Chapter 14 Managing Devices for FortiOS 5.0 : Endpoint Protection : Creating a FortiClient profile
  
Creating a FortiClient profile
Each FortiClient profile is assigned to particular device groups, user groups, or individual users. When Compliant with FortiClient Profile is selected in a Device Identity policy authentication rule, all users of that rule must have FortiClient Endpoint Security installed. The FortiGate unit pushes the FortiClient profile settings to the FortiClient application on the client.
There is a default FortiClient profile for Windows and Mac OS that enables only AntiVirus, Web Filtering, and VPN. You can also create your own FortiClient profiles.
To create a FortiClient profile - web-based manager
1. If you will use the Application Firewall feature, go to Security Profiles > Application Control > Application Sensors to create the Application Sensors that you will need.
2. If you will use Web Category Filtering, go to Security Profiles > Web Filter > Profiles to create the web filter profile that you will need.
3. Go to User & Device > Endpoint Protection > FortiClient Profiles.
The list of FortiClient profiles is displayed.
4. Select Create New or select an existing profile and Edit it.
5. In Assign Profile To, select the device groups, user groups, and users to which this FortiClient profile applies. This is not available for the default profile.
6. Enter the FortiClient Configuration Deployment settings for Windows and Mac:
   Antivirus Protection: ON — enable the FortiClient realtime AntiVirus feature.
   Web Category Filtering: ON — enable web category filtering. Select the web filter profile to use.
      Disable Web Category Filtering when protected by this FortiGate: Disables FortiClient web category filtering when client traffic is filtered by the FortiGate unit. Selected by default.
   Client VPN Provisioning: Enable to configure the FortiClient VPN client. Enter the VPN configuration details.
   Application Firewall: ON — enable application control. Select the application sensor to use.
   Endpoint Vulnerability Scan on Client: ON — the FortiGate unit will perform a vulnerability scan on the client. Select the desired schedule.
      Initiate Scan After Client Registration: Enables a scan following registration, regardless of schedule. Selected by default.
   Upload logs to FortiAnalyzer/FortiManager: ON — FortiClient software will upload its logs to the specified FQDN or IP address. Select the desired schedule.
   Use FortiManager for client software/signature update: ON — FortiClient software obtains AV signatures and software updates from the specified FQDN or IP address. Failover to FDN when FortiManager is not available is enabled by default.
   Dashboard Banner: ON — display the dashboard banner.
7. Enter the FortiClient Configuration Deployment settings for iOS:
   Web Category Filtering: ON — enable web category filtering. Select the web filter profile to use.
      Disable Web Category Filtering when protected by this FortiGate: Disables FortiClient web category filtering when client traffic is filtered by the FortiGate unit. Selected by default.
   Client VPN Provisioning: Enable to configure the FortiClient VPN client. You can enter multiple VPN configurations by selecting the “+” button.
      VPN Name: Enter a name to identify this VPN configuration in the FortiClient application.
      Type: Select IPsec or SSL-VPN. If you select IPsec, select a VPN Configuration File that contains the required IPsec VPN configuration. The Apple iPhone Configuration Utility produces .mobileconfig files which contain configuration information for an iOS device. If you select SSL-VPN, enter the VPN configuration details.
   Distribute Configuration Profile: ON — Distribute configuration information to iOS devices running FortiClient Endpoint Security. Select Browse and locate the file to be distributed. The Apple iPhone Configuration Utility produces .mobileconfig files which contain configuration information for an iOS device.
8. Enter the FortiClient Configuration Deployment settings for Android:
   Web Category Filtering: ON — enable web category filtering. Select the web filter profile to use.
      Disable Web Category Filtering when protected by this FortiGate: Disables FortiClient web category filtering when client traffic is filtered by the FortiGate unit. Selected by default.
   Client VPN Provisioning: Enable to configure the FortiClient VPN client. You can enter multiple VPN configurations by selecting the “+” button.
      VPN Name: Enter a name to identify this VPN configuration in the FortiClient application.
      Type: Select IPsec or SSL-VPN. Enter the VPN configuration details.
9. Select OK.
To create a FortiClient profile - CLI
This example creates a profile for Windows and Mac computers.
config endpoint-control profile
  edit ep-profile1
    set device-groups mac windows-pc
    config forticlient-winmac-settings
      set forticlient-av enable
      set forticlient-wf enable
      set forticlient-wf-profile default
    end
end
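The following is an added example, not part of the original documentation: a Python check that parses a saved `config endpoint-control profile` block in the form shown above and reports profiles where forticlient-av or forticlient-wf is not explicitly enabled. The ep-profile2 entry is a constructed sample, and treating an absent key as "not explicit" is this example's policy, since the page does not state defaults for custom profiles.

```python
TABLE = ("config", "endpoint-control profile")
REQUIRED = ("forticlient-av", "forticlient-wf")  # this example's policy (assumption)

# Constructed sample: the page's ep-profile1 plus a hypothetical ep-profile2.
SAMPLE = """\
config endpoint-control profile
    edit ep-profile1
        set device-groups mac windows-pc
        config forticlient-winmac-settings
            set forticlient-av enable
            set forticlient-wf enable
            set forticlient-wf-profile default
        end
    next
    edit ep-profile2
        config forticlient-winmac-settings
            set forticlient-av disable
            set forticlient-wf enable
        end
end
"""

def parse_profiles(text):
    """Parse config/edit/set nesting into {profile: {section: {key: [values]}}}."""
    profiles, stack = {}, []
    for line in text.splitlines():
        tok = line.split() or [""]
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
            if tok[0] == "edit" and len(stack) == 2 and stack[0] == TABLE:
                profiles.setdefault(stack[1][1], {})  # record profiles with no settings too
        elif tok[0] == "next" and stack:
            stack.pop()                               # "next" closes the current edit
        elif tok[0] == "end" and stack:
            if stack.pop()[0] == "edit" and stack:    # page style: "end" inside an edit
                stack.pop()                           # also closes the enclosing table
        elif tok[0] == "set" and len(tok) > 2 and len(stack) >= 2 and stack[0] == TABLE:
            section = stack[-1][1] if stack[-1][0] == "config" else "profile"
            profiles.setdefault(stack[1][1], {}).setdefault(section, {})[tok[1]] = tok[2:]
    return profiles

def audit(profiles):
    """Return (profile, message) pairs for settings that are not explicitly enabled."""
    findings = []
    for name, prof in profiles.items():
        winmac = prof.get("forticlient-winmac-settings", {})
        findings += [(name, f"{k} not explicitly enabled") for k in REQUIRED if winmac.get(k) != ["enable"]]
        if winmac.get("forticlient-wf") == ["enable"] and "forticlient-wf-profile" not in winmac:
            findings.append((name, "forticlient-wf enabled without explicit forticlient-wf-profile"))
    return findings
```

Calling `audit(parse_profiles(SAMPLE))` returns two findings for ep-profile2 and none for ep-profile1.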