Fortinet Document Library


XML Reference Guide

Update settings

Update-related information is contained inside the <update></update> XML tags. Use this field to specify how FortiClient performs updates from FortiGuard Distribution Network (FDN) servers.

<forticlient_configuration>
  <system>
    <update>
      <use_custom_server>0</use_custom_server>
      <restrict_services_to_regions/>
      <server></server>
      <port>80</port>
      <fail_over_servers>server1.fortinet.com:8008;172.81.30.6:80;server2.fortinet.com:80</fail_over_servers>
      <timeout>60</timeout>
      <failoverport>8000</failoverport>
      <fail_over_to_fdn>1</fail_over_to_fdn>
      <use_proxy_when_fail_over_to_fdn>1</use_proxy_when_fail_over_to_fdn>
      <auto_patch>1</auto_patch>
      <update_action>notify_only</update_action>
      <scheduled_update>
        <enabled>1</enabled>
        <type>interval</type>
        <daily_at>03:00</daily_at>
        <update_interval_in_hours>3</update_interval_in_hours>
      </scheduled_update>
      <submit_virus_info_to_fds>0</submit_virus_info_to_fds>
      <submit_vuln_info_to_fds>1</submit_vuln_info_to_fds>
    </update>
  </system>
</forticlient_configuration>

The following table provides the XML tags for update settings, as well as the descriptions and default values where applicable.

XML Tag

Description

Default Value

<use_custom_server>

Define a custom server for updates. When the Boolean value is set to 0, use the default FDN server address. When the Boolean value is set to 1, you must specify the address in <update><server>. Typically used when specifying a FortiManager as your update server.

Boolean value: [0 | 1]

Default value: 0

<restrict_services_to_regions>

Define whether to restrict the FortiGuard server location to U.S.-only, or to use the nearest FortiGuard server.

To restrict to U.S.-only FortiGuard server locations, set to USA, as follows: <restrict_services_to_regions>USA</restrict_services_to_regions>.

Otherwise, leave blank. This is the default configuration.

 

<server>

Update server's IP address or FQDN. Use when <use_custom_server> is set to 1.

Optionally, you can specify the port number. You can specify multiple addresses using a semicolon delimited list.

For example, 10.10.10.1:80;10.10.10.2:8080;172.16.10.80;www.myfortimanager.net. In this example, FortiClient tries each server specified in order until one works or they all fail.

<port>

Update server's port number. If a port number is not specified in <update><server>, this port is used.

Port range: 1 to 65535

Default value: 80

<fail_over_servers>

Update servers to try if the primary server cannot be reached. Separate multiple servers with a semicolon. IP address or FQDN, followed by a colon and the port number if applicable.

<timeout>

Connection timeout, in seconds, when attempting to reach a custom update server. If a server is reachable but not responding to update requests, the actual timeout is longer.

The timeout specified is applied three times to one <server>:<port> pair before FortiClient gives up on this pair. If <failoverport> is specified, and greater than 0, there are a total of six attempts (three attempts for <server>:<port>, three attempts for <server>:<failoverport>).

Default value: 60

<failoverport>

Failover port number. If the update server cannot be reached via the port specified in <server> or <port>, FortiClient tries the same address with this port.

Port range: 1 to 65535

Default value: 8000

<fail_over_to_fdn>

Determines whether or not to use FortiGuard servers if communication with custom <server> fails. If the Boolean value is set to 1, <use_custom_server> is set to 1, and the update server specified by <server> cannot be reached, then FortiClient tries the default public FDN server. This is tried only if FortiClient has exhausted all other custom update server options.

Boolean value: [0 | 1]

Default value: 1

<use_proxy_when_fail_over_to_fdn>

Supports failover to FortiGuard servers if FortiClient uses a proxy server defined with <forticlient_configuration><system><proxy> and <fail_over_to_fdn> is set to 1. Set <use_proxy_when_fail_over_to_fdn> to 1 to fail over to FortiGuard servers. This element is ignored when no proxy server is defined with <forticlient_configuration><system><proxy>.

Boolean value: [0 | 1]

Default value: 1

<auto_patch>

Determines whether to automatically check for software updates. Used with <update_action>. If the Boolean value is set to 1, FortiClient automatically checks for updates and takes the action specified by <update_action>.

Boolean value: [0 | 1]

Default value: 0

<update_action>

Update action applies to software updates only. FortiClient (macOS) supports only the notify_only and disable options. Select one of the following:

  • download_and_install: Automatically downloads and installs software updates with no user intervention. It reboots the computer if needed. FortiClient (macOS) does not support this option.
  • download_only: Automatically downloads software updates, but does not install them. The user can install by following the message prompt. FortiClient (macOS) does not support this option.
  • notify_only: Displays a message when a software update becomes available. The user triggers the update by following the message prompt.
  • disable: Disables online software updates. Software updates can only be achieved by manually downloading and installing newer installation packages.

Default value: notify_only

<submit_virus_info_to_fds>

Enable or disable submission of virus information to FortiGuard.

Boolean value: [0 | 1]

Default value: 1

<submit_vuln_info_to_fds>

Enable or disable submission of vulnerability statistics to FortiGuard Distribution Network. When set to 1, send vulnerability detection statistics from the vulnerability scanner to FortiGuard. When set to 0, do not send vulnerability statistics to FortiGuard.

Boolean value: [0 | 1]

Default value: 1

<scheduled_update> elements

Use these elements to define when FortiClient should look for engine, signature and software updates (if enabled).

<enabled>

Enable or disable scheduled updates. When the Boolean value is set to 1, scheduled update is enabled. When set to 0, scheduled update is disabled.

Boolean value: [0 | 1]

Default value: 1

<type>

Update frequency: daily or at regular hourly intervals. Select one of the following:

  • daily
  • interval

Default value: interval

<daily_at>

Time of day, in the format HH:MM (24-hour clock), at which FortiClient should check for updates. This field is mandatory if the <type> tag is set to daily.

<update_interval_in_hours>

Update interval in hours if the <type> tag is set to interval. This field specifies the frequency that FortiClient should check for updates. The minimum value is 1, the maximum value is 24.

Default value: 3

When <use_custom_server> is 0 or both <server> and <fail_over_servers> are each an empty (null) string, FortiClient only uses the default FortiGuard server for software updates. If a string is specified in <server> and communication fails with that server, each of the servers specified in <fail_over_servers> is tried until one succeeds. If that also fails, then software updates are not possible unless <fail_over_to_fdn> is set to 1.

If communication fails with the server(s) specified in both <server> and <fail_over_servers>, <fail_over_to_fdn> determines the next course of action as listed below:

| <server> | <fail_over_to_fdn> | Result |
|---|---|---|
| “” (empty strings) | 0 | Only FortiGuard server is used. |
| “” (empty strings) | 1 | Only FortiGuard server is used. |
| “xyz” (valid IP address) | 0 | FortiGuard server is never used. |
| “xyz” (valid IP address) | 1 | FortiGuard server is used only as failover. |
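
The failover order and timeout rule described above, worked through as an added example (not Fortinet code): this Python sketch parses an <update> block and returns the endpoints FortiClient would try in order, plus the worst-case seconds spent on custom servers before it gives up on them. The sample XML is constructed; applying <port> and the three-attempt rule to <fail_over_servers> entries is an assumption, since the page states both only for <server>.

```python
import xml.etree.ElementTree as ET

# Constructed sample: custom update servers with failover to FDN disabled.
SAMPLE = """<forticlient_configuration><system><update>
  <use_custom_server>1</use_custom_server>
  <server>10.10.10.1:80;www.myfortimanager.net</server>
  <port>8080</port>
  <fail_over_servers>172.16.10.80:8008</fail_over_servers>
  <timeout>60</timeout>
  <failoverport>8000</failoverport>
  <fail_over_to_fdn>0</fail_over_to_fdn>
</update></system></forticlient_configuration>"""

FDN = "FDN (default FortiGuard)"  # label used by this example only

def _split(value, default_port):
    """Split 'host[:port];host[:port]' into (host, port) pairs (IPv4/FQDN only)."""
    pairs = []
    for item in filter(None, (s.strip() for s in (value or "").split(";"))):
        host, sep, port = item.rpartition(":")
        pairs.append((host, int(port)) if sep else (item, default_port))
    return pairs

def update_plan(xml_text):
    """Return (ordered endpoints, worst-case seconds spent on custom servers)."""
    upd = ET.fromstring(xml_text).find("./system/update")
    get = lambda tag, default="": (upd.findtext(tag) or default).strip()
    port, timeout = int(get("port", "80")), int(get("timeout", "60"))
    failoverport = int(get("failoverport", "0"))
    primary = _split(get("server"), port)
    backups = _split(get("fail_over_servers"), port)  # assumption: <port> is the default here too
    # use_custom_server = 0, or no custom server at all: only FortiGuard is used.
    if get("use_custom_server", "0") != "1" or not (primary or backups):
        return [FDN], 0
    plan = []
    for host, p in primary:
        plan.append((host, p))
        if failoverport > 0:  # same address retried on <failoverport>
            plan.append((host, failoverport))
    plan += backups
    budget = 3 * timeout * len(plan)  # <timeout> applied three times per pair
    if get("fail_over_to_fdn", "1") == "1":
        plan.append(FDN)  # tried only after every custom option is exhausted
    return plan, budget
```

A plan that does not end in the FDN entry means an endpoint that cannot reach its custom servers receives no updates, which is the "FortiGuard server is never used" row of the table.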
