FortiClient Endpoint Security User Guide
Contents
1. Enter a description name e Server Address Enter the IP address of the server you need to access e Username Enter your user name e Password Enter the password associated with your user account Client Certificate Select a certification if required In the Global Settings area select the Keep connection alive until manually stopped check box to have the connection stay up until you log out Click OK Click Connect 30 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback VPN Monitoring VPN connections Connecting to a VPN before Windows logon You can connect to a VPN before you log onto Windows if you have selected the Start VPN before logging on to Windows option see Setting connection options on page 28 A FortiClient VPN icon is displayed on the Windows login screen Figure 17 VPN icon on Windows login screen No VPN Active VPN connection connection z You need to connect to the VPN before logging onto Windows only if the VPN provides the connection to your Windows domain In this case you should not disconnect from the VPN until you log off of the Windows domain To connect to a VPN from the Windows login screen 1 Click the VPN icon 2 Select the required VPN connection from the Connections list 3 Click Connect The FortiClient software opens a log window and begins to negotiate a VPN connection with the re2. 407 1 0 AntiSpyware Engine 1 0 6 Feature Free Edition Premium Edition Antivirus updates Daily using core signature database Hourly using extended signature database Anti spyware updates Daily Hourly IPSEC VPN client Included Included SSL VPN client Included Included Endpoint Application Detection Daily Daily and custom application submission Endpoint NAC monitoring and control Included requires FortiGate Included requires FortiGate WAN optimization Included requires FortiGate Included requires FortiGate centralized reporting with FortiAnalyzer Anti Spam Not included Included Web content filtering Included Included Firewall protection Included Included Central Management Not included Included requires FortiManager Online forum self help Included Included Product support Not included Included Log configuration and Not included Included Installation notes e Windows Vista SP1 Make sure that Windows is not installing updates while you install the FortiClient application If Windows Update has run and it requested a reboot be sure to reboot your computer before installing the FortiClient application FortiClient Endpoint Security Version 4 0 MR1 User Guide 8 04 40001 99166 20090622 http docs fortinet com Feedback Installation Install log Install log e Servers In the FortClient 4 0 release an
3. SoftThinks Microsoft Co Absolute So Adobe Syst Microsoft Co Dell Inc Fortinet Inc SingleClick Apache Soft Andrea Elec Sensible Visi Adobe Syst Adobe Syst Sim bdiernon Version 4 0 28 110 14 0 8064 0206 12 0 1 310ct08 2 0 0 65 4 0 28 110 6 0 6001 18000 7 0 1438 0 6 0 6001 18226 11 6 0 1 build 60 1 9 0 11 7 0 6001 16503 1 0 82 22 1 3 59 0 8 0 885 0 8 0 12 0 6504 5000 LLLI 4 0 2065 0 1 1 0 2 2 2 6 1 0 64 7 2 3 56 9 1 0 2009022700 9 1 0 2009022700 enana Path C Program Files x8 C Program Files x8 C Program Files Sy C Program Files x8 C Program Files x8 C Windows splwow C Program Files x8 C Windows system C Program Files x8 C Program Files x8 C Windows system C Windows sminst C Program Files x86 Microsoft Search E WindowsSysw T C Program Files x8 C Program Files x8 c Program Files x8 C Windows SysW C Program Files x8 C Program Files x8 C Program Files x8 C Windows System C Program Files x8 C Program Files x8 C Program Files x8 C ABronram Eilas fu n 76 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feed
4. e Check and restore compliance with the corporate security policy Lock or unlock the FortiClient application e View and configure logging Entering a license key The FortiClient application uses license keys or registration codes to distinguish between the Free edition and the Premium licensed edition The edition type Free or Premium will be displayed in the General gt Status window You will use a license key if you are already have an existing license key and are registered with FortiCare You will use a registration code if you are not registered with FortiCare When you purchase and enter a license key into the software antivirus updates are available until the license expires The General gt Status window displays the license serial number and expiry date If your FortiClient is managed by FortiManager then license keys can be pushed out to your FortiClient by your IT department Contact your authorized reseller or visit http www forticlient com to buy or renew a license key Note If you have a registration code it cannot be activated during installation You will need to enter the registration key in the FortiClient console FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 11 http docs fortinet com e Feedback Complying with corporate policy General Figure 3 Entering a license key from the General gt Status tab FortiClient Version 4 0 28 110 Free Edition FCT
5. gt Connections Click Advanced and select Add Enter the following information and click OK Connection Name Enter a descriptive name for the connection VPN Type Select Manual IPsec Remote Gateway Enter the IP address or the fully qualified domain name FQDN of the remote gateway Remote Network Enter the IP address and netmask of the network behind the FortiGate unit Authentication Method Select Pre shared Key Pre shared Key Enter the pre shared key To create a configuration based on an existing configuration NO oO fh WwW DN Go to VPN gt Connections Select the connection to use as the basis for this connection Click Advanced and select Clone Enter a name for the new connection and click OK Select the name of the clone in the VPN Connections list Click Advanced and select Edit Modify the settings of the new connection as needed To set the virtual IP address If your configuration requires a virtual IP address do the following 1 2 ao a kb amp 7 8 Go to VPN gt Connections Double click a connection The Edit Connection window opens Click Advanced In the Advanced Settings window select the Acquire Virtual IP Address check box Click Config In the Virtual IP Acquisition window do one of the following e Select Dynamic Host Configuration Protocol DHCP over IPSec e Select Manually Set and enter the IP address Subnet Mask DNS Server and WINS Server addresses as required For det
6. least secure DH group 5 is most secure You cannot select multiple DH Groups The remote FortiGate gateway must use the same DH Group settings Key Life Select either Seconds or KBytes for the keylife or select both The keylife causes the IPSec key to expire after a specified amount of time after a specified number of kbytes of data have been processed by the VPN tunnel or both If you select both the key does not expire until both the time has passed and the number of kbytes have been processed When the key expires a new key is generated without interrupting service P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 2147483648 kbytes FortiClient Endpoint Security Version 4 0 MR1 User Guide 24 04 40001 99166 20090622 http docs fortinet com e Feedback VPN Configuring VPNs Table 4 FortiClient advanced VPN settings Replay Detection With replay detection the FortiClient software checks the sequence number of every IPSec packet to see if it has been previously received If the same packets exceed a specified sequence range the FortiClient software discards them PFS Perfect forward secrecy PFS improves security by forcing a new Diffie Hellman exchange whenever keylife expires NAT Traversal Enable this option if you expect the IPSec VPN traffic to go through a gateway that performs NAT If no NAT device is detected enabling NAT traversal has no effect If you enable
7. 0 22 07 2009 2 37 05 PM No data engine upd 7 AntiSpyware Engine 1 0 22 07 2009 2 37 05 PM No data engine upd AntiSpam Engine 3 1 22 07 2009 2 37 05 PM No data engine upd AntiSpam Rules 1 869 22 07 2009 2 37 05 PM No data engine upd lt Update Schedule V Enable scheduled update Daily at 14 37 When a new version of FortiClient is available Download and install the new version without notification Download the new version and notify me before installing Notify me before downloading or installing the new version Update Status No data engine update is available 2 Click Update Now In the Update Status area you can view the update process and results A status of No data engine update is available means that your antivirus definitions and antivirus engine are using the latest version To schedule updates 1 Inthe Update Schedule area select Enable scheduled update 2 Doone of the following Select Daily and enter the time of day Select Every and select the interval 1 to 24 hours 3 Click Apply for which updates occur The Free edition can only be updated once a day If you want to Caution If you are running the Free edition of FortiClient you can only set the time of day y be able to have hourly updates you will need to purchase the Premium edition server select the Use this server to update option at the top of the update page and enter the URL of the update server You do not need
8. 12 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback General Locking and unlocking the software The Corporate Policy Compliance section shows FortiClient is compliant with corporate policy or it shows the Make FortiClient compliant with corporate policy check box Select the check box to bring FortiClient settings into compliance with the policy For more information see the Endpoint Network Access Control chapter in the Administrator s Guide Locking and unlocking the software You can modify FortiClient software settings only if your Windows account has administrative privileges You can prevent other administrative users from modifying the settings by locking FortiClient with a password If your FortiClient software is remotely managed using the FortiManager System the FortiManager administrator can lock your configuration settings If your FortiClient application is locked the General Settings page shows an Unlock button To lock the FortiClient application locally 1 Goto General gt Status and click Lock Settings 2 Inthe Input Password window enter the password in the Password field and re enter it in the Confirm field 3 Select OK To unlock the FortiClient application locally 1 Obtain the password from your administrator 2 Goto General gt Status and click Unlock 3 Enter the password in the Password field 4 Optionally select Remove
9. 8002860874231 VPN No active connection Antivirus Enable real time protection Enable startup list monitoring Virus Signatures Version 10 420 AntiVirus Engine 405 Spyware Signatures Version 1 0 AntiSpyware Engine 1 0 Last scan July 23 09 12 35 33 PM Update Automatic update scheduled at 14 37 every day Last successful update July 22 09 2 37 05 PM Show FortiClient console when logon into Windows Enter License Key Lock Settings Copyright 2003 2009 Fortinet Inc www fortinet com To enter a license key 1 2 3 Go to General gt Status and click Enter License Key In the FortiClient Activation Wizard Welcome screen click OK Enter your valid license key or registration code and click OK If you entered a registration code the Online Activation screen appears Once the wizard has successfully activated FortiClient click Finish If you used a registration code you can now register your product by clicking on the Fortinet link Figure 4 License window License Please input your license key Cancel _ Complying with corporate policy If FortiClient is centrally managed a security policy can be set that requires antivirus anti spam firewall or web filtering features to be enabled The Corporate Policy Compliance section of the General page is visible if this is the case If FortiClient is not in compliance with the security policy it cannot operate a VPN tunnel
10. Microsoft TCP IP communications protocol e Native Microsoft PPP dialer for dial up connections e an Ethernet connection Z Note The FortiClient software installs a virtual network adapter Note While Windows Server is supported Fortinet does not recommend installing FortiClient onto Domain Controllers FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback Language Support Installation Supported FortiGate models and FortiOS versions The FortiClient VPN feature is compatible with all FortiGate models running FortiOS version 2 36 and later Language Support The FortiClient Endpoint Security user interface and documentation is localized for e English e French e Simplified Chinese The FortiClient installation software detects the language of the operating system and installs the matching language version of the application If a language other than one of the above is detected the English language version of the software is installed Installing FortiClient Before beginning the installation ensure you uninstall any other VPN client software such as SSH Sentinel FortiClient may not function properly with other VPN clients installed on the same computer If you have an older version of FortiClient software installed on your computer the Windows executable version of the installer automatically upgrades your FortiClient installation to the new versio
11. Outlook Express to collect spam automatically Caution The Anti Spam feature is not available if you are using the Free edition If you want to use anti spam you will need to upgrade to the Premium edition Note On Microsoft Windows Vista anti spam works in Microsoft Outlook but not in Windows Mail You can do the following e Installing anti spam plug in e Enabling anti spam e Adding white black and banned word lists e Manually labelling email e Submitting misclassified email to Fortinet Figure 31 AntiSpam General C Submit mis rated Email automatically C Dor t prompt user to submit mis rated Email White black list Banned word list Status Email address Sensitive word Add Add FortiClient AntiSpam supports Outlook Express Outlook 2000 and newer versions You can use regular expression in white black list and banned words Apply FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 71 http docs fortinet com e Feedback Installing anti spam plug in Anti spam Figure 32 Anti spam plug in on Outlook Eile Edit view Favorites Tools Actions Help Anew amp DS X Gepenly Poreply to all GE Forward Zj Send Receive Ro Find Z_Oraanize 07 Ez Smee elel BF e KKK KDDEKDDDD From J 7 Received T G Yong Sun Tue 3 14 2006 6 03 AM Roman Jarg Teci Tue 3 14 2006 4 39 AM Joe Yu FortiClient RTM 5 00PM PST T Tue 3 14 2006 1 44 AM RealP
12. Password to permanently unlock the application This is not available if FortiManager has locked the FortiClient application Select OK 6 When you have finished modifying settings select Relock a Note Even if your FortiClient software is locked you can perform antivirus scans use VPN tunnels change VPN certificates and change CRLs Configuring proxy server settings If you use a proxy server for your LAN you can specify the proxy server settings so that the FortiClient software can go through the proxy server to get antivirus signature updates to submit viruses and to obtain certificates online using simple certificate enrollment protocol SCEP FortiClient software supports HTTP SOCKS v4 and SOCKS v5 proxy protocols To configure proxy server settings 1 Goto General gt Connection FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 13 http docs fortinet com e Feedback Updating FortiClient General Figure 5 General gt Connection settings Proxy Enable proxy for Update Virus submission Online SCEP Select Enable proxy for Updates Virus submission and Online SCEP as needed 3 For Proxy Type select HTTP SOCKS V4 or SOCKS V5 Enter the proxy server s IP Address and Port number You can get this information from your network administrator 5 Enter the User name and Password 6 Select Apply Updating FortiClient You can view the current antivirus definition
13. and save it in a directory on the FortiClient computer After exporting the certificate request you can submit it to the CA so that the CA can sign the certificate To send the certificate request toa CA 1 On the FortiClient computer open the local certificate request using a text editor 2 Connect to the CA web server 3 Follow the CA web server instructions to add a base64 encoded PKCS 10 certificate request to the CA web server e paste the certificate request to the CA web server submit the certificate request to the CA web server To retrieve the signed local certificate from the CA After you receive notification from the CA that it has signed the certificate request connect to the CA web server and download the signed local certificate to the FortiClient computer To import the signed local certificate 1 Goto VPN gt My Certificates 2 Click Import 3 Enter the path or browse to locate the signed local certificate on the FortiClient computer 4 Click OK The signed local certificate is displayed on the My Certificates list with the Type as Certificate The expiration date of the certificate is listed in the Valid To column To export the signed local certificate 1 Goto VPN gt My Certificates Select the certificate and click Export In the Save As window select the folder where you want to save the file Enter a file name Select either PKCS7 or PKCS12 If you select PKCS12 you must enter a password of at least
14. copy in quarantine area before cleaning Z Note If FortiClient cannot clean an infected file it quarantines the file automatically 48 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback Antivirus and Anti Malware Configuring email scanning 5 6 7 8 Select or clear the following two options Do not pop up alert message box in real time scan Do not pop up alert message box in registry monitor Optionally click Advanced Settings On the Advanced Settings window you can e enable scanning of compressed files You can also specify the largest compressed file that FortiClient will scan A size limit of 0 means no limit e enable grayware scanning and specify which types of grayware to look for e enable heuristic scanning FortiClient software uses heuristic techniques to scan files to find the unknown viruses and threats that have not yet been cataloged with signatures Heuristics looks at characteristics of a file such as size or architecture as well as behaviors of its code to determine the likelihood of an infection You can choose to deny access to files heuristics finds suspicious or to only display a warning enable scanning of files when written to or read from disk optionally including files on network drives Click OK Click Apply To enable real time protection 1 2 Go to General gt Status In the Antivirus section
15. email local certificate request 35 manually labelling 73 email address local certificate request 35 email scanning 49 encryption incoming VPN traffic 32 outgoing VPN traffic 32 endpoint profile 75 entering a license key 11 error configuration 33 eToken certificate 36 exclude selecting the file types to exclude 46 exclusion list adding a new file extension 46 exporting local certificate request 36 extended signature database 45 F file extension add to the file types or exclusion list 46 file types adding a new file extension 46 selecting the file types to scan or exclude 46 firewall policy 75 FortiClient updating 16 FortiClient Manager 41 48 55 FortiClient software manual update 14 15 FortiGate 16 41 48 55 75 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback 79 Index FortiGate gateway connect to 29 FortiGate models supported by FortiClient 6 FortiGate network connect to 29 FortiManager 16 Fortinet customer service 3 FortiOS versions supported by FortiClient 6 Free edition 7 11 14 15 17 45 71 72 G general 11 general settings 11 IKE and IPSec policies configuring 22 IKE proposals 24 import CA certificate 37 CRL 38 signed local certificate 36 install configuration 6 data 6 log 9 upgrade 6 installation 5 introduction 1 intrusion detection 61 IP address local cer
16. infected attachment is removed but the body of the message remains Exclude the Exchange Fortinet recommends that you enable this setting to avoid filesystem files from file impairing the operation of the Exchange server scanning Exclude all files that have Fortinet recommends that you enable this setting to avoid extensions associated impairing the operation of the Exchange server with Exchange Server In the SQL Server Options section select the following options as needed Exclude SQL Server Fortinet recommends that you enable this setting to avoid impairing filesystem files from file the operation of SQL server scanning Exclude all files that have Fortinet recommends that you enable this setting to avoid impairing extensions associated the operation of SQL server with SQL Server from virus scanning 50 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback Antivirus and Anti Malware Managing quarantined files 4 Select Apply Managing quarantined files Infected files are files that have been detected as being a virus or malware Infected files are quarantined if you select the Quarantine or Clean options in either AntiVirus gt Settings or AntiVirus gt Realtime Protection Unless you enable Save a copy in quarantine area before cleaning the Clean option quarantines only the files that it cannot clean Go to AntiVirus gt Quarantine to ma
17. is displayed on the CA Certificates list The expiration date of the certificate is listed in the Valid To column Validating certificates FortiClient can validate certificates using Online Certificate Status Protocol OCSP or Certificate Revocation Lists CRL A CRL is a list of CA certificate subscribers paired with digital certificate status The list contains the revoked certificates and the reason s for revocation It also records the certificate issue dates and the CAs that issued them The FortiClient software uses the CRL to ensure that the certificates belonging to the CA and the remote VPN peer are valid OCSP if available provides more up to date validation of certificates without maintaining CRLs in the FortiClient application To enable OCSP 1 Goto VPN gt CRL 2 Select Enable OCSP 3 In the Responder Host box enter your OCSP responder host name Your network administrator can provide this information 4 Inthe Port box enter your CA s OCSP port number The default is 80 5 Click Apply To retrieve the CRL 1 Connect to the CA web server 2 Follow the CA web server instructions to download the CRL To import the CRL 1 Goto VPN gt CRL 2 Click Import 3 Enter the path or browse to locate the CRL on the FortiClient computer 4 Click OK The CRL is displayed on the CRL list 38 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback WAN Opt
18. provides FortiClient Endpoint Security Version 4 0 MR1 User Guide 4 04 40001 99166 20090622 http docs fortinet com e Feedback Installation System requirements Installation There are two types of installation packages available for FortiClient software e a Windows executable file e a Microsoft Installer MSI package compressed into a zip file The Windows executable file provides easy installation on a single computer For details see Installing FortiClient on page 6 The MSI package is customizable for a larger roll out to many computers in an organization For more information see the FortiClient Administration Guide If you are installing the FortiClient application on a 64 bit platform you must use a 64 bit installer The 64 bit installer files have _x64 in their name System requirements To install FortiClient 4 0 you need acomputer compatible computer with Pentium processor or equivalent a compatible operating system and minimum RAM e Microsoft Windows 2000 128 MB e Microsoft Windows XP 32 bit and 64 bit 256 MB e Microsoft Windows Server 2003 32 bit and 64 bit 384 MB e Microsoft Windows Vista 512 MB e Microsoft Windows 7 512 MB e acompatible email application for the AntiSpam feature e Microsoft Outlook 2000 or later e Microsoft Outlook Express 2000 or later a compatible email application for the AntiLeak feature e Microsoft Outlook 2000 or later e 100 MB hard disk space e Native
19. range when the rule should be executed In the Add Time window specify a description time range and one or more days Time range is specified using a 24 hour clock Bind this rule to Select all adapters or a single ethernet adapter on your computer to apply this rule Z Note You can use any combination of the filtering criteria 4 Click Close 5 Click OK Managing address protocol and time groups To simplify management you can combine the source addresses destination address protocols and time schedules into groups and use the groups when creating rules To create a group Go to Firewall gt Applications Click Edit gt Advanced gt Groups Select Address Group Protocol Group or Time Group Click Add Enter a name and description Click Add Do one of the following N Oo fh WO DY e For an address group enter the Subnet IP Range IP Address or FQDN fully qualified domain name e Fora protocol group specify the Protocol Destination Port and Source Port numbers e For atime group specify the day and time range 8 Click OK three times 9 Click Close 10 Click OK 58 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback Firewall Configuring network security zones Configuring network security zones FortiClient firewall protects your system by categorizing the network systems into three zones Go to Firewall gt Network t
20. select Enable real time protection imposes a four second wait for the Yes button to be available Z Note If you disable real time protection confirmation is required The confirmation dialog Configuring email scanning FortiClient software can scan incoming and outgoing email and email attachments for malware viruses FortiClient software can also use heuristic techniques to scan email attachments to find unknown viruses and threats that have not yet been cataloged with signatures Heuristics looks at the characteristics of a file such as size or architecture as well as the behavior of its code to determine the likelihood of an infection To scan email for viruses 1 2 Go to Antivirus gt Email In the Virus scanning section select SMTP for outgoing mail POP3 for incoming mail and MS Outlook if Outlook connects to a Microsoft Exchange server To prevent worms from spreading via email select Enable email worm detection Then select what to do when a malicious action is detected either Terminate the offending process or Prompt user to ask whether to terminate the process This is available only if you enabled SMTP virus scanning To apply heuristic scanning in the Heuristics scanning section select Enable email attachments heuristics scanning Then select what to do when a suspicious attachment is detected either Log warning message or Strip and quarantine FortiClient Endpoint Security Version 4 0 MR1 User Guide 0
21. the XAuth server They can be saved as part of an advanced VPN configuration or they can be entered manually every time a connection is attempted For information about how to configure the XAuth server see FortiGate Administration Guide and FortiGate IPSec VPN Guide Figure 13 Configuring eXtended authentication Extended Authentication XAuth Permit 3 w attempts Automatic login To configure XAuth 1 2 Go to VPN gt Connections Double click a connection The Edit Connection window opens Click Advanced In the Advanced Settings window click Config for the eXtended Authentication option 26 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback VPN Using the FortiClient VPN client 5 In the Extended Authentication window do one of the following If you want to enter the login user name and password for each VPN connection select Prompt to login You can choose whether FortiClient permits three two or only one attempt to enter the correct user name and password When FortiClient prompts you to log in you can select the password save option so that you do not have to enter the password the next time you are prompted to log in e If you want FortiClient to automatically send the XAuth credentials select Automatic login and enter the user name and password 6 Click OK three times Setting up a VPN with SSL VPN connect
22. the test is successful the last line of the log will read IKE daemon stopped FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 27 http docs fortinet com e Feedback Using the FortiClient VPN client VPN VPN policy first To test the VPN connection the FortiClient software attempts to K Note For a VPN with automatic configuration the FortiClient software downloads the negotiate the VPN connection but does not actually open a VPN connection If the last line of the log reads Next_time x sec where x isan integer the test was not successful The FortiClient software is continuing to try to negotiate the connection See Troubleshooting VPN connections on page 33 4 Click Close Figure 14 A successful connection test Test Connectivity sys_get_local_gwy called in remote gw 209 87 254 222 in Next hop 192 168 0 1 sys_get_local_gwy called in remote gw 209 87 254 222 in Next hop 192 168 0 1 Detect local gateway for peer 209 87 254 222 Next hop 192 168 0 1 Initializing sa OK Initiator sent 209 87 254 222 quick mode message 2 DONE expire st 2 timeout 120 Adding timer 3 expiry 120 data 5895160 Adding to bucket 1 at index 120 confirmed nat t draft3 confirmed nat t draft3 Next_time 120 sec In run_timer_list jiffies O0000000 skipped 0 tvecs 1 gt bits is 3 tvecs n gt index is 0 confirmed nat t draft3 IKE
23. to specify http or https as part of the URL J Note The default update server is forticlient fortinet com If you want to use a different check box and field is unavailable To use a different server you need to upgrade to the Caution If you are using the Free edition of FortiClient the Use this server to update y Premium edition To manually update the software and antivirus signatures 1 Download the FortiClient update package file pkg file to the FortiClient computer FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 15 http docs fortinet com Feedback Backing up and restoring FortiClient settings General 2 Goto General gt Update and click Manual Update 3 In the Open window locate the update package file and click Open manual updates If you want to perform manual updates you will need to upgrade to the Caution If you have the Free edition of FortiClient installed you will not be able to perform y Premium edition Keeping FortiClient updated without FortiGate or FortiClient Manager If you are running FortiClient and it is not connected to a FortiGate unit or managed through FortiClient Manager you can keep the version up to date in the Update tab If your FortiClient is managed by a FortiGate unit or FortiClient Manager this setting is not available To download the latest FortiClient version without a FortiGate or FortiClient Manager 1 Goto General gt Up
24. to the Inbox folder and forwarded to Fortinet When you update the FortiClient software the Outlook plug in will update its spam database so that when an email from the same sender address comes in it will not be sent to the Spam folder Submitting misclassified email to Fortinet You can configure the FortiClient program to automatically send misclassified email that is innocent email classified as spam or spam classified as innocent email to the Fortinet FortiGuard AntiSpam service to enhance the service s email scanning accuracy In this case you will not be prompted to submit misclassified email manually You can also just configure the FortiClient program to stop prompting users to submit misclassified email manually In this case no misclassified email will be sent to Fortinet For more information see Manually labelling email on page 73 To configure sending misclassified email to Fortinet 1 Goto AntiSpam gt Settings 2 Select the Submit mis rated Email automatically check box 3 Click Apply To stop prompting users to submit misclassified email manually 1 Goto AntiSpam gt Settings 2 Select the Don t prompt users to submit mis rated email check box 3 Click Apply 74 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback App Detection Viewing applications running on your computer App Detection App Detection works in conjunctio
25. 04 40001 99166 20090622 43 http docs fortinet com e Feedback Configuring antivirus settings Antivirus and Anti Malware 5 If you selected a Directory or Full System scan select the scan priority Low The operating system allocates less CPU time to scanning e Normal The operating system allocates a normal amount of CPU time to scanning High The operating system allocates more amount of CPU time to scanning The higher the priority the sooner the scan will complete You may notice a difference in system performance depending on the priority selected 6 Click OK 7 To modify a schedule select the schedule and then click Edit 8 To delete a schedule select the schedule then click Delete During scheduled antivirus scans the FortiClient Scan Progress window normally does not display unless a virus is found Optionally to view this window right click the FortiClient system tray icon and select Show antivirus scan window s Configuring antivirus settings You can specify what types of files to scan and what to do when malware or a virus is detected You can also specify an SMTP server to use when submitting a quarantined file to Fortinet for analysis For information on how to submit a quarantined file see Managing quarantined files on page 51 Malware virus detection is enabled by default Figure 22 Configuring antivirus settings File types to scar Al files Program files and
26. 08 2009 12 48 08 PM WebFilter status blocked service http hostname c blog Warning 05 08 2009 12 44 07 PM WebFilter status blocked service http hostname c blog Warning 05 08 2009 12 40 37 PM WebFilter status blocked service http hostname c blog Warning 05 08 2009 12 37 14 PM WebFilter status blocked service http hostname c blog Waring 05 08 2009 11 46 36 AM Firewall proto IP status accept src 172 16 78 11 ethe Warming 05 08 2009 11 46 34 AM Firewall proto UDP service Iimnr status deny stc 172 Warming 05 08 2009 11 46 31 AM Firewall proto UDP service limnr status deny stc 172 To manage the log messages 1 Goto General gt Log View 2 From the dropdown list select the log entry type you want to view 3 Use the log navigation buttons to move between log entries or to move to the top or bottom of the log file The most recent log entries are displayed at the top of the list Optionally select a specific log entry from the log window to view the complete log entry information 4 To save the log messages click Export 5 To delete all the log messages click Clear All 6 To display the most recent log messages click Refresh FortiClient Endpoint Security Version 4 0 MR1 User Guide 18 04 40001 99166 20090622 http docs fortinet com Feedback VPN Configuring VPNs VPN FortiClient Endpoint Security can establish a VPN tunnel between your computer and a FortiGate unit or other VPN gateway With the aid of this manual you need on
27. 090622 http docs fortinet com Feedback Index policy corporate security complying with 12 policy settings modifying default 22 modifying legacy 22 Premium edition 7 11 14 15 17 45 71 72 profiles web filter 67 proposal IKE 24 IPSec 24 protection configuring real time 48 Q quarantined files managing 51 quick scan running 42 R real time protection configuring 47 48 remote monitoring VPN connections 32 remote FortiGate network connect to 29 removable drives scan in full system scan 43 scan on insertion 45 replay detection 25 request a signed local certificate 36 restore changed startup list entry 52 53 quarantined file 51 rejected startup list entry 52 53 retrieve CA certificate 37 CRL 38 signed local certificate 36 S scan files in a specified directory for viruses 42 for viruses 41 removable drives 43 45 selecting the file types to scan 46 security policy complying with 12 settings general 11 signed local certificate importing 36 requesting 36 smartcard certificate 36 SSL VPN tunnel client 29 new connection 30 Start VPN before logging onto Windows option 29 startup list entries viewing 52 startup list entry restoring a changed or rejected startup list entry 52 53 state province local certificate request 35 T technical support 3 time out monitoring VPN connections 32 traffic summary viewing 32 troubleshooting VPN 33 t
28. 4 40001 99166 20090622 http docs fortinet com e Feedback 49 Configuring server protection Antivirus and Anti Malware 5 Click Apply Configuring server protection If FortiClient Endpoint Security is installed on a server you have access to settings relevant to servers Exchange Server protection in version 4 0 of FortiClient Endpoint Security is included for customer evaluation and is available only if enabled at installation Figure 25 Server protection settings Exchange Server Options Integrate virus scanning into Exchange 2003 2007 When a virus is found Quarantine the attachment O Remove the attachment only CO Exclude the Exchange filesystem files from file scanning 0 Exclude all files that have extensions associated with Exchange Server from virus scanning SQL Server Options Exclude SQL Server filesystem folders from virus scanning Exclude all files that have extensions associated with SQL Server from virus scanning Apply To configure server protection 1 2 Go to AntiVirus gt Server Protection In the Exchange Server Options section select the following options as needed Integrate virus scanning Scan Exchange data stores for viruses into Exchange 2003 2007 When a virus is found Select the action to take Quarantine the attachment You can go to Antivirus gt Quarantine to see the quarantined attachment files and restore or delete them Remove the attachment only The
29. Client software retries a dropped connection four times stopped Beep when connection error Select if you want the FortiClient software to sound a beep occurs when a VPN connection drops By default the alarm stops after 60 seconds even if the connection has not been restored You can change the duration or select Continuously so that the alarm stops only when the connection is restored Connecting to the remote network After you set up a VPN connection you can start or stop the connection as required corporate security policy the VPN will not operate Select Make Compliant with Corporate Note If the FortiClient computer is centrally managed and does not comply with the Policy from the system tray menu to make the required changes to FortiClient settings For more information see Complying with corporate policy on page 12 To connect to a remote FortiGate gateway 1 2 3 5 Go to VPN gt Connections Select the connection you want to start Click Connect The FortiClient software opens a log window and begins to negotiate a VPN connection with the remote FortiGate firewall If the negotiation is successful and the connection is established the last line of the log will read Negotiation Succeeded Select OK or wait for the log window to close automatically If the last line of the log is Negotiation failed Please check log and the log window does not close automatically the connection att
30. FortiClient Endpoint security Version 4 0 MR1 User Guide FSRTMET UNIFIED THREAT MANAGEMENT SOLUTIONS FortiClient Endpoint Security User Guide Version 4 0 MR1 Build 4 1 0 124 30 September 2009 04 40001 99166 20090622 Copyright 2009 Fortinet Inc All rights reserved No part of this publication including text examples diagrams or illustrations may be reproduced transmitted or translated in any form or by any means electronic mechanical manual optical or otherwise for any purpose without prior written permission of Fortinet Inc Trademarks Dynamic Threat Prevention System DTPS APSecure FortiASIC FortiBlIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiAnalyzer FortiManager Fortinet FortiOS FortiPartner FortiProtect FortiReporter FortiResponse FortiShield FortiVoIP and FortiWiFi are trademarks of Fortinet Inc in the United States and or other countries The names of actual companies and products mentioned herein may be the trademarks of their respective owners Contents Contents Introd ction sssini nenene lene a i aye ee enema a e eee ne eerie renner 1 About FortiClient Endpoint Security cseeeccseseeeeeeseeeeeeseeeeeeeeeeneeesneeseeeeseeeeeeseeseneees 1 About this AOCUMOENE eisseccccccciee ste ccceeecececcceeeesetecdenestetecete
31. Google search or web sites that allow image audio or video searches Your FortiClient accesses the nearest FortiGuard Web Filtering Service Point to determine the categories and classification of a requested web page The FortiClient application blocks the web page if the web page is in a category or classification that you have blocked Web filter profiles specify which categories and classifications of web sites are allowed or blocked There are three predefined web filter profiles Default Child and Adult You can modify the categories blocked in each profile and create new profiles as needed You specify which profile applies to each user of the computer For instance you can use the predefined Child web access profile to prevent your children from accessing inappropriate web sites You also specify a global profile that applies to unknown users FortiClient web filtering filters both HTTP and HTTPS web traffic The filtering process does not compromise the security of the HTTPS connection in any way Note If the FortiGuard service is unreachable or the subscription is expired URLs are not blocked even if Block all unrated URLs is enabled FortiClient web filtering also allows you to specify URLs to always block or to allow by bypassing the web filter Setting the administration password You must set a password to prevent users from modifying the web filter settings shutting down the program or uninstalling the program To se
32. I DH Group AES128 MD5 oh o2 AE5S128 SHAI Delete all Key Life sec 28800 Local ID Mv IPSec Proposals DH Group Encryption Authentica Add 01 O2 5 3DES MD5 3DES SHAN Delete key Lite AES128 MD5 V Second AES128 SHA Delete all econds Seconds 1800 KBytes Advanced Options M Replay Detection Dead Peer Detection PFS V V Nat Traversal C Autokey Keep Alive Keepalive Frequency 5 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 23 http docs fortinet com Feedback Configuring VPNs VPN Table 2 FortiClient IKE settings correspond to FortiGate phase 1 settings IKE Proposals Add or delete encryption and authentication algorithms The proposal list is used in the IKE negotiation between the FortiClient software and the remote FortiGate unit The FortiClient software will propose the algorithm combinations in order starting at the top of the list The remote FortiGate gateway must use the same proposals Mode Select either Main or Aggressive Main mode provides an additional security feature called identity protection which hides the identities of the VPN peers so that they cannot be discovered by passive eavesdroppers Main mode requires the exchange of more messages than Aggressive mode It is also difficult to use efficiently when a VPN peer uses its identity as part of the authentication process When us
33. Microsoft Exchange and FTP file transfers 4 Set Maximum Disk Cache to 512 1024 or 2048MB The default is 512MB If your hard disk can accommodate a larger cache better optimization performance is possible 5 Click Apply FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 39 http docs fortinet com e Feedback Enabling WAN Optimization WAN Optimization FortiClient Endpoint Security Version 4 0 MR1 User Guide 40 04 40001 99166 20090622 http docs fortinet com e Feedback Antivirus and Anti Malware Scanning for viruses and malware Antivirus and Anti Malware Using the FortiClient antivirus feature you can protect your computer by regularly scanning your files for viruses and malware The FortiClient software can also perform real time virus and malware protection and monitor Windows Registry changes This section includes the following topics Scanning for viruses and malware e Configuring antivirus settings e Configuring real time protection e Configuring email scanning e Configuring server protection e Managing quarantined files e Monitoring Windows startup list entries Scanning for viruses and malware You can run a quick scan to detect the most malicious software Malicious software or malware includes computer viruses worms trojan horses most rootkits spyware dishonest adware crimeware and other malicious and unwanted software You can also set up s
34. NAT traversal you can set the keepalive frequency NAT traversal is enabled by default Keepalive If NAT Traversal is selected enter the Keepalive Frequency in seconds Frequency The keepalive frequency specifies how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the IKE and IPSec keylife expires The keepalive frequency can be from 0 to 900 seconds Autokey Keep Alive Enable this option to keep the VPN connection open even if no data is being transferred Dead Peer Enable this option to clean up dead VPN connections and establish new Detection VPN connections Configuring Virtual IP address acquisition The FortiClient software supports two methods for virtual IP address acquisition dynamic host configuration protocol DHCP over IPSec and manual entry Select the DHCP over IPSec option to allow the DHCP server in the remote network to dynamically assign an IP address to your FortiClient computer after the VPN connection is established Select the Manually Set option to manually specify a virtual IP address for your FortiClient computer This virtual IP address must be an actual address in the remote network You can also specify the DNS and WINS server IP addresses of the remote network For information about how to configure the FortiGate gateway see FortiGate Administration Guide and FortiGate IPSec VPN Guide address to be in the same su
35. You can copy an existing profile or create an empty profile that allows all categories Edit the settings as needed Select Rename Profile to change the name as needed 7 Optionally click Edit List to specify URLs to always block or to bypass the WebFilter To specify URLs to block or bypass Go to WebFilter gt Settings Click Modify Settings Enter the password if applicable In the Black white list of URLs area click Edit List 1 2 3 4 On the Profile Management tab select profile for which you want to specify URLs 5 6 Click Add FortiClient Endpoint Security Version 4 0 MR1 User Guide 68 04 40001 99166 20090622 http docs fortinet com Feedback Web Filter Modifying web filter settings 7 Inthe Set URL permission window enter the URL In the URL box you can enter e wildcard characters and in URLs e complete URLs IP addresses partial URLs e file types such as jpg to block all jpeg files and swf to block all flash animations 8 As you enter the URL the Protocol Hostname and URL Path fields are automatically filled out FortiClient breaks the components of the URL down which is useful for scenarios where a slash character is missed in the URL or URLs that contain wildcards 9 Select Block or Bypass 10 Click OK 11 Repeat steps 6 through 10 for each URL that you want to add You can also edit existing entries or delete unwanted entries 12 Click Close 13 Click OK Configuring
36. a virus is detected during real time file system monitoring Quarantine move the file to a quarantine directory e Clean attempt to remove the virus from the infected file If this is not possible move the file to the quarantine area If you selected Clean in step 5 and you want to save a copy of the found virus select the Save a copy in quarantine area before cleaning Configure the settings to submit viruses See Specifying an SMTP server for virus submission on page 47 If you want to add a FortiClient antivirus scan command to the Windows Explorer shortcut menu select Integrate with Windows shell See Integrating FortiClient antivirus scanning with Windows shell on page 47 Optionally select the Notify user the virus signature is out of date check box 10 Optionally select the Scan removable media on insertion check box 11 Optionally select the Pause background scanning on battery power check box 12 Optionally click Advanced Settings On the Advanced Settings window do the following Select or clear the Use extended signature database check box If you want to do antivirus scans using the full antivirus database select the check box If you only want to scan for active viruses clear the check box to use the core antivirus database By default the check box is selected The extended signature database is comprised of the full antivirus database Using this option will take a longer time to scan
37. ails see Configuring Virtual IP address acquisition on page 25 Click OK Click OK To add additional remote networks to a connection 1 2 Go to VPN gt Connections Double click the connection which can access the network that you want to add The Edit Connection window opens FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 21 http docs fortinet com e Feedback Configuring VPNs VPN 7 8 Select Advanced The Advanced Settings window opens In the Remote Network area click Add In the Network Editor window enter the P Address and Subnet mask of the remote network and click OK Repeat Steps 4 and 5 for each additional network you want to add You can specify up to 16 remote networks Click OK Click OK To use Internet browsing over IPSec 1 2 NO on fb W Go to VPN gt Connections Double click a connection The Edit Connection window opens Click Advanced In the Advanced Settings window click Add Enter 0 0 0 0 0 0 0 0 and click OK Click OK Click OK Z Note For the FortiClient computer to be able to use Internet browsing over IPSec the remote FortiGate gateway must also be configured to allow such traffic To transfer VPN configuration settings to your Windows mobile device 1 2 3 4 Connect your mobile device to your computer using the USB cable Start Microsoft ActiveSync and make sure that it detects your device Go t
38. and antivirus engine version information and configure updates on the Update page Each copy of the FortiClient software has a unique identifier called UID The UID is displayed at the upper right corner of the General gt Update page Whenever FortiClient sends out an update request it also sends out the ID number If you encounter any update problem Fortinet technical support can use this number to pinpoint the problem If the FortiClient computer uses a proxy server you can specify the proxy server settings so that the FortiClient software can get updates through the proxy server See Configuring proxy server settings on page 13 Updates can be run manually or scheduled to run automatically on a daily basis They cannot be updated hourly If you want hourly updates you need to upgrade to the Note If you are running the Free edition of FortiClient the definition files are updated daily Z Premium edition To initiate immediate updates 1 Goto General gt Update 14 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback General Updating FortiClient Figure 6 The General gt Update tab used to maintain FortiClient UID 2860874231 Component Version Last Update Update Status amp AntiVirus Signatures 10 420 22 07 2009 2 37 05 PM No data engine upd Antivirus Engine 4 0 5 22 07 2009 2 37 05 PM No data engine upd A AntiSpyware Signatures 1
39. available on the Fortinet Tools and Documentation CD shipped with your Fortinet product You do not receive this CD if you download the FortiClient application The documents on the CD are current at shipping time For up to date versions of Fortinet documentation visit the Fortinet Technical Documentation web site at http docs forticare com Fortinet Knowledge Center Additional Fortinet technical documentation is available from the Fortinet Knowledge Center The knowledge center contains troubleshooting and how to articles FAQs technical notes a glossary and more Visit the Fortinet Knowledge Center at http kb fortinet com Comments on Fortinet technical documentation Please send information about any errors or omissions in this document or any Fortinet technical documentation to techdoc fortinet com Customer service and technical support Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly configure easily and operate reliably in your network You can access FortiClient support using the links provided in the General gt Help amp Support page FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 3 http docs fortinet com e Feedback Customer service and technical support Introduction Please visit the Fortinet Technical Support web site at http support fortinet com to learn about the technical support services that Fortinet
40. ave not plugged the USB token into your computer s USB port you must do so now Then the CA Web page displays that your certificate request has been received N Oo To install a certificate 1 Logon to the CA Server if the certificate has been signed 2 Select Checking on a pending certificate then select Next 3 Select the certificate request then select Next 4 Select Install this certificate to install the certificate to the USB token Getting a CA certificate For the FortiClient software and the FortiGate gateway to authenticate themselves to each other they must both have a CA certificate from the same CA The FortiClient computer obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiClient computer Z Note The CA certificate must comply with the X 509 standard To retrieve the CA certificate 1 Connect to the CA web server 2 Follow the CA web server instructions to download the CA certificate To import the CA certificate 1 Goto VPN gt CA Certificates 2 Click Import 3 Enter the path or browse to locate the CA certificate on the FortiClient computer FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 37 http docs fortinet com e Feedback Managing digital certificates VPN 4 Click OK The CA certificate
41. back 77 78 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback Index Index A antispam 71 enabling 72 Microsoft Outlook 71 Windows Mail 71 antispam plug in installing 72 antivirus 41 antivirus settings configuring 44 app detection 75 App_Detection 75 application detection see app detection authentication 32 autokey keep alive 25 B Beep when connection error occurs option 29 bytes incoming VPN traffic 32 outgoing VPN traffic 32 Cc CA certificate getting a CA certificate 37 importing 37 retrieve 37 categories web filter 65 certificate eToken 36 importing a CA certificate 37 smartcard 36 city local certificate request 35 classification web filter 65 code page 6 comments on Fortinet technical documentation 3 company local certificate request 35 configuration error 33 configuration data 6 connect to a remote FortiGate gateway 29 to the remote FortiGate network 29 core signature database 45 corporate policy complying with 12 country local certificate request 35 CRL getting a CRL 38 importing 38 retrieve 38 customer service 3 D dead peer detection 25 default policy settings modifying 22 department local certificate request 35 DH group policy setting 24 digital certificate management certificate management 33 domain name local certificate request 35 E
42. ber bytes sent The encryption algorithm and key The authentication algorithm and key Traffic summary The traffic summary displays a graph of the incoming and outgoing VPN traffic The left column displays incoming traffic and the right column displays outgoing traffic The total number of incoming and outgoing bytes transferred is also displayed icon will change to a traffic summary graph The red column indicates incoming traffic The K Note When traffic is transferred over an open VPN connection the FortiClient system tray green column indicates outgoing traffic Exporting and importing VPN policy files You can export a VPN policy file to your local or network computer as a backup of the VPN configuration settings If required you can import this file back to your local FortiClient computer or to other FortiClient computers To export a VPN policy file Go to VPN gt Connections a fF O N Select the connection for which you want to export the VPN policy file Click Advanced and select Export In the Open window select a file folder and enter a file name Click Save To import a VPN policy file 1 Goto VPN gt Connections 2 Click Advanced and select Import 3 Locate the file and click Open 32 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback VPN Managing digital certificates the existing one S Troubleshooting VPN c
43. bnet of the remote network because the v2 50 FortiGate gateway does not support proxy ARP If you are connecting to a v2 80 or later FortiGate gateway consult your network administrator for a proper virtual IP address Note If you are connecting to a v2 50 FortiGate gateway you cannot set the virtual IP Figure 12 Configuring virtual IP address acquisition Virtual IP Acquisition Options Dynamic Host Configuration Protocol DHCP over IPSec O Manually Set IP Subnet Mask DNS Server WINS Server FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 25 http docs fortinet com e Feedback Configuring VPNs VPN To configure virtual IP address acquisition 1 2 7 Go to VPN gt Connections Double click a connection The Edit Connection window opens Click Advanced The Advanced Settings window opens Select the Acquire virtual IP address check box and click Config Select Dynamic Host Configuration Protocol DHCP over IPSec or Manually Set The default is DHCP If you select Manually Set enter the P address and Subnet Mask Optionally specify the DNS Server and WINS Server IP addresses Click OK three times Configuring eXtended authentication XAuth If the remote FortiGate unit is configured as an XAuth server it will require the FortiClient software to provide a user name and password when a VPN connection is attempted The user name and password are defined by
44. can The FortiClient Scan Progress window opens displaying the scanning process and results 3 Click Pause Resume or Stop to interrupt the scan Click Show Details to view the Infected file list The Infected file list displays the names of any infected files 5 Right click on entries and choose from the following actions e Delete the file Quarantine the file e Submit Virus to Fortinet Submit as false positive to Fortinet To view the log file for the scan select View Log 7 Click Close to close the FortiClient Scan Progress window To scan files in a specified directory 1 Goto AntiVirus gt Scan 2 Inthe File System Scan area click Browse to locate the directory to scan 3 Click Scan Now The FortiClient Scan Progress window opens displaying the scanning process and results 4 Click Show Details to view the Infected file list The Infected file list displays the names of any infected files 42 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback Antivirus and Anti Malware Scanning for viruses and malware 5 Right click on entries and choose from the following actions Delete the file Quarantine the file e Submit Virus to Fortinet e Submit as false positive to Fortinet 6 To view the log file for the scan select View Log 7 Click Close to close the FortiClient Scan Progress window To perform a full system scan 1 Goto AntiVirus gt S
45. can 2 Inthe File System Scan section click Full System Scan 3 Select Network drives or Removable media if you want them included in the scan Optionally you can change the relative priority of virus scanning compared to other processes 4 Click Start The FortiClient Scan Progress window opens displaying the scanning process and results 5 Click Show Details to view the Infected file list The Infected file list displays the names of any infected files 6 Right click on entries and choose from the following actions Delete the file e Quarantine the file e Submit Virus to Fortinet e Submit as false positive to Fortinet 7 To view the log file for the scan select View Log 8 Click Close to close the FortiClient Scan Progress window To manage scan schedules 1 Goto AntiVirus gt Scan 2 Inthe Scheduled Scan area click Add 3 Inthe New Schedule window set up a new schedule You can set up daily weekly or one time schedules You can also specify which folder to scan 4 Select the type of scan e Directory scan Click Browse and select the directory to scan This type will only scan the selected directory e Full system scan Select the Network Drives or Removable Media options Select the scan priority This type will scan the entire computer e Quick scan You cannot set a scan priority for Quick Scans This type scans only running processes FortiClient Endpoint Security Version 4 0 MR1 User Guide
46. can schedules and scan the files in a specified folder Depending on the option you set in Antivirus gt Settings the FortiClient software does one of the following when it finds viruses e Displays a virus alert message e Quarantines the virus infected file e Cleans the virus infected file your antivirus definitions may be checked to see they are up to date If your antivirus are not up to date then access to the internet may be blocked You will need to update your antivirus definition files in order to access the internet Note If your FortiClient is being managed by a FortiGate unit or FortiClient Manager then For information about how to configure what happens when the FortiClient software finds a virus see Configuring antivirus settings on page 44 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 41 http docs fortinet com e Feedback Scanning for viruses and malware Antivirus and Anti Malware Figure 21 Scanning for viruses and malware Quick Scan To detect and repair the most malicious viruses and worms File System Scary Choose scan target Full System Scan l Scan Now Scheduled Scan Directory Scan Type Schedule lt gt Add Edit Delete an During antivirus scanning the FortiClient system tray icon is animated A bar repeatedly Ee rolls from the bottom to the top of the icon To run a quick scan 1 Goto AntiVirus gt Scan 2 Select Quick S
47. canning until you have done this Go to both Antivirus gt Settings and Antivirus gt Realtime Protection to edit the exclusion lists Protection window is disabled To enable antivirus server protection use the msi package with the public property WITHEXCHANGE 1 For example msiexec i forticlient msi WITHEXCHANGE 1 Note If FortiClient is directly installed on SQL or Exchange server the AntiVirus gt Server Note While Windows Server is supported Fortinet does not recommend installing FortiClient onto Domain Controllers Installing from a drive created with subst Installing from an MSI package does not work if the MSI file is located on a drive created with the subst command You can do any of the following specify the real path to the file e move the MSI file to a location where this is not an issue e use the exe installer instead if possible During the installation FortiClient logs all install activities to a log file automatically Should any problems arise during the install you can review the install log to see where and when the issue occurred The install log file fcinstalllog txt is located in the following directory on Windows 2000 in the c winnt directory on Windows XP in the c windows directory When installing using the msi installation the install does not create the install log automatically For an msi installation to produce a log use the following command msiexec i FortiClient ms
48. content filtering into a single software package With the FortiClient application you can create VPN connections to remote networks scan your computer for viruses configure real time protection against viruses and unauthorized modification of the Windows registry restrict access to your system and applications by setting up firewall policies restrict Internet access according the rules you specify filter incoming email on your Microsoft Outlook and Microsoft Outlook Express to collect spam automatically use the remote management function provided by the FortiManager System ForitClient can be downloaded directly from www forticlient com About this document This document explains how to install and use the features of FortiClient Endpoint Security This document contains the following chapters Installation explains how to install the FortiClient application on your computer General describes how to enter a license key how to lock or unlock the application settings how to configure optional proxy server settings and log settings and log view VPN describes how to configure an IPSec VPN with the FortiClient application WAN Optimization describes to enable WAN optimization Antivirus and Anti Malware describes how to scan files for viruses how to configure real time scanning of files as you access them how to configure virus scanning of incoming and outgoing email and how to prevent unauthorized modificatio
49. d traffic only application level control rules are applied The advanced firewall rules do not have effect For inbound traffic the advanced firewall rules will be applied first then the application control rules For the traffic related to system processes such as NetBIOS traffic is accepted only when it is allowed by both advanced rules and zone security settings Note If your FortiClient is being managed by a FortiGate unit or FortiClient Manager then Z your firewall settings may be checked to see if it is enabled set to Normal If your firewall is not enabled then access to the internet may be blocked You will need to enable your firewall set your firewall mode to Normal in order to access the internet Selecting a firewall mode By default FortiClient firewall runs in Normal mode to protect your system You can go to Firewall gt Status to select a different firewall mode protection level FortiClient firewall has the following running modes Deny all Blocks all the incoming and outgoing traffic Normal You can select from the three protection profiles See Selecting a firewall profile on page 55 Pass all No firewall protection Selecting a firewall profile If you select the Normal firewall mode on Firewall gt Status you can select from the following three firewall protection profiles Basic home use Allows all outgoing traffic and denies all incoming traffic Select this profile if your computer i
50. daemon stopped Figure 15 A failed connection test Test Connectivity In tun_timer_list jiffies OO000004 skipped 10 tvecs 1 gt bits is 3 tvecs n gt index is 0 No response from the peer retransmit st 1 set retransmit st 1 timeout 5 Adding timer 2 expiry 5 data 5893464 Adding to queue Adding timer 3 expiry 5 data 5893464 Adding to bucket 1 at index 15 Next_time 5 sec In run_timer_list jiffies 0000000F skipped 5 tvecs 1 gt bits is 3 tvecs n gt index is 0 No response from the peer retransmit st 1 set retransmit st 1 timeout 5 Adding timer 2 expiry 5 data 5893464 Adding to queue Adding timer 3 expiry 5 data 5893464 Adding to bucket 1 at index 20 Next_time 5 sec Setting connection options The following options apply to VPN connections You can find them on the VPN gt Connections page Select Apply after making any changes 28 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback VPN Using the FortiClient VPN client Start VPN before logging on to Select this option if you need to log on to a Windows domain Windows through a VPN when you start up your Windows workstation See Connecting to a VPN before Windows logon on page 31 Keep IPSec service running Select to retry dropped connections indefinitely By default the forever unless manually Forti
51. date 2 In the When a new version of FortiClient is available area select one of the following e Download and install the new version without notification e Download the new version and notify me before installing e Notify me before downloading or installing the new version 3 Click Apply Backing up and restoring FortiClient settings If you have administrative privileges on your computer you can save all FortiClient settings to a file so that you can easily restore them at a later date For example if you are forced to reinstall the software after replacing a hard drive loading a backup will restore FortiClient to the same settings it had when you made the backup You can also use a single backup file to configure multiple FortiClient installations with identical settings Note Backup Restore features are not available if the FortiClient application is centrally managed by a FortiManager unit To back up the FortiClient settings 1 Goto General gt Backup Restore Figure 7 Backup and Restore settings Backup Last backup date time Never backed up Last backed up to Restore Restore 2 Click Backup 3 Enter a file name and location in the Save As window 16 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback General Logs 4 Enter a password in the Input Password window Enter the password again in the Confirm field to ensure you ty
52. documents Exclusion list Select files and folders Select file types What to do when a virus is found Clean Quarantine if unsuccessful Quarantine OdAlert C Save a copy in quarantine area before cleaning Virus submission C Use this mail account to submit virus SMTP server User name Password C Enable automatically submitting suspicious files to Fortinet Inc Integrate with windows Shell Advanced Settings Notify user the virus signature is out of date C Scan removable media on insertion Pause background scanning on battery power To configure antivirus settings 1 Goto AntiVirus gt Settings 2 Select the file types to be scanned 3 Add or delete file types to be scanned for viruses See Selecting file types to scan on page 46 44 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback Antivirus and Anti Malware Configuring antivirus settin gs 9 Select files folders and file types to be excluded from virus scanning To exclude a file or folder click Select file and folders then click Add to add the file or folder to the exemption list To exclude a file type click Select file types then add the file types For more information see Selecting file types to scan on page 46 Select what to do when a virus is found The default is Clean e Alert display a message if
53. e a global profile for users not specified in Per User Settings tab Global profile Default profile z Profile Default profile is permanently assigned Global black white list of URLs You can manage a list of URLs which will be blocked or bypassed by WebFilter regardless their ratings Edit uist_ If an URL was found in both black and white list Block Bypass C Block all unrated URLs Cancel To configure the web filter global settings 1 Goto WebFilter gt Settings Click Modify Settings Enter the password if applicable In the WebFilter Settings window select Enable webfilter a Aa ON Select the Enable URL rating with FortiGuard Filtering Services if you want to use FortiGuard rating services and the black white list to check to determine if the URL is allowed or denied FortiGuard rating services will use the categories and or classifications that are used listed in FortiClient to block URLs Leave the check box clear if you only want to use the black white list to decide whether to allow or deny access to the URL 6 Optionally you can change the Global profile Select Default Profile Child or Adult FortiClient Endpoint Security Version 4 0 MR1 User Guide 66 04 40001 99166 20090622 http docs fortinet com Feedback Web Filter Modifying web filter settings In the Change Current Profile window do one of the following e Select Permanently change curre
54. eight characters 6 Click Save a fF O N Getting a signed smartcard certificate If you are using a USB token smartcard certificate for authentication you must also have the certificate signed by the CA server and install the signed certificate on your token The following procedures use a Windows 2000 Advanced Server as an example Note Current FortiClient releases have been tested with the Aladdin eToken PRO and Aladdin eToken NG OTP series USB tokens 36 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback VPN Managing digital certificates General steps to get a signed smartcard certificate 1 Send the certificate request to the CA server See To send a certificate request on page 37 2 Install the signed certificate on the token See To install a certificate on page 37 To send a certificate request 1 Log on to the CA server for example http lt CA_server gt certsrv 2 Select Request a certificate then select Next 3 Select Advanced request then select Next 4 Select Submit a certificate request to this CA using a form 5 In the request form e Enter the identifying information For Intended Purpose select Client Authentication Certificate e For CSP select eToken Base Cryptographic Provider e Leave all other default settings Click Submit When prompted to enter the eToken password enter the password If you h
55. empt failed Test the connection to verify the configuration To stop the connection select Disconnect Using the FortiClient SSL VPN tunnel client The FortiClient SSL VPN tunnel client is available for Windows and MacOS systems The list of available connections are from the list of VPN Connections in FortiClient FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 29 http docs fortinet com e Feedback Using the FortiClient VPN client VPN Figure 16 FortiClient SSL VPN 55 FortiClient SSL VPN ES Connection Name test Re Server Address 172 16 1 1 Usemame test Password 7 Client Certificate v Connection Status Disconnected Bytes Sent 0 Duration 00 00 00 Bytes Received 0 Settings Connect Exit m To use the SSL VPN standalone tunnel client Go to Start gt All Programs gt FortiClient gt FortiClient SSL VPN Select the Connection Name from the list Enter the Username and Password if required The username and password may already be entered Select a Client Certificate if required Click Connect To manually terminate the connection click Exit To create a new connection A O N Go to Start gt All Programs gt FortiClient gt FortiClient SSL VPN Click Settings Click New Connection Enter the following information and click OK Connection Name Enter a name for the connection Description
56. es 47 Configuring email Scanning cceecceeceeeeeeeeeeeeeeeeeeeeeeeneeseeseseeeeseeseeeeeeseeseeseeneeeeeseeeenens 49 Configuring Server protection cccccesseeereeeeseeeeseeeeeeeeeeeeeeseeeeeeeeeseeeeeeeeesseeeeeeneeseeneees 50 Managing quarantined fileS ccccscceeeeeeseeeeeeeeeeeeeeeeeeeeeeeesneeeeeeeeseeeeeeseesseeeeeeeenseneees 51 Monitoring Windows startup list CNtri S ceeecssseeeeeeeeeeeeeeeeeeeeeeeeeeeseeeeeeeeeeeneenes 51 Restoring changed or rejected startup list entries 0 0 eee ceeeeeeeeteeneeeeeeeeneaeees 52 PR WAM cg secctacn oa csse tetas mace sdiccadieia bamnladaee ce Moca tran ements ana ue need eae SLEA 55 Selecting a firewall mode ccccceesseceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeseeeeeeeeseeeeeeeeesesseeeseeeseneeees 55 selecting a firewall profile iciiassacecdanscaacteusnnaceessapssadeneloauacdeaaesaceeeanpaeed EEE 55 Viewing network statistics sssssusseennennnnnnnrnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnne 56 Configuring application access permissionS sssssssssssueesennrnnnnnnnnnunnnnnnnnnnnnnnnnnnne 57 Managing address protocol and time groupS sseeeesssesereessseerrssetrrrssrtrrrnssrnnsssene 58 Configuring network security ZONES ssssssssserennnnnnnnnunnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nennen 59 Adding IP addresses to ZONOS 0 ceeeccceceeeseeneeeececeneeeeeceaeeneeeedaaeneeeeeceenseeeteceensaeees 59 FortiClient Endpoint Securi
57. es to the registry The FortiClient software assumes the following registry changes are unauthorized if the changes were not made by an authorized user e adding removing or modifying an application installation e changing an existing application s configuration settings Z Note Monitoring the Windows Registry is not supported on 64 bit Microsoft Windows XP The startup list shows the Windows registry entries for any applications that are started as part of your Windows profile when you log on to Windows The list includes applications that are displayed in the system tray The list also includes any applications that are started transparently and are not displayed in the system tray Entries are displayed in three lists e The Rejected entries list displays new unauthorized startup entries FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 51 http docs fortinet com e Feedback Monitoring Windows startup list entries Antivirus and Anti Malware e The Changed entries list displays previously existing entries that have changed since the last Windows startup e The Current startup list displays all current registry entries The startup list is checked when the FortiClient software starts The registry keys listed are e HKLN indicates local machine and runs for all users e HKCU indicates current user e ShellServiceObjectDelayLoad is equivalent to the Run key but the entries in the key are
58. ewall Filtering Rule window enter the following information and select OK Name Description State Action Source Destination Protocol Time Bind this rule to Enter a name for the rule Optionally enter a short description Either Enable or Disable the rule Either Allow or Block the traffic Apply the rule to the traffic that originates from the source address and terminates at your computer Select Add to add the source address For information about adding an address group see Managing groups on page 62 Apply the rule to the traffic that originates from my computer and terminates at the destination address Select Add to add the destination address For information about adding an address group see Managing groups on page 62 Select Add to add a protocol to the rule While specifying the protocol in the Add Protocol window you can also specify the destination and source ports Select Add to add a day time range when the rule should be executed In the Add Time window specify a description time range and one or more days Time range is specified using a 24 hour clock Select all adapters or a single ethernet adapter on your computer to apply this rule Z Note You can use any combination of the filtering criteria 4 Click OK Managing groups To simplify management you can combine the source addresses destination address protocols and time schedules into groups and use the groups when c
59. explicitly loaded by the shell such as Explorer exe during logon Each entry is a shell extension Figure 26 Registry Monitor What to view O Rejected entries O Changed entries E7 w HKLM SOFTWARE Microsoft Windows CurrentVersion Run E w HKCUSS oftware Microsoft windows CurrentVersion Run E w HKLM SOFTWARE Microsoft Windows CurrentVersion ShellS erviceO bjectD elayLoad H O C Documents and Settings jcoles Start Menu Programs Startup C Documents and Settings juser Start Menu Programs Startup O C Documents and Settings All Users Start Menu Programs Startup O C Documents and Settings Default User Start Menu Programs Startup To enable startup list monitoring e In General gt Status select the Enable startup list monitoring check box By selecting this check box FortiClient warns you if there are changes to the startup list such as malware changes every time your computer is started To view Windows startup list entries 1 Goto AntiVirus gt Registry Monitor 2 Under What to view select Rejected entries Changed entries or Current startup list 3 Optionally click Refresh to refresh the startup list entries to view recently added changed or rejected registry entries Restoring changed or rejected startup list entries Changed or rejected entries can be restored Hp Caution If you are unsure what application an entry is for do not restore the startup list entry FortiClient Endpoint Secu
60. f Request Continue with To export the local certificate request 9 Ifyou selected Online SCEP as the Enrollment Method select an issuer CA from the list provided or enter the URL of the CA server If the FortiClient computer uses a proxy server you must configure the proxy server settings before you can use online SCEP See Configuring proxy server settings on page 13 10 In the Challenge Phrase field enter the challenge phrase if the certificate authority requires it 11 In the Key Size bits field select the VPN certificate key size 1024 4096 bits 12 Click OK The FortiClient software e submits the local certificate request e retrieves and imports the signed local certificate e retrieves and imports the CA certificate The signed local certificate is displayed on the Local Certificates list with the type of Certificate The CA certificate is displayed on the CA Certificates list The expiration dates of the certificates are listed in the Valid To column of each list The FortiClient software generates 1024bit keys Continue with Validating certificates on page 38 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 35 http docs fortinet com e Feedback Managing digital certificates VPN To export the local certificate request 1 Goto VPN gt My Certificates 2 From the certificate list select the local certificate to export 3 Click Export 4 Name the file
61. folders The AntiVirus Options window opens 3 Click Add FortiClient Endpoint Security Version 4 0 MR1 User Guide 46 04 40001 99166 20090622 http docs fortinet com Feedback Antivirus and Anti Malware Configuring real time protection 4 Navigate to the desired file or folder and click OK 5 Add or remove other files and folders as needed 6 Click OK quarantined In the quarantine file list right click the file and select Exclude file folder from K Note You can also exclude a file or folder from antivirus scanning after it has been antivirus scanning For more information see Managing quarantined files on page 51 To add files types the exclusion list 1 Goto AntiVirus gt Settings 2 Inthe Exclusion List area click Select file types The File Scan Extensions window opens Click New In the New File Extension window enter the file extension and click OK Add or remove other files types as needed Click OK oa Aa OQ Specifying an SMTP server for virus submission Instead of using the default mail server you can specify an SMTP server to use when submitting the quarantined files To specify an SMTP server 1 Go to AntiVirus gt Settings 2 Under Virus Submission select Use this mail account to submit virus 3 Inthe SMTP server field enter the SMTP server that you use for outgoing email 4 If the SMTP server needs authentication to log on select Need authentication and enter the logon user na
62. i L v c logfile txt Alternatively you can install the appropriate logging active directory group policies FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback Installing the FortiClient SSL VPN Client Installation Installing the FortiClient SSL VPN Client The FortiClient 4 0 MR1 installer contains the SSL VPN installation If you are upgrading FortiClient from a previous version and want to install the SSL VPN client you will have to install the SSL VPN separately To install the SSL VPN client you can do one of the following e Download the SSL VPN installer package SslvpnClient msi or SslvpnClient exe from https support fortinet com e Connect to your FortiGate unit to install it automatically e Uninstall your current version of FortiClient and install the FortiClient v4 0 MR1 10 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback General Entering a license key General Use the General menu to e View the FortiClient software version and serial number e View the status of the VPN service e Enable or disable real time antivirus protection e Enable or disable Windows system startup list monitoring e View the current version of the antivirus files and the last scan time Set the FortiClient console to open automatically at startup e Enter a product license key
63. ication 5 Click OK Note Permission levels for the public zone can only be lower than or equal to those for the trusted zone To create a firewall rule 1 Go to Firewall gt Applications 2 Click Edit gt Advanced gt Add 3 In the Advanced Firewall Filtering Rule window enter the following information and click OK FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 57 http docs fortinet com e Feedback Configuring application access permissions Firewall Name Enter a name for the rule Description Optionally enter a short description State Either Enable or Disable the rule Action Either Allow or Block the traffic Source Apply the rule to the traffic that originates from the source address and terminates at your computer Select Add gt gt gt to add the source address For information about adding an address group see Managing address protocol and time groups on page 58 Destination Apply the rule to the traffic that originates from your computer and terminates at the destination address Select Add gt gt gt to add the destination address For information about adding an address group see Managing address protocol and time groups on page 58 Protocol Select Add gt gt gt to add a protocol to the rule While specifying the protocol in the Add Protocol window you can also specify the destination and source ports Time Select Add gt gt gt to add a day time
64. imization Enabling WAN Optimization WAN Optimization WAN Wide Area Network optimization accelerates a broad range of applications accessed by distributed workforces Factors that can affect the performance of applications deployed in a WAN include e bandwidth e latency e throughput congestion e packet loss Configuring WAN optimization consists of adding rules that match traffic accepted by a firewall policy according to source and destination addresses and destination ports of the traffic in addition to defining the WAN optimization techniques to be applied to the traffic Enabling WAN Optimization FortiClient WAN Optimization works exclusively with WAN optimization on a FortiGate unit to accelerate network access FortiClient will automatically detect if WAN optimization is enabled on the optimizing FortiGate unit it is connected to and transparently make use of the byte caching and protocol optimization features available Byte caching and protocol optimization are bidirectional To configure WAN Optimization on the FortiGate unit see the FortiGate Web Optimization Web Cache and Web Proxy User Guide available from www docs fortinet com To enable WAN Optimization 1 Goto WAN Optimization Figure 20 WAN optimization Enable WAN Optimization Disk Cache Size Maximum Disk Cache Size 512 v MB Select Enable WAN Optimization 3 Enable the protocols to be optimized HTTP web browsing CIFS file sharing MAPI
65. ing aggressive mode the VPN peers exchange identifying information in the clear DH Group Ser one or more Diffie Hellman groups from DH group 1 2 and 5 When the VPN peers have static IP addresses and use aggressive mode select a single matching DH group When the VPN peers use aggressive mode in a dialup configuration select up to three DH groups for the dialup server and select one DH group for the dialup user client or gateway When the VPN peers employ main mode you can select multiple DH groups Key Life Enter the number in seconds The keylife is the amount of time in seconds before the IKE encryption key expires When the key expires a new key is generated without interrupting service P1 proposal keylife can be from 120 to 172 800 seconds Local ID If you are using peer IDs for authentication enter the peer ID FortiClient will use to authenticate itself to the remote FortiGate gateway If you are using certificates for authentication you can enter the local ID which is the distinguished name DN of the local certificate Note there is no limit to how many FortiClient peers can use the same local Table 3 FortiClient IPSec settings correspond to FortiGate phase 2 settings IPSec Proposals Add or delete encryption and authentication algorithms The remote FortiGate gateway must use the same proposals DH Group Select one Diffie Hellman group from DH group 1 2 and 5 DH group 1 is
66. ion SSL VPN Secure Sockets Layer is a type of VPN that runs on Secure Socket Layers technology and is accessible via https over web browsers It permits users to establish safe and secure remote access sessions from virtually any Internet connected browser SSL VPN solutions allow organizations to deliver the level of corporate network access required for each connecting person as well as the location from which they access it It provides a secure connection between remote users and internal network resources To create an SSL VPN connection Go to VPN gt Connections Click Advanced and select Add In the New Connection window enter the Connection Name Select the SSL VPN type Enter the IP address or the fully qualified domain name FQDN of the remote gateway Enter the Username and Password for the remote gateway Click OK N Oo FP WD Using the FortiClient VPN client When you have configured your VPN connections you can use FortiClient to make secure connections Testing the connection After you configure a VPN you can test the VPN connection from your FortiClient computer This is optional but it provides more information than the Connect function if the connection fails To test the connection 1 Goto VPN gt Connections 2 Select the connection you want to test 3 Click Advanced and select Test A Test Connectivity window opens and begins to negotiate the VPN connection with the remote FortiGate unit If
67. item select the item and click Edit To remove a list item select the item and click Delete Click Apply NO oo fh WD Manually labelling email You can manually mark an email as a spam or as an innocent mail If you have not enabled the FortiClient Submit mis rated Email automatically check box you will be prompted to submit a selected email to Fortinet when you mark an email as a spam or as an innocent mail Otherwise the selected email will be sent to Fortinet automatically to train its FortiGuard database For more information see Submitting misclassified email to Fortinet on page 74 To manually mark an email as spam 1 Open Microsoft Outlook or Outlook Express 2 Ifyou find a spam in your Inbox folder select the email 3 Click Mark As Spam on the FortiClient toolbar The email is sent to the Spam folder and is forwarded to Fortinet When you update the FortiClient software the Outlook plug in will update its spam database so that when an email from the same sender address comes in it will be sent to the Spam folder To manually mark an email as an innocent mail 1 Open Microsoft Outlook or Outlook Express FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 73 http docs fortinet com e Feedback Submitting misclassified email to Fortinet Anti spam 2 If you find an innocent email in your Spam folder select the email 3 Click Mark Not Spam on the Fortinet toolbar The email is sent
68. l Certificates ccccceeesennneeeeeeeneeeeeeeeeneeeeeeeeneeeenseeeneeeeneneeneeeenneeneeeeenss 33 Getting a signed local Certificate ceeeceeeeeeeeeceeeeeeeaaeeeeeeeaaeeeeeeeenaeeeeeeeeaaas 34 Getting a signed smartcard Certificate 2 0 eee eeeeceeeneeeeeeeenneeeeeeeeaaeeeeeeeenaeeeeeeeeaas 36 Getting a CA Certificate eee eeeenne etre eeeaeeeeeeeeeaeeeeeeeeaaaeeeeeeeaeeeeeeeeceeeeseeeaas 37 Validating CertnCatess oi o a iase desnseeedanied aetna ae 38 WAN Optimization woccscscccnsccissci cs tiecsscestccccesteccensstedeinestsicecsensewsctsrecencests 39 Enabling WAN Optimization cccccccssseeeeeeseeeneeeeeeeeenseeeeeeeenseeeesseenseeeenseeneeeenseeeneeeeneas 39 Antivirus and Anti Malware ccccseseeeeeeeeeeceeeeeeeeeeeeeeeeeeeeeeeeeenenennnees 41 Scanning for viruses ANd MAlWALE ceceessseeeeeeeeseeeeeeeeeseneeeeeeeeesneeseeesseeeeeeeenseseenees 41 Configuring antivirus settings ssssssssesennnnrnnnnnnnnnnnnnnnnnunnnnnnunnnnnnnnnnnnnnnnnnnnnnnnnnnnn nunne 44 Selecting file ypes tO SCAN ocres asiai rani ia A ARRA NSS 46 Selecting files folders and file types to exclude from scanning 2 0 eeee 46 Specifying an SMTP server for virus SUDMISSION ceeeeeeteeeeeeetteeeeeeeetaeeeeeeeeaas 47 Integrating FortiClient antivirus scanning with Windows shell cc cceeeeeeees 47 Configuring real time protection ccccseeeeeceseeeeseeeeeeeeeseeeeseeeeseeseeseeeseesesseeeeeeseeseenne
69. l list you will be asked whether to Z Note You cannot edit or delete settings for the fortiproxy application Apart from application access control network zone security and intrusion detection FortiClient firewall protects your computer with another layer of security advanced firewall rules The firewall rules allow or block network traffic according to the following three types of filtering criteria you specify Source and destination addresses can be your own computer one of the two zones Public Zone and Trusted Zone a single IP address a range of IP addresses a subnet or a address group For information about adding an address group see Managing groups on page 62 e Network protocols can be TCP UDP or TCP UDP e Day and Time ranges can be applied to a rule to restrict access based on the day of the week and the time of day The advance firewall rules take precedence over the zone security settings For example if a rule blocks the traffic to the Trusted Zone the traffic will be blocked To add an application to the access control list 1 Go to Firewall gt Applications 2 Click Add 3 In the Add New Application window enter or browse to the application Path 4 Select permission levels for the public zone and trusted zone Allow Allows the application network access e Ask Prompts to ask your permission for the application to have network access e Block Blocks all network access for the appl
70. layer RealGuide New Lil Kim and Ma Mon 3 13 2006 11 39 PM BUILD ANNOUNCEMENT Mon 3 13 2006 9 39 BUILD ANNOUNCEMENT Mon 3 13 2006 9 23 nt v Mon 3 13 2006 8 42 PM Mon 3 13 2006 5 20 PM Mon 3 13 2006 4 37 Mon 3 13 2006 4 32 Mon 3 13 2006 4 03 calendar ott for Reminder Overtime Meal Order Mon 3 13 2006 3 48 Installing anti spam plug in Install the anti spam plug in on Microsoft Outlook or Outlook Express 2000 or newer version To install anti spam plug in on Outlook 1 On your computer install Microsoft Outlook or Outlook Express if you do not already have it Install FortiClient software 3 Reboot your computer A Spam folder appears on the Outlook folder List Spam sent to you will be put into the Spam folder automatically Fortinet Inc Mark As Spam and Mark Not Spam icons appear on the Outlook toolbar Enabling anti spam You must enable the FortiClient anti spam feature for the Outlook plug in to work Caution If you are running the Free edition of FortiClient this feature is not available You will need to purchase a Premium license in order to use anti spam To enable anti spam 1 Goto AntiSpam gt Settings 2 Select Enable AntiSpam 3 Click Apply Z Note On Outlook Express anti spam filtering is not effective with an IMAP email server Adding white black and banned word lists You can allow whitelist or block blacklist email addresses and ban email c
71. licies eececeeeeeeeeeeeeeeeeeeneeeeeeetteeeeeeetneeeeeeeeaa 22 Configuring Virtual IP address ACQUISITION eceeeeeeeeetteeeeeeeeteeeeeeeettteeeeereeee 25 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback Contents Configuring eXtended authentication XAUtH e cess eeceeeeeeeeeneeeeeeentaeeeeeeeaaas 26 Setting up a VPN with SSL VPN connection 0 cece eee eeeeeeeeeeeenteeeeeeeenaeeeeeeeeaees 27 Using the FortiClient VPN Client cccccceeesseneeeeeeeeneeeeeeeeceneeeeseeeeneeeesseceneeeesseenneeeeness 27 Testing the connection secan a ined ile Ginnie a E nent 27 Setting connection OPtIONS 2c20 cccecsereeeeeeeeeen ee cecbbececedeaeaeeeeedeaenesetedceeneeedenebensees 28 Connecting to the remote NEtWOFK eee eeeceeeeneeeeeeeeeeeeeeeeeeeaaeeeeeeeaaeeeeeeenaeeeeeeenaaes 29 Using the FortiClient SSL VPN tunnel Client cee eceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeenaeeeees 29 Connecting to a VPN before Windows IOGON ccceeeeeeeeeeeeeeeeeeeeneeeeeeeenateeeeeenaaes 31 Monitoring VPN CONNECTIONS cccceseeetteeeeeeceneeeeeeeceeeeeeeeeceeeeeeaseceneeeenseceneeeenseceneneeneas 31 Exporting and importing VPN policy fil S ec ceeeeeeeeeeeeeeeeeseeeeeeeeeseeeeaaeeeeseeeaeees 32 Troubleshooting VPN CONNECTIONS cceceeee cette eee eeene eee eeeeeeeeeteetaeeeeeteenaeeeeeeeeaees 33 Managing digita
72. lling FortiClient you can choose to install either the Free or Premium edition Table 1 describes the differences between the two editions To install the Premium edition you need to purchase a license key You can upgrade to the Premium edition after you have installed the Free edition See Entering a license key on page 11 for more information If you are using the Free edition of FortiClient it will be shown on the General gt Status page If you are using the Premium edition there is no edition name in the General gt Status page need to enter the registration key in the FortiClient console after the installation of Note If you have a registration code it cannot be activated during installation You will Z FortiClient See Entering a license key on page 11 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback Installing the Free or Premium FortiClient Editions Installation Figure 2 FortiClient showing the Free editon General Status 8 FortiClient Version VPN No active connection Antivirus Enable real time protection Virus Signatures Version Spyware Signatures Version Last scan Update Automatic update Last successful update 4 029 114 10 420 not active August 05 09 3 26 28 PM Table 1 FortiClient Free and Premium Edition features FCT8002860874231 Enable startup list monitoring AntiVirus Engine
73. ly a few pieces of information from the VPN administrator to configure the FortiClient VPN settings Configuring VPNs If the VPN gateway is a FortiGate unit running FortiOS 3 0 or later it can download the settings to your FortiClient application You need to know only the IP address or domain name of the VPN gateway See Setting up a VPN with automatic configuration on page 19 If the VPN gateway is a FortiGate unit running FortiOS 2 80 or earlier or it is a third party gateway you must configure the FortiClient VPN settings manually You need to know e the IP address or domain name of the VPN gateway e the IP address and netmask of the network s you want to reach through the VPN gateway in some cases a virtual IP address setting e unless default settings are used IKE and IPsec policy settings e if extended authentication XAuth is used your user name and password See Setting up a VPN with manual configuration on page 20 If you are setting up an SSL VPN connection see Setting up a VPN with SSL VPN connection on page 27 If you are configuring a VPN to use either local digital certificates or smartcard eToken certificate for authentication see Managing digital certificates on page 33 before proceeding Digital certificates are not required for configuring FortiClient VPN connections Digital certificates are an advanced feature provided for the convenience of system administrators This manual ass
74. me and password 5 Select the Enable automatically submitting suspicious files to Fortinet Inc check box to send any suspicious virus files to Fortinet 6 Click Apply Integrating FortiClient antivirus scanning with Windows shell By integrating FortiClient antivirus scanning with Windows shell you can use the FortiClient antivirus shortcut menu in Windows Explorer to scan the selected folders or files for viruses or malware To integrate with Windows shell 1 Goto AntiVirus gt Settings 2 Select Integrate with Windows Shell 3 Click Apply In Windows Explorer you can right click on folders or files and select Scan with FortiClient Antivirus to scan them Configuring real time protection Configure real time protection settings to specify FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 47 http docs fortinet com e Feedback Configuring real time protection Antivirus and Anti Malware Which file types to scan What types of malware to detect Which file types to exclude from scanning What to do when a virus is detected during real time monitoring your antivirus settings may be checked to see if it is enabled Enable real time protection is Note If your FortiClient is being managed by a FortiGate unit or FortiClient Manager then selected If your antivirus is not enabled then access to the internet may be blocked You will need to enable your antivirus protectio
75. mote FortiGate firewall If the negotiation is successful and the connection is established the last line of the log will read Negotiation Succeeded Click OK or wait for the IKE Negotiation window to close automatically 5 Log on to the Windows domain 6 After you log off of the Windows domain select the VPN icon to disconnect the VPN Monitoring VPN connections Go to VPN gt Monitor to view current VPN connection and traffic information Figure 18 VPN Monitor Current Connection Traffic Summary Name Local Gateway 0 0 0 0 Remote 0 0 00 Time Out sec 0 Incoming Packets 0 Bytes 0 Encryption Auth Outgoing In 0 bps Packets 0 Bytes 0 Dut 0 bps Encryption Auth FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 31 http docs fortinet com Feedback Monitoring VPN connections VPN Current connection Name Local Gateway Remote Time Out sec Incoming Packets Bytes Encryption Auth Outgoing Packets Bytes Encryption Auth The name of the current VPN connection The IP address of the local gateway the FortiClient computer The IP address of the remote gateway the FortiGate unit The remaining lifetime of the VPN connection The number of packets received The number of bytes received The encryption algorithm and key The authentication algorithm and key The number of packets sent The of num
76. n retaining your current configuration FortiClient 4 0 can reuse configuration data from FortiClient versions 2 0 1 6 or 1 2 but not from version 1 0 Note For FortiClient version 1 0 and 1 2 installations it is recommended that you uninstall the software before installing version 4 0 to ensure a clean install You can also perform an upgrade installation of FortiClient software using the zip version of the installer which contains an MSI installer package To install the FortiClient software Windows executable installer 1 Double click the FortiClient installer program file 2 Follow the instructions on the screen selecting Next to proceed through the installation options When the installation has completed the FortiClient Configuration Wizard begins unless you are upgrading an existing installation To install the FortiClient software MSI installer 1 Extract the files from the FortiClient Setup zip archive into a folder 2 Doone of the following To perform a new installation double click the FortiClient msi file To perform an upgrade installation execute the following command at the command prompt all on one line case as shown msiexec i lt path_to_installation_folder gt FortiClient msi REINSTALL ALL REINSTALLMODE vomus FortiClient Endpoint Security Version 4 0 MR1 User Guide 6 04 40001 99166 20090622 http docs fortinet com e Feedback Installation Installing the Free or Premium FortiClient Edi
77. n in order to access the internet Figure 24 Configuring real time protection File types to scary O All files Program files and documents Select file types Exclusion list Select files and folders Select file types What to do when a virus is found Clean Quarantine if unsuccessful Quarantine Deny Access Options C Do not pop up alert message box in real time scan Registry Monitor C Do not pop up alert message box in registry monitor Advanced Settings To configure real time protection Go to AntiVirus gt Realtime Protection In the File types to scan area select either All files or Program files and documents as needed If you select Program files and documents you can modify the list of file types to be scanned See Selecting file types to scan on page 46 Optionally select files folders and file types to be excluded from virus scanning e To exclude a file type see To add files types the exclusion list on page 47 To exclude a file or folder see To add files and folders to the exclusion list on page 46 Under What to do when a virus is found select Deny Access Quarantine or Clean Deny Access You cannot open run or modify the file until it is cleaned Quarantine The file is moved to a quarantine directory Clean The FortiClient agent attempts to remove the virus from the infected file Clean is selected by default Optionally select Save a
78. n with a FortiGate to monitor applications running on an endpoint An endpoint is most often a single computer with a single IP address being used to access network services through a FortiGate unit FortiClient will periodically send application IDs to the FortiGate unit which will compare it against the endpoint profile The FortiGate unit will take the following actions against the running and installed applications Allow For any applications that are configured as Allow the FortiGate unit will take no action e Monitor For any applications that are configured as Monitor the FortiGate unit records the application in the logs and in the endpoint list but will not take any action e Block For any applications that are configures as Block the FortiGate unit will quarantine the host and record the violating application in the logs and the endpoint list You apply endpoint control in a firewall policy When traffic attempts to pass through the firewall policy the FortiGate unit runs compliance checks on the originating host on the source interface Non compliant endpoints are blocked If a user is web browsing they receive a message telling them that they are non compliant or they are redirected to a web portal where they can download the FortiClient application installer Viewing applications running on your computer You can use the App Detection gt Status window to view which processes are running on your computer
79. nage quarantined files Automatically delete Quarantine retains all files until you delete or restore them unless quarantined files you configure automatic deletion Delete files older than Enable to automatically delete quarantined files Enter the number of days to retain files Select Apply Restore Move the selected file back to its original location Caution The restored file might be infected Refresh Update the displayed list of files Delete Delete the selected file Submit gt gt gt You can select files in the quarantined file list and use either of the following options to submit it to Fortinet Note You can submit a maximum of three files per day Submission uses the default mail server unless you specify an alternate SMTP server in Antivirus gt Settings See Specifying an SMTP server for virus submission on page 47 Submit virus Submit the selected file to Fortinet as a virus Submit as false positive Alert Fortinet that the selected file is not a virus If there is a file in the quarantine list that you do not want scanned in future right click on the list entry and select Exclude file folder from antivirus scanning Monitoring Windows startup list entries Some malware viruses can modify existing Windows registry entries or insert new entries to cause malicious code to be executed when you start or log on to Windows The FortiClient software can monitor the Windows startup list and detect unauthorized chang
80. nin aa iesceeend atocuecees secedetend ANNAA KNA AARRE KAA AAR EEAO A SNAAKS 72 Adding white black and banned word lists ccccccesseeeeeeeeeeeeeeeeeeeeeeeeeeeeeeseeennes 72 Manually labelling email 22c2 c lt ccecceesceecctectececenceceneccctieccesenesieiteeeetaiesceseacteniiveccsnstncese 73 Submitting misclassified email to Fortinet ccceeesssseeeeeeeeseeeeeeeeeeeeeeeeeeeeeeeeeeenes 74 App DOTS CUO IN sicavccciecsensstsnccccnceccesd ieseceewtstescotsasenncccabceegesscceateneceeuceessnsseees 75 Viewing applications running ON your COMPUTED ceeeeceeeeeeeeeeeeeeeeeeeeeeeseeneeeeeeeees 75 Vg C alee em ee PE ee ee Pee 79 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback iii Contents iv FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback Introduction About FortiClient Endpoint Security Introduction This chapter introduces you to FortiClient Endpoint Security software and the following topics About FortiClient Endpoint Security About this document Using the FortiClient system tray menu Documentation Customer service and technical support About FortiClient Endpoint Security FortiClient Endpoint Security is a unified security agent for Windows computers that integrates personal firewall IPSec VPN antivirus antispyware anti spam and web
81. ns to the Windows startup list or to the registry FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback Using the FortiClient system tray menu Introduction e Firewall describes how to configure the FortiClient firewall You can use pre defined or custom settings e Web Filter describes how to configure the FortiClient application to control the types of web page content accessible on your computer using the Fortinet FortiGuard Web Filtering service Anti spam describes how to configure spam filtering for your Microsoft Outlook or Outlook Express email client The FortiClient application works with the Fortinet FortiGuard AntiSpam service to determine which email messages are spam You can also create your own black list and white list of email addresses e App Detection displays the applications that are currently running on your computer Using the FortiClient system tray menu Many frequently used FortiClient features are available from the system tray menu Right click the FortiClient icon to access the menu Figure 1 FortiClient system tray menu Open FortiClient Console FortiClient Help About FortiClient IE VPN SE Disable Realtime AV Protection Enable Startup Registry Monitor Firewall Sp Disable WebFilter Disable AntiSpam Update Now Shutdown FortiClient Open FortiClient Console FortiClient Help About FortiClie
82. nsteteeeeeecticeceeensteseseeaeeteeeesseceteties 1 Using the FortiClient system tray Menu cccccessseneeeeeeeeeeeeeeeeeeenseeeeeeeeeseeeeseeeeseeeseeaes 2 DOCUMENTATION is ceeccceseeciccecsscceeccsesceced ccepsecttvccyanctted ccvseeceaccceaecceteceesecded ccuseecrtdecyeeccteeeeetiees 3 Fortinet Tools and Documentation CD i icsiniwuntesneasctdncnnncessnsnassmtdidecaindnadainiinsessuecans 3 Fortinet Knowledge Center aeecorerensicerinta aneii 3 Comments on Fortinet technical documentation eee cecceeeeeeeeeeeeeenteeeeeeeentaeeeeeeeaaes 3 Customer service and technical SUPPOTt 2 c cecceeeeeeeeeeeeeeeeeeeeeeeeeeeeeseeseeeeneaneeeees 3 DEVS Cea NRHN iossiesesec teases snes acted et eucnenede oe stecdtven teeter eres doeneeceeiens 5 System requirements cece is eceees cvcecteedeteventeeesdseteuebi cieecteuee AARNE A R ANNAN NANA NANANA NANNAN dessus 5 Supported FortiGate models and FortiOS Versions ccccccccccceeeeseeaeseaeseseeeseneess 6 Language SUpport icici cesccecteescciecties ceteeisteccteeetnesscceertey Eaa EEEE aaan 6 Installing FortiClient sssini sanaan E ASNA ASANKA anuncenvaseaceneeessecttereresscee 6 Installing the Free or Premium FortiClient Editions sssssuusesenunnnrnnnnnnnnnnnnnnnnnnnnnnnnnn 7 Installation notes sosna A E E eee 8 E E cevensuertnechacccerneesuccey 9 Installing the FortiClient SSL VPN Client ccccssseeeeeeeeeceeeeeeeeeeeeeeeeseceeeeeeneeseeeenes 10 7 e ne ru aa ee 11 E
83. nt Make Compliant with Corporate Policy Compliant with Corporate Policy VPN Enable Disable Realtime antivirus Protection Opens the management console so that you can configure the settings and use the services Opens the online help Displays version and copyright information Enables antivirus anti spam firewall or web filtering features as required to comply with the security policy This item is visible if the FortiClient computer is centrally managed and a security policy is set but the FortiClient settings do not comply For more information see Complying with corporate policy on page 12 FortiClient complies with the security policy This item is visible if the FortiClient computer is centrally managed a security policy is set and the FortiClient settings comply If you have already added VPN tunnels you can start or stop the VPN connections by selecting or deselecting the connection names See Connecting to the remote network on page 29 For details see Configuring real time protection on page 47 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback Introduction Documentation Enable Disable Startup For details see Monitoring Windows startup list entries on page 51 Firewall You can select Deny All Normal or Pass All See Selecting a firewall mode on page 55 Enable Disable WebFilter For detail
84. nt profile setting e Select Temporarily change profile for the currently logged on user and select Until log off or enter the number of minutes The Global profile applies to users not listed in the Per User settings Optionally in the Global black white list of URLs area click Edit List to specify URLs to always block or to bypass the WebFilter See To specify URLs to block or bypass Optionally to determine how to handle a URL that is found in both the black and white list select Block or Bypass 10 Optionally select the Block all unrated URLs check box If the check box is clear unrated URLs are allowed 11 Click OK To specify URLs to block or bypass 1 8 9 In the WebFilter Settings gt Global Settings tab click Edit List in the Global black white list of URLs area Click Add In the Set URL Permission window enter the URL In the URL field you can enter e wildcard characters and in URLs complete URLs IP addresses partial URLs e file types such as jpg to block all jpeg files and swf to block all flash animations As you enter the URL the Protocol Hostname and URL Path fields are automatically filled out FortiClient breaks the components of the URL down which is useful for scenarios where a slash character is missed in the URL or URLs that contain wildcards Select Block or Bypass Click OK Repeat steps 2 through 6 for each URL that you want to add You can als
85. ntering a license Key sicissscecccccssseccteccssseeceeccsseeccetvcsssecttteccs se ctttecesseetsieecs se cnntvesnnentiereeen 11 Complying with corporate POliCy cccccsssseeeeesssseeeeesseeeeeeeesseeeeeeeseseeeeeeessseeeeeneeeseeeees 12 Locking and unlocking the software eceeeetteeeeeeen eee eeeeeeeneeeeeeeeeeeeeeesneeeeeeeenseeneeeeenees 13 Configuring proxy Server SettiNS ccccccssseeeeeeesseeeeeeeeeseeeeeeeeesseeeeeeeeeseeeeeeeesseeeeeees 13 Updating FoOrtiCliemt cc cicczcccceecweseccteeecesceqeesenedecceucersqccniesceeuchueiiieseethiedeceucetencarsecetietaess 14 Keeping FortiClient updated without FortiGate or FortiClient Manager 16 Backing up and restoring FortiClient settings cccccssseeeeeeseeeneeeeeeeeeeeeneneeeeeeenees 16 LOGS E cctecesaseccteceeseeceteceyae cccecees see E E ctnectnacinebeecn 17 Configuring log settings cece eeeeeee eee eeeeeeeeeeeeeaeeeeeeeeaeeeeeeeeaeeeeeeeiaeeeeeeeaas 17 Viewing OG MNOS aii scree snnadedecsssgaceceeiiensedesensh O peeeeiva adsadeeciate 18 PIN asc setenv E E A E E 19 C nfgu rnng VPNS sasssa aAA aR NARA ANAR na AAAA N ENAA 19 Setting up a VPN with automatic Configuration eee eeceeeeeeeeeeeeeeeetteeeeeeentaeeeeeeeaas 19 Setting up a VPN with manual Configuration 0 e cece eeeceeeeeeeeeceeeeeeeentaeeeeeeenaaees 20 Configuring basic FortiClient VPN settings 0 eceeeeeeeceeeeeeeeeeteeeeeeeetieeeeeeeeae 20 Configuring IKE and IPSec po
86. o VPN gt Connections Click Advanced and select Sync to Mobile Device Your tunnel definitions are transferred to your mobile device Configuring IKE and IPSec policies FortiClient has two preconfigured IKE and IPSec policies Use the Legacy policy for a VPN to a FortiGate unit running FortiOS v2 36 and for any Cisco gateways that only support legacy settings Use the Default policy for a VPN to a FortiGate unit running FortiOS v2 50 or higher To modify the Legacy or Default policy settings 1 2 Go to VPN gt Connections Double click a connection Click Edit Connection window opens Select Advanced The Advanced Settings window opens 22 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback VPN Configuring VPNs 4 Inthe Policy area click Legacy or Default The policy settings appear in the IKE and IPSec boxes You can use the Legacy or Default policies If you want to configure the detailed settings continue with following steps 5 In the Policy area click Config 6 Inthe Connection Detailed Settings window configure the settings in the following table Click OK to save the settings You can also click Legacy or Default to go back to the original legacy or default settings Figure 11 Editing the detailed configuration settings Connection Detailed Settings IKE Proposals re Encryption Authentica Add Main eerie DES SHA
87. o configure these zones Public Zone By default FortiClient firewall treats IP addresses in the public zone with the highest security level You can also customize the security levels See Customizing security settings on page 60 Trusted Zone By default FortiClient firewall treats IP addresses in the trusted zone with medium level security settings For information about security level settings see Customizing security settings on page 60 Blocked Zone All traffic to and from IP addresses in the blocked zone is not allowed FortiClient firewall prioritizes the zones in the order of blocked zone trusted zone and public zone This means e Ifan IP address is listed in all of the three zones it will be blocked e Ifitis listed in both the trusted and public zones it will be trusted e Ifitis not listed in any of the three zones it will be public Figure 28 Network security zones Network Zone Description Add 172 20 120 51 255 255 255 0 Trusted Marvell Yukon 88E80017 192 168 1 2 255 255 255 0 Trusted Marvell Yukon 88E80017 172 20 120 0 255 255 255 0 Trusted Public Zone Security Level Trusted Zone Security Level High Inbound network sharing NetBIOS is High NetBIOS network sharing is allowed reas Application control is on Application control is on Medium Medium Network Detection Trusted Ping Servers When a new network is detected Ask the user if it is trusted Use ping
88. o edit existing entries or delete unwanted entries Click Close Click OK Managing web filter profiles On the Profile Management tab of WebFilter settings you can modify existing profiles create new profiles delete unwanted profiles except Default Child and Adult FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 67 http docs fortinet com e Feedback Modifying web filter settings Web Filter Figure 30 Web filter profiles WebFilter Settings Global Settings Profile Management Per User Settings Profile Name Desc Create Profile Default profile Adult Delete Profile Settings of selected profile Name Description J J O O O l Black white list of URLs You can manage a list of URLs for the profile Cancel To modify profiles Go to WebFilter gt Settings Click Modify Settings Enter the password if applicable On the Global Settings tab ensure that Enable webfilter is selected Select the Profile Management tab ou fh WD Do any of the following Select a profile from the list and modify its settings in the Settings of selected profile area A red X indicates a blocked category or classification e Select a profile from the list and click Restore Defaults to undo all modifications e Select an unwanted profile from the list and click Delete Profile to remove it e Click Create Profile to create a new profile
89. o not want the FortiClient software to scan all files for viruses or malware you can select file types from the default list of file types You can add file types to or delete file types from the default file types list You can also reset the file types list to defaults extension to scan and also add the same file extension to the exclusion list files with this Note The exclusion list takes priority over the inclusion list For example if you select a file Z extension will not be scanned Figure 23 Adding a new file extension Scan File Extensions What kinds of files to scan To add a new file type to the scanned file types 1 Goto AntiVirus gt Settings 2 Inthe File types to scan area select Program files and documents 3 Click Select File Types The Scan File Extensions window opens Click New 5 In the New File Extension window type the file extension to add to the list You can also add file types with double extensions Click OK 7 Click OK Z Note Scanning files with no extension is enabled by default Selecting files folders and file types to exclude from scanning There may be some folders or specific files and file types that you do not want FortiClient software to scan for viruses or malware You can add these files and folders to the files and folders exclusion list To add files and folders to the exclusion list 1 Goto AntiVirus gt Settings 2 In the Exclusion List area click Select files and
90. o to Firewall gt Network 2 In the Network Detection area select one of the following Ask the user if it is trusted An alert will display and the user can determine if the network is allowed or denied e Use ping servers to decide the status The network is considered trusted if the ping is returned from the server FortiClient will start with the first trusted ping server and will continue down the list until a ping is returned You will need to enter the trusted ping server addresses For details see To manage trusted ping servers To manage trusted ping servers 1 Go to Firewall gt Network 2 Inthe Trusted Ping Servers area do one of the following e Click Add and enter a ping server address You can enter an IP address or an FQDN web address e Click Delete to delete a ping server address e Click Edit and modify the ping server address Configuring intrusion detection FortiClient software can detect and block some common network attacks using the hard coded signatures Because the signatures are hardcoded into the program to get the latest signatures you must install the latest FortiClient build Go to Firewall gt Intrusion Detection to view the IP addresses where the detected attacks originate You can move the IP addresses to the blocked zone by clicking Move to blocked zone so that the traffic from these IP addresses will be blocked If any of the IP addresses can be trusted you can move the IP add
91. onnections Most connection failures are due to a configuration mismatch between the remote FortiGate unit and the FortiClient software The following are some tips to troubleshoot a VPN connection failure PING the remote FortiGate firewall from the FortiClient computer to verify you have a working route between the two e Check the FortiClient software configuration Table 5 lists some common FortiClient software configuration errors e Check the FortiGate firewall configuration Table 6 lists some common FortiGate Antivirus Firewall configuration errors Table 5 Common FortiClient software configuration errors Note If the imported file has the same file name as an existing connection it will overwrite Configuration Error Correction Wrong remote network information Check the IP addresses of the remote gateway and network Wrong preshared key Reenter the preshared key Wrong Aggressive Mode peer ID Reset to the correct Peer ID Mismatched IKE or IPSec proposal combination in the proposal lists Make sure both the FortiClient software and the remote FortiGate gateway use the same proposals Wrong or mismatched IKE or IPSec Diffie Hellman group Make sure you select the correct DH group on both ends No Perfect Forward Secrecy PFS when it is required Enable PFS Table 6 Common FortiGate Antivirus Firewall configuration errors Configuration Error Correc
92. ontaining the words you specify By doing so incoming email will be first filtered against these lists e Ifthe email address is in the white list and the email content does not contain any of the banned words the email will go through without being filtered If the email address is in the black list or the email content contains any of the banned words the email will be sent to the spam folder FortiClient Endpoint Security Version 4 0 MR1 User Guide 72 04 40001 99166 20090622 http docs fortinet com Feedback Anti spam Manually labelling email If the email address is neither in the white list or black list and the email content does not contain any of the banned words the email will be filtered by the Fortinet FortiGuard AntiSpam service Note When adding banned words and email addresses to the White black list you can use regular expression meta characters To add white black lists Go to AntiSpam gt Settings In the White black list area click Add Enter the email address that you want to block or allow Select Block to add the address to black list and Allow to add it to white list Click OK To modify a list item select the item and click Edit To remove a list item select the item and click Delete Click Apply Oo N Oa FR WODND To add banned words Go to AntiSpam gt Settings In the Banned word list area click Add Enter the word that you want to ban Click OK To modify a list
93. ped it correctly Remember this password because you must enter it correctly when you restore the backup file To restore the FortiClient settings 1 2 3 4 Logs Go to General gt Backup Restore Click Restore Choose the file you want to restore in the Open window Enter the password associated with the file FortiClient confirms that the configuration is restored Click OK Use the FortiClient logging feature to configure logging of different types of events for any or all of the FortiClient services Configuring log settings You can specify the log level log type log size and log entry lifetime i Caution The Log Settings features are not available if you are using the Free edition If you want to configure the log settings you will need to upgrade to the Premium edition To configure log settings 1 Goto General gt Log Settings Figure 8 Configuring log settings Log Size Maximum Log Size 51 20 w KB Event Log Settings Log Level Warning v What to log O Check to select Remote logging O Server Apply 2 Enter the Maximum Log Size The default is 5120 KB Log entries are overwritten starting with the oldest when the maximum log file size is reached 3 In the Event Log Settings area select the Log Level You can select Error Warning or Information The default is Warning FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http doc
94. reating rules To create a group 1 Goto Firewall gt Advanced 2 Click Groups 3 Select Address Group Protocol Group or Time Group 62 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback Firewall Configuring advanced firewall rules Click Add Enter a name and description Click Add For an address group enter the subnet IP range or IP address For a protocol group enter specify the protocol and port number For a time group specify the day and time range 8 Click OK twice NO on fF Z Note You can edit existing groups but you cannot change their names FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 63 http docs fortinet com e Feedback Configuring advanced firewall rules Firewall FortiClient Endpoint Security Version 4 0 MR1 User Guide 64 04 40001 99166 20090622 http docs fortinet com e Feedback Web Filter Setting the administration password Web Filter FortiClient Endpoint Security uses the Fortinet FortiGuard Web Filtering service to help you control web URL access FortiGuard Web Filtering sorts hundreds of millions of web pages into a number of content categories Each web site belongs to one or more categories Unrated is also considered a category FortiGuard Web Filtering can also assign one of several classifications to web sites that provide cached content such as
95. ress to the trusted IP list by clicking Trust this IP so that FortiClient will not detect traffic from this IP address any more You can also remove an IP from the Trusted IP list by clicking Don t trust this IP Configuring advanced firewall rules Apart from application access control network zone security and intrusion detection FortiClient firewall protects your computer with another layer of security advanced firewall rules The firewall rules allow or block network traffic according to the following three types of filtering criteria you specify FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 61 http docs fortinet com e Feedback Configuring advanced firewall rules Firewall Source and destination addresses can be your own computer one of the two zones Public Zone and Trusted Zone a single IP address a range of IP addresses a subnet or a address group For information about adding an address group see Managing groups on page 62 e Network protocols can be ICMP TCP UDP or TCP UDP e Day and Time ranges can be applied to a rule to restrict access based on the day of the week and the time of day The advance firewall rules take precedence over the zone security settings For example if a rule blocks the traffic to the Trusted Zone the traffic will be blocked To create a firewall rule 1 Goto Firewall gt Advanced 2 Click Add 3 In the Advanced Fir
96. rity Version 4 0 MR1 User Guide 52 04 40001 99166 20090622 http docs fortinet com Feedback Antivirus and Anti Malware Monitoring Windows startup list entries To restore a changed or rejected startup list entry 1 Goto AntiVirus gt Registry Monitor 2 Under What to view select Changed entries or Rejected entries 3 Select the entry you want to restore 4 Click Restore FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 53 http docs fortinet com e Feedback Monitoring Windows startup list entries Antivirus and Anti Malware FortiClient Endpoint Security Version 4 0 MR1 User Guide 54 04 40001 99166 20090622 http docs fortinet com e Feedback Firewall Selecting a firewall mode Firewall Using the FortiClient firewall feature you can protect your computer by using the following FortiClient firewall features e Application level network access control You can specify the applications that can access the network and be accessed by the network e Network security zone The network is categorized into two zones the Public Zone and the Trusted Zone You can configure different security settings for each zone Intrusion detection FortiClient firewall can detect and block common network attacks e Advanced firewall rules You can create specific rules to control the traffic based on source addresses destination addresses protocols or time frames For outboun
97. rusted ping servers 61 U unlocking FortiClient 13 update FortiClient software 14 15 update schedule setting 15 updating FortiClient 16 upgrading 6 URL block or bypass 66 V VPN audible dropped connection alarm 29 basic settings 21 certificates 33 configuring IKE and IPSec policies 22 connecting before Windows logon 31 connecting to remote network 29 connection options 28 extended authorization XAuth 26 import export policy files 32 introduction 19 modifying legacy and default settings 22 monitoring connections 31 retrying dropped connections 29 setting up automatic connection 19 setting up connection manually 20 smartcard certificate 36 startup before network login 29 testing the connection 27 troubleshooting 33 using FortiClient VPN client 27 virtual IP address acquisition 25 26 W WAN optimization 39 enabling 39 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback 81 Index web filter 65 administration password 65 categories 65 classification 65 global settings 66 per user settings 69 profiles 67 settings 65 URL block URL bypass 67 URLs to block or bypass 68 X XAuth configuring 26 82 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback KR Ie www fortinet com KR Ie www fortinet com
98. s see Web Filter on page 65 Enable Disable AntiSpam For details see Anti spam on page 71 Update Now Update Antivirus definitions and Anti spam rules Show antivirus scan View antivirus scan windows hidden during scheduled scans window s This menu item is available only during a scan Shutdown FortiClient Stops all FortiClient services and closes FortiClient console The confirmation dialog imposes a four second wait for the Yes button to be available Documentation You can access FortiClient documentation using the links provided in the General gt Help amp Support page The Fortinet Technical Documentation web site at http docs forticare com provides current documentation for all Fortinet products In addition to this FortiClient Endpoint Security User Guide the FortiClient online help provides information and procedures for using and configuring the FortiClient software If you are responsible for deploying FortiClient Endpoint Security to an enterprise see the FortiClient Endpoint Security Administration Guide for information about customized installation central management using a FortiManager system network wide per user web filtering and configuration of FortiGate devices to support FortiClient VPN users Information about FortiGate Antivirus Firewalls is available from the FortiGate online help and the FortiGate Administration Guide Fortinet Tools and Documentation CD All Fortinet documentation is
99. s a standalone home computer and not connected to other networks or computers FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 55 http docs fortinet com e Feedback Viewing network statistics Firewall Basic business Allows all outgoing traffic allows all incoming traffic from the trusted zone and denies all incoming traffic from the public zone For zone information see Configuring network security zones on page 59 Custom profile This is the default profile The Custom profile allows you to configure the application level permissions network zone permissions and advanced firewall filtering rules See Configuring application access permissions on page 57 Configuring network security zones on page 59 and Configuring advanced firewall rules on page 61 Viewing network statistics You can configure the FortiClient software to display the following network traffic information Figure 27 Firewall status Network statistics 100 a 0 5 hours 5 minutes Inbound traffic packets Ss V Outbound traffic packets lea Blocked network packets Blocked application requests Pea Current connections ize Inbound traffic Number of incoming network packets Outbound traffic Number of outgoing network packets Blocked network packets Network packets that are blocked by the firewall Blocked application request Number of blocked requests from out
100. s fortinet com e Feedback Logs General 4 Select what to log You can select either All events or Check to select If you choose Check to select specify the types of events to log 5 Click Apply To configure remote logging 1 Goto General gt Log Settings 2 Inthe Remote logging section select Server and enter the server IP address or FQDN in the adjacent field 3 Select FortiAnalyzer if you are using a FortiAnalyzer unit to record logs otherwise select Syslog 4 From the Facilities list select the name used to identify this FortiClient computer in the logs The default is local7 5 If you are logging to a syslog from the Syslog log level list select the minimum severity of logs to record 6 Click Apply Viewing log files The Log View displays logs of all events or only the events associated with a specific service You can view save clear or refresh the log entries Figure 9 Viewing logs ALL x Export Clear All Refresh Type Time Source Description Warning 05 08 2009 1 05 29 PM WebFilter status blocked service http hostname c blog Warning 05 08 2009 1 03 08 PM WebFilter status blocked service http hostname c blogi Warning 05 08 2009 12 58 08 PM WebFilter status blocked service http hostname c blogi Warning 05 08 2009 12 55 07 PM WebFilter status blocked service http hostname c blogi Warning 05 08 2009 12 50 09 PM WebFilter status blocked service http hostname c blogi Warning 05
101. servers to decide the status Adding IP addresses to zones You can add a subnet an IP range or an individual IP address to the network zones You can also edit or delete the existing IP entries To add IP addresses 1 Go to Firewall gt Network Click Add In the P Address window select a zone and enter the IP addresses that belong to it Optionally enter a description Click OK a fF WO N FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 59 http docs fortinet com e Feedback Customizing security settings Firewall Customizing security settings For the public and trusted zones you can use the default high medium or low level security settings You can also customize these default settings High By default incoming connections are allowed only if there are listening ports for these connections Medium By default most connections are allowed unless you customize the settings Note that the default medium security level settings for public and trusted zones are different For public zone the incoming ICMP and NetBIOS packets are blocked For trusted zone these packets are allowed Low Packet level rule is disabled and application level control is on Note The security level for the public zone can only be higher than or equal to that for the trusted zone To customize the security settings 1 Go to Firewall gt Network 2 Inthe Public Zone Security Le
102. ses default FortiClient settings and preshared keys for VPN authentication To set up a VPN connection your FortiClient settings must match those of the VPN server a FortiGate unit for example To use digital certificates for VPN authentication see Managing digital certificates on page 33 Configuring basic FortiClient VPN settings Go to VPN gt Connections to add delete edit or rename a VPN connection To add a FortiClient to FortiGate VPN you need to e Setup the VPN tunnel from FortiClient to the remote FortiGate gateway e If your administrator requires it configure the FortiClient VPN to use a virtual IP address either manually assigned or obtained using DHCP over IPSec e Optionally add the IP addresses of additional networks behind the remote gateway e Configure Internet browsing over IPSec if you want to access the Internet through the VPN tunnel Figure 10 Creating a new VPN connection Name Gateway Policy Server Authentication Status New Connection Connection Name Configuration Remote Gateway Remote Network Options Authentication Method C Stat VPN ba Preshared key Keep IPSec age Corca mw Beep when q Continuously Stop after 60 seconds 20 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback VPN Configuring VPNs To create a FortiClient VPN configuration 1 2 3 Go to VPN
103. side to access your local applications and vice versa Current connections Number of current connections between your system and the network To view the traffic information 1 2 Go to Firewall gt Status Select the traffic type you want to view The information displays in the graphical monitor Click View Connections to view the current active connections listening ports PID and other detailed information Click Close By default whenever FortiClient firewall blocks network traffic a notification pops up in the FortiClient system tray area To disable the blocked traffic notification select the Disable taskbar notification for blocked network traffic check box 56 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback Firewall Configuring application access permissions Configuring application access permissions You can specify which applications can access the network and be accessed by the network To do this you assign the applications access permissions Three levels of access permissions are available Allow Ask and Block allow them network access By default FortiClient allows the legitimate Windows system applications to access the network These applications are displayed in the application control list You can modify or delete the permission levels of these applications Note For applications not listed in the access contro
104. t the password 1 Goto WebFilter gt Settings 2 Click Change Password 3 Enter the password twice and click OK Modifying web filter settings Web filter profiles define which categories of web sites are blocked You can modify the predefined web filter profiles or define additional profiles as needed You can assign a web filter profile to each user and assign a global profile that applies to any user not specified in the per user settings FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 65 http docs fortinet com e Feedback Modifying web filter settings Web Filter Configuring the web filter global settings FortiClient comes with three predefined profiles to allow or block different combinations of web categories Default Default web filter profile which is initially the same as the Child profile Child Blocks categories that are not suitable for children Adult Only blocks the security violating web sites You cannot delete the predefined profiles You can however modify these profiles Also you can specify URLs to always block or to bypass category blocking The Global Profile applies to any user for whom there are no per user settings Figure 29 Web filter global settings Webfiter Settings i Global Settings Profile Management Per User Settings F Enable webfilter V Enable URL rating with FortiGuard tm Filtering Services Global Profile You can choos
105. tificate request 35 IPSec policies configuring 22 IPSec proposals 24 K Keep IPSec service running forever unless manually stopped option 29 keepalive frequency 25 key entering a license key 11 key life incoming VPN traffic 24 outgoing VPN traffic 24 L language support 6 legacy policy settings modify 22 license key entering 11 local certificate city 35 company 35 country 35 department 35 domain name 35 email 35 email address 35 importing a signed local certificate 36 IP address 35 requesting 36 retrieving an signed local certificate 36 state province 35 local gateway 32 local id 24 locking FortiClient 13 log file configuring settings 17 viewing 18 logging 9 logs managing log files 18 manage log files 18 quarantined files 51 scan schedules 43 mis rated email submitting 74 mode policy setting 24 monitoring VPN connections 31 name 32 N name monitoring VPN connections 32 NAT traversal 25 network detection 61 Notify user the virus signature is out of date 45 O obtaining a signed local certificate 34 OCSP enabling 38 options for VPN connection 28 P packets incoming VPN traffic 32 outgoing VPN traffic 32 Pause background scanning on battery power 45 PFS advanced VPN setting 25 ping server 61 ping servers 61 policies IKE IPSec configuring 22 80 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20
106. tificates Click Generate Enter a Certificate Name Under subject information select the D Type for the subject You can select from Domain Name Email Address or IP Address 5 Enter the information for the ID type that you selected Domain name Enter the fully qualified domain name of the FortiClient computer being certified Email address Enter the email address of the owner of the FortiClient computer being certified IP address Enter the IP address of the FortiClient computer being certified 6 Optionally click Advanced and enter the advanced setting information and click OK Email Enter a contact email address for the FortiClient computer user Department Enter a name that identifies the department or unit within the organization requesting the certificate for the FortiClient computer such as Manufacturing or MF Company Enter the legal name of the organization requesting the certificate for the FortiClient computer City Enter the name of the city or town where the FortiClient Computer is located State Province Enter the name of the state or province where the FortiClient computer is located Country Enter the name of the country where the FortiClient computer is located 7 Select either File Based or Online SCEP as the Enrollment Method 8 If you selected file based enrollment click OK The private public key pair is generated and the certificate request is displayed in the My Certificates list with the type o
107. tion Wrong direction of the encryption policy For example external to internal instead of internal to external Change the policy to internal to external Wrong firewall policy source and destination addresses Reenter the source and destination address Wrong order of the encryption policy in the firewall policy table The encryption policy must be placed above other non encryption policies Managing digital certificates To use local or smartcard digital certificates you need e a signed certificate e the certificate authority CA certificates for any CAs you are using any applicable certificate revocation lists CRLs or the URL for Online Certificate Status Protocol OCSP validation FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback 33 Managing digital certificates VPN Getting a signed local certificate If you want to have a local certificate signed by the CA server and then import it into FortiClient following the steps below The FortiClient software can use a manual file based enrollment method or the simple certificate enrollment protocol SCEP to get certificates SCEP is simpler but can only be used if the CA supports SCEP File based enrollment requires copying and pasting text files from the local computer to the CA and from the CA to the local computer SCEP automates this process b
108. tions 3 Follow the instructions on the screen selecting Next to proceed through the installation options When the installation has completed the FortiClient Configuration Wizard begins unless you are upgrading an existing installation To use the FortiClient Configuration Wizard after installation 1 In the FortiClient Configuration Wizard Welcome window do one of the following e Select Basic Setup if you are installing FortiClient on a standalone computer e Select Advanced Setup if you are installing FortiClient on a computer in a network 2 For Basic Setup configure the Antivirus schedule settings For more update information see To manage scan schedules on page 43 and Updating FortiClient on page 14 3 For Advanced Setup do the following e Add IP addresses to FortiClient s public trusted blocked zones For more information see Configuring network security zones on page 59 e If you computer uses a proxy server enter the proxy server information See Configuring proxy server settings on page 13 e Configure the update settings See Updating FortiClient on page 14 e Set the schedule for the Antivirus scans See To manage scan schedules on page 43 and Updating FortiClient on page 14 4 Click Update 5 Once FortiClient has been successfully configured click Close to start scanning your hard drive for viruses Installing the Free or Premium FortiClient Editions When insta
109. tivirus protection that integrates with Microsoft Exchange is available for evaluation Install the FortiClient application from the command line with the WITHEXCHANGE 1 option If you use the exe installer the command line option is v WITHEXCHANGE 1 FortiClient Endpoint Security automatically detects Microsoft Exchange installations and enables the Exchange Server Options under Antivirus gt Server Protection Fortinet recommends that you enable the options that exclude Exchange filesystem folders and associated files from virus scanning A preset list of files to exclude is then added to the antivirus and real time protection settings FortiClient Endpoint Security automatically detects SQL Server installations and enables the SQL Server Options under Antivirus gt Server Protection Fortinet recommends that you enable the options that exclude SQL Server file system folders and associated files from virus scanning A preset list of files to exclude is then added to the antivirus and real time protection settings For all server software verify that server software product folders and files are excluded from The core signature database is comprised of viruses that currently active This option will take less time to scan your computer because of the smaller database The core signature database does not require a license and is updated frequently scanning as their vendors recommend Do not enable real time protection or initiate virus s
110. ty Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback Contents Customizing security settings ccc cess eee ee eee eeeeeeeeeeeeeeeeeeeeeeeeaseeeeeeeesseeeeeeeeesseeenees 60 Network Detection cccscccssscceeccscectaneerscectiecesescctae ceascectie ccasnanbie esesnnnane caseustieecsetesieeesess 61 Configuring intrusion detection cccccceeeeseeeeeeeeeseeeeeeeeeeeeeeeeeeeeeeeeeeeeeseeeeneeeeeeseenens 61 Configuring advanced firewall rules cccssseeeeeesseeeeeeseeeeeeeeeeeseeeeeeeeeesseeeeeeeeesenenes 61 Managing QlOUPS eisrean a a A T O 62 Web PU ssid ceinatec sete dace aasasec ccna teeamunteeGeeadcesducsceskavencsseeeatcueisswarseecsacees 65 Setting the administration password ccccessseeeeeeesseeeeeeeeseeeeeeeeseeeeeeeeseseeeeeneeeeeeees 65 Modifying web filter S ttingS c ccccssseenseeeeeeseneeeeeseeneeeeesecenseeessseenseeesseeneeeeeeseaneeeenens 65 Configuring the web filter global settings 0 c cc ceeeeeeeeeeeeeeneeeeeeeenteeeeeeeenaeeeeeeeeaaees 66 Managing web filter profiles cccsseeeeeesseeeeeeeeeseeeeeeeeeeneeseeeeeseeeseeeseseeeeeeeeeseeaeees 67 Configuring web filter per USer settings cccceeeseeeeeeeneeeeeeeeeneeeeeeeeeenseeeneeees 69 AntiSpan sisanne eaa aa eaaa aa A a eaaa rA 71 Installing anti spam plug in ssssssussesennnrnnnnnnnnnnnnnnnnnnnnnnnnunnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nanne nnna 72 Enablingantispani sssri
111. umes the user has prior knowledge of how to configure digital certificates for their implementation Setting up a VPN with automatic configuration If the remote FortiGate gateway is configured as a VPN policy deployment server you can configure the FortiClient software to download the VPN policies from the FortiGate gateway The policy server has a daemon running all the time for incoming policy download requests This daemon communicates with the FortiClient computer to process user authentication policy lookup and delivery After the policy is sent out the daemon closes the SSL connection and you can start up the VPN tunnel from the FortiClient side Note For VPNs with automatic configuration only preshared keys are supported Certificates are not supported FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 19 http docs fortinet com e Feedback Configuring VPNs VPN On the FortiClient side you only need to create a VPN name and specify the IP address of the FortiGate gateway To add a VPN with automatic configuration on the FortiClient computer Go to VPN gt Connections Click Advanced and select Add In the New Connection window enter a connection name For Configuration select Automatic IPsec For Policy Server enter the IP address or FQDN of the FortiGate gateway Click OK ao ah WON Setting up a VPN with manual configuration This VPN configuration described here u
112. ut CRLs must still be manually copied and pasted between the CA and the local computer Z Note The digital certificates must comply with the X 509 standard General steps to get a signed local certificate 1 Generate the local certificate request See To generate a local certificate request on page 34 Export the local certificate request to a csr file See To export the local certificate request on page 36 Send the signed local certificate request to a CA See To send the certificate request to a CA on page 36 Retrieve the signed certificate from a CA See To retrieve the signed local certificate from the CA on page 36 Import the signed local certificate into FortiClient You can also backup the certificate by exporting it See To import the signed local certificate on page 36 and To export the signed local certificate on page 36 Figure 19 Generating a local certificate request Generate Certificate Certificate Name Subject Information ID Type ID Name Advanced Enrollment Method File Based Online SCEP Issuer CA Select a Issuer CA Z CA Server URL Challenge Phrase Key Size bits 2048 x J OK Cancel i To generate a local certificate request 1 Go to VPN gt My Certificates 34 FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com Feedback VPN Managing digital cer
113. vel or Trusted Zone Security Level areas move the slider to High or Medium Note Low level security disables packet level rules and you cannot customize the Low level settings 3 Click Setting 4 If you select High level modify the following settings and select OK Allow ICMP in Allow incoming ICMP Internet Control Message Protocol traffic By default this option is not selected Allow NetBIOS in Allow incoming NetBIOS traffic By default this option is not selected Allow NetBIOS out Allow outgoing NetBIOS traffic By default this option is not selected Select one of the following options Allow other inbound traffic This option is selected by default coming from this zone Block other inbound traffic This option is not selected by default coming from this zone 5 If you select Medium level modify the following settings and select OK Block ICMP in Block incoming ICMP Internet Control Message Protocol traffic By default this option is not selected Block NetBIOS in Block incoming NetBIOS traffic By default this option is not selected 6 Click OK FortiClient Endpoint Security Version 4 0 MR1 User Guide 60 04 40001 99166 20090622 http docs fortinet com e Feedback Firewall Network Detection Network Detection When a new network is detected by FortiClient you can determine if the network is trusted or let a ping server decide the status To determine what to do when a new network is detected 1 G
114. web filter per user settings If you have administrator privileges on the computer you can specify which webfilter profile applies to each user The Global profile specified in webfilter Global Settings applies to any user not specified in Per User settings To specify per user webfilter settings Go to WebFilter gt Settings Click Modify Settings Enter the password if applicable In the Global Settings tab select Enable webfilter Select the Per User Settings tab oar wn Do any of the following To add a user setting click Add enter or select a user name and select the profile to apply Click OK To modify a user setting select the user name and click Edit Select a different profile and click OK To delete a user setting select the user name and click Delete 7 Select OK FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 69 http docs fortinet com e Feedback Modifying web filter settings Web Filter FortiClient Endpoint Security Version 4 0 MR1 User Guide 70 04 40001 99166 20090622 http docs fortinet com e Feedback Anti spam Anti spam The Anti spam feature is a plug in for Microsoft Outlook and Microsoft Outlook Express 2000 or newer versions It is supported by the Fortinet FortiGuard AntiSpam service Once this feature is enabled and installed on the Outlook Outlook Express it filters your incoming email and sets up a spam folder on your Outlook
115. which category they belong to the vendor of the application the version and the path where the application is running from on your computer For more information see the FortiClient Administration Guide To view the applications running on your computer 1 Goto App Detection gt Status 2 Click Refresh to refresh the list of processes that are currently running FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 75 http docs fortinet com e Feedback Viewing applications running on your computer App Detection Figure 33 App Detection Application FortiClient Console I ee WMI Provider Host G Firefox e tpenet Erg Hl P A mysqld exe io AcroTray LausfThAl Plattorna Windows Live Co Synaptics Pointing Skype Extras Man FortiClient Proxy Thunking Spooler SupportSoft Conta 3 Activation Licensi Microsoft Window SoftThinks Agent Microsoft SeaPort FrameMaker 8 0 A Microsoft Office 0 Advanced Networ FortiClient SSL VP Remote Access Fi Nw Apache HTTP Se E Andrea filters APO BF FATray lert Applic E Adobe Acrobat Sp Category Security Security Security Vendor Fortinet Inc Microsoft Co Synaptics Skype Tech Fortinet Inc Microsoft Co SupportSott Microsoft Co Acresso Sof Mozilla Corp Microsoft Co
116. your computer The extended signature database requires a premium license and is updated less frequently The core signature database is comprised of viruses that currently active This option will take less time to scan your computer because of the smaller database The core signature database does not require a license and is updated frequently Free edition The Free edition only scans for recent antivirus files using the core antivirus Note The Use extended signature database check box is not available if you are using the signature database recent viruses If you want to scan your computer using the complete extended database you will need to upgrade to the Premium edition Specify whether to scan compressed files and set the file size limit The default size limit is 0 which means no limit e Specify whether to scan grayware and what types of grayware to look for e Enable heuristic scanning FortiClient software uses heuristic techniques to scan files to find unknown viruses and threats that have not yet been cataloged with signatures Heuristics looks at characteristics of a file such as size or architecture as well as behaviors of its code to determine the likelinood of an infection FortiClient Endpoint Security Version 4 0 MR1 User Guide 04 40001 99166 20090622 http docs fortinet com e Feedback 45 Configuring antivirus settings Antivirus and Anti Malware Selecting file types to scan If you d
Download Pdf Manuals
Related Search