
Vulnerability scan

The <vulnerability_scan></vulnerability_scan> XML tags contain vulnerability scan configurations.

<forticlient_configuration>
  <vulnerability_scan>
    <enabled>1</enabled>
    <scan_on_registration>1</scan_on_registration>
    <scan_on_signature_update>1</scan_on_signature_update>
    <auto_patch>
      <level>critical</level>
    </auto_patch>
    <windows_update>1</windows_update>
    <proxy_enabled>0</proxy_enabled>
    <exempt_manual>1</exempt_manual>
    <exemptions>
      <exemption>Google Chrome</exemption>
      <exemption>Java JDK</exemption>
    </exemptions>
    <exempt_no_auto_patch>1</exempt_no_auto_patch>
    <scheduled_scans>
      <schedule>
        <enable_schedule>1</enable_schedule>
        <repeat>1</repeat>
        <day>1</day>
        <time>19:30</time>
      </schedule>
      <automatic_maintenance>
        <scan_on_maintenance>0</scan_on_maintenance>
        <maintenance_period></maintenance_period>
        <maintenance_deadline></maintenance_deadline>
      </automatic_maintenance>
    </scheduled_scans>
    <vcm_expire_days>10</vcm_expire_days>
  </vulnerability_scan>
</forticlient_configuration>

The following entries list the XML tags for Vulnerability Scan, each with its description and, where applicable, its default value.

<enabled>

Enable vulnerability scan.

<scan_on_registration>

Specifies whether to start a vulnerability scan when FortiClient registers to a FortiGate.

Boolean value: [0 | 1]

<scan_on_signature_update>

Specifies whether to start a vulnerability scan when FortiClient updates its signatures.

Boolean value: [0 | 1]

<auto_patch>

Specifies whether to automatically install patches. Use the <level> element to enable and disable automatic patch installation.

<level>

Specify whether to patch vulnerabilities with a severity higher than the defined level. When set to 0, this setting is disabled, and FortiClient does not automatically install patches when it detects vulnerabilities. When set to info, FortiClient automatically installs all patches when it detects vulnerabilities. Configure one of the following:

  • 0
  • critical
  • high
  • medium
  • low
  • info

<windows_update>

Specifies whether to scan for Windows updates as well as third-party application updates. When set to 1, FortiClient scans for both Windows updates and third-party application updates. When set to 0, FortiClient scans only for third-party application updates.

Boolean value: [0 | 1]

<proxy_enabled>

Enable using the proxy settings configured in FortiClient when downloading updates for vulnerability patches.

Boolean value: [0 | 1]

Default value: 0

<exempt_manual>

Specifies whether to exempt from vulnerability scanning any applications that require the endpoint user to manually install patches.

Boolean value: [0 | 1]

<exemptions>

Identifies the names of applications that are exempted.

<exempt_no_auto_patch>

Specifies whether to exempt any applications that FortiClient can automatically patch from vulnerability scanning.

Boolean value: [0 | 1]

<scheduled_scans><schedule> elements

Currently there can only be one scheduled item. If <scan_on_maintenance> is enabled, other configured scheduled scans are discarded.

<enable_schedule>

Enable scheduled vulnerability scans.

Boolean value: [0 | 1]

<repeat>

Configure the frequency of scans:

  • 0: daily scan
  • 1: weekly scan
  • 2: monthly scan

<day>

Used only for weekly and monthly scans. If the <repeat> tag is set to 0 (daily), the <day> tag is ignored.
If the <repeat> tag is set to 1 (weekly), <day> is the day of the week on which to run the scan. Select one of the following:

  • 1: Sunday
  • 2: Monday
  • 3: Tuesday
  • 4: Wednesday
  • 5: Thursday
  • 6: Friday
  • 7: Saturday

If the <repeat> tag is set to 2 (monthly), <day> is the date of each month to run a scan. Enter a number from 1 to 31.

The default is the date that the policy was installed from FortiGate.

<time>

Configure the time at which to run the scan. Specify the time in 24-hour clock format (HH:MM). The following shows an example configuration for a scan that runs daily at 7:30 PM (19:30 on a 24-hour clock):

<schedule>
  <repeat>0</repeat>
  <time>19:30</time>
</schedule>

The default is the time that the policy was installed from FortiGate.
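As an added illustration (not FortiClient's own code and not part of the original reference page), the following Python script checks a <schedule> block against the rules described above: <repeat> must be 0, 1 or 2; <day> is ignored for daily scans, must be 1 (Sunday) to 7 (Saturday) for weekly scans and 1 to 31 for monthly scans; <time> must be HH:MM on a 24-hour clock. An absent <day> or <time> is accepted, because FortiGate fills in the policy install date and time. The sample blocks are constructed for the example, and the function names are assumptions of this example rather than anything FortiClient exposes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not taken from a real endpoint). The first two mirror
# the reference configuration and the daily example in the text; the third is
# deliberately wrong so the checks have something to report.
SAMPLE_WEEKLY = """<schedule>
  <enable_schedule>1</enable_schedule>
  <repeat>1</repeat>
  <day>1</day>
  <time>19:30</time>
</schedule>"""

SAMPLE_DAILY = """<schedule>
  <repeat>0</repeat>
  <time>19:30</time>
</schedule>"""

SAMPLE_BAD = """<schedule>
  <enable_schedule>1</enable_schedule>
  <repeat>2</repeat>
  <day>32</day>
  <time>7:30 PM</time>
</schedule>"""

REPEAT_NAMES = {0: "daily", 1: "weekly", 2: "monthly"}
WEEKDAYS = {1: "Sunday", 2: "Monday", 3: "Tuesday", 4: "Wednesday",
            5: "Thursday", 6: "Friday", 7: "Saturday"}
TIME_24H = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")


def _child_value(elem, name):
    """Return a child's text as an int when it is numeric, the raw string when
    it is not, and None when the element is absent or empty (FortiGate then
    supplies the install-time default for <day> and <time>)."""
    child = elem.find(name)
    text = (child.text or "").strip() if child is not None else ""
    if not text:
        return None
    return int(text) if text.isdigit() else text


def validate_schedule(xml_text):
    """Check one <schedule> block against the documented rules.
    Returns a list of problems; an empty list means the block is acceptable."""
    root = ET.fromstring(xml_text)
    if root.tag != "schedule":
        return [f"expected <schedule> root, got <{root.tag}>"]
    issues = []

    enable = _child_value(root, "enable_schedule")
    if enable is not None and enable not in (0, 1):
        issues.append(f"enable_schedule must be 0 or 1, got {enable!r}")

    repeat = _child_value(root, "repeat")
    if repeat not in REPEAT_NAMES:
        issues.append(f"repeat must be 0 (daily), 1 (weekly) or 2 (monthly), got {repeat!r}")

    day = _child_value(root, "day")
    if day is not None:  # an absent <day> falls back to the policy install date
        if repeat == 1 and day not in WEEKDAYS:
            issues.append(f"weekly scan needs day 1 (Sunday) to 7 (Saturday), got {day!r}")
        elif repeat == 2 and not (isinstance(day, int) and 1 <= day <= 31):
            issues.append(f"monthly scan needs day 1 to 31, got {day!r}")
        # repeat == 0: <day> is ignored, so there is nothing to check

    time_value = _child_value(root, "time")
    if time_value is not None and not TIME_24H.match(str(time_value)):
        issues.append(f"time must be HH:MM on a 24-hour clock, got {time_value!r}")
    return issues


def describe_schedule(xml_text):
    """Summarise a valid schedule in words, e.g. 'weekly on Sunday at 19:30'.
    Raises ValueError listing the problems when validation fails."""
    issues = validate_schedule(xml_text)
    if issues:
        raise ValueError("; ".join(issues))
    root = ET.fromstring(xml_text)
    repeat = _child_value(root, "repeat")
    day = _child_value(root, "day")
    time_value = _child_value(root, "time")
    when = f"at {time_value}" if time_value is not None else "at the policy install time"
    if repeat == 0:
        return f"daily {when}"
    if repeat == 1:
        on = f"on {WEEKDAYS[day]}" if day is not None else "on the policy install weekday"
        return f"weekly {on} {when}"
    on = f"on day {day}" if day is not None else "on the policy install date"
    return f"monthly {on} {when}"


if __name__ == "__main__":
    for sample in (SAMPLE_WEEKLY, SAMPLE_DAILY, SAMPLE_BAD):
        print(validate_schedule(sample) or describe_schedule(sample))
```

Running the script prints the word form of the two good schedules and the two problems found in the bad one. The point of checking <day> only in the mode where it matters is that a stray <day> value in a daily schedule is harmless by the rules above, whereas an out-of-range day in a monthly schedule would otherwise be pushed to endpoints before anyone notices.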

<scheduled_scans><automatic_maintenance> elements

This configures vulnerability scans to run as part of Windows automatic maintenance. Adding FortiClient vulnerability scans to the Windows automatic maintenance queue lets the system choose a time for the scan that minimally impacts the user, PC performance, and energy efficiency. See Automatic Maintenance.

<scan_on_maintenance>

Enable running the vulnerability scan as part of Windows automatic maintenance.

Boolean value: [0 | 1]

Default value: 0

<maintenance_period>

Specify how often vulnerability scanning must be started during automatic maintenance. Enter the desired period in the format PnYnMnDTnHnMnS, where nY is the number of years, nM is the number of months, nD is the number of days, T is the date/time separator, nH is the number of hours, nM is the number of minutes, and nS is the number of seconds.

For example, to configure a period of five minutes, you would enter the following:

<maintenance_period>PT5M</maintenance_period>

To configure a period of one month, four days, two hours, and five minutes, you would enter the following:

<maintenance_period>P1M4DT2H5M</maintenance_period>

<maintenance_deadline>

Specify when Windows must start vulnerability scanning during emergency automatic maintenance, if vulnerability scanning did not complete during regular automatic maintenance. This value must be greater than the <maintenance_period> value. Enter the desired deadline in the format PnYnMnDTnHnMnS. For details on this format, see <maintenance_period> above.
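As an added example (my own code, not FortiClient's, and not from the original page), the following Python script parses PnYnMnDTnHnMnS duration strings for <maintenance_period> and <maintenance_deadline> and enforces the rule that the deadline must be greater than the period. Durations containing months or years have no single fixed length, so for the comparison the script assumes 30 days per month and 365 days per year; that weighting is an assumption of this example, not something the reference states. The sample <automatic_maintenance> blocks are constructed, and all function names are my own.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

# PnYnMnDTnHnMnS: every component is optional and T separates the date part
# from the time part, so the M before T is months and the M after T is minutes.
DURATION_RE = re.compile(
    r"^P(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)

# Assumed weights for ordering durations that contain months or years
# (the reference describes the format, not how Windows weighs a month).
DAYS_PER_MONTH = 30
DAYS_PER_YEAR = 365

# Constructed samples: a valid pair, a pair whose deadline is shorter than its
# period, and the disabled form used in the reference configuration.
SAMPLE_OK = """<automatic_maintenance>
  <scan_on_maintenance>1</scan_on_maintenance>
  <maintenance_period>P1M4DT2H5M</maintenance_period>
  <maintenance_deadline>P2M</maintenance_deadline>
</automatic_maintenance>"""

SAMPLE_BAD = """<automatic_maintenance>
  <scan_on_maintenance>1</scan_on_maintenance>
  <maintenance_period>P1D</maintenance_period>
  <maintenance_deadline>PT5M</maintenance_deadline>
</automatic_maintenance>"""

SAMPLE_OFF = """<automatic_maintenance>
  <scan_on_maintenance>0</scan_on_maintenance>
  <maintenance_period></maintenance_period>
  <maintenance_deadline></maintenance_deadline>
</automatic_maintenance>"""


def parse_duration(text):
    """Parse a PnYnMnDTnHnMnS string into a dict of integer components.
    Raises ValueError for strings that do not follow the format."""
    s = text.strip()
    m = DURATION_RE.match(s)
    # Reject a bare P, a bare PT, or a trailing T with no time components.
    if not m or not any(m.groupdict().values()) or s.endswith("T"):
        raise ValueError(f"not a PnYnMnDTnHnMnS duration: {text!r}")
    return {name: int(value or 0) for name, value in m.groupdict().items()}


def to_timedelta(parts):
    """Convert parsed components to a timedelta using the assumed month/year weights."""
    days = parts["years"] * DAYS_PER_YEAR + parts["months"] * DAYS_PER_MONTH + parts["days"]
    return timedelta(days=days, hours=parts["hours"],
                     minutes=parts["minutes"], seconds=parts["seconds"])


def check_maintenance(period, deadline):
    """Validate a period/deadline pair: both must parse and the deadline must be
    strictly greater than the period. Returns a list of problems."""
    issues, parsed = [], {}
    for name, value in (("maintenance_period", period), ("maintenance_deadline", deadline)):
        try:
            parsed[name] = to_timedelta(parse_duration(value))
        except ValueError as exc:
            issues.append(f"{name}: {exc}")
    if len(parsed) == 2 and parsed["maintenance_deadline"] <= parsed["maintenance_period"]:
        issues.append("maintenance_deadline must be greater than maintenance_period")
    return issues


def check_automatic_maintenance(xml_text):
    """Apply check_maintenance to an <automatic_maintenance> element. When
    <scan_on_maintenance> is not 1 the empty period/deadline are left alone,
    as in the reference configuration."""
    root = ET.fromstring(xml_text)

    def text_of(name):
        child = root.find(name)
        return (child.text or "").strip() if child is not None else ""

    if text_of("scan_on_maintenance") != "1":
        return []
    return check_maintenance(text_of("maintenance_period"), text_of("maintenance_deadline"))


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD, SAMPLE_OFF):
        print(check_automatic_maintenance(sample) or "ok")
```

The parser deliberately refuses strings such as "5 minutes" or "P" rather than guessing, since a malformed period silently disables the maintenance trigger rather than producing a visible error on the endpoint.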

<vcm_expire_days>

Configure the number of days after which FortiClient deletes Vulnerability Scan logs.

If this element is not configured, by default, FortiClient deletes Vulnerability Scan logs after 30 days.
