New device management features include:
- On-Net Status for FortiClient Devices
- Endpoint Licenses
- URL Filter Lists in Endpoint Control
- FortiGuard Categories Consistency with FortiClient
- Default Device Groups
- Device Detection for Traffic Not Flowing Through the FortiGate
The Online column of the FortiClient Monitor has been changed to Status. This column will show the current status of the device, and whether or not it is registered.
Two of the possible status values are on-net and off-net. To record this information, the FortiGate's DHCP server must have FortiClient On-Net Status enabled. To determine whether a FortiClient device is on-net or off-net, the DHCP server sends FortiClient a DHCP cookie containing the FortiGate's serial number. FortiClient compares that serial number with the serial number of the FortiGate it is registered with; if they match, the FortiClient is considered on-net.
In configurations using high availability, the cookie contains the serial number of all cluster members.
This status has also led to the following options being added to FortiClient profiles:
- Client Web Filtering when On-Net: when enabled, web filtering is applied to FortiClient traffic even when it is protected by a FortiGate unit.
- Auto-connect when Off-Net: when enabled, FortiClient automatically connects to a VPN while it has off-net status.
- Client-based Logging when On-Net: when enabled, FortiClient continues to log even when its traffic is flowing through a FortiGate unit.
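The on-net decision and the three profile options above form a small decision table, shown here as an added example that is not code from FortiOS or FortiClient. The cookie layout (a comma-separated list of serial numbers), the serial values and the profile keys are constructed assumptions; the page only states that the cookie carries the serial number(s) and that the client compares them against its registered FortiGate. The off-net defaults (client filters and logs locally because no FortiGate is in the path) follow the wording of the options.

```python
from typing import Dict, List, Optional

# Constructed placeholder serial; real serial numbers are not on the page.
REGISTERED_FORTIGATE_SERIAL = "FGT-SERIAL-EXAMPLE-A"


def parse_on_net_cookie(cookie: str) -> List[str]:
    """Split the on-net cookie into serial numbers.

    Assumed (hypothetical) format: comma-separated serial numbers. With HA the
    list contains the serial number of every cluster member, so a client
    registered with any member is still on-net after a failover.
    """
    return [s.strip() for s in cookie.split(",") if s.strip()]


def on_net_status(cookie: Optional[str], registered_serial: str) -> str:
    """Return 'on-net' when any serial in the cookie equals the serial of the
    FortiGate the client is registered with, otherwise 'off-net'.

    No cookie at all (for example, a DHCP lease from a home router) also
    means off-net, so the client falls back to its own enforcement.
    """
    if not cookie:
        return "off-net"
    if registered_serial in parse_on_net_cookie(cookie):
        return "on-net"
    return "off-net"


def effective_client_behaviour(status: str, profile: Dict[str, bool]) -> Dict[str, bool]:
    """Derive client-side behaviour from the status and the profile options.

    Profile keys are constructed names for the three options:
      web_filter_when_on_net   -> Client Web Filtering when On-Net
      auto_connect_when_off_net -> Auto-connect when Off-Net
      logging_when_on_net      -> Client-based Logging when On-Net
    """
    on_net = status == "on-net"
    return {
        # Off-net: client must filter itself. On-net: only if the option is set.
        "client_web_filtering": (not on_net) or profile.get("web_filter_when_on_net", False),
        # VPN auto-connect only makes sense off-net, and only if enabled.
        "vpn_auto_connect": (not on_net) and profile.get("auto_connect_when_off_net", False),
        # Off-net: client logs locally. On-net: only if the option is set.
        "client_logging": (not on_net) or profile.get("logging_when_on_net", False),
    }


if __name__ == "__main__":
    profile = {
        "web_filter_when_on_net": False,
        "auto_connect_when_off_net": True,
        "logging_when_on_net": True,
    }
    # Constructed cookies: a standalone FortiGate and a two-member HA cluster.
    for cookie in ("FGT-SERIAL-EXAMPLE-A",
                   "FGT-SERIAL-EXAMPLE-B,FGT-SERIAL-EXAMPLE-A",
                   "FGT-SERIAL-EXAMPLE-C",
                   None):
        status = on_net_status(cookie, REGISTERED_FORTIGATE_SERIAL)
        print(cookie, "->", status, effective_client_behaviour(status, profile))
```

A serial number in a DHCP option is not a secret, so the status is a convenience signal rather than an authentication result: a client that reports off-net simply gets the stricter local policy, which is the safe direction for a mismatch.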
New Endpoint licenses are now available in FortiOS 5.2. Information about the status of the current license can be found in the FortiClient section of the License Information widget.
The following licenses will be available:
- Desktop models and FortiGate-VM00: 200 clients
- 1U models, FortiGate-VM01 and FortiGate-VM02: 2,000 clients
- 2U models and FortiGate-VM04: 8,000 clients
- 3U models, FortiGate-ATCA, and FortiGate-VM08: 20,000 clients
Because the new licenses are valid for one year, the activation method has changed. New licenses are purchased in the same way as a FortiGuard service, with no further registration of the license required. The device can then be registered with the FortiGate unit.
If the device does not have access to the Internet, you can download the license key from the support site and manually upload it to your FortiGate. The license is tied to that specific device and has an expiry date.
While the older licenses from FortiOS 5.0 will still be supported, they will have the following limitations:
- The On-Net Status feature will not be supported.
- Logging options will only appear in the CLI.
- FortiAnalyzer Support for logging and reporting will be limited.
- You will not be able to enter any v5.0 license keys.
URL filters can now be sent to devices running FortiClient that connect to the FortiGate unit. All URL filter types (Simple/Regex/Wildcard) and actions (Allow/Block/Exempt/Monitor) can be deployed to FortiClient.
Upon receiving the URL filter list, FortiClient will save and display the received URL filter list in the web-based manager.
If the URL list is later changed or removed from the FortiGate unit, these changes will also appear in FortiClient.
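Since the same list is enforced on the client when it is off-net, it is worth being precise about how each filter type and action behaves. The following is an added example, not FortiGate or FortiClient code: it evaluates a constructed URL filter list against URLs. The matching rules are assumptions modelled on common firewall behaviour (Simple matches the exact host plus a path prefix, so subdomains do not match; Wildcard uses `*`; Regex is applied to `host/path`), the list is evaluated top to bottom with the first match winning, and the effect of each action (Block denies, Allow and Monitor permit with Monitor logging, Exempt permits and skips further web filtering) is likewise an assumption.

```python
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed filter list: (type, pattern, action), in evaluation order.
FILTER_LIST: List[Tuple[str, str, str]] = [
    ("simple",   "intranet.example.com",            "exempt"),
    ("wildcard", "*.example.com/downloads/*",        "monitor"),
    ("regex",    r"(^|\.)badsite\.example(/|$)",     "block"),
    ("simple",   "example.org",                      "allow"),
]

# Assumed effect of each action on the request.
ACTION_EFFECTS: Dict[str, Dict[str, bool]] = {
    "allow":   {"allowed": True,  "log": False, "skip_further_web_filtering": False},
    "block":   {"allowed": False, "log": True,  "skip_further_web_filtering": True},
    "exempt":  {"allowed": True,  "log": False, "skip_further_web_filtering": True},
    "monitor": {"allowed": True,  "log": True,  "skip_further_web_filtering": False},
}


def _host_path(url: str) -> Tuple[str, str]:
    """Normalise a URL (scheme optional) into a lower-cased host and a path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname.lower() if parts.hostname else ""
    return host, parts.path or "/"


def _matches(ftype: str, pattern: str, url: str) -> bool:
    """Apply one filter entry of the given type to the URL."""
    host, path = _host_path(url)
    target = host + path
    if ftype == "simple":
        # Exact host match plus path prefix; "example.org" does not cover www.example.org.
        p_host, _, p_path = pattern.lower().partition("/")
        return host == p_host and path.startswith("/" + p_path)
    if ftype == "wildcard":
        # fnmatch '*' spans '/' as well, so "*.example.com/downloads/*" covers any file.
        return fnmatchcase(target, pattern.lower())
    if ftype == "regex":
        return re.search(pattern, target, re.IGNORECASE) is not None
    raise ValueError(f"unknown filter type: {ftype}")


def evaluate(url: str, filter_list: List[Tuple[str, str, str]] = FILTER_LIST) -> Dict[str, object]:
    """Return the verdict for the first matching entry, or a no-match verdict
    that hands the URL on to later web filter stages (e.g. FortiGuard categories)."""
    for ftype, pattern, action in filter_list:
        if _matches(ftype, pattern, url):
            return {"action": action, "matched": pattern, **ACTION_EFFECTS[action]}
    return {"action": "no-match", "matched": None, "allowed": True,
            "log": False, "skip_further_web_filtering": False}


if __name__ == "__main__":
    for u in ("https://intranet.example.com/portal",
              "http://files.example.com/downloads/tool.zip",
              "http://www.badsite.example/",
              "http://example.org/",
              "http://www.example.org/"):
        print(u, "->", evaluate(u))
```

The ordering matters: an Exempt or Allow entry placed above a Block entry that would also match the same URL silently neutralises the block, both on the FortiGate and on every client the list is pushed to, so review the list order whenever an entry is added or removed.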
If FortiGuard categories are disabled on a FortiGate unit, they will now also be disabled in FortiClient for managed devices, even if FortiGuard categories were used previously.
The predefined device groups have been changed to the following:
- Windows PC (includes Windows servers and computers but not tablets or phones)
- Mobile devices (includes tablets and phones from all vendors)
- VoIP phones
- Router/firewall/gateway devices (does not include switch devices)
- Other (for unknown devices)
To improve accuracy, device types are now identified using UIDs instead of MAC addresses.
In FortiOS 5.2, any traffic hitting a FortiGate interface, regardless of whether it is going to be dropped, forwarded or processed locally, will be used by device detection, allowing devices to be detected even if their traffic does not flow through the FortiGate unit. This includes traffic that hits an interface with IPS sniffer mode enabled, as well as broadcast and multicast traffic.