FortiClient 5.6.0 Administration Guide
VERSION 5.6.0
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
FEEDBACK
Email: [email protected]
04-560-400716-20170913
TABLE OF CONTENTS
Change Log 9
Introduction 10
FortiClient modes and features 10
Standalone mode 10
Managed mode 10
Feature comparison of standalone and managed modes 11
Fortinet product support for FortiClient 12
FortiClient EMS 13
FortiManager 13
FortiGate 13
FortiAnalyzer 14
FortiSandbox 14
What's New in FortiClient 5.6 15
FortiClient 5.6.0 15
FortiClient install option 15
Improved FortiClient compliance feature 15
Vulnerability scan now supports FortiClient (Mac OS X) 15
Vulnerability Scan GUI 15
User Avatar retrieval from cloud applications 15
User Avatar sent to FortiAnalyzer 15
Improved remote logging to FortiAnalyzer 16
Sandbox detection for FortiClient (Windows) 16
New SSL VPN Windows Driver for FortiClient (Windows) 16
VPN Auto-Reconnect improvement 16
Configurator and Rebranding Tools 16
Get Started 17
Get started with standalone mode 17
Get started with managed mode 18
Managed mode concepts 19
FortiGate and FortiClient profiles 19
EMS and endpoint profiles 20
Telemetry connection options 21
Telemetry Gateway IP Lists 23
EMS and automatic upgrade of FortiClient 23
Provisioning Preparation 24
Installation requirements 24
Licensing 25
FortiClient licenses for FortiGate 25
FortiClient licenses for EMS 25
FortiClient setup types and modules 26
EMS and FortiClient setups 26
FortiGate compliance and FortiClient setups 27
Firmware images and tools 27
Microsoft Windows 27
Mac OS X 28
Where to download FortiClient installation files 28
Custom FortiClient installation files and rebranding 28
Provisioning 30
Install FortiClient on computers 30
Microsoft Windows computer 30
Microsoft Server 32
Mac OS X computer 32
Install FortiClient on infected systems 33
Install FortiClient as part of cloned disk images 34
Deploy FortiClient using Microsoft AD servers 34
Deploy FortiClient using Microsoft AD user groups 35
Configure users and groups on AD servers 36
Configure FortiAuthenticator 36
Configure FortiGate 36
Connect FortiClient Telemetry to FortiGate 37
Monitor FortiClient connections 37
Upgrade FortiClient 38
FortiClient Telemetry 39
Telemetry data 39
How FortiClient locates FortiGate or EMS 39
Connect FortiClient Telemetry after installation 40
Remember gateway IP addresses 41
Compliance 43
Enable compliance 43
Connect FortiClient Telemetry manually 43
Disconnect FortiClient Telemetry 44
View compliance status 44
Standalone mode 44
Managed mode with EMS 45
Managed mode with FortiGate 46
Access endpoint details 48
View user details 48
Specify user picture 48
View FortiGate compliance rules 50
View gateway IP lists 50
Forget gateway IP addresses 51
On-net / off-net status with FortiGate and EMS 51
Fix not compliant (blocked) 53
View unmet compliance rules 54
Fix Not-Compliant Settings 55
Patch software vulnerabilities 56
Examples of blocked network access 56
Fix not compliant (warning) 57
Quarantined endpoints 59
Sandbox Detection 60
Enable Sandbox Detection 60
Disable Sandbox Detection 61
Configure Sandbox Detection 62
Configure submission, access, and remediation 62
Configure exceptions 64
Manage the Sandbox Detection exclusion list 64
Scan with FortiSandbox on demand 65
View Sandbox Detection results 65
View FortiSandbox scan results 66
View quarantined files 66
Submit quarantined files for scanning 68
Restore quarantined files 68
Delete quarantined files 68
Use the pop-up window 69
View notifications 70
Antivirus 72
Enable realtime protection 72
Third-party antivirus software and realtime protection 72
Disable realtime protection 73
Configure AntiVirus 73
Block access and communication channels 73
Update Antivirus database 74
Schedule antivirus scanning 74
Manage the AntiVirus exclusion list 75
Configure additional Antivirus options 77
Scan with AntiVirus on demand 77
Scan now 77
Scan files or folders 78
Submit files to FortiGuard for analysis 78
View AntiVirus scan results 78
View quarantined threats 78
View site violations 80
View alerts 81
View realtime protection events 81
View FortiClient engine and signature versions 82
Web Security/Web Filter 83
Web Security 83
Enable Web Security 83
Disable Web Security 84
Web Filter 84
Enable Web Filter 84
Disable Web Filter 85
Configure web filtering 85
Configure site categories 85
Manage the Web Filter/Web Security exclusion list 86
Configure settings 88
View violations 89
Application Firewall 90
Enable Application Firewall 90
Disable Application Firewall 91
View blocked applications 91
View application firewall profiles 91
Remote Access 93
Enable remote access 93
Configure VPN connections 93
Configure SSL VPN connections 93
Configure IPsec VPN connections 94
Connect VPNs 97
Connect SSL and IPsec VPNs 97
Connect VPNs with FortiToken Mobile 98
Save password, auto connect, and always up 99
Access to certificates in Windows Certificates Stores 100
Advanced features (Microsoft Windows) 101
Activate VPN before Windows Log on 102
Connect VPNs before logging on (AD environments) 102
Create redundant IPsec VPNs 102
Create priority-based SSL VPN connections 103
Advanced features (Mac OS X) 103
Create redundant IPsec VPNs 104
Create priority-based SSL VPN connections 104
VPN tunnel & script 105
Windows 105
OS X 106
Vulnerability Scan 107
Compliance and vulnerability scanning 107
Enable vulnerability scan 107
Scan now 107
Cancel scan 109
Automatically fix detected vulnerabilities 109
Review detected vulnerabilities before fixing 110
Manually fix detected vulnerabilities 111
View details about vulnerabilities 112
View vulnerability scan history 113
Settings 114
System 114
Backup or restore full configuration 114
Logging 114
Enable logging for features 114
Send logs to FortiAnalyzer or FortiManager 115
Export the log file 116
Clear entries in the log file 116
VPN options 116
Antivirus options 117
Advanced options 117
Single Sign-On mobility agent 118
FortiClient/FortiAuthenticator protocol 118
Configuration lock 120
FortiTray 120
Establishing VPN connections from FortiTray 120
Diagnostic Tool 121
Appendix A - FortiClient API 123
Overview 123
API reference 123
Appendix B - FortiClient Log Messages 125
Appendix C - Vulnerability Patches 126
FortiClient (Windows) 126
Automatic vulnerability patching 126
Manual vulnerability patching 126
FortiClient (OS X) 127
Automatic vulnerability patching 127
Manual vulnerability patching 127
Appendix D - FortiClient Processes 128
FortiClient (Windows) processes 128
FortiClient (OS X) processes 129
Change Log
2017-08-04 Added information about Vulnerability Scan and obsolete applications. See Manually
fix detected vulnerabilities on page 111.
2017-08-08 Added information about FortiSandbox settings. See Configure submission, access, and
remediation on page 62.
2017-08-29 Clarified that the FortiClient Configurator Tool is free and available for download from
the Personal Toolkit section of FNDN.
2017-09-13 Clarified that AntiVirus exclusion lists support wildcards and variables.
9 Administration Guide
Fortinet Technologies Inc.
Introduction
FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet's
Advanced Threat Protection (ATP) to end user devices. As the endpoint is the ultimate destination for malware
that is seeking credentials, network access, and sensitive information, ensuring that your endpoint security
combines strong prevention with detection and mitigation is critical.
This document is written for FortiClient (Windows) 5.6.0. Not all features described in
this document are supported for FortiClient (OS X) 5.6.0.
FortiClient modes and features
FortiClient is available in two modes: standalone mode and managed mode.
Standalone mode
In standalone mode, FortiClient is not connected to FortiGate or EMS. In this mode, FortiClient is free both for
private individuals and commercial businesses to use; no license is required. See also Get started with
standalone mode on page 17.
Support for FortiClient in standalone mode is provided on the Fortinet Forums (forum.fortinet.com). Phone
support is not provided.
Managed mode
In managed mode, FortiClient is connected to EMS or FortiGate, or to both EMS and FortiGate. In managed
mode, the FortiClient license is applied to FortiGate or EMS; no separate license is required for FortiClient
itself.
When connected only to EMS, FortiClient is managed by EMS. However, FortiClient cannot participate in
network compliance or Fortinet's Security Fabric.
When connected to FortiGate, FortiClient integrates with the Security Fabric to provide endpoint awareness,
compliance, and enforcement by sharing endpoint telemetry regardless of device location, such as corporate
headquarters or a café. At its core, FortiClient automates prevention of known and unknown threats through its
built-in host-based security stack and integration with FortiSandbox. FortiClient also provides secure remote
access to corporate assets via VPN with native two-factor authentication coupled with single sign-on.
FortiClient works cooperatively with Fortinet's Security Fabric. This is done by extending it down to the endpoints
to secure them via security profiles, by sharing endpoint telemetry to increase awareness of where systems, users
and data reside within an organization and by enabling the implementation of proper segmentation to protect
these endpoints.
At regular intervals, FortiClient sends telemetry data to the nearest associated FortiGate. This visibility coupled
with built-in controls from FortiGate allows the security administrator to construct a policy to deny access to
endpoints with known vulnerabilities or to quarantine compromised endpoints with a single click.
Feature comparison of standalone and managed modes
Features available in both modes (free and licensed) and features available only with managed mode (licensed):
Web Security
l Web Filtering
l YouTube Education Filter
Application Control
l Application Firewall
l Block Specific Application Traffic
Remote Access
l SSL VPN
l IPsec VPN
l Client Certificate Support
l X.509 Certificate Support
l Elliptic Curve Certificate Support
l Two-Factor Authentication
Vulnerability Management
l Vulnerability scanning
l Links to FortiGuard with information on the impact and recommended actions
l Automatic software patching for identified vulnerabilities
l List of software that requires manual installation of software patches
Logging
l VPN, Application Firewall, Antivirus, Web Filter, Update, and Vulnerability Scan logging
l View logs locally
Fortinet product support for FortiClient
The following Fortinet products work together to support FortiClient in managed mode:
l FortiClient EMS
l FortiManager
l FortiGate
l FortiAnalyzer
l FortiSandbox
FortiClient EMS
FortiClient EMS runs on a Windows server. EMS can manage FortiClient endpoints by deploying FortiClient
(Windows) and profiles to endpoints, and the endpoints can connect FortiClient Telemetry to FortiGate or EMS.
FortiClient endpoints connect to FortiGate to participate in Security Fabric or compliance enforcement.
FortiClient endpoints connect to EMS to be managed in real time.
For information on EMS, see the FortiClient EMS Administration Guide, available in the Fortinet Document
Library.
FortiManager
FortiManager provides central FortiClient management for FortiGate devices that are managed by FortiManager.
In FortiManager, you can create one or more FortiClient profiles that you can assign to multiple FortiGate
devices. You can also import FortiClient profiles from one FortiGate device and assign the FortiClient profile to
other FortiGate devices. When endpoints are connected to managed FortiGate devices, you can use
FortiManager to monitor endpoints from multiple FortiGate devices.
For information on FortiManager, see the FortiManager Administration Guide, available in the Fortinet
Document Library.
FortiGate
FortiGate provides network security. FortiGate devices define compliance rules for NAC (network access
control) for connected endpoints, and FortiClient communicates the compliance rules from FortiGate to
endpoints. FortiGate devices communicate with endpoints, EMS, and FortiManager, when FortiManager is
used.
When FortiClient Telemetry is connected to FortiGate, endpoints can participate in Security Fabric or compliance
enforcement.
For information on FortiGate, see the FortiOS Handbook, available in the Fortinet Document Library.
FortiAnalyzer
FortiAnalyzer can receive logs from endpoints that are connected to FortiGate or EMS, and you can use
FortiAnalyzer to analyze the logs and run reports. FortiAnalyzer receives logs directly from FortiClient.
For information on FortiAnalyzer, see the FortiAnalyzer Administration Guide, available in the Fortinet
Document Library.
FortiSandbox
FortiSandbox offers the capability to analyze new, previously unknown, and undetected virus samples in
real time. Files sent to it are scanned first, using an Antivirus (AV) engine and signatures similar to those
available on FortiOS and FortiClient. If the file is not detected but is an executable file, it is run in a Microsoft
Windows virtual machine (VM) and monitored. The file is given a rating or score based on its activities and
behavior in the VM.
As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such
samples. FortiClient periodically downloads the latest AV signatures from the FortiSandbox, and applies them
locally to all real-time and on-demand AV scanning.
For more information, see the FortiSandbox Administration Guide, available in the Fortinet Document Library.
This feature requires a FortiSandbox running version 2.1 or newer and is only available
on FortiClient (Windows).
What's New in FortiClient 5.6
This document was written for FortiClient (Windows) 5.6.0. Not all features described
in this document are supported for FortiClient (Mac OS X) 5.6.0.
FortiClient 5.6.0
Get Started
FortiClient can be used in standalone or managed mode. This section describes how to get started with each
mode. It also includes the key concepts that administrators and endpoint users should be aware of when using
FortiClient in managed mode.
Get started with standalone mode
In standalone mode, FortiClient software is installed to computers or devices that have Internet access and are
running a supported operating system. After FortiClient is installed, FortiClient automatically connects to
FortiGuard Center (http://www.fortiguard.com) to protect the computer or device.
2. Install FortiClient on computers or devices with internet access. See Provisioning on page 30.
3. Launch FortiClient console.
FortiClient connects to the Fortinet FortiGuard server to protect the computer.
l Sandbox Detection
l Antivirus
l Web Security
l Remote Access
l Vulnerability Scan. See Vulnerability Scan on page 107.
Get started with managed mode
In managed mode, FortiClient software is used with FortiGate or EMS. Another option is integrated mode, where
FortiGate and EMS are used together with FortiClient.
In managed mode, FortiClient software is installed to computers or devices on your network that have Internet
access and are running a supported operating system. The computers or devices are referred to as endpoints.
After FortiClient software is installed on endpoints, FortiClient performs the following actions:
After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient receives a profile from FortiGate
and/or EMS. The computer with FortiClient installed and FortiClient Telemetry connected is now a managed
endpoint.
4. (Administrators) Manage endpoints by using EMS. Administrators can also use FortiOS to monitor endpoints.
5. (Endpoint Users) Configure the installed components by using FortiClient console.
Depending on what FortiClient modules were installed, whether FortiGate compliance rules are used, and
whether an EMS administrator has locked settings, endpoint users can configure none or some of the
following modules:
l Sandbox Detection
l Antivirus
l Web Filter
l Application Firewall
l Remote Access
6. (Endpoint Users) Use the installed modules by using FortiClient console.
Depending on what modules were installed, one, more, or all of the following tabs are available in FortiClient
console:
l Compliance
l Sandbox Detection
l Antivirus
l Web Filter
l Application Firewall
l Remote Access
l Vulnerability Scan
Managed mode concepts
This section introduces the following concepts related to administering FortiClient in managed mode:
l Defines compliance rules for endpoint access to the network through FortiGate
l Defines the non-compliance action for FortiGate, that is, how FortiGate handles endpoints that fail to comply
with the compliance rules
Compliance rules
FortiGate compliance rules define what configuration FortiClient software and the endpoint must have for the
endpoint to maintain access to the network through FortiGate. The following is a sample of the compliance rules
that administrators can enable or disable in a FortiClient profile by using the FortiOS GUI:
l Telemetry data
l Endpoint vulnerability scan on client
l System compliance:
Although the compliance rules define what configuration FortiClient software and the
endpoint must have, the FortiClient profile from FortiGate does not include any
configuration information. The endpoint user or administrator is responsible for
configuring FortiClient console to adhere to the compliance rules. An administrator can
use EMS to configure FortiClient console.
Non-compliance action
In addition to compliance rules, the FortiClient profile also defines how FortiGate will handle endpoints with a
not-compliant status. FortiGate can block and quarantine endpoints, or FortiGate can warn endpoints about the
not-compliant status, but allow network access. Administrators set the rules and non-compliance action by using
FortiOS, and FortiGate enforces the rules.
FortiClient console displays compliant and not-compliant status as well as information about how endpoint users
can return not-compliant endpoints to a status of compliant. The administrator or endpoint user is responsible for
reading the information in FortiClient console and updating FortiClient software on the endpoint to adhere to the
compliance rules. Endpoint users can edit settings in the FortiClient console that are not controlled by the
compliance rules or EMS.
EMS and endpoint profiles
l FortiClient Installer
l Antivirus
l Sandbox
l Web Filter
l Firewall
l VPN
l Vulnerability Scan
l System Settings
When the endpoint receives the configuration information in the endpoint profile, the settings in FortiClient
console are automatically updated. Settings in FortiClient console are locked and read-only when EMS provides
the configuration in a profile.
For more information about configuring endpoint profiles by using EMS, see the FortiClient EMS Administration
Guide, available in the Fortinet Document Library.
Telemetry connection options
EMS
In this configuration, FortiClient Telemetry connects to EMS, and FortiClient receives a profile from EMS. The
profile contains the configuration information for FortiClient, and EMS manages FortiClient endpoints. Network
Access Control (NAC) and compliance are not supported.
FortiGate
In this configuration, FortiClient Telemetry is connected to FortiGate, and FortiClient receives a profile from
FortiGate. The profile contains the compliance rules for FortiClient, but not any configuration information for
FortiClient. NAC and compliance can be supported.
FortiGate does not provide configuration information for FortiClient and the endpoint.
Endpoint users must manually configure FortiClient console, or an administrator must
configure FortiClient by using an EMS endpoint profile.
Following is a summary of how the FortiClient Telemetry connection works in integrated mode:
l FortiClient Telemetry connects to FortiGate. This is the primary FortiClient Telemetry connection.
l FortiClient Telemetry connects to EMS. This is the secondary FortiClient Telemetry connection.
l FortiClient receives a profile of compliance rules from FortiGate.
l FortiClient receives a profile of configuration information from EMS.
Telemetry Gateway IP Lists
After FortiClient is installed on the endpoint and FortiClient Telemetry is connected to FortiGate and/or EMS,
endpoint users can view the Telemetry Gateway IP List in the FortiClient console. See View gateway IP lists on
page 50.
EMS and automatic upgrade of FortiClient
After the FortiClient installer with automatic upgrade enabled is deployed to endpoints, FortiClient is
automatically upgraded to the latest version when a new version of FortiClient is available via EMS. For more
information, see the FortiClient EMS Administration Guide.
Provisioning Preparation
Before provisioning FortiClient, administrators and endpoint users should understand the installation
requirements and the FortiClient setup types available for installation. Administrators should also be aware of the
licensing requirements when installing FortiClient in managed mode.
This section also identifies what firmware images and tools are available for FortiClient and where you can
download the FortiClient installers.
Installation requirements
The following table lists operating system support and the minimum system requirements.
Microsoft Windows (desktop)
Operating system support:
l Microsoft Windows 7 (32-bit and 64-bit)
l Microsoft Windows 8 (32-bit and 64-bit)
l Microsoft Windows 8.1 (32-bit and 64-bit)
l Microsoft Windows 10 (32-bit and 64-bit)
FortiClient 5.6.0 does not support Microsoft Windows XP and Microsoft Windows Vista.
Minimum system requirements:
l Microsoft Internet Explorer version 8 or later
l Microsoft Windows compatible computer with Intel processor or equivalent
l Compatible operating system and minimum 512 MB RAM
l 600 MB free hard disk space
l Native Microsoft TCP/IP communication protocol
l Native Microsoft PPP dialer for dial-up connections
l Ethernet NIC for network connections
l Wireless adapter for wireless network connections
l Adobe Acrobat Reader for documentation
l MSI installer 3.0 or later
Microsoft Windows Server
Operating system support:
l Microsoft Windows Server 2008 R2 or newer
Minimum system requirements:
l Same as for desktop Microsoft Windows, listed above
For Microsoft Windows servers, the AntiVirus and Vulnerability Scan features for
FortiClient are supported.
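The minimums in the table are easy to check before an installer is pushed out. The following PowerShell script is an added example, not code from the guide or from Fortinet; it assumes it runs on the candidate endpoint itself with rights to read WMI and the registry, and the thresholds are the ones stated above (Windows 7 / Server 2008 R2 or later, 512 MB RAM, 600 MB free disk, Windows Installer 3.0, Internet Explorer 8).

```powershell
# Added example, not part of the FortiClient guide: pre-flight check of the
# minimum requirements listed in the installation requirements table.
# Assumes it runs on the candidate endpoint (local WMI and registry access).

$MinOsVersion = [version]'6.1'   # Windows 7 / Server 2008 R2; XP and Vista are not supported
$MinRamMB     = 512
$MinDiskMB    = 600
$MinMsiVer    = [version]'3.0'
$MinIEVer     = [version]'8.0'

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$ie   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
# IE 10 and later report their real version in svcVersion; IE 8/9 only in Version.
$ieVersion  = if ($ie.svcVersion) { [version]$ie.svcVersion } else { [version]$ie.Version }
$msiVersion = [version](Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo.ProductVersion

$results = [ordered]@{
    "OS $($os.Caption) ($($os.Version)) is $MinOsVersion or later" = ([version]$os.Version -ge $MinOsVersion)
    "RAM is at least $MinRamMB MB"                                 = ([int]($os.TotalVisibleMemorySize / 1KB) -ge $MinRamMB)
    "Free space on $env:SystemDrive is at least $MinDiskMB MB"     = ([int]($disk.FreeSpace / 1MB) -ge $MinDiskMB)
    "Windows Installer $msiVersion is $MinMsiVer or later"         = ($msiVersion -ge $MinMsiVer)
    "Internet Explorer $ieVersion is $MinIEVer or later"           = ($ieVersion -ge $MinIEVer)
}

$failed = 0
foreach ($check in $results.GetEnumerator()) {
    if ($check.Value) { Write-Host "[PASS] $($check.Key)" }
    else              { Write-Host "[FAIL] $($check.Key)"; $failed++ }
}

# ProductType 1 is a workstation SKU; 2 and 3 are server SKUs, where only the
# AntiVirus and Vulnerability Scan features are supported (see the note above).
if ($os.ProductType -ne 1) {
    Write-Host '[INFO] Server SKU: only AntiVirus and Vulnerability Scan are supported.'
}

exit $failed   # non-zero when at least one requirement is not met
```

The exit code is the number of failed checks, so the script can gate a deployment task without parsing its output.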
Licensing
FortiClient in managed mode requires a license. In managed mode, FortiClient licensing is applied to FortiGate
or EMS.
When using the ten (10) free licenses for FortiClient in managed mode, support is
provided on the Fortinet Forums (forum.fortinet.com).Phone support is not provided
when using the free licenses. Phone support is provided for paid licenses.
For a video about applying FortiClient licenses to FortiGate, see the How to Purchase
or Renew FortiClient Endpoint Subscription video at
https://video.fortinet.com/product/forticlient.
For a video about applying FortiClient licenses to EMS, see the How to License
FortiClient EMS video at https://video.fortinet.com/product/forticlient-ems.
FortiClient setup types and modules
The Advanced Persistent Threat (APT) module is available only for FortiClient (Windows).
When you install FortiClient, you can choose which setup type and modules to install:
Security Fabric Agent: Enabled by default, and you cannot disable Security Fabric Agent. Displays the following
tabs:
l Compliance
Secure Remote Access: Optional. Supports SSL and IPsec VPN access. Displays the Remote Access tab.
Additional Security Features: Optional. Supports AntiVirus, Web Filtering, Application Firewall, and Single Sign
On. You can select one, more, or all security features. Displays the following tabs when all security features are
selected:
l AntiVirus
l Web Filtering
l Application Firewall
When Single Sign On is selected, FortiClient supports the single sign-on feature. When a security feature is not
selected, the tab is hidden from view in FortiClient console.
EMS and FortiClient setups
The setup chosen at installation determines which tabs an EMS profile can later enable or disable.
For example, if you install FortiClient with APT components selected, the Sandbox Detection tab is included in
FortiClient console, and you can use an EMS profile to disable the Sandbox Detection tab. However, if you install
FortiClient with APT components cleared, the Sandbox Detection tab is excluded from FortiClient console, and
you cannot use an EMS profile to enable the Sandbox Detection tab.
FortiGate compliance and FortiClient setups
The setup must include every module that the FortiGate compliance rules require.
For example, if the FortiGate compliance rules require the Web Filter tab to be enabled in FortiClient console,
FortiClient must be installed with Additional Security Features and Web Filtering selected to meet the compliance
rules. If FortiClient is installed with an incorrect setup for the compliance rules, you must uninstall FortiClient and
reinstall FortiClient with the setup required by the compliance rules.
Firmware images and tools
Firmware images and tools are available for Microsoft Windows and Mac OS X. See also Custom FortiClient
installation files and rebranding on page 28.
Microsoft Windows
The following files are available in the firmware image file folder:
l FortiClientSetup_5.6.xx.xxxx.exe
Standard installer for Microsoft Windows (32-bit).
l FortiClientSetup_5.6.xx.xxxx.zip
A zip package containing FortiClient.msi and language transforms for Microsoft Windows (32-bit). Some
properties of the MSI package can be customized with FortiClient Configurator tool.
l FortiClientSetup_5.6.xx.xxxx_x64.exe
Standard installer for Microsoft Windows (64-bit).
l FortiClientSetup_5.6.xx.xxxx_x64.zip
A zip package containing FortiClient.msi and language transforms for Microsoft Windows (64-bit). Some
properties of the MSI package can be customized with FortiClient Configurator tool.
l FortiClientTools_5.6.xx.xxxx.zip
A zip package containing miscellaneous tools, including VPN automation files. The following tools and files are
available in the FortiClientTools_5.6.xx.xxxx.zip file:
l FortiClientVirusCleaner
A virus cleaner.
l OnlineInstaller
This file downloads and installs the latest FortiClient file from the public FDS.
l SSLVPNcmdline
l SupportUtils
Includes diagnostic, uninstallation, and reinstallation tools.
l VPNAutomation
A VPN automation tool.
Mac OS X
The following files are available in the firmware image file folder:
l FortiClient_5.6.x.xxx_macosx.dmg
Standard installer for Mac OS X.
l FortiClientTools_5.6.x.xxx_macosx.tar
FortiClient includes various utility tools and files to help with installations.
The following tools and files are available in the FortiClientTools .tar file:
l OnlineInstaller
This file downloads and installs the latest FortiClient file from the public FDS.
Where to download FortiClient installation files
You can download the FortiClient installation files from the following sites:
Custom FortiClient installation files and rebranding
The following tools are available from the Fortinet Developer Network (FNDN) at https://fndn.fortinet.net/:
You can use the free FortiClient Configurator Tool to create customized FortiClient installation files, and you can
use the licensed FortiClient Rebranding Tool to create customized FortiClient installation files as well as rebrand
FortiClient.
Starting with FortiClient 5.6.0, the FortiClient Configurator Tool is available for free
download from the Tools >Personal Toolkit section of FNDN
at https://fndn.fortinet.net/.
Provisioning
FortiClient can be installed on a standalone computer by using the installation wizard or deployed to multiple
Microsoft Windows systems by using Microsoft Active Directory (AD).
You can use EMS to deploy FortiClient to multiple Microsoft Windows systems. For
information, see the FortiClient EMS Administration Guide.
The following section describes how to install FortiClient on a computer that is running a Microsoft Windows or
Apple Mac operating system.
When installing FortiClient, it is recommended to use the FortiClientOnlineInstaller file. This file launches the
FortiClient Virus Cleaner, which scans the target system before installing the FortiClient application. The
FortiClientOnlineInstaller file always installs the latest version of FortiClient that is available on FDN, not the
version of FortiClient referenced in the filename or listed on the Customer Service & Support site. If you need to
control exactly which build reaches an endpoint, use the versioned installer or MSI package instead and verify it
before deployment.
To check the digital signature of FortiClient, right-click the installation file and select Properties. The Digital
Signatures tab shows the signer and lets you view and install the certificate; the other tabs let you set file
attributes, run the compatibility troubleshooter, set file permissions, and view file details. Confirm that the
signature is valid and that the signer is Fortinet before running the installer.
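The signature check described above, and a silent install from the MSI package in the FortiClientSetup zip, can both be scripted for unattended deployment. The following PowerShell is an added example, not code from the guide or from Fortinet; the installer path, the log path and the expected signer subject prefix are assumptions, and the prefix should be compared against the certificate shown in the installer's Properties dialog.

```powershell
# Added example, not part of the FortiClient guide: verify the installer's
# Authenticode signature and pin the signer, record the SHA-256, then install
# silently with a verbose MSI log. Paths and the signer prefix are assumptions.

$Installer      = 'C:\Deploy\FortiClient.msi'   # hypothetical: the .msi from FortiClientSetup_5.6.xx.xxxx_x64.zip
$ExpectedSigner = 'CN=Fortinet'                 # assumed prefix of the signer Subject; check against the real certificate
$LogFile        = Join-Path $env:TEMP 'FortiClient-install.log'

$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    # NotSigned, HashMismatch (file altered) and untrusted-chain errors all land here.
    throw "Refusing to install: signature status is $($sig.Status) ($($sig.StatusMessage))"
}
if ($sig.SignerCertificate.Subject -notlike "$ExpectedSigner*") {
    # A valid signature only proves that some trusted publisher signed the file; pin the publisher too.
    throw "Refusing to install: unexpected signer $($sig.SignerCertificate.Subject)"
}
$sha256 = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
Write-Host "Signer : $($sig.SignerCertificate.Subject)"
Write-Host "SHA256 : $sha256   (record this with the build you approved)"

# Silent per-machine install with a verbose log. Add TRANSFORMS=<file>.mst to the
# argument list to apply one of the language transforms shipped in the zip.
# msiexec returns 0 on success and 3010 when the install succeeded but a reboot is pending.
$msiArgs = @('/i', "`"$Installer`"", '/qn', '/norestart', '/l*v', "`"$LogFile`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host 'Installed.' }
    3010    { Write-Host 'Installed; reboot required.' }
    default { throw "msiexec exited with code $($proc.ExitCode); see $LogFile" }
}
```

Get-AuthenticodeSignature only reports Valid when the file is unmodified and the chain ends in a trusted root, so the second check is what ties the package to Fortinet rather than to any trusted publisher; keep the recorded hash with the change record so a later re-download can be compared against the build that was actually approved.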
Install FortiClient on computers
Microsoft Windows computer
2. In the Welcome to the FortiClient Setup Wizard screen, perform the following actions, and click Next:
l Click the License Agreement button, and read the license agreement. You have the option to print the EULA in
this License Agreement screen. Click Close to return to the installation wizard.
l Select the Yes, I have read and accept the license checkbox.
The Choose Setup Type screen is displayed.
l Security Fabric Agent: Endpoint telemetry, host vulnerability scanning and remediation
l Secure Remote Access: VPN components (IPsec and SSL) will be installed
l Advanced Persistent Threat (APT) Components:FortiSandbox detection and quarantine features
l Additional Security Features:AntiVirus, Web Filtering, Single Sign On, Application Firewall
4. Click Next to continue. The Destination Folder screen is displayed.
5. (Optional) Click Change to choose an alternate folder destination for installation.
6. Click Next to continue.
FortiClient will search the target system for other installed antivirus software. If found, FortiClient will display
the Conflicting Antivirus Software page. You can either exit the current installation and uninstall the
antivirus software, disable the antivirus feature of the conflicting software, or continue with the installation
with FortiClient real-time protection disabled.
This dialog box is displayed during a new installation of FortiClient and when
upgrading from an older version of FortiClient, which does not have the antivirus
feature installed.
If you have any questions about connecting FortiClient Telemetry to FortiGate, please
contact your network administrator.
Microsoft Server
You can install FortiClient on a Microsoft Windows Server 2008 R2, 2012, or 2012 R2 server. You can use the regular FortiClient Windows image for Server installations.
Please refer to the Microsoft knowledge base for caveats on installing antivirus software in a server environment. See the Microsoft Anti-Virus exclusion list: http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx
Mac OS X computer
The following instructions will guide you through the installation of FortiClient on a Mac OS X computer. For more information, see the FortiClient (Mac OS X) Release Notes.
1. Double-click the FortiClient .dmg installer file. The FortiClient for Mac OSX dialog box is displayed.
2. Double-click Install. The Welcome to the FortiClient Installer dialog box is displayed.
3. (Optional) Click the lock icon in the upper-right corner to view certificate details, and click OK to close the dialog box.
4. Click Continue.
5. Read the Software License Agreement, and click Continue.
You have the option to print or save the Software Agreement in this window. You will be prompted to Agree
with the terms of the license agreement.
6. If you agree with the terms of the license agreement, click Agree to continue the installation.
7. Perform one of the following actions:
• Click Install to perform a standard installation on this computer, which includes the following modules: Security Fabric Agent and Secure Remote Access.
• Click Customize to choose which FortiClient modules to install. See FortiClient setup types and modules on page 26.
8. Depending on your system, you may be prompted to enter your system password.
9. After the installation completes successfully, click Close to exit the installer.
FortiClient has been saved to the Applications folder.
10. Double-click the FortiClient icon to launch the application. The application console loads to your desktop. Click the lock icon in the FortiClient console to make changes to the FortiClient configuration.
The FortiClient installer always runs a quick antivirus scan on the target host system before proceeding with the
complete installation. If the system is clean, installation proceeds as usual.
Any virus found during this step is quarantined before installation continues.
In case a virus on an infected system prevents downloading of the new FortiClient package, use the following process:
• Boot into safe mode with networking (which is required for the FortiClient installer to download the latest signature packages from the Fortinet Distribution Network).
• Run the FortiClient installer.
This scans the entire file system. A log file is generated in the logs sub-directory. If a virus is found, it will be
quarantined. When complete, reboot back into normal mode and run the FortiClient installer to complete the
installation.
Microsoft Windows will not allow FortiClient installation to complete in safe mode. An
error message will be generated. It is necessary to reboot back into normal mode to
complete the installation.
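The safe-mode round trip above is easy to get half-right by hand (the safeboot flag left set, so the machine keeps booting into safe mode and the installer keeps failing). The PowerShell script below is an added example, not Fortinet's procedure or tooling; it sets and clears the Safe Mode with Networking boot flag with the standard bcdedit tool and leaves the actual reboots to the operator. It assumes an elevated session on the affected Windows host.

```powershell
# Added example (not from the FortiClient guide): script the switch into
# Safe Mode with Networking for the infected-system install path, then
# clear the flag again so the host returns to normal mode for the real
# installation. Requires an elevated PowerShell session; reboot is left
# to the operator.
param(
    [ValidateSet('Enter', 'Leave')]
    [string]$Mode = 'Enter'
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) session.'
}

switch ($Mode) {
    'Enter' {
        # "network" selects Safe Mode with Networking, so the installer can
        # still reach the Fortinet Distribution Network for signatures.
        & bcdedit.exe /set '{current}' safeboot network
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
        Write-Output 'Safe Mode with Networking is set for the next boot.'
        Write-Output 'Reboot, run the FortiClient installer (scan only), then run this script with -Mode Leave.'
    }
    'Leave' {
        # Remove the flag: the installer cannot complete in safe mode, so
        # the normal-mode reboot is where the full installation happens.
        & bcdedit.exe /deletevalue '{current}' safeboot
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
        Write-Output 'Safe boot flag removed. Reboot into normal mode and run the FortiClient installer again.'
    }
}
```

Running `-Mode Leave` before the normal-mode reboot is the step people forget; checking `$LASTEXITCODE` after each bcdedit call catches the case where the boot configuration store could not be written (for example, a non-elevated shell or a BitLocker-protected store that is locked).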
If you configure computers using a cloned hard disk image, you need to remove the unique identifier from the
FortiClient application. You will encounter problems with FortiGate if you deploy multiple FortiClient applications
with the same identifier.
This section describes how to include a custom FortiClient installation in a cloned hard disk image but remove its
unique identifier. On each computer configured with the cloned hard disk image, the FortiClient application will
generate its own unique identifier the first time the computer is started.
2. Right-click the FortiClient icon in the system tray and select Shutdown FortiClient.
3. From the folder where you expanded the FortiClientTools.zip file, run RemoveFCTID.exe. The RemoveFCTID
tool requires administrative rights.
Do not reboot the Windows operating system on the computer before you create the
hard disk image. The FortiClient identifier is created before you log on.
There are multiple ways to deploy FortiClient MSI packages to endpoint devices including using Microsoft Active
Directory (AD). See Firmware images and tools on page 27.
The following instructions are based on Microsoft Windows Server 2008. If you are using a different version of Microsoft Server, your MMC or snap-in locations may be different.
1. On your domain controller, select Start > Administrative Tools > Group Policy Management. The Group Policy
Management MMC Snap-in will open. Expand the Group Policy Objects container and right-click the Group Policy
Object you created to install FortiClient and select Edit. The Group Policy Management Editor will open.
2. Select Computer Configuration > Policy > Software Settings > Software Installation. You will now be able to see
the package that was used to install FortiClient.
3. Right-click the package, select All Tasks > Remove. Choose Immediately uninstall the software from users and
computers, or Allow users to continue to use the software but prevent new installations. Select OK. The package
will delete.
4. If you wish to expedite the uninstall process, on both the server and client computers, force a GPO update as shown in the previous section. The software will be uninstalled at the client computers' next reboot. You can also wait for the client computer to poll the domain controller for GPO changes and uninstall the software then.
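After a GPO-based install or removal, an administrator usually wants to confirm on the endpoint what actually happened rather than trust the policy refresh. The PowerShell below is an added example (not from the FortiClient guide and not Fortinet tooling): it forces the computer-side policy refresh the procedure refers to and then reads the standard Windows uninstall registry keys to report whether a FortiClient package is registered. The "FortiClient*" DisplayName pattern is an assumption; confirm it against an endpoint you installed by hand.

```powershell
# Added example (not from the FortiClient guide): after a GPO software
# installation or removal, force a policy refresh and then read the
# machine's uninstall registry keys to see whether FortiClient is still
# registered. The "FortiClient*" DisplayName pattern is an assumption.
function Get-InstalledFortiClient {
    [CmdletBinding()]
    param([string]$NamePattern = 'FortiClient*')

    # Read both the native and the WOW6432Node views so a 32-bit MSI on a
    # 64-bit host is not missed.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString
}

function Invoke-GpoRefreshAndCheck {
    # Equivalent of "force a GPO update" in the procedure above. Software
    # installation policy itself is only applied at the next startup, so a
    # package that is still listed here may disappear after the reboot.
    & gpupdate.exe /target:computer /force | Out-Null

    $found = @(Get-InstalledFortiClient)
    if ($found.Count -gt 0) {
        Write-Host 'FortiClient package(s) registered on this host:'
        $found | Format-Table -AutoSize | Out-String | Write-Host
    } else {
        Write-Host 'No FortiClient package registered on this host (or it will be removed at the next reboot).'
    }
    # Return a boolean so the function can drive a fleet-wide report.
    return ($found.Count -gt 0)
}

Invoke-GpoRefreshAndCheck
```

Run it locally on a client, or wrap `Invoke-GpoRefreshAndCheck` in `Invoke-Command -ComputerName ...` to collect the boolean from many endpoints and compare the result with what the GPO was supposed to do.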
When FortiClient Telemetry connects to FortiGate, the user's AD domain name and group are both sent to
FortiGate. Administrators may configure FortiGate to deploy endpoint and/or firewall profiles based on the end
user's AD domain group.
• Configure FortiGate
• Connect FortiClient Telemetry to FortiGate
• Monitor FortiClient connections
Configure FortiAuthenticator
Configure FortiAuthenticator to use the AD server that you created. For more information see the
FortiAuthenticator Administration Guide in the Fortinet Document Library.
Configure FortiGate
Create any number of FortiClient profiles with different groups and different settings.
The default profile will be assigned to users who connect successfully, but have no
matching FortiClient profile.
Configure the firewall policy. Ensure that Compliant with FortiClient Profile is selected in the policy.
Following this, endpoint connections will send the logged-in user's name and domain to the FortiGate. The
FortiGate will assign the appropriate profiles based on the configurations.
Upgrade FortiClient
For information about supported upgrade paths for FortiClient, see the FortiClient Release Notes.
For FortiClient in managed mode, an administrator might control FortiClient upgrades for you, and you might be
unable to manually upgrade FortiClient. See also EMS and automatic upgrade of FortiClient on page 23.
During a FortiClient upgrade to 5.6.0, FortiClient installs the same features that were previously installed. If you
want to install different features, you must uninstall the previous version of FortiClient, and install FortiClient
5.6.0 with the desired features.
To upgrade FortiClient:
FortiClient Telemetry
In managed mode, FortiClient uses a gateway IP address to connect FortiClient Telemetry to FortiGate or EMS.
When your administrator has configured FortiGate for network access control (NAC), you must connect FortiClient Telemetry to FortiGate to access the network, and you must also maintain a compliant status to retain access to the network. See also Compliance on page 43.
For information about creating Telemetry gateway IP lists, see Telemetry Gateway IP Lists on page 23.
Telemetry data
When FortiClient Telemetry is connected to FortiGate and/or EMS, the following data about the endpoint and its
workload is collected and sent to FortiGate and/or EMS:
FortiClient uses the following methods in the following order to locate FortiGate or EMS for Telemetry connection:
• Manual entering of the gateway IP address, which means that the endpoint user enters the gateway IP address of FortiGate or EMS into FortiClient console. See Connect FortiClient Telemetry manually on page 43.
• Telemetry Gateway IP list
FortiClient Telemetry searches for IP addresses in its subnet in the Gateway IP list. It connects to the FortiGate in the list that is also in the same subnet as the host system.
If FortiClient cannot find any FortiGates in its subnet, it will attempt to connect to the first reachable FortiGate in the list, starting from the top. The order of the list is maintained as it was configured in the Gateway IP list.
FortiClient obtains the default gateway IP address from the operating system on the endpoint device. The default gateway IP address of the endpoint device should be the IP address for the FortiGate interface with Telemetry enabled.
• VPN
• Remembered gateway IP list
You can configure FortiClient to remember gateway IP addresses when you connect Telemetry to FortiGate or EMS. Later FortiClient can use the remembered IP addresses to automatically connect Telemetry to FortiGate or EMS.
FortiClient uses the same process to connect Telemetry to FortiGate or EMS after the FortiClient endpoint reboots, rejoins the network, or encounters a network change.
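The Gateway IP list rule above (same-subnet entry first, otherwise the first reachable entry in configured order) decides which FortiGate an endpoint will report to, which matters when a list mixes production and lab gateways. The PowerShell below is an added example that models that selection rule so you can predict the outcome for a given endpoint address; it is not FortiClient's own code and the function names are invented for the illustration. Reachability is injected as a script block, so the sample runs offline against constructed data; on a live host you would pass `{ param($ip) Test-Connection -ComputerName $ip -Count 1 -Quiet }` and take the prefix length from `Get-NetIPAddress`.

```powershell
# Added example (not FortiClient's own code): a model of the Gateway IP
# list selection order described above. Function names are invented for
# the illustration; the sample addresses and reachability map are
# constructed test data.

function ConvertTo-UInt32Address {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)            # network order -> little-endian host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-SameSubnet {
    param([string]$HostIp, [int]$PrefixLength, [string]$Candidate)
    # Build the netmask from the prefix length, e.g. /24 -> 0xFFFFFF00.
    $mask = [uint32]0
    if ($PrefixLength -gt 0) {
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    }
    ((ConvertTo-UInt32Address $HostIp) -band $mask) -eq ((ConvertTo-UInt32Address $Candidate) -band $mask)
}

function Select-TelemetryGateway {
    param(
        [string]$HostIp,
        [int]$PrefixLength,
        [string[]]$GatewayIpList,      # entries in the order they were configured
        [scriptblock]$Reachable        # { param($ip) ... } returning $true/$false
    )
    # 1. Prefer an entry in the endpoint's own subnet; list order is kept.
    foreach ($gw in $GatewayIpList) {
        if (Test-SameSubnet -HostIp $HostIp -PrefixLength $PrefixLength -Candidate $gw) {
            return $gw
        }
    }
    # 2. Otherwise, the first reachable entry starting from the top.
    foreach ($gw in $GatewayIpList) {
        if (& $Reachable $gw) { return $gw }
    }
    # 3. Nothing matched: FortiClient falls through to the next method
    #    (default gateway, VPN, remembered list), which this model omits.
    return $null
}

# Constructed sample data: a three-entry Gateway IP list as configured, and a
# map of which entries answer a probe right now.
$gatewayList = @('192.0.2.10', '10.20.30.1', '198.51.100.5')
$answering   = @{ '192.0.2.10' = $false; '10.20.30.1' = $true; '198.51.100.5' = $true }
$probe       = { param($ip) [bool]$answering[$ip] }

# Endpoint inside 10.20.30.0/24: the same-subnet entry wins even though it
# is second in the list.
Select-TelemetryGateway -HostIp '10.20.30.77' -PrefixLength 24 -GatewayIpList $gatewayList -Reachable $probe

# Endpoint on an unrelated subnet: no subnet match, the first entry does not
# answer, so the next reachable entry is chosen.
Select-TelemetryGateway -HostIp '172.16.5.9' -PrefixLength 24 -GatewayIpList $gatewayList -Reachable $probe
```

The point of separating the subnet pass from the reachability pass is that it mirrors the two-stage rule in the text: an entry in the endpoint's subnet is chosen by address alone, and only when no such entry exists does list order plus reachability decide.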
After FortiClient software installation completes on an endpoint, FortiClient automatically launches and searches for FortiGate or EMS to connect FortiClient Telemetry. See also How FortiClient locates FortiGate or EMS on page 39.
1. When FortiClient locates a FortiGate or EMS, the FortiGate Detected or Enterprise Management Server (EMS) Detected dialog box is displayed.
Following is an example of the FortiGate Detected dialog box:
Following is an example of the Enterprise Management Server (EMS) Detected dialog box:
Endpoint User: Displays the name of the endpoint user that is logged into the endpoint device.
Profile Details: Available only when EMS is detected. Click to display details of the profile that FortiClient will receive after you accept connection to EMS. See also EMS and endpoint profiles on page 20.
Remember this FortiGate: Available only when FortiGate is detected. Select for FortiClient to remember the gateway IP address of the FortiGate to which you are connecting Telemetry. See also Remember gateway IP addresses on page 41.
Remember this Server: Available only when EMS is detected. Select for FortiClient to remember the gateway IP address of the EMS to which you are connecting Telemetry. See also Remember gateway IP addresses on page 41.
After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient receives compliance rules from
FortiGate and/or a profile from EMS. A system tray bubble message will be displayed once the download is
complete.
When you confirm Telemetry connection to FortiGate or EMS, you can instruct FortiClient to remember the gateway IP address of the FortiGate or EMS. If a connection key is required, FortiClient remembers the connection password too. FortiClient can remember up to 20 gateway IP addresses for FortiGate and EMS.
The remembered IP addresses display in the Local Gateway IP list. FortiClient can use the remembered gateway IP addresses to automatically connect to FortiGate or EMS.
1. In the FortiGate or EMS Detected dialog box, select the Remember this FortiGate or Remember this EMS (not shown) check box.
2. Click Accept.
FortiClient remembers the IP address and password, if applicable.
Compliance
The Compliance tab displays whether FortiClient Telemetry is connected to FortiGate or EMS. You can use the
Compliance tab to manually connect FortiClient Telemetry to FortiGate or EMS and to disconnect FortiClient
Telemetry from FortiGate or EMS.
When FortiClient Telemetry is connected to FortiGate, and endpoint control is enabled by the FortiGate
administrator, the Compliance tab displays whether FortiClient and the endpoint device are compliant with the
FortiGate compliance rules and provides information about maintaining a compliant endpoint.
Enable compliance
For FortiClient in standalone mode, the Compliance tab is visible, but not used.
For FortiClient in managed mode, an administrator enables and configures the Compliance tab by using
FortiOS.
If FortiClient Telemetry was not automatically connected after FortiClient installation, you can manually connect
FortiClient Telemetry to FortiGate or EMS.
FortiClient Telemetry establishes the primary connection to FortiGate, and FortiClient receives a profile of
compliance rules from FortiGate. FortiClient Telemetry also automatically establishes a secondary
connection to EMS, and FortiClient receives a profile of configuration information from EMS.
1. On the Compliance tab, click the Click to Disconnect link. A confirmation dialog box is displayed.
After you disconnect FortiClient Telemetry from FortiGate or EMS, FortiClient Telemetry automatically connects with the FortiGate or EMS when you re-join the network. See also Forget gateway IP addresses on page 51.
Information available on the Compliance tab depends on whether FortiClient is running in standalone mode or
managed mode. In managed mode, the information displayed on the Compliance tab also depends on whether
FortiClient Telemetry is connected to FortiGate or EMS.
Standalone mode
When FortiClient is running in standalone mode, the Compliance tab is visible, but not used. The Compliance
tab is labeled Not Participating.
If you want to use the compliance feature, you must connect FortiClient Telemetry to FortiGate.
FortiGate or EMS: Type the IP address or URL of FortiGate or EMS, and click Connect to connect FortiClient Telemetry.
Show IP List that this FortiClient is sending Telemetry data to: Click the icon to display the list of gateway IP addresses. You can click an IP address in the list to populate the FortiGate IP box.
Unlocked icon: View the unlocked icon to learn that the settings in FortiClient console are unlocked, and endpoint users can change them.
Compliance information: View the icon to learn that the compliance enforcement feature requires FortiClient Telemetry connection to FortiGate.
EMS information: View the name and IP address of the EMS to which FortiClient Telemetry is connected. You can disconnect by clicking the Click to Disconnect link.
View the name of the user logged into the endpoint. See also Access endpoint details on page 48.
Click the Show IP List That This FortiClient is Sending Telemetry Data To link to view the gateway IP list being used for FortiClient Telemetry connection.
FortiClient Telemetry information: View how often FortiClient Telemetry communicates with FortiClient EMS and when the next communication will occur. FortiClient Telemetry communicates information between FortiClient and EMS.
Locked icon: View the locked icon to learn that the settings in FortiClient console are locked by EMS, and endpoint users cannot change them.
When FortiClient Telemetry is connected to FortiGate, and the FortiGate administrator has enabled compliance, NAC is enforced, and you might be required to maintain a compliant status to access the network, depending on how FortiGate enforces NAC.
If FortiGate is configured to block network access for endpoints with not-compliant status, the following requirements must be met to maintain a compliant status and network access:
When FortiGate is integrated with EMS, the endpoint might also receive a profile from EMS that contains FortiClient configuration information.
If FortiGate is configured to warn endpoints about not-compliant status, you can acknowledge the status and
access the network without fixing the issues that are causing a not-compliant status.
Compliance status: View the icon to learn that the endpoint is in compliance with FortiGate compliance rules. See also Fix not compliant (blocked) on page 53 and Fix not compliant (warning) on page 57.
FortiGate information: View the name and IP address of the FortiGate to which FortiClient Telemetry is connected. You can disconnect by clicking the Click to Disconnect link.
User information: View the name of the user logged into the endpoint. See also Access endpoint details on page 48. Click the Show Compliance Rules from <FortiGate> link to display the compliance rules for FortiGate. Click the Show IP List That This FortiClient is Sending Telemetry Data To link to view the gateway IP list being used for FortiClient Telemetry connection.
FortiClient Telemetry information: View how often FortiClient Telemetry communicates with FortiGate and when the next communication will occur. FortiClient Telemetry communicates information between FortiClient and FortiGate, sending status information to FortiGate and receiving network-access rules from FortiGate. When FortiGate is integrated with EMS, notification information is also sent to EMS. EMS might also send endpoint profiles of configuration information to FortiClient.
Locked icon: View the locked icon to learn that the settings in FortiClient console are locked by EMS, and you cannot change them.
Unlocked icon: View the unlocked icon to learn that the settings in FortiClient console are unlocked, and endpoint users can change them.
When FortiClient is in managed mode, you can access details on the Compliance tab about the logged in user,
the endpoint, and FortiGate or EMS.
1. On the Compliance tab, view the name of the user beside the View Details link.
2. Click the View Details link to view the following information:
Online/offline: Displays whether the endpoint is online or offline. A green icon indicates the endpoint is online.
Off-Net/On-Net: Displays whether the endpoint is on-net or off-net. A green On-Net icon indicates the endpoint is on-net. A gray off-net icon indicates the endpoint is off-net. See also On-net / off-net status with FortiGate and EMS on page 51.
Username: Displays the name of the user logged into FortiClient on the endpoint.
Hostname: Displays the name of the endpoint device on which FortiClient is installed.
Domain: Displays the name of the domain to which the endpoint is connected, if applicable.
Retrieve user picture from: Displays where FortiClient is automatically seeking to retrieve a picture for the user, such as from Windows Login / AD, LinkedIn Account, and so on. Alternately you can specify a picture by clicking the Specify link. If FortiClient cannot locate a picture, no picture is used.
Alternately, you can direct FortiClient to retrieve the picture from one of the following cloud applications, if you have an account:
• LinkedIn account
• Google account
• Salesforce account
You can also manually specify a picture for FortiClient to use.
When the endpoint has a not-compliant status, an exclamation mark indicates which compliance rules are not
met. See View unmet compliance rules on page 54.
1. On the Compliance tab, click the Show Compliance Rules From <FortiGate> link.
The compliance rules from FortiGate are displayed.
The gateway IP lists are used to automatically connect FortiClient Telemetry to FortiGate or EMS.
1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.
The Gateway IP List and the Local Gateway IP List are displayed.
1. On the Compliance tab, click the Show IP List That This FortiClient is Sending Telemetry Data to link.
2. In the Remembered FortiGate List, click Forget beside the gateway IP addresses that you no longer want FortiClient to remember.
3. Click X to close the list.
The following rules identify when FortiGate, EMS, or FortiClient determine the status:
• When endpoints connect FortiClient Telemetry to FortiGate or EMS, FortiGate or EMS determines whether the endpoint has an on-net or off-net status.
• When endpoints cannot connect FortiClient Telemetry to FortiGate or EMS, FortiClient determines the on-net or off-net status, based on the on-net subnets.
When FortiGate and EMS are integrated, the primary FortiClient Telemetry connection is to FortiGate, and FortiGate calculates the status.
FortiGate
The version of FortiClient and FortiOS do not affect the on-net, off-net, or online status. The following examples show how FortiGate determines the status for the endpoint:
• The endpoint has a status of on-net when the endpoint is behind a FortiGate, and the endpoint receives option 224 with the FortiGate serial number. In this case, FortiGate is the DHCP server, and FortiGate checks that the serial
EMS
The version of FortiClient and EMS do not affect the on-net, off-net, or online status. The following table shows how various configurations determine the status for the endpoint when FortiClient Telemetry is connected to EMS:
EMS DHCP On-net / Off-net Setting | On-net Subnet | Option 224 Serial Number | Endpoint Status
The following examples show how EMS determines the status for the endpoint:
• The endpoint has a status of offline when the endpoint cannot connect FortiClient Telemetry to EMS, and the endpoint is outside one of the on-net networks.
• The endpoint has a status of offline on-net when the endpoint cannot connect FortiClient Telemetry to EMS, but the endpoint is inside one of the on-net networks.
On-net subnets have higher priority over other settings. In addition, EMS doesn't compare the Option 224 serial number. As long as the endpoint has the serial number, EMS assumes that the endpoint is behind a FortiGate and is on-net.
When an endpoint is not compliant with FortiGate compliance rules, and FortiGate is configured with a non-
compliance action of block, the endpoint is blocked from accessing the network, and the Compliance tab displays
a not-compliant status:
Compliance status: View the icon to learn that the endpoint is not-compliant with FortiGate compliance rules and might be blocked from accessing the network. You have some time to fix the not-compliant issues before FortiGate blocks network access. See also Compliance and vulnerability scanning on page 107.
Compliance rules: View the compliance rules by clicking the Show Compliance Rules from <FortiGate> link and see which rules are unmet.
IP list for FortiClient Telemetry: Click the Show IP List That This FortiClient is Sending Telemetry Data To link to view the gateway IP list being used for FortiClient Telemetry connection.
Fix non-compliance settings: Click the Fix Non-Compliant Settings button to try and return FortiClient to a compliant status. This option is not available when FortiClient settings are locked by EMS.
You can take the following steps to fix the not-compliant status and return the endpoint to a compliant status:
• View which compliance rules are unmet. See View unmet compliance rules on page 54.
• Update the FortiClient configuration, if the option is available. See Fix Not-Compliant Settings on page 55.
• Fix detected vulnerabilities by using the automatic patching features. See Automatically fix detected vulnerabilities on page 109.
• Manually install software patches, if required. See Manually fix detected vulnerabilities on page 111.
• Manually fix system compliance:
  • Create or modify the requested registry
FortiClient must be installed with the correct setup to adhere to the compliance rules.
See also FortiClient setup types and modules on page 26.
1. On the Compliance tab, click the Show Compliance Rules From <FortiGate> link.
The compliance rules from FortiGate are displayed, and the exclamation mark indicates an unmet
compliance rule.
In the following example, the compliance rule states that Vulnerability Scan should be enabled, and Endpoint should not have any High or Above Vulnerabilities. The exclamation mark indicates that FortiClient or the endpoint is failing to meet the compliance rule.
2. Click the exclamation mark to view information about what is not compliant.
A pop-up bubble message is displayed that identifies what part of the FortiClient configuration is not-
compliant, for example, vulnerabilities were found for the Windows operating system.
When FortiClient has a not-compliant status, and the Fix Non-Compliant Settings link
is not displayed, endpoint users should contact their system administrator for help with
configuring the endpoint and FortiClient console to remain compliant with FortiGate.
The not-compliant settings are fixed, and the endpoint returns to a status of compliant.
Symptom: No network access and no FortiClient software installed
Cause: FortiClient is not installed, and FortiClient Telemetry is not connected.
Solution: FortiGate displays a portal in a web browser, and the portal includes a link to the FortiClient installer. Download and install FortiClient software, and connect FortiClient Telemetry to FortiGate. See Connect FortiClient Telemetry after installation on page 40.

Symptom: No network access and a Not Participating status on the Compliance tab in FortiClient console
Cause: FortiClient Telemetry is not connected.
Solution: In FortiClient console, connect FortiClient Telemetry to FortiGate. See Connect FortiClient Telemetry manually on page 43.

Symptom: No network access and Not Compliant status on the Compliance tab in FortiClient console
Cause: Endpoint software or FortiClient configuration does not meet compliance rules.
Solution: View unmet compliance rules and configure FortiClient to meet them. In some cases, you might need to contact your system administrator for help. See View unmet compliance rules on page 54.

Symptom: No network access and Compliant status on the Compliance tab in FortiClient console
Cause: FortiGate is configured to warn endpoint users about network access, and you haven't clicked the I Agree button.
Solution: Click the I Agree button in the web portal browser displayed by FortiGate. See Fix not compliant (warning) on page 57.
When an endpoint is not compliant with FortiGate compliance rules, and FortiGate is configured with a non-compliance action of warn, the Compliance tab displays the following information icon with not-compliant status:
Compliance status: View the icon to learn that the endpoint is warned about the not-compliant status with FortiGate compliance rules. Access to the network is blocked until the endpoint user acknowledges the warning by either clicking the Proceed Anyway button in FortiClient console or clicking the I Agree button in the FortiGate web portal.
Compliance rules: View the compliance rules by clicking the Show Compliance Rules from <FortiGate> link and see which compliance rules are unmet.
IP list for FortiClient Telemetry: Click the Show IP List That This FortiClient is Sending Telemetry Data To link to view the gateway IP list being used for FortiClient Telemetry connection.
Fix Non-Compliant Settings: Click the Fix Non-Compliant Settings button to try and return FortiClient to a compliant status. This option is not available when FortiClient settings are locked by EMS.
Proceed Anyway: Click Proceed Anyway to acknowledge the not-compliant status and access the network without fixing all reported issues.
FortiGate also displays a warning portal that includes an I Agree button at the bottom of the page:
When FortiGate warns endpoints about a not-compliant status, you can choose one of the following actions:
• Fix the not-compliant issues and return the endpoint to a status of compliant, and then access the network with a compliant status.
• Acknowledge the not-compliant status and access the network by clicking either Proceed Anyway in FortiClient console or clicking I Understand in the warning portal.
If you choose to access the network without fixing the not-compliant issues, you must acknowledge the warning before you can access the network.
You only need to click either Proceed Anyway in the FortiClient console or I Understand in the warning portal. You do not need to click both buttons. After you click one of the buttons, FortiClient and FortiGate communicate with each other to relay the acknowledgment. For example, if you click Proceed Anyway in the FortiClient console, FortiClient communicates the acknowledgment to FortiGate, and you are not required to click I Understand in the warning portal.
To proceed anyway:
Quarantined endpoints
In certain situations, an administrator might quarantine an endpoint. When an endpoint is quarantined, the
following page is displayed, and the endpoint user loses network access. Contact your system administrator for
assistance.
Sandbox Detection
FortiClient supports integration with FortiSandbox. When configured, FortiSandbox automatically scans files that are executed on the endpoint, or executed from removable media attached to the endpoint or from mapped network drives. FortiSandbox can also automatically scan files that are downloaded from the Internet or email to the endpoint. Endpoint users can also manually submit files to FortiSandbox for scanning.
Access to files can be blocked until the FortiSandbox scanning result is returned.
When scanning is complete, FortiSandbox can quarantine infected files or alert and notify the endpoint user of
infected files without quarantining the files.
As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such
samples. FortiClient periodically downloads the latest AV signatures from FortiSandbox, and applies them locally
to all real-time and on-demand AntiVirus scanning.
You can enable FortiClient to work with FortiSandbox, if you have a FortiSandbox unit.
Disable Sandbox Detection
2. Clear the Enable FortiSandbox Detection & Analysis check box, and click OK.
FortiSandbox Detection is disabled.
Configure Sandbox Detection
You can configure what files are automatically submitted from the endpoint to FortiSandbox for scanning. You
can also configure whether FortiSandbox quarantines infected files and whether to exclude any files or folders
from FortiSandbox scanning.
Wait for FortiSandbox results before allowing file access: Select to wait for FortiSandbox analysis results before files can be accessed. Clear the check box to allow file access before FortiSandbox results are known.
Timeout seconds: Specify the timeout duration in seconds. After the time expires, file access is allowed, even if FortiSandbox hasn't returned results, and if the Deny Access to file if Sandbox unreachable option is disabled. When set to 0, the downloaded file is always released and the pop-up window is never displayed. See also Use the pop-up window on page 69.
Deny Access to file if Sandbox is unreachable: Select to deny access to files when FortiClient cannot reach FortiSandbox for file analysis. Clear the check box to allow file access if the FortiSandbox unit cannot be reached for scanning. See also Examples of FortiSandbox availability and scanning results on page 63.
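The three options above interact: whether a downloaded file is held, released or denied depends on the wait setting, the timeout and the unreachable-sandbox setting, and on whether a verdict arrives in time. The following Python model is an added example, not FortiClient code; the setting names, the verdict states and the timelines are constructed here, and the rule applied when the timeout expires with no result (release the file unless Deny Access to file if Sandbox is unreachable is enabled) is our reading of the table.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """What FortiClient currently knows about a file (constructed states for this example)."""
    CLEAN = "clean"
    MALWARE = "malware"
    PENDING = "pending"          # submitted, FortiSandbox has not returned a result yet
    UNREACHABLE = "unreachable"  # FortiSandbox could not be contacted


@dataclass(frozen=True)
class SandboxSettings:
    """The three options from the table; the field names are ours, not FortiClient's."""
    wait_for_results: bool = True      # Wait for FortiSandbox results before allowing file access
    timeout_seconds: int = 60          # Timeout seconds; 0 means the file is always released
    deny_if_unreachable: bool = False  # Deny Access to file if Sandbox is unreachable


def file_access_decision(settings: SandboxSettings, verdict: Verdict, elapsed: int) -> str:
    """Return 'allow', 'deny', 'quarantine', or 'hold' (still waiting, pop-up window shown)."""
    if verdict is Verdict.MALWARE:
        return "quarantine"
    if verdict is Verdict.CLEAN:
        return "allow"
    if verdict is Verdict.UNREACHABLE:
        return "deny" if settings.deny_if_unreachable else "allow"
    # Verdict.PENDING: the answer depends on the wait and timeout settings.
    if not settings.wait_for_results or settings.timeout_seconds == 0:
        return "allow"  # released before the result is known; no pop-up is displayed
    if elapsed < settings.timeout_seconds:
        return "hold"   # keep the file blocked and show the pop-up
    # Timeout expired with no result. Assumption: access is granted unless the
    # "Deny Access to file if Sandbox is unreachable" option is enabled.
    return "deny" if settings.deny_if_unreachable else "allow"


def simulate_download(settings: SandboxSettings, verdict_at: dict, horizon: int = 300) -> tuple:
    """Step through seconds 0..horizon; verdict_at maps a second to the verdict arriving then.

    Returns (final decision, seconds the user was held). Timelines are constructed inputs.
    """
    verdict = Verdict.PENDING
    for second in range(horizon + 1):
        verdict = verdict_at.get(second, verdict)
        decision = file_access_decision(settings, verdict, second)
        if decision != "hold":
            return decision, second
    return "hold", horizon


if __name__ == "__main__":
    defaults = SandboxSettings()
    print(simulate_download(defaults, {12: Verdict.CLEAN}))    # ('allow', 12)
    print(simulate_download(defaults, {}))                      # ('allow', 60): timed out
    strict = SandboxSettings(deny_if_unreachable=True)
    print(simulate_download(strict, {3: Verdict.UNREACHABLE}))  # ('deny', 3)
```

The timed-out case is the one worth checking on a real deployment: with the defaults, a file whose verdict never arrives is released after the timeout, so the timeout is effectively the upper bound on how long sandboxing can delay a user, not a guarantee that the file was analysed.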
FortiSandbox Submission Options
All files executed from removable media: Select to submit all files that are executed on removable media, such as USB drives, to FortiSandbox for analysis. Clear the check box to disable this feature.
All files executed from mapped network drives: Select to submit all files that are executed on mapped network drives to FortiSandbox for analysis. Clear the check box to disable this feature.
All web downloads: Select to submit all web downloads on the endpoint to FortiSandbox for analysis. Clear the check box to disable this feature.
All email downloads: Select to submit all email downloads on the endpoint to FortiSandbox for analysis. Clear the check box to disable this feature.
Remediation Options
Alert & Notify only: Select to alert and notify the endpoint user about infected files, but not quarantine infected files.
Configure exceptions
To configure exceptions:
Exceptions
Exclude files from trusted sources: Select to exclude files from trusted sources from FortiSandbox analysis. Click the i icon to view the list of trusted sources. You cannot change the list of trusted sources.
Exempt specified files / folders: Select to exempt specified files and/or folders from FortiSandbox analysis. You must also create the exclusion list.
3. If you selected Exempt specified files / folders, you must create the exclusion list. See Manage the Sandbox Detection exclusion list on page 64.
You can also remove files and folders from the exclusion list.
3. Click the + icon, and select either Add file or Add folder.
A Browse dialog box is displayed.
The file or folder is added to the exclusion list, and will not be scanned by FortiSandbox.
Scan with FortiSandbox on demand
You can send files to FortiSandbox for scanning on demand when FortiSandbox is enabled and online.
1. Right-click a file and select Scan with FortiSandbox from the menu.
FortiSandbox scan results are displayed on the Sandbox Detection tab and in a pop-up window.
When a virus is detected, FortiClient creates a notification alert. See View notifications on page 70.
View Sandbox Detection results
Files Submitted: Displays the number of files submitted to FortiSandbox for scanning.
Malware Detected: Displays the number of detected malware files. Click the <number> link beside Malware Detected to view details about the files.
Clean: Displays the number of files determined clean after FortiSandbox scanning.
Pending analysis: Displays the number of files waiting for FortiSandbox scanning.
You cannot restore and delete quarantined files when FortiClient is in managed mode.
Summary
Date Quarantined: Lists the date and time that the files were quarantined by FortiSandbox.
Quarantined: Date and time that the file was quarantined by FortiSandbox.
Submitted: Displays Not Submitted when the selected file has not been submitted to FortiGuard for analysis by clicking the Submit button. Displays Submitted after clicking the Submit button.
3. Select a file from the list to view detailed information about the file.
4. Click Close.
4. Click Yes to restore the file and add it to the exclusion list or No to restore the file without adding it to the
exclusion list.
5. If the message "Administrative privileges are required to change settings. Press Elevate to obtain these privileges." is displayed, click Elevate.
The file is restored.
4. Click Yes.
The file is deleted.
The settings for the Wait for FortiSandbox scan result before allowing file access
and Timeout seconds options affect when the pop-up window is displayed. See also
Configure Sandbox Detection on page 62.
As FortiSandbox scans and releases files, a pop-up window is displayed to inform you. You can view the recent
scans by clicking the View recent scans option.
When FortiSandbox detects a virus and quarantines a file, the Virus Alert window is displayed.
You can use the Virus Alert window to view information about the recently scanned files by clicking the View
recently detected virus(es) option.
With the information expanded, you can select a quarantined file and click the Restore button to restore the file.
Endpoint users can only restore quarantined files with FortiClient in standalone mode.
View notifications
Select the notifications icon in the FortiClient console to view notifications. When a virus has been detected, the
notifications icon will change from gray to yellow or red.
For FortiClient in standalone mode, you can also clear the entries by clicking the Clear button. This option is not
available for FortiClient in managed mode.
To view notifications:
1. In FortiClient Console, click the Notifications icon (an exclamation mark) in the top-right corner.
The list of notifications is displayed.
Antivirus
FortiClient includes an antivirus component to scan system files, executable files, removable media, dynamic-link
library (DLL) files, and drivers. FortiClient will also scan for and remove rootkits. In FortiClient, file-based
malware, malicious websites, phishing, and spam URL protection are part of the antivirus component.
The AntiVirus tab is displayed in FortiClient console when FortiClient is installed with
Additional Security Features and AntiVirus selected.
For FortiClient in managed mode, when FortiClient Telemetry is connected to FortiGate or EMS, an administrator might enable, configure, and lock realtime protection. You can enable realtime protection if the FortiClient console is not locked by EMS, and realtime protection is excluded from FortiGate compliance rules.
2. Select the Scan files as they are downloaded or copied to my system check box.
3. Click OK.
If you have another antivirus program installed on your system, FortiClient displays a warning that your system
may lock up due to conflicts between different antivirus products. See Third-party antivirus software and realtime
protection on page 72.
In managed mode, when FortiClient Telemetry is connected to FortiGate, the FortiGate compliance rules might
allow third-party antivirus software to be used as part of the compliance rules. In this case, realtime protection in
FortiClient console should be disabled.
Disable realtime protection
When FortiClient Telemetry is connected to FortiGate or EMS, you might be unable to disable realtime protection. You can disable realtime protection when the FortiClient console is not locked by EMS, and realtime protection is excluded from FortiGate compliance rules.
2. Clear the Scan files as they are downloaded or copied to my system check box, and click OK.
Configure AntiVirus
You can block access and communication channels, update the antivirus database, schedule antivirus scanning,
add files or folders to exclusion lists, and configure additional antivirus options.
1. On the AntiVirus tab, select the settings icon to open the real-time protection settings page.
2. Select the Block all access to malicious websites check box.
3. Perform one of the following actions:
- Select the Use Web Filter exclusion list check box if you want to use the exclusion list for the Web Security/Web Filter tab. See Manage the Web Filter/Web Security exclusion list on page 86.
- Clear the Use Web Filter exclusion list check box to use the exclusion list for the Antivirus tab. You must define an exclusion list. See Manage the AntiVirus exclusion list on page 75.
4. Select the Block known communication channels used by attackers check box.
5. Click OK.
If you configure monthly scans to occur on the 31st of each month, the scan will occur
on the first day of the month for those months with less than 31 days.
1. On the AntiVirus tab, click the Settings icon beside Realtime Protection.
2. Click the Scheduled Scan tab.
Schedule Type: Select Daily, Weekly, or Monthly from the drop-down list.
Scan On: For Weekly scheduled scans, select the day of the week in the drop-down list. For Monthly scheduled scans, select the day of the month in the drop-down list.
Start: Select the time of day to start the scan. The time format uses a 24-hour clock.
4. Click OK to save the setting and return to the main FortiClient console page.
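The scheduling rules above, including the note about monthly scans configured for the 31st, as an added Python example (not FortiClient code): it computes the next run for a Daily, Weekly or Monthly schedule. The reading of the short-month rule used here, that a day missing from a month runs on the 1st of the following month, is our assumption, as are the function and parameter names.

```python
import calendar
from datetime import date, datetime, time, timedelta

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def monthly_run_date(year: int, month: int, day_of_month: int) -> date:
    """Date of the monthly scan for one calendar month, applying the short-month rule."""
    days_in_month = calendar.monthrange(year, month)[1]
    if day_of_month <= days_in_month:
        return date(year, month, day_of_month)
    # Month is too short (e.g. day 31 in February): assumed to run on the 1st of the next month.
    next_year, next_month = (year + 1, 1) if month == 12 else (year, month + 1)
    return date(next_year, next_month, 1)


def next_scan(schedule_type: str, now: datetime, start: time, scan_on=None) -> datetime:
    """Next run strictly after `now`.

    schedule_type: 'Daily', 'Weekly' (scan_on = weekday name) or 'Monthly' (scan_on = 1..31).
    start: time of day on a 24-hour clock, as on the Scheduled Scan tab.
    """
    if schedule_type == "Daily":
        candidate = datetime.combine(now.date(), start)
        return candidate if candidate > now else candidate + timedelta(days=1)
    if schedule_type == "Weekly":
        days_ahead = (WEEKDAYS.index(scan_on) - now.weekday()) % 7
        candidate = datetime.combine(now.date() + timedelta(days=days_ahead), start)
        return candidate if candidate > now else candidate + timedelta(days=7)
    if schedule_type == "Monthly":
        if not 1 <= scan_on <= 31:
            raise ValueError("day of month must be 1..31")
        # Start one month back: a short month's run can roll into the current month.
        year, month = (now.year - 1, 12) if now.month == 1 else (now.year, now.month - 1)
        for _ in range(14):
            candidate = datetime.combine(monthly_run_date(year, month, scan_on), start)
            if candidate > now:
                return candidate
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    raise ValueError(f"unknown schedule type {schedule_type!r}")


if __name__ == "__main__":
    two_am = time(2, 0)
    print(next_scan("Monthly", datetime(2017, 2, 10, 8, 0), two_am, 31))  # 2017-03-01 02:00
    print(next_scan("Monthly", datetime(2017, 3, 2, 8, 0), two_am, 31))   # 2017-03-31 02:00
```

Note what the rollover implies for a day-31 schedule: March gets two scans (the 1st from February's rollover and the 31st), which is the behaviour the note describes rather than a bug in the model.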
- Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
- Using wildcards to exclude all files with a specified extension, such as *.jrs
- Path variable %windir%
- Path variable %allusersprofile%
- Path variable %systemroot%
- Path variable %systemdrive%
Combinations of wildcards and variables are not supported.
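The exclusion rules above as an added Python example, not FortiClient's own matcher: it validates entries against the supported forms (wildcards, the four path variables, and no combination of the two) and checks whether a file path falls under a valid entry. The variable values and the paths are constructed; matching wildcard entries against the file name only is our assumption.

```python
import fnmatch
import re
from pathlib import PureWindowsPath

# Path variables the AntiVirus exclusion list accepts (from the list above).
SUPPORTED_VARIABLES = {"%windir%", "%allusersprofile%", "%systemroot%", "%systemdrive%"}

# Constructed values; on a real endpoint these come from the environment.
SAMPLE_ENV = {
    "%windir%": r"C:\Windows",
    "%allusersprofile%": r"C:\ProgramData",
    "%systemroot%": r"C:\Windows",
    "%systemdrive%": "C:",
}

VARIABLE_RE = re.compile(r"%[^%\\/]+%")


def validate_exclusion(entry: str) -> tuple:
    """Check one exclusion entry against the rules above. Returns (ok, reason)."""
    if not entry.strip():
        return False, "empty entry"
    has_wildcard = "*" in entry or "?" in entry
    variables = VARIABLE_RE.findall(entry)
    unknown = [v for v in variables if v.lower() not in SUPPORTED_VARIABLES]
    if unknown:
        return False, f"unsupported path variable {unknown[0]}"
    if has_wildcard and variables:
        return False, "combining a wildcard with a path variable is not supported"
    return True, "ok"


def expand_entry(entry: str, env: dict = SAMPLE_ENV) -> str:
    """Replace supported path variables, case-insensitively, as Windows would."""
    def substitute(match):
        return env.get(match.group(0).lower(), match.group(0))
    return VARIABLE_RE.sub(substitute, entry)


def is_excluded(path: str, exclusions: list, env: dict = SAMPLE_ENV) -> bool:
    """True when `path` is covered by a valid entry.

    Wildcard entries are matched against the file name (assumption); plain entries match
    the file exactly or any file under a folder. PureWindowsPath comparisons fold case,
    as the Windows file system does.
    """
    target = PureWindowsPath(path)
    for entry in exclusions:
        ok, _ = validate_exclusion(entry)
        if not ok:
            continue  # an invalid entry excludes nothing
        pattern = expand_entry(entry, env)
        if "*" in pattern or "?" in pattern:
            if fnmatch.fnmatchcase(target.name.lower(), pattern.lower()):
                return True
        else:
            excluded = PureWindowsPath(pattern)
            if target == excluded or excluded in target.parents:
                return True
    return False


if __name__ == "__main__":
    print(validate_exclusion(r"%windir%\*.jrs"))  # (False, 'combining a wildcard ...')
    print(is_excluded(r"C:\Windows\Logs\Edb00001.jrs", ["Edb*.jrs"]))  # True
```

The point a practitioner should take from the validator is that a rejected entry silently excludes nothing: an entry such as %windir%\*.jrs neither errors at scan time nor exempts the files its author expected, so exclusion lists deserve a check like this before they are pushed to endpoints.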
Scan with AntiVirus on demand
You can perform on-demand antivirus scanning. You can scan specific files or folders, and you can submit a file
for analysis.
Scan now
Custom Scan: Runs the rootkit detection engine to detect and remove rootkits. It allows you to select a specific file or folder on your local hard disk drive (HDD) to scan for threats.
Full Scan: Runs the rootkit detection engine to detect and remove rootkits. Then it looks for threats by performing a full system scan on all files, executable files, DLLs, and drivers.
Quick Scan: Runs the rootkit detection engine to detect and remove rootkits. It looks for threats by scanning executable files, DLLs, and drivers that are currently running.
Removable Media Scan: Runs the rootkit detection engine to detect and remove rootkits. It scans all connected removable media, such as USB drives.
1. Right-click the file or folder and select Scan with FortiClient AntiVirus from the menu.
You do not receive feedback for files submitted for analysis. The FortiGuard team is
able to create signatures for any files that are submitted for analysis and determined
to be malicious.
1. On your workstation, right-click a file or executable, and select Submit for analysis from the menu.
A dialog box is displayed that identifies the number of files you have submitted.
2. Confirm the location of the file that you want to submit, and click the Submit button.
View AntiVirus scan results
You can view quarantined threats, site violations, alerts, and realtime protection events when FortiClient is in standalone or managed mode.
Summary
Date Quarantined: Lists the date and time that the files were quarantined by FortiClient.
Submitted: Displays Not Submitted when the selected file has not been submitted to antivirus software for scanning by clicking the Submit button. Displays Submitted after clicking the Submit button.
Submit: Click to submit the quarantined file to FortiGuard. Press and hold the control key to submit multiple entries.
Restore: Click to restore the quarantined file. A confirmation dialog box will be displayed. You can select Yes to add this file/folder to the exclusion list, No to restore the file, or Cancel to exit the operation. Press and hold the control key to restore multiple entries.
Delete: Click to delete the quarantined file. A confirmation dialog box will be displayed. Select Yes to continue. Press and hold the control key to delete multiple entries.
Close: Click to close the page and return to the FortiClient console.
3. Click Close.
Details: Select an entry in the list to view site violation details, including the website name, category, date and time, user name, and status. Select the category link to request to have the site category re-evaluated.
3. Click Close.
View alerts
When FortiClient antivirus detects a virus while attempting to download a file via a web-browser, a warning is
displayed.
Select View recently detected virus(es) to collapse the virus list. Right-click a file in the list to access the
following context menu:
Submit as False Positive: Select to submit a quarantined file to FortiGuard as a false positive.
Add to Exclusion List: Select to add a restored file to the exclusion list. Any files in the exclusion list will not be scanned.
Open File Location: Select to open the file location on your workstation.
You must select Alert when viruses are detected under AntiVirus Options on the Settings page to receive the virus alert dialog box when attempting to download a virus in a web browser. If Alert when viruses are detected is disabled, the virus alert dialog box is not displayed when you attempt to download a virus in a web browser.
View FortiClient engine and signature versions
You can view the current FortiClient version, engine, and signature information.
When EMS manages FortiClient, you can select to use a FortiManager device for FortiClient software and signature updates. When configuring the profile by using EMS, select Use FortiManager for client software/signature updates to enable the feature, and enter the IP address of your FortiManager device. You can select to failover to FDN when FortiManager is not available.
1. Go to Help > About.
2. Hover the mouse over the Status field to see the date and time that FortiClient last updated the selected item.
3. Click Close.
Web Security/Web Filter
Web Security/Web Filter allows you to block, allow, warn, and monitor web traffic based on URL category or
custom URL filters. URL categorization is handled by the FortiGuard Distribution Network (FDN). You can create
a custom URL filter exclusion list that overrides the FDN category.
When FortiClient is in standalone mode, the Web Security tab is displayed. When
FortiClient is in managed mode, and FortiClient Telemetry is connected to FortiGate
or EMS, the Web Security tab changes to the Web Filter tab.
Web Security
The Web Security tab is displayed in FortiClient console when FortiClient is installed with Additional Security Features and Web Filtering selected, and FortiClient is running in standalone mode.
1. On the Web Security tab, click the Enable link in the FortiClient console.
X Violations (In the Last 7 Days): Select to view Web Security log entries of the violations that have occurred in the last 7 days.
Protection by Site Category: Displays the settings as well as a Settings icon. Click the Settings icon to configure the site categories, exclusion list, and settings. You can also view violations.
1. On the Web Security tab, toggle the Disable link in the FortiClient console.
Web Filter
The Web Filter tab is displayed in FortiClient console when FortiClient is installed with
Additional Security Features and Web Filtering selected, and FortiClient Telemetry is
connected to FortiGate or EMS.
You can enable web filtering when the FortiClient console is not locked by EMS, and web filtering is excluded
from FortiGate compliance rules.
1. On the Web Filter tab, click the Enable link in the FortiClient console.
X Violations (In the Last 7 Days): Select to view Web Filter log entries of the violations that have occurred in the last 7 days.
Web Filter Profile: Displays the Web Filter profile settings as well as a Settings icon. Click the Settings icon to configure the site categories, exclusion list, and settings. You can also view violations.
You can disable web filtering if the FortiClient console is not locked by EMS and web filtering is excluded from
FortiGate compliance rules.
Configure web filtering
You can configure web filtering settings, profiles, and exclusion lists.
When FortiClient Telemetry is connected to FortiGate or EMS, you might be unable to configure web filtering.
Block: Set the category or sub-category to Block to block access. The user will receive a Web Page Blocked message in the web browser.
Warn: Set the category or sub-category to Warn to warn the user but allow access. The user will receive a Web Page Warning message in the web browser. The user can select to proceed or go back to the previous web page.
Monitor: Set the category or sub-category to Monitor to allow access. The site will be logged.
You can select to enable or disable Site Categories in the Web Security/Web Filter
settings page. When site categories are disabled, FortiClient is protected by the
exclusion list.
4. Click OK.
For more information on URL formats, type, and action, see the FortiOS Handbook in
the Fortinet Document Library.
Exclusion List: Select to exclude URLs that are explicitly blocked or allowed. Use the add icon to add URLs and the delete icon to delete URLs from the list. Select a URL, and select the edit icon to edit the selection.
5. Click OK.
Configure settings
To configure settings:
Enable Site Categories: Select to enable Site Categories. When site categories are disabled, FortiClient is protected by the exclusion list.
Identify user initiated web browsing: Select to identify web browsing that is user initiated.
4. Click OK.
View violations
To view violations:
Time: The date and time that the website was accessed.
User: The name of the user generating the traffic. Hover the mouse cursor over the column to view the complete entry in the pop-up bubble message.
3. Click Close.
Application Firewall
FortiClient can recognize the traffic generated by a large number of applications. You can create rules to block or
allow traffic per category or application.
For FortiClient in managed mode, when FortiClient Telemetry is connected to FortiGate or EMS, an
administrator might enable, configure, and lock the application firewall settings. You can enable Application
Firewall when the settings are not locked by EMS.
Disable Application Firewall
When FortiClient Telemetry is connected to FortiGate, you might be unable to disable application firewall. You
can disable Application Firewall when the settings are not locked by EMS.
1. On the Application Firewall tab, click the <number> Applications Blocked (In the Last 7 Days) link.
A page listing all blocked applications is displayed.
View application firewall profiles
You can view the application firewall profile when FortiClient Telemetry is connected to EMS.
Remote Access
FortiClient supports both IPsec and SSL VPN connections to your network for remote access. Administrators can use EMS to provision VPN configurations for FortiClient console, and endpoint users can configure new VPN connections by using FortiClient console.
When FortiClient is in managed mode and managed by EMS, FortiClient might include VPN connection configurations for you to use.
Configure VPN connections
You can configure SSL VPN connections and IPsec VPN connections by using FortiClient console.
1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
Remote Gateway: Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Customize port: Select to change the port. The default port is 443.
Authentication: Select Prompt on login or Save login. The Disable option is available when Client Certificate is enabled.
Username: If you selected Save login, type the username to save for the login.
Client Certificate: Select to enable client certificates, then select either Prompt on connect or the certificate from the drop-down list.
Do not Warn Invalid Server Certificate: Select if you do not want to be warned if the server presents an invalid certificate.
- Select a connection and then select the delete icon to delete a connection.
3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.
1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
Authentication Method: Select either X.509 Certificate or Pre-shared Key in the drop-down menu. When you select X.509 Certificate, select either Prompt on connect or a certificate from the list.
Username: If you selected Save login, type the username to save for the login.
VPN Settings
Key Life: Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
Local ID: Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer's Peer Options.
Dead Peer Detection: Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
NAT Traversal: Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Key Life: The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB has been processed. When the phase 2 key expires, a new key is generated without interrupting service.
Enable Replay Detection: Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
Enable Perfect Forward Secrecy (PFS): Select the check box to enable Perfect Forward Secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
DH Group: Select one Diffie-Hellman (DH) group (1, 2, 5, 14, 15, 16, 17, 18, 19 or 20). This must match the DH Group that the remote peer or dialup client uses.
3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.
Connect VPNs
Microsoft Internet Explorer's SSL and TLS settings should be the same as those on the
FortiGate.
To connect to VPNs:
1. On the Remote Access tab, select the VPN connection from the drop-down menu.
Optionally, you can click the system tray, right-click the icon and select a VPN configuration to connect.
Provisioned VPN connections will be listed under Corporate VPN. Locally configured VPN connections will be listed under Personal VPN.
Your administrator might have configured FortiClient to automatically locate a certificate for you.
FortiGate can be configured to let you push a token from FortiClient console to FortiGate to complete network authentication when connecting VPNs. When configured, you can push the token by clicking the FTM Push button in FortiClient console. The push token is sent to FortiGate, and you receive a notification of the authentication request on your device that has FortiToken Mobile installed. On your device, you can tap the notification and follow the instructions to allow or deny the authentication request.
If a push token is not configured, you must type a token code from FortiToken Mobile into FortiClient console
when connecting VPNs.
You must have available the device with FortiToken Mobile installed to complete this procedure.
1. On the Remote Access tab, select the VPN connection from the drop-down menu.
2. Enter your username and password, and click the Connect button.
The Click on 'FTM Push' or enter token code box is displayed.
4. On your device with FortiToken Mobile installed, tap the notification and follow the instructions to allow the
authentication request and complete network authentication without typing the token code.
You can also deny the authentication request, or do nothing and let the notification request expire.
1. On the Remote Access tab, select the VPN connection from the drop-down menu.
2. Enter your username and password, and click the Connect button.
The Enter token code box is displayed.
3. Type the token code from your FortiToken Mobile, and click OK to complete network authentication.
- Save Password: Allows the user to save the VPN connection password in the console.
- Auto Connect: When FortiClient is launched, the VPN connection will automatically connect.
- Always Up (Keep Alive): When selected, the VPN connection is always up, even when no data is being processed. If the connection fails, keep alive packets sent to the FortiGate will sense when the VPN connection is available and re-connect VPN.
After FortiClient Telemetry connects to FortiGate when FortiGate and EMS are integrated, FortiClient receives a profile from EMS that contains IPsec and/or SSL VPN connections to FortiGate. The following example shows an SSL VPN connection named PM-SSL.
If the VPN connection fails, a pop-up window is displayed to inform you about the connection failure while FortiClient continues trying to reconnect VPN in the background.
Depending on the VPN configuration, the pop-up window might include a Cancel button. If you click the Cancel button, FortiClient stops trying to reconnect VPN.
You can select one or more snap-in options, and they will display in the Certificates console. FortiClient typically searches for certificates in one of the following accounts:
- My user account
- Service account
- Computer account
If the certificate is in the user account, FortiClient can access the certificate, if the user has already successfully
logged in, and the same user imported the certificate. In all other scenarios, FortiClient might be unable to
access the certificate.
The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate for users who are logged into the endpoint and connecting VPN tunnels:
User account: Yes, certificate found, if the certificate was imported by the same administrator user / Yes, certificate found, if the certificate was imported by the same user
SmartCard: Yes, certificate found, if the same user that was logged on at the time the card was inserted / Yes, certificate found, if the same user that was logged on at the time the card was inserted
When a user imports a certificate into the user account, a different logged on user cannot access the same certificate.
A certificate on a smart card is imported into the user account of the logged on user. As a result, the same conditions apply as with the user account.
The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate before a user logs into the endpoint:
When deploying a custom FortiClient XML configuration, use the advanced FortiClient
Profile options in EMS to ensure the FortiClient profile settings do not overwrite your
custom XML settings. For more information, see the FortiClient XML Reference.
In FortiClient:
1. Create the VPN tunnels of interest, or connect to FortiClient EMS, which provides the list of VPN tunnels.
2. Enable VPN before logon on the FortiClient Settings page. See VPN options on page 116.
On the Microsoft Windows system,
</connections>
</ipsecvpn>
</vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important
elements to complete the IPsec VPN configuration are omitted.
RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate that responds fastest.
RedundantSortMethod = 0
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority-based configurations will try to connect to the FortiGate units in order, starting with the first in the list.
For SSL VPN, all FortiGate units must use the same TCP port.
When deploying a custom FortiClient XML configuration, use the advanced FortiClient profile options in EMS to ensure the FortiClient profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.
RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based: the VPN connects to the FortiGate or EMS that responds the fastest.
RedundantSortMethod = 0
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based: FortiClient tries the FortiGate or EMS units in the order listed, starting with the first.
</connection>
</connections>
</sslvpn>
</vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important
elements to complete the SSL VPN configuration are omitted.
For SSL VPN, all FortiGate and EMS units must use the same TCP port.
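The two RedundantSortMethod behaviours and the SSL VPN same-port rule above are easier to reason about as code. The following Python model is an added example, not code from the guide or from Fortinet: it reads a constructed profile fragment, orders the gateway list either by configured priority (method 0) or by ping response (method 1), and checks that a list of SSL VPN gateways agrees on one TCP port. The lowercase <redundantsortmethod> element, its placement directly under <connection>, one <server> element per gateway, and the "host:port" form of the SSL VPN entries are assumptions made for readability, not the documented FortiClient XML schema; the hostnames and ping times are placeholders.

```python
"""Gateway selection for a redundant FortiClient VPN connection.

Added example (not from the FortiClient guide or Fortinet).  The XML profile,
hostnames and ping results are constructed; the <redundantsortmethod> element
name and placement are assumptions, not the documented schema.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

PRIORITY_BASED = 0       # default: try gateways in the configured order
PING_RESPONSE_BASED = 1  # connect to whichever gateway answers fastest

# Constructed profile fragment; hostnames are placeholders.
SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>corp-ipsec</name>
          <redundantsortmethod>1</redundantsortmethod>
          <server>vpn1.example.test</server>
          <server>vpn2.example.test</server>
          <server>vpn3.example.test</server>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""

# Constructed ping results in milliseconds; None means no reply.
SAMPLE_RTT: Dict[str, Optional[float]] = {
    "vpn1.example.test": 90.0,
    "vpn2.example.test": None,
    "vpn3.example.test": 12.5,
}


def parse_ipsec_connection(xml_text: str) -> Tuple[int, List[str]]:
    """Return (sort_method, gateways) for the first IPsec connection."""
    root = ET.fromstring(xml_text)
    conn = root.find("./vpn/ipsecvpn/connections/connection")
    if conn is None:
        raise ValueError("profile has no IPsec connection")
    node = conn.find("redundantsortmethod")
    # An absent tag means the documented default: priority based.
    method = int(node.text) if node is not None and node.text else PRIORITY_BASED
    gateways = [s.text.strip() for s in conn.findall("server") if s.text]
    return method, gateways


def order_gateways(gateways: List[str], method: int,
                   probe: Callable[[str], Optional[float]]) -> List[str]:
    """Return the order in which the gateways are tried.

    probe(host) returns the round-trip time in ms, or None for no reply.
    With the priority method it is never called.
    """
    if method == PRIORITY_BASED:
        return list(gateways)
    if method != PING_RESPONSE_BASED:
        raise ValueError(f"unknown RedundantSortMethod {method}")
    results = [(probe(g), i, g) for i, g in enumerate(gateways)]
    # Fastest responder first; equal times keep configured order via the index.
    answered = sorted(r for r in results if r[0] is not None)
    # Gateways that did not answer go last, still in configured order,
    # so the client can fall through to them if the others fail.
    silent = [r for r in results if r[0] is None]
    return [g for _, _, g in answered] + [g for _, _, g in silent]


def check_same_port(sslvpn_gateways: List[str], default_port: int = 443) -> int:
    """For SSL VPN every gateway must use one TCP port; return it or raise.
    Entries are 'host' or 'host:port' (a constructed form for this example)."""
    ports = set()
    for entry in sslvpn_gateways:
        _, sep, port = entry.rpartition(":")
        ports.add(int(port) if sep else default_port)
    if len(ports) != 1:
        raise ValueError(f"SSL VPN gateways disagree on TCP port: {sorted(ports)}")
    return ports.pop()


def demo() -> Dict[str, List[str]]:
    """Show both orderings for the constructed profile and ping results."""
    method, gws = parse_ipsec_connection(SAMPLE_PROFILE)
    return {
        "priority": order_gateways(gws, PRIORITY_BASED, SAMPLE_RTT.get),
        "ping": order_gateways(gws, method, SAMPLE_RTT.get),
    }


if __name__ == "__main__":
    for name, order in demo().items():
        print(f"{name:9s} -> {', '.join(order)}")
```

With the constructed ping results the priority method keeps vpn1, vpn2, vpn3, while the ping-response method tries vpn3 first and leaves the silent vpn2 last. The same-port check is the kind of validation worth running over an EMS profile before it is pushed, since a mismatched port on one gateway is only noticed when failover to it fails.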
This feature supports automatically running a user-defined script after the configured VPN tunnel connects or disconnects. The scripts are batch scripts on Windows and shell scripts on Mac OS X. They are defined as part of a VPN tunnel configuration in the XML-format FortiClient profile on EMS, and the profile is pushed down to FortiClient from EMS. When the FortiClient VPN tunnel connects or disconnects, the respective script defined under that tunnel is executed.
Windows
OS X
FortiClient includes a Vulnerability Scan component to check endpoints for known vulnerabilities. The
vulnerability scan results can include:
Vulnerability scanning is enabled by default. You cannot disable or configure the vulnerability scan feature by
using the FortiClient console.
When FortiClient is in managed mode and managed by EMS, an administrator might configure and lock
vulnerability scanning for you. An administrator might also disable vulnerability scanning.
Scan now
You can scan on-demand. When the scan is complete, FortiClient displays a summary of vulnerabilities found on
the endpoint. If any detected vulnerabilities require you to manually install remediation patches, the list of
affected software is also displayed.
To scan now:
FortiClient scans the endpoint for known vulnerabilities, and a summary of vulnerabilities found on the
system is displayed.
If any detected vulnerabilities require you to manually install remediation patches, a dialog box is displayed
that informs you what software should be updated. If you fail to update the identified software, you might
lose access to the network. If you lose access to the network, contact your system administrator for
assistance. Following is an example of the dialog box:
2. If applicable, read the list of software that requires manual installation of software patches, and click OK. See
Manually fix detected vulnerabilities on page 111.
Cancel scan
In standalone mode, when FortiClient is scanning for vulnerabilities, a Cancel Scan button is displayed, and you
can click the button to cancel the scan.
The Vulnerability Scan tab identifies vulnerabilities on the endpoint that should be fixed by installing software
patches. You can automatically install software patches by clicking the Fix Now link, or you can review detected
vulnerabilities before installing software patches.
Any software patches that cannot be automatically installed are listed on the Vulnerability Scan tab, and you
should manually download and install software patches for the vulnerable software.
If compliance is enabled for FortiClient in managed mode, and FortiGate compliance rules require it, all software
patches must be installed within a time frame to maintain compliant status and network access. See also
Compliance and vulnerability scanning on page 107.
1. In the Vulnerability Scan tab, beside Vulnerabilities Detected, click Fix Now to automatically install software
patches to fix the detected vulnerabilities.
FortiClient installs the software patches. You may need to reboot the endpoint device to complete
installation.
1. In the Vulnerability Scan tab, beside Vulnerabilities Detected, click the <number> link to review information about vulnerabilities before installing patches.
A page of details is displayed.
2. Click each category with vulnerabilities to view its details. For example, click the Browser category to view details
about detected browser vulnerabilities.
3. Click the Details icon for each vulnerability to view its details, and click OK to close the detailed view.
4. In each category, select the check box for the software for which you want to install patches.
For example, in the OS category, expand Operating System, and select the check box beside the
vulnerabilities for which you want to install patches.
You may be unable to choose which patches to install, depending on your FortiClient configuration. You are
also unable to select the check box for any software that requires manual installation of patches.
In some cases, FortiClient cannot automatically install software patches, and you must manually download and
install software patches. After each scan, the Vulnerability Scan tab lists any software that requires you to
manually download and install software patches. See also Scan now on page 107.
If a software vendor has ceased to provide patches for its software, the software is
tagged as obsolete in the signatures used by the Vulnerability Scan feature, and you
must uninstall the software to fix detected vulnerabilities. The obsolete tag is visible in
the details. See View details about vulnerabilities on page 112.
If compliance is enabled for FortiClient in managed mode, and FortiGate compliance rules require it, all software
patches must be installed within a time frame to maintain compliant status and network access. See also
Compliance and vulnerability scanning on page 107.
1. On the Vulnerability Scan tab, identify the software that requires manual fixing.
Any software with detected vulnerabilities that requires you to manually download and install software patches is displayed in the Vulnerabilities Detected area. In the following example, Java JDK and PHP require manual updates:
2. Download the latest software patch for each software from the Internet, and install it on the endpoint.
3. After you install the software for all remaining vulnerabilities, go to the Vulnerability Scan tab, and click the Scan
Now button to instruct FortiClient to confirm that the vulnerabilities are fixed.
If the manual fixes were successful, the Vulnerability Scan tab displays Vulnerabilities Detected: None after
the scan completes.
1. On the Vulnerability Scan tab, any software with detected vulnerabilities that requires you to manually download
and install software patches is displayed in the Vulnerabilities Detected area.
2. You can view more details by clicking the Vulnerabilities Detected <number> link or the category for detected vulnerabilities, such as Critical, High, Medium, or Low.
3. Click the Details icon.
If the detected vulnerability requires you to manually download and install a fix, it is communicated in the Recommended Action section. In addition, the following information is displayed: The fix for the vulnerability must be manually installed from: <link>.
You can view the history of the last seven vulnerability scans and patches. The history shows what software was identified as vulnerable and whether patches for the vulnerabilities were installed.
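The vulnerability scan sections above describe a fixed set of outcomes for each finding: FortiClient installs the patch itself (Fix Now), the user downloads and installs it from the link under Recommended Action, or, for software tagged obsolete, the user uninstalls it; on top of that, compliance may impose a deadline, and the console keeps the last seven scans. The following Python model is an added example, not code from the guide or from Fortinet, that applies those rules to a constructed scan. The findings, links and placeholder name "ExampleLegacyApp" are sample data (the manual-fix entries reuse the guide's Java JDK and PHP example), and the compliance grace period is an input parameter because the actual time frame is set by the FortiGate compliance rules, which the guide does not quantify.

```python
"""Triage of FortiClient vulnerability-scan results.

Added example (not from the guide or Fortinet).  All findings, names and
links are constructed sample data; the grace period is an assumption passed
in by the caller because the guide only says "within a time frame".
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

SEVERITIES = ("Critical", "High", "Medium", "Low")


@dataclass(frozen=True)
class Finding:
    software: str
    category: str                   # Browser, OS, ... as on the Vulnerability Scan tab
    severity: str                   # one of SEVERITIES
    auto_patch: bool                # True when FortiClient can install the patch itself
    obsolete: bool = False          # vendor no longer provides patches: uninstall
    fix_url: Optional[str] = None   # shown under Recommended Action for manual fixes

    def __post_init__(self) -> None:
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into Fix Now, manual download, and uninstall."""
    buckets: Dict[str, List[Finding]] = {"fix_now": [], "manual": [], "uninstall": []}
    for f in findings:
        if f.obsolete:
            buckets["uninstall"].append(f)   # no patch will ever exist
        elif f.auto_patch:
            buckets["fix_now"].append(f)
        else:
            buckets["manual"].append(f)
    return buckets


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Summary in the order the Vulnerability Scan tab lists severities."""
    return {s: sum(1 for f in findings if f.severity == s) for s in SEVERITIES}


def compliance_deadline(scan_time: datetime, grace: timedelta) -> datetime:
    """When all patches must be installed to keep compliant status."""
    return scan_time + grace


class ScanHistory:
    """Keeps the last seven scans, the number the console lets you review."""
    MAX_SCANS = 7

    def __init__(self) -> None:
        self._scans: Deque[Dict] = deque(maxlen=self.MAX_SCANS)

    def record(self, when: datetime, findings: List[Finding]) -> None:
        self._scans.append({"when": when, "findings": list(findings)})

    def __len__(self) -> int:
        return len(self._scans)

    def oldest(self) -> Optional[datetime]:
        return self._scans[0]["when"] if self._scans else None


# Constructed sample scan (placeholder links; ExampleLegacyApp is invented).
SAMPLE_FINDINGS = [
    Finding("Mozilla Firefox", "Browser", "High", auto_patch=True),
    Finding("Operating System", "OS", "Critical", auto_patch=True),
    Finding("Java JDK", "Other", "High", auto_patch=False,
            fix_url="https://vendor.example.test/jdk"),
    Finding("PHP", "Other", "Medium", auto_patch=False,
            fix_url="https://vendor.example.test/php"),
    Finding("ExampleLegacyApp", "Other", "Low", auto_patch=False, obsolete=True),
]


def report(findings: List[Finding], scan_time: datetime, grace: timedelta) -> Dict:
    """Everything a user or admin needs after a scan, as plain data."""
    t = triage(findings)
    return {
        "summary": count_by_severity(findings),
        "fix_now": [f.software for f in t["fix_now"]],
        "manual": {f.software: f.fix_url for f in t["manual"]},
        "uninstall": [f.software for f in t["uninstall"]],
        "deadline": compliance_deadline(scan_time, grace).isoformat(),
    }


def sample_report() -> Dict:
    """Report for the constructed scan with an assumed three-day grace period."""
    return report(SAMPLE_FINDINGS, datetime(2017, 9, 13, 9, 0), timedelta(days=3))


def history_demo(scans: int) -> Tuple[int, Optional[str]]:
    """Record `scans` daily scans; return how many survive and the oldest date."""
    h = ScanHistory()
    for day in range(scans):
        h.record(datetime(2017, 9, 1) + timedelta(days=day), [])
    oldest = h.oldest()
    return len(h), oldest.date().isoformat() if oldest else None


if __name__ == "__main__":
    from pprint import pprint
    pprint(sample_report())
    print(history_demo(10))
```

For the constructed scan the report sends Firefox and the operating system to Fix Now, lists Java JDK and PHP with their download links, flags ExampleLegacyApp for removal, and computes the deadline from the scan time; recording ten daily scans leaves only the most recent seven, which matches what the console history shows.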
This section describes the options on the File > Settings page.
Which options you can change on the Settings page depends on whether FortiClient is in standalone or managed mode. In managed mode, settings might be locked by FortiGate or EMS.
System
Logging
3. Select the features for which you want to add entries to the log file:
Application Firewall | Select Application Firewall to enable logging for this feature.
Web Security/Web Filter | Select Web Security or Web Filter to enable logging for this feature.
Vulnerability Scan | Select Vulnerability Scan to enable logging for this feature.
It is recommended to use the debug logging level only when needed. Do not leave the
debug logging level permanently enabled in a production environment to avoid
unnecessarily consuming disk space.
- FortiClient
- FortiGate or EMS
- FortiAnalyzer or FortiManager
When FortiClient connects Telemetry to FortiGate or EMS, the endpoint can upload logs to FortiAnalyzer or FortiManager units on TCP port 514.
FortiClient Telemetry must connect to FortiGate or EMS for FortiClient to upload logs
to FortiAnalyzer or FortiManager.
3. Select a location for the log file, type a name for the log file, and click Save.
4. Click OK.
VPN options
1. Go to File > Settings from the toolbar, and expand the VPN section.
2. Select Enable VPN before logon to enable VPN before logon.
3. Click OK.
Antivirus options
Adware | Select to enable adware detection and quarantine during the antivirus scan.
Riskware | Select to enable riskware detection and quarantine during the antivirus scan.
Alert when viruses are detected | Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. When Alert when viruses are detected under AntiVirus Options is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser.
Pause background scanning on battery power | Select to pause background scanning when your computer is operating on battery power.
Enable FortiGuard Analytics | Select to automatically send suspicious files to the FortiGuard Network for analysis.
Advanced options
These settings can be configured only when FortiClient is in standalone mode. When FortiClient Telemetry is
connected to FortiGate or EMS, these settings are set by the XML configuration (if configured).
Enable Single Sign-On mobility agent | Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device.
Customize port | Enter the port number. The default port is 8001.
Pre-shared Key | Enter the pre-shared key. The pre-shared key should match the key configured on your FortiAuthenticator device.
Default tab | Select the default tab to be displayed when opening FortiClient.
The FortiClient Single Sign-On (SSO) Mobility Agent is a client that updates FortiAuthenticator with user logon
and network information.
FortiClient/FortiAuthenticator protocol
The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using
TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator,
which replies with an acknowledgment packet.
1. In FortiAuthenticator, select Fortinet SSO Methods > SSO > General. The Edit SSO Configuration page opens.
2. Select Enable FortiClient SSO Mobility Agent Service and enter a TCP port value for the listening port.
3. Select Enable authentication and enter a secret key or password.
4. Select OK to save the setting.
1. Select System > Network > Interfaces. Select the interface and select Edit from the toolbar. The Edit Network
Interface window opens.
To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.
For information on purchasing a FortiClient license for FortiAuthenticator, please contact your authorized Fortinet reseller.
Configuration lock
To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of
the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked,
configuration changes are restricted, and FortiClient cannot be shut down or uninstalled.
When the configuration is locked you can perform the following actions on the Settings page:
FortiTray
When FortiClient is running on your system, you can select the FortiTray icon in the Windows system tray to
perform various actions. The FortiTray icon is available in the system tray even when the FortiClient console is
closed.
When the configuration is locked, the option to shut down FortiClient from FortiTray is
grayed out.
You can access the FortiClient Diagnostic Tool from the FortiClient console. Go to Help > About.
On FortiClient (Windows), you can also access the Diagnostic Tool from the Start
menu.
You can use the FortiClient Diagnostic tool to generate a debug report, and then provide the debug report to the
FortiClient team to help with troubleshooting. For example, if you are working with customer support on a
problem, you can generate a debug report, and email the report to customer support to help with troubleshooting.
2. Click the Diagnostic Tool button in the top-right corner. The FortiClient Diagnostic Tool dialog box is displayed.
4. (Optional) When prompted, launch and disconnect the VPN tunnels for which you want to collect information.
A Diagnostic_Result file is created and displayed in a folder on the endpoint device. The default folder location is C:\Users\<user name>\AppData\Local\Temp\.
5. Click Close.
You can operate FortiClient VPNs using the COM-based FortiClient API. The API can be used with IPsec VPN
only. SSL VPN is currently not supported.
Overview
API reference
GetRemainingKeyLife(bstrTunnelName As String, pSecs As Long, pKBytes As Long) | Retrieve the remaining key life for the named connection. Whether keylife time (pSecs) or data (pKBytes) are significant depends on the detailed settings in the FortiClient application.
For a list of FortiClient log messages, see the FortiClient 5.6.0 Online Help at
http://docs.fortinet.com/forticlient/admin-guides. The table of log messages is too wide to fit into the page size
of the FortiClient 5.6.0 Administration Guide.
FortiClient checks many applications for vulnerabilities. FortiClient can automatically patch vulnerabilities from
some applications, but not all applications. For some applications, the user must manually patch vulnerabilities.
For the latest list of supported software, see the FortiGuard Center (FortiGuard.com).
FortiClient (Windows)
- 7-Zip
- Microsoft Bulletin
- Apple iTunes
- Mozilla Firefox
- Mozilla Firefox ESR
- Foxit Reader
- Java JRE
- Wireshark
- Mozilla Thunderbird
- Adobe Air
- Adobe Acrobat
- Adobe Acrobat DC
- Adobe Reader
- Adobe Acrobat Reader DC
- Adobe Flash Player Active X plug-in for Internet Explorer
- Adobe Flash Player NPAPI plug-in for Firefox
- PostgreSQL (version 9.1 or later)
- VideoLAN VLC Media Player
- VMware Player
- VMware Workstation Player
- Adobe AIRSDK
- Adobe Acrobat X
FortiClient (OSX)
- Adobe Acrobat
- Adobe Acrobat DC
- Adobe Acrobat Reader DC
- Adobe Flash Player NPAPI plug-in
- Apple Products
- Mozilla Firefox
- Mozilla Firefox ESR
- Google Chrome
- Java JRE
- SeaMonkey
- Mozilla Thunderbird
- Mozilla Thunderbird ESR
- VideoLAN VLC Media Player
- VMware Fusion
- Wireshark
- Java JDK
- MySQL Server
- Adobe Reader
This section identifies the processes used by FortiClient (Windows) and FortiClient (OS X).
The following table identifies the processes in Task Manager used by FortiClient (Windows):
FortiClient Application Database Service | Network Access Control (NAC) and Antivirus
FortiClient Scheduler | Windows ensures that FortiClient services are running when needed
FortiClient System Helper | FortiClient ensures that 32-bit processes can access 64-bit resources
FortiClient User Avatar Agent | FortiClient Console and FortiClient Telemetry use to obtain avatar images for users
FortiClient Virus Feedback Service | Antivirus and FortiClient Console use to submit samples to FortiGuard