Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Endpoint Control

Endpoint Control configuration elements are usually downloaded from FortiGate or FortiClient EMS after FortiClient registers to the same FortiGate or FortiClient EMS. When FortiClient registers to FortiGate/EMS, it is connecting Telemetry to FortiGate/EMS. There are two sections:

  • Endpoint Control general attributes. These are contained in the <endpoint_control> </endpoint_control> XML tags.
  • Configuration details relating to specific FortiClient services, such as Antivirus, Web Filtering, Application Firewall, Vulnerability Scanner, and so on. These will be found in the respective configuration elements of the services affected.

Endpoint control general attributes are listed below.

<forticlient_configuration>

<endpoint_control>

<checksum></checksum>

<enabled>1</enabled>

<socket_connect_timeouts>1:5</socket_connect_timeouts>

<system_data>Encrypted_String</system_data>

<disable_unregister>0</disable_unregister>

<disable_fgt_switch>1</disable_fgt_switch>

<ping_server>172.17.61.178:8010</ping_server>

<fgt_name>FG_Hostname</fgt_name>

<fgt_sn>Encrypted_Serial_Number_String</fgt_sn>

<offnet_update>1</offnet_update>

<user>Encrypted_UsernameString</user>

<skip_confirmation>0</skip_confirmation>

<fgt_logoff_on_fct_shutdown>1</fgt_logoff_on_fct_shutdown>

<show_bubble_notifications>1</show_bubble_notifications>

<avatar_enabled>1</avatar_enabled>

<silent_registration>0</silent_registration>

<notify_fgt_on_logoff>1</notify_fgt_on_logoff>

<fgt_list>Enc256828d1e23febfa0b789324ea1fc9cf45acdc8af3888e7aa26677825bbf8d5d123fcbc2884f3cb3f2a03b5414ab01e6a6c22762add0c4f209224f052dec29491e1d15eee4a1a290a81b367c3d4a5251258ed14921e231547f52d9e3</fgt_list>

<ui>

<display_antivirus>1</display_antivirus>

<display_sandbox>1</display_sandbox>

<display_webfilter>1</display_webfilter>

<display_firewall>1</display_firewall>

<display_vpn>1</display_vpn>

<display_vulnerability_scan>1</display_vulnerability_scan>

<display_compliance>1</display_compliance>

<hide_compliance_warning>0</hide_compliance_warning>

</ui>

<onnet_addresses>

<address>1.1.1.0/255.255.255.0</address>

</onnet_addresses>

<onnet_mac_addresses>

<address>00:00:00:00:00:00</address>

</onnet_mac_addresses>

<alerts>

<notify_server>1</notify_server>

<alert_threshold>1</alert_threshold>

</alerts>

<fortigates>

<fortigate>

<serial_number></serial_number>

<name></name>

<registration_password></registration_password>

<addresses></addresses>

</fortigate>

</fortigates>

<notification_server>

<address>172.17.60.26:8013</address>

</notification_server>

<nac>

<processes>

<process id="1" name="MS Word" rule="present">

<signature name="processname.exe">SHA256 of file</signature>

<signature name="processname.exe">SHA256 of file</signature>

</process>

<process id="2" name="FortiToken" rule="absent">

<signature name="processname2.exe"/>

</process>

</processes>

<files>

<path id="1">Path to folder/file</path>

<path id="2">Path to folder/file</path>

</files>

<registry>

<path id="1">path to 32bit or 64bit registry key or value</path>

<path id="2">path to 32bit or 64bit registry key or value</path>

</registry>

</nac>

</endpoint_control>

</forticlient_configuration>

The following table provides endpoint control XML tags, the description, and the default value (where applicable).

XML Tag

Description

Default Value

<checksum>

Configuration checksum calculated on and enforced by FortiGate and EMS.

 

<enabled>

Enable endpoint control.

 

<system_data>

Endpoint control system information. This element is protected and is not intended to be changed.

 

<socket_connect_timeouts>

Probe timeout for endpoint control registration and keep-alive message timeout in seconds.

probe_timeout:keep_alive_timeout

Changing socket connect time outs might affect performance.

1:5

<ping_server>

The IP address or FQDN of the PING server.

FortiClient updates this tag when it registers to FortiGate or EMS. Edits to this tag will be overwritten by FortiClient.

This field can be safely deleted.

 

<fgt_name>

The name of the FortiGate (FortiGate Hostname) or EMS that FortiClient is currently registered to (if any).

FortiClient updates this tag when it registers to the FortiGate or EMS. Edits to this tag will be overwritten by FortiClient.

This field can be safely deleted.

 

<fgt_sn>

The encrypted serial number of the registered FortiGate or EMS (if any). Do not edit this field.

This field can be safely deleted.

 

<offnet_update>

Enable or disable synchronization of configuration updates from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<user>

Encrypted user name.

 

<skip_confirmation>

Do not prompt user before proceeding to complete registration with FortiGate or EMS.

Boolean value: [0 | 1]

0

<disable_unregister>

Prevent a registered client from being able to unregister after successfully registering to FortiGate or EMS.

Boolean value: [0 | 1]

When this setting is configured as 1, the FortiClient user is unable to unregister from the FortiGate or EMS after initial registration. This XML setting is intended to be used with <silent_registration>. If Enable Registration Key for FortiClient is enabled on FortiGate or EMS, configure this password in the <registration_password> XML tag, and enter the IP address or addresses of the FortiGate or EMS in the <addresses> XML tag.

0

<disable_fgt_switch>

Enable or disable the disabling of the FortiGate switch.

Boolean value: [0 | 1]

This XML setting intended for use with <silent_registration> and <disable_unregister>. If Enable Registration Key for FortiClient is enabled on the FortiGate,configure this password in the <registration_password> XML tag and enter the IP address or addresses of the FortiGate in the <addresses> XML tag.

When <disable_fgt_switch> is configured as 1, the FortiGate switch is disabled. As a result:

  • FortiClient does not probe default gateway.
  • FortiClient does not automatically register to the default gateway.
  • FortiClient ignores FortiGate broadcasts.
  • The discovered list dislays only predefined FortiGate devices (if discovered).

 

<fgt_logoff_on_fct_shutdown>

Notify FortiGate or EMS when FortiClient is shut down.

Boolean value: [0 | 1]

1

<show_bubble_notifications>

Notify the user when new policies are installed.

Boolean value: [0 | 1]

1

<show_bubble_notification>

Show notifications in the system tray when a configuration update is received from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<avatar_enabled>

Boolean value: [0 | 1]

1

<silent_registration>

Register to the FortiGate or EMS without prompting the user to accept registration. When enabled, no end user interaction is required to get the client to register to FortiGate or EMS.

Boolean value: [0 | 1]

This XML setting is intended to be used with <disable_unregister>.

0

<notify_fgt_on_logoff>

Notify FortiGate or EMS when the FortiClient endpoint detects that a user logs off. When this setting is configured as 0, no message is sent to FortiGate or EMS. When this setting is configured as 1, a message is sent to FortiGate or EMS.

Boolean value: [0 | 1]

 

<fgt_list>

Encrypted list of remembered FortiGate or EMS units. Do not edit this field.

This field can be safely deleted.

 

<ui> elements

<display_antivirus>

Display the Antivirus tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_sandbox>

Display the Sandbox Detection tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_webfilter>

Display the Web Filtering tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_firewall>

Display the Application Firewall tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_vpn>

Display the Remote Access (VPN) tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_vulnerability_scan>

Display the Vulnerability Scan tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_compliance>

This tag is not used in FortiClient 5.6.0 and newer versions.

Display the Compliance tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<hide_compliance_warning>

Enable to hide the compliance enforcement feature message from the Compliance tab. This option is only enforced on FortiClients connected to FortiClient EMS. This option does not apply to monitored clients.

Boolean value: [0 | 1]

1

<onnet_addresses>

Configure the subnet so that FortiClient in this subnet keeps the on-net prefix and subnet mask of the subnet.

 

<onnet_mac_addresses>

Configure the mac address of the default gateway so that FortiClient in the subnet specified by <onnet_address> that is using the default gateway configured by <onnet_mac_address> keeps the on-net mac address of the default gateway.

 

<alerts> element

<notify_server>

Enable or disable FortiClient to send alerts to FortiClient EMS.

Boolean value: [0 | 1]. When this setting is configured as 1, FortiClient sends alerts to FortiClient EMS. The priority of alerts sent by FortiClient depends on the <alert_threshold> setting.

1

<alert_threshold>

Configures the threshold of alerts sent by FortiClient to EMS. Enter one of the following:

  • 1: High priority alerts
  • 3: Medium priority alerts
  • 5: Low priority alerts

1

<fortigates> elements

This is a list of FortiGate that will immediately appear in the FortiClient console. The client will be capable of registering with them if they are online. If <endpoint_control><silent_registration> is set to 1 then the client will attempt to silently register. The list is in priority order.

<fortigate>

This element (with its child elements) should be repeated for each FortiGate that should appear in FortiClient's console interface.

 

<serial_number>

[Optional] The serial number of the FortiGate. Displayed to the end user. It may be updated with the real serial number from the FortiGate that the client registers with.

 

<name>

[Optional] The name of the FortiGate. Displayed to the end user. It may be updated with the real name from the FortiGate that the client registers with.

 

<registration_password>

When FortiClient registers/connects to FortiGate and Enable Registration Key for FortiClient is enabled on the FortiGate, configure the password in the <registration_password> XML setting. The <registration_password> element contains the registration password (encrypted or plain text) required to register to the FortiGate units listed in <endpoint_control><fortigates><fortigate><addresses>

When FortiClient registers/connects to EMS and EMS requires a connection key, configure the password in the <registration_password> XML setting. The <registration_password> element contains the connection key required to register to the EMS listed in <endpoint_control><notification_server><addresses>.

The element is not needed when FortiGate or EMS does not require a password

 

<addresses>

The FortiGate that appears in the console can be a list of FortiGate addresses. FortiClient will attempt to register to the first FortiGate listed here.

A 'redundancy list' of FortiGate IP:port pairs that represent this FortiGate. The list must have at least one FortiGate IP:port pair. Multiple FortiGate IP:port pairs are delimited with a semicolon.

Both IP addresses and FQDN are permitted. The list is in priority order.

If Enable Registration Key for FortiClient is enabled on the FortiGate, configure the IP address or FQDN of the FortiGate in the FortiClient <addresses> XML setting.

 

<local_subnets_only>

Boolean value: [0 | 1]

0

<notification_server>

Enable EMS to manage FortiClient after FortiClient registers to the FortiGate IP address and port numbers specified by EMS. Configure the IP address of EMS.

 

<nac> elements

This element (with its child elements) specifies up to three compliance rules for network access control (NAC). When an endpoint configuration does not comply with all of the complies rules configured in the <nac> elements, non-compliance is triggered, and network access might be blocked. For information about how compliance rules work, see the FortiClient Administration Guide. Compliance rules apply only when FortiClient is registered to FortiGate. When FortiClient is not registered to FortiGate, compliance rules are not used. You can configure none, one, or all three compliance rules.

<processes>

[Optional] Create a policy for an application and its signature.

 

<process>

Identify an application name and its signature. This element should be repeated for each unique application name.

 

<process id="" name="" rule="">

ID of this process entry and name of the application that is associated with the signatures, for example, <process id="1" name="MS Word">. Also shows whether FortiGate compliance rules require this process to be present or absent on the endpoint.

 

<signature name="" />

Identify the name of the application and its signature. Repeat this element for different versions of the same application.

 

<files>

[Optional] Create a policy for a file and path. The policy is compliant when the file can be found.

 

<path id=""/>

ID of this path entry. Identify the path of the file for the policy. Repeat this element for each unique file path.

 

<registry>

[Optional] Create a policy for a registry key or value.

 

<path id=""/>

ID of this path entry. Identify the registry key or value. When the path ends with a forward slash (/), it identifies a key. When the path ends without a forward slash, it identifies a registry value.

 

When you disable <ui> elements from being displayed in the FortiClient console, the modules are still installed as part of the FortiClient installation. To configure a VPN only installation, you can use the FortiClient Configurator tool. When selecting VPN only, all other modules are not part of the FortiClient installation.

The <fortigate> element is used to define the FortiGates in a roaming (or redundant) FortiGate configuration. One or more <fortigate> elements may be provided within <fortigates>.

Endpoint Control

Endpoint Control configuration elements are usually downloaded from FortiGate or FortiClient EMS after FortiClient registers to the same FortiGate or FortiClient EMS. When FortiClient registers to FortiGate/EMS, it is connecting Telemetry to FortiGate/EMS. There are two sections:

  • Endpoint Control general attributes. These are contained in the <endpoint_control> </endpoint_control> XML tags.
  • Configuration details relating to specific FortiClient services, such as Antivirus, Web Filtering, Application Firewall, Vulnerability Scanner, and so on. These will be found in the respective configuration elements of the services affected.

Endpoint control general attributes are listed below.

<forticlient_configuration>

<endpoint_control>

<checksum></checksum>

<enabled>1</enabled>

<socket_connect_timeouts>1:5</socket_connect_timeouts>

<system_data>Encrypted_String</system_data>

<disable_unregister>0</disable_unregister>

<disable_fgt_switch>1</disable_fgt_switch>

<ping_server>172.17.61.178:8010</ping_server>

<fgt_name>FG_Hostname</fgt_name>

<fgt_sn>Encrypted_Serial_Number_String</fgt_sn>

<offnet_update>1</offnet_update>

<user>Encrypted_UsernameString</user>

<skip_confirmation>0</skip_confirmation>

<fgt_logoff_on_fct_shutdown>1</fgt_logoff_on_fct_shutdown>

<show_bubble_notifications>1</show_bubble_notifications>

<avatar_enabled>1</avatar_enabled>

<silent_registration>0</silent_registration>

<notify_fgt_on_logoff>1</notify_fgt_on_logoff>

<fgt_list>Enc256828d1e23febfa0b789324ea1fc9cf45acdc8af3888e7aa26677825bbf8d5d123fcbc2884f3cb3f2a03b5414ab01e6a6c22762add0c4f209224f052dec29491e1d15eee4a1a290a81b367c3d4a5251258ed14921e231547f52d9e3</fgt_list>

<ui>

<display_antivirus>1</display_antivirus>

<display_sandbox>1</display_sandbox>

<display_webfilter>1</display_webfilter>

<display_firewall>1</display_firewall>

<display_vpn>1</display_vpn>

<display_vulnerability_scan>1</display_vulnerability_scan>

<display_compliance>1</display_compliance>

<hide_compliance_warning>0</hide_compliance_warning>

</ui>

<onnet_addresses>

<address>1.1.1.0/255.255.255.0</address>

</onnet_addresses>

<onnet_mac_addresses>

<address>00:00:00:00:00:00</address>

</onnet_mac_addresses>

<alerts>

<notify_server>1</notify_server>

<alert_threshold>1</alert_threshold>

</alerts>

<fortigates>

<fortigate>

<serial_number></serial_number>

<name></name>

<registration_password></registration_password>

<addresses></addresses>

</fortigate>

</fortigates>

<notification_server>

<address>172.17.60.26:8013</address>

</notification_server>

<nac>

<processes>

<process id="1" name="MS Word" rule="present">

<signature name="processname.exe">SHA256 of file</signature>

<signature name="processname.exe">SHA256 of file</signature>

</process>

<process id="2" name="FortiToken" rule="absent">

<signature name="processname2.exe"/>

</process>

</processes>

<files>

<path id="1">Path to folder/file</path>

<path id="2">Path to folder/file</path>

</files>

<registry>

<path id="1">path to 32bit or 64bit registry key or value</path>

<path id="2">path to 32bit or 64bit registry key or value</path>

</registry>

</nac>

</endpoint_control>

</forticlient_configuration>

The following table provides endpoint control XML tags, the description, and the default value (where applicable).

XML Tag

Description

Default Value

<checksum>

Configuration checksum calculated on and enforced by FortiGate and EMS.

 

<enabled>

Enable endpoint control.

 

<system_data>

Endpoint control system information. This element is protected and is not intended to be changed.

 

<socket_connect_timeouts>

Probe timeout for endpoint control registration and keep-alive message timeout in seconds.

probe_timeout:keep_alive_timeout

Changing socket connect time outs might affect performance.

1:5

<ping_server>

The IP address or FQDN of the PING server.

FortiClient updates this tag when it registers to FortiGate or EMS. Edits to this tag will be overwritten by FortiClient.

This field can be safely deleted.

 

<fgt_name>

The name of the FortiGate (FortiGate Hostname) or EMS that FortiClient is currently registered to (if any).

FortiClient updates this tag when it registers to the FortiGate or EMS. Edits to this tag will be overwritten by FortiClient.

This field can be safely deleted.

 

<fgt_sn>

The encrypted serial number of the registered FortiGate or EMS (if any). Do not edit this field.

This field can be safely deleted.

 

<offnet_update>

Enable or disable synchronization of configuration updates from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<user>

Encrypted user name.

 

<skip_confirmation>

Do not prompt user before proceeding to complete registration with FortiGate or EMS.

Boolean value: [0 | 1]

0

<disable_unregister>

Prevent a registered client from being able to unregister after successfully registering to FortiGate or EMS.

Boolean value: [0 | 1]

When this setting is configured as 1, the FortiClient user is unable to unregister from the FortiGate or EMS after initial registration. This XML setting is intended to be used with <silent_registration>. If Enable Registration Key for FortiClient is enabled on FortiGate or EMS, configure this password in the <registration_password> XML tag, and enter the IP address or addresses of the FortiGate or EMS in the <addresses> XML tag.

0

<disable_fgt_switch>

Enable or disable the disabling of the FortiGate switch.

Boolean value: [0 | 1]

This XML setting intended for use with <silent_registration> and <disable_unregister>. If Enable Registration Key for FortiClient is enabled on the FortiGate,configure this password in the <registration_password> XML tag and enter the IP address or addresses of the FortiGate in the <addresses> XML tag.

When <disable_fgt_switch> is configured as 1, the FortiGate switch is disabled. As a result:

  • FortiClient does not probe default gateway.
  • FortiClient does not automatically register to the default gateway.
  • FortiClient ignores FortiGate broadcasts.
  • The discovered list dislays only predefined FortiGate devices (if discovered).

 

<fgt_logoff_on_fct_shutdown>

Notify FortiGate or EMS when FortiClient is shut down.

Boolean value: [0 | 1]

1

<show_bubble_notifications>

Notify the user when new policies are installed.

Boolean value: [0 | 1]

1

<show_bubble_notification>

Show notifications in the system tray when a configuration update is received from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<avatar_enabled>

Boolean value: [0 | 1]

1

<silent_registration>

Register to the FortiGate or EMS without prompting the user to accept registration. When enabled, no end user interaction is required to get the client to register to FortiGate or EMS.

Boolean value: [0 | 1]

This XML setting is intended to be used with <disable_unregister>.

0

<notify_fgt_on_logoff>

Notify FortiGate or EMS when the FortiClient endpoint detects that a user logs off. When this setting is configured as 0, no message is sent to FortiGate or EMS. When this setting is configured as 1, a message is sent to FortiGate or EMS.

Boolean value: [0 | 1]

 

<fgt_list>

Encrypted list of remembered FortiGate or EMS units. Do not edit this field.

This field can be safely deleted.

 

<ui> elements

<display_antivirus>

Display the Antivirus tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_sandbox>

Display the Sandbox Detection tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_webfilter>

Display the Web Filtering tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_firewall>

Display the Application Firewall tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_vpn>

Display the Remote Access (VPN) tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_vulnerability_scan>

Display the Vulnerability Scan tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<display_compliance>

This tag is not used in FortiClient 5.6.0 and newer versions.

Display the Compliance tab in the console.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature will not be displayed in the FortiClient console.

 

<hide_compliance_warning>

Enable to hide the compliance enforcement feature message from the Compliance tab. This option is only enforced on FortiClients connected to FortiClient EMS. This option does not apply to monitored clients.

Boolean value: [0 | 1]

1

<onnet_addresses>

Configure the subnet so that FortiClient in this subnet keeps the on-net prefix and subnet mask of the subnet.

 

<onnet_mac_addresses>

Configure the mac address of the default gateway so that FortiClient in the subnet specified by <onnet_address> that is using the default gateway configured by <onnet_mac_address> keeps the on-net mac address of the default gateway.

 

<alerts> element

<notify_server>

Enable or disable FortiClient to send alerts to FortiClient EMS.

Boolean value: [0 | 1]. When this setting is configured as 1, FortiClient sends alerts to FortiClient EMS. The priority of alerts sent by FortiClient depends on the <alert_threshold> setting.

1

<alert_threshold>

Configures the threshold of alerts sent by FortiClient to EMS. Enter one of the following:

  • 1: High priority alerts
  • 3: Medium priority alerts
  • 5: Low priority alerts

1

<fortigates> elements

This is a list of FortiGate that will immediately appear in the FortiClient console. The client will be capable of registering with them if they are online. If <endpoint_control><silent_registration> is set to 1 then the client will attempt to silently register. The list is in priority order.

<fortigate>

This element (with its child elements) should be repeated for each FortiGate that should appear in FortiClient's console interface.

 

<serial_number>

[Optional] The serial number of the FortiGate. Displayed to the end user. It may be updated with the real serial number from the FortiGate that the client registers with.

 

<name>

[Optional] The name of the FortiGate. Displayed to the end user. It may be updated with the real name from the FortiGate that the client registers with.

 

<registration_password>

When FortiClient registers/connects to FortiGate and Enable Registration Key for FortiClient is enabled on the FortiGate, configure the password in the <registration_password> XML setting. The <registration_password> element contains the registration password (encrypted or plain text) required to register to the FortiGate units listed in <endpoint_control><fortigates><fortigate><addresses>

When FortiClient registers/connects to EMS and EMS requires a connection key, configure the password in the <registration_password> XML setting. The <registration_password> element contains the connection key required to register to the EMS listed in <endpoint_control><notification_server><addresses>.

The element is not needed when FortiGate or EMS does not require a password

 

<addresses>

The FortiGate that appears in the console can be a list of FortiGate addresses. FortiClient will attempt to register to the first FortiGate listed here.

A 'redundancy list' of FortiGate IP:port pairs that represent this FortiGate. The list must have at least one FortiGate IP:port pair. Multiple FortiGate IP:port pairs are delimited with a semicolon.

Both IP addresses and FQDN are permitted. The list is in priority order.

If Enable Registration Key for FortiClient is enabled on the FortiGate, configure the IP address or FQDN of the FortiGate in the FortiClient <addresses> XML setting.

 

<local_subnets_only>

Boolean value: [0 | 1]

0

<notification_server>

Enable EMS to manage FortiClient after FortiClient registers to the FortiGate IP address and port numbers specified by EMS. Configure the IP address of EMS.

 

<nac> elements

This element (with its child elements) specifies up to three compliance rules for network access control (NAC). When an endpoint configuration does not comply with all of the complies rules configured in the <nac> elements, non-compliance is triggered, and network access might be blocked. For information about how compliance rules work, see the FortiClient Administration Guide. Compliance rules apply only when FortiClient is registered to FortiGate. When FortiClient is not registered to FortiGate, compliance rules are not used. You can configure none, one, or all three compliance rules.

<processes>

[Optional] Create a policy for an application and its signature.

 

<process>

Identify an application name and its signature. This element should be repeated for each unique application name.

 

<process id="" name="" rule="">

ID of this process entry and name of the application that is associated with the signatures, for example, <process id="1" name="MS Word">. Also shows whether FortiGate compliance rules require this process to be present or absent on the endpoint.

 

<signature name="" />

Identify the name of the application and its signature. Repeat this element for different versions of the same application.

 

<files>

[Optional] Create a policy for a file and path. The policy is compliant when the file can be found.

 

<path id=""/>

ID of this path entry. Identify the path of the file for the policy. Repeat this element for each unique file path.

 

<registry>

[Optional] Create a policy for a registry key or value.

 

<path id=""/>

ID of this path entry. Identify the registry key or value. When the path ends with a forward slash (/), it identifies a key. When the path ends without a forward slash, it identifies a registry value.

 

When you disable <ui> elements from being displayed in the FortiClient console, the modules are still installed as part of the FortiClient installation. To configure a VPN only installation, you can use the FortiClient Configurator tool. When selecting VPN only, all other modules are not part of the FortiClient installation.

The <fortigate> element is used to define the FortiGates in a roaming (or redundant) FortiGate configuration. One or more <fortigate> elements may be provided within <fortigates>.