FortiClient with FortiGate

In this scenario, FortiClient connects Telemetry to FortiGate and compliance is supported. There is no connection to EMS.

The following shows an example of the Compliance & Telemetry tab after FortiClient has connected Telemetry to a FortiGate that has the compliance feature enabled, and the endpoint is in compliance with the FortiGate compliance rules.

FortiOS sends a FortiClient Profile to FortiClient. The FortiClient Profile includes compliance rules and some minimal configuration required to resolve non-compliance issues. The FortiClient Profile includes all compliance rules, whether enabled or disabled. FortiClient ignores disabled rules as they do not affect endpoint compliance.

You cannot configure FortiClient using FortiGate. To configure FortiClient, use EMS.

After receiving the FortiClient Profile, FortiClient compares its configuration with the compliance rules and reports to FortiOS which rules it complies with and which it does not. If the endpoint is not compliant, the following occurs:

  • FortiOS blocks any endpoint where FortiClient is not installed or not connected to FortiOS. When FortiClient goes offline, it shows the compliance state, but the endpoint cannot access the Internet since FortiClient Telemetry is no longer connected.
  • If FortiClient is not compliant due to configuration issues, the user can change any configuration to make the endpoint compliant. If allowed by configuration, FortiClient can also be disconnected from FortiOS.
