Remote Access
This topic describes the general remote access settings:
| Configuration | Description |
|---|---|
| Remote Access | Enable or disable the eye icon to show or hide the remote access feature from the end user in FortiClient. This option has no effect on FortiClient Android and iOS, where the remote access feature is always enabled regardless of the EMS configuration. |
| **General** | |
| Allow Personal VPN | Allow users to create, modify, and use personal VPN configurations. |
| Disable Connect/Disconnect | Disable the Connect/Disconnect button when using Auto Connect with VPN. |
| Show VPN before Logon | Allow users to select a VPN connection before logging into the system. |
| ↳ Use Windows Credentials | If allowing users to select a VPN connection before logging into the system, enable this option to allow them to use their current Windows username and password. |
| After Logon SAML Authentication Framework | For VPN connections requiring SAML authentication, configure one of FortiClient's embedded browsers. A different engine powers each browser. Using Microsoft Edge WebView2 or Electron is recommended, as they provide enhanced security and align with modern web standards. When Microsoft Entra ID is used as an identity provider and the endpoint is Azure-joined or added to an Azure account, if the SAML authentication framework is set to WebBrowser, the VPN connection establishes seamlessly without prompting for Azure credentials. In this case, disabling Save Password has no effect. |
| Minimize FortiClient Console on Connect | If FortiEndpoint is connected to one VPN tunnel, the FortiEndpoint console minimizes automatically after the tunnel is successfully established. This setting has no effect when FortiEndpoint is connected to multiple concurrent IKEv2 VPN tunnels; in that case the console window does not minimize automatically after the tunnel is successfully established, even if this option is enabled. |
| Suppress VPN Notifications | Block FortiClient from displaying any VPN connection or error notifications. |
| Disable Internet Check | When this setting is disabled, VPN autoconnect starts only when FortiClient can access the internet. When enabled, VPN autoconnect starts even if FortiClient cannot access the internet. |
| Use Vendor ID | Use a vendor ID. Enter the vendor ID in the Vendor ID field. |
| Enable Secure Remote Access | FortiClient denies or allows the endpoint to connect to a VPN tunnel based on the tunnel's Tags configuration. See the Tags field description in SSL VPN and IPsec VPN. |
| Prelogon Auto Connect Tunnel | Select the VPN tunnel that FortiClient starts when the OS boots up. If using a certificate, the certificate must exist in the computer certificate store. If the stored tunnel credentials are incorrect, FortiClient prompts the user for credentials to establish the tunnel connection. This feature may not work for IPsec VPN tunnels using certificates when per-user autoconnect is configured. |
| ↳ Prelogon Auto Connect Priority | This option is available only if a tunnel is selected in Prelogon Auto Connect Tunnel. |
| Current Connection | Select the current VPN tunnel. |
| ↳ Auto Connect | Select a VPN tunnel for endpoints to connect to automatically when the end user logs into the endpoint. The end user must have established the VPN connection manually at least once from the FortiClient GUI. |
| ↳ Disable Connect/Disconnect | Disable the Connect/Disconnect button when using autoconnect VPN. |
| ↳ Auto Connect Only When Off-Fabric | Autoconnect to the selected VPN tunnel only when EMS considers the endpoint off-fabric. See On-fabric Detection Rules. |
| ↳ Auto Connect on Install | When enabled, the endpoint automatically connects to the VPN tunnel specified in Auto Connect after FortiClient receives an endpoint profile update. |
| Always Up Max Tries | Maximum number of attempts to retry a VPN connection lost due to network issues. If set to 0, FortiClient retries indefinitely. |
| Disconnect Password | Configure the password that users must enter to disconnect FortiClient from FortiOS. The password is encrypted using the PBKDF2 method. The default is no password. When a disconnect password is set, the Disconnect option remains visible to end users using autoconnect VPN even if Disable Connect/Disconnect is selected. |
| Enforce Disabling Smart Multi-Homed Name Resolution | This field changes the status of the registry key `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DisableSmartNameResolution`, or, in Group Policy, Computer Configuration > Administrative Templates > Network > DNS Client > Turn off smart multi-homed name resolution. When using IPsec or SSL VPN split DNS, enabling this field may prevent the client from sending simultaneous DNS queries on multiple network interfaces. However, where DNS queries via the FortiClient VPN virtual network interface are slow or fail, Windows may still attempt to resolve them through the physical network adapter. If you want to route DNS queries primarily through the FortiClient VPN interface, enabling this field helps ensure that queries are typically restricted to a single interface, though this behavior cannot be fully guaranteed. |
| Enable Multi-Connect on Eligible Tunnels | Enable FortiClient to connect to multiple tunnels concurrently. This feature is in beta and only supports IPsec VPN IKEv2 tunnels. |
| ↳ DNS Priority | When Enable Multi-Connect on Eligible Tunnels is enabled, DNS Priority lists all IPsec VPN IKEv2 tunnels configured on this profile. A maximum of 50 such tunnels can be configured per profile. Drag and drop the tunnels to order the list by DNS priority. The priority list determines which tunnel interface has higher priority for DNS queries on Windows. When performing a DNS query, Windows queries the DNS server from the tunnel with the highest priority. If the query fails, Windows queries the DNS server from the tunnel with the next highest priority, and so on. The DNS priority is the same as the VPN tunnel interface metric. |
| Enable View Selected VPNs | Enable for FortiClient to display pinned tunnels by default. If disabled, the FortiClient GUI displays all configured VPN tunnels. The user can select View > Selected VPNs to display only pinned tunnels. FortiClient remembers this setting and shows only pinned tunnels for that user when they open the FortiClient console in the future. FortiClient respects the local setting over the EMS setting in this case. |
| Network Lockdown | Configure network lockdown for off-fabric endpoints when they are not connected to VPN. When network lockdown is configured and an endpoint goes off-fabric, a grace period that the EMS administrator configured comes into effect. During the grace period, the endpoint can continue to access the LAN and the internet without restrictions. If the endpoint does not connect to VPN by the end of the grace period, it cannot access the LAN or the internet. It can still access IP addresses and applications that the EMS administrator has configured as exceptions. FortiClient blocks both incoming and outgoing traffic unless the EMS administrator has configured an exception. After the end of the grace period, the endpoint can connect to VPN to regain internet access. For a full tunnel VPN, the LAN is accessible only if exclusive routing is disabled. The administrator configures a limited number of attempts for the end user to enter valid VPN credentials. Once the user reaches the limit, the endpoint is in network lockdown. This feature only supports FortiClient (Windows) and (macOS). |
| `<detect_captive_portal>` | Configure captive portal detection options, which are XML-only (see VPN options). A captive portal is a webpage that users must interact with before gaining broader access to the network. Captive portals are commonly used in public or semi-public networks, such as those in hotels, where users must authenticate, accept terms of service, or log in before they can access the internet or other network resources. |
| Grace Period | Configure a grace period in seconds during which an off-fabric endpoint that is not connected to VPN can continue to access the LAN and the internet without restrictions before network lockdown. Enter a value between 20 and 3600. |
| Maximum Connection Attempts | Configure the maximum number of attempts for the end user of an off-fabric endpoint to enter valid VPN credentials. |
| Paths to Excluded Applications | Enter the paths to applications that an off-Fabric endpoint that is not connected to VPN can still access. |
| Excluded IPs | Enter IP addresses that an off-Fabric endpoint that is not connected to VPN can still access. |
| Excluded Domains | Enter domains or fully qualified domain names (FQDNs) that an off-Fabric endpoint that is not connected to VPN can still access. Ensure that you enter the FQDN correctly. Entries that include a protocol (such as https://) are not part of the FQDN and are therefore incorrect, as are entries with an extra / added (such as fortinet.com/). An entry such as example.com matches both .example.com and example.com, and an entry such as www.example.com matches .www.example.com and www.example.com. Moreover, network lockdown allows or blocks traffic based on the IP address extracted from the DNS response, so it does not rely on the top-level domain (TLD) or full URL. For instance, if www.fortinet.com is added and, in a lockdown state, the endpoint attempts to access the site but is redirected to www.fortinet.com/subscription, access is still allowed, and the client can reach the redirected page as well. |
| Excluded SaaS Applications | Select SaaS applications that an off-Fabric endpoint that is not connected to VPN can still access. |
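
The following PowerShell script is an added example for verifying, on a Windows endpoint, the state that the Enforce Disabling Smart Multi-Homed Name Resolution and DNS Priority settings above act on. It is not part of the Fortinet documentation or of FortiClient. It reads the `DisableSmartNameResolution` policy value at the registry path named in the setting description and lists connected IPv4 interfaces in interface-metric order, which the DNS Priority description states is the order Windows uses for DNS queries. The function names are my own; the cmdlets are the standard Windows NetTCPIP and DnsClient modules.

```powershell
# Added example (not Fortinet documentation or FortiClient code). Audits the DNS
# behaviour that the "Enforce Disabling Smart Multi-Homed Name Resolution" and
# "DNS Priority" settings act on. Run in an elevated PowerShell session on the endpoint.

function Get-SmartNameResolutionState {
    # Reads the policy value that the EMS setting toggles (path taken from the setting description).
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $item = Get-ItemProperty -Path $path -Name 'DisableSmartNameResolution' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No policy value: the Windows default applies, so parallel queries on all interfaces are permitted.
        return [pscustomobject]@{ Configured = $false; Disabled = $false }
    }
    return [pscustomobject]@{
        Configured = $true
        Disabled   = ($item.DisableSmartNameResolution -eq 1)
    }
}

function Get-DnsInterfaceOrder {
    # Connected IPv4 interfaces, lowest metric first. The DNS Priority description says the
    # EMS priority order equals the tunnel interface metric, so this is the order in which
    # Windows tries DNS servers once queries are restricted to a single interface.
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' } |
        Sort-Object InterfaceMetric |
        ForEach-Object {
            $servers = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).ServerAddresses
            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                Metric     = $_.InterfaceMetric
                DnsServers = ($servers -join ', ')
            }
        }
}

$state = Get-SmartNameResolutionState
if (-not $state.Configured) {
    Write-Output 'DisableSmartNameResolution: not set (Windows default, parallel queries on all interfaces)'
} elseif ($state.Disabled) {
    Write-Output 'DisableSmartNameResolution: 1 (queries restricted to a single interface where possible)'
} else {
    Write-Output 'DisableSmartNameResolution: 0 (smart multi-homed resolution explicitly enabled)'
}

Write-Output ''
Write-Output 'Interfaces in DNS query order (lowest metric first):'
Get-DnsInterfaceOrder | Format-Table -AutoSize
```

If the FortiClient VPN interface does not appear first in the metric list while a tunnel is up, DNS queries may still leave through the physical adapter, which is the failure mode the setting description warns cannot be fully ruled out.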
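
The next script is an added example, not Fortinet code, illustrating the Excluded Domains entry rules described above: entries carrying a scheme or a trailing slash are rejected, and a hostname is covered by an entry when it equals the entry or is a subdomain of it (example.com covers .example.com and example.com; www.example.com covers .www.example.com and www.example.com). The sample entries and hostnames are constructed for the demonstration, and the function names are my own.

```powershell
# Added example (not Fortinet code): validate Network Lockdown "Excluded Domains" entries
# and show which hostnames a given entry covers, per the rules in the setting description.

function Test-ExcludedDomainEntry {
    # $true when the entry is a bare FQDN; $false when it carries a scheme (https://) or a
    # path component (fortinet.com/), both of which the description says are incorrect.
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -match '^[A-Za-z][A-Za-z0-9+.-]*://') { return $false }
    if ($Entry -match '/') { return $false }
    # Labels of 1-63 characters separated by dots, whole name at most 253 characters.
    return $Entry -match '^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$'
}

function Test-HostMatchesExclusion {
    # A hostname matches when it equals the entry or ends with "." followed by the entry,
    # i.e. the entry covers itself and all of its subdomains.
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$Entry
    )
    $h = $Hostname.TrimEnd('.').ToLowerInvariant()
    $e = $Entry.TrimEnd('.').ToLowerInvariant()
    return ($h -eq $e) -or $h.EndsWith(".$e")
}

# Constructed sample entries: the two incorrect shapes from the description and two valid ones.
$entries = @('https://fortinet.com', 'fortinet.com/', 'fortinet.com', 'www.example.com')
foreach ($entry in $entries) {
    '{0,-22} valid entry: {1}' -f $entry, (Test-ExcludedDomainEntry -Entry $entry)
}

# Constructed lookups showing the subdomain rule (expected: True, True, False, False).
$checks = @(
    @{ Host = 'www.fortinet.com'; Entry = 'fortinet.com' },
    @{ Host = 'fortinet.com';     Entry = 'fortinet.com' },
    @{ Host = 'notfortinet.com';  Entry = 'fortinet.com' },
    @{ Host = 'example.com';      Entry = 'www.example.com' }
)
foreach ($c in $checks) {
    '{0,-18} vs {1,-16} -> {2}' -f $c.Host, $c.Entry, (Test-HostMatchesExclusion -Hostname $c.Host -Entry $c.Entry)
}
```

As the description states, the lockdown itself is enforced on the IP addresses returned in DNS responses, not on the name or URL; this script only checks that entries have the shape the setting expects and shows which hostnames an entry covers, which is what determines whether the redirect case (www.fortinet.com/subscription) stays reachable.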