Setting the firewall options of a FortiClient agent
When controlled by FortiManager, the FortiClient application normally blocks all access for which there is no firewall policy and raises a firewall policy violation alert to the FortiManager unit. Optionally, you can change the FortiClient firewall default action to allow all access for which there is no Deny firewall policy.
The FortiClient application has three pre-configured firewall profiles: Basic home use, Basic business and Custom. The custom profile is the default. You define firewall policies as needed to allow or deny traffic.
Select a FortiClient agent in the All Managed Clients or Ungrouped Clients lists and select Firewall > Option to configure the firewall default action.
Override
Select to override the policy inherited from the group to which the computer belongs.
Basic Setting
 
 
Enable Firewall
Select to enable the firewall.
 
Firewall Profile
Select one of the following profiles.
Basic home use — Allow all outgoing traffic and deny all incoming traffic.
Basic business — Allow all outgoing traffic, allow all incoming traffic from the trusted zone, and deny all incoming traffic from the public zone.
Custom profile — This is the default profile. You can configure firewall policies to control application access to the network and to control traffic between address groups.
 
When launch new applications
Select the firewall action taken when an unknown application tries to communicate through the firewall:
Ask — The user is asked if the application should be allowed or denied network access. This is the default option.
Allow — Allow the application to communicate, but raise a firewall violation alert.
Block — The application is blocked and raises a firewall violation alert.
 
Disable task bar notification of blocked network traffic
Do not alert the FortiClient user that traffic is blocked.
 
Enable Trusted IP
Trusted IP addresses, defined in Firewall > Trusted IP, are not scanned for potential intrusion attempts. See “Configuring trusted IPs exempted from intrusion detection”.
 
Rules order of global firewall policy
When there are “allow” and “deny” firewall rules in FortiClient, this setting determines the action that has higher priority when rules overlap.
Allow rules first — When selected, the “allow” firewall rules in FortiClient are processed first.
Deny rule first — When selected, the “deny” firewall rules in FortiClient are processed first.
Ping Servers
 
Use Ping servers to determine the trust status of networks
The FortiClient application checks for a response from the ping servers you have configured to determine whether it is connected to a trustworthy network. See “Configuring ping servers for a FortiClient agent firewall”.
Zone Security Setting
Select the security level for the Public and Trusted zones.
 
Public Zone Security Level
High — Block ICMP and NetBIOS, but allow other traffic coming from this zone.
Medium — Block ICMP and NetBIOS from this zone, but allow other traffic. Allow NetBIOS to this zone.
Low — Allow all traffic, except where disallowed by application policies.
By default, the Public Zone has High security level.
 
Trusted Zone Security Level
High — Block ICMP and NetBIOS, but allow other traffic coming from this zone.
Medium — Allow all traffic to and from this zone.
Low — Allow all traffic, except where disallowed by application policies.
By default, the Trusted Zone has Medium security level.
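
The following added example (not Fortinet code and not part of the original page) models how "Rules order of global firewall policy" and the firewall default action decide the verdict when an allow rule and a deny rule overlap, and lists the flows whose verdict depends on the rules order. The Rule class, the function names, and the sample rules and addresses are constructed for illustration; the model assumes that the action processed first wins whenever both kinds of rule match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    network: str  # destination network in CIDR form (constructed)
    port: int     # destination TCP port

    def matches(self, dst: str, port: int) -> bool:
        return port == self.port and ip_address(dst) in ip_network(self.network)


def verdict(rules, dst, port, rules_order="deny_first", default_action="block"):
    """Assumed model of the two settings, not FortiClient's actual engine.

    rules_order:    "allow_first" or "deny_first" (action that wins on overlap)
    default_action: "block" or "allow" (applied when no rule matches)
    """
    matched = {r.action for r in rules if r.matches(dst, port)}
    if not matched:
        return default_action
    if len(matched) == 2:  # overlap: the rules order decides
        return "allow" if rules_order == "allow_first" else "block"
    return "allow" if "allow" in matched else "block"


def order_sensitive(rules, flows):
    """Return the flows whose verdict flips when the rules order is changed."""
    return [f for f in flows
            if verdict(rules, *f, rules_order="allow_first")
            != verdict(rules, *f, rules_order="deny_first")]


# Constructed sample policy: a broad allow overlapping a narrower deny.
RULES = [
    Rule("allow", "10.0.0.0/8", 445),
    Rule("deny", "10.20.30.0/24", 445),
]
# Constructed sample flows: (destination address, destination port).
FLOWS = [("10.1.1.5", 445), ("10.20.30.7", 445), ("192.0.2.10", 445)]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, {o: verdict(RULES, *flow, rules_order=o)
                     for o in ("allow_first", "deny_first")})
    print("order-sensitive flows:", order_sensitive(RULES, FLOWS))
```

Running the same comparison over an exported rule set before changing the rules order shows which destinations would gain or lose access as a result of the change.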