Doc ID 98b4e085-ff54-11e9-8977-00505692583a:559062

Endpoint profile provisioning based on on-net or off-net status

You can configure an endpoint policy to apply a different profile to the endpoint when it is on-net, compared to when the endpoint is off-net.

To configure an on-net and off-net profile:
  1. Go to Endpoint Profiles > Manage Profiles. Create a new profile or modify an existing profile to configure the on-net profile. You will configure the policy to apply this profile to endpoints when they are on-net. The example Profile_OnNet profile only has VPN and Vulnerability Scan enabled.

  2. Create another profile or modify another existing profile to configure the off-net profile. You will configure the policy to apply this profile to endpoints when they are off-net. The example Profile_OffNet profile has a different feature set enabled than Profile_OnNet: Malware Protection, Sandbox Detection, and Web Filter in addition to VPN and Vulnerability Scan.

To configure an on-net detection rule:
  1. Go to Policy Components > On-net Detection Rules.
  2. Click Add.
  3. In the Name field, enter the desired name.
  4. Enable the rule by toggling Enable Rule on.
  5. In the IP Addresses/Subnet Masks field, enter the IP addresses or subnets that count as the corporate network. You can enter multiple values by clicking the + button.
  6. (Optional) In the Gateway MAC Addresses field, enter the MAC addresses of the corporate gateways. You can enter multiple values by clicking the + button. Private address ranges such as 172.17.0.0/16 are also used on home and other third-party networks, so an endpoint that happens to receive an address inside the on-net subnet on such a network would, with a subnet-only rule, be treated as on-net and receive the on-net profile. Adding the corporate gateway MAC addresses tightens the check.
  7. Click Save. In this example, the rule is named OnNet1, and a policy that includes it determines an endpoint to be on-net when the endpoint's IP address is inside the 172.17.81.0/23 subnet.

To configure the endpoint policy:
  1. Go to Endpoint Policy > Manage Policies.
  2. Configure the policy:
    1. Click Add.
    2. In the Endpoint Policy Name field, enter the desired name.
    3. (Optional) In Endpoint domains, select the domains to apply the policy to.
    4. (Optional) In Endpoint workgroups, select the workgroups of endpoints to apply the policy to.
    5. In Endpoint Profile, select an endpoint profile from the dropdown list. This is the on-net profile. In this example, Profile_OnNet is selected.
    6. (Optional) In Endpoint profile (Off-net), select the profile to apply to the endpoint when it is off-net according to the on-net detection rules configured in this policy. If you leave this empty, the profile selected in Endpoint Profile applies in both states. In this example, Profile_OffNet is selected.
    7. (Optional) In On-Net Detection Rules, select the on-net detection rules to include in the policy. In this example, OnNet1 is selected.
    8. (Optional) In Telemetry gateway list, select the desired Telemetry gateway list from the dropdown list. You must have already configured a Telemetry gateway list in EMS for this option to be available. See Creating a Telemetry gateway list.
    9. (Optional) In Comments, enter any comments.
    10. Enable the policy by toggling Enable Policy on.
  3. Click Save.

Note

You cannot delete a profile, Telemetry gateway list, or on-net detection rule that is configured as part of a policy. If you attempt to delete such a profile, list, or rule, EMS displays a Cannot delete an assigned <profile/telemetry gateway list/on-net subnet component> message.

To delete a profile, list, or rule that is part of a policy, first edit the policy so that it no longer uses that profile, list, or rule, then delete the profile, list, or rule.

To view the results on the endpoint:

The following illustrates the results of configuring an on-net and off-net profile for a policy applied to an endpoint.

In this example, the policy applied to the endpoint does not have on-net detection rules configured. In this case, the endpoint has an online/on-net status and has the feature set enabled in the on-net profile.

In this example, the policy applied to the endpoint has on-net detection rules configured, and on-net and off-net profiles. In this case, the endpoint's IP address is in the configured subnet, so the endpoint has an online/on-net status and the feature set enabled in the on-net profile.

In this case, let's assume that the on-net detection rules have been modified so that endpoints inside the 172.17.93.0/23 subnet are considered on-net, not endpoints inside the 172.17.81.0/23 subnet. The endpoint's IP address, 172.17.81.131, is no longer in the on-net subnet. Therefore, the endpoint has an online/off-net status and the feature set enabled in the off-net profile.

In this case, let's assume that the on-net detection rules have been modified so that endpoints inside the 172.17.81.0/23 subnet are again considered on-net. The endpoint's IP address, 172.17.81.131, is in the configured subnet, but the endpoint now cannot connect Telemetry to EMS. The endpoint has an offline/on-net status and EMS displays its location as unavailable.

Let's modify the on-net detection rules again so that endpoints inside the 172.17.93.0/23 subnet are considered on-net. In this case, the endpoint's IP address, 172.17.81.131, is not in the configured subnet and the endpoint cannot connect Telemetry to EMS. The endpoint has an offline/off-net status and EMS displays its location as unavailable.
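The decision the policy makes in each of the cases above, as an added illustration that is not FortiClient EMS code: a small model of how an endpoint policy combines its on-net detection rules, the endpoint's Telemetry connectivity, and the on-net and off-net profiles into the status pairs described on this page. The page's values (OnNet1, 172.17.81.0/23, 172.17.93.0/23, 172.17.81.131, Profile_OnNet, Profile_OffNet) are used; the policy name Policy1, the gateway MAC addresses, and the exact way EMS matches gateway MACs are assumptions. Which profile an endpoint keeps while it cannot connect Telemetry is not stated on the page, so the model reports the profile the policy would select for that state.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class OnNetRule:
    """One entry from Policy Components > On-net Detection Rules."""
    name: str
    subnets: list                       # IP Addresses/Subnet Masks field
    gateway_macs: list = field(default_factory=list)  # optional Gateway MAC Addresses field
    enabled: bool = True

    def matches(self, ip: str, gateway_mac: Optional[str]) -> bool:
        if not self.enabled:
            return False
        addr = ip_address(ip)
        if not any(addr in ip_network(s, strict=False) for s in self.subnets):
            return False
        if not self.gateway_macs:
            return True
        # Assumption: with gateway MACs configured, the endpoint's default
        # gateway must also be one of them for the rule to match.
        wanted = {m.lower() for m in self.gateway_macs}
        return gateway_mac is not None and gateway_mac.lower() in wanted


@dataclass
class EndpointPolicy:
    """The fields of an endpoint policy that matter for this page."""
    name: str
    profile: str                            # Endpoint Profile (applied when on-net)
    profile_offnet: Optional[str] = None    # Endpoint profile (Off-net), optional
    onnet_rules: list = field(default_factory=list)


@dataclass
class Endpoint:
    ip: str
    gateway_mac: Optional[str] = None
    telemetry_connected: bool = True        # False: cannot connect Telemetry to EMS


def evaluate(policy: EndpointPolicy, ep: Endpoint) -> dict:
    """Return the online/offline and on-net/off-net status pair, the location
    EMS shows, and the profile the policy selects for that state."""
    if not policy.onnet_rules:
        on_net = True   # no detection rules: every endpoint counts as on-net
    else:
        on_net = any(r.matches(ep.ip, ep.gateway_mac) for r in policy.onnet_rules)
    online = ep.telemetry_connected
    net = "on-net" if on_net else "off-net"
    # Without an off-net profile the on-net profile applies in both states.
    profile = policy.profile if (on_net or policy.profile_offnet is None) else policy.profile_offnet
    return {
        "status": f"{'online' if online else 'offline'}/{net}",
        "location": net if online else "unavailable",
        "profile": profile,
    }


# The page's example values; the policy name Policy1 is an assumption.
RULE_81 = OnNetRule("OnNet1", ["172.17.81.0/23"])
RULE_93 = OnNetRule("OnNet1", ["172.17.93.0/23"])     # the rule after modification
POLICY = EndpointPolicy("Policy1", "Profile_OnNet", "Profile_OffNet", [RULE_81])
POLICY_MOVED = EndpointPolicy("Policy1", "Profile_OnNet", "Profile_OffNet", [RULE_93])
POLICY_NO_RULES = EndpointPolicy("Policy1", "Profile_OnNet", "Profile_OffNet")


def walkthrough() -> dict:
    """Reproduce the five cases described under 'To view the results'."""
    online = Endpoint("172.17.81.131")
    offline = Endpoint("172.17.81.131", telemetry_connected=False)
    return {
        "no_rules": evaluate(POLICY_NO_RULES, online),
        "in_subnet": evaluate(POLICY, online),
        "rule_changed": evaluate(POLICY_MOVED, online),
        "offline_onnet": evaluate(POLICY, offline),
        "offline_offnet": evaluate(POLICY_MOVED, offline),
    }


def gateway_mac_check() -> tuple:
    """Why the optional gateway MAC matters: two endpoints hold the same
    address 172.17.81.131, one behind the corporate gateway and one on an
    unrelated network that reuses 172.17.80.0/23 (constructed MACs)."""
    strict = EndpointPolicy("Policy1", "Profile_OnNet", "Profile_OffNet",
                            [OnNetRule("OnNet1", ["172.17.81.0/23"],
                                       gateway_macs=["00:11:22:33:44:55"])])
    corporate = Endpoint("172.17.81.131", gateway_mac="00:11:22:33:44:55")
    elsewhere = Endpoint("172.17.81.131", gateway_mac="66:77:88:99:aa:bb")
    return (evaluate(strict, corporate)["profile"], evaluate(strict, elsewhere)["profile"])


if __name__ == "__main__":
    for case, result in walkthrough().items():
        print(f"{case:15} {result}")
    print("gateway MAC check:", gateway_mac_check())
```

The `gateway_mac_check` case is the one to keep in mind when writing rules: with a subnet-only rule, both endpoints would receive Profile_OnNet, which in this page's example means no Malware Protection, Sandbox Detection, or Web Filter on a machine that is not actually on the corporate network.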