Blocking removable devices by class ID 6.4.2

You can define multiple rules to block, monitor, or allow removable devices, such as the following:

  • Human interface devices
  • Windows portable devices
  • Bluetooth devices
  • CD-ROM drive
  • Smart card reader
  • USB device
  • Camera device

You can configure rules using device properties including the class, manufacturer, vendor ID, product ID, and revision. You can enter values as Perl-compatible regular expressions or in simple format (exact match). One profile supports multiple rules. FortiClient EMS ignores empty fields. If FortiClient detects that an existing removable device's properties match a rule, it applies the configured action (block, allow, or monitor).

You can find the hardware properties of a removable device using Hardware Manager or USBDeView.

To configure Removable Media Access:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. On the Malware tab, enable Removable Media Access.
  3. Configure the following:

    | Options | Description |
    | --- | --- |
    | Show bubble notifications | Display a bubble notification when FortiClient takes action with a removable media device. |
    | Action | Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are: • Allow: Allow access to removable media devices connected to the endpoint that match this rule. • Block: Block access to removable media devices connected to the endpoint that match this rule. • Monitor: Log removable media device connections to the endpoint that match this rule. |
    | Description | Enter the desired rule description. |
    | Type | Select Simple or Regular Expression for the rule type. When Simple is selected, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions. When Regular Expression is selected, FortiClient uses Perl Compatible Regular Expressions (PCRE) to perform matching against classes, manufacturers, vendor IDs, product IDs, and revisions. |
    | Class | Enter the device class. |
    | Manufacturer | Enter the device manufacturer. |
    | Vendor ID | Enter the device vendor ID. |
    | Product ID | Enter the device product ID. |
    | Revision | Enter the device revision number. |
    | Remove this rule | Remove this rule from the profile. |
    | Add a new rule | Add a new removable media access rule. |
    | Move this rule up/down | Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the highest rule to the device. |
    | Default removable media access | Configure the action to take with removable media devices that do not match any configured rules. Available options are: • Allow: Allow access to removable media devices connected to the endpoint that do not match any configured rules. • Block: Block access to removable media devices connected to the endpoint that do not match any configured rules. • Monitor: Log removable media device connections to the endpoint that do not match any configured rules. |
  4. Click Save.

The FortiClient GUI currently does not display all defined removable media rules. It displays only the default action, which is applied if the removable device does not match any of the defined rules.
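The matching behaviour described on this page (empty fields ignored, Simple versus Regular Expression types, highest rule wins, default action otherwise) can be modelled as below. This is an added illustration, not FortiClient or EMS code: the field names, the unanchored regex search and the sample device values are assumptions, and Python's `re` module stands in for PCRE.

```python
import re
from dataclasses import dataclass

FIELDS = ("class_", "manufacturer", "vendor_id", "product_id", "revision")

@dataclass
class Rule:
    action: str                 # "allow", "block" or "monitor"
    kind: str = "simple"        # "simple" or "regex" (the Type option)
    class_: str = ""
    manufacturer: str = ""
    vendor_id: str = ""
    product_id: str = ""
    revision: str = ""

    def matches(self, device: dict) -> bool:
        for field in FIELDS:
            wanted = getattr(self, field)
            if not wanted:                  # empty fields are ignored
                continue
            actual = device.get(field, "")
            if self.kind == "simple":       # case-insensitive exact match
                if wanted.casefold() != actual.casefold():
                    return False
            elif re.search(wanted, actual) is None:
                # Assumption: unanchored search; anchor patterns with ^ and $
                # so the result does not depend on the engine's behaviour.
                return False
        return True

def decide(rules, device, default="allow"):
    """Return the action of the highest matching rule, else the default."""
    for rule in rules:                      # list order = priority, top first
        if rule.matches(device):
            return rule.action
    return default

# Constructed sample profile and devices; all IDs are made-up placeholders.
RULES = [
    Rule("allow", class_="USB", vendor_id="0abc", product_id="1234"),
    Rule("monitor", kind="regex", class_=r"^(HIDClass|Bluetooth)$"),
    Rule("block", class_="usb"),
]
APPROVED_STICK = {"class_": "USB", "vendor_id": "0ABC", "product_id": "1234"}
OTHER_STICK = {"class_": "USB", "vendor_id": "ffff", "product_id": "0001"}
KEYBOARD = {"class_": "HIDClass", "vendor_id": "0abc", "product_id": "2000"}
CDROM = {"class_": "CDROM", "vendor_id": "1111", "product_id": "0002"}
```

In this model, moving the broad block rule above the narrow allow rule blocks the approved device as well, so specific rules belong above general ones.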

To view endpoint removable media events:
  1. In EMS, go to Endpoints and go to the desired endpoint.
  2. Click the endpoint, then select the USB Monitor Events tab.
