Vulnerability Scan

Configurations for Vulnerability Scan are contained in the <vulnerability_scan></vulnerability_scan> XML tags.

<forticlient_configuration>
    <vulnerability_scan>
        <enabled>1</enabled>
        <scan_on_registration>1</scan_on_registration>
        <scan_on_signature_update>1</scan_on_signature_update>
        <auto_patch>
            <level>critical</level>
        </auto_patch>
        <windows_update>1</windows_update>
        <proxy_enabled>0</proxy_enabled>
        <exempt_manual>1</exempt_manual>
        <exemptions>
            <exemption>Google Chrome</exemption>
            <exemption>Java JDK</exemption>
        </exemptions>
        <exempt_no_auto_patch>1</exempt_no_auto_patch>
        <scheduled_scans>
            <schedule>
                <enable_schedule>1</enable_schedule>
                <repeat>1</repeat>
                <day>1</day>
                <time>19:30</time>
            </schedule>
        </scheduled_scans>
    </vulnerability_scan>
</forticlient_configuration>

The following table provides the XML tags for Vulnerability Scan, as well as the descriptions and default values where applicable.

XML Tag

Description

Default Value

<enabled>

Vulnerability Scan is enabled.

<scan_on_registration>

Specifies whether to start a vulnerability scan when FortiClient registers to FortiGate. When set to 1, start a vulnerability scan on registration. When set to 0, do not start a vulnerability scan on registration.

In older versions of FortiClient, this tag was named <scan_on_fgt_registration>.

Boolean value: [0 | 1]

<scan_on_signature_update>

Specifies whether to start a vulnerability scan when signatures are updated. When set to 1, start a vulnerability scan when signatures are updated. When set to 0, do not start a vulnerability scan when signatures are updated.

Boolean value: [0 | 1]

<auto_patch>

Specifies whether to automatically install patches. Use <level> to enable and disable automatic patch installation.

<level>

Automatically patches vulnerabilities with a severity higher than the defined level. When set to 0, automatic patching is disabled and patches are not automatically installed when vulnerabilities are detected. When set to info, all patches are automatically installed when vulnerabilities are detected. Select one of the following:

  • 0
  • critical
  • high
  • medium
  • low
  • info

<windows_update>

Specifies whether to scan both Windows updates and third-party application updates. When set to 1, scan both Windows updates and third-party application updates. When set to 0, scan only third-party application updates.

Boolean value: [0 | 1]

<proxy_enabled>

Enable or disable using proxy settings configured in FortiClient when downloading updates for vulnerability patches.

Boolean value: [0 | 1]

Default value: 0

<exempt_manual>

Specifies whether to exempt from vulnerability scanning any applications that require the endpoint user to manually install patches.

Boolean value: [0 | 1]

<exemptions>

Identifies the names of applications that are exempted.

<exempt_no_auto_patch>

Specifies whether to exempt from vulnerability scanning any applications that FortiClient can automatically patch.

Boolean value: [0 | 1]

<scheduled_scans><schedule> elements

Currently there can only be one scheduled item.

<enable_schedule>

Enable or disable scheduled vulnerability scans.

Boolean value: [0 | 1]

<repeat>

Frequency of scans. Select one of the following:

  • 0: daily scan
  • 1: weekly scan
  • 2: monthly scan

<day>

Used only for weekly and monthly scans. If the <repeat> tag is set to 0 (daily), the <day> tag is ignored.

If the <repeat> tag is set to 1 (weekly), <day> is the day of the week to run a scan. Select one of the following:

  • 1: Sunday
  • 2: Monday
  • 3: Tuesday
  • 4: Wednesday
  • 5: Thursday
  • 6: Friday
  • 7: Saturday

If the <repeat> tag is set to 2 (monthly), <day> is the date of each month to run a scan. A number from 1 to 31.

The default is the date the policy was installed from FortiGate.

<time>

The time at which to run the scan. Specify the time using the 24-hour clock.

The default is the time the policy was installed from FortiGate.
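The value rules in the table above can be checked before a configuration file is pushed to endpoints. The following Python audit is an added example, not Fortinet code: the function name `audit_vulnerability_scan`, the sample XML, and the HH:MM pattern for <time> (inferred from the sample value 19:30) are assumptions. It reports values outside the documented sets and notes the settings that reduce scan or patch coverage.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): auto-patch off, weekly scan, invalid <day>.
SAMPLE = """<forticlient_configuration><vulnerability_scan>
  <enabled>1</enabled>
  <auto_patch><level>0</level></auto_patch>
  <exemptions><exemption>Google Chrome</exemption></exemptions>
  <scheduled_scans><schedule><enable_schedule>1</enable_schedule>
    <repeat>1</repeat><day>9</day><time>19:30</time>
  </schedule></scheduled_scans>
</vulnerability_scan></forticlient_configuration>"""

SCHED = "scheduled_scans/schedule"
LEVELS = {"0", "critical", "high", "medium", "low", "info"}
BOOLEANS = ("scan_on_registration", "scan_on_signature_update", "windows_update",
            "proxy_enabled", "exempt_manual", "exempt_no_auto_patch",
            SCHED + "/enable_schedule")
DAY_RANGE = {"1": (1, 7), "2": (1, 31)}  # weekly: 1=Sunday..7=Saturday; monthly: date

def audit_vulnerability_scan(xml_text):
    """Return (errors, notes): values outside the documented sets, coverage notes."""
    vs = ET.fromstring(xml_text).find("vulnerability_scan")
    if vs is None:
        return ["missing <vulnerability_scan>"], []
    errors, notes = [], []
    get = lambda path: (vs.findtext(path) or "").strip() or None
    for path in BOOLEANS:
        if get(path) not in (None, "0", "1"):
            errors.append(f"<{path}> must be 0 or 1")
    level = get("auto_patch/level")
    if level not in LEVELS | {None}:
        errors.append(f"<level> {level!r} is not a documented value")
    elif level == "0":
        notes.append("auto_patch level 0: patches are not installed automatically")
    repeat, day, time = (get(f"{SCHED}/{t}") for t in ("repeat", "day", "time"))
    if repeat not in (None, "0", "1", "2"):
        errors.append("<repeat> must be 0, 1 or 2")
    if repeat in DAY_RANGE and day is not None:  # <day> is ignored for daily scans
        lo, hi = DAY_RANGE[repeat]
        if not (day.isdigit() and lo <= int(day) <= hi):
            errors.append(f"<day> must be {lo}-{hi} when <repeat> is {repeat}")
    # Assumption: HH:MM, inferred from the page's sample value 19:30.
    if time is not None and not re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", time):
        errors.append("<time> must be HH:MM on a 24-hour clock")
    exempt = [e.text.strip() for e in vs.iter("exemption") if e.text]
    if exempt:
        notes.append("exempt from scanning: " + ", ".join(exempt))
    return errors, notes
```

Only parse configuration files from a trusted source with the standard-library XML parser.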
