Anda di halaman 1dari 113

FortiClient v5.0.

0
Administration Guide

FortiClient v5.0.0 Administration Guide


November 02, 2012
04-500-183401-20121102
Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinets General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.

Technical Documentation

docs.fortinet.com

Knowledge Base

kb.fortinet.com

Customer Service & Support

support.fortinet.com

Training Services

training.fortinet.com

FortiGuard

fortiguard.com

Document Feedback

techdocs@fortinet.com

Table of Contents
Change Log....................................................................................................... 6
Introduction....................................................................................................... 7
Licensing.................................................................................................................. 7
Client limits......................................................................................................... 7
Supported operating systems ................................................................................. 8
Windows ............................................................................................................ 8
Mac OS X ........................................................................................................... 8
Minimum system requirements................................................................................ 8
Windows ............................................................................................................ 8
Mac OS X ........................................................................................................... 8
Language support.................................................................................................... 9
Windows ............................................................................................................ 9
Mac OS X ........................................................................................................... 9

Whats New in FortiClient v5.0.0 GA ............................................................. 10


Summary of enhancements ................................................................................... 10

Installing FortiClient ....................................................................................... 11


Installing FortiClient on a Windows computer ....................................................... 11
Installing FortiClient on a Mac OS X computer...................................................... 14

Provisioning FortiClient ................................................................................. 17


FortiClient MSI configuration tool .......................................................................... 17
Usage............................................................................................................... 17
Example usage................................................................................................. 17
Creating a custom MSI installation file .................................................................. 17
Deploy FortiClient using Microsoft Active Directory (AD) server ........................... 18
Deploy using Microsoft System Center Configuration Manager 2007 .................. 19

Central Management...................................................................................... 21
Introduction............................................................................................................ 21
Configure Endpoint Management..........................................................................
Step 1: Enable Device Management and Broadcast Discovery Messages.....
Step 2: Configure the Client Endpoint Profile ..................................................
Step 3: Configure Firewall Policies ..................................................................
Step 1: Download and install FortiClient..........................................................
Step 2: FortiClient registration .........................................................................
Step 3: FortiGate deploys the Endpoint Profile ...............................................
Deploy the Endpoint Profile to clients over VPN .............................................

21
21
22
23
26
27
30
31

View FortiClient registration on the FortiGate Web-based Manager..................... 32


Configure preferred FortiGate IP on FortiClient for registration ............................ 32

Page 3

Enable FortiClient Endpoint Registration (optional) ............................................... 32

AntiVirus .......................................................................................................... 34
FortiClient AntiVirus ...............................................................................................
Enable/Disable AntiVirus..................................................................................
Notifications .....................................................................................................
Scan Now.........................................................................................................
Update Now .....................................................................................................
Schedule AntiVirus scanning ...........................................................................
View quarantined threats .................................................................................
Add files/folders to an exclusion list ................................................................
AntiVirus warning .............................................................................................

34
34
34
35
36
37
38
39
40

AntiVirus logging .................................................................................................... 41


AntiVirus options.................................................................................................... 42

Parental Control/Web Filtering ..................................................................... 43


FortiClient Parental Control/Web Filtering .............................................................
Enable/Disable Parental Control/Web Filtering................................................
Parental Control/Web Filtering settings ...........................................................
View profile violations ......................................................................................

43
43
44
44

Application Firewall........................................................................................ 45
FortiClient Application Firewall ..............................................................................
Enable/Disable Application Firewall.................................................................
View Applications Blocked ..............................................................................
Application Firewall Rules ................................................................................
Application Firewall logging .............................................................................

45
45
45
46
47

IPsec VPN and SSL-VPN................................................................................ 48


FortiClient Remote Access (VPN) ..........................................................................
Add a new connection .....................................................................................
Create a new SSL-VPN connection.................................................................
Create a new IPsec VPN connection ...............................................................
Connect to a VPN ............................................................................................

48
48
49
50
51

Advanced features (Windows) ...............................................................................


Connect VPN before logon (AD environments)................................................
Create a redundant IPsec VPN ........................................................................
Priority based SSL-VPN connections ..............................................................
Enabling VPN autoconnect ..............................................................................
Enabling VPN always up ..................................................................................

53
53
53
54
54
54

Advanced features (Mac OS X).............................................................................. 55


Enabling VPN autoconnect .............................................................................. 55
Enabling VPN always up .................................................................................. 55
VPN tunnel & script (Windows) ..............................................................................
Feature overview..............................................................................................
Map a network drive after tunnel connection ..................................................
Delete a network drive after tunnel is disconnected........................................

Fortinet Technologies Inc.

Page 4

55
55
55
56

FortiClient v5.0.0 Administration Guide

VPN tunnel & script (Mac OS X)............................................................................. 56


Map a network drive after tunnel connection .................................................. 56
Delete a network drive after tunnel is disconnected........................................ 57

Vulnerability Scan ........................................................................................... 58


Vulnerability Scan ..................................................................................................
Scan Now.........................................................................................................
Update Now .....................................................................................................
View Vulnerabilities ..........................................................................................
Vulnerability Scan logging................................................................................

58
58
58
59
60

Settings ........................................................................................................... 61
Backup or restore full configuration ...................................................................... 61
Logging .................................................................................................................. 62
Updates ................................................................................................................. 62
VPN options ........................................................................................................... 63
Certificate Management ........................................................................................ 63
AntiVirus options.................................................................................................... 63
Advanced options .................................................................................................. 64
Single Sign-On Mobility Agent............................................................................... 64
FortiClient/FortiAuthenticator Protocol ............................................................ 64

Interpreting the XML Configuration File....................................................... 66


FortiClient XML configuration ................................................................................ 66
Configuration file extensions ................................................................................. 66
File extensions ................................................................................................. 66
File Sections .......................................................................................................... 66
Configuration file sections ............................................................................... 66
Import and export command line utility commands and syntax ...........................
Upload the FortiClient XML file to FortiGate....................................................
Example FortiClient XML configuration file (Windows) ....................................
Example FortiClient XML configuration file (Mac OS X)...................................

67
68
69
89

FortiClient Tools ........................................................................................... 111


Tools .................................................................................................................... 111
Windows ........................................................................................................ 111
Mac OS X ....................................................................................................... 111

Index .............................................................................................................. 112

Fortinet Technologies Inc.

Page 5

FortiClient v5.0.0 Administration Guide

Change Log
Date

Change Description

2012-11-02

Initial release.

2012-11-07

Updated scripts chapters. This document is now inclusive of both Windows and Mac OS X. It is
important to note that not all features available for Windows are available for Mac OS X.

2012-11-15

Updated IPsec and SSL-VPN chapter.

2012-11-22

Added note about FortiClient License for FortiAuthenticator.

2012-11-27

Updated script commands to match changes in the FortiClient v5.0.0 XML Reference.

Page 6

Introduction
FortiClient has been completely re-designed for v5.0.0 GA. FortiClient provides a
comprehensive network security solution for endpoints while improving your visibility and
control. FortiClient allows you to manage the security of multiple endpoint devices from the
FortiGate interface. This document provides an overview of FortiClient v5.0.0.

This document was written for FortiClient v5.0.0 GA for Windows. Not all features described in
this document are supported for FortiClient v5.0.0 GA for Mac OS X.

Licensing
Licensing on the FortiGate is based on the number of registered clients. FortiGate 40C and
higher models support ten (10) free managed FortiClient licenses. For additional managed
clients, an upgraded license must be purchased. The maximum number of managed clients
varies per device model.

Client limits
FortiGate Model

Free registrations FortiClient license upgrade SKU

FortiGate 40, 60, 80 series, VM00

10

N/A

FortiGate 100, 200, 300, 600, 800


series, VM01, VM02

10

1000 client registrations


FCC-C0103-LIC

FortiGate 1000, 3000, 5000 series,


VM04, VM08

10

3000 client registrations


FCC-C0105-LIC

In high availability (HA) configurations, all cluster members require an upgrade license key.

For more information, go to www.forticlient.com.

Page 7

Supported operating systems


Windows
Microsoft Windows 8 (64-bit)
Microsoft Windows 7 Service Pack 1 (32-bit, 64-bit)
Microsoft Windows Vista Service Pack 2 (32-bit, 64-bit)
Microsoft Windows XP Service Pack 3 (32-bit)

Mac OS X
OS X Mountain Lion (v10.8)
Mac OS X Lion (v10.7)
Mac OS X Snow Leopard (v10.6)

Minimum system requirements


Windows
Microsoft Internet Explorer 8.0 or later
Windows compatible computer with Pentium processor or equivalent
Compatible operating system and minimum RAM: 512MB
600 MB free hard disk space
Native Microsoft TCP/IP communication protocol
Native Microsoft PPP dialer for dial-up connections
Ethernet NIC for network connections
Wireless adapter for wireless network connections
Adobe Acrobat Reader for user manual
MSI installer 3.0 or later

Mac OS X
Intel processor
256MB of RAM
20MB of hard disk drive (HDD) space
TCP/IP communication protocol
Ethernet NIC for network connections
Wireless adapter for wireless network connections

Fortinet Technologies Inc.

Page 8

FortiClient v5.0.0 Administration Guide

Language support
Windows
FortiClient v5.0.0 is localized for the following languages:
Graphical User Interface

Documentation

English

German

Portuguese (Brazil)

Spanish (Spain)

Korean

Japanese

Graphical User Interface

Documentation

English

German

Japanese

Chinese

Mac OS X
FortiClient v5.0.0 is localized for the following languages:

Please review the FortiClient v5.0.0 (Windows) Release Notes/FortiClient v5.0.0 (Mac OS X)
Release Notes prior to upgrading. Release Notes are available at the Customer Service &
Support site.

Fortinet Technologies Inc.

Page 9

FortiClient v5.0.0 Administration Guide

Whats New in FortiClient v5.0.0 GA


Summary of enhancements

This document was written for FortiClient v5.0.0 GA for Windows. Not all features described in
this document are supported for FortiClient v5.0.0 GA for Mac OS X.

The following is a list of enhancements in FortiClient v5.0.0 GA:


Antivirus and Antimalware
Protection against the latest virus, grayware (adware/riskware) threats.
Client antivirus is free, and auto updates every three hours.
Application Firewall
Block, allow, and monitor applications that send traffic to the network.
Bring Your Own Device (BYOD)
Diagnostic Tool
Enhancements to the FortiClient dashboard
Endpoint Management using FortiGate, including:
Automatic endpoint registration. User initiated endpoint registration.
Deploy VPN (IPsec/SSL) configuration
Enable/disable Antivirus real-time protection.
Manage/deploy Web Filtering and Application Firewall configuration.
Localization support
Parental Control/Web Filter
Block, allow, warn, and monitor web traffic based on category.
Remote Access (IPsec and SSL VPN)
Secure Virtual Private Network access to your network.
Supports multiple gateways for a single tunnel.
Rootkit detection and removal
Single Sign-On Mobility Agent support with FortiAuthenticator/FSSO Collector Agent
Support automatic executing of a custom batch script via an IPsec VPN tunnel
Support multiple (maximum 10) gateway IP/FQDN in a single IPsec VPN configuration
Support XML configuration
VPN from system tray
VPN auto connect/always up
Support ability to automatically connect to a VPN tunnel without user interaction
Support ability to configure the VPN to always be connected
Vulnerability Scan
Identify system and application vulnerabilities.

Page 10

Installing FortiClient
Installing FortiClient on a Windows computer
The following instructions will guide you though the installation of FortiClient on a Windows
computer.
To install FortiClient
1. Double-click the FortiClient executable file to launch the setup wizard. The Setup Wizard will
install FortiClient on your computer.
Figure 1: Welcome screen

2. Read the license agreement and select Next to continue. You have the option to print the
EULA on this screen.
Figure 2: End-User License Agreement

Page 11

3. Select Change to choose an alternate folder destination for installation. Select Next to
continue.
Figure 3: Destination folder selection

4. Select Install to continue.


Figure 4: Ready to Install FortiClient

Fortinet Technologies Inc.

Page 12

FortiClient v5.0.0 Administration Guide

5. Select Finish to exit the FortiClient Setup Wizard.


Figure 5: Installation completed

6. On a new FortiClient installation, you do not need to reboot your system. When upgrading
the FortiClient version, you must restart your system for the configuration changes made to
FortiClient to take effect. Select Yes to restart your system now, or select No to manually
restart later.
Figure 6: Restart your system to complete the installation

7. To launch FortiClient, click the desktop shortcut icon.


Figure 7: Select the FortiClient shortcut to launch

Fortinet Technologies Inc.

Page 13

FortiClient v5.0.0 Administration Guide

Installing FortiClient on a Mac OS X computer


The following instructions will guide you though the installation of FortiClient on a Mac OS X
computer.
To install FortiClient
1. Double-click the FortiClient .dmg installer file to launch the FortiClient installer. The
FortiClient Installer will install FortiClient on your computer. Select Continue.
Figure 8: Welcome screen

2. Read the Software License Agreement and select Continue. You have the option to print, or
save the Software Agreement on this screen. You will be prompted to Agree with the terms
of the license agreement.
Figure 9: Software License Agreement

3. Select the destination folder for the installation.

Fortinet Technologies Inc.

Page 14

FortiClient v5.0.0 Administration Guide

Figure 10:Destination Select screen

4. Select Install to perform a standard installation on this computer. You can change the install
location from this screen.
Figure 11:Installation Type screen

5. Depending on your system, you may be prompted to enter your system password.
Figure 12:Enter system password to continue

6. The installation was successful. Select Close to exit the installer.

Fortinet Technologies Inc.

Page 15

FortiClient v5.0.0 Administration Guide

Figure 13:The installation was successful

7. FortiClient has been saved to the Applications folder.


Figure 14:Applications folder

8. Double-click the FortiClient icon to launch the application. The application dashboard loads
to your desktop. Select the lock icon on the bottom left of the dashboard to make changes
to the FortiClient configuration.
Figure 15:Default FortiClient dashboard is locked

Fortinet Technologies Inc.

Page 16

FortiClient v5.0.0 Administration Guide

Provisioning FortiClient
FortiClient MSI configuration tool
The FortiClient Configurator tool is the recommended method of creating a customized
installation of FortiClient.

This document was written for FortiClient v5.0.0 GA for Windows. Not all features described in
this document are supported for FortiClient v5.0.0 GA for Mac OS X.

Usage
FortiClientConfigurator.exe -m <path to FortiClient.msi file> [optional
switches]

Switches and switch parameters are case sensitive.

-m <path to FortiClient msi file> (Required)


--REGISTRATIONKEY <key>
Use to prevent users from changing FortiClient settings.
--FGTIP <ip:port or fqdn:port>
FortiClient will attempt to register to this FortiGate. If it cannot, it will try to register to the default
gateway.

Example usage
FortiClientConfigurator.exe -m c:\downloads\forticlient.msi
--REGISTRATIONKEY sercretpassword
This command above creates the following directories containing files ready for deployment:
c:\downloads\FortiClient_packaged\ActiveDirectory\
c:\downloads\FortiClient_packaged\ManualDistribution\

Creating a custom MSI installation file


You can create a custom MSI installer file for your customized FortiClient Application:
1. Determine the command line options you need for your customized FortiClient installer.

Page 17

2. In the folder where you expanded the installer .zip package, execute the following command
line entry:
FortiClientConfigurator.exe -m <path to FortiClient.msi file>
<optional switches.
A new subdirectory is created, which contains the FortiClient MSI file.

Deploy FortiClient using Microsoft Active Directory (AD) server


There are multiple ways to deploy FortiClient to endpoint devices using Microsoft Active
Directory.

The following instructions are based from Microsoft Windows Server 2008. If you are using a
different version of Microsoft Server, your snap-in locations may be different.

Using Microsoft AD to Deploy FortiClient:


On your Domain Controller, create a distribution point.
1. Log on to the server computer as an administrator.
2. Create a shared network folder where the FortiClient MSI installer file will be distributed from.
3. Set file permissions on the share to allow access to the distribution package. Copy the
FortiClient MSI installer package into this share folder.
4. Select Start > Administrative Tools > Active Directory Users and Computers.
5. After selecting your domain, right-click to select a new Organizational Unit (OU).
6. Move all the computers you wish to distribute the FortiClient software to into the
newly-created OU.
7. Select Start > Administrative Tools > Group Policy Management. The Group Policy
Management MMC Snap-in will open. Select the OU you just created. Right-click it and
Select Create a GPO in this domain, and Link it here. Give the new GPO a name, then select
OK.
8. Expand the Group Policy Object container, and find the GPO you just created. Right-click
the GPO and select Edit. The Group Policy Management Editor MMC Snap-in will open.
9. Expand Computer Configuration > Policies > Software Settings. Right-click Software
Settings and select New > Package.
10.Select the path of your distribution point and FortiClient installer file, and then select Open.
Select Assigned and select OK. The package will then be generated.
11.If you wish to expedite the installation process, on both the server and client computers,
force a GPO update.
12.The software will be installed on the client computers next reboot. You can also wait for the
client computer to poll the domain controller for GPO changes and install the software then.
Uninstall FortiClient using Microsoft Active Directory server
This section describes how to remove FortiClient from client computers using Active Directory:
1. On your domain controller, select Start > Administrative Tools > Group Policy Management.
The Group Policy Management MMC Snap-in will open. Expand the Group Policy Objects
container and right-click the Group Policy Object you created to install FortiClient and select
Edit. The Group Policy Management Editor will open.

Fortinet Technologies Inc.

Page 18

FortiClient v5.0.0 Administration Guide

2. Select Computer Configuration > Policy > Software Settings > Software Installation. You will
now be able to see the package that was used to install FortiClient.
3. Right-click the package, select All Tasks > Remove. Choose Immediately uninstall the
software from users and computers, or Allow users to continue to use the software but
prevent new installations. Select OK. The package will delete.
4. If you wish to expedite the uninstallation process, on both the server and client computers,
force a GPO update as shown in the previous section. The software will be uninstalled on the
client computers next reboot. You can also wait for the client computer to poll the domain
controller for GPO changes and uninstall the software then.

Deploy using Microsoft System Center Configuration Manager 2007


If you would like to use Microsofts System Center Configuration Manager (SCCM) to deploy
FortiClient, use the following method:

These instructions assume you have already installed and configured SCCM. If you have not,
please refer to Microsofts online help sources for information on this task.

Step 1: Create Your Package


1. Startup your Configuration Manager Console GUI and expand the following: Computer
Management > Software Distribution > Packages.
2. Right-click Packages and select New > Package from the contextual menu. A Wizard will
open.
3. Fill in the packages properties as you desire in the General tab.
4. Under the Data Source tab, select the This package contains source files box, then select the
Set button to specify the source of the SCCM package. SCCM will then ask you to specify
the path to the installation executable. Select that path, then select OK.
5. Select the box adjacent to Update distribution points on a schedule and then set the
schedule to how often you wish.
6. Set your Data Access options if required.
7. Under the Distribution Settings tab, set your sending priority. High is recommended.
8. Under the Reporting tab, leave the settings as default.
9. Under the Security tab, set the rights for the package class and instance rights.
10.Review your package choices under the Summary tab, then select Next. The Wizard will
complete.
Step 2: Create a Program for Your Package
1. Startup your Configuration Manager Console GUI and expand the following:
Computer Management > Software Distribution > Packages.
Select the newly-created FortiClient package. Right-click that package and select New >
Program from the contextual menu.
2. Under the General tab, fill in the appropriate details. For a silent install, ensure you use the
-ms switch under the command line options.
3. Under the Requirements tab, check the boxes next to the client platforms you wish to install
to (Windows Vista, Windows XP, etc.).

Fortinet Technologies Inc.

Page 19

FortiClient v5.0.0 Administration Guide

4. Set your Environment variables - it is recommended to select that the program can run
Whether or not a user is logged on.
5. You can leave the Advanced and Windows Installer tabs as default.
6. If you require a notification sent to Microsoft Operations Manager (MOM), select the
appropriate options under the MOM Maintenance tab.
7. As with the previous step, review your Summary and then create your program.
Step 3: Advertising Your Package to Client PCs
1. Startup your Configuration Manager Console GUI and expand the following:
Computer Management > Software Distribution > Advertisements.
Right-click Advertisements and select New > Advertisement from the contextual menu.
2. When prompted about no distribution points, select Yes. We will update the distribution
point later in the process.
3. Under the Schedule tab, set the date you wish the advertisement to commence (and expire,
if you desire). Set your priority level (recommended setting is High). Select on the yellow
star to set the mandatory settings.
4. Under the Distribution Points tab, select Download content from distribution point and run
locally for both settings.
5. Under the Interaction tab, you can use this to warn logged in users that the program is going
to run, and provide a countdown timer until execution.
6. Under the Security tab, set the rights for the package class and instance rights.
7. Review your package choices under the Summary tab, then select Next. The Wizard will
complete.
Step 4: Create and Update Your Distribution Point
1. Startup your Configuration Manager Console GUI and expand the following:
Computer Management > Software Distribution > Packages.
Expand the package you created, and right-click Distribution Points.
Right-click Distribution Points and select New Distribution Points from the contextual
menu. A Wizard will open.
2. Select your SCCM server from the list of available servers and select Next. You will then see
a summary and the Wizard will complete.
3. You will now need to update the distribution point that was just created with the
advertisement package. Right-click Distribution Points and now select Update Distribution
Points from the contextual menu. A pop-up window will appear. Confirm the update by
selecting Yes.
Using Microsoft SCCM 2007 to Remove FortiClient:
1. Open the Configuration Manager Console:
System Center Configuration Manager > Site Database > Computer Management >
Software Distribution > Package > Advertisement.
2. Select the FortiClient package you wish to uninstall, then select Per-system uninstall. Ensure
you select the correct boundary collection. Specify when the advertisement will broadcast to
the members of the target collection.
3. Complete the Wizard. Ensure you delete the initial Installation Advertisement you used to
install FortiClient to prevent SCCM from reinstalling FortiClient.

Fortinet Technologies Inc.

Page 20

FortiClient v5.0.0 Administration Guide

Central Management
Introduction
The purpose of this section is to provide basic instructions on how to configure, deploy, and
manage FortiClient configurations from FortiGate.

Endpoint Management requires FortiClient v5.0.0 GA or later, and a FortiGate (FortiGate,


FortiWiFi, FortiGate-VM) running FortiOS v5.0.0 GA or later, and FortiCarrier devices running
FortiOS Carrier v5.0.0 GA or later.

Endpoint Management is available on the FortiGate 40C, and higher devices.

Configure Endpoint Management


In FortiOS v5.0.0 GA, configuration and management of FortiClient endpoint agents can now be
handled by the FortiGate. You can configure your FortiGate device to discover new devices on
your network, enforce FortiClient registration, and deploy a pre-configured endpoint profile to
connected devices. The endpoint profile can be deployed to devices on your network, and over
a VPN connection.
To configure Endpoint Management on the FortiGate, follow the steps listed below.

Step 1: Enable Device Management and Broadcast Discovery Messages


To configure Device Management, go to System > Network > Interface, select the interface, and
select Edit on the tool-bar. On the Edit Interface page you can select to enable Detect and
Identify Devices. To enable Broadcast Discovery Messages (Optional) you must first enable
FCT-Access under Administrative Access. Select Apply to save the setting.
Broadcast Discovery Messages is an optional configuration. When enabled, the FortiGate will
broadcast messages to your network, allowing client connections to discover the FortiGate for
FortiClient registration. Without this feature enabled, the user will enter the IP address or URL of
the FortiGate to complete registration.

Page 21

Figure 16:Device Management options

Step 2: Configure the Client Endpoint Profile


To configure the Client Endpoint Profile, go to User & Device > Device > Endpoint Profile. Edit as
required. Select Apply to save the setting.

Fortinet Technologies Inc.

Page 22

FortiClient v5.0.0 Administration Guide

Figure 17:Edit Endpoint Profile

Step 3: Configure Firewall Policies


To configure a firewall policy for Endpoint Management, go to Policy > Policy > Policy, and
select Create New on the right-hand tool bar. For Policy Subtype, select Device Identity.

Fortinet Technologies Inc.

Page 23

FortiClient v5.0.0 Administration Guide

Figure 18:Create new Device Identity policy

Add an Accept Authentication Rule for all compliant Windows-PC clients. This rule will allow
Windows clients which have installed FortiClient, and have been registered to this FortiGate to
pass traffic.
Figure 19:Accept Authentication rule for compliant Windows-PC clients.

Add a Captive Portal Authentication Rule for all non-compliant Windows-PC clients. This rule
will redirect all Windows clients (web browser) to a dedicated portal where they can download
the client. Once registered to the FortiGate, the Endpoint Profile will be assigned.

Fortinet Technologies Inc.

Page 24

FortiClient v5.0.0 Administration Guide

Figure 20:Captive Portal Authentication Rule for Windows-PC devices.

(Optional) Add an Accept Authentication rule to allow traffic from all other devices to pass traffic
without enforcing FortiClient Compliance.
Figure 21:Accept Authentication Rule for all other devices

Once these three Authentication rules are configured, select OK to save the new policy setting.
Your client configuration is ready for deployment.
Figure 22:Firewall policy configuration

Fortinet Technologies Inc.

Page 25

FortiClient v5.0.0 Administration Guide

After the FortiGate configuration has been completed, you can proceed with FortiClient
configuration. Configure your Windows PC on the corporate network with the default gateway
set to the IP of the FortiGate.

FortiClient Endpoint network topologies


The following FortiClient Endpoint Profile topologies are supported.
Client is directly connected to FortiGate; either to a physical port, switch port or WiFi SSID.
This topology supports client registration, configuration sync, and endpoint profile
enforcement.
Client is connected to FortiGate, but is behind a router or NAT device.
This topology supports client registration, and configuration sync.
Client is connected to FortiGate across a VPN connection.
This topology supports client registration, configuration sync, and endpoint profile
enforcement.
Figure 23:Network topologies

To configure FortiClient for Endpoint Management, follow the steps listed below.

Step 1: Download and install FortiClient


Open a web browser from your workstation and attempt to open a web page, the web page will
be directed to the Captive Portal. Follow the instructions on the portal to download and install
FortiClient.

Fortinet Technologies Inc.

Page 26

FortiClient v5.0.0 Administration Guide

Figure 24:Captive Portal block page is displayed.

Step 2: FortiClient registration


After FortiClient completes installation, FortiClient will automatically launch and search for a
FortiGate device for registration. There are three ways that the FortiClient/FortiGate
communication is initiated:
1. FortiClient connects to the preferred IP address (if provided).
2. If 1. fails, FortiClient will attempt to connect to the default gateway IP address.
3. If 2. fails, FortiClient will listen for FortiGate broadcast messages.

Your personal computers default gateway IP should be configured to be the IP set on the
FortiGate interface.

Figure 25 shows an example broadcast message sent by the FortiGate, and received by
FortiClient. Select Accept to register with this FortiGate device. Upon registration, the FortiGate
will send the Endpoint Profile to FortiClient.
Figure 25:FortiGate broadcast message

Fortinet Technologies Inc.

Page 27

FortiClient v5.0.0 Administration Guide

Figure 26 shows the behavior of FortiClient on initial setup. FortiClient will search for available
FortiGate devices to complete registration. Select the ? icon on the FortiClient dashboard to
retry the search.
Figure 26:FortiClient will search for an available FortiGate

If FortiClient is unable to detect a FortiGate device, enter the IP address or URL of the device
and select the Retry button as illustrated in Figure 27.

Fortinet Technologies Inc.

Page 28

FortiClient v5.0.0 Administration Guide

Figure 27:Enter the FortiGate IP or URL

When FortiClient locates the FortiGate, you will be prompted to confirm the registration as
illustrated in Figure 28. Select the Confirm button to complete registration.
Figure 28:Registration confirmation window

Upon successful registration, the FortiGate will deploy the endpoint configuration.

Fortinet Technologies Inc.

Page 29

FortiClient v5.0.0 Administration Guide

Figure 29:Registration complete

Step 3: FortiGate deploys the Endpoint Profile


The FortiGate will deploy the Endpoint Profile after registration is complete. This Endpoint
Profile will permit traffic through the FortiGate. A system tray bubble message will be displayed
once update is complete.
Figure 30:Configuration update notification message

The FortiClient console will display that it is successfully registered to the FortiGate. The
Endpoint Profile is installed on FortiClient.

Fortinet Technologies Inc.

Page 30

FortiClient v5.0.0 Administration Guide

Figure 31:Registered FortiClient console

Deploy the Endpoint Profile to clients over VPN


You can deploy the Endpoint Profile to clients over a VPN connection.
1. On the FortiGate dashboard, select File > Settings. Under System, select Use preferred
FortiGate address, and enter the IP address and port (if required) of the FortiGates internal
interface.
Figure 32:Preferred FortiGate address

2. Configure an IPsec VPN connection from FortiClient to the management FortiGate. For more
information on configuring IPsec VPN see Create a new IPsec VPN connection on
page 50.
3. Connect to the VPN.
4. You can now search for the FortiGate gateway. See Step 2: FortiClient registration on
page 27 for more information.
5. After registration, the client is able to receive the Endpoint Profile.

Fortinet Technologies Inc.

Page 31

FortiClient v5.0.0 Administration Guide

View FortiClient registration on the FortiGate Web-based Manager


You can view all registered FortiClient on the FortiGate Web-based Manager. Each new
registration will be automatically added to the device table. To view registered devices go to
User & Devices > Device > Device Definition. The state for the new FortiClient registration is
listed as Registered.
Figure 33:FortiGate device

Configure preferred FortiGate IP on FortiClient for registration


The FortiClient admin user can specify a preferred FortiGate IP address for registration and
client configuration management. When an unregistered FortiClient starts up, it first looks for
the preferred FortiGate. If the preferred FortiGate is not reachable, it will look to connect to
default gateway. If both the preferred FortiGate and default gateway are not reachable,
FortiClient will listen for the broadcast message from FortiGate.
To configure a preferred FortiGate IP address, go to File > Settings, on FortiClient.
Figure 34:Configure preferred FortiGate on FortiClient

Enable FortiClient Endpoint Registration (optional)


To enable FortiClient Endpoint Registration, go to System > Config > Advanced, on FortiClient.
Select Enable Registration Key for FortiClient, enter the Registration Key, and select Apply.

Fortinet Technologies Inc.

Page 32

FortiClient v5.0.0 Administration Guide

Figure 35:Enable FortiClient Endpoint Registration on FortiGate

The FortiClient user will need to enter the same registration key to successfully register
FortiClient to the FortiGate.

Fortinet Technologies Inc.

Page 33

FortiClient v5.0.0 Administration Guide

AntiVirus
FortiClient AntiVirus
FortiClient v5.0.0 includes an AntiVirus module to scan system files, executables, dlls, and
drivers. FortiClient will also scan for, and remove rootkits.
This section describes how to enable AntiVirus, and configuration options.

Enable/Disable AntiVirus
To enable or disable FortiClient Real-time Protection, toggle the [Enable/Disable] option on the
FortiClient dashboard.

Notifications
Select the bell icon on the FortiClient dashboard to view all notifications. When a virus has been
detected, an exclamation icon will appear on the AntiVirus tree-menu tab. The bell icon will
change from gray to yellow.
Figure 36:Notifications window

Page 34

Scan Now
To perform on-demand AntiVirus scanning, select the Scan Now button on the FortiClient
dashboard. Use the drop-menu to select Custom Scan, Full Scan, or Quick Scan. The
dashboard notes the date of the last scan above the button.
Custom Scan runs the rootkit detection engine to detect and remove rootkits. Custom Scan
allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats.
Full Scan runs the rootkit detection engine to detect and remove rootkits. Full Scan then
performs a full system scan including all files, executables, dlls, and drivers for threats.
Quick System Scan runs the rootkit detection engine to detect and remove rootkits. Quick
System Scan only scans executable files, dlls, drivers that are currently running for threats.
Figure 37:AntiVirus Scan Now options

Fortinet Technologies Inc.

Page 35

FortiClient v5.0.0 Administration Guide

Update Now
To perform on-demand update of FortiClient version, engines, and signatures, select the
Update Now button on the content pane. The content pane notes the date of the last update
above the button.
To view the current FortiClient version, engine, and signature information, select Help on the
tool-bar, and About on the drop-down menu.
Figure 38:About FortiClient page

The Database is up-to-date message on the FortiClient dashboard refers to the AntiVirus
signatures being up-to-date. Select Help > About for more information.

Fortinet Technologies Inc.

Page 36

FortiClient v5.0.0 Administration Guide

Schedule AntiVirus scanning


To schedule AntiVirus scanning, select Weekly Scan on the content pane. On this menu you can
configure options outlined in the following figure and table.
Figure 39:AntiVirus scheduling

Schedule Type

Select Daily, Weekly or Monthly on the drop-down menu.

Scan On

For Weekly scheduled scan, select the day of the week on the
drop-down menu. For Monthly scheduled scan, the day of the month on
the drop-down menu.

Start

Select the start time on the drop-down menus. The time format is
represented in hours and minutes, 24-hour clock.

Scan Type

Select the scan type:


Custom Scan runs the rootkit detection engine to detect and remove
rootkits. Custom Scan allows you to select a specific file folder on your
local hard disk drive (HDD) to scan for threats.
Full Scan runs the rootkit detection engine to detect and remove
rootkits. Full Scan then performs a full system scan including all files,
executables, dlls, and drivers for threats.
Quick System Scan runs the rootkit detection engine to detect and
remove rootkits. Quick System Scan only scans executable files, dlls,
drivers that are currently running for threats.

Fortinet Technologies Inc.

Page 37

FortiClient v5.0.0 Administration Guide

View quarantined threats


To view quarantined threats, select Threats Quarantined on the FortiClient dashboard. On this
page you can view, restore, or delete the quarantined file. You can also submit the file to
FortiGuard.
Figure 40:Threats quarantined page

File Name

The name of the file.

Date Quarantined The date and time that the file was quarantined by FortiClient
File Information

Select a file from the list to view detailed information including the
quarantined location, status, virus name, and quarantined file name.

Logs

Select to view FortiClient log data.

Refresh

Select to refresh the list.

Submit

Select to submit the quarantined file to FortiGuard.

Restore

Select to add the selected file/folder to the exclusion list.

Delete

Select to delete the quarantined file.

Close

Select to close the page, and return to the FortiClient dashboard.

Fortinet Technologies Inc.

Page 38

FortiClient v5.0.0 Administration Guide

Add files/folders to an exclusion list


To add files/folders to the AntiVirus exclusion list, select Exclusion List on the content pane. On
the following configuration page, select the + symbol to add files or folders to the list. Any files
or folders on this exclusion list will not be scanned.

Figure 41:AntiVirus Exclusion List

Fortinet Technologies Inc.

Page 39

FortiClient v5.0.0 Administration Guide

AntiVirus warning
When FortiClient Antivirus detects a virus while attempting to download a file via a
web-browser, you will receive a warning dialog message similar to Figure 42. Browse to the
Threat Quarantine menu on the dashboard to view details on the detected threat.
Figure 42:Example virus warning message

Fortinet Technologies Inc.

Page 40

FortiClient v5.0.0 Administration Guide

AntiVirus logging
To configure AntiVirus logging, select File on the tool-bar, and Settings on the drop-down menu.
Select Logging to view the drop-down menu. On this menu you can configure options outlined
in the following figure and table.
Figure 43:Logging options

Logging
Enable logging for
these features

Select AntiVirus to enable logging for this feature.

Log file
Export logs

Select to export logs to your local hard disk drive (HDD) in .log
format.

Clear logs

Select to clear all logs. You will be presented a confirmation window,


select Yes to proceed.

Upload logs to
Select to upload FortiClient logs to the registered FortiGate.
registered FortiGate

Fortinet Technologies Inc.

Page 41

FortiClient v5.0.0 Administration Guide

AntiVirus options
To configure AntiVirus options, select File on the tool-bar, and Settings on the drop-down menu.
Select AntiVirus Options to view the drop-down menu. On this menu you can configure options
outlined in the following figure and table.
Figure 44:AntiVirus options

AntiVirus Options
Grayware Options
Adware

Select to enable Adware detection and quarantine during the


AntiVirus scan.

Riskware

Select to enable Riskware detection and quarantine during the


AntiVirus scan.

Alert when viruses


are detected

Select to have FortiClient provide a notification alert when a threat is


detected on your personal computer.

Pause background Select to pause background scanning when your personal computer
scanning on battery is operating on battery power.
power

Fortinet Technologies Inc.

Page 42

FortiClient v5.0.0 Administration Guide

Parental Control/Web Filtering


FortiClient Parental Control/Web Filtering
Parental Control/Web Filtering allows you to block, allow, warn, and monitor web traffic based
on category.

When FortiClient is registered to a FortiGate, the Parental Control module will reflect Web
Filtering. You can disable Web Filtering on the FortiClient, from the FortiGate. If the FortiClient
device is behind a FortiGate, it will use the Web Filter profile on the FortiGate.

Enable/Disable Parental Control/Web Filtering


To enable or disable FortiClient Parental Control/Web Filtering, toggle the [Enable/Disable]
button on the FortiClient dashboard. Parental Control is enabled by default.
Figure 45:Parental Control

Page 43

Parental Control/Web Filtering settings


You can configure a profile to allow, block, warn, or monitor web traffic based on category under
Profile. Use the right-click menu to set the action for the full category or sub-category.
You can add websites to the exclusion list and set the permission to allow or block. If the
website is part of a blocked category, an allow permission on the Exclusion List would allow the
user to access the specific site.
Figure 46:Profile and Exclusion List

View profile violations


To view profile violations, select Violations (in the Last 7 Days) on the FortiClient dashboard.
Figure 47:Traffic violations

Fortinet Technologies Inc.

Page 44

FortiClient v5.0.0 Administration Guide

Application Firewall
FortiClient Application Firewall
FortiClient v5.0.0 can recognize the traffic generated by a large number of applications. You can
create rules to block or allow this traffic per category, or application.
This section describes how to enable the application firewall settings.

Enable/Disable Application Firewall


To enable or disable FortiClient Real-time Protection, select the [Enable/Disable] button on the
FortiClient dashboard.
Figure 48:Application Firewall dashboard

View Applications Blocked


To view blocked applications, select Applications Blocked on the FortiClient dashboard. This
page lists all applications blocked in the past seven days, including the count, and time of last
occurrence.

Page 45

Application Firewall Rules


To view Application Firewall rules, select the Settings button on the FortiClient dashboard.
Figure 49:Application Firewall rules

To add a new rule


1. Select Add Rule button.
Figure 50:Create rule window

Fortinet Technologies Inc.

Page 46

FortiClient v5.0.0 Administration Guide

2. Select either Category or Application. For category, use the drop-down list to select a
category. For application, type either the full name of the application or first letter to search
all applications starting with the selected letter.

FortiClient Application Firewall can only block applications for which FortiGuard has an
application signature. You can submit a request to add a application signature on the
FortiGuard site.

3. Select the action to Block or Allow the category or application.


4. Select placement of the rule At the top or At the bottom.
5. Select OK to save the setting.
To edit a rule
1. On the settings page, when you hover the mouse cursor on a rule, a hidden icon menu is
available.
2. Select the edit icon to change the action of the rule.
3. Select the delete icon to remove the rule.
4. Select the move icon and drag-and-drop the rule to a new position on the list.
5. Select OK to save the setting and return to the FortiClient dashboard.

Application Firewall logging


To configure Application Firewall logging, select File on the tool-bar, and Settings on the
drop-down menu. Select Logging to view the drop-down menu. Select Application Firewall the
logging menu to enable logging for this module.

Fortinet Technologies Inc.

Page 47

FortiClient v5.0.0 Administration Guide

IPsec VPN and SSL-VPN


FortiClient Remote Access (VPN)
FortiClient v5.0.0 supports both IPsec and SSL-VPN connections to your network for remote
access.
This section describes how to configure remote access.

Add a new connection


Select Configure VPN on the FortiClient dashboard to add a new VPN configuration.
Figure 51:Configure a new VPN connection

Page 48

Create a new SSL-VPN connection


To create a new SSL-VPN connection, select Configure VPN or use the drop-down menu on the
dashboard. On this menu you can configure options outlined in the following figure and table.
Figure 52:SSL-VPN configuration options

Connection Name

Enter a name for the connection.

Type

Select SSL-VPN.

Description

Enter a description for the connection. (Optional)

Remote Gateway

Enter the IP address/hostname of the remote gateway. Multiple remote


gateways can be configured by separating each entry with a semicolon.
If one gateway is not available, the VPN will connect to the next
configured gateway.

Port

Select to change the port. The default port is 443.

Authentication

Select to prompt on login, or save login.

Username

If you selected to save login, enter the username in the dialog box.

Client Certificate

Select to enable client certificates.

Certificate

Select the certificate option on the drop-down menu.

Do not warn Invalid Select if you do not want to warned if the server presents an invalid
Server Certificate
certificate.

Fortinet Technologies Inc.

Page 49

FortiClient v5.0.0 Administration Guide

Create a new IPsec VPN connection


To create a new IPsec VPN connection, select Configure VPN or use the drop-down menu on
the dashboard. On this menu you can configure options outlined in the following figure and
table.
Figure 53:IPsec VPN configuration options

Connection Name

Enter a name for the connection.

Type

Select IPsec VPN.

Description

Enter a description for the connection. (Optional)

Remote Gateway

Enter the IP address/hostname of the remote gateway. Multiple remote


gateways can be configured by separating each entry with a semicolon.
If one gateway is not available, the VPN will connect to the next
configured gateway.

Authentication
Method

Select either X.509 Certificate or Pre-shared Key on the drop-down


menu.

X.509 Certificate,
Pre-shared Key

Select the X.509 Certificate on the drop-down menu, or enter the


pre-shared key in the dialog box. See Certificate Management for
information on configuring certificate options.

Authentication
(XAuth)

Select to prompt on login, save login, or disable.

Username

If you selected save login, enter the username in the dialog box.

Fortinet Technologies Inc.

Page 50

FortiClient v5.0.0 Administration Guide

Connect to a VPN
To connect to a VPN, select the name of the VPN from the drop-down menu. Enter your
username and password, and select the Connect button.
Figure 54:Connection options

You can also select to edit an existing VPN connection, and delete an existing VPN connection
using the drop-down menu.
When connected, the dashboard will display the connection status, duration, and other relevant
information. You can now browse your remote network. Select the Disconnect button when you
are ready to terminate the VPN session.

Fortinet Technologies Inc.

Page 51

FortiClient v5.0.0 Administration Guide

Figure 55:SSL-VPN connection established

Status

The status of the VPN connection.

Duration

The duration of the VPN connection.

Bytes Received

Bytes received through the VPN connection.

Bytes Sent

Bytes sent through the VPN connection.

Fortinet Technologies Inc.

Page 52

FortiClient v5.0.0 Administration Guide

Advanced features (Windows)


Connect VPN before logon (AD environments)
The VPN <options> tag holds global information controlling VPN states. The VPN will
connect first, then logon to AD/Domain.
<forticlient_configuration>
<vpn>
<options>
<show_vpn_before_logon>1</show_vpn_before_logon>
<use_windows_credentials>1</use_windows_credentials>
</options>
</vpn>
</forticlient_configuration>

Create a redundant IPsec VPN


To use VPN resiliency/redundancy, you will configure a list of FortiGate IP/FQDN servers,
instead of just one:
<forticlient_configuration>
<vpn>
<ipsecvpn>
<options>
...
</options>
<connections>
<connection>
<name>psk_90_1</name>
<type>manual</type>
<ike_settings>
<prompt_certificate>0</prompt_certificate>
<server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61
.143</server>
<redundantsortmethod>1</redundantsortmethod>
...
</ike_settings>
</connection>
</connections>
</ipsecvpn>
</vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included,
but some important elements to complete the IPsec VPN configuration are ommitted.

RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to
the FortiGate which responds the fastest.

Fortinet Technologies Inc.

Page 53

FortiClient v5.0.0 Administration Guide

RedundantSortMethod = 0
By default, RedundantSortMethod =0, and the IPsec VPN connection is priority based. Priority
based configurations will try to connect to the FortiGate starting with the first on the list.

Priority based SSL-VPN connections


SSL-VPN supports priority based configurations for redundancy.
<forticlient_configuration>
<vpn>
<sslvpn>
<options>
<enabled>1</enabled>
...
</options>
<connections>
<connection>
<name>ssl_90_1</name>
<server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:44
3</server>
...
</connection>
</connections>
</sslvpn>
</vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included,
but some important elements to complete the SSL VPN configuration are ommitted.
For SSL-VPN, all FortiGates must use the same TCP port.

Enabling VPN autoconnect


VPN auto connect uses the following XML tag:
<autoconnect_tunnel>ipsecdemo.fortinet.com</autoconnect_tunnel>
Inside:
<vpn>
<options>
Save password is also needed because it is autoconnect:
<save_password>1</save_password>

Enabling VPN always up


VPN always up uses the following XML tag:
<keep_running>1</keep_running>
Inside:
<vpn>
<connection>
Fortinet Technologies Inc.

Page 54

FortiClient v5.0.0 Administration Guide

Advanced features (Mac OS X)


Enabling VPN autoconnect
VPN auto connect uses the following XML tag:
<autoconnect_tunnel>ssl 198 no cert</autoconnect_tunnel>

Enabling VPN always up


VPN always up uses the following XML tag:
<keep_running>1</keep_running>

VPN before logon, IPsec VPN and SSL-VPN redundancy are currently not supported in
FortiClient v5.0.0 GA (Mac OS X).

VPN tunnel & script (Windows)


Feature overview
This feature supports auto running a user-defined script after the configured VPN tunnel is
connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac
OS X. They will be defined as part of a VPN tunnel configuration on FortiGate's XML format
Endpoint Profile. The profile will be pushed down to FortiClient from FortiGate. When
FortiClient's VPN tunnel is connected or disconnected, the respective script defined under that
tunnel will be executed.

Map a network drive after tunnel connection


The script will map a network drive and copy some files after the tunnel is connected.
<on_connect>
<script>
<os>windows</os>
<script>
<script>
<![CDATA[
net use x: \\192.168.10.3\ftpshare /user:Honey Boo Boo
md c:\test
copy x:\PDF\*.* c:\test
]]>
</script>
</script>
</script>
</on_connect>

Fortinet Technologies Inc.

Page 55

FortiClient v5.0.0 Administration Guide

Delete a network drive after tunnel is disconnected


The script will delete the network drive after the tunnel is disconnected.
<on_disconnect>
<script>
<os>windows</os>
<script>
<script>
<![CDATA[
net use x: /DELETE
]]>
</script>
</script>
</script>
</on_disconnect>

VPN tunnel & script (Mac OS X)


Map a network drive after tunnel connection
The script will map a network drive and copy some files after the tunnel is connected.
<on_connect>
<script>
<os>mac</os>
<script>
/bin/mkdir /Volumes/installers
/sbin/ping -c 4 192.168.1.147 >
/Users/admin/Desktop/dropbox/p.txt
/sbin/mount -t smbfs
//kimberly:RigUpTown@ssldemo.fortinet.com/installer
s /Volumes/installers/ >
/Users/admin/Desktop/dropbox/m.txt
/bin/mkdir /Users/admin/Desktop/dropbox/dir
/bin/cp /Volumes/installers/*.log
/Users/admin/Desktop/dropbox/dir/.
</script>
</script>
</on_connect>

Fortinet Technologies Inc.

Page 56

FortiClient v5.0.0 Administration Guide

Delete a network drive after tunnel is disconnected


The script will delete the network drive after the tunnel is disconnected.
<on_disconnect>
<script>
<os>mac</os>
<script>
/sbin/umount /Volumes/installers
/bin/rm -fr /Users/admin/Desktop/dropbox/*
</script>
</script>
</on_disconnect>

Fortinet Technologies Inc.

Page 57

FortiClient v5.0.0 Administration Guide

Vulnerability Scan
Vulnerability Scan
FortiClient v5.0.0 includes an Vulnerability Scan module to check your personal computer for
known system vulnerabilities.
This section describes how to enable Vulnerability Scan, and configuration options.

Scan Now
To perform a vulnerability scan, select the Scan Now button on the FortiClient dashboard.
FortiClient will scan your personal computer for known vulnerabilities. The dashboard notes the
date of the last scan above the button.
Figure 56:Vulnerability scan in progress

Update Now
Select the Update Now button on the FortiClient dashboard to update the vulnerability
signature.

Page 58

View Vulnerabilities
When the scan is complete, FortiClient will display the number of vulnerabilities found on the
dashboard. Select the Found link to view a list of vulnerabilities detected on your system.
Figure 57: Vulnerabilities detected page

Vulnerability Name The name of the vulnerability


Severity

The severity level assigned to the vulnerability, Critical, High, Medium,


Low, Info.

Details

FortiClient vulnerability scan lists a Bugtraq (BID) number under the


details column. You can select the BID to view details of the vulnerability
on the FortiGuard site, or search the web using this BID number.

Time

The date and time that the vulnerability was detected.

Select the Details ID number from the list to view information on the selected vulnerability on the
FortiGuard site. The site details the release date, severity, impact, description, affected
products, and recommended actions.

Fortinet Technologies Inc.

Page 59

FortiClient v5.0.0 Administration Guide

Figure 58: FortiGuard site details

Vulnerability Scan logging


To configure Vulnerability Scan logging, select File on the tool-bar, and Settings on the
drop-down menu. Select Logging to view the drop-down menu. Select Vulnerability Scan on the
logging menu to enable logging for this module.

Fortinet Technologies Inc.

Page 60

FortiClient v5.0.0 Administration Guide

Settings
Backup or restore full configuration
To backup or restore the full configuration file, select File on the tool-bar, and Settings on the
drop-down menu. Select System to view the drop-down menu. On this menu you can perform a
backup, restore a full configuration file. You can also select to back up the configuration file to a
FortiGate device.
Figure 59:Backup and Restore options

When performing a backup, you can select the file destination, and save the file in an
unencrypted or encrypted format.
Figure 60:Backup file created successfully

Page 61

Logging
To configure logging, select File on the tool-bar, and Settings on the drop-down menu. Select
Logging to view the drop-down menu. On this menu you can configure logging for the following
features:
VPN
AntiVirus
Update
Application Firewall
Parental Control
Vulnerability
You can select to export logs, clear logs, upload logs to the registered FortiGate. When
selecting to upload the logs to a registered FortiGate, you can specify either hourly, or daily
uploads.
Figure 61:Logging options

Upload logs to registered FortiGate, requires a FortiManager or FortiAnalyzer device. The


registered FortiGate send logs received from FortiClient endpoint devices to the specified
FortiManager, or FortiAnalyzer device. This feature will be supported in the next patch release.

Updates
To configure updates, select File on the tool-bar, and Settings on the drop-down menu. Select
Up-to-Date to view the drop-down menu. On this menu you can configure the behavior of
FortiClient when a new software version is available on the FortiGuard Distribution Servers.
Figure 62:Update options

Fortinet Technologies Inc.

Page 62

FortiClient v5.0.0 Administration Guide

VPN options
To configure VPN options, select File on the tool-bar, and Settings on the drop-down menu.
Select VPN Options to view the drop-down menu. On this menu you can configure to enable
VPN before logon.
Figure 63:VPN options

Certificate Management
To configure VPN certificates, select File on the tool-bar, and Settings on the drop-down menu.
Select Certificate Management to view the drop-down menu. On this menu you can configure
IPsec VPN to use local certificates, and import certificates to FortiClient.
Figure 64:Certificate options

AntiVirus options
To configure AntiVirus options, select File on the tool-bar, and Settings on the drop-down menu.
Select AntiVirus Options to view the drop-down menu. On this menu you can configure
Grayware options, and the behavior of FortiClient when a virus is detected.
Figure 65:AntiVirus options

Fortinet Technologies Inc.

Page 63

FortiClient v5.0.0 Administration Guide

Advanced options
To configure advanced options, select File on the tool-bar, and Settings on the drop-down
menu. Select Advanced to view the drop-down menu. On this menu you can configure WAN
Optimization, Single Sign-On, configuration sync with FortiGate, disable proxy, and the default
tab when FortiClient is started.
Figure 66:Advanced options

Single Sign-On Mobility Agent


The FortiClient Single Sign-On Mobility Agent acts as a client that updates with
FortiAuthenticator with user logon and network information.

FortiClient/FortiAuthenticator Protocol
The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to
FortiAuthenticator using TLS/SSL with two-way certificate authentication. The FortiClient sends
a logon packet to FortiAuthenticator, which replies with an acknowledgement packet.
FortiClient/FortiAuthenticator communication requires the following:
The IP address should be unique in the entire network.
The FortiAuthenticator should be accessible from clients in all locations.
The FortiAuthenticator should be accessible by all FortiGates.

FortiClient Single Sign-On mobility agent requires a FortiAuthenticator running v2.0.0 GA build
0006. Enter the FortiAuthenticator (server) IP address, and the pre-shared key configured on the
FortiAuthenticator.

Enable Single Sign-On Mobility Agent on FortiClient


1. Select File on the tool-bar, and Settings on the drop-down menu.
2. Select Advanced to view the drop-down menu.
3. Select to Enable Single Sign-On mobility agent.

Fortinet Technologies Inc.

Page 64

FortiClient v5.0.0 Administration Guide

4. Enter the FortiAuthenticator server address, and pre-shared key.


Enable FortiClient SSO Mobility Agent Service on the FortiAuthenticator
1. Select SSO & Dynamic Policies > SSO > Options.
2. Select Enable FortiClient SSO Mobility Agent Service, and a TCP port value for the listening
port.
3. Select Enable authentication, and enter a secret-key value.
Figure 67:FortiAuthenticator configuration

4. To enable FortiClient FSSO services on the interface, select System > Network > Interface.
select Edit to edit the network interface, select FortiClient FSSO to enable.
Figure 68:Enable services

To enable the FortiClient SSO Mobility agent service on the FortiAuthenticator, you must first
apply the applicable FortiClient license for FortiAuthenticator. For more information, see the
FortiAuthenticator v2.0 Administration Guide at http://docs.fortinet.com. For information on
purchasing a FortiClient license, please contact your authorized Fortinet reseller.

Fortinet Technologies Inc.

Page 65

FortiClient v5.0.0 Administration Guide

Interpreting the XML Configuration File


FortiClient XML configuration
The FortiClient configuration file is user editable. The file uses XML format for easy parsing and
validation. The configuration file is inclusive of all client configurations, and references the client
certificates.

Configuration file extensions


FortiClient supports importation and exportation of its configuration via an XML file.

File extensions
FortiClient supports the following four file types:
.conf
A plain-text configuration file.
.sconf
A secure (encrypted) configuration file.
.conn
A plain-text VPN connection configuration file.
.sconn
A secure (encrypted) VPN connection configuration file
A configuration file can be generated from the settings page of FortiClient GUI or by using the
command-line program: FCConfig.exe, installed with FortiClient.

File Sections
Configuration file sections
The configuration file consists of the following sections:
Meta Data
Basic data controlling the entire configuration file.
System Settings
General configurations that are not specific to any of the modules listed below (or affects
more than one module).
VPN Settings
Certificates
AntiVirus
Endpoint Control
Single Sign-on (SSO) Mobility
WAN Optimization
Page 66

Web Filtering
Application Firewall
Vulnerability Scan

For more information, see the FortiClient v5.0 XML Reference.

Import and export command line utility commands and syntax


Fortinet provides administrators the ability to import and export configurations via the CLI.
The following commands are available for use:

Backup the configuration file


FCConfig -m all -f <filename> -o export -i 1

Backup the configuration file (encrypted)


FCConfig -m all -f <filename> -o export -i 1 -p <encrypted password>

Restore the configuration file


FCConfig -m all -f <filename> -o import -i 1

Restore the configuration file (encrypted)


FCConfig -m all -f <filename> -o import -i 1 -p <encrypted password>

Export the VPN tunnel configuration


FCConfig -m vpn -f <filename> -o exportvpn -i 1

Export the VPN tunnel configuration (encrypted)


FCConfig -m vpn -f <filename> -o exportvpn -i 1 -p <encrypted
password>

Import the VPN tunnel configuration


FCConfig -m vpn -f <filename> -o importvpn -i 1

Import the VPN tunnel configuration (encrypted)


FCConfig -m vpn -f <filename> -o importvpn -i 1 -p <encrypted
password>

Fortinet Technologies Inc.

Page 67

FortiClient v5.0.0 Administration Guide

Upload the FortiClient XML file to FortiGate


In FortiOS v5.0.0 GA, the buffer size for the Endpoint Control XML configuration is 32KB.

Full configuration option


You need to enable advanced configuration from CLI to upload the FortiClient XML file:
config endpoint-control profile
edit "default"
config forticlient-winmac-settings
set forticlient-advanced-cfg enable
set forticlient-advanced-cfg-buffer "copy&paste your advanced
forticlient xml configuration here"
end
next
end

After forticlient-advanced-cfg is enabled, forticlient-advanced-cfg-buffer setting is available


from the CLI. You can also choose to copy/paste the XML content from the Web-based
Manager, go to Device > Endpoint Profile.

Advanced VPN configuration


If you only want to upload the VPN configurations, you can use the CLI as well:
config endpoint-control profile
edit "default"
config forticlient-winmac-settings
set forticlient-vpn-provisioning enable
set forticlient-advanced-vpn enable
set forticlient-advanced-vpn-buffer "copy&paste your advanced
VPN configuration XML here"
end
next
end

Fortinet Technologies Inc.

Page 68

FortiClient v5.0.0 Administration Guide

Example FortiClient XML configuration file (Windows)


The following is an example FortiClient XML configuration file. VPN autoconnect and always up
are enabled in the configuration.
<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
<forticlient_version>5.0.0.161</forticlient_version>
<version>5.0</version>
<date>2012/11/15</date>
<partial_configuration>0</partial_configuration>
<os_version>windows</os_version>
<system>
<ui>
<ads>1</ads>
<default_tab>AV</default_tab>
<flashing_system_tray_icon>1</flashing_system_tray_icon>
<hide_system_tray_icon>0</hide_system_tray_icon>
<suppress_admin_prompt>0</suppress_admin_prompt>
<password>Enc
0b6e0c29624a634bf21abcc4cb992786f45a2e1e1addf22d935a0492b18ed339e5888d
314c98af09308ff4861712d12b9c1bd3ef0ba36670</password>
</ui>
<log_settings>
<level>6</level>
<!--0=emergency, 1=alert, 2=critical, 3=error, 4=warning,
5=notice, 6=info, 7=debug, -->
<max_log_size>5120</max_log_size>
<log_events>ipsecvpn,sslvpn,scheduler,update,firewall,av,proxy,shield,
webfilter,endpoint,fssoma,wanacc,configd,vuln</log_events>
<!--ipsecvpn=ipsec vpn, sslvpn=ssl vpn, firewall=firewall,
av=antivirus, webfilter=webfilter, vuln=vulnerability scan, wanacc=wan
acceleration, fssoma=single sign-on mobility for fortiauthenticator,
scheduler=scheduler, update=update, proxy=fortiproxy,
shield=fortishield, endpoint=endpoint control, configd=configuration,
-->
</log_settings>
<proxy>
<update>0</update>
<online_scep>0</online_scep>
<virus_submission>0</virus_submission>
<type>http</type>

Fortinet Technologies Inc.

Page 69

FortiClient v5.0.0 Administration Guide

<address />
<port>80</port>
<username>Enc
6dc3c2c346150a7c3642622e256c6c6310387786779be239</username>
<password>Enc
a0fbf2a976157c9e4221d9afcce0b280d9f266eb55421124</password>
</proxy>
<update>
<use_custom_server>0</use_custom_server>
<server />
<port />
<timeout>60</timeout>
<failoverport>8000</failoverport>
<fail_over_to_fdn>1</fail_over_to_fdn>
<update_action>notify_only</update_action>
<scheduled_update>
<enabled>1</enabled>
<type>interval</type>
<daily_at>03:00</daily_at>
<update_interval_in_hours>3</update_interval_in_hours>
</scheduled_update>
</update>
<fortiproxy>
<enabled>1</enabled>
<enable_https_proxy>1</enable_https_proxy>
<http_timeout>60</http_timeout>
<client_comforting>
<pop3_client>1</pop3_client>
<pop3_server>1</pop3_server>
<smtp>1</smtp>
</client_comforting>
<selftest>
<enabled>0</enabled>
<last_port>65535</last_port>
<notify>0</notify>
</selftest>
</fortiproxy>
</system>
<vpn>
Fortinet Technologies Inc.

Page 70

FortiClient v5.0.0 Administration Guide

<options>
<current_connection_name>psk_90_1</current_connection_name>
<current_connection_type>ipsec</current_connection_type>
<save_password>0</save_password>
<minimize_window_on_connect>1</minimize_window_on_connect>
<show_vpn_before_logon>1</show_vpn_before_logon>
<use_windows_credentials>1</use_windows_credentials>
<show_negotiation_wnd>0</show_negotiation_wnd>
</options>
<sslvpn>
<options>
<enabled>1</enabled>
</options>
<connections>
<connection>
<name>ssl_90_1</name>
<server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
<username>Enc
1f62aab909838c5b3871fe47fe92b1476bc964751d50ba91ba3d88d6</username>
<password />
<certificate />
<warn_invalid_server_certificate>0</warn_invalid_server_certificate>
<prompt_certificate>0</prompt_certificate>
<prompt_username>1</prompt_username>
<on_connect>
<script>
<os>windows</os>
<script>
<!--Write MS DOS batch script inside the
CDATA tag below.
One line per command, just like a regular batch script file.
The script will be executed in the context of the user that connected
the tunnel.
Wherever you write #username# in your script, it will be automatically
substituted with the xauth username of the user that connected the
tunnel.
Wherever you write #password# in your script, it will be automatically
substituted with the xauth password of the user that connected the
tunnel.
Fortinet Technologies Inc.

Page 71

FortiClient v5.0.0 Administration Guide

Remember to check your xml file before deploying to ensure that


carriage returns/line feeds are present.
-->
<script>
<![CDATA[]]>
</script>
</script>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script>
<!--Write MS DOS batch script inside the
CDATA tag below.
One line per command, just like a regular batch script file.
The script will be executed in the context of the user that connected
the tunnel.
Wherever you write #username# in your script, it will be automatically
substituted with the xauth username of the user that connected the
tunnel.
Wherever you write #password# in your script, it will be automatically
substituted with the xauth password of the user that connected the
tunnel.
Remember to check your xml file before deploying to ensure that
carriage returns/line feeds are present.
-->
<script>
<![CDATA[]]>
</script>
</script>
</script>
</on_disconnect>
</connection>
</connections>
</sslvpn>
<ipsecvpn>
<options>
<enabled>1</enabled>
<beep_if_error>0</beep_if_error>
<usewincert>1</usewincert>
Fortinet Technologies Inc.

Page 72

FortiClient v5.0.0 Administration Guide

<uselocalcert>0</uselocalcert>
<usesmcardcert>1</usesmcardcert>
</options>
<connections>
<connection>
<name>psk_90_1</name>
<type>manual</type>
<ike_settings>
<prompt_certificate>0</prompt_certificate>
<server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
<authentication_method>Preshared
Key</authentication_method>
<auth_key>Enc
159cf2d1ef8e3a88af3eda71307fa7262d4a630c9f59e9ac7c4e480055dc</auth_key
>
<mode>aggressive</mode>
<dhgroup>5;</dhgroup>
<key_life>28800</key_life>
<localid />
<nat_traversal>1</nat_traversal>
<mode_config>1</mode_config>
<enable_local_lan>0</enable_local_lan>
<nat_alive_freq>5</nat_alive_freq>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<enable_ike_fragmentation>0</enable_ike_fragmentation>
<RedundantSortMethod>1</RedundantSortMethod>
<xauth>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
<username>Enc
9aaa9c8b38cfc0a8ecac0eaa252eb7acbc723305b5ed5a768147f8fb</username>
<password />
</xauth>
<proposals>
<proposal>3DES|MD5</proposal>
<proposal>3DES|SHA1</proposal>
Fortinet Technologies Inc.

Page 73

FortiClient v5.0.0 Administration Guide

<proposal>AES128|MD5</proposal>
<proposal>AES128|SHA1</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>1800</key_life_seconds>
<key_life_Kbytes>5120</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<autokey_keep_alive>0</autokey_keep_alive>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>3DES|MD5</proposal>
<proposal>3DES|SHA1</proposal>
<proposal>AES128|MD5</proposal>
<proposal>AES128|SHA1</proposal>
</proposals>
</ipsec_settings>
<on_connect>
<script>
<os>windows</os>
<script>

Fortinet Technologies Inc.

Page 74

FortiClient v5.0.0 Administration Guide

<!--Write MS DOS batch script inside the


CDATA tag below.
One line per command, just like a regular batch script file.
The script will be executed in the context of the user that connected
the tunnel.
Wherever you write #username# in your script, it will be automatically
substituted with the xauth username of the user that connected the
tunnel.
Wherever you write #password# in your script, it will be automatically
substituted with the xauth password of the user that connected the
tunnel.
Remember to check your xml file before deploying to ensure that
carriage returns/line feeds are present.
-->
<script>
<![CDATA[]]>
</script>
</script>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script>
<!--Write MS DOS batch script inside the
CDATA tag below.
One line per command, just like a regular batch script file.
The script will be executed in the context of the user that connected
the tunnel.
Wherever you write #username# in your script, it will be automatically
substituted with the xauth username of the user that connected the
tunnel.
Wherever you write #password# in your script, it will be automatically
substituted with the xauth password of the user that connected the
tunnel.
Remember to check your xml file before deploying to ensure that
carriage returns/line feeds are present.
-->
<script>
<![CDATA[]]>
</script>
</script>
</script>
Fortinet Technologies Inc.

Page 75

FortiClient v5.0.0 Administration Guide

</on_disconnect>
</connection>
</connections>
</ipsecvpn>
</vpn>
<certificates>
<crl>
<ocsp />
</crl>
</certificates>
<antivirus>
<signature_expired_notification>0</signature_expired_notification>
<scan_on_insertion>0</scan_on_insertion>
<shell_integration>1</shell_integration>
<antirootkit>4294967295</antirootkit>
<disable_csum_cal>0</disable_csum_cal>
<scheduled_scans>
<!--zero, one or more of the following child nodes-->
<full>
<enabled>1</enabled>
<repeat>1</repeat>
<days>2</days>
<time>18:30</time>
<removable_media>1</removable_media>
<network_drives>0</network_drives>
<priority>0</priority>
</full>
</scheduled_scans>
<on_demand_scanning>
<on_virus_found>0</on_virus_found>
<pause_on_battery_power>1</pause_on_battery_power>
<automatic_virus_submission>
<enabled>0</enabled>
<smtp_server>fortinetvirussubmit.com</smtp_server>
<username />
<password>Enc
c9d988206b3fe7b8dbbf887608b24f0b92c0ba1a55118120</password>
</automatic_virus_submission>
Fortinet Technologies Inc.

Page 76

FortiClient v5.0.0 Administration Guide

<compressed_files>
<scan>1</scan>
<maxsize>0</maxsize>
</compressed_files>
<riskware>
<enabled>1</enabled>
</riskware>
<adware>
<enabled>1</enabled>
</adware>
<heuristic_scanning>1</heuristic_scanning>
<scan_file_types>
<all_files>1</all_files>
<file_types>
<extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX
,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.C
PT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.F
ON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.
JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT
,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.
QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,
.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,
.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.
WSH,.XLS,.XML,.XTP</extensions>
<include_files_with_no_extension>0</include_files_with_no_extension>
</file_types>
</scan_file_types>
<exclusions>
<!--the element below can exist 0-n times-->
<!--the element below can exist 0-n times-->
<file_types>
<extensions />
</file_types>
</exclusions>
</on_demand_scanning>
<real_time_protection>
<enabled>1</enabled>
<when>0</when>
<on_virus_found>5</on_virus_found>
<popup_alerts>1</popup_alerts>
Fortinet Technologies Inc.

Page 77

FortiClient v5.0.0 Administration Guide

<popup_registry_alerts>0</popup_registry_alerts>
<compressed_files>
<scan>1</scan>
<maxsize>2</maxsize>
</compressed_files>
<riskware>
<enabled>1</enabled>
</riskware>
<adware>
<enabled>1</enabled>
</adware>
<heuristic_scanning>
<enabled>0</enabled>
<action>3</action>
</heuristic_scanning>
<scan_file_types>
<all_files>1</all_files>
<file_types>
<extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX
,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.C
PT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.F
ON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.
JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT
,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.
QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,
.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,
.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.
WSH,.XLS,.XML,.XTP</extensions>
<include_files_with_no_extension>0</include_files_with_no_extension>
</file_types>
</scan_file_types>
<exclusions>
<!--the element below can exist 0-n times-->
<!--the element below can exist 0-n times-->
<file_types>
<extensions />
</file_types>
</exclusions>
</real_time_protection>
<email>
Fortinet Technologies Inc.

Page 78

FortiClient v5.0.0 Administration Guide

<smtp>1</smtp>
<pop3>1</pop3>
<outlook>1</outlook>
<wormdetection>
<enabled>0</enabled>
<action>0</action>
</wormdetection>
<heuristic_scanning>
<enabled>0</enabled>
<action>0</action>
</heuristic_scanning>
</email>
<quarantine>
<cullage>100</cullage>
</quarantine>
<server>
<exchange>
<integrate>0</integrate>
<action>0</action>
<excludefilesystemfromscanning>0</excludefilesystemfromscanning>
<excludefileextensionsfromscanning>0</excludefileextensionsfromscannin
g>
</exchange>
<sqlserver>
<excludefilesystemfromscanning>0</excludefilesystemfromscanning>
<excludefileextensionsfromscanning>0</excludefileextensionsfromscannin
g>
</sqlserver>
</server>
</antivirus>
<endpoint_control>
<enabled>1</enabled>
<!--short keepalive timeout in ms-->
<keepalive_short_timeout>20000</keepalive_short_timeout>
<!--keepalive timeout in seconds-->
<keepalive_timeout>1800</keepalive_timeout>
Fortinet Technologies Inc.

Page 79

FortiClient v5.0.0 Administration Guide

<custom_ping_server />
<offnet_update>1</offnet_update>
<user>Enc
bc91188bb060e59641ce75b84b0f319949f191b90b2c99565c8c</user>
<disable_unregister>0</disable_unregister>
<log_upload_enabled>0</log_upload_enabled>
<log_upload_freq_hours>1</log_upload_freq_hours>
<log_last_upload_date>1</log_last_upload_date>
<fgt_logoff_on_fct_shutdown>1</fgt_logoff_on_fct_shutdown>
<show_bubble_notifications>0</show_bubble_notifications>
<ignore_all_broadcast>0</ignore_all_broadcast>
</endpoint_control>
<fssoma>
<enabled>0</enabled>
<serveraddress />
<presharedkey>Enc
099d3d583a9748b62dd3a77a9344aa4ee8bcd6da1372edf8</presharedkey>
</fssoma>
<wan_optimization>
<enabled>0</enabled>
<support_http>1</support_http>
<support_cifs>1</support_cifs>
<support_mapi>1</support_mapi>
<support_ftp>1</support_ftp>
<max_disk_cache_size_mb>512</max_disk_cache_size_mb>
</wan_optimization>
<webfilter>
<https_enabled>1</https_enabled>
<!--use enable_filter to enable/disable WebFiltering-->
<enable_filter>1</enable_filter>
<!--enabled enables/disables the FortiGuard querying service.-->
<enabled>1</enabled>
<log_all_urls>0</log_all_urls>
<white_list_has_priority>0</white_list_has_priority>
<current_profile>0</current_profile>
<partial_match_host>0</partial_match_host>
<disable_when_managed>0</disable_when_managed>
<max_violations>5000</max_violations>
<max_violation_age>90</max_violation_age>
Fortinet Technologies Inc.

Page 80

FortiClient v5.0.0 Administration Guide

<fortiguard>
<enabled>1</enabled>
<rate_ip_addresses>0</rate_ip_addresses>
</fortiguard>
<profiles>
<profile>
<id>0</id>
<cate_ver>6</cate_ver>
<description />
<name />
<temp_whitelist_timeout>300</temp_whitelist_timeout>
<categories>
<category>
<id>1
<!--Drug Abuse (Potentially Liable)-->
</id>
<action>deny</action>
</category>
<category>
<id>2
<!--Alternative Beliefs (Adult/Mature
Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>3
<!--Hacking (Potentially Liable)-->
</id>
<action>deny</action>
</category>
<category>
<id>4
<!--Illegal or Unethical (Potentially
Liable)-->
</id>
<action>deny</action>
</category>
<category>
Fortinet Technologies Inc.

Page 81

FortiClient v5.0.0 Administration Guide

<id>5
<!--Discrimination (Potentially Liable)-->
</id>
<action>deny</action>
</category>
<category>
<id>6
<!--Explicit Violence (Potentially Liable)-->
</id>
<action>deny</action>
</category>
<category>
<id>7
<!--Abortion (Adult/Mature Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>8
<!--Other Adult Materials (Adult/Mature
Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>9
<!--Advocacy Organizations (Adult/Mature
Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>11
<!--Gambling (Adult/Mature Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>12
Fortinet Technologies Inc.

Page 82

FortiClient v5.0.0 Administration Guide

<!--Extremist Groups (Potentially Liable)-->


</id>
<action>deny</action>
</category>
<category>
<id>13
<!--Nudity and Risque (Adult/Mature
Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>14
<!--Pornography (Adult/Mature Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>15
<!--Dating (Adult/Mature Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>16
<!--Weapons (Sales) (Adult/Mature Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>26
<!--Malicious Websites (Security Risk)-->
</id>
<action>deny</action>
</category>
<category>
<id>57
<!--Marijuana (Adult/Mature Content)-->

Fortinet Technologies Inc.

Page 83

FortiClient v5.0.0 Administration Guide

</id>
<action>deny</action>
</category>
<category>
<id>59
<!--Proxy Avoidance (Potentially Liable)-->
</id>
<action>deny</action>
</category>
<category>
<id>61
<!--Phishing (Security Risk)-->
</id>
<action>deny</action>
</category>
<category>
<id>62
<!--Plagiarism (Potentially Liable)-->
</id>
<action>deny</action>
</category>
<category>
<id>64
<!--Alcohol (Adult/Mature Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>65
<!--Tobacco (Adult/Mature Content)-->
</id>
<action>deny</action>
</category>
<category>
<id>83
<!--Child Abuse (Potentially Liable)-->
</id>
<action>deny</action>
Fortinet Technologies Inc.

Page 84

FortiClient v5.0.0 Administration Guide

</category>
<category>
<id>86
<!--Spam URLs (Security Risk)-->
</id>
<action>deny</action>
</category>
</categories>
</profile>
<profile>
<id>2</id>
<cate_ver>6</cate_ver>
<description>deny</description>
<name>deny</name>
<temp_whitelist_timeout>300</temp_whitelist_timeout>
<categories>
<category>
<id>26
<!--Malicious Websites (Security Risk)-->
</id>
<action>deny</action>
</category>
<category>
<id>61
<!--Phishing (Security Risk)-->
</id>
<action>deny</action>
</category>
<category>
<id>86
<!--Spam URLs (Security Risk)-->
</id>
<action>deny</action>
</category>
</categories>
</profile>
<!-This is a table of all Web Filter categories (Id ==> Category Name)
Fortinet Technologies Inc.

Page 85

FortiClient v5.0.0 Administration Guide

0 ==> Unrated
1 ==> Drug Abuse
2 ==> Alternative Beliefs
3 ==> Hacking
4 ==> Illegal or Unethical
5 ==> Discrimination
6 ==> Explicit Violence
7 ==> Abortion
8 ==> Other Adult Materials
9 ==> Advocacy Organizations
11 ==> Gambling
12 ==> Extremist Groups
13 ==> Nudity and Risque
14 ==> Pornography
15 ==> Dating
16 ==> Weapons (Sales)
17 ==> Advertising
18 ==> Brokerage and Trading
19 ==> Freeware and Software Downloads
20 ==> Games
23 ==> Web-based Email
24 ==> File Sharing and Storage
25 ==> Streaming Media and Download
26 ==> Malicious Websites
28 ==> Entertainment
29 ==> Arts and Culture
30 ==> Education
31 ==> Finance and Banking
33 ==> Health and Wellness
34 ==> Job Search
35 ==> Medicine
36 ==> News and Media
37 ==> Social Networking
38 ==> Political Organizations
39 ==> Reference
40 ==> Global Religion
41 ==> Search Engines and Portals
42 ==> Shopping and Auction
Fortinet Technologies Inc.

Page 86

FortiClient v5.0.0 Administration Guide

43 ==> General Organizations


44 ==> Society and Lifestyles
46 ==> Sports
47 ==> Travel
48 ==> Personal Vehicles
49 ==> Business
50 ==> Information and Computer Security
51 ==> Government and Legal Organizations
52 ==> Information Technology
53 ==> Armed Forces
54 ==> Dynamic Content
55 ==> Meaningless Content
56 ==> Web Hosting
57 ==> Marijuana
58 ==> Folklore
59 ==> Proxy Avoidance
61 ==> Phishing
62 ==> Plagiarism
63 ==> Sex Education
64 ==> Alcohol
65 ==> Tobacco
66 ==> Lingerie and Swimsuit
67 ==> Sports Hunting and War Games
68 ==> Web Chat
69 ==> Instant Messaging
70 ==> Newsgroups and Message Boards
71 ==> Digital Postcards
72 ==> Peer-to-peer File Sharing
75 ==> Internet Radio and TV
76 ==> Internet Telephony
77 ==> Child Education
78 ==> Real Estate
79 ==> Restaurant and Dining
80 ==> Personal Websites and Blogs
81 ==> Secure Websites
82 ==> Content Servers
83 ==> Child Abuse
84 ==> Web-based Applications
Fortinet Technologies Inc.

Page 87

FortiClient v5.0.0 Administration Guide

85 ==> Domain Parking


86 ==> Spam URLs
87 ==> Personal Privacy
-->
</profiles>
</webfilter>
<firewall>
<enabled>1</enabled>
<current_profile>0</current_profile>
<default_action>Pass</default_action>
<show_bubble_notifications>0</show_bubble_notifications>
<max_violations>5000</max_violations>
<max_violation_age>90</max_violation_age>
<profiles>
<profile>
<id>0</id>
<rules>
<rule>
<action>Block</action>
<enabled>1</enabled>
<category>
<id>19</id>
</category>
</rule>
</rules>
</profile>
<!-This is a table of all Application Firewall categories (Id ==> Category
Name)
-->
</profiles>
</firewall>
<vulnerability_scan>
<enabled>1</enabled>
<scheduled_scans></scheduled_scans>
</vulnerability_scan>
</forticlient_configuration>

Fortinet Technologies Inc.

Page 88

FortiClient v5.0.0 Administration Guide

Example FortiClient XML configuration file (Mac OS X)


The following is an example FortiClient XML configuration file. VPN autoconnect and always up
are enabled in the configuration.
<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
<forticlient_version>5.0.0.0068</forticlient_version>
<version>5.0</version>
<date>2012-11-1</date>
<os_version>MacOSX</os_version>
<partial_configuration>0</partial_configuration>
<system>
<log_settings>
<level>1</level>
<max_log_size>10000000</max_log_size>
<log_events>ipsecvpn,sslvpn,webfilter,update,av,firewall</log_events>
</log_settings>
<proxy>
<address></address>
<port></port>
<username></username>
<password></password>
<update></update>
</proxy>
<update>
<server></server>
<port></port>
<update_action>notify_only</update_action>
<scheduled_update>
<enabled>1</enabled>
<type>interval</type>
<update_interval_in_hours>3</update_interval_in_hours>
</scheduled_update>
</update>
<ui>
<password>Enc
420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</password>
<default_tab>WF</default_tab>
<culture_code></culture_code>
Fortinet Technologies Inc.

Page 89

FortiClient v5.0.0 Administration Guide

</ui>
</system>
<vpn>
<options>
<autoconnect_tunnel>ssl 198 no cert</autoconnect_tunnel>
</options>
<ipsecvpn>
<options>
<enabled>1</enabled>
</options>
<connections>
<connection>
<name>ipsec</name>
<type>manual</type>
<ike_settings>
<prompt_certificate>0</prompt_certificate>
<description></description>
<server>172.17.61.166</server>
<authentication_method>Preshared
Key</authentication_method>
<auth_key>Enc
420d2ee65abded897a69c50f49950859b45c780adb269f3aa69aaa6690d2984032</au
th_key>
<mode>aggressive</mode>
<dhgroup>5</dhgroup>
<key_life>28800</key_life>
<localid></localid>
<nat_traversal>1</nat_traversal>
<mode_config>1</mode_config>
<dpd>1</dpd>
<xauth>
<enabled>1</enabled>
<prompt_username>0</prompt_username>
<username>Enc
420d2ee65abded897a69c50f49954d0df619498b1925dd2d993abf54be</username>
<password>Enc
420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</password>
</xauth>
<proposals>
<proposal>3des|md5</proposal>
Fortinet Technologies Inc.

Page 90

FortiClient v5.0.0 Administration Guide

<proposal>3des|sha1</proposal>
<proposal>aes128|md5</proposal>
<proposal>aes128|sha1</proposal>
<proposal>aes256|md5</proposal>
<proposal>aes256|sha1</proposal>
<proposal>aes|md5</proposal>
<proposal>aes|sha1</proposal>
<proposal>des|md5</proposal>
<proposal>des|sha1</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks></remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>1800</key_life_seconds>
<pfs></pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip></ip>
<mask></mask>
<dnsserver></dnsserver>
</virtualip>
<proposals></proposals>
</ipsec_settings>
<on_connect>
<script>
<os>mac</os>
<script></script>
</script>
</on_connect>
<on_disconnect>
<script>
<os>mac</os>
<script></script>
</script>
</on_disconnect>
Fortinet Technologies Inc.

Page 91

FortiClient v5.0.0 Administration Guide

<keep_running>0</keep_running>
</connection>
</connections>
</ipsecvpn>
<sslvpn>
<options>
<enabled>1</enabled>
</options>
<connections>
<connection>
<name>ssl 198 no cert</name>
<description></description>
<server>172.17.61.198:443</server>
<username>Enc
420d2ee65abded897a69c50f49954d0df619498b1925dd2d993abf54be</username>
<password>Enc
420d2ee65abded897a69c50f49950859b45c780aea0e9804dac646c9f6c4b4</passwo
rd>
<certificate>Enc
420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</certificate>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<prompt_certificate>0</prompt_certificate>
<prompt_username>0</prompt_username>
<on_connect>
<script>
<os>mac</os>
<script>/bin/mkdir /Volumes/installers
/sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
/sbin/mount -t smbfs //qa:111111@192.168.1.147/installers
/Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
/bin/mkdir /Users/admin/Desktop/dropbox/dir
/bin/cp /Volumes/installers/*.log
/Users/admin/Desktop/dropbox/dir/.</script>
</script>
</on_connect>
<on_disconnect>
<script>
<os>mac</os>
<script>/sbin/umount /Volumes/installers

Fortinet Technologies Inc.

Page 92

FortiClient v5.0.0 Administration Guide

/bin/rm -fr /Users/admin/Desktop/dropbox/*</script>


</script>
</on_disconnect>
<keep_running>1</keep_running>
</connection>
</connections>
</sslvpn>
</vpn>
<endpoint_control>
<enable_enforcement></enable_enforcement>
<enabled>1</enabled>
<keepalive_short_timeout>300</keepalive_short_timeout>
<collect_app_statistics></collect_app_statistics>
<fgt_name></fgt_name>
<fgt_sn>Enc
420d2ee65abded897a69c50f49950f2bbc557e09a920aedd9848f9a1bf295db649e287
69dcb0e8bc1abcede99d7628b51ef58f78479e0015a887a19cfa268d8b28fac302cc6e
26</fgt_sn>
<checksum></checksum>
<corporate_id>Enc
420d2ee65abded897a69c50f49950859b45c780adb26a4adef44f4afba5d2bc649e483
68a4b29cbf1fcfecec9e0726cd6d828f7a4b9e052c985f2ad628a3f8305099</corpor
ate_id>
<ping_server>:0</ping_server>
<custom_ping_server>:0</custom_ping_server>
<log_upload_enabled>1</log_upload_enabled>
<log_upload_freq_hours>1</log_upload_freq_hours>
<log_last_upload_date>0</log_last_upload_date>
<conf_recv_time>0</conf_recv_time>
<fgt_logoff_on_fct_shutdown>1</fgt_logoff_on_fct_shutdown>
<offnet_update>1</offnet_update>
<ignore_all_broadcast>1</ignore_all_broadcast>
<ignore_broadcasts></ignore_broadcasts>
</endpoint_control>
<webfilter>
<enable_filter>1</enable_filter>
<disable_when_managed>0</disable_when_managed>
<enabled>1</enabled>
<current_profile>1000</current_profile>
<log_all_urls>0</log_all_urls>
Fortinet Technologies Inc.

Page 93

FortiClient v5.0.0 Administration Guide

<white_list_has_priority>0</white_list_has_priority>
<partial_match_host>0</partial_match_host>
<fortiguard>
<enabled>0</enabled>
<rate_ip_addresses>0</rate_ip_addresses>
</fortiguard>
<show_bubble_notifications>0</show_bubble_notifications>
<profiles>
<profile>
<id>0</id>
<display_name>Default Profile</display_name>
<description></description>
<cate_ver>0</cate_ver>
<categories>
<category>
<id>1</id>
<action>deny</action>
</category>
<category>
<id>2</id>
<action>deny</action>
</category>
<category>
<id>3</id>
<action>deny</action>
</category>
<category>
<id>4</id>
<action>deny</action>
</category>
<category>
<id>5</id>
<action>deny</action>
</category>
<category>
<id>6</id>
<action>deny</action>
</category>
Fortinet Technologies Inc.

Page 94

FortiClient v5.0.0 Administration Guide

<category>
<id>7</id>
<action>deny</action>
</category>
<category>
<id>8</id>
<action>deny</action>
</category>
<category>
<id>9</id>
<action>deny</action>
</category>
<category>
<id>11</id>
<action>deny</action>
</category>
<category>
<id>12</id>
<action>deny</action>
</category>
<category>
<id>13</id>
<action>deny</action>
</category>
<category>
<id>14</id>
<action>deny</action>
</category>
<category>
<id>15</id>
<action>deny</action>
</category>
<category>
<id>16</id>
<action>deny</action>
</category>
<category>
<id>26</id>
Fortinet Technologies Inc.

Page 95

FortiClient v5.0.0 Administration Guide

<action>deny</action>
</category>
<category>
<id>32</id>
<action>deny</action>
</category>
<category>
<id>57</id>
<action>deny</action>
</category>
<category>
<id>59</id>
<action>deny</action>
</category>
<category>
<id>61</id>
<action>deny</action>
</category>
<category>
<id>62</id>
<action>deny</action>
</category>
<category>
<id>64</id>
<action>deny</action>
</category>
<category>
<id>65</id>
<action>deny</action>
</category>
<category>
<id>83</id>
<action>deny</action>
</category>
<category>
<id>86</id>
<action>deny</action>
</category>
Fortinet Technologies Inc.

Page 96

FortiClient v5.0.0 Administration Guide

</categories>
<urls></urls>
</profile>
<profile>
<id>1000</id>
<display_name>1000</display_name>
<description></description>
<cate_ver>6</cate_ver>
<categories>
<category>
<id>2</id>
<action>deny</action>
</category>
<category>
<id>7</id>
<action>deny</action>
</category>
<category>
<id>8</id>
<action>deny</action>
</category>
<category>
<id>9</id>
<action>deny</action>
</category>
<category>
<id>11</id>
<action>deny</action>
</category>
<category>
<id>13</id>
<action>deny</action>
</category>
<category>
<id>14</id>
<action>deny</action>
</category>
<category>
Fortinet Technologies Inc.

Page 97

FortiClient v5.0.0 Administration Guide

<id>15</id>
<action>deny</action>
</category>
<category>
<id>16</id>
<action>deny</action>
</category>
<category>
<id>19</id>
<action>deny</action>
</category>
<category>
<id>24</id>
<action>deny</action>
</category>
<category>
<id>25</id>
<action>deny</action>
</category>
<category>
<id>26</id>
<action>deny</action>
</category>
<category>
<id>30</id>
<action>deny</action>
</category>
<category>
<id>57</id>
<action>deny</action>
</category>
<category>
<id>61</id>
<action>deny</action>
</category>
<category>
<id>63</id>
<action>deny</action>
Fortinet Technologies Inc.

Page 98

FortiClient v5.0.0 Administration Guide

</category>
<category>
<id>64</id>
<action>deny</action>
</category>
<category>
<id>65</id>
<action>deny</action>
</category>
<category>
<id>66</id>
<action>deny</action>
</category>
<category>
<id>67</id>
<action>deny</action>
</category>
<category>
<id>72</id>
<action>deny</action>
</category>
<category>
<id>75</id>
<action>deny</action>
</category>
<category>
<id>76</id>
<action>deny</action>
</category>
<category>
<id>86</id>
<action>deny</action>
</category>
</categories>
<urls></urls>
</profile>
</profiles>
</webfilter>
Fortinet Technologies Inc.

Page 99

FortiClient v5.0.0 Administration Guide

<firewall>
<enabled>1</enabled>
<show_bubble_notifications>1</show_bubble_notifications>
<current_profile>1000</current_profile>
<profiles>
<profile>
<id>0</id>
<rules>
<rule>
<id></id>
<filter>
<category>5</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>6</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
Fortinet Technologies Inc.

Page 100

FortiClient v5.0.0 Administration Guide

<filter>
<category>7</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>15</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>18</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
Fortinet Technologies Inc.

Page 101

FortiClient v5.0.0 Administration Guide

<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>19</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>20</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
</rules>
</profile>
<profile>
<id>1000</id>
<rules>
<rule>
<id></id>
<filter>
Fortinet Technologies Inc.

Page 102

FortiClient v5.0.0 Administration Guide

<category>2</category>
<vendor>All</vendor>
<behavior>All</behavior>
<technology>All</technology>
<protocol>All</protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>5</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>19</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
Fortinet Technologies Inc.

Page 103

FortiClient v5.0.0 Administration Guide

</rule>
<rule>
<id></id>
<filter>
<category>21</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>24</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>8</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
Fortinet Technologies Inc.

Page 104

FortiClient v5.0.0 Administration Guide

<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>12</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>1</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>15</category>
<vendor></vendor>
Fortinet Technologies Inc.

Page 105

FortiClient v5.0.0 Administration Guide

<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>6</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>7</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
Fortinet Technologies Inc.

Page 106

FortiClient v5.0.0 Administration Guide

<id></id>
<filter>
<category>23</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>22</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>17</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
Fortinet Technologies Inc.

Page 107

FortiClient v5.0.0 Administration Guide

<action>block</action>
<enabled>1</enabled>
</rule>
<rule>
<id></id>
<filter>
<category>3</category>
<vendor></vendor>
<behavior></behavior>
<technology></technology>
<protocol></protocol>
<application></application>
<popularity></popularity>
</filter>
<action>block</action>
<enabled>1</enabled>
</rule>
</rules>
</profile>
</profiles>
</firewall>
<vulnerability_scan>
<enabled>1</enabled>
<scheduled_scans>
<schedule>
<scan_on_fgt_registration>0</scan_on_fgt_registration>
<repeat>2</repeat>
<type>24</type>
<day>31</day>
<time>00:00:00</time>
</schedule>
</scheduled_scans>
</vulnerability_scan>
<antivirus>
<scheduled_scans>
<full>
<enabled>1</enabled>
<repeat>1</repeat>
Fortinet Technologies Inc.

Page 108

FortiClient v5.0.0 Administration Guide

<days>2</days>
<time>18:30</time>
<removable_media>1</removable_media>
</full>
</scheduled_scans>
<on_demand_scanning>
<on_virus_found>4</on_virus_found>
<compressed_files>
<scan>1</scan>
<maxsize>0</maxsize>
</compressed_files>
<riskware>
<enabled>0</enabled>
</riskware>
<adware>
<enabled>0</enabled>
</adware>
<heuristic_scanning>0</heuristic_scanning>
<exclusions></exclusions>
</on_demand_scanning>
<real_time_protection>
<enabled>1</enabled>
<when>0</when>
<on_virus_found>5</on_virus_found>
<popup_alerts>1</popup_alerts>
<compressed_files>
<scan>1</scan>
<maxsize>2</maxsize>
</compressed_files>
<riskware>
<enabled>0</enabled>
</riskware>
<adware>
<enabled>0</enabled>
</adware>
<heuristic_scanning>
<enabled>0</enabled>
<action>0</action>
Fortinet Technologies Inc.

Page 109

FortiClient v5.0.0 Administration Guide

</heuristic_scanning>
<exclusions></exclusions>
</real_time_protection>
<quarantine>
<cullage>100</cullage>
</quarantine>
</antivirus>
</forticlient_configuration>

Fortinet Technologies Inc.

Page 110

FortiClient v5.0.0 Administration Guide

FortiClient Tools
Tools
FortiClient includes various utility tools and files to help with installations.

Windows
The following tools and files are available in the FortiClientTools zip file:
FortiClientConfigurator
FortiClientConfiguratorGUI.exe /FortiClientConfigurator.exe
An installer configuration tool that is used to create customized MSI files.
OnlineInstaller
FortiClientInstaller.exe
This is an installer, which, when run on a Windows client, will connect to the FDS to
download and install the full FortiClient application.
FortiGate
FCInstallerLight.exe
This utility is not intended for end users. It is used in conjunction with the Endpoint
Control feature in FortiOS v5.0. Endpoint Control will redirect all users detected as not
running FortiClient to a dedicated portal. From this portal, the user can download
FCInstallerLight.exe, which will then subsequently download the full FortiClient
installation from the FDS servers.
SupportUtils
FCRemove.exe
FCRemove.exe is a clean-up tool for use only if the Add/Remove Programs feature in
Windows fails to remove FortiClient completely.
FortiClient_Diagnostic_Tool.exe
This tool can be run on the command line to collect information on the locally installed
FortiClient application. Examples of data collected includes: FortiClient version and build
number, log files, configuration file, and VPN tunnel configuration. This can be sent to
Fortinet support team for investigation of customer-reported issues.
ReinstallNIC.exe
A utility to uninstall and reinstall the Windows NIC driver if the user is having problems
with DHCP acquisition after FortiClient is installed (Windows 7 or higher ONLY).

Mac OS X
The following tools and files are available in the FortiClientTools zip file:
OnlineInstaller
FortiClient_4.9.29.68_Installer.dmg
This is an installer, which, when run on a Mac OS X client, will connect to the FDS to download
and install the full FortiClient application.

Page 111

Index
A

antivirus
custom scan 35, 37
enable or disable 34
exclusion list 39
full scan 35, 37
logging 41
notifications 34
perform on-demand scanning 35
quick scan 35, 37
schedule a scan 37
update now 36
view quarantined threats 38
application firewall
application firewall rules 46
enable or disable 45
logging 47
view applications blocked 45

licensing 7

C
CLI
backup 67
export VPN tunnel configuration 67
import VPN tunnel 67
restore 67

M
MSI
custom MSI installation 17
FortiClient Configurator 17
Microsoft Active Directory 18
Microsoft System Center Configuration Manager 19

R
registration key 33

S
settings
advanced options 64
antivirus 63
backup or restore the full configuration file 61
certificate management 63
logging 62
SSO mobility agent 64
updates 62
VPN options 63

Enable Registration Key for FortiClient 32

tools
FortiClientConfigurator 111
MSI 111

forticlient
licensing 7
FortiClient Endpoint Registration 32
grayware 10

vulnerability scan
Bugtraq ID 59
logging 60
perform a vulnerability scan 58
update now 58
view scan results 59

installation
EULA 11, 14
forticlient 11, 14
language support 9
minimum system requirements 8
setup wizard 11, 14
supported operating systems 8

XML
always up 54
autoconnect 54
configuration file 66
connect VPN before logon 53
create a redundant IPsec VPN 55
priority based SSL-VPN connections 54

Page 112