6.0.3

Fixing non-compliant settings

Now you can go to FortiClient on the endpoint to see the effect of the newly configured compliance rules. The compliance rules take effect with the next Telemetry communication between FortiClient and the FortiGate.

First, let's see the effect of the Vulnerability Scan compliance rule: endpoints must not have any high or critical vulnerabilities. Otherwise, they will be blocked from accessing the network. The example endpoint currently has two critical vulnerabilities, which violates this rule.

In the screenshot, you can see that FortiClient is not compliant with the Security Fabric. In the Compliance Policy section, FortiClient also displays the compliance rule it is currently in violation of: the endpoint should not have any high or above vulnerabilities.

Click View Compliance Rules to see more detail about the compliance rules received from FortiGate. This displays all compliance rules, including those that FortiClient is currently compliant with. For the Vulnerability Scan compliance rule, there is a grace period of one day, during which the user is expected to patch the critical and high vulnerabilities. During the grace period, the endpoint is not yet blocked from the network.

If the grace period passes and the critical and high vulnerabilities have not been patched, the endpoint user is blocked from accessing the network.

For the sake of the example, let's patch the critical and high vulnerabilities on the endpoint. Follow the instructions in Patching endpoint vulnerabilities using EMS. After patching the vulnerabilities, the endpoint is compliant and can access the network.

Now let's consider what happens if the endpoint does not follow the second compliance rule, which is that forticlient.exe must be running. When forticlient.exe is not running on the endpoint, FortiClient displays the following.

Since this rule was configured to only warn the user in the case of non-compliance, the user can still access the network without fixing the non-compliant settings. The browser displays the following warning, and the user can click I Understand to acknowledge the compliance issue, then proceed. The user can fix the non-compliant settings at a later time.

When the endpoint is compliant with all compliance rules received from the FortiGate, the FortiClient Compliance & Telemetry tab displays the following.
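The two rules walked through above differ in two ways that are easy to conflate: the enforcement action (block versus warn) and the grace period (one day for the vulnerability rule, none for the process rule). The following Python model, an added example that is not FortiClient or FortiGate code, makes that decision logic explicit: each rule reports its violations, a "block" rule is only enforced once the grace period measured from the first observed violation has elapsed, a "warn" rule never restricts access, and a violation that is fixed clears the timer so a later recurrence gets a fresh grace period. The endpoint state, vulnerability IDs and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Severity ordering used to interpret "high or above".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Decision ordering: the worst finding across all rules wins.
DECISION_RANK = {"allow": 0, "warn": 1, "grace": 2, "block": 3}


@dataclass
class Endpoint:
    """Constructed endpoint state, as a Telemetry report might carry it."""
    vulnerabilities: list      # [(vuln_id, severity), ...]
    running_processes: set


@dataclass
class Rule:
    name: str
    action: str                                  # "block" or "warn"
    grace_period: timedelta = timedelta(0)       # zero = enforce immediately
    first_violation: Optional[datetime] = None   # when the violation was first seen

    def violated(self, ep: Endpoint) -> list:
        raise NotImplementedError


@dataclass
class VulnerabilityRule(Rule):
    min_severity: str = "high"   # violations are findings at this severity or above

    def violated(self, ep: Endpoint) -> list:
        floor = SEVERITY_RANK[self.min_severity]
        return [v for v in ep.vulnerabilities if SEVERITY_RANK[v[1]] >= floor]


@dataclass
class ProcessRule(Rule):
    process: str = ""   # process image name that must be running

    def violated(self, ep: Endpoint) -> list:
        running = {p.lower() for p in ep.running_processes}
        return [] if self.process.lower() in running else [self.process]


def evaluate(rules: list, ep: Endpoint, now: datetime):
    """Return (decision, findings); decision is allow, warn, grace or block."""
    decision, findings = "allow", []
    for rule in rules:
        items = rule.violated(ep)
        if not items:
            rule.first_violation = None   # fixed: a later recurrence restarts the grace period
            continue
        if rule.first_violation is None:
            rule.first_violation = now    # grace period starts at first detection
        if rule.action == "warn":
            state = "warn"                # user is told, but network access is kept
        elif now - rule.first_violation < rule.grace_period:
            state = "grace"               # not yet blocked, clock is running
        else:
            state = "block"
        findings.append((rule.name, state, items))
        if DECISION_RANK[state] > DECISION_RANK[decision]:
            decision = state
    return decision, findings


def make_rules() -> list:
    """The two rules from the walkthrough: block on high/critical after one day, warn if the agent is not running."""
    return [
        VulnerabilityRule("No high or critical vulnerabilities", "block",
                          timedelta(days=1), min_severity="high"),
        ProcessRule("forticlient.exe must be running", "warn", process="forticlient.exe"),
    ]


def run_scenario() -> list:
    """Replay the walkthrough: two criticals, grace period expiry, patching, then agent stopped."""
    rules = make_rules()
    t0 = datetime(2024, 1, 1, 9, 0)   # constructed timestamp
    ep = Endpoint([("VULN-A", "critical"), ("VULN-B", "critical")],
                  {"forticlient.exe", "explorer.exe"})
    d1, _ = evaluate(rules, ep, t0)                                 # within grace period
    d2, _ = evaluate(rules, ep, t0 + timedelta(hours=12))           # still within grace
    d3, _ = evaluate(rules, ep, t0 + timedelta(days=1))             # grace expired: blocked
    ep.vulnerabilities = []                                         # patched via EMS
    d4, _ = evaluate(rules, ep, t0 + timedelta(days=1, hours=1))    # compliant again
    ep.running_processes.discard("forticlient.exe")                 # agent stopped
    d5, _ = evaluate(rules, ep, t0 + timedelta(days=1, hours=2))    # warn only
    return [d1, d2, d3, d4, d5]


if __name__ == "__main__":
    for step, decision in zip(["detected", "12h later", "1 day later", "patched", "agent stopped"],
                              run_scenario()):
        print(f"{step:>14}: {decision}")
```

The point the model makes for a defender is that the grace-period clock belongs to the first detection, not to the latest Telemetry report, so an endpoint cannot stay in the grace state indefinitely simply by checking in often; and that a warn-only rule, like the process rule here, never changes the access decision on its own, so it should be paired with monitoring if the agent being stopped is something you need to notice.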