Chapter 25 - Security Profiles > FortiClient Profiles > Configuring endpoint protection

Configuring endpoint protection

Endpoint Protection requires that every host connecting to an interface have the FortiClient Endpoint Security application installed, so make sure that all endpoints behind the interface are able to install it. FortiClient Endpoint Security is currently available for Microsoft Windows (2000 and later), Apple Mac OS X, and Android devices only.

By default, the FortiGuard service provides the FortiClient installer. If you prefer to host it on your own server, see Changing the FortiClient installer download location, below.

To set up Endpoint Protection, complete the following:

  • Create a FortiClient Profile or use the default profile. See Creating a FortiClient profile. Enable the application sensor and web category filtering profiles that you want to use.
  • Configure the FortiGate unit to support endpoint registration using FortiHeartBeat, called FortiTelemetry in FortiOS 5.4.1 and later (under Network > Interfaces, enable FortiHeartBeat and its admission control on the interface).
  • Optionally, enforce FortiClient registration. See Enforcing FortiClient registration.
  • Optionally, configure application sensors and web filter profiles as needed to monitor or block applications.
  • Optionally, modify the Endpoint NAC Download Portal replacement messages (one per platform). See Modifying the endpoint protection replacement messages.

Creating a FortiClient profile

The default FortiClient profile has only AntiVirus, Web Filter, and VPN options enabled. You can modify this profile or create your own FortiClient profiles, including settings for iOS and Android devices.

It is possible for more than one profile to be assigned to a device type. As with security policies, clients are matched to FortiClient profiles in the order that the profiles appear in the list.

Note: Features involving general settings were removed from the FortiClient profile GUI in FortiOS 5.4.1, and features emphasizing endpoint compliance were added. These enhancements facilitate integration with the Cooperative Security Fabric.

To create a FortiClient profile - GUI - FortiOS 5.4.0
  1. If you plan to use the Application Firewall feature, go to Security Profiles > Application Control to create the Application Sensors that you will need.
  2. If you plan to use the Web Category Filtering, go to Security Profiles > Web Filter to create the Web Filter Profile that you will need.
  3. Go to Security Profiles > FortiClient Profiles.
    If there is only the default FortiClient profile, it will be displayed and ready to edit. At the top right of the page you can select or create other profiles.
  4. Select Create New or select an existing profile and Edit it.
  5. In Assign Profile To, select the device groups, user groups, and users to which this FortiClient profile applies. This is not available for the default profile.
  6. Configure the FortiClient Profile under the following tabs: Security, VPN, Advanced, and Mobile. These tabs are removed in FortiOS 5.4.1 and later.
Security options
  AntiVirus
    Realtime Protection: Enable to configure AV options, including Scan File Downloads, Block malicious websites, and Block attack channels.
    Scheduled Scan: Enable to configure the following:
      • Type: Select from Quick, Full, or Custom.
      • Schedule: Select from Daily, Weekly, or Monthly.
      • Time: Select when the scan should take place.
    Excluded Paths: Enable to add paths to be excluded from AV scanning.
  Web Filter
    Profile: Select the Web Filter Profile to use.
    Client Side when On-Net: Select to enable client-side web filtering even when the device is On-Net.
  Application Firewall
    Application Control list: Select the Application Control Sensor to use.
    Monitor unknown applications: Enable to monitor applications that do not fall into any Application Control category.

VPN options
  Client VPN Provisioning: Enable to configure the FortiClient VPN client, and enter the VPN configuration details.
  Allow user defined VPN: Enable to allow users to define their own VPN tunnels in FortiClient.
  VPN before Windows logon: Enable to establish the VPN connection before the user logs in to Windows.

Advanced options
  Install CA Certificates: Enable to have the FortiClient endpoint download CA certificates from the FortiGate.
  Disable Unregister Option: Enable to prevent managed endpoints from unregistering.
  Upload Logs to FortiAnalyzer: Enable to choose where FortiClient uploads its logs. Same as System sends the logs to the FortiAnalyzer configured under Log & Report > Log Settings; select Specify to upload them elsewhere.
  FortiManager updates: Enable to download client signature updates from a FortiManager at the specified IP addresses. You can also enable Failover to FDN so that clients fall back to the FortiGuard Distribution Network when FortiManager is not available.
  Dashboard Banner: Enable to display the dashboard banner.
  Client-based Logging when On-Net: Enable to always save logs on the client. Logs can be viewed in the FortiClient Console.
  Single Sign-on Mobility Agent: Enable to configure the SSO server address and its pre-shared key.

Mobile options
  iOS
    Web Filter: Select the Web Filter Profile to use, and select Client Side when On-Net to enable client-side web filtering when the iOS device is On-Net.
    Client VPN Provisioning: Enable to configure the FortiClient VPN client, and enter the VPN configuration details.
    Distribute Configuration Profile: Enable to select and upload a '.mobileconfig' file to be distributed to iOS devices.
  Android
    Web Filter: Select the Web Filter Profile to use, and select Client Side when On-Net to enable client-side web filtering when the Android device is On-Net.
    Client VPN Provisioning: Enable to configure the FortiClient VPN client, and enter the VPN configuration details.
  7. Select Apply.
To create a FortiClient profile - GUI - FortiOS 5.4.1 and later

Follow steps 1 through 5 above, then:

  6. Under FortiClient endpoint compliance, select the action to take when an endpoint is non-compliant: Block, Warning, or Auto-update. For what each action means, see FortiClient Profile changes (356205) in What's New in FortiOS 5.4 of this chapter.
  7. Use the drop-down menu to select the quarantine level for Endpoint Vulnerability Scan on Client.
  8. Under System compliance, set the minimum FortiClient version and, if you have a FortiAnalyzer configured, enable the compliance option that requires FortiClient to upload its logs to FortiAnalyzer.
  9. Select which Security Profiles to enable: AntiVirus, Web Filter, and/or Application Firewall.
  10. Select Apply.
To create a FortiClient profile - CLI:

This example creates a profile for Windows and Mac computers that enables FortiClient antivirus and web filtering with the default web filter profile.

  config endpoint-control profile
    edit ep-profile1
      set device-groups mac windows-pc
      config forticlient-winmac-settings
        set forticlient-av enable
        set forticlient-wf enable
        set forticlient-wf-profile default
      end
    next
  end

To install CA certificates - CLI:

  config endpoint-control profile
    edit <profile>
      config forticlient-winmac-settings
        set install-ca-certificate [enable | disable]
      end
    next
  end

Note: FortiOS 5.4.0 permits you to install CA certificates through the CLI as shown above. FortiOS 5.4.1 only allows CA certificates to be installed through the GUI, by going to System > Certificates.

Enforcing FortiClient registration

When you enable FortiTelemetry (formerly known as FortiHeartbeat) on an interface, the option to enforce FortiClient registration becomes available. Devices connecting to that interface are forced to register to the FortiGate and install FortiClient before gaining access to network services.

The following example includes editing the default FortiClient Profile to enforce real time antivirus protection and malicious website blocking.

To enforce FortiClient registration on the internal interface - GUI:
  1. On the FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled.
  2. Go to Network > Interfaces and edit the internal interface.
  3. Under Restrict Access, enable FortiClient Telemetry.
  4. Under Admission Control, enable Enforce FortiClient Telemetry for all FortiClients.
    Optionally, you can also configure Exempt Sources and/or Exempt Destinations/Services. An exempted source device does not need FortiClient registration to access network services or the Internet, so keep the exempt lists as short as possible and review them periodically: every exempt source is a host that reaches the network with no endpoint checks at all.
  5. Go to Security Profiles > FortiClient Profiles.
  6. Under the Security tab, enable Realtime Protection, Scan File Downloads, Block malicious websites, and Block attack channels.

Changing the FortiClient installer download location

By default, FortiClient installers are downloaded from the FortiGuard network. You can also host the installers on your own server for users to download; in that case you must configure FortiOS with the custom download location. Because every endpoint that is told to install FortiClient will download and run whatever this URL serves, protect that server as you would any software distribution point and serve the installers over HTTPS where you can: an installer fetched over plain HTTP can be replaced by anyone on the network path. For example, to set the download location to your own web server at custom.example.com, enter the following command:

  config endpoint-control settings
    set download-location custom
    set download-custom-link "http://custom.example.com"
  end

Storing FortiClient configuration files

An advanced FortiClient configuration (an XML export from FortiClient) of up to 32k can be stored in the FortiClient profile and deployed to endpoints:

  1. Enable the advanced FortiClient configuration option in the endpoint profile:

  config endpoint-control profile
    edit "default"
      set forticlient-config-deployment enable
      set fct-advanced-cfg enable
      set fct-advanced-cfg-buffer "hello"
      set forticlient-license-timeout 1
      set netscan-discover-hosts enable
    next
  end

    The "hello" value is only a placeholder; the exported configuration replaces it in the next steps.
  2. Export the configuration from FortiClient (XML format).
  3. Copy the contents of the configuration file and paste them into the advanced FortiClient configuration box.

 

If the configuration file is larger than 32k, store the additional pieces as extra buffer entries using the following CLI:

  config endpoint-control profile
    edit <profile>
      config forticlient-winmac-settings
        config extra-buffer-entries
          edit <entry_id>
            set buffer xxxxxx
          next
        end
      end
    next
  end
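Both procedures above (storing a configuration of up to 32k, and splitting a larger one across extra-buffer-entries) can be scripted so that the XML is checked before it reaches any endpoint. The following Python script is an added example, not code from this page or from Fortinet: it verifies that the exported FortiClient XML is well-formed, splits it into pieces of at most 32k bytes (assumed here to be 32768 bytes, never cutting a multi-byte UTF-8 character), and emits the FortiOS CLI that stores the first piece in fct-advanced-cfg-buffer and the remaining pieces as numbered extra-buffer-entries. It assumes that FortiClient concatenates the entries in entry order, that FortiOS uses the usual double-quoted string syntax with embedded quotes and backslashes escaped by a backslash, and that a quoted value may span lines as it does in a saved FortiOS configuration file. The XML sample in the block is constructed for the example.

```python
"""Generate FortiOS CLI that stores an exported FortiClient XML configuration
in an endpoint-control profile, splitting it across extra-buffer-entries
when it is larger than a single 32k buffer.

Added example, not Fortinet code. The buffer limit, the quoting rules and
the entry ordering are assumptions (see the lead-in).
"""
import xml.etree.ElementTree as ET

BUFFER_LIMIT = 32768  # assumed size in bytes of one buffer ("32k" in the help text)


def cli_quote(value: str) -> str:
    """Wrap a value in double quotes for the FortiOS CLI, escaping backslash
    and double quote with a backslash (assumed FortiOS string syntax)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def split_buffers(text: str, limit: int = BUFFER_LIMIT) -> list:
    """Split text into pieces whose UTF-8 encoding is at most `limit` bytes,
    never cutting a multi-byte character in half. Always returns >= 1 piece."""
    if limit <= 0:
        raise ValueError("limit must be positive")
    pieces, current, current_len = [], [], 0
    for ch in text:
        n = len(ch.encode("utf-8"))
        if n > limit:
            raise ValueError("limit is smaller than a single character")
        if current_len + n > limit:
            pieces.append("".join(current))
            current, current_len = [], 0
        current.append(ch)
        current_len += n
    if current or not pieces:
        pieces.append("".join(current))
    return pieces


def build_cli(profile: str, config_xml: str, limit: int = BUFFER_LIMIT) -> str:
    """Return the FortiOS CLI that stores `config_xml` in endpoint-control
    profile `profile`. Raises ValueError if the XML is not well-formed, so a
    truncated or hand-edited export is never pushed to endpoints."""
    try:
        ET.fromstring(config_xml)
    except ET.ParseError as exc:
        raise ValueError(f"FortiClient configuration is not well-formed XML: {exc}") from exc

    pieces = split_buffers(config_xml, limit)
    lines = [
        "config endpoint-control profile",
        f"    edit {cli_quote(profile)}",
        "        set forticlient-config-deployment enable",
        "        set fct-advanced-cfg enable",
        # The first piece goes in the main buffer, as in the <= 32k procedure.
        f"        set fct-advanced-cfg-buffer {cli_quote(pieces[0])}",
    ]
    if len(pieces) > 1:
        # Remaining pieces become numbered extra-buffer-entries, assumed to be
        # appended to the main buffer in entry order on the client.
        lines += [
            "        config forticlient-winmac-settings",
            "            config extra-buffer-entries",
        ]
        for entry_id, piece in enumerate(pieces[1:], start=1):
            lines += [
                f"                edit {entry_id}",
                f"                    set buffer {cli_quote(piece)}",
                "                next",
            ]
        lines += ["            end", "        end"]
    lines += ["    next", "end"]
    return "\n".join(lines) + "\n"


def extra_entry_count(config_xml: str, limit: int = BUFFER_LIMIT) -> int:
    """Number of extra-buffer-entries a configuration of this size needs."""
    return len(split_buffers(config_xml, limit)) - 1


if __name__ == "__main__":
    # Constructed sample: a small, well-formed FortiClient-style export,
    # padded with an XML comment so that it exceeds one 32k buffer.
    sample = ("<forticlient_configuration><version>5.4</version>"
              "<!-- " + "x" * 70000 + " --></forticlient_configuration>")
    print(f"{extra_entry_count(sample)} extra buffer entries needed")
    print(build_cli("default", sample)[:300] + "...")
```

Run the script against a real export by replacing `sample` with the file contents; the generated text is meant to be loaded as a configuration script or pasted into the CLI of the FortiGate. Treat the XML you push like any other code deployed to endpoints: it is applied with FortiClient's privileges, so keep the export under change control and diff it before regenerating the CLI.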