Separate endpoint profiles 7.0.3

FortiClient EMS 7.0.3 introduces separate endpoint profiles to allow for a simpler and modular approach to endpoint profile management. You now configure separate Remote Access profiles, ZTNA Connection Rules profiles, Web Filter profiles, and so on. You then configure different profile combinations as part of an endpoint policy to deploy to endpoints.

For example, consider that you have two endpoint groups: Groups A and B. You want Group A and Group B to share identical FortiClient settings, except that Group A's antivirus scheduled scan is on a weekly basis, while Group B's is on a monthly basis. In 7.0.2 and earlier versions, you would need to create two endpoint profiles with the desired scan schedules on the Malware Protection tabs. All other settings on the profile's other tabs are identical between the two profiles. You would configure two endpoint policies that are configured with the two profiles. At a later point in time, if you wanted to configure a new VPN tunnel for both groups, you would need to configure the VPN tunnel on both endpoint profiles.

To accommodate this configuration in 7.0.3 and later versions, you would configure two Malware Protection profiles with the desired scan schedules to apply to the two groups, as well as two endpoint policies that are configured with the two profiles. Since all other FortiClient settings are identical across the two groups, you would configure the same Remote Access profile, Web Filter profile, Vulnerability Scan profile, and so on, for both policies. At a later point in time, if you wanted to configure a VPN tunnel for both groups, you would only need to do so in the shared Remote Access profile, rather than redundantly modifying multiple profiles.

You can view the new separate profiles in Endpoint Profiles. You can edit, clone, and delete profiles without affecting other profile types.

To import a profile:
  1. Go to Endpoint Profiles.
  2. Select the desired profile type.
  3. Click Import from File.
  4. In the Name field, enter the desired name.
  5. In the XML field, browse to and upload the desired profile.
  6. Do one of the following:
    1. To import all profile components, enable Import All Components.
    2. To import selected components, select the desired components from the Components dropdown list.
  7. Click Upload.

To assign endpoint profiles to a policy:
  1. Go to Endpoint Policy & Components > Manage Policies.
  2. Create a new policy or edit an existing policy.
  3. If desired, enable Profile (Off-Fabric).
  4. Configure the desired profiles for the desired features.
  5. You can use the Profile XML and Off-Fabric Profile XML buttons to download on- and off-net profiles in XML format.
  6. Click Save. You can view each policy's assigned profiles for each feature under Profile Components and Off Net Profile Components.

For a Chromebook policy, you can only assign Web Filter and System Settings profiles.
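
The following is an added example, not Fortinet's code: a Python check that the Profile XML downloads of two policies differ only in the sections you expect, as in the Group A and Group B scenario above. The sample XML is constructed and simplified, and its element names are assumptions; substitute the top-level section names found in your own exports.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-ins for two "Profile XML" downloads.
# Element names are illustrative assumptions, not the EMS schema.
GROUP_A_XML = """<forticlient_configuration>
  <antivirus><scheduled_scan><repeat>weekly</repeat></scheduled_scan></antivirus>
  <vpn><tunnel><name>HQ</name><server>vpn.example.com</server></tunnel></vpn>
  <webfilter><enabled>1</enabled></webfilter>
</forticlient_configuration>"""
GROUP_B_XML = GROUP_A_XML.replace("weekly", "monthly")
# Drift case: Group B's copy carries a tunnel that Group A's lacks.
GROUP_B_DRIFTED = GROUP_B_XML.replace(
    "</vpn>",
    "<tunnel><name>Branch</name><server>vpn2.example.com</server></tunnel></vpn>")


def canonical(elem):
    """Return a nested tuple for elem that ignores whitespace and attribute order."""
    text = (elem.text or "").strip()
    attrs = tuple(sorted(elem.attrib.items()))
    return (elem.tag, attrs, text, tuple(canonical(child) for child in elem))


def sections(xml_text):
    """Map each top-level section tag to the canonical forms of its subtrees."""
    # Parse only files exported from your own EMS, not untrusted XML.
    result = {}
    for child in ET.fromstring(xml_text):
        result.setdefault(child.tag, []).append(canonical(child))
    return result


def differing_sections(xml_a, xml_b):
    """Return sorted names of sections that differ or exist on one side only."""
    a, b = sections(xml_a), sections(xml_b)
    return sorted(tag for tag in a.keys() | b.keys() if a.get(tag) != b.get(tag))


def unexpected_drift(xml_a, xml_b, allowed):
    """Return differing sections that are not in the set expected to differ."""
    return [tag for tag in differing_sections(xml_a, xml_b) if tag not in allowed]


if __name__ == "__main__":
    allowed = {"antivirus"}  # only the scan schedule should differ
    print(differing_sections(GROUP_A_XML, GROUP_B_XML))
    print(unexpected_drift(GROUP_A_XML, GROUP_B_DRIFTED, allowed))
```

A non-empty result from `unexpected_drift` means a setting that should come from a shared profile has diverged between the two policies.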
