profile
Use this command to configure an Endpoint NAC profile.
Syntax
config endpoint-control profile
    edit <profile_name>
        set description <string>
        set replacemsg-override-group <groupname_string>
        set device-groups <group_list>
        set users <user_list>
        set user-groups <usergroup_list>
        config extra-buffer-entries
            edit <entry_id>
                set buffer <config_str>
        end
        config forticlient-winmac-settings
            set auto-vpn-when-off-net {enable | disable}
            set auto-vpn-name <name_str>
            set client-log-when-on-net {enable | disable}
            set forticlient-application-firewall {enable | disable}
            set forticlient-application-firewall-list <applist_name>
            set forticlient-ad {enable | disable}
            set forticlient-advanced-cfg {enable | disable}
            set forticlient-advanced-cfg-buffer <xml_config_str>
            set forticlient-advanced-vpn {enable | disable}
            set forticlient-advanced-vpn-buffer <xml_config_str>
            set forticlient-av {enable | disable}
            set forticlient-log-upload {enable | disable}
            set forticlient-log-upload-schedule {daily | hourly}
            set forticlient-log-upload-server {FQDN | ip4_addr}
            set forticlient-log-ssl-upload {enable | disable}
            set forticlient-settings-lock {enable | disable}
            set forticlient-settings-lock-passwd <pwd_str>
            set forticlient-ui-options {af av vpn vs wf}
            set forticlient-update-failover-to-fdn {enable | disable}
            set forticlient-update-from-fmg {enable | disable}
            set forticlient-update-server {<FQDN | ip4_addr> [<FQDN | ip4_addr> <FQDN | ip4_addr>]}
            set forticlient-vpn-provisioning {enable | disable}
            set view-profile-details {enable | disable}
            config forticlient-vpn-settings
                edit <vpn_name>
                    set remote-gw <ipv4_addr>
                    set auth-method {certificate | psk}
                    set preshared-key <psk_str>
                    set ssl-require-certificate {enable | disable}
                    set ssl-vpn-access-port <port_int>
                    set type {ipsec | ssl}
            end
            set forticlient-vuln-scan {enable | disable}
            set forticlient-vuln-scan-schedule {daily | weekly | monthly}
            set forticlient-vuln-scan-on-registration {enable | disable}
            set forticlient-wf {enable | disable}
            set forticlient-wf-profile <profile_name>
            set disable-wf-when-protected {enable | disable}
        end
        config forticlient-android-settings
            set forticlient-advanced-vpn {enable | disable}
            set forticlient-advanced-vpn-buffer <xml_config_str>
            set forticlient-vpn-provisioning {enable | disable}
            config forticlient-vpn-settings
                edit <vpn_name>
                    set remote-gw <ipv4_addr>
                    set auth-method {certificate | psk}
                    set preshared-key <psk_str>
                    set ssl-require-certificate {enable | disable}
                    set ssl-vpn-access-port <port_int>
                    set type {ipsec | ssl}
            end
            set forticlient-wf {enable | disable}
            set forticlient-wf-profile <profile_name>
            set disable-wf-when-protected {enable | disable}
        end
        config forticlient-ios-settings
            set client-vpn-provisioning {enable | disable}
            config client-vpn-settings
                edit <vpn_name>
                    set type {ipsec | ssl}
                    set auth-method {certificate | psk}
                    set preshared-key <psk_str>
                    set vpn-configuration-name <cfg_name_str>
                    set vpn-configuration-content <str>
                    set remote-gw <addr>
                    set sslvpn-access-port <port_int>
                    set sslvpn-require-certificate {enable | disable}
            end
            set distribute-configuration-profile {enable | disable}
            set configuration-name <str>
            set configuration-content <str>
            set forticlient-wf {enable | disable}
            set disable-wf-when-protected {enable | disable}
        end
end
 
Variable, description and default

<profile_name>
    Enter a name for this Endpoint NAC profile.
    No default.

auto-vpn-when-off-net {enable | disable}
    Enable automatic use of a VPN when not on the FortiGate network. This is available when client-vpn-provisioning is enabled.
    Default: disable

auto-vpn-name <name_str>
    Enter the name of the VPN to automatically connect to. Available when auto-vpn-when-off-net is enabled.
    No default.

client-log-when-on-net {enable | disable}
    Enable client-based logging when on-net.
    Default: disable

client-vpn-provisioning {enable | disable}
    Enable or disable setting client VPN configuration.
    Default: disable

description <string>
    Optionally, enter a description enclosed in quotation marks (").
    No default.

device-groups <group_list>
    Enter a space-delimited list of the device groups that are assigned to this endpoint profile.
    Default: null

forticlient-application-firewall {enable | disable}
    Enable application detection.
    Default: disable

forticlient-application-firewall-list <applist_name>
    Enter the name of the application list to use. See application list.
    No default.

forticlient-ad {enable | disable}
    Enable or disable FortiClient advertising.
    Default: disable

forticlient-advanced-cfg {enable | disable}
    Enable or disable setting a custom FortiClient configuration.
    Default: disable

forticlient-advanced-cfg-buffer <xml_config_str>
    Custom FortiClient configuration in XML format, enclosed in quotation marks ("). Available when forticlient-advanced-cfg is enabled. Maximum buffer size is 32KB.
    No default.

forticlient-advanced-vpn {enable | disable}
    Enable or disable setting custom FortiClient VPN configuration.
    Default: disable

forticlient-advanced-vpn-buffer <xml_config_str>
    Custom FortiClient VPN configuration in XML format, enclosed in quotation marks ("). Available when forticlient-advanced-vpn is enabled.
    No default.

forticlient-av {enable | disable}
    Enable or disable FortiClient antivirus protection.
    Default: disable

forticlient-log-upload {enable | disable}
    Enable or disable uploading logs to a FortiAnalyzer unit via the FortiGate unit.
    Default: disable

forticlient-log-upload-schedule {daily | hourly}
    Set the log upload schedule.
    Default: hourly

forticlient-log-upload-server {FQDN | ip4_addr}
    Set the FortiClient log upload server.
    Default: null

forticlient-log-ssl-upload {enable | disable}
    Upload logs securely. Available when forticlient-log-upload is enabled.
    Default: enable

forticlient-settings-lock {enable | disable}
    Enable to lock FortiClient settings. This is available if forticlient-config-deployment is enabled.
    Default: disable

forticlient-settings-lock-passwd <pwd_str>
    Set the password to unlock FortiClient configuration. This is available when forticlient-settings-lock is enabled.
    No default.

forticlient-ui-options {af av vpn vs wf}
    Set the user interface components of FortiClient that will be available to the user.
        af - application firewall
        av - antivirus
        vpn - VPN
        vs - vulnerability scan
        wf - web filtering
    Default: av vpn wf

forticlient-update-failover-to-fdn {enable | disable}
    Enable FortiClient update failover from FortiManager to FDN.
    Default: enable

forticlient-update-from-fmg {enable | disable}
    Enable or disable FortiClient update from FortiManager.
    Default: disable

forticlient-update-server {<FQDN | ip4_addr> [<FQDN | ip4_addr> <FQDN | ip4_addr>]}
    Enter one or more FortiClient update servers. Separate entries with spaces.
    Default: null

forticlient-vpn-provisioning {enable | disable}
    Enable or disable setting FortiClient VPN configuration.
    Default: disable

forticlient-vuln-scan {enable | disable}
    Enable or disable endpoint vulnerability scanning.
    Default: disable

forticlient-vuln-scan-schedule {daily | weekly | monthly}
    Set the endpoint vulnerability scan schedule.
    Default: monthly

forticlient-vuln-scan-on-registration {enable | disable}
    Enable or disable an endpoint vulnerability scan when the endpoint registers.
    Default: enable

forticlient-wf {enable | disable}
    Enable or disable FortiClient web category filtering.

forticlient-wf-profile <profile_name>
    FortiClient web filter profile to use.
    Default: default

disable-wf-when-protected {enable | disable}
    Disable FortiClient web filtering when the FortiGate unit is providing web filtering.
    Default: enable

users <user_list>
    Enter a space-separated list of the users to whom this profile applies. This is not available for the default profile.
    No default.

user-groups <usergroup_list>
    Enter a space-separated list of the user groups to which this profile applies. This is not available for the default profile.
    No default.

view-profile-details {enable | disable}
    Enable or disable client viewing of profile settings.
    Default: enable

replacemsg-override-group <groupname_string>
    Enter the replacement message group name to use when generating portal messages. The group must have its group-type set to ec. Maximum length is 35 characters.
    If no group is specified, the default will take effect. If the group does not contain certain ec messages, they will be loaded from the per-vdom or global settings.
    No default.

distribute-configuration-profile {enable | disable}
    Enable to provide .mobileconfig information to all iOS clients.
    Default: disable

configuration-name <str>
    Enter the iOS configuration name.
    No default.

configuration-content <str>
    Enter XML .mobileconfig file content.
    No default.

config client-vpn-settings variables

edit <vpn_name>
    No default.

type {ipsec | ssl}
    Select IPsec or SSL VPN.
    Default: ipsec

vpn-configuration-name <cfg_name_str>
    Enter the name of the VPN configuration. (IPsec)
    No default.

vpn-configuration-content <str>
    Enter XML .mobileconfig file content.
    No default.

remote-gw <addr>
    Enter gateway FQDN or IP address. (SSL VPN)
    No default.

sslvpn-access-port <port_int>
    For SSL VPN, enter port number to use.
    Default: 443

sslvpn-require-certificate {enable | disable}
    For SSL VPN, enable or disable authenticating clients by certificate.
    Default: disable

config extra-buffer-entries variables
Use for additional configuration strings if forticlient-advanced-cfg-buffer is too full (more than 32kB). This is available when forticlient-advanced-cfg is enabled.

edit <entry_id>
    No default.

buffer <config_str>
    Enter extra configuration string (32kB max).
    No default.

config forticlient-vpn-settings variables

edit <vpn_name>
    No default.

remote-gw <ipv4_addr>
    Enter gateway IP address.
    No default.

auth-method {certificate | psk}
    Select certificate or pre-shared key authentication.
    Default: psk

preshared-key <psk_str>
    Enter the pre-shared key.
    No default.

ssl-vpn-access-port <port_int>
    For SSL VPN, enter port number to use.
    Default: 443

ssl-require-certificate {enable | disable}
    For SSL VPN, enable or disable authenticating clients by certificate.
    Default: disable

type {ipsec | ssl}
    Select IPsec or SSL VPN.
    Default: ipsec
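
An option that is not set in a profile takes the default listed above, so a profile has to be read with those defaults filled in. The following added example (Python, not Fortinet code and not part of the original reference) parses a profile written in this page's syntax and reports three effective settings worth reviewing in forticlient-winmac-settings. The finding labels, the choice of which values to report, and the sample profile are assumptions of the example.

```python
# Added example, not Fortinet code. Defaults come from this page's tables; findings are assumptions.
WINMAC_DEFAULTS = {"forticlient-settings-lock": "disable",
                   "forticlient-log-upload": "disable", "forticlient-log-ssl-upload": "enable"}
VPN_DEFAULTS = {"type": "ipsec", "auth-method": "psk", "ssl-require-certificate": "disable"}

def parse(text):
    """Nest config/edit/set lines into dicts; "end" also closes an edit left open without "next"."""
    stack = [("config", {})]
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] in ("config", "edit"):
            child = stack[-1][1].setdefault(" ".join(tok[1:]).strip('"'), {})
            stack.append((tok[0], child))
        elif tok[0] == "set" and len(tok) > 1:
            stack[-1][1][tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end":
            while len(stack) > 1 and stack.pop()[0] == "edit":
                pass
    return stack[0][1]

def audit(text):
    """Return (profile, finding) pairs for forticlient-winmac-settings, defaults applied."""
    findings = []
    for name, prof in parse(text).get("endpoint-control profile", {}).items():
        win = {**WINMAC_DEFAULTS, **prof.get("forticlient-winmac-settings", {})}
        if win["forticlient-settings-lock"] == "disable":
            findings.append((name, "settings-lock-off"))
        if (win["forticlient-log-upload"], win["forticlient-log-ssl-upload"]) == ("enable", "disable"):
            findings.append((name, "log-upload-without-ssl"))
        for vpn, cfg in win.get("forticlient-vpn-settings", {}).items():
            v = {**VPN_DEFAULTS, **cfg}
            if (v["type"], v["auth-method"]) == ("ipsec", "psk"):
                findings.append((name, vpn + ": ipsec-psk"))
            if (v["type"], v["ssl-require-certificate"]) == ("ssl", "disable"):
                findings.append((name, vpn + ": sslvpn-no-client-cert"))
    return findings

SAMPLE = """config endpoint-control profile
edit "corp-laptops"
config forticlient-winmac-settings
set forticlient-log-upload enable
set forticlient-log-ssl-upload disable
config forticlient-vpn-settings
edit "hq-ipsec"
set remote-gw 192.0.2.10
end
end
end"""  # constructed sample, in the syntax shown on this page
print(audit(SAMPLE))
```

The sample never sets forticlient-settings-lock, type or auth-method, so all three findings it produces come from defaults rather than from explicit lines. The parser also accepts the "next" keyword that closes each edit block in exported FortiOS configurations.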