Creating a FortiClient profile
There is a default FortiClient profile for Windows and Mac OS that enables only AntiVirus, Web Filtering, and VPN. You can modify this profile or create your own FortiClient profiles.
Except for the default profile, each FortiClient profile is assigned to particular device groups, and optionally to particular users and user groups. If no other FortiClient profile is assigned to a particular device type, the default profile applies. It is possible for more than one profile to be assigned to a device type. As with security policies, clients are matched to FortiClient profiles in the order that the profiles appear in the list.
When Compliant with FortiClient Profile is selected in the security policy, all users of that policy must have FortiClient Endpoint Security installed. The FortiGate unit pushes the FortiClient profile settings to the FortiClient application on the client.
To create a FortiClient profile - web-based manager
1. If you will use the Application Firewall feature, go to Security Profiles > Application Control to create the Application Sensors that you will need.
2. If you will use Web Category Filtering, go to Security Profiles > Web Filter to create the web filter profile that you will need.
3. Go to User & Device > FortiClient Profiles.
If there is only the default FortiClient profile, it is displayed, ready to edit. At the top right of the page you can select or create other profiles.
4. Select Create New or select an existing profile and Edit it.
5. In Assign Profile To, select the device groups, user groups, and users to which this FortiClient profile applies. This is not available for the default profile.
6. Enter the FortiClient Configuration Deployment settings for Windows and Mac:
Antivirus Protection
ON — enable the FortiClient realtime AntiVirus feature.
Web Category Filtering
ON — enable web category filtering. Select the web filter profile to use.
VPN
ON - enable VPN use by FortiClient.
 
Client VPN Provisioning
Enable to configure the FortiClient VPN client. Enter the VPN configuration details.
Application Firewall
ON — enable application control. Select the application sensor to use.
Use FortiManager for client software/signature update
ON — FortiClient software obtains AV signatures and software updates from the specified FQDN or IP address. Failover to FDN when FortiManager is not available is enabled by default.
Dashboard Banner
ON — Display dashboard banner.
7. Enter the FortiClient Configuration Deployment settings for iOS:
Web Category Filtering
ON — enable web category filtering. Select the web filter profile to use.
Client VPN Provisioning
Enable to configure the FortiClient VPN client. You can enter multiple VPN configurations by selecting the “+” button.
 
VPN Name
Enter a name to identify this VPN configuration in the FortiClient application.
 
Type
Select IPsec or SSL-VPN.
If you select IPsec, select a VPN Configuration File that contains the required IPsec VPN configuration. The Apple iPhone Configuration Utility produces .mobileconfig files which contain configuration information for an iOS device.
If you select SSL-VPN, enter the VPN configuration details.
Distribute Configuration Profile
ON — Distribute configuration information to iOS devices running FortiClient Endpoint Security. Select Browse and locate the file to be distributed.
The Apple iPhone Configuration Utility produces .mobileconfig files which contain configuration information for an iOS device.
8. Enter the FortiClient Configuration Deployment settings for Android:
Web Category Filtering
ON — enable web category filtering. Select the web filter profile to use.
 
Disable Web Category Filtering when protected by this FortiGate
Disables FortiClient web category filtering when client traffic is filtered by the FortiGate unit. Selected by default.
Client VPN Provisioning
Enable to configure the FortiClient VPN client. You can enter multiple VPN configurations by selecting the “+” button.
 
VPN Name
Enter a name to identify this VPN configuration in the FortiClient application.
 
Type
Select IPsec or SSL-VPN. Enter the VPN configuration details.
9. Select OK.
To create a FortiClient profile - CLI
This example creates a profile for Windows and Mac computers.
config endpoint-control profile
    edit ep-profile1
        set device-groups mac windows-pc
        config forticlient-winmac-settings
            set forticlient-av enable
            set forticlient-wf enable
            set forticlient-wf-profile default
        end
end
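To check exported configuration text against the profile layout shown in the CLI example, the following Python parses config endpoint-control profile blocks and reports profiles where the settings from that example are not enabled. This is an added example, not Fortinet code or part of the original page. The sample text, the ep-profile2 entry and the rule that AntiVirus and web filtering should both be on are assumptions, and a key missing from the text is treated as not enabled.

```python
import shlex

# Constructed sample: the page's ep-profile1 plus a hypothetical ep-profile2.
SAMPLE = """\
config endpoint-control profile
    edit ep-profile1
        set device-groups mac windows-pc
        config forticlient-winmac-settings
            set forticlient-av enable
            set forticlient-wf enable
            set forticlient-wf-profile default
        end
    next
    edit ep-profile2
        config forticlient-winmac-settings
            set forticlient-wf enable
        end
end
"""

def parse_profiles(text):
    """Return {profile: {key: [values]}} in list order; nested blocks are flattened."""
    profiles, current, depth, in_table = {}, None, 0, False
    for raw in text.splitlines():
        # Blank and '#' comment lines become [""] and match no command below.
        tok = shlex.split(raw, comments=True) or [""]
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # top-level table: only endpoint-control profile is read
                in_table = tok[1:] == ["endpoint-control", "profile"]
        elif tok[0] == "edit" and depth == 1 and in_table:
            current = profiles.setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
        elif tok[0] == "end":
            depth -= 1
        # A profile entry is closed by "next", or by the "end" that closes the table.
        if depth == 0 or (tok[0] == "next" and depth == 1):
            current = None
    return profiles

def audit(profiles):
    """List (profile, finding) pairs for settings the text does not enable."""
    findings = []
    for name, cfg in profiles.items():
        for key in ("forticlient-av", "forticlient-wf"):
            if cfg.get(key) != ["enable"]:
                findings.append((name, f"{key} not enabled"))
        if cfg.get("forticlient-wf") == ["enable"] and not cfg.get("forticlient-wf-profile"):
            findings.append((name, "forticlient-wf enabled without forticlient-wf-profile"))
    return findings
```

Calling audit(parse_profiles(SAMPLE)) flags only ep-profile2; the page's own ep-profile1 produces no findings.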