Specify how the FortiClient user interface appears when installed on endpoints.

Turn on password lock for FortiClient.

Enter a password. The endpoint user must enter this password to disconnect FortiClient from FortiClient EMS.

Disallow users from backing up the FortiClient configuration.

Hide the User Details panel where the user can provide user details (avatar, name, phone number, email address), and link to a social media (LinkedIn, Google, Salesforce) account.

Hide the FortiClient system tray icon.

Show the applied host tag on the FortiClient GUI. See Compliance Verification.

Configure the language that FortiClient uses. By default, FortiClient uses the system operating language. Select one of the following:

• os-default (System operating language, selected by default)
• zh-tw (Taiwanese Mandarin)
• cs-cz (Czech)
• de-de (German)
• en-us (United States English)
• fr-fr (French)
• hu-hu (Hungarian)
• ru-ru (Russian)
• ja-jp (Japanese)
• ko-kr (Korean)
• pt-br (Brazilian Portuguese)
• sk-sk (Slovak)
• es-es (Spanish)
• zh-cn (Chinese (Simplified))
• et-ee (Estonian)
• lv-lv (Latvian)
• lt-lt (Lithuanian)
• fi-fi (Finnish)
• sv-se (Swedish)
• da-dk (Danish)
• pl-pl (Portuguese (Portugal))
• nb-no (Norwegian)
• fr-ca (Canadian French)

Specify FortiClient log settings.

This option is available for Chromebook profiles. Generates logs equal to and more critical than the selected level. Select one of the following:

• Emergency: The system becomes unstable.
• Alert: Immediate action is required.
• Critical: Functionality is affected.
• Error: An error condition exists and may affect functionality.
• Warning: Functionality could be affected.
• Notice: Information about normal events.
• Info: General information about system operations.
• Debug: Debug FortiClient.

Select features to generate logs for:

• AntiVirus
• Application Firewall
• Telemetry
• FSSOMA
• Proxy
• IPsec VPN
• AntiExploit
• SSL VPN
• Update
• Vulnerability
• Web Filter
• Sandbox

Include local log messages when FortiClient is on-net. For information about the on-net feature, see the FortiClient Administration Guide.

This option and all nested options are available for Chromebook profiles. Configure endpoints to sends logs to the FortiAnalyzer or FortiManager at the specified address or hostname.

If the Send Software Inventory option below is also enabled, FortiClient also sends software inventory information to FortiAnalyzer or FortiManager.

Upload unified threat management logs to FortiAnalyzer or FortiManager.

Upload vulnerability logs to FortiAnalyzer or FortiManager.

Upload event logs to FortiAnalyzer or FortiManager.

Send software inventory to FortiAnalyzer or FortiManager.

Enter the FortiAnalyzer IP address or hostname/FQDN. With Chromebook profiles, use the format https://FAZ-IP:port/logging.

If using a port other than the default, use <address>:<port>.

Enable SSL.

Configure the upload schedule in minutes.

Configure the log generation timeout in seconds.

Configure the duration of time to retain logs in days.

Access FortiGuard using the configured proxy.

Connect to FDN directly if proxy is offline.

Use the configured proxy to submit viruses to FortiGuard.

Configure the type. Options include:

• http
• socks4
• socks5

Enter the proxy server's IP address/hostname.

Enter the proxy server's port number. The port range is from 1 to 65535.

If the proxy requires authentication, enter the username. Enter the encrypted or non-encrypted username.

If the proxy requires authentication, enter the password. Enter the encrypted or non-encrypted username. Enable Show Password to show the password in plain text.

Specify whether to use FortiManager or Micro-FortiGuard Server for FortiClient to update FortiClient on endpoints.

Enable FortiClient EMS to obtain AV signatures from the FortiManager or Micro-FortiGuard Server for FortiClient at the specified IP address or hostname.

Enter the FortiManager IP address/hostname.

Enter the port number.

Enter the failover port.

Enter the timeout interval.

Fail over to FDN when FortiManager or Micro-FortiGuard Server for FortiClient is not available.

Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server.

FortiClient connects to FortiGuard to query for AV and vulnerability scan engine and signature updates.

The URLs connected to for each server location are as follows:

• FortiGuard:

  • Global: forticlient.fortinet.net

  • U.S.: usforticlient.fortinet.net

• FortiGuard Anycast:

  • Global: fctupdate.fortinet.net

  • U.S.: fctusupdate.fortinet.net

  • Europe: fcteuupdate.fortinet.net

Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.

Enable FortiProxy (disable only when troubleshooting). You must enable FortiProxy to use Web Filter and some AV options.

Enable HTTPS proxy. If disabled, FortiProxy no longer inspects HTTPS traffic.

Enter the HTTP connection timeout interval in seconds. FortiProxy determines if the remote server is available based on this timeout value. Lower this timeout value if your client requires a faster fail response.

Enable POP3 client comforting. Client comforting helps to prevent POP3 clients from complaining that the server has not responded in time.

Enable POP3 server comforting. Server comforting helps to prevent POP3 servers from complaining that the client has not responded in time. This may be used in a situation where FortiClient is installed on a mail server.

Enable SMTP client comforting. SMTP comforting helps to prevent SMTP clients from complaining that the server has not responded in time.

FortiProxy can detect if other software is disrupting internal traffic between FortiProxy's internal modules. It does this by sending packets periodically to 1.1.1.1, which are intercepted by FortiClient and dropped (they never leave the computer). If the packets are not detected, then it is deemed highly likely that third party software is intercepting the packets, signaling that FortiProxy cannot perform regular traffic filtering.

Enable self tests. FortiProxy periodically checks its own connectivity to determine if it is able to proxy other applications' traffic.

Display a bubble notification when self-testing detects that a third party program has blocked HTTP/HTTPS filtering and SMTP/POP3 AV scanning.

Enter the last port number used. This is the highest port number you want to allow FortiProxy to listen on. Use to prevent FortiProxy from binding to another port that another service normally uses.

The available port range is 65535 to 10000.

Endpoint Control

Log off FortiClient when the endpoint user logs out of Windows. Turn off to remain logged in.

Forbid users from disconnecting FortiClient from FortiClient EMS.

Disable FortiGate switch. When the FortiGate switch is disabled, the following occurs:

• FortiClient does not probe the default gateway.
• FortiClient does not automatically connect to the default gateway.
• FortiClient ignores FortiGate broadcasts.
• The discovered list displays only predefined FortiGates, if discovered.

Hide the compliance enforcement feature message from the Compliance & Telemetry tab. This option is only enforced on FortiClients connected to FortiClient EMS. This option does not apply to monitored clients.

This option only applies for endpoints running FortiClient versions earlier than 6.2.0.

Enable on-net subnets.

For details on how FortiClient determines on-net/off-net status, see the FortiClient Administration Guide.

This option only applies for endpoints running FortiClient 6.2.1 and earlier versions. For endpoints running FortiClient 6.2.2 and later versions, see On-net Detection Rules.

Enter IP addresses/subnet mask to connect to on-net subnets.

Enable gateway MAC address.

Send installed application information to FortiClient EMS. If the Upload Logs to FortiAnalyzer/FortiManager option is enabled, the endpoint also sends the software inventory information to FortiAnalyzer. See Software Inventory.

Turn on to select and install a CA certificate on the FortiClient endpoint.

You can add certificates by going to Policy Components > Manage CA Certificates.

Enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator.

Enter the FortiAuthenticator IP address or hostname.

Enter the port number.

Enter the preshared key. The preshared key should match the key configured on your FortiAuthenticator.