Fortinet Document Library

FortiGate compliance rules

When FortiClient is connected to FortiGate, FortiGate provides network security by defining compliance rules for FortiClient endpoints. In FortiOS, administrators can configure a FortiClient profile and apply the profile to endpoints. The profile achieves the following goals:

  • Defines compliance rules for endpoint access to the network through FortiGate
  • Defines the non-compliance action for FortiGate—that is, how FortiGate handles endpoints that fail to comply with compliance rules

Depending on the FortiOS configuration, FortiOS uses one of the following methods to determine endpoint compliance. The first option is only available in FortiOS 6.0.0 and later versions. In both cases, FortiClient must be installed on the endpoint and there must be a Fabric Telemetry connection between FortiClient and FortiGate.

  1. An endpoint is considered compliant if its FortiClient is managed by the EMS server authorized in FortiOS.
  2. An endpoint is considered compliant if it complies with the specific compliance rules configured in FortiOS. The following list shows a sample of the compliance rules administrators can enable or disable in a FortiClient profile using the FortiOS GUI:
    • Telemetry data
    • Endpoint Vulnerability Scan on client
    • System compliance:
      • Minimum FortiClient version
      • What log types FortiClient will send to FortiAnalyzer
      • Processes running on client
    • Security posture check:
      • Realtime protection
      • Third party Antivirus on Windows
      • Web filter
      • Application firewall
For information on configuring FortiGate compliance rules, see the FortiOS Handbook - Security Profiles.
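The two compliance methods and a subset of the listed rules, modelled as a small decision function. This is an added illustration, not FortiOS or FortiClient code: the profile fields, the telemetry record layout, the EMS name and the process name are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'6.0.3' -> (6, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class FortiClientProfile:
    """Assumed shape of the rules an administrator enables in a FortiClient profile."""
    authorized_ems: Optional[str] = None       # method 1: compliant if managed by this EMS
    min_version: Optional[str] = None          # system compliance: minimum FortiClient version
    required_processes: List[str] = field(default_factory=list)  # processes running on client
    require_realtime_protection: bool = False  # security posture checks
    require_webfilter: bool = False
    require_app_firewall: bool = False

def evaluate(profile: FortiClientProfile, telemetry: Dict) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). The telemetry dict is a constructed stand-in for
    what FortiClient reports over the Fabric Telemetry connection."""
    if not telemetry.get("telemetry_connected"):
        return False, ["no Fabric Telemetry connection"]
    # Method 1 (FortiOS 6.0.0 and later): an endpoint managed by the authorized EMS is compliant.
    if profile.authorized_ems and telemetry.get("managed_by_ems") == profile.authorized_ems:
        return True, []
    # Method 2: check every enabled rule and report all failures, not just the first.
    failures = []
    if profile.min_version and parse_version(telemetry["version"]) < parse_version(profile.min_version):
        failures.append(f"FortiClient {telemetry['version']} is below minimum {profile.min_version}")
    running = set(telemetry.get("processes", []))
    failures += [f"required process not running: {p}" for p in profile.required_processes if p not in running]
    posture = telemetry.get("posture", {})
    for key, required in (("realtime_protection", profile.require_realtime_protection),
                          ("webfilter", profile.require_webfilter),
                          ("app_firewall", profile.require_app_firewall)):
        if required and not posture.get(key, False):
            failures.append(f"security posture feature disabled: {key}")
    return not failures, failures

# Constructed profile and telemetry: one EMS-managed endpoint, one unmanaged endpoint failing two rules.
PROFILE = FortiClientProfile(authorized_ems="ems.example.internal", min_version="6.0.3",
                             required_processes=["FortiClient.exe"],
                             require_realtime_protection=True, require_webfilter=True)
MANAGED = {"telemetry_connected": True, "managed_by_ems": "ems.example.internal",
           "version": "6.0.0", "processes": [], "posture": {}}
UNMANAGED = {"telemetry_connected": True, "managed_by_ems": None, "version": "5.6.6",
             "processes": ["FortiClient.exe"], "posture": {"realtime_protection": True}}
```

Note that the managed endpoint passes even though its version is below the minimum, which is exactly the difference between the two methods: under method 1 the rule list is never evaluated.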
