
Administration Guide

Compliance rules

FortiGate compliance rules define what configuration FortiClient software and the endpoint must have for the endpoint to maintain access to the network through FortiGate.

FortiOS 6.0.0 and later versions use one of the following two methods to determine endpoint compliance. The FortiOS configuration determines which method is used. FortiOS versions prior to 6.0.0 only use the second method below to determine endpoint compliance. In both cases, FortiClient must be installed on the endpoint.

  1. An endpoint is considered compliant if FortiClient is managed by the EMS server authorized in FortiOS.
  2. An endpoint is considered compliant if it complies with the specific compliance rules configured in FortiOS. The following list shows a sample of the compliance rules administrators can enable or disable in a FortiClient profile using the FortiOS GUI:
    • Telemetry data
    • Endpoint Vulnerability Scan on client
    • System compliance:
      • Minimum FortiClient version
      • What log types FortiClient will send to FortiAnalyzer
      • Which applications/processes are running on the client, optionally with a required signature for each.

        Configuring compliance rules for running applications requires using the FortiOS CLI to set the following fields: application-check-rule, process-name, and app-sha256-signature. The app-sha256-signature field is optional. See the FortiOS CLI Reference.

    • Security posture check:
      • Realtime protection
      • Third-party antivirus on Windows
      • Web filter
      • Application firewall
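The running-application rule above has two parts: the named process must be present, and, when an app-sha256-signature is configured, the executable behind that process must hash to the expected value, so a renamed or tampered binary does not satisfy the rule. The following Python script is an added illustration of that check for administrators preparing such a rule; it is not FortiClient or FortiOS code. The rule class, the process snapshot and the two sample binaries are constructed for the demonstration; only the field names (process-name, app-sha256-signature) come from the guide. The script also shows how to derive the SHA-256 value to enter in the CLI from a known-good copy of the binary.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RunningAppRule:
    """Mirror of the two FortiOS CLI fields discussed in the guide.
    The signature is optional, as the guide states for app-sha256-signature."""
    process_name: str
    app_sha256_signature: Optional[str] = None


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks; this is the value an admin would paste into
    app-sha256-signature after computing it on a known-good binary."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def evaluate_rule(rule: RunningAppRule, running: Dict[str, str]) -> Tuple[bool, str]:
    """running maps a process name to the path of its executable (a constructed
    stand-in for a process listing). Returns (compliant, reason)."""
    exe_path = running.get(rule.process_name)
    if exe_path is None:
        return False, f"{rule.process_name}: process not running"
    if rule.app_sha256_signature is None:
        return True, f"{rule.process_name}: running, no signature required"
    actual = sha256_of_file(exe_path)
    if actual != rule.app_sha256_signature.lower():
        # Present by name but not the expected binary: treated as non-compliant.
        return False, f"{rule.process_name}: running but SHA-256 mismatch"
    return True, f"{rule.process_name}: running, signature matches"


def evaluate_compliance(rules: List[RunningAppRule],
                        running: Dict[str, str]) -> Tuple[bool, List[str]]:
    """An endpoint is compliant only if every configured rule passes."""
    results = [evaluate_rule(rule, running) for rule in rules]
    return all(ok for ok, _ in results), [reason for _, reason in results]


def demo() -> Dict[str, bool]:
    """Build two constructed binaries (one genuine, one altered) and evaluate
    three endpoint states against the same rule set."""
    with tempfile.TemporaryDirectory() as workdir:
        genuine = os.path.join(workdir, "agent.exe")
        altered = os.path.join(workdir, "agent_altered.exe")
        with open(genuine, "wb") as f:
            f.write(b"constructed sample agent binary")
        with open(altered, "wb") as f:
            f.write(b"constructed sample agent binary with an extra byte.")

        # Signature taken from the known-good copy, as an admin would do.
        rules = [
            RunningAppRule("agent.exe", sha256_of_file(genuine)),
            RunningAppRule("avservice.exe"),  # presence only
        ]

        compliant, _ = evaluate_compliance(
            rules, {"agent.exe": genuine, "avservice.exe": genuine})
        tampered, _ = evaluate_compliance(
            rules, {"agent.exe": altered, "avservice.exe": genuine})
        missing, _ = evaluate_compliance(
            rules, {"agent.exe": genuine})

        return {"compliant": compliant, "tampered": tampered, "missing": missing}


if __name__ == "__main__":
    for state, result in demo().items():
        print(f"{state}: {'compliant' if result else 'NON-COMPLIANT'}")
```

The point of the third case is worth keeping in mind when writing rules: a process that is present under the right name but backed by a different binary fails the rule only because the signature was configured, so leaving app-sha256-signature empty reduces the check to a name match.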

Administrators can also define additional compliance rules using the FortiOS CLI.

Although the compliance rules define what configuration FortiClient software and the endpoint must have, the FortiClient profile from FortiGate does not include any configuration information. The endpoint user or administrator is responsible for configuring FortiClient to adhere to the compliance rules. An administrator can use EMS to configure FortiClient.