Fortinet white logo
Fortinet white logo

Endpoint control

Endpoint control

FortiClient usually downloads endpoint control configuration elements from FortiClient EMS after FortiClient connects to FortiClient EMS. There are two sections:

  • The <endpoint_control></endpoint_control> XML tags contain general endpoint control attributes.
  • Configuration details relating to specific FortiClient services, such as AV, Web Filter, Application Firewall, Vulnerability Scan, and so on. You can find these in the respective configuration elements of the services affected.

The following lists general endpoint control attributes:

<forticlient_configuration>

<endpoint_control>

<checksum></checksum>

<enabled>1</enabled>

<socket_connect_timeouts>1:5</socket_connect_timeouts>

<system_data>Encrypted_String</system_data>

<disable_unregister>0</disable_unregister>

<disable_fgt_switch>1</disable_fgt_switch>

<ping_server>172.17.61.178:8010</ping_server>

<fgt_name>FG_Hostname</fgt_name>

<fgt_sn>Encrypted_Serial_Number_String</fgt_sn>

<offnet_update>1</offnet_update>

<user>Encrypted_UsernameString</user>

<skip_confirmation>0</skip_confirmation>

<fgt_logoff_on_fct_shutdown>1</fgt_logoff_on_fct_shutdown>

<show_bubble_notifications>1</show_bubble_notifications>

<avatar_enabled>1</avatar_enabled>

<silent_registration>0</silent_registration>

<notify_fgt_on_logoff>1</notify_fgt_on_logoff>

<fgt_list>Enc256828d1e23febfa0b789324ea1fc9cf45acdc8af3888e7aa26677825bbf8d5d123fcbc2884f3cb3f2a03b5414ab01e6a6c22762add0c4f209224f052dec29491e1d15eee4a1a290a81b367c3d4a5251258ed14921e231547f52d9e3</fgt_list>

<send_software_inventory>1</send_software_inventory>

<onnet_addresses></onnet_addresses>

<onnet_mac_addresses></onnet_mac_addresses>

<onnet_rules>

<rule_set>

<dhcp_server>

<dhcp_code>

<criterion id="0">123456</criterion>

<criterion id="1">abcdef</criterion>

</dhcp_code>

</dhcp_server>

<local_ip>

<ip_address>

<criterion id="2">1234:abc:abcd:0012::0/64</criterion>

<criterion id="3">2.2.2.2/3</criterion>

</ip_address>

<mac_address>

<criterion id="4">11-11-11-11-11-11</criterion>

<criterion id="5">22-22-22-22-22-22</criterion>

</mac_address>

</local_ip>

</rule_set>

<rule_set>

<connection_media>

<wifi_ssid>

<criterion id="6">STAFF-NETWORK, WPA3</criterion>

</wifi_ssid>

<ethernet>

<criterion id="10">Connected</criterion>

</ethernet>

</connection_media>

<local_ip>

<ip_address>

<criterion id="7">1.1.1.1-2.2.2.2</criterion>

</ip_address>

<mac_address>

<criterion id="8">33-33-33-33-33-33</criterion>

</mac_address>

</local_ip>

<vpn>

<tunnel_name>

<criterion id="9">SSLVPN_VAN</criterion>

</tunnel_name>

</vpn>

</rule_set>

</onnet_rules>

<ui>

<display_antivirus>1</display_antivirus>

<display_sandbox>1</display_sandbox>

<display_webfilter>1</display_webfilter>

<display_firewall>1</display_firewall>

<display_vpn>1</display_vpn>

<display_vulnerability_scan>1</display_vulnerability_scan>

<display_ztna>1</display_ztna>

<display_compliance>1</display_compliance>

<hide_compliance_warning>0</hide_compliance_warning>

</ui>

<alerts>

<notify_server>1</notify_server>

<alert_threshold>1</alert_threshold>

</alerts>

<fortigates>

<fortigate>

<serial_number></serial_number>

<name></name>

<registration_password></registration_password>

<addresses></addresses>

</fortigate>

</fortigates>

<notification_server>

<address>172.17.60.26:8013</address>

</notification_server>

<nac>

<processes>

<process id="1" name="MS Word" rule="present">

<signature name="processname.exe">SHA256 of file</signature>

<signature name="processname.exe">SHA256 of file</signature>

</process>

<process id="2" name="FortiToken" rule="absent">

<signature name="processname2.exe"/>

</process>

</processes>

<files>

<path id="1">Path to folder/file</path>

<path id="2">Path to folder/file</path>

</files>

<registry>

<path id="1">path to 32bit or 64bit registry key or value</path>

<path id="2">path to 32bit or 64bit registry key or value</path>

</registry>

</nac>

</endpoint_control>

</forticlient_configuration>

The following table provides the XML tags for endpoint control, as well as descriptions and default values where applicable.

XML tag

Description

Default value

<checksum>

Configuration checksum calculated on and enforced by FortiGate and EMS.

<enabled>

Enable endpoint control.

<system_data>

Endpoint control system information. This element is protected and not intended to be changed.

<socket_connect_timeouts>

Probe timeout for endpoint control registration and keep-alive message timeout in seconds.

probe_timeout:keep_alive_timeout

Changing socket connect time outs may affect performance.

1:5

<ping_server>

Ping server's IP address or FQDN.

FortiClient updates this tag when it connects to FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_name>

The FortiGate hostname or EMS that FortiClient is currently connected to, if any.

FortiClient updates this tag when it connects to the FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_sn>

The connected FortiGate or EMS's encrypted serial number, if any. Do not edit this field.

You can safely delete this field.

<offnet_update>

Enable synchronization of configuration updates from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<user>

Encrypted username.

<skip_confirmation>

Skip prompting the user before proceeding to complete connection with FortiGate or EMS.

Boolean value: [0 | 1]

0

<disable_unregister>

Prevent a connected client from being able to disconnect after successfully connecting to FortiGate or EMS.

Boolean value: [0 | 1]

When this setting is configured as 1, the FortiClient user is unable to disconnect from the FortiGate or EMS after initial registration. This XML setting is intended to be used with <silent_registration>. If Enable Registration Key for FortiClient is enabled on FortiGate or EMS, configure this password in the <registration_password> XML tag, and enter the IP address or addresses of the FortiGate or EMS in the <addresses> XML tag.

0

<disable_fgt_switch>

Disable the FortiGate switch.

Boolean value: [0 | 1]

This XML setting is intended for use with <silent_registration> and <disable_unregister>. If Enable Registration Key for FortiClient is enabled on the FortiGate, configure this password in the <registration_password> XML tag and enter the IP address or addresses of the FortiGate in the <addresses> XML tag.

When <disable_fgt_switch> is configured as 1, the FortiGate switch is disabled. As a result:

  • FortiClient does not probe the default gateway.
  • FortiClient does not automatically connect to the default gateway.
  • FortiClient ignores FortiGate broadcasts.
  • The discovered list displays only predefined FortiGate devices, if discovered.

<fgt_logoff_on_fct_shutdown>

Notify FortiGate or EMS when FortiClient is shut down.

Boolean value: [0 | 1]

1

<show_bubble_notification>

Show notifications in the system tray when a configuration update is received from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<avatar_enabled>

Control whether FortiClient sends the user avatar to EMS and the FortiGate.

Boolean value: [0 | 1]

1

<silent_registration>

Connect to the FortiGate or EMS without prompting the user to accept connection. When enabled, no end user interaction is required to get the client to connect to FortiGate or EMS.

Boolean value: [0 | 1]

This XML setting is intended to be used with <disable_unregister>.

0

<notify_fgt_on_logoff>

Notify FortiGate or EMS when the FortiClient endpoint detects that a user logs off. When this setting is configured as 0, no message is sent to FortiGate or EMS. When this setting is configured as 1, a message is sent to FortiGate or EMS.

Boolean value: [0 | 1]

<fgt_list>

Encrypted list of remembered FortiGate or EMS units. Do not edit this field.

You can safely delete this field.

<send_software_inventory>

Enable sending software inventory reports to EMS.

Boolean value: [0 | 1]

1

<onnet_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's IP address matches the specified IP address, it is considered on-fabric.

<onnet_mac_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's MAC address matches the specified MAC address, it is considered on-fabric.

<onnet_rules> elements

Configure rule sets to determine endpoint on-/off-fabric status. The endpoint must satisfy all rules within a rule set to be determined as on-fabric. An endpoint only needs to satisfy one rule set to be considered on-fabric. See On-fabric Detection Rules.

Use the <criterion id> element as shown in the sample code to configure multiple criteria for each rule type.

<dhcp_server>

The endpoint is considered as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. Use the following subelements:

  • <dhcp_code>
  • <ip_address>
  • <mac_address>

<dns_server>

The endpoint is considered as satisfying the rule if it is connected to a DNS server that matches the specified configuration. Use the following subelements:

  • <ip_address>
  • <mac_address>

<ems_connection>

The endpoint is considered as satisfying the rule if it is online with EMS. Configure this element as follows:

<ems_connection>

<online_status>Online with EMS</online_status>

</ems_connection>

<local_ip>

The endpoint is considered as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if configured. Configuring the MAC address is optional. Use the following subelements:

  • <ip_address>
  • <mac_address>

<gateway>

The endpoint is considered as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if configured. Configuring the MAC address is optional. Use the following subelements:

  • <ip_address>
  • <mac_address>

<ping_server>

The endpoint is considered as satisfying the rule if it can access the server at the specified IP address. Use the <ip_address> subelement.

<public_ip>

The endpoint is considered as satisfying the rule if its public (WAN) IP address matches the one specified. Use the <ip_address> subelement.

<connection_media>

The endpoint is considered as satisfying the rule if its network settings match all configured fields. Use the <wifi_ssid> and <ethernet> subelements as the sample code shows. When using the Ethernet rule, you must add at least one network identification rule.

<vpn>

The endpoint is considered as satisfying the rule if its VPN settings match all configured fields. Use the <tunnel_name> subelement as the sample code shows.

<ui> elements

<display_antivirus>

Display the Malware Protection tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_sandbox>

Display the Sandbox Detection tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_webfilter>

Display the Web Filter tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_firewall>

Display the Application Firewall tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_vpn>

Display the Remote Access tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_vulnerability_scan>

Display the Vulnerability Scan tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_ztna>

Display the ZTNA Connection Rules tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_compliance>

This tag is not used in FortiClient 5.6.0 and newer versions.

Display the Compliance tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in FortiClient.

<hide_compliance_warning>

Hide the compliance enforcement feature message from the Fabric Telemetry tab. This option is only enforced on FortiClient endpoints connected to EMS. This option does not apply to monitored clients.

Boolean value: [0 | 1]

1

<alerts> elements

<notify_server>

Enable FortiClient to send alerts to FortiClient EMS.

Boolean value: [0 | 1]. When enabled, FortiClient sends alerts to FortiClient EMS. The priority of alerts sent by FortiClient depends on the <alert_threshold> setting.

1

<alert_threshold>

Configures the threshold of alerts FortiClient sends to EMS. Enter one of the following:

  • 1: High priority alerts
  • 3: Medium priority alerts
  • 5: Low priority alerts

1

<fortigates> elements

This is a list of FortiGates that immediately appears in the FortiClient console. The client is capable of connecting with them if they are online. If <endpoint_control><silent_registration> is set to 1, the client attempts to silently connect. The list is in priority order.

<fortigate>

This element (with its child elements) repeats for each FortiGate that should appear in FortiClient's console interface.

<serial_number>

(Optional] The FortiGate's serial number. Displays to the end user. It may be updated with the real serial number from the FortiGate that the client connects with.

<name>

(Optional] The FortiGate's name. Displays to the end user. It may be updated with the real name from the FortiGate that the client connects with.

<registration_password>

When FortiClient registers/connects to FortiGate and Enable Registration Key for FortiClient is enabled on the FortiGate, configure the password in the <registration_password> XML setting. The <registration_password> element contains the registration password (encrypted or plain text) required to register to the FortiGate units listed in <endpoint_control><fortigates><fortigate><addresses>

When FortiClient registers/connects to EMS and EMS requires a connection key, configure the password in the <registration_password> XML setting. The <registration_password> element contains the connection key required to register to the EMS listed in <endpoint_control><notification_server><addresses>.

The element is not needed when FortiGate or EMS does not require a password

<addresses>

The FortiGate that appears in the console can be a list of FortiGate addresses. FortiClient attempts to connect to the first FortiGate listed here.

A "redundancy list" of FortiGate IP:port pairs that represent this FortiGate. The list must have at least one FortiGate IP:port pair. Multiple FortiGate IP:port pairs are delimited with a semicolon.

Both IP addresses and FQDN are permitted. The list is in priority order.

If Enable Registration Key for FortiClient is enabled on the FortiGate, configure the IP address or FQDN of the FortiGate in the FortiClient <addresses> XML setting.

<local_subnets_only>

Boolean value: [0 | 1]

0

<notification_server>

Enable EMS to manage FortiClient after FortiClient connects to the FortiGate IP address and port numbers specified by EMS. Configure the EMS IP address.

<nac> elements

This element (with its child elements) specifies up to three compliance rules for network access control (NAC). When an endpoint configuration does not comply with all compliance rules configured in the <nac> elements, non-compliance is triggered, and network access might be blocked. For information about how compliance rules work, see the FortiClient Administration Guide. Compliance rules apply only when FortiClient is connected to FortiGate. When FortiClient is not connected to FortiGate, compliance rules are not used. You can configure none, one, or all three compliance rules.

<processes>

(Optional) Create a policy for an application and its signature.

<process>

Identify an application name and its signature. This element should be repeated for each unique application name.

<process id="" name="" rule="">

ID of this process entry and name of the application that is associated with the signatures, for example, <process id="1" name="MS Word">. Also shows whether FortiGate compliance rules require this process to be present or absent on the endpoint.

<signature name="" />

Identify the application name and signature. Repeat this element for different versions of the same application.

<files>

(Optional) Create a policy for a file and path. The policy is compliant when the file can be found.

<path id=""/>

ID of this path entry. Identify the path of the file for the policy. Repeat this element for each unique file path.

<registry>

(Optional) Create a policy for a registry key or value.

<path id=""/>

ID of this path entry. Identify the registry key or value. When the path ends with a forward slash (/), it identifies a key. When the path ends without a forward slash, it identifies a registry value.

When you disable <ui> elements from displaying in the FortiClient console, the modules are still installed as part of the FortiClient installation. To configure a VPN-only installation, you can use FortiClient EMS. When selecting VPN only, all other modules are not part of the FortiClient installation.

The <fortigate> element is used to define the FortiGates in a roaming (or redundant) FortiGate configuration. One or more <fortigate> elements may be provided within <fortigates>.

Endpoint control

Endpoint control

FortiClient usually downloads endpoint control configuration elements from FortiClient EMS after FortiClient connects to FortiClient EMS. There are two sections:

  • The <endpoint_control></endpoint_control> XML tags contain general endpoint control attributes.
  • Configuration details relating to specific FortiClient services, such as AV, Web Filter, Application Firewall, Vulnerability Scan, and so on. You can find these in the respective configuration elements of the services affected.

The following lists general endpoint control attributes:

<forticlient_configuration>

<endpoint_control>

<checksum></checksum>

<enabled>1</enabled>

<socket_connect_timeouts>1:5</socket_connect_timeouts>

<system_data>Encrypted_String</system_data>

<disable_unregister>0</disable_unregister>

<disable_fgt_switch>1</disable_fgt_switch>

<ping_server>172.17.61.178:8010</ping_server>

<fgt_name>FG_Hostname</fgt_name>

<fgt_sn>Encrypted_Serial_Number_String</fgt_sn>

<offnet_update>1</offnet_update>

<user>Encrypted_UsernameString</user>

<skip_confirmation>0</skip_confirmation>

<fgt_logoff_on_fct_shutdown>1</fgt_logoff_on_fct_shutdown>

<show_bubble_notifications>1</show_bubble_notifications>

<avatar_enabled>1</avatar_enabled>

<silent_registration>0</silent_registration>

<notify_fgt_on_logoff>1</notify_fgt_on_logoff>

<fgt_list>Enc256828d1e23febfa0b789324ea1fc9cf45acdc8af3888e7aa26677825bbf8d5d123fcbc2884f3cb3f2a03b5414ab01e6a6c22762add0c4f209224f052dec29491e1d15eee4a1a290a81b367c3d4a5251258ed14921e231547f52d9e3</fgt_list>

<send_software_inventory>1</send_software_inventory>

<onnet_addresses></onnet_addresses>

<onnet_mac_addresses></onnet_mac_addresses>

<onnet_rules>

<rule_set>

<dhcp_server>

<dhcp_code>

<criterion id="0">123456</criterion>

<criterion id="1">abcdef</criterion>

</dhcp_code>

</dhcp_server>

<local_ip>

<ip_address>

<criterion id="2">1234:abc:abcd:0012::0/64</criterion>

<criterion id="3">2.2.2.2/3</criterion>

</ip_address>

<mac_address>

<criterion id="4">11-11-11-11-11-11</criterion>

<criterion id="5">22-22-22-22-22-22</criterion>

</mac_address>

</local_ip>

</rule_set>

<rule_set>

<connection_media>

<wifi_ssid>

<criterion id="6">STAFF-NETWORK, WPA3</criterion>

</wifi_ssid>

<ethernet>

<criterion id="10">Connected</criterion>

</ethernet>

</connection_media>

<local_ip>

<ip_address>

<criterion id="7">1.1.1.1-2.2.2.2</criterion>

</ip_address>

<mac_address>

<criterion id="8">33-33-33-33-33-33</criterion>

</mac_address>

</local_ip>

<vpn>

<tunnel_name>

<criterion id="9">SSLVPN_VAN</criterion>

</tunnel_name>

</vpn>

</rule_set>

</onnet_rules>

<ui>

<display_antivirus>1</display_antivirus>

<display_sandbox>1</display_sandbox>

<display_webfilter>1</display_webfilter>

<display_firewall>1</display_firewall>

<display_vpn>1</display_vpn>

<display_vulnerability_scan>1</display_vulnerability_scan>

<display_ztna>1</display_ztna>

<display_compliance>1</display_compliance>

<hide_compliance_warning>0</hide_compliance_warning>

</ui>

<alerts>

<notify_server>1</notify_server>

<alert_threshold>1</alert_threshold>

</alerts>

<fortigates>

<fortigate>

<serial_number></serial_number>

<name></name>

<registration_password></registration_password>

<addresses></addresses>

</fortigate>

</fortigates>

<notification_server>

<address>172.17.60.26:8013</address>

</notification_server>

<nac>

<processes>

<process id="1" name="MS Word" rule="present">

<signature name="processname.exe">SHA256 of file</signature>

<signature name="processname.exe">SHA256 of file</signature>

</process>

<process id="2" name="FortiToken" rule="absent">

<signature name="processname2.exe"/>

</process>

</processes>

<files>

<path id="1">Path to folder/file</path>

<path id="2">Path to folder/file</path>

</files>

<registry>

<path id="1">path to 32bit or 64bit registry key or value</path>

<path id="2">path to 32bit or 64bit registry key or value</path>

</registry>

</nac>

</endpoint_control>

</forticlient_configuration>

The following table provides the XML tags for endpoint control, as well as descriptions and default values where applicable.

XML tag

Description

Default value

<checksum>

Configuration checksum calculated on and enforced by FortiGate and EMS.

<enabled>

Enable endpoint control.

<system_data>

Endpoint control system information. This element is protected and not intended to be changed.

<socket_connect_timeouts>

Probe timeout for endpoint control registration and keep-alive message timeout in seconds.

probe_timeout:keep_alive_timeout

Changing socket connect time outs may affect performance.

1:5

<ping_server>

Ping server's IP address or FQDN.

FortiClient updates this tag when it connects to FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_name>

The FortiGate hostname or EMS that FortiClient is currently connected to, if any.

FortiClient updates this tag when it connects to the FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_sn>

The connected FortiGate or EMS's encrypted serial number, if any. Do not edit this field.

You can safely delete this field.

<offnet_update>

Enable synchronization of configuration updates from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<user>

Encrypted username.

<skip_confirmation>

Skip prompting the user before proceeding to complete connection with FortiGate or EMS.

Boolean value: [0 | 1]

0

<disable_unregister>

Prevent a connected client from being able to disconnect after successfully connecting to FortiGate or EMS.

Boolean value: [0 | 1]

When this setting is configured as 1, the FortiClient user is unable to disconnect from the FortiGate or EMS after initial registration. This XML setting is intended to be used with <silent_registration>. If Enable Registration Key for FortiClient is enabled on FortiGate or EMS, configure this password in the <registration_password> XML tag, and enter the IP address or addresses of the FortiGate or EMS in the <addresses> XML tag.

0

<disable_fgt_switch>

Disable the FortiGate switch.

Boolean value: [0 | 1]

This XML setting is intended for use with <silent_registration> and <disable_unregister>. If Enable Registration Key for FortiClient is enabled on the FortiGate, configure this password in the <registration_password> XML tag and enter the IP address or addresses of the FortiGate in the <addresses> XML tag.

When <disable_fgt_switch> is configured as 1, the FortiGate switch is disabled. As a result:

  • FortiClient does not probe the default gateway.
  • FortiClient does not automatically connect to the default gateway.
  • FortiClient ignores FortiGate broadcasts.
  • The discovered list displays only predefined FortiGate devices, if discovered.

<fgt_logoff_on_fct_shutdown>

Notify FortiGate or EMS when FortiClient is shut down.

Boolean value: [0 | 1]

1

<show_bubble_notification>

Show notifications in the system tray when a configuration update is received from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<avatar_enabled>

Control whether FortiClient sends the user avatar to EMS and the FortiGate.

Boolean value: [0 | 1]

1

<silent_registration>

Connect to the FortiGate or EMS without prompting the user to accept connection. When enabled, no end user interaction is required to get the client to connect to FortiGate or EMS.

Boolean value: [0 | 1]

This XML setting is intended to be used with <disable_unregister>.

0

<notify_fgt_on_logoff>

Notify FortiGate or EMS when the FortiClient endpoint detects that a user logs off. When this setting is configured as 0, no message is sent to FortiGate or EMS. When this setting is configured as 1, a message is sent to FortiGate or EMS.

Boolean value: [0 | 1]

<fgt_list>

Encrypted list of remembered FortiGate or EMS units. Do not edit this field.

You can safely delete this field.

<send_software_inventory>

Enable sending software inventory reports to EMS.

Boolean value: [0 | 1]

1

<onnet_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's IP address matches the specified IP address, it is considered on-fabric.

<onnet_mac_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's MAC address matches the specified MAC address, it is considered on-fabric.

<onnet_rules> elements

Configure rule sets to determine endpoint on-/off-fabric status. The endpoint must satisfy all rules within a rule set to be determined as on-fabric. An endpoint only needs to satisfy one rule set to be considered on-fabric. See On-fabric Detection Rules.

Use the <criterion id> element as shown in the sample code to configure multiple criteria for each rule type.

<dhcp_server>

The endpoint is considered as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. Use the following subelements:

  • <dhcp_code>
  • <ip_address>
  • <mac_address>

<dns_server>

The endpoint is considered as satisfying the rule if it is connected to a DNS server that matches the specified configuration. Use the following subelements:

  • <ip_address>
  • <mac_address>

<ems_connection>

The endpoint is considered as satisfying the rule if it is online with EMS. Configure this element as follows:

<ems_connection>

<online_status>Online with EMS</online_status>

</ems_connection>

<local_ip>

The endpoint is considered as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if configured. Configuring the MAC address is optional. Use the following subelements:

  • <ip_address>
  • <mac_address>

<gateway>

The endpoint is considered as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if configured. Configuring the MAC address is optional. Use the following subelements:

  • <ip_address>
  • <mac_address>

<ping_server>

The endpoint is considered as satisfying the rule if it can access the server at the specified IP address. Use the <ip_address> subelement.

<public_ip>

The endpoint is considered as satisfying the rule if its public (WAN) IP address matches the one specified. Use the <ip_address> subelement.

<connection_media>

The endpoint is considered as satisfying the rule if its network settings match all configured fields. Use the <wifi_ssid> and <ethernet> subelements as the sample code shows. When using the Ethernet rule, you must add at least one network identification rule.

<vpn>

The endpoint is considered as satisfying the rule if its VPN settings match all configured fields. Use the <tunnel_name> subelement as the sample code shows.

<ui> elements

<display_antivirus>

Display the Malware Protection tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_sandbox>

Display the Sandbox Detection tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_webfilter>

Display the Web Filter tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_firewall>

Display the Application Firewall tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_vpn>

Display the Remote Access tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_vulnerability_scan>

Display the Vulnerability Scan tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_ztna>

Display the ZTNA Connection Rules tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_compliance>

This tag is not used in FortiClient 5.6.0 and newer versions.

Display the Compliance tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in FortiClient.

<hide_compliance_warning>

Hide the compliance enforcement feature message from the Fabric Telemetry tab. This option is only enforced on FortiClient endpoints connected to EMS. This option does not apply to monitored clients.

Boolean value: [0 | 1]

1

<alerts> elements

<notify_server>

Enable FortiClient to send alerts to FortiClient EMS.

Boolean value: [0 | 1]. When enabled, FortiClient sends alerts to FortiClient EMS. The priority of alerts sent by FortiClient depends on the <alert_threshold> setting.

1

<alert_threshold>

Configures the threshold of alerts FortiClient sends to EMS. Enter one of the following:

  • 1: High priority alerts
  • 3: Medium priority alerts
  • 5: Low priority alerts

1

<fortigates> elements

This is a list of FortiGates that immediately appears in the FortiClient console. The client is capable of connecting with them if they are online. If <endpoint_control><silent_registration> is set to 1, the client attempts to silently connect. The list is in priority order.

<fortigate>

This element (with its child elements) repeats for each FortiGate that should appear in FortiClient's console interface.

<serial_number>

(Optional] The FortiGate's serial number. Displays to the end user. It may be updated with the real serial number from the FortiGate that the client connects with.

<name>

(Optional] The FortiGate's name. Displays to the end user. It may be updated with the real name from the FortiGate that the client connects with.

<registration_password>

When FortiClient registers/connects to FortiGate and Enable Registration Key for FortiClient is enabled on the FortiGate, configure the password in the <registration_password> XML setting. The <registration_password> element contains the registration password (encrypted or plain text) required to register to the FortiGate units listed in <endpoint_control><fortigates><fortigate><addresses>

When FortiClient registers/connects to EMS and EMS requires a connection key, configure the password in the <registration_password> XML setting. The <registration_password> element contains the connection key required to register to the EMS listed in <endpoint_control><notification_server><addresses>.

The element is not needed when FortiGate or EMS does not require a password

<addresses>

The FortiGate that appears in the console can be a list of FortiGate addresses. FortiClient attempts to connect to the first FortiGate listed here.

A "redundancy list" of FortiGate IP:port pairs that represent this FortiGate. The list must have at least one FortiGate IP:port pair. Multiple FortiGate IP:port pairs are delimited with a semicolon.

Both IP addresses and FQDN are permitted. The list is in priority order.

If Enable Registration Key for FortiClient is enabled on the FortiGate, configure the IP address or FQDN of the FortiGate in the FortiClient <addresses> XML setting.

<local_subnets_only>

Boolean value: [0 | 1]

0

<notification_server>

Enable EMS to manage FortiClient after FortiClient connects to the FortiGate IP address and port numbers specified by EMS. Configure the EMS IP address.

<nac> elements

This element (with its child elements) specifies up to three compliance rules for network access control (NAC). When an endpoint configuration does not comply with all compliance rules configured in the <nac> elements, non-compliance is triggered, and network access might be blocked. For information about how compliance rules work, see the FortiClient Administration Guide. Compliance rules apply only when FortiClient is connected to FortiGate. When FortiClient is not connected to FortiGate, compliance rules are not used. You can configure none, one, or all three compliance rules.

<processes>

(Optional) Create a policy for an application and its signature.

<process>

Identify an application name and its signature. This element should be repeated for each unique application name.

<process id="" name="" rule="">

ID of this process entry and name of the application that is associated with the signatures, for example, <process id="1" name="MS Word">. Also shows whether FortiGate compliance rules require this process to be present or absent on the endpoint.

<signature name="" />

Identify the application name and signature. Repeat this element for different versions of the same application.

<files>

(Optional) Create a policy for a file and path. The policy is compliant when the file can be found.

<path id=""/>

ID of this path entry. Identify the path of the file for the policy. Repeat this element for each unique file path.

<registry>

(Optional) Create a policy for a registry key or value.

<path id=""/>

ID of this path entry. Identify the registry key or value. When the path ends with a forward slash (/), it identifies a key. When the path ends without a forward slash, it identifies a registry value.

When you disable <ui> elements from displaying in the FortiClient console, the modules are still installed as part of the FortiClient installation. To configure a VPN-only installation, you can use FortiClient EMS. When selecting VPN only, all other modules are not part of the FortiClient installation.

The <fortigate> element is used to define the FortiGates in a roaming (or redundant) FortiGate configuration. One or more <fortigate> elements may be provided within <fortigates>.