
FortiClient v5.0 Administration Guide


Contents

1. Step 2: Read the Software License Agreement and select Continue. You have the option to print or save the Software Agreement on this screen. You will be prompted to Agree with the terms of the license agreement. [Figure 9: Software License Agreement]
2. Fortinet Technologies Inc. Page 27. FortiClient v5.0 Administration Guide. Step 1: Download and install FortiClient. Open a web browser from your workstation and attempt to open a web page; the web page will be directed to the Captive Portal. Follow the instructions on the portal to download and install FortiClient. [Figure 25: Captive Portal block page is displayed] Text of the block page: "Endpoint Security Required. The use of this security policy requires that the latest FortiClient Endpoint Security software is working properly. Please make sure: FortiClient is installed and running; FortiClient is registered with FortiGate and currently in online status; and the 'Disable configuration sync with FortiGate' option in FortiClient settings is turned off. Installing FortiClient requires that you have administrator privileges on your computer. If you do not, please contact your network administrator to have FortiClient installed. The installer may be downloaded using the following link: FortiClientInstaller Windows Enterprise 5 0 0 exe. Installation instructions. For Internet Explorer: 1. Click the above link to download the installer. 2. When Internet Explorer asks what action you would like to take, click Run. For Firefox: 1. Click the above link to download the installer. 2. Save the installer and note the location it is saved to. 3. Open the folder containing the installer and run it. FortiClient installation may take a few minutes. Thank you."
3. Expand Computer Configuration > Policies > Software Settings. Right-click Software Settings and select New > Package. 10. Select the path of your distribution point and FortiClient installer file, and then select Open. Select Assigned and select OK. The package will then be generated. 11. If you wish to expedite the installation process on both the server and client computers, force a GPO update. 12. The software will be installed on the client computer's next reboot. You can also wait for the client computer to poll the domain controller for GPO changes and install the software then. Uninstall FortiClient using Microsoft Active Directory server: This section describes how to remove FortiClient from client computers using Active Directory. 1. On your domain controller, select Start > Administrative Tools > Group Policy Management. The Group Policy Management MMC Snap-in will open. Expand the Group Policy Objects container, right-click the Group Policy Object you created to install FortiClient, and select Edit. The Group Policy Management Editor will open. Select Computer Configuration > Policy > Software Settings > Software Installation. You will now be able to see the package that was used to install FortiClient. Right-click the package and select All Tasks > Remove. Choose Immediately uninstall the software from users and computers or Allow users to continue to use the software but prevent new i
4. Remote Gateway: Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway. Port: Select to change the port. The default port is 443. Authentication: Select to prompt on login or save login. Username: If you selected to save login, enter the username in the dialog box. Client Certificate: Select to enable client certificates. Certificate: Select the certificate option on the drop-down menu. Do not Warn Invalid Server Certificate: Select if you do not want to be warned if the server presents an invalid certificate. Create a new IPsec VPN connection: To create a new IPsec VPN connection, select Configure VPN or use the drop-down menu on the GUI. On this menu you can configure options outlined in the following figure and table. [Figure 58: IPsec VPN configuration options] Table fields: Connection Name; Type; Description; Remote Gateway; Authentication Method (X.509 Certificate, Pre-shared Key); Authentication (XAuth); Username.
5. Step 3: Configure Firewall Policies. To configure a firewall policy for Endpoint Management, go to Policy > Policy > Policy and select Create New on the right-hand toolbar. For Policy Subtype, select Device Identity. [Figure 19: Create new device identity policy] Add an Accept authentication rule for all compliant Windows PC clients. This rule will allow Windows clients which have installed FortiClient and have been registered to this FortiGate to pass traffic. [Figure 20: Accept authentication rule for compliant Windows PC clients]
6. Registration: Listen for broadcast messages. 2. Configure an IPsec VPN connection from FortiClient to the management FortiGate. For more information on configuring IPsec VPN, see Create a new IPsec VPN connection on page 50. 3. Connect to the VPN. 4. You can now search for the FortiGate gateway. See Step 2: FortiClient registration on page 28 for more information. 5. After registration, the client is able to receive the Endpoint Profile. Remembered FortiGates: FortiClient v5.0 Patch Release 1 adds the option to remember the FortiGate when accepting the broadcast registration message. [Figure 34: Option to remember FortiGate] This feature will be enhanced in future patch releases to allow FortiClient to automatically switch between different remembered devices. Select the registration icon on the dashboard to view information for the current registered device, including the hostname, domain, serial number, and IP address. [Figure 35: Remembered FortiGates]
7. 10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server></connection></connections></sslvpn></vpn></forticlient_configuration> This is a balanced but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted. For SSL VPN, all FortiGates must use the same TCP port. Enabling VPN autoconnect: VPN auto-connect uses the following XML tag: <autoconnect_tunnel>ssl 198 no cert</autoconnect_tunnel> Enabling VPN always up: VPN always up uses the following XML tag: <keep_running>1</keep_running> VPN before logon is currently not supported in FortiClient v5.0 Patch Release 1 (Mac OS X). VPN tunnel & script (Windows). Feature overview: This feature supports auto-running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They will be defined as part of a VPN tunnel configuration on FortiGate's XML format Endpoint Profile. The profile will be pushed down to FortiClient from FortiGate. When FortiClient's VPN tunnel is connected or disconnected, the respective script defined under that tunnel will be executed. Map a network drive after tunnel connection: The script will map a network drive and copy
8. [Figure 17: Device Management options] Step 2: Configure the Client Endpoint Profile. To configure the Client Endpoint Profile, go to User & Device > Device > Endpoint Profile. Edit as required. Select Apply to save the setting. [Figure 18: Edit endpoint profile]
9. Select Remembered FortiGates to show a list of FortiGate devices that FortiClient has previously registered with. Use the right-click menu to forget a specific device. Select the device that you would like to remove from the remembered FortiGates list, right-click, and select Forget. You can also change the order of devices in this list using the right-click menu. [Figure 36: Show remembered devices] View FortiClient registration on the FortiGate Web-based Manager: You can view all registered FortiClient on the FortiGate Web-based Manager. Each new registration will be automatically added to the device table. To view registered devices, go to User & Devices > Device > Device Definition. The state for the new FortiClient registration is listed as Registered.
10. For additional managed clients, an upgraded license must be purchased. The maximum number of managed clients varies per device model. Client limits (FortiGate model: free registrations; FortiClient license upgrade; SKU): FortiGate 40, 60, 80 series, VM00: N/A. FortiGate 100, 200, 300, 600, 800 series, VM01, VM01 Xen, VM02, VM02 Xen: 10; 1,000 client registrations; FCC C0103 LIC. FortiGate 1000, 3000, 5000 series, VM04, VM04 Xen, VM08, VM08 Xen: 10; 3,000 client registrations; FCC C0105 LIC. In high availability (HA) configurations, all cluster members require an upgrade license key. For more information, go to www.forticlient.com. Supported operating systems. Windows: Microsoft Windows 8 (32-bit and 64-bit); Microsoft Windows 7 (32-bit and 64-bit); Microsoft Windows Vista (32-bit and 64-bit); Microsoft Windows XP (32-bit). Mac OS X: Mac OS X v10.8 Mountain Lion; Mac OS X v10.7 Lion; Mac OS X v10.6 Snow Leopard. Minimum system requirements. Windows: Microsoft Internet Explorer 8.0 or later; Windows-compatible computer with Pentium processor or equivalent; compatible operating system and minimum RAM: 512MB; 600 MB free hard disk space; native Microsoft TCP/IP communication protocol; native Microsoft PPP dialer for dial-up connections; Ethernet NIC for network connections; wireless adapter for wireless network connections; Adobe Acrobat Reader or another PDF reader for user manual; MSI installer 3.0 or later. Mac OS X: Fortin
11. IPsec VPN and SSL VPN. FortiClient Remote Access (VPN): FortiClient v5.0 supports both IPsec and SSL VPN connections to your network for remote access. This section describes how to configure remote access. Add a new connection: Select Configure VPN on the FortiClient dashboard to add a new VPN configuration. [Figure 56: Configure a new VPN connection] Create a new SSL VPN connection: To create a new SSL VPN connection, select Configure VPN or use the drop-down menu on the dashboard. On this menu you can configure options outlined in the following figure and table. [Figure 57: SSL VPN configuration options] Connection Name: Enter a name for the connection. Type: Select SSL VPN. Description: Enter a description for the connection (optional).
12. 4. To enable FortiClient FSSO services on the interface, select System > Network > Interface, select Edit to edit the network interface, and select FortiClient FSSO to enable. [Figure 73: Enable services] To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator v2.0 Administration Guide at http://docs.fortinet.com. For information on purchasing a FortiClient license for FortiAuthent
13. Logging: To configure logging, select File on the toolbar and Settings on the drop-down menu. Select Logging to view the drop-down menu. On this menu you can configure logging for the following features: VPN; Antivirus; Update; Application Firewall; Parental Control; Vulnerability Scan. You can specify the logging level and select to export logs or clear logs. [Figure 66: Logging options] Logging levels: Emergency: The system becomes unstable. Alert: Immediate action is required. Critical: Functionality is affected. Error: An error condition exists and functionality could be affected. Warning: Functionality could be affected. Notice: Information about normal events. Information: General information about system operations. Debug: Debug FortiClient. Updates: To configure updates, select File on the toolbar and Settings on the drop-down menu. Select System to view the drop-down menu. On this menu you can configure the behavior of FortiClient when a new software version is available on the FortiGuard Distribution Servers (FDS). [Figure 67: Update options]
14. This Endpoint Profile will permit traffic through the FortiGate. A system tray bubble message will be displayed once update is complete. [Figure 31: Configuration update notification message, reading "Configuration update was received from FortiGate"] The FortiClient console will display that it is successfully registered to the FortiGate. The Endpoint Profile is installed on FortiClient. [Figure 32: Registered FortiClient console] Deploy the Endpoint Profile to clients over VPN: You can deploy the Endpoint Profile to clients over a VPN connection. 1. On the FortiGate dashboard, select File > Settings. Under Registration, select Specify FortiGate address and enter the IP address, and port number if required, of the FortiGate's internal interface. [Figure 33: Preferred FortiGate address]
15. some files after the tunnel is connected lt on connect lt script lt os gt windows lt os gt lt script lt script lt CDATA net use x 192 168 10 3 ftpshare f usersHoney Boo Boo md c test COPY SI PDP GIVES l1 gt lt Script gt EE lt script gt lt on connect gt Delete a network drive after tunnel is disconnected The script will delete the network drive after the tunnel is disconnected lt on disconn ct gt lt script lt os gt windows lt os gt seri gt lt script gt lt 1 CDATA net use x DELETE ES lt script gt Script gt lt script gt lt on disconnect gt VPN tunnel amp script Mac OS X Map a network drive after tunnel connection The script will map a network drive and copy some files after the tunnel is connected son Connect lt soripi gt lt os gt mac lt os gt lt script bin mkdir Volumes installers sbin ping c 4 192 168 1147 gt Users admin Desktop dropbox p txt sbin mount t smbfs kimberly RigUpTown ssldemo fortinet com installer Fortinet Technologies Inc Page 57 FortiClient v5 0 Administration Guide s Volumes installers gt Users admin Desktop dropbox m txt bin mkdir Users admin Desktop dropbox dir bin cp Volumes installers log Users admin Desktop dropbox dir lt Script gt lt Scripts lt on connecl gt Delete a network drive after tunnel is disconnected The script will delete the network drive
16. Scan Now: To perform on-demand antivirus scanning, select the Scan Now button on the FortiClient dashboard. Use the drop menu to select Custom Scan, Full Scan, or Quick Scan. The dashboard notes the date of the last scan above the button. Custom Scan runs the rootkit detection engine to detect and remove rootkits. Custom Scan allows you to select a specific file/folder on your local hard disk drive (HDD) to scan for threats. Full Scan runs the rootkit detection engine to detect and remove rootkits. Full Scan then performs a full system scan, including all files, executables, DLLs, and drivers, for threats. Quick System Scan runs the rootkit detection engine to detect and remove rootkits. Quick System Scan only scans executable files, DLLs, and drivers that are currently running for threats. [Figure 41: Antivirus scan options]
17. FortiClient v5.0 Administration Guide. January 09, 2013. 04-501-183401-20130109. Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments, and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Technical Documentation: docs.fortinet.com. Knowledge Base: kb.fortinet.com. Customer Service & Supp
18. Step 3: Select the destination folder for the installation. [Figure 10: Destination Select screen] Step 4: Select Install to perform a standard installation on this computer. You can change the install location from this screen. [Figure 11: Installation Type screen] Step 5: Depending on your system, you may be prompted to enter your system password. [Figure 12: Enter system password to continue]
20. To view the current FortiClient version, engine, and signature information, select Help on the toolbar and About on the drop-down menu. [Figure 43: About FortiClient page] Schedule Antivirus scanning: To schedule antivirus scanning, select Weekly Scan on the content pane. On this menu you can configure options outlined in the following figure and table. [Figure 44: Antivirus scheduling] Schedule Type: Select Daily, Weekly, or Monthly on the drop-down menu. Scan On: For Weekly scheduled scan, select the day of the week on the drop-down menu. For Monthly scheduled scan, select the day of the month on the drop-down menu. Start: Select the start time on the drop-down menus. The time format is represented
21. After the FortiGate configuration has been completed, you can proceed with FortiClient configuration. Configure your Windows PC on the corporate network with the default gateway set to the IP of the FortiGate. FortiClient Endpoint network topologies: The following FortiClient Endpoint Profile topologies are supported. Client is directly connected to FortiGate, either to a physical port/switch port or WiFi SSID: this topology supports client registration, configuration sync, and endpoint profile enforcement. Client is connected to FortiGate but is behind a router or NAT device: this topology supports client registration and configuration sync. Client is connected to FortiGate across a VPN connection: this topology supports client registration, configuration sync, and endpoint profile enforcement. [Figure 24: Network topologies] To configure FortiClient for Endpoint Management, follow the steps listed below.
22. Contents (legible entries): Priority based SSL VPN connections; For SSL VPN all FortiGates must use the same TCP port; Enabling VPN autoconnect; Enabling VPN always up; VPN tunnel & script (Windows); Map a network drive after tunnel connection; Delete a network drive after tunnel is disconnected; VPN tunnel & script (Mac OS X); Map a network drive after tunnel connection; Delete a network drive after tunnel is disconnected; View Vulnerabilities; Vulnerability scan logging; Backup or restore full configuration; Certificate Management; Single Sign-On Mobility Agent; FortiClient/FortiAuthenticator Protocol; Connect to a VPN.
23. VPN supports priority-based configurations for redundancy. <forticlient_configuration><vpn><sslvpn><options><enabled>1</enabled></options><connections><connection><name>ssl_90_1</name><server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server></connection></connections></sslvpn></vpn></forticlient_configuration> This is a balanced but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted. For SSL VPN, all FortiGates must use the same TCP port. Enabling VPN autoconnect: VPN auto-connect uses the following XML tag: <autoconnect_tunnel>ipsecdemo.fortinet.com</autoconnect_tunnel> Inside <vpn><options>. Save password is also needed because it is autoconnect: <save_password>1</save_password> Enabling VPN always up: VPN always up uses the following XML tag: <keep_running>1</keep_running> Inside <vpn><connection>. Advanced features (Mac OS X). Create a redundant IPsec VPN: To use VPN resiliency/redundancy, you will configure a list of FortiGate IP/FQDN servers instead of just one. <forticlien
24. Scan a file or folder: To perform a virus scan on a specific file or folder, right-click the file or folder and select Scan with FortiClient AntiVirus. [Figure 42: Scan a specific file or folder] Update Now: To perform an on-demand update of FortiClient version, engines, and signatures, select the Update Now button on the content pane. The content pane notes the date of the last update above the button.
25. Provisioning FortiClient. FortiClient MSI configuration tool: The FortiClient Configurator tool is the recommended method of creating a customized installation of FortiClient. This document was written for FortiClient v5.0 Patch Release 1 for Windows. Not all features described in this document are supported for FortiClient v5.0 Patch Release 1 for Mac OS X. Usage: FortiClientConfigurator.exe m <path to FortiClient .msi file> [optional switches]. Switches and switch parameters are case sensitive. m <path to FortiClient .msi file>: Required. REGISTRATIONKEY <key>: Use to prevent users from changing FortiClient settings. FCOCITIP <ip:port or fqdn:port>: FortiClient will attempt to register to this FortiGate. If it cannot, it will try to register to the default gateway. Example usage: FortiClientConfigurator.exe m c:\downloads\forticlient.msi REGISTRATIONKEY sercretpassword. The command above creates the following directories containing files ready for deployment: c:\downloads\FortiClient packag
26. after the tunnel is disconnected: <on_disconnect> <script> <os>mac</os> <script> /sbin/umount /Volumes/installers /bin/rm -fr /Users/admin/Desktop/dropbox </script> </script> </on_disconnect> For more information, see the FortiClient v5.0 XML Reference at the Fortinet Technical Documentation site, http://docs.fortinet.com. Vulnerability Scan. FortiClient v5.0 includes a Vulnerability Scan module to check your personal computer for known system vulnerabilities. This section describes how to enable Vulnerability Scan and its configuration options. Scan Now: To perform a vulnerability scan, select the Scan Now button on the FortiClient dashboard. FortiClient will scan your personal computer for known vulnerabilities. The dashboard notes the date of the last scan above the button. [Figure 61: Vulnerability scan in progress] Update Now: Select the Update Now button on the FortiCli
27. 6. The installation was successful. Select Close to exit the installer. [Figure 13: The installation was successful] FortiClient has been saved to the Applications folder. [Figure 14: Applications folder] Double-click the FortiClient icon to launch the application. The application console loads to your desktop. Select the lock icon on the bottom left of the dashboard to make changes to the FortiClient configuration. [Figure 15: Default FortiClient dashboard is locked]
28. and select New Distribution Points from the contextual menu. A Wizard will open. Select your SCCM server from the list of available servers and select Next. You will then see a summary and the Wizard will complete. You will now need to update the distribution point that was just created with the advertisement package. Right-click Distribution Points and now select Update Distribution Points from the contextual menu. A pop-up window will appear. Confirm the update by selecting Yes. Using Microsoft SCCM 2007 to Remove FortiClient: Open the Configuration Manager Console: System Center Configuration Manager > Site Database > Computer Management > Software Distribution > Package > Advertisement. Select the FortiClient package you wish to uninstall, then select Per system uninstall. Ensure you select the correct boundary collection. Specify when the advertisement will broadcast to the members of the target collection. Complete the Wizard. Ensure you delete the initial Installation Advertisement you used to install FortiClient, to prevent SCCM from reinstalling FortiClient. Endpoint Management. Introduction: The purpose of this section is to provide basic instructions on how to configure, deploy and manage FortiClient configurations from FortiGate. Endpoint Management requires FortiClient v5.0.0 GA or later and a FortiGate, FortiGate FortiWiF
29. Add a Captive Portal authentication rule for all non-compliant Windows PC clients. This rule will redirect all Windows clients, via a web browser, to a dedicated portal where they can download the client. Once registered to the FortiGate, the Endpoint Profile will be assigned. [Figure 21: Captive portal authentication rule for Windows PC devices] (Optional) Add an Accept authentication rule to allow traffic from all other devices to pass without enforcing FortiClient Compliance. [Figure 22: Accept Authentication Rule for all other devices] Once these three authentication rules are configured, select OK to save the new policy setting. Your client configuration is ready for deployment. [Figure 23: Firewall policy configuration]
30. ay. VPN auto connect/always up: Support ability to automatically connect to a VPN tunnel without user interaction. Support ability to configure the VPN to always be connected. Vulnerability Scan: Identify system and application vulnerabilities. Installing FortiClient. Installing FortiClient on a Windows computer: The following instructions will guide you through the installation of FortiClient on a Windows computer. To install FortiClient: 1. Double-click the FortiClient executable file to launch the setup wizard. The Setup Wizard will install FortiClient on your computer. [Figure 1: Welcome screen] 2. Read the license agreement and select Next to continue. You have the option to print the EULA on this screen. [Figure 2: End User License Agreement]
31. Configure preferred FortiGate IP on FortiClient for registration: The FortiClient admin user can specify a preferred FortiGate IP address for registration and client configuration management. When an unregistered FortiClient starts up, it first looks for the preferred FortiGate. If the preferred FortiGate is not reachable, it will look to connect to the default gateway. If both the preferred FortiGate and default gateway are not reachable, FortiClient will listen for the broadcast message from FortiGate. To configure a preferred FortiGate IP address on FortiClient, go to File > Settings. Select Registration to expand the drop-down menu. Enter the IP address, and port number if required, of the FortiGate's internal interface. [Figure 38: Configure preferred FortiGate on FortiClient] Enable FortiClient Endpoint Registration (optional): To enable FortiClient Endpoint Registration on For
32. dministration Guide. Change Log (Date: Change Description). 2012-11-02: Initial release. 2012-11-07: Updated scripts chapters. This document is now inclusive of both Windows and Mac OS X. It is important to note that not all features available for Windows are available for Mac OS X. 2012-11-15: Updated IPsec and SSL VPN chapter. 2012-11-22: Added note about FortiClient License for FortiAuthenticator. 2012-11-27: Updated script commands to match changes in the FortiClient v5.0 XML Reference. 2013-01-09: Updated for FortiClient v5.0 Patch Release 1. Removed XML chapter; see the FortiClient v5.0 XML Reference for more information. Removed FortiClient Tools chapter; see the FortiClient v5.0 Patch Release 1 Release Notes for more information. Introduction: FortiClient has been completely re-designed for v5.0. FortiClient provides a comprehensive network security solution for endpoints while improving your visibility and control. FortiClient allows you to manage the security of multiple endpoint devices from the FortiGate interface. This document provides an overview of FortiClient v5.0. This document was written for FortiClient v5.0 Patch Release 1 for Windows. Not all features described in this document are supported for FortiClient v5.0 Patch Release 1 for Mac OS X. Licensing: Licensing on the FortiGate is based on the number of registered clients. FortiGate 40C and higher models support ten (10) free managed FortiClient licenses
33. Optimization: e only if you have a FortiGate device and your FortiGate is configured for WAN Optimization. Maximum Disk Cache Size: Select to configure the maximum disk cache size. The default value is 512MB. Enable Single Sign-On mobility agent: Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature, you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device. Server address: Enter the FortiAuthenticator IP address. Customize port: Enter the port number. The default port is 8001. Pre-Shared Key: Enter the pre-shared key. The pre-shared key should match the key configured on the FortiAuthenticator. Disable configuration sync with FortiGate: Select to disable configuration synchronization with FortiGate. Disable proxy (troubleshooting only): Select to disable proxy when troubleshooting FortiClient. Default tab: Select the default tab to be displayed when opening FortiClient. Single Sign-On Mobility Agent: The FortiClient Single Sign-On Mobility Agent acts as a client that updates FortiAuthenticator with user logon and network information. FortiClient/FortiAuthenticator Protocol: The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator, which replies with an acknowledgement packet. FortiClient/FortiAuthenticator c
34. ect to clear all logs. You will be presented a confirmation window; select Yes to proceed. Antivirus options: To configure antivirus options, select File on the toolbar and Settings on the drop-down menu. Select AntiVirus Options to view the drop-down menu. On this menu you can configure the options outlined in the following figure and table. [Figure 49: Antivirus options] Grayware Options: Grayware is an umbrella term applied to a wide range of malicious applications, such as spyware, adware and key loggers, that are often secretly installed on a user's computer to track and/or report certain information back to an external source without the user's permission or knowledge. Adware: Select to enable adware detection and quarantine during the antivirus scan. Riskware: Select to enable riskware detection and quarantine during the antivirus scan. Alert when viruses are detected: Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. Pause background scanning on battery power: Select to pause background scanning when your personal computer is operating on battery power. Enable FortiGuard Analytics: Select to automatically send susp
35. ed ActiveDirectory, c:\downloads\FortiClient packaged ManualDistribution. FortiClient Configurator application: The FortiClientConfiguratorGUI tool is an application interface to the FortiClient repackaging command line tool. The wizard will guide you through the process of specifying settings to be applied to the FortiClient MSI file. [Figure 16: FortiClient Configuration application interface] Creating a custom MSI installation file: You can create a custom MSI installer file for your customized FortiClient application. 1. Determine the command line options you need for your customized FortiClient installer. 2. In the folder where you expanded the installer zip package, execute the following command line entry: FortiClientConfigurator.exe m <path to FortiClient .msi file> <optional switches>. A new subdirectory is created which contains the FortiClient MSI file. For more information on FortiClient XML configuration, see the FortiClient v5.0 XML Reference at the Fortinet Technical Documentation site, http://docs.fortinet.com. Deploy FortiClient using Microsoft Active Directory (AD) server: There are multi
36. 2. Select either Category or Application. For category, use the drop-down list to select a category. For application, type either the full name of the application or the first letter to search all applications starting with the selected letter. FortiClient Application Firewall can only block applications for which FortiGuard has an application signature. You can submit a request to add an application signature on the FortiGuard site. 3. Select the action to Block or Allow the category or application. 4. Select placement of the rule: At the top or At the bottom. 5. Select OK to save the setting. To edit a rule: 1. On the settings page, when you hover the mouse cursor on a rule, a hidden icon menu is available. 2. Select the edit icon to change the action of the rule. 3. Select the delete icon to remove the rule. 4. Select the move icon and drag and drop the rule to a new position on the list. 5. Select OK to save the setting and return to the FortiClient dashboard. Application Firewall logging: To configure Application Firewall logging, select File on the toolbar and Settings on the drop-down menu. Select Logging to view the drop-down menu. Select Application Firewall on the logging menu to enable logging for this module.
37. ements in FortiClient v5.0, including Patch Release 1. Antivirus and Antimalware: Protection against the latest virus and grayware (adware/riskware) threats. Client antivirus is free and auto updates every three hours. Application Firewall: Block, allow and monitor applications that send traffic to the network. Bring Your Own Device (BYOD). Diagnostic Tool. Enhancements to the FortiClient Console. Endpoint Management using FortiGate, including: Automatic endpoint registration and user initiated endpoint registration. Deploy VPN (IPsec/SSL) configuration. Enable/disable Antivirus real-time protection. Manage/deploy Web Filtering and Application Firewall configuration. Registration over IPsec VPN or SSL VPN. FortiGuard Analytics: Automatically send suspicious files to the FortiGuard Network for analysis. Localization Support. Parental Control/Web Filter: Block, allow, warn and monitor web traffic based on categories. Remember multiple FortiGates for Endpoint Control registrations. Remote Access (IPsec and SSL VPN): Secure Virtual Private Network (VPN) access to your network. Supports multiple gateways for a single tunnel. Rootkit detection and removal. Single Sign-On Mobility Agent support with FortiAuthenticator FSSO Collector Agent. Support automatic executing of a custom batch script via an IPsec VPN tunnel. Support multiple (maximum 10) gateway IP/FQDN in a single IPsec VPN configuration. Support XML configuration. VPN from system tr
38. ent dashboard to update the vulnerability signature. View Vulnerabilities: When the scan is complete, FortiClient will display the number of vulnerabilities found on the dashboard. Select the Found link to view a list of vulnerabilities detected on your system. [Figure 62: Vulnerabilities detected page]
39. VPN options: To configure VPN options, select File on the toolbar and Settings on the drop-down menu. Select VPN Options to view the drop-down menu. On this menu you can enable VPN before logon. [Figure 68: VPN options] Certificate Management: To configure VPN certificates, select File on the toolbar and Settings on the drop-down menu. Select Certificate Management to view the drop-down menu. On this menu you can configure IPsec VPN to use local certificates and import certificates to FortiClient. [Figure 69: Certificate options] Antivirus options: To configure antivirus options, select File on the toolbar and Settings on the drop-down menu. Select AntiVirus Options to view the drop-down menu. On this menu you can configure grayware options and the behavior of FortiClient when a virus is detected. [Figure 70: Antivirus options] Grayware Options: Grayware is an umbrella term applied to a wide range of maliciou
40. Intel processor. 256MB of RAM. 20MB of hard disk drive (HDD) space. TCP/IP communication protocol. Ethernet NIC for network connections. Wireless adapter for wireless network connections. Language support. Windows: FortiClient v5.0 Windows is localized for the following languages (columns: Graphical User Interface, Documentation): English (United States) ✓ ✓; French ✓; German ✓; Portuguese (Brazil) ✓; Spanish (Spain) ✓; Chinese (Simplified) ✓; Chinese (Traditional) ✓; Japanese ✓; Korean ✓. Mac OS X: FortiClient v5.0 Mac OS X is localized for the following languages (columns: Graphical User Interface, Documentation): English (United States) ✓ ✓; French ✓; German ✓; Portuguese (Brazil) ✓; Spanish (Spain) ✓; Chinese (Simplified) ✓; Chinese (Traditional) ✓; Japanese ✓; Korean ✓. Please review the FortiClient v5.0 Patch Release 1 Windows Release Notes or the FortiClient v5.0 Patch Release 1 Mac OS X Release Notes prior to upgrading. Release Notes are available at the Customer Service & Support site. What's New in FortiClient v5.0. Summary of enhancements: This document was written for FortiClient v5.0 Patch Release 1 for Windows. Not all features described in this document are supported for FortiClient v5.0 Patch Release 1 for Mac OS X. The following is a list of enhanc
41. for the configuration changes made to FortiClient to take effect. Select Yes to restart your system now, or select No to manually restart later. [Figure 6: System Restart Confirmation] 7. To launch FortiClient, double-click the desktop shortcut icon. [Figure 7: Select the FortiClient shortcut to launch FortiClient] Installing FortiClient on a Mac OS X computer: The following instructions will guide you through the installation of FortiClient on a Mac OS X computer. To install FortiClient: 1. Double-click the FortiClient .dmg installer file to launch the FortiClient installer. The FortiClient Installer will install FortiClient on your computer. Select Continue. [Figure 8: Welcome screen]
42. for your patience. Step 2: FortiClient registration. After FortiClient completes installation, FortiClient will automatically launch and search for a FortiGate device for registration. There are three ways that the FortiClient/FortiGate communication is initiated: 1. FortiClient connects to the preferred IP address, if provided. 2. If 1 fails, FortiClient will attempt to connect to the default gateway IP address. 3. If 2 fails, FortiClient will listen for FortiGate broadcast messages. Your personal computer's default gateway IP should be configured to be the IP set on the FortiGate interface. Figure 26 shows an example broadcast message sent by the FortiGate and received by FortiClient. Select Accept to register with this FortiGate device. Upon registration, the FortiGate will send the Endpoint Profile to FortiClient. [Figure 26: FortiGate broadcast message] Figure 27 shows the behavior of FortiClient on initial setup. FortiClient will search for available FortiGate devices to complete registration. Select the FortiGate icon on the FortiClient dashboard to retry the search. [Figure 27: FortiClient will search for an available FortiGate]
43. Vulnerability Name: The name of the vulnerability. Severity: The severity level assigned to the vulnerability: Critical, High, Medium, Low, Info. Details: FortiClient vulnerability scan lists a Bugtraq (BID) number under the details column. You can select the BID to view details of the vulnerability on the FortiGuard site, or search the web using this BID number. Time: The date and time that the vulnerability was detected. Close: Close the window and return to the FortiClient dashboard. Clear: Clear the Vulnerability Scan results. Select the Details ID number from the list to view information on the selected vulnerability on the FortiGuard site. The site details the release date, severity, impact, description, affected products, and recommended actions. F
44. gory or application. This section describes how to enable the application firewall settings. Enable/Disable Application Firewall: To enable or disable FortiClient Real-time Protection, select the Enable/Disable button on the FortiClient dashboard. [Figure 53: Application Firewall module] View Applications blocked: To view blocked applications, select Applications Blocked on the FortiClient dashboard. This page lists all applications blocked in the past seven days, including the count and time of last occurrence. Application Firewall rules: To view Application Firewall rules, select the Settings button on the FortiClient dashboard. [Figure 54: Application Firewall rules] To add a new rule: 1. Select the Add Rule button. [Figure 55: Add rule window]
45. i, FortiGate VM running FortiOS v5.0.0 GA or later, and FortiCarrier devices running FortiOS Carrier v5.0.0 GA or later. Endpoint Management is available on the FortiGate 40C and higher devices. Configure Endpoint Management: In FortiOS v5.0, configuration and management of FortiClient endpoint agents can now be handled by the FortiGate. You can configure your FortiGate device to discover new devices on your network, enforce FortiClient registration, and deploy a pre-configured endpoint profile to connected devices. The endpoint profile can be deployed to devices on your network and over a VPN connection. To configure Endpoint Management on the FortiGate, follow the steps listed below. Step 1: Enable Device Management and Broadcast Discovery Messages. To configure Device Management, go to System > Network > Interface, select the interface and select Edit on the toolbar. On the Edit Interface page you can select to enable Detect and Identify Devices. To enable Broadcast Discovery Messages (optional), you must first enable FCT Access under Administrative Access. Select Apply to save the setting. Broadcast Discovery Messages is an optional configuration. When enabled, the FortiGate will broadcast messages to your network, allowing client connections to discover the FortiGate for FortiClient registration. Without this feature enabled, the user will enter the IP address or URL of the FortiGate to complete registration. Figure
46. icator, please contact your authorized Fortinet reseller. Configuration lock: To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked, configuration changes are restricted and FortiClient cannot be shut down or uninstalled. [Figure 74: Configuration lock] When the configuration is locked you can perform the following actions. Antivirus: Complete an antivirus scan, view threats found, and view logs. Select Update Now to update signatures. Parental Control: View violations. Application Firewall: View applications blocked. Remote Access: Configure, edit, or delete an IPsec VPN or SSL VPN connection. Connect to a VPN connection. Vulnerability Scan: Complete a vulnerability scan of the system. View vulnerabilities found. Register and unregister FortiClient for Endpoint Control. Settings: Export FortiClient logs. Backup the FortiClient configuration. To perform configuration changes or to shut down FortiClient, select the lock icon and enter the password used to lock the configuration. FortiTray: When FortiClient is running o
47. icious files to the FortiGuard Network for analysis. Parental Control/Web Filtering. FortiClient Parental Control/Web Filtering: Parental Control/Web Filtering allows you to block, allow, warn, and monitor web traffic based on URL category. URL categorization is handled by the FortiGuard Network. When FortiClient is registered to a FortiGate, the Parental Control module will reflect Web Filtering. You can disable Web Filtering on the FortiClient from the FortiGate. If the FortiClient device is behind a FortiGate, the client device will use the Web Filter profile on the FortiGate. Enable/Disable Parental Control/Web Filtering: To enable or disable FortiClient Parental Control/Web Filtering, toggle the Enable/Disable button on the FortiClient dashboard. Parental Control is enabled by default. [Figure 50: Parental Control module] Enable Disab
48. igure 63: FortiGuard site details. Vulnerability Scan logging: To configure Vulnerability Scan logging, select File on the toolbar and Settings on the drop-down menu. Select Logging to view the drop-down menu. Select Vulnerability Scan on the logging menu to enable logging for this module. Settings. Backup or restore full configuration: To backup or restore the full configuration file, select File on the toolbar and Settings on the drop-down menu. Select System to view the drop-down menu. On this menu you can perform a backup or restore a full configuration file. [Figure 64: Backup and restore options] When performing a backup, you can select the file destination and save the file in an unencrypted or encrypted format. [Figure 65: Backup file options]
49. iltering settings
View profile violations
Application Firewall
FortiClient Application Firewall
Enable/Disable Application Firewall
View Applications blocked
Application Firewall rules
Application Firewall logging
IPsec VPN and SSL VPN
FortiClient Remote Access VPN
Add a new connection
Create a new SSL VPN connection
Create a new IPsec VPN connection
Connect to a VPN
Advanced features (Windows)
Connect VPN before logon (AD environments)
Create a redundant IPsec VPN
Priority based SSL VPN connections
Enabling VPN autoconnect
Enabling VPN always up
Advanced features (Mac OS X)
Create a redundant IPsec
50. in hours and minutes (24-hour clock).

Select the scan type:
Custom Scan runs the rootkit detection engine to detect and remove rootkits. Custom Scan allows you to select a specific file/folder on your local hard disk drive (HDD) to scan for threats.
Full Scan runs the rootkit detection engine to detect and remove rootkits. Full Scan then performs a full system scan including all files, executables, DLLs, and drivers for threats.
Quick System Scan runs the rootkit detection engine to detect and remove rootkits. Quick System Scan only scans executable files, DLLs, and drivers that are currently running for threats.

View quarantined threats

To view quarantined threats, select Threats Quarantined on the FortiClient dashboard. On this page you can view, restore, or delete the quarantined file. You can also submit the file to FortiGuard.

Figure 45: Threats quarantined page

File Name Date Quara
51. le: Toggle to enable or disable Parental Control.
Settings: Select to configure Parental Control profile.

Parental Control/Web Filtering settings

You can configure a profile to allow, block, warn, or monitor web traffic based on category under Profile. Use the right-click menu to set the action for the full category or sub-category. You can add websites to the exclusion list and set the permission to allow or block. If the website is part of a blocked category, an allow permission on the Exclusion List would allow the user to access the specific URL.

Figure 51: Profile and exclusion list

View profile violations

To view profile violations, select Violations (In the Last 7 Days) on the FortiClient dashboard.

Figure 52: Traffic violations

Application Firewall

FortiClient Application Firewall

FortiClient v5.0 can recognize the traffic generated by a large number of applications. You can create rules to block or allow this traffic per cate
52. lete an existing VPN connection using the drop-down menu.

When connected, the dashboard will display the connection status, duration, and other relevant information. You can now browse your remote network. Select the Disconnect button when you are ready to terminate the VPN session.

Figure 60: SSL VPN connection established

Status: The status of the VPN connection.
Duration: The duration of the VPN connection.
Bytes Received: Bytes received through the VPN connection.
Bytes Sent: Bytes sent through the VPN connection.

Advanced features (Windows)

Connect VPN before logon (AD environments)

The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then logon to AD/Domain.

    <forticlient_configuration>
      <vpn>
        <options>
          <show_vpn_before_logon>1</show_vpn_before_logon>
          <use_windows_credentia
53. ls>1</use_windows_credentials>
        </options>
      </vpn>
    </forticlient_configuration>

Create a redundant IPsec VPN

To use VPN resiliency/redundancy, you will configure a list of FortiGate IP/FQDN servers, instead of just one:

    <forticlient_configuration>
      <vpn>
        <ipsecvpn>
          <options>
          </options>
          <connections>
            <connection>
              <name>psk_90_1</name>
              <type>manual</type>
              <ike_settings>
                <prompt_certificate>0</prompt_certificate>
                <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
                <redundantsortmethod>1</redundantsortmethod>
              </ike_settings>
            </connection>
          </connections>
        </ipsecvpn>
      </vpn>
    </forticlient_configuration>

This is a balanced but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate which responds the fastest.

RedundantSortMethod = 0
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate starting with the first on the list.

Priority based SSL VPN connections

SSL
54. n your system, you can select the FortiTray icon on the Windows system tray to perform various actions. The FortiTray icon is available in the system tray even when the FortiClient dashboard is closed.

• Default menu options
  • Open FortiClient console
  • Shutdown FortiClient
• Dynamic menu options, depending on configuration
  • Connect to a configured IPsec VPN or SSL VPN connection
  • Display the antivirus scan window (if a scheduled scan is currently running)
  • Display the Vulnerability scan window (if a vulnerability scan is running)

If you hover the mouse cursor over the FortiTray icon, you will receive various notifications including the version, AV signature, and AV engine.

Figure 75: System tray icon

When the configuration is locked, the option to shut down FortiClient from FortiTray is greyed out.

Connect to a VPN connection

To connect to a VPN connection from FortiTray, select the Windows System Tray and right-click on the FortiTray icon. Select the connection you wish to connect to, enter your username and password in the authentication window, and select OK to connect.

Figure 76: Authentication window
55. Step 3: Configure Firewall Policies
Step 1: Download and install FortiClient
Step 2: FortiClient registration
Step 3: FortiGate deploys the Endpoint Profile
Deploy the Endpoint Profile to clients over VPN
Remembered FortiGate
View FortiClient registration on the FortiGate Web-based Manager
Configure preferred FortiGate IP on FortiClient for registration
Enable FortiClient Endpoint Registration (optional)
Antivirus
FortiClient Antivirus
Enable/Disable Antivirus
Notifications
[illegible entries]
Schedule Antivirus scanning
View quarantined threats
Add files/folders to an exclusion list
Antivirus warning
Antivirus logging
[illegible entry]
Parental Control/Web Filtering
FortiClient Parental Control/Web Filtering
Enable/Disable Parental Control/Web Filtering
Parental Control Web F
56. nstallations. Select OK. The package will delete.

If you wish to expedite the uninstallation process on both the server and client computers, force a GPO update as shown in the previous section. The software will be uninstalled on the client computer's next reboot. You can also wait for the client computer to poll the domain controller for GPO changes and uninstall the software then.

Deploy using Microsoft System Center Configuration Manager 2007

If you would like to use Microsoft's System Center Configuration Manager (SCCM) to deploy FortiClient, use the following method.

These instructions assume you have already installed and configured SCCM. If you have not, please refer to Microsoft's online help sources for information on this task.

Step 1: Create Your Package

1. Startup your Configuration Manager Console GUI and expand the following: Computer Management > Software Distribution > Packages.
2. Right-click Packages and select New > Package from the contextual menu. A Wizard will open.
3. Fill in the package's properties as you desire in the General tab.
4. Under the Data Source tab, select the This package contains source files box, then select the Set button to specify the source of the SCCM package. SCCM will then ask you to specify the path to the installation executable. Select that path, then select OK.
5. Select the box adjacent t
57. nter a name for the connection.
Select IPsec VPN.
Enter a description for the connection (optional).
Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Select either X.509 Certificate or Pre-shared Key on the drop-down menu.
Select X.509 Certificate on the drop-down menu or enter the pre-shared key in the dialog box. See Certificate Management for information on configuring certificate options.
Select to prompt on login, save login, or disable.
If you selected save login, enter the username in the dialog box.

Connect to a VPN

To connect to a VPN, select the name of the VPN from the drop-down menu. Enter your username, password, and select the Connect button.

Figure 59: Connection options

You can also select to edit an existing VPN connection and de
58. ntined
File Name: The name of the file.
Date Quarantined: The date and time that the file was quarantined by FortiClient.
File Information: Select a file from the list to view detailed information including the quarantined location, status, virus name, and quarantined file name.
Logs: Select to view FortiClient log data.
Refresh: Select to refresh the list.
Submit: Select to submit the quarantined file to FortiGuard.
Restore: Select to add the selected file/folder to the exclusion list.
Delete: Select to delete the quarantined file.
Close: Select to close the page and return to the FortiClient dashboard.

Add files/folders to an exclusion list

To add files/folders to the antivirus exclusion list, select Exclusion List on the content pane. On the following configuration page, select the symbol to add files or folders to the list. Any files or folders on this exclusion list will not be scanned.

Figure 46: Antivirus Exclusion List

Antivirus warning

When FortiClient antivirus detects a virus while attempting to download a file via a web browser, you will receive a warning dialog message similar to Figure 47. Browse to the Threat Quarantine menu on the dashboard to view details on the detected threat.

Figure 47: Example virus warning message
59. o Update distribution points on a schedule, and then set the schedule to how often you wish.
6. Set your Data Access options if required.
7. Under the Distribution Settings tab, set your sending priority. High is recommended.
8. Under the Reporting tab, leave the settings as default.
9. Under the Security tab, set the rights for the package class and instance rights.
10. Review your package choices under the Summary tab, then select Next. The Wizard will complete.

Step 2: Create a Program for Your Package

1. Startup your Configuration Manager Console GUI and expand the following: Computer Management > Software Distribution > Packages. Select the newly created FortiClient package. Right-click that package and select New > Program from the contextual menu.
2. Under the General tab, fill in the appropriate details. For a silent install, ensure you use the ms switch under the command line options.
3. Under the Requirements tab, check the boxes next to the client platforms you wish to install to (Windows Vista, Windows XP, etc.).
4. Set your Environment variables. It is recommended to select that the program can run Whether or not a user is logged on.
5. You can leave the Advanced and Windows Installer tabs as default.
6. If you require a notification sent to Microsoft Operations Manager (MOM), select the appropriate options under the MOM Maintenance tab.
7. As with the previous step, review your Summary and then create your prog
60. ommunication requires the following:

• The IP address should be unique in the entire network.
• The FortiAuthenticator should be accessible from clients in all locations.
• The FortiAuthenticator should be accessible by all FortiGates.

FortiClient Single Sign-On Mobility Agent requires a FortiAuthenticator running v2.0.0 GA build 0006 or later. Enter the FortiAuthenticator Server (IP address), port number, and the pre-shared key configured on the FortiAuthenticator.

Enable Single Sign-On Mobility Agent on FortiClient

1. Select File on the toolbar and Settings on the drop-down menu.
2. Select Advanced to view the drop-down menu.
3. Select to Enable Single Sign-On mobility agent.
4. Enter the FortiAuthenticator server address and the pre-shared key.

Enable FortiClient SSO Mobility Agent Service on the FortiAuthenticator

1. Select SSO & Dynamic Policies > SSO > Options.
2. Select Enable FortiClient SSO Mobility Agent Service and a TCP port value for the listening port.
3. Select Enable authentication and enter a secret key value.

Figure 72: FortiAuthenticator configuration
61. ort support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: techdocs@fortinet.com

Table of Contents

[illegible entries]
Supported operating systems
[illegible entries]
Minimum system requirements
[illegible entries]
Language support
[illegible entries]
What's New in FortiClient v5.0
Summary of enhancements
Installing FortiClient
Installing FortiClient on a Windows Computer
Installing FortiClient on a Mac OS X Computer
Provisioning FortiClient
FortiClient MSI configuration tool
[illegible entries]
FortiClient Configurator application
Creating a custom MSI installation
Deploy FortiClient using Microsoft Active Directory (AD)
Deploy using Microsoft System Center Configuration Manager 2007
Endpoint Management
[illegible entry]
Configure Endpoint Management
Step 1: Enable Device Management and Broadcast Discovery Messages
Step 2: Configure the Client Endpoint Profile
62. ple ways to deploy FortiClient to endpoint devices using Microsoft Active Directory. The following instructions are based from Microsoft Windows Server 2008. If you are using a different version of Microsoft Server, your MMC or snap-in locations may be different.

Using Microsoft AD to Deploy FortiClient

On your Domain Controller, create a distribution point:

1. Log on to the server computer as an administrator.
Create a shared network folder where the FortiClient MSI installer file will be distributed from.
Set file permissions on the share to allow access to the distribution package.
Copy the FortiClient MSI installer package into this share folder.
Select Start > Administrative Tools > Active Directory Users and Computers.
After selecting your domain, right-click to select a new Organizational Unit (OU).
Move all the computers you wish to distribute the FortiClient software to into the newly created OU.
Select Start > Administrative Tools > Group Policy Management. The Group Policy Management MMC Snap-in will open.
Select the OU you just created. Right-click it. Select Create a GPO in this domain, and Link it here. Give the new GPO a name, then select OK.
Expand the Group Policy Object container and find the GPO you just created. Right-click the GPO and select Edit. The Group Policy Management Editor MMC Snap-in will open.
63. r_configuration>
      <vpn>
        <ipsecvpn>
          <options>
          </options>
          <connections>
            <connection>
              <name>psk_90_1</name>
              <type>manual</type>
              <ike_settings>
                <prompt_certificate>0</prompt_certificate>
                <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
                <redundantsortmethod>1</redundantsortmethod>
              </ike_settings>
            </connection>
          </connections>
        </ipsecvpn>
      </vpn>
    </forticlient_configuration>

This is a balanced but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate which responds the fastest.

RedundantSortMethod = 0
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate starting with the first on the list.

Priority based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

    <forticlient_configuration>
      <vpn>
        <sslvpn>
          <options>
            <enabled>1</enabled>
          </options>
          <connections>
            <connection>
              <name>ssl_90_1</name>
              <server>
64. ram.

Step 3: Advertising Your Package to Client PCs

1. Startup your Configuration Manager Console GUI and expand the following: Computer Management > Software Distribution > Advertisements. Right-click Advertisements and select New > Advertisement from the contextual menu.
2. When prompted about no distribution points, select Yes. We will update the distribution point later in the process.
3. Under the Schedule tab, set the date you wish the advertisement to commence and expire, if you desire. Set your priority level (recommended setting is High). Select on the yellow star to set the mandatory settings.
4. Under the Distribution Points tab, select Download content from distribution point and run locally for both settings.
5. Under the Interaction tab, you can use this to warn logged-in users that the program is going to run and provide a countdown timer until execution.
6. Under the Security tab, set the rights for the package class and instance rights.
7. Review your package choices under the Summary tab, then select Next. The Wizard will complete.

Step 4: Create and Update Your Distribution Point

1. Startup your Configuration Manager Console GUI and expand the following: Computer Management > Software Distribution > Packages. Expand the package you created and right-click Distribution Points. Right click Distribution Points
65. Antivirus logging

To configure antivirus logging, select File on the toolbar and Settings on the drop-down menu. Select Logging to view the drop-down menu. On this menu you can configure options outlined in the following figure and table.

Figure 48: Logging options

Logging
Enable logging for these features: Select antivirus to enable logging for this feature.
Log Level: Select the level of logging.
• Emergency: The system becomes unstable.
• Alert: Immediate action is required.
• Critical: Functionality is affected.
• Error: An error condition exists and functionality could be affected.
• Warning: Functionality could be affected.
• Notice: Information about normal events.
• Information: General information about system operations.
• Debug: Debug FortiClient.
Log file
Export logs: Select to export logs to your local hard disk drive (HDD) in log format.
Clear logs: Sel
66. s applications such as spyware, adware, and key loggers that are often secretly installed on a user's computer to track and/or report certain information back to an external source without the user's permission or knowledge.
Adware: Select to enable adware detection and quarantine during the antivirus scan.
Riskware: Select to enable riskware detection and quarantine during the antivirus scan.
Alert when viruses are detected: Select to display notification message window when a virus is detected.
Pause background scanning on battery power: Select to pause background scanning when on battery power.
Enable FortiGuard Analytics: Select to automatically send suspicious files to the FortiGuard Network for analysis.

Advanced options

To configure advanced options, select File on the toolbar and Settings on the drop-down menu. Select Advanced to view the drop-down menu. On this menu you can configure WAN Optimization, Single Sign-On, configuration sync with FortiGate, disable proxy, and the default tab when FortiClient is started.

Figure 71: Advanced options

Advanced
Enable WAN: Select to enable WAN Optimization. You should enabl
67. If FortiClient is unable to detect a FortiGate device, enter the IP address or URL of the device and select the Retry button, as illustrated in Figure 28.

Figure 28: Enter the FortiGate IP or URL

When FortiClient locates the FortiGate, you will be prompted to confirm the registration, as illustrated in Figure 29. Select the Confirm button to complete registration.

Figure 29: Registration confirmation window

Upon successful registration, the FortiGate will deploy the endpoint configuration.

Figure 30: Registration complete

Step 3: FortiGate deploys the Endpoint Profile

The FortiGate will deploy the Endpoint Profile after registration is complete
68. tiClient, go to System > Config > Advanced. Select Enable Registration Key for FortiClient, enter the Registration Key, and select Apply.

Figure 39: Enable FortiClient Endpoint Registration on FortiGate

The FortiClient user will need to enter the same registration key to successfully register FortiClient to the FortiGate.

Antivirus

FortiClient Antivirus

FortiClient v5.0 includes an Antivirus module to scan system files, executables, DLLs, and drivers. FortiClient will also scan for and remove rootkits. This section describes how to enable Antivirus and configuration options.

Enable/Disable Antivirus

To enable or disable FortiClient Real-time Protection, toggle the Enable/Disable option on the FortiClient dashboard.

Notifications

Select the bell icon on the FortiClient dashboard to view all notifications. When a virus has been detected, an exclamation icon will appear on the Antivirus tree menu tab. The bell icon will change from gray to yellow. Select View All to view all Antivirus event notifications.

Figure 40: Notifications window
69. y names may be trademarks of their respective owners. Copyright 2002-2011 Fortinet, Inc. All Rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.

3. Select Change to choose an alternate folder destination for installation. Select Next to continue.

Figure 3: Destination Folder selection

4. Select Install to continue.

Figure 4: Ready to install FortiClient

5. Select Finish to exit the FortiClient Setup Wizard.

Figure 5: Installation completed

6. On a new FortiClient installation, you do not need to reboot your system. When upgrading the FortiClient version, you must restart your system
