protection Implementation

The Real-Time Protection (RTP) or on-access feature in FortiClient uses tight integration with Microsoft Windows to monitor files locally, or over a network file system, as they are being downloaded, saved, run, copied, renamed, opened, or written to. The FortiClient driver coupling with Windows has been re-written to use modern APIs provided by Microsoft. All basic features remain the same, with a few minor differences in behavior. Some noticeable performance enhancements could be observed in various use case scenarios.

Web Filtering

Web Browser Usage and Duration

If configured, FortiClient will record detailed information about the user’s web browser activities, such as:

l A history of websites visited by the user (as shown in regular web browser history) l An estimate of the duration or length of stay on the website.

These logs are sent to FortiAnalyzer, if configured. With FortiAnalyzer 5.4.0 or newer, the FortiClient logs sent from various endpoints may be viewed in FortiView.

VPN

Authorized Machine Detection

For enterprises where new computers may be brought into the organization by employees, FortiClient can be configured to check or identify the computer before allowing it to establish IPsec VPN or SSL VPN connections to the FortiGate. The administrator may configure restrictions with one or more of the following:

l Registry check: Ensure a specific registry path contains a predetermined value l File check: Verify the existence of a specific file at a specified location l Application check: Ensure that a specific application is installed and running

The verification criteria can be configured using advanced FortiClient XML configurations on the FortiGate or Enterprise Management Server (EMS).

New features in FortiClient 5.4.0                                                                     What’s New in FortiClient 5.4

New SSL VPN Windows driver

The FortiClient SSL VPN driver pppop.sys was re-written to use the latest Microsoft recommended CoNDIS WAN driver model. The new driver is selected when FortiClient is installed on Windows 7 or newer. The SSL VPN driver included in the previous versions of FortiClient will still be maintained.

New IPsec VPN Windows drivers

FortiClient IPsec VPN drivers have been updated to support Microsoft Windows NDIS 6.3 specification. The new drivers are compatible with Microsoft Windows 8.1 or newer.

Support for DTLS

FortiClient SSL VPN connections to FortiGate now support Datagram Transport Layer Security (DTLS) by using User Datagram Protocol (UDP) as the transport protocol. Previously FortiClient SSL VPN connections supported only Transport Control Protocol (TCP). You can now use FortiGate to configure SSL VPN connections that use DTLS. You cannot use FortiClient to configure SSL VPN connections that use DTLS. When FortiClient endpoints use a DTLS-enabled SSL VPN connection with FortiGate, and FortiGate communicates DTLS support, FortiClient uses DTLS via UDP. If DTLS fails, FortiClient will fall back to use TLS to establish an SSL VPN connection.

Endpoint Control

Integration with the new Enterprise Management Server

The Enterprise Management Server (EMS) is a new product from Fortinet for businesses to use to manage their computer endpoints. It runs on a Windows Server, not requiring a physical Fortinet device. Administrators may use it to gain insight into the status of their endpoints. The EMS supports devices running Microsoft Windows, Mac OS X, Android, and iOS.

FortiClient Endpoint Control (EC) protocol has been updated to seamlessly integrate with the EMS. Various changes were added to support EMS features, including:

l Deployment of FortiClient to new Microsoft Windows devices l Continuous monitoring of device statuses l AV engine and signature update status reports l AV scanning schedules and requests for AV scans l Notifications about protection statuses.

What’s New in FortiClient 5.4                                                                     New features in FortiClient 5.4.0

FortiGate Network Access Control when FortiClient is Deployed using EMS

The new EMS can be used to deploy FortiClient to a large number of Microsoft Windows endpoints. While creating a profile for FortiClient deployment, the EMS administrator can choose to configure the FortiClient to register to the same EMS, or to a FortiGate.

Changes in FortiClient 5.4.0 allow the EMS administrator to deploy FortiClient to endpoints, and configure it to register to a FortiGate, while simultaneously notifying the EMS of its registration status. The FortiClient EC registration to the FortiGate is required for Network Access Compliance (NAC). The administrator can configure the FortiGate to allow access to network resources only if the client is compliant with the appropriate interface EC profile.

Quarantine an Infected Endpoint from the FortiGate or EMS

A computer endpoint that is considered to be infected may be quarantined by the FortiGate or EMS administrator. FortiClient needs to be online, using EC, and registered to the FortiGate or EMS.

Once quarantined, all network traffic to or from the infected endpoint will be blocked locally. This allows time for remediation actions to be taken on the endpoint, such as scanning and cleaning the infected system, reverting to a known clean system restore point, or re-installing the operating system.

The administrator may un-quarantine the endpoint in the future from the same FortiGate or EMS.

Importing FortiGate CA Certificate after EC Registration

When the FortiGate is configured to use SSL deep inspection, users visiting encrypted websites will usually receive an invalid certificate warning. The certificate signed by the FortiGate does not have a Certificate Authority (CA) at the endpoint to verify it. Users can manually import the FortiGate CA certificate to stop the error from being displayed, however, all users will have to do the same.

When registering EC to a FortiGate, the FortiClient will receive the FortiGate’s CA certificate and install it into the system store. If Firefox is installed on the endpoint, the FortiGate’s CA certificate will also be installed into the Firefox certificate store. This way the end user will no longer receive the invalid certificate error message when visiting encrypted websites.

Enhancement to On-net/Off-net Configuration

The on-net feature requires the use of a FortiGate as a DHCP server. This is usually configured on the same FortiGate that the FortiClient will be registered. When the device that FortiClient is running on has an IP address from the FortiGate’s DHCP server, it is on-net. For any other IP addresses, it is off- net.

New features in FortiClient 5.4.0                                                                     What’s New in FortiClient 5.4

There is a new way to configure the on-net feature. On the FortiGate, the DHCP server can be used, or several network subnets can be provided.

FortiClient will be on-net if:

l It is registered using EC to the FortiGate, l It belongs to one of the pre-configured on-net subnets, or l It provides the DHCP for on-net properties.

Otherwise, FortiClient will be off-net.

FortiClient GUI

Antivirus Settings Page

With the introduction of botnet detection, and the integration with FortiSandbox with FortiClient (Windows), the AV settings page on the FortiClient GUI has been updated to allow configuration of the new features. The AV settings page is accessible from the FortiClient dashboard. Select the AV tab on the left pane. Then click the settings icon on Real-Time Protection in the right pane. The following may be selected on the AV settings page:

  • File scanning (previously, Real-Time Protection or RTP) l Scan unknown, supported files using FortiSandbox (Windows only) l Malicious website detection
  • Botnet detection (block known communication channels)

FortiClient Banner Design

If FortiClient (full version or VPN only) is running in standalone mode and not registered to a FortiGate or EMS, a single banner at the bottom of the GUI is displayed. When registered to a FortiGate or EMS, the banner is hidden by default. Similarly, when created from a FortiClient Configurator (Windows) or Repackager (OS X), no banner is displayed by default.

Logging

Enhancement to FortiClient logs

FortiClient will create a log entry to show just the URL visited by the user through a web browser. This is in addition to the network level logs generated by FortiClient.