Configuring endpoint protection

Endpoint Protection requires that all hosts connecting to an interface have the FortiClient Endpoint Security application installed. Make sure that all endpoints behind the interface are able to install this application. Currently, FortiClient Endpoint Security is available for Microsoft Windows (2000 and later), Apple (Mac OS X and later), and Android devices only.

By default, the FortiGuard service provides the FortiClient installer. If you prefer to host it on your own server, see Changing the FortiClient installer download location, below.

To set up Endpoint Protection, complete the following:

  • Create a FortiClient Profile or use the default profile. See Creating a FortiClient profile. Enable the application sensor and web category filtering profiles that you want to use.
  • Configure the FortiGate unit to support endpoint registration using FortiTelemetry (under Network > Interfaces, allow FortiTelemetry admission control).
  • Optionally, enforce FortiClient registration. See Enforcing FortiClient registration.
  • Optionally, configure application sensors and web filter profiles as needed to monitor or block applications.
  • Optionally, modify the Endpoint NAC Download Portal replacement messages (one per platform). See Modifying the endpoint protection replacement messages.

Creating a FortiClient profile

FortiClient profiles allow you to perform vulnerability scans on endpoints and make sure endpoints are running compliant versions of FortiClient. Also, security posture features cause FortiClient to apply realtime protection, AntiVirus, web filtering, and application control on endpoints.

It is possible for more than one profile to be assigned to a device type. As with security policies, clients are matched to FortiClient profiles in the order that the profiles appear in the list.

Features involving general settings have been removed from the FortiClient profile GUI in 5.4.1. Features emphasizing compliance of the endpoint devices have been added. These enhancements facilitate integration with the Security Fabric.

To create a FortiClient profile - GUI - FortiOS 5.6.0
  1. If you plan to use the Application Firewall feature in the FortiClient profile, go to Security Profiles > Application Control to create the Application Sensors that you will need.
  2. If you plan to use the Web Category Filtering, go to Security Profiles > Web Filter to create the Web Filter Profile that you will need.
  3. Go to Security Profiles > FortiClient Profiles. If there is only the default FortiClient profile, it will be displayed and ready to edit. At the top right of the page you can select or create other profiles.
  4. Select Create New or edit an existing profile.
  5. In Assign Profile To, select the device groups, user groups, and users to which this FortiClient profile applies. This is not available for the default profile.
  6. Set the Endpoint Vulnerability Scan on Client quarantine level. As in FortiOS 5.4, you can set the FortiClient profile to run the FortiClient vulnerability scanner on endpoints, and you can set the vulnerability quarantine level to quarantine endpoints that don't comply. The FortiGate quarantines a host when a vulnerability of the selected severity, or higher, is detected. Options are: Critical, High, Medium, Low, and Information.
  7. System Compliance. FortiOS 5.6 system compliance settings are similar to those in 5.4, with the addition of a non-compliance action. System compliance checking is performed by FortiClient, but the non-compliance action is applied by the FortiGate:
    • Select the Minimum FortiClient version, if necessary. The lowest supported version is 5.4.1.
    • Identify which logs, if any, you will upload to FortiAnalyzer.
    • Set the Non-compliance action: Block or Warning.
  8. Under Security Posture Check, enable the required options for your network:
    • Realtime Protection
    • Third party AntiVirus on Windows (required for Windows endpoints)
    • Identify which logs, if any, you will upload to FortiAnalyzer.
    • Select whether to enable a Web Filter security profile and/or an Application Control sensor.
    • Set the Non-compliance action: Block or Warning.
  9. Select OK or Apply.

To create a FortiClient profile - CLI:

This example creates a profile for Windows and Mac computers.

    config endpoint-control profile
        edit ep-profile1
            set device-groups mac windows-pc
            config forticlient-winmac-settings
                set forticlient-av enable
                set forticlient-wf enable
                set forticlient-wf-profile default
            end
        end

Enforcing FortiClient registration

When you enable FortiTelemetry (formerly known as FortiHeartbeat) on an interface, the option to enforce FortiClient registration becomes available. Devices connecting to that interface are forced to register to the FortiGate and install FortiClient before gaining access to network services.

The following example includes editing the default FortiClient profile to enforce real-time antivirus protection and malicious website blocking.

To enforce FortiClient registration on the internal interface - GUI:
  1. On the FortiGate, go to System > Feature Visibility and enable Endpoint Control.
  2. Go to Network > Interfaces and edit the internal interface.
  3. Under Administrative Access, enable FortiClient Telemetry.
  4. Under Admission Control, enable Enforce FortiClient Compliance Check.
    Once this is enabled, you have the option to Exempt Sources and/or Exempt Destinations/Services. If you were to exempt a source device, that device would not require FortiClient registration to access network services or the Internet.
  5. Go to Security Profiles > FortiClient Profiles.
  6. Under Security Posture Check, enable Realtime Protection and Up-to-date signatures.

Changing the FortiClient installer download location

By default, FortiClient installers are downloaded from the FortiGuard network. You can also host these installers on your own server for your users to download. In that case, you must configure FortiOS with this custom download location. For example, to set the download location to a custom web server with the address custom.example.com, enter the following command:

    config endpoint-control settings
        set download-location custom
        set download-custom-link "http://custom.example.com"
    end

Storing FortiClient configuration files

Advanced FortiClient configuration files of up to 32k may be stored:

  1. Enable the advanced FortiClient configuration option in the endpoint profile:

    config endpoint-control profile
        edit "default"
            set forticlient-config-deployment enable
            set fct-advanced-cfg enable
            set fct-advanced-cfg-buffer "hello"
            set forticlient-license-timeout 1
            set netscan-discover-hosts enable
        next
    end

  2. Export the configuration from FortiClient (XML format).
  3. Copy the contents of the configuration file and paste it into the advanced FortiClient configuration box.

If the configuration file is larger than 32k, you need to use the following CLI:

    config endpoint-control profile
        edit <profile>
            config forticlient-winmac-settings
                config extra-buffer-entries
                    edit <entry_id>
                        set buffer xxxxxx
                    next
                end
            end
        next
    end
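Splitting a large exported configuration into buffer entries by hand is error-prone, so the following Python script is added here as a worked example; it is not from the FortiOS documentation or from Fortinet. It splits an exported FortiClient XML configuration into pieces that each fit the 32k limit stated above and emits the CLI shown above. Three things are assumptions, not facts from this page: that the first piece goes in fct-advanced-cfg-buffer and the overflow continues, in order, in the numbered extra-buffer-entries; that each extra entry has the same 32k limit as the main buffer (the per-entry limit is not stated here, so it is a parameter); and that quoted values escape embedded quotes and backslashes with a backslash. Line breaks inside the XML are passed through unchanged; check on a test device how your FortiOS release accepts them.

```python
"""Generate FortiOS CLI that stores a FortiClient XML configuration larger
than 32k across fct-advanced-cfg-buffer and extra-buffer-entries.

Added example, not Fortinet code. The per-entry limit, the ordering of
chunks across entries and the quoting rules are assumptions (see lead-in).
"""
from typing import List

# The page states a 32k limit for the advanced configuration buffer; the
# same limit is assumed for each extra-buffer entry.
MAX_BUFFER_BYTES = 32 * 1024


def chunk_by_bytes(text: str, limit: int = MAX_BUFFER_BYTES) -> List[str]:
    """Split text into pieces whose UTF-8 encoding is at most `limit` bytes,
    without splitting a multi-byte character across two pieces."""
    if limit <= 0:
        raise ValueError("limit must be positive")
    chunks: List[str] = []
    current: List[str] = []
    current_len = 0
    for ch in text:
        n = len(ch.encode("utf-8"))
        if n > limit:
            raise ValueError("a single character exceeds the chunk limit")
        if current_len + n > limit:
            chunks.append("".join(current))
            current, current_len = [], 0
        current.append(ch)
        current_len += n
    if current:
        chunks.append("".join(current))
    return chunks


def quote(value: str) -> str:
    """Double-quote a value for a FortiOS `set` statement. Backslash escaping
    of embedded backslashes and quotes is an assumption."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_cli(profile: str, xml_config: str, limit: int = MAX_BUFFER_BYTES) -> str:
    """Return the CLI for `profile`: first chunk in fct-advanced-cfg-buffer,
    remaining chunks as extra-buffer-entries numbered from 1 (assumed order)."""
    chunks = chunk_by_bytes(xml_config, limit)
    lines = [
        "config endpoint-control profile",
        f"    edit {quote(profile)}",
        "        set forticlient-config-deployment enable",
        "        set fct-advanced-cfg enable",
        f"        set fct-advanced-cfg-buffer {quote(chunks[0])}",
    ]
    if len(chunks) > 1:
        lines += [
            "        config forticlient-winmac-settings",
            "            config extra-buffer-entries",
        ]
        for entry_id, chunk in enumerate(chunks[1:], start=1):
            lines += [
                f"                edit {entry_id}",
                f"                    set buffer {quote(chunk)}",
                "                next",
            ]
        lines += ["            end", "        end"]
    lines += ["    next", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a tiny limit so the split is visible in the output.
    sample_xml = "<forticlient_configuration>" + "<item>x</item>" * 6 + "</forticlient_configuration>"
    print(render_cli("default", sample_xml, limit=40))
```

Run it with the real path of the exported XML read into `xml_config` and the default limit; the printed CLI can be pasted into the FortiGate console or a script.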

Blocking access to unsupported FortiClient endpoints

You can use the following command to deny registration of unsupported FortiClient endpoints. An unsupported FortiClient endpoint is one that is running FortiClient but, for some reason, cannot be fully identified because not all of the required criteria are available, or one that is running an unsupported version of FortiClient. Required information that might be missing includes the endpoint's IP address or MAC address.

    config endpoint-control settings
        set forticlient-dereg-unsupported-client enable
    end

Configuring the FortiClient offline grace period

Administrators can configure an offline grace period for registered FortiClients that go offline, so that the FortiClient probe can still be processed and the endpoint compliance action is not triggered.

  • The grace period is allowed for a client that is compliant, registered, and offline.
  • The grace period has a used status, which determines whether the client is before, during, or after the grace period.
  • Online and compliant clients reset the grace status to unused.

Syntax

    config endpoint-control settings
        set forticlient-offline-grace {enable | disable}
        set forticlient-offline-grace-interval <seconds>
    end

The default interval is 120 seconds.
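The three bullets above describe a small state machine, and writing it out makes clear when the non-compliance action would apply to an offline client. The following Python is an added illustration, not Fortinet's implementation or FortiOS code: it tracks the unused, in-use and used grace status for a constructed endpoint record and evaluates it against the 120 second default interval. The field names, the decision order and the treatment of unregistered or non-compliant clients (no grace at all) are assumptions that follow the bullets on this page.

```python
"""Illustrative model of the FortiClient offline grace period.

Added example, not FortiOS code: field names and decision order are
assumptions that follow the three bullets on this page.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_GRACE_INTERVAL = 120  # forticlient-offline-grace-interval default, in seconds

# Grace status values: before, during and after the grace period.
UNUSED, IN_USE, USED = "unused", "in-use", "used"


@dataclass
class Endpoint:
    """Constructed endpoint record as the FortiGate might track it."""
    registered: bool
    compliant: bool          # result of the last compliance check FortiClient reported
    online: bool
    grace_status: str = UNUSED
    grace_started: Optional[float] = None


def evaluate(ep: Endpoint, now: float, grace_enabled: bool = True,
             grace_interval: int = DEFAULT_GRACE_INTERVAL) -> str:
    """Return 'compliant', 'grace' or 'non-compliant' and update the grace state.

    `now` is a timestamp in seconds; the grace window is measured from the
    moment the client was first evaluated while offline.
    """
    if not ep.registered:
        # Grace applies only to registered clients (assumption: anything else
        # is handled by the non-compliance action).
        return "non-compliant"
    if ep.online and ep.compliant:
        # Online and compliant clients reset the grace status to unused.
        ep.grace_status, ep.grace_started = UNUSED, None
        return "compliant"
    if not ep.compliant:
        # A client that was not compliant before going offline gets no grace.
        return "non-compliant"
    # Registered, last known compliant, currently offline.
    if not grace_enabled:
        return "non-compliant"
    if ep.grace_status == UNUSED:
        ep.grace_status, ep.grace_started = IN_USE, now
        return "grace"
    if ep.grace_status == IN_USE and now - ep.grace_started <= grace_interval:
        return "grace"
    # Grace period consumed: the action applies until the client is back online.
    ep.grace_status = USED
    return "non-compliant"


def demo_timeline() -> List[str]:
    """Walk one constructed endpoint through online, offline and back online."""
    ep = Endpoint(registered=True, compliant=True, online=True)
    out = [evaluate(ep, 0)]           # online and compliant
    ep.online = False
    out.append(evaluate(ep, 10))      # just went offline: grace period starts
    out.append(evaluate(ep, 100))     # 90 s into the window, still within 120 s
    out.append(evaluate(ep, 140))     # 130 s: past the interval, action applies
    ep.online = True
    out.append(evaluate(ep, 150))     # back online and compliant: status reset
    return out


if __name__ == "__main__":
    print(demo_timeline())
```

With the default interval the timeline evaluates to compliant, grace, grace, non-compliant, compliant; with forticlient-offline-grace disabled the same client is non-compliant as soon as it goes offline.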