Update settings

The <update></update> XML tags contain update-related information. Use this field to specify how FortiClient performs updates from FDN servers.

<forticlient_configuration>
  <system>
    <update>
      <use_custom_server>0</use_custom_server>
      <restrict_services_to_regions/>
      <use_legacy_fdn>1</use_legacy_fdn>
      <server></server>
      <port>80</port>
      <fail_over_servers>server1.fortinet.com:8008;172.81.30.6:80;server2.fortinet.com:80</fail_over_servers>
      <timeout>60</timeout>
      <failoverport>8000</failoverport>
      <fail_over_to_fdn>1</fail_over_to_fdn>
      <use_proxy_when_fail_over_to_fdn>1</use_proxy_when_fail_over_to_fdn>
      <scheduled_update>
        <enabled>1</enabled>
        <type>interval</type>
        <daily_at>03:00</daily_at>
        <update_interval_in_hours>3</update_interval_in_hours>
      </scheduled_update>
      <submit_virus_info_to_fds>0</submit_virus_info_to_fds>
      <submit_vuln_info_to_fds>1</submit_vuln_info_to_fds>
    </update>
  </system>
</forticlient_configuration>

The following table provides the XML tags for update settings, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<use_custom_server>

Define a custom server for updates. When the Boolean value is set to 0, FortiClient uses the default FDN server address. When the Boolean value is set to 1, you must specify the address in <update><server>. This setting is typically used when specifying a FortiManager as your update server.

Boolean value: [0 | 1]

0

<restrict_services_to_regions>

Define whether to restrict the FDN server location to U.S.-only, or to use the nearest FDN server.

To restrict to U.S.-only FDN server locations, set to USA, as follows: <restrict_services_to_regions>USA</restrict_services_to_regions>.

Otherwise, leave blank. This is the default configuration.

<use_legacy_fdn>

When enabled, update tasks use HTTP to connect to myforticlient.fortinet.net.

When disabled, the following occurs:

  • Update tasks use HTTPS to connect to:
    • fctupdate.fortinet.net (global region)
    • fctusupdate.fortinet.net (US region)
    • fcteuupdate.fortinet.net (EU region)
  • FortiClient checks the FortiGuard certificate validity:
    • Expires in the future
    • Has a valid domain name
    • Is signed by one of the three CAs: Verisign, Digicert, and Comodo
  • FortiClient checks that the certificate is not revoked. By default, FortiClient connects to FDS via HTTPS. You can configure strict mode to check the certificate before connecting to FDS servers.

1

<server>

Enter the update server's IP address or FQDN. Use when <use_custom_server> is set to 1.

Optionally, you can specify the port number. You can specify multiple addresses using a semicolon delimited list.

For example, 10.10.10.1:80;10.10.10.2:8080;172.16.10.80;www.myfortimanager.net. In this example, FortiClient tries each server specified in order until one works or they all fail.

<port>

Enter the update server's port number. If a port number is not specified in <update><server>, FortiClient uses this port.

Port range: 1 to 65535

80

<fail_over_servers>

Enter the update servers to try if FortiClient cannot reach the primary server. Separate multiple servers with a semicolon. Enter the IP address or FQDN, followed by a colon and the port number if applicable.

<timeout>

Enter the connection timeout, in seconds, when attempting to reach a custom update server. If a server is reachable but not responding to update requests, the actual timeout is longer.

The timeout specified is applied three times to one <server>:<port> pair before FortiClient gives up on this pair. If <failoverport> is specified, and greater than 0, there are a total of six attempts (three attempts for <server>:<port>, three attempts for <server>:<failoverport>).

60

<failoverport>

Failover port number. If FortiClient cannot reach the update server via the port specified in <server> or <port>, FortiClient tries the same address with this port.

Port range: 1 to 65535

8000

<fail_over_to_fdn>

Determines whether or not to use FDN servers if communication with custom <server> fails. If the Boolean value is set to 1, <use_custom_server> is set to 1, and the update server specified by <server> cannot be reached, then FortiClient tries the default public FDN server. This is tried only if FortiClient has exhausted all other custom update server options.

Boolean value: [0 | 1]

1

<use_proxy_when_fail_over_to_fdn>

Supports failover to FDN servers if FortiClient uses a proxy server defined with <forticlient_configuration><system><proxy> and <fail_over_to_fdn> is set to 1. Set <use_proxy_when_fail_over_to_fdn> to 1 to fail over to FDN servers. This element is ignored when no proxy server is defined with <forticlient_configuration><system><proxy>.

Boolean value: [0 | 1]

1

<submit_virus_info_to_fds>

Enable submitting virus information to FDN.

Boolean value: [0 | 1]

1

<submit_vuln_info_to_fds>

Enable submitting vulnerability statistics to FDN. When set to 1, send vulnerability detection statistics from the vulnerability scanner to FDN. When set to 0, do not send vulnerability statistics to FDN.

Boolean value: [0 | 1]

1

<scheduled_update> elements

Use these elements to define when FortiClient should look for engine, signature, and software updates, if enabled.

<enabled>

Enable scheduled updates.

Boolean value: [0 | 1]

1

<type>

Update frequency: daily or at regular hourly intervals. Enter one of the following:

  • daily
  • interval

interval

<daily_at>

Time of day, in the format HH:MM (24-hour clock), at which FortiClient should check for updates. This field is mandatory if the <type> tag is set to daily.

<update_interval_in_hours>

Update interval in hours if the <type> tag is set to interval. This field specifies the frequency that FortiClient should check for updates. The minimum value is 1, the maximum value is 24.

3

When <use_custom_server> is 0 or both <server> and <fail_over_servers> are each an empty (null) string, FortiClient only uses the default FDN server for software updates. If a string is specified in <server> and communication fails with that server, each of the servers specified in <fail_over_servers> is tried until one succeeds. If that also fails, then software updates are not possible unless <fail_over_to_fdn> is set to 1.

If communication fails with the server(s) specified in both <server> and <fail_over_servers>, <fail_over_to_fdn> determines the next course of action as listed:

| <server> | <fail_over_to_fdn> | Result |
| --- | --- | --- |
| “” (empty strings) | 0 | FortiClient only uses the FDN server. |
| “” (empty strings) | 1 | FortiClient only uses the FDN server. |
| “xyz” (valid IP address) | 0 | FortiClient never uses the FDN server. |
| “xyz” (valid IP address) | 1 | FortiClient only uses the FDN server as failover. |
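
The failover order and timeout rules described above, as an added Python example (not Fortinet code): it parses an <update> block, lists the endpoints FortiClient would try in order, and reports whether FDN traffic would go over HTTP because <use_legacy_fdn> is 1. The sample configuration, the function names, and the reading that <failoverport> and the three-attempt timeout apply only to <server> entries are assumptions based on this page's wording.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): custom server, other values as documented.
SAMPLE = """<forticlient_configuration><system><update>
<use_custom_server>1</use_custom_server>
<use_legacy_fdn>1</use_legacy_fdn>
<server>10.10.10.1:80;www.myfortimanager.net</server>
<port>8080</port>
<fail_over_servers>10.10.10.2:8080</fail_over_servers>
<timeout>60</timeout>
<failoverport>8000</failoverport>
<fail_over_to_fdn>1</fail_over_to_fdn>
</update></system></forticlient_configuration>"""

def split_hosts(text, default_port):
    """Parse 'host[:port];host[:port]' into (host, port) tuples (IPv4/FQDN only)."""
    hosts = []
    for item in filter(None, (s.strip() for s in text.split(";"))):
        host, sep, port = item.rpartition(":")
        hosts.append((host, int(port)) if sep else (item, default_port))
    return hosts

def audit_update(xml_text):
    upd = ET.fromstring(xml_text).find("./system/update")
    def get(tag, default):  # documented default when the tag is absent or empty
        return (upd.findtext(tag) or default).strip()
    port = int(get("port", "80"))
    fport = int(get("failoverport", "8000"))
    custom = get("use_custom_server", "0") == "1"
    primary = split_hosts(get("server", ""), port) if custom else []
    # Assumption: an empty <server> means FDN only, as in the page's result table.
    backups = split_hosts(get("fail_over_servers", ""), port) if primary else []
    order = []
    for host, p in primary:
        order.append(f"{host}:{p}")
        if fport > 0:  # same address retried on <failoverport>
            order.append(f"{host}:{fport}")
    order += [f"{h}:{p}" for h, p in backups]
    uses_fdn = not primary or get("fail_over_to_fdn", "1") == "1"
    if uses_fdn:
        order.append("FDN")
    legacy = get("use_legacy_fdn", "1") == "1"
    return {
        "order": order,
        "uses_fdn": uses_fdn,
        # use_legacy_fdn=1: HTTP, so none of the listed certificate checks apply
        "fdn_transport": ("http" if legacy else "https") if uses_fdn else None,
        # three timeouts per <server> port pair, doubled when <failoverport> > 0
        "primary_timeout_s": int(get("timeout", "60")) * 3 * (2 if fport > 0 else 1) * len(primary),
    }
```

A result with "FDN" in the order and fdn_transport equal to "http" marks a profile that can still reach the public FDN over unauthenticated HTTP; setting <use_legacy_fdn> to 0, or <fail_over_to_fdn> to 0 where only internal servers are allowed, changes that outcome.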
