System Settings

System Settings

The majority of these configuration options are only available for Windows, macOS, and Linux profiles. The table indicates which options are available for Chromebook profiles, such as Upload Logs to FortiAnalyzer/FortiManager.

Some options are only available when Advanced view is enabled.

Configuration		Description
UI		Specify how the FortiClient user interface appears when installed on endpoints.
Require Password to Disconnect from EMS		Turn on password lock for FortiClient.
	Password	Enter a password. The endpoint user must enter this password to disconnect FortiClient from FortiClient EMS.
Do Not Allow User to Back Up Configuration		Disallow users from backing up the FortiClient configuration.
Hide User Information		Hide the User Details panel where the user can provide user details (avatar, name, phone number, email address), and link to a social media (LinkedIn, Google, Salesforce) account.
Hide System Tray Icon		Hide the FortiClient system tray icon.
Show Host Tag on FortiClient GUI		Show the applied host tag on the FortiClient GUI. See Zero Trust Tags.
Language		Configure the language that FortiClient uses. By default, FortiClient uses the system operating language. Select one of the following: os-default (System operating language, selected by default) zh-tw (Taiwanese Mandarin) cs-cz (Czech) de-de (German) en-us (United States English) fr-fr (French) hu-hu (Hungarian) ru-ru (Russian) ja-jp (Japanese) ko-kr (Korean) pt-br (Brazilian Portuguese) sk-sk (Slovak) es-es (Spanish) zh-cn (Chinese (Simplified)) et-ee (Estonian) lv-lv (Latvian) lt-lt (Lithuanian) fi-fi (Finnish) sv-se (Swedish) da-dk (Danish) pl-pl (Portuguese (Portugal)) nb-no (Norwegian) fr-ca (Canadian French)
Log		Specify FortiClient log settings.
Level		This option is available for Chromebook profiles. Generates logs equal to and more critical than the selected level. Select one of the following: Emergency: The system becomes unstable. Alert: Immediate action is required. Critical: Functionality is affected. Error: An error condition exists and may affect functionality. Warning: Functionality could be affected. Notice: Information about normal events. Info: General information about system operations. Debug: Debug FortiClient. Detailed debug logs for the selected features are generated on the endpoint. You can request the creation and download of the diagnostic tool output, which includes these logs.
Features		Select features to generate logs for: AntiVirus Application Firewall Telemetry FSSOMA Proxy IPsec VPN AntiExploit SSL VPN Update Vulnerability Web Filter Sandbox
Client-Based Logging When On-Fabric		Include local log messages when FortiClient is on-fabric. See On-fabric Detection Rules.
Upload Logs to FortiAnalyzer/FortiManager		This option and all nested options are available for Chromebook profiles. Configure endpoints to sends logs to the FortiAnalyzer or FortiManager at the specified address or hostname.
	Upload UTM Logs	Upload unified threat management logs to FortiAnalyzer or FortiManager.
	Upload Vulnerability Logs	Upload vulnerability logs to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.2 and earlier versions.
	Upload Event Logs	Upload event logs to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.2 and earlier versions.
	Upload System Event	Upload system events to FortiAnalyzer or FortiManager. This includes logs for endpoint control, update, and FortiClient events.
	Upload Security Event	Upload security events to FortiAnalyzer or FortiManager. This includes logs for Malware Protection, Web Filter, Vulnerability Scan, and Application Firewall events.
	Send Software Inventory	EMS sends FortiClient software inventory to FortiAnalyzer or FortiManager. This feature requires the EPP license. See FortiClient EMS.
	Send OS Events	EMS sends endpoint host events to FortiAnalyzer or FortiManager. EMS supports this feature for Windows and macOS endpoints. For macOS endpoints, OS event logs are stored at `/var/log/system.log`.
	Event telemetry interval	Enter the telemetry interval in seconds.
	IP Address/Hostname	Enter the FortiAnalyzer IP address or hostname/FQDN. With Chromebook profiles, use the format https://FAZ-IP:port/logging. If using a port other than the default, use <address>:<port>.
	SSL Enabled	Enable SSL.
	Upload Schedule	Configure the upload schedule in minutes.
	Log Generation Timeout	Configure the log generation timeout in seconds.
	Log Retention	Configure the duration of time to retain logs in days.
Proxy
Use Proxy for Updates		Access FortiGuard using the configured proxy.
	Connect to FDN Directly If Proxy Is Offline	Connect to FDN directly if proxy is offline.
Use Proxy for Virus Submission		Use the configured proxy to submit viruses to FortiGuard.
	Type	Configure the type. Options include: http socks4 socks5
	IP Address/Hostname	Enter the proxy server's IP address/hostname.
	Port	Enter the proxy server's port number. The port range is from 1 to 65535.
	Username	If the proxy requires authentication, enter the username. Enter the encrypted or non-encrypted username.
	Password	If the proxy requires authentication, enter the password. Enter the encrypted or non-encrypted username. Enable Show Password to show the password in plain text.
Update		Specify whether to use FortiManager to update FortiClient on endpoints.
Use FortiManager for Client Signature Update		Enable FortiClient EMS to obtain AV signatures from the FortiManager at the specified IP address or hostname.
	IP Address/Hostname	Enter the FortiManager IP address/hostname.
	Port	Enter the port number.
	Failover Port	Enter the failover port.
	Timeout	Enter the timeout interval.
	Failover to FDN When FortiManager Is Not Available	Fail over to FDN when FortiManager is not available.
FortiGuard Server Location		Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server. FortiClient connects to FortiGuard to query for AV and vulnerability scan engine and signature updates. The URLs connected to for each server location are as follows: FortiGuard: Global: forticlient.fortinet.net U.S.: usforticlient.fortinet.net FortiGuard Anycast: Global: fctupdate.fortinet.net U.S.: fctusupdate.fortinet.net Europe: fcteuupdate.fortinet.net
Server		Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.
FortiProxy		Enable FortiProxy (disable only when troubleshooting). You must enable FortiProxy to use Web Filter and some AV options.
HTTPS Proxy		Enable HTTPS proxy. If disabled, FortiProxy no longer inspects HTTPS traffic.
	HTTP Timeout	Enter the HTTP connection timeout interval in seconds. FortiProxy determines if the remote server is available based on this timeout value. Lower this timeout value if your client requires a faster fail response.
POP3 Client Comforting		Enable POP3 client comforting. Client comforting helps to prevent POP3 clients from complaining that the server has not responded in time.
POP3 Server Comforting		Enable POP3 server comforting. Server comforting helps to prevent POP3 servers from complaining that the client has not responded in time. You may use this in a situation where FortiClient is installed on a mail server.
SMTP Client Comforting		Enable SMTP client comforting. SMTP comforting helps to prevent SMTP clients from complaining that the server has not responded in time.
Self Test		FortiProxy can detect if other software is disrupting internal traffic between FortiProxy's internal modules. It does this by sending packets periodically to 1.1.1.1, which are intercepted by FortiClient and dropped (they never leave the computer). If the packets are not detected, then it is deemed highly likely that third party software is intercepting the packets, signaling that FortiProxy cannot perform regular traffic filtering. Enable self tests. FortiProxy periodically checks its own connectivity to determine if it is able to proxy other applications' traffic.
	Notify	Display a bubble notification when self-testing detects that a third party program has blocked HTTP/HTTPS filtering and SMTP/POP3 AV scanning.
	Last Port	Enter the last port number used. This is the highest port number you want to allow FortiProxy to listen on. Use to prevent FortiProxy from binding to another port that another service normally uses. The available port range is 65535 to 10000.
Endpoint Control
Show Bubble Notifications		Show bubble notifications when FortiClient installs new policies on endpoints.
Log off When User Logs Out of Windows		Log off FortiClient when the endpoint user logs out of Windows. Turn off to remain logged in.
Disable Disconnect		Forbid users from disconnecting FortiClient from FortiClient EMS.
On-Fabric Subnets		Turn on to enable on-fabric subnets. FortiClient determines on-/off-fabric status using Determining on-fabric/off-fabric status. This option only applies for endpoints running FortiClient 6.2.1 and earlier versions. For endpoints running FortiClient 6.2.2 and later versions, see On-fabric Detection Rules.
	IP Addresses/Subnet Masks	Enter IP addresses/subnet mask to connect to on-fabric subnets.
	Gateway MAC Address	Enable gateway MAC address.
	MAC Addresses	Enter MAC addresses.
Send Software Inventory		Send installed application information to FortiClient EMS. If the Upload Logs to FortiAnalyzer/FortiManager option is enabled, the endpoint also sends the software inventory information to FortiAnalyzer. See Software Inventory. This feature requires the EPP license. See FortiClient EMS.
Invalid Certificate Action		Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate: Allow: allows FortiClient to connect to EMS with an invalid certificate. Warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate. Deny: block FortiClient from connecting to EMS with an invalid certificate.
User Identity Settings
Allow Users to Specify Identity Using		Enable users to specify their identity in FortiClient using the following methods: Manually entering their details in FortiClient Logging in to their account for the following social media services: LinkedIn Google Salesforce By default, EMS obtains user details from the endpoint OS. If the user provides their details using one of the methods above, EMS obtains the user-specified details instead. If this option is disabled, EMS obtains and displays user details from the endpoint OS.
Notify Users to Submit User Identity Information		Displays a notification on the endpoint for the user to specify their identity. If the user closes the notification without specifying their identity, the notification displays every ten minutes until the user submits their identity information.
Other
Install CA Certificate on Client		Turn on to select and install a CA certificate on the FortiClient endpoint. You can add certificates by going to Endpoint Policy & Components > CA Certificates.
FortiClient Single Sign-On Mobility Agent		Enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator.
	IP Address/Hostname	Enter the FortiAuthenticator IP address or hostname.
	Port	Enter the port number.
	Pre-Shared Key	Enter the preshared key. The preshared key should match the key configured on your FortiAuthenticator.
iOS
Distribute Configuration Profile		Enable and browse for your `.mobileconfig` file to distribute the configuration profile.
Privacy
Send Usage Statistics to Fortinet		Submit virus information to FDS. Fortinet uses this information to improve product quality and user experience.

System Settings

Some options are only available when Advanced view is enabled.

Configuration		Description
UI		Specify how the FortiClient user interface appears when installed on endpoints.
Require Password to Disconnect from EMS		Turn on password lock for FortiClient.
	Password	Enter a password. The endpoint user must enter this password to disconnect FortiClient from FortiClient EMS.
Do Not Allow User to Back Up Configuration		Disallow users from backing up the FortiClient configuration.
Hide User Information		Hide the User Details panel where the user can provide user details (avatar, name, phone number, email address), and link to a social media (LinkedIn, Google, Salesforce) account.
Hide System Tray Icon		Hide the FortiClient system tray icon.
Show Host Tag on FortiClient GUI		Show the applied host tag on the FortiClient GUI. See Zero Trust Tags.
Language		Configure the language that FortiClient uses. By default, FortiClient uses the system operating language. Select one of the following: os-default (System operating language, selected by default) zh-tw (Taiwanese Mandarin) cs-cz (Czech) de-de (German) en-us (United States English) fr-fr (French) hu-hu (Hungarian) ru-ru (Russian) ja-jp (Japanese) ko-kr (Korean) pt-br (Brazilian Portuguese) sk-sk (Slovak) es-es (Spanish) zh-cn (Chinese (Simplified)) et-ee (Estonian) lv-lv (Latvian) lt-lt (Lithuanian) fi-fi (Finnish) sv-se (Swedish) da-dk (Danish) pl-pl (Portuguese (Portugal)) nb-no (Norwegian) fr-ca (Canadian French)
Log		Specify FortiClient log settings.
Level		This option is available for Chromebook profiles. Generates logs equal to and more critical than the selected level. Select one of the following: Emergency: The system becomes unstable. Alert: Immediate action is required. Critical: Functionality is affected. Error: An error condition exists and may affect functionality. Warning: Functionality could be affected. Notice: Information about normal events. Info: General information about system operations. Debug: Debug FortiClient. Detailed debug logs for the selected features are generated on the endpoint. You can request the creation and download of the diagnostic tool output, which includes these logs.
Features		Select features to generate logs for: AntiVirus Application Firewall Telemetry FSSOMA Proxy IPsec VPN AntiExploit SSL VPN Update Vulnerability Web Filter Sandbox
Client-Based Logging When On-Fabric		Include local log messages when FortiClient is on-fabric. See On-fabric Detection Rules.
Upload Logs to FortiAnalyzer/FortiManager		This option and all nested options are available for Chromebook profiles. Configure endpoints to sends logs to the FortiAnalyzer or FortiManager at the specified address or hostname.
	Upload UTM Logs	Upload unified threat management logs to FortiAnalyzer or FortiManager.
	Upload Vulnerability Logs	Upload vulnerability logs to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.2 and earlier versions.
	Upload Event Logs	Upload event logs to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.2 and earlier versions.
	Upload System Event	Upload system events to FortiAnalyzer or FortiManager. This includes logs for endpoint control, update, and FortiClient events.
	Upload Security Event	Upload security events to FortiAnalyzer or FortiManager. This includes logs for Malware Protection, Web Filter, Vulnerability Scan, and Application Firewall events.
	Send Software Inventory	EMS sends FortiClient software inventory to FortiAnalyzer or FortiManager. This feature requires the EPP license. See FortiClient EMS.
	Send OS Events	EMS sends endpoint host events to FortiAnalyzer or FortiManager. EMS supports this feature for Windows and macOS endpoints. For macOS endpoints, OS event logs are stored at `/var/log/system.log`.
	Event telemetry interval	Enter the telemetry interval in seconds.
	IP Address/Hostname	Enter the FortiAnalyzer IP address or hostname/FQDN. With Chromebook profiles, use the format https://FAZ-IP:port/logging. If using a port other than the default, use <address>:<port>.
	SSL Enabled	Enable SSL.
	Upload Schedule	Configure the upload schedule in minutes.
	Log Generation Timeout	Configure the log generation timeout in seconds.
	Log Retention	Configure the duration of time to retain logs in days.
Proxy
Use Proxy for Updates		Access FortiGuard using the configured proxy.
	Connect to FDN Directly If Proxy Is Offline	Connect to FDN directly if proxy is offline.
Use Proxy for Virus Submission		Use the configured proxy to submit viruses to FortiGuard.
	Type	Configure the type. Options include: http socks4 socks5
	IP Address/Hostname	Enter the proxy server's IP address/hostname.
	Port	Enter the proxy server's port number. The port range is from 1 to 65535.
	Username	If the proxy requires authentication, enter the username. Enter the encrypted or non-encrypted username.
	Password	If the proxy requires authentication, enter the password. Enter the encrypted or non-encrypted username. Enable Show Password to show the password in plain text.
Update		Specify whether to use FortiManager to update FortiClient on endpoints.
Use FortiManager for Client Signature Update		Enable FortiClient EMS to obtain AV signatures from the FortiManager at the specified IP address or hostname.
	IP Address/Hostname	Enter the FortiManager IP address/hostname.
	Port	Enter the port number.
	Failover Port	Enter the failover port.
	Timeout	Enter the timeout interval.
	Failover to FDN When FortiManager Is Not Available	Fail over to FDN when FortiManager is not available.
FortiGuard Server Location		Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server. FortiClient connects to FortiGuard to query for AV and vulnerability scan engine and signature updates. The URLs connected to for each server location are as follows: FortiGuard: Global: forticlient.fortinet.net U.S.: usforticlient.fortinet.net FortiGuard Anycast: Global: fctupdate.fortinet.net U.S.: fctusupdate.fortinet.net Europe: fcteuupdate.fortinet.net
Server		Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.
FortiProxy		Enable FortiProxy (disable only when troubleshooting). You must enable FortiProxy to use Web Filter and some AV options.
HTTPS Proxy		Enable HTTPS proxy. If disabled, FortiProxy no longer inspects HTTPS traffic.
	HTTP Timeout	Enter the HTTP connection timeout interval in seconds. FortiProxy determines if the remote server is available based on this timeout value. Lower this timeout value if your client requires a faster fail response.
POP3 Client Comforting		Enable POP3 client comforting. Client comforting helps to prevent POP3 clients from complaining that the server has not responded in time.
POP3 Server Comforting		Enable POP3 server comforting. Server comforting helps to prevent POP3 servers from complaining that the client has not responded in time. You may use this in a situation where FortiClient is installed on a mail server.
SMTP Client Comforting		Enable SMTP client comforting. SMTP comforting helps to prevent SMTP clients from complaining that the server has not responded in time.
Self Test		FortiProxy can detect if other software is disrupting internal traffic between FortiProxy's internal modules. It does this by sending packets periodically to 1.1.1.1, which are intercepted by FortiClient and dropped (they never leave the computer). If the packets are not detected, then it is deemed highly likely that third party software is intercepting the packets, signaling that FortiProxy cannot perform regular traffic filtering. Enable self tests. FortiProxy periodically checks its own connectivity to determine if it is able to proxy other applications' traffic.
	Notify	Display a bubble notification when self-testing detects that a third party program has blocked HTTP/HTTPS filtering and SMTP/POP3 AV scanning.
	Last Port	Enter the last port number used. This is the highest port number you want to allow FortiProxy to listen on. Use to prevent FortiProxy from binding to another port that another service normally uses. The available port range is 65535 to 10000.
Endpoint Control
Show Bubble Notifications		Show bubble notifications when FortiClient installs new policies on endpoints.
Log off When User Logs Out of Windows		Log off FortiClient when the endpoint user logs out of Windows. Turn off to remain logged in.
Disable Disconnect		Forbid users from disconnecting FortiClient from FortiClient EMS.
On-Fabric Subnets		Turn on to enable on-fabric subnets. FortiClient determines on-/off-fabric status using Determining on-fabric/off-fabric status. This option only applies for endpoints running FortiClient 6.2.1 and earlier versions. For endpoints running FortiClient 6.2.2 and later versions, see On-fabric Detection Rules.
	IP Addresses/Subnet Masks	Enter IP addresses/subnet mask to connect to on-fabric subnets.
	Gateway MAC Address	Enable gateway MAC address.
	MAC Addresses	Enter MAC addresses.
Send Software Inventory		Send installed application information to FortiClient EMS. If the Upload Logs to FortiAnalyzer/FortiManager option is enabled, the endpoint also sends the software inventory information to FortiAnalyzer. See Software Inventory. This feature requires the EPP license. See FortiClient EMS.
Invalid Certificate Action		Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate: Allow: allows FortiClient to connect to EMS with an invalid certificate. Warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate. Deny: block FortiClient from connecting to EMS with an invalid certificate.
User Identity Settings
Allow Users to Specify Identity Using		Enable users to specify their identity in FortiClient using the following methods: Manually entering their details in FortiClient Logging in to their account for the following social media services: LinkedIn Google Salesforce By default, EMS obtains user details from the endpoint OS. If the user provides their details using one of the methods above, EMS obtains the user-specified details instead. If this option is disabled, EMS obtains and displays user details from the endpoint OS.
Notify Users to Submit User Identity Information		Displays a notification on the endpoint for the user to specify their identity. If the user closes the notification without specifying their identity, the notification displays every ten minutes until the user submits their identity information.
Other
Install CA Certificate on Client		Turn on to select and install a CA certificate on the FortiClient endpoint. You can add certificates by going to Endpoint Policy & Components > CA Certificates.
FortiClient Single Sign-On Mobility Agent		Enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator.
	IP Address/Hostname	Enter the FortiAuthenticator IP address or hostname.
	Port	Enter the port number.
	Pre-Shared Key	Enter the preshared key. The preshared key should match the key configured on your FortiAuthenticator.
iOS
Distribute Configuration Profile		Enable and browse for your `.mobileconfig` file to distribute the configuration profile.
Privacy
Send Usage Statistics to Fortinet		Submit virus information to FDS. Fortinet uses this information to improve product quality and user experience.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

EMS Administration Guide

System Settings

System Settings

System Settings