FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

> Chapter 25 - Security Profiles > FortiClient Profiles > Endpoint protection overview

Endpoint protection overview

Endpoint Protection enforces the use of up-to-date FortiClient Endpoint Security software on endpoints (workstation computers and mobile devices). It pushes a FortiClient profile to the FortiClient application, specifying security settings, including:

  • Real-time antivirus protection - on or off
  • FortiClient web category filtering based on web filters defined in a FortiGate Web Filter profile
  • FortiClient Application Control (application firewall) using application sensors defined in the FortiGate Application Control profile

The FortiClient profile can also:

  • Create VPN configurations
  • Install CA certificates
  • Upload logs to FortiAnalyzer or FortiManager
  • Enable use of FortiManager for client software/signature update
  • Enable a dashboard banner
  • Enable client-based logging while on-net
  • Output a mobile configuration profile (.mobileconfig file for iOS)

User experience

When using a web browser, the user of a non-compliant endpoint receives a replacement message HTML page from the FortiGate unit. The message explains that the user needs to install FortiClient Endpoint Security and provides a link to do so. The user cannot continue until the FortiClient software is installed.

For information about modifying the replacement message, see Modifying the endpoint protection replacement messages.

Default FortiClient non-compliance message for Windows

After installing FortiClient Endpoint Security, the user will receive an invitation to register with the FortiGate unit. If the user accepts the invitation, the FortiClient profile is sent to the device's FortiClient application. Now the user is compliant and can connect to the network. FortiClient Endpoint Security registered with a FortiGate unit does not need to be separately licensed with FortiGuard.

The FortiGate unit can also register endpoints connecting over the Internet through a VPN. The user can accept an invitation to register with the FortiGate unit. See Configuring endpoint registration over a VPN.


FortiGate endpoint registration limits

To view the number of endpoints that are registered and the total that can be registered, go to Dashboard. Under License Information, find FortiClient. You will see a line like "Clients Registered 4 of 10". This means that there are four registered endpoints and a total of ten are allowed.

When the registration limit is reached, the next FortiClient-compatible device will not be able to register with the FortiGate unit. The user of the device sees a message in the FortiClient application. The FortiClient profile is not sent to client and the client cannot connect through the FortiGate unit.

For all FortiGate models, the maximum number of registered endpoints is ten. For all models except 20C, you can purchase an endpoint license to increase this capacity:

To add an endpoint license - GUI
  1. Go to Dashboard.
  2. In the License Information widget, under FortiClient, select Enter License, enter the license key, and select OK.
Maximum registered endpoints with endpoint license
Model type Max Registered Endpoints
30 to 90 series 200
100 to 300 series 600
500 to 800 series, VM1, VM2 2 000
1000 series, VM4 8 000
3000 to 5000 series, VM8 20 000