Administration Guide

Introduction
- FortiClient, FortiClient EMS, and FortiGate
- Fortinet product support for FortiClient
- FortiClient standalone and licensed version feature comparison
- Endpoint communication security
  - Recommended upgrade path
Getting started
- Getting started with FortiClient
- EMS and endpoint profiles
- Telemetry connection options
- EMS and automatic upgrade of FortiClient
Provisioning preparation
- Installation requirements
- Licensing
- Required services and ports
- Firmware images and tools
- Obtaining FortiClient installation files
Provisioning
- Manually installing FortiClient on computers
- Centralized FortiClient deployment
  - FortiClient EMS
  - Deploying FortiClient using Microsoft AD servers
    - Deploying FortiClient with Microsoft AD
    - Uninstalling FortiClient with Microsoft AD
- Uninstalling FortiClient
- Upgrading FortiClient
- Verifying ports and services and connection between EMS and FortiClient
User details
- Viewing user details
- Retrieving user details from cloud applications
- Adding your phone number and email address manually
- Specifying the user avatar manually
- User Profile notification
Zero Trust Telemetry
- FortiClient Telemetry
- Compliance with EMS and FortiOS
- On-/off-fabric status with EMS
  - Logging to FortiAnalyzer
- Quarantined endpoints
Remote Access
- Configuring VPN connections
  - Configuring an SSL VPN connection
  - Configuring an IPsec VPN connection
- Connecting VPNs
- SAML support for SSL VPN
- Advanced features (Windows)
- Advanced features (macOS)
  - Creating redundant IPsec VPNs
  - Creating priority-based SSL VPN connections
- VPN tunnel and script
  - Windows
  - macOS
- Internal resource lookup with IPv6 enabled on NIC interface
- Standalone VPN client
ZTNA Destination
Malware Protection
- Antivirus
- Cloud Based Malware Protection
- AntiExploit
  - Viewing detected exploit attempts
  - Evaluating the anti-exploit detection feature
- Removable media access
- Antiransomware
- Quarantined files
  - Viewing quarantined files
  - Submitting quarantined files for scanning
Sandbox Detection
- Scanning with FortiSandbox on-demand
- Viewing FortiSandbox scan results
- Using the popup window
Web & Video Filter
- Web browser plugin for HTTPS web filtering
- Viewing violations
- Troubleshooting Web Filter
Application Firewall
Vulnerability Scan
- Scanning on-demand
- Automatically fixing detected vulnerabilities
- Reviewing detected vulnerabilities before fixing
- Manually fixing detected vulnerabilities
- Viewing details about vulnerabilities
- Viewing vulnerability scan history
Notifications
Settings
- System
- Logging
  - Sending logs and Windows host events to FortiAnalyzer or FortiManager
  - Exporting the log file
- VPN options
- Advanced options
- FortiPAM agent client executable integrity check
- FortiTray
Diagnostic Tool
Forensic analysis
Appendix A - API
- Overview
- API reference
Appendix B - Vulnerability patches
Appendix C - Processes
- FortiClient (Windows) processes
- FortiClient (macOS) processes
Appendix D - CLI commands
- FortiClient (Windows) CLI commands
- FortiClient (macOS) CLI commands
- FortiClient (Linux) CLI commands
Appendix E - VPN autoconnect
- Configuring autoconnect with username and password authentication
- Configuring autoconnect with certificate authentication
Appendix F - SSL VPN prelogon
- SSL VPN prelogon using AD machine certificate
- FortiGate authentication configuration
- FortiGate SSL VPN configuration
- Enabling VPN prelogon in EMS
- Enabling automatic VPN prelogon in EMS
  - Configuring VPN to automatically connect before logon
  - Verifying and troubleshooting
- Troubleshooting the prelogon SSL VPN connection

Home FortiClient 7.2.4 Administration Guide

7.2.4

Required services and ports

You must enable required ports and services for use by FortiClient and its associated applications on your server. The required ports and services enable FortiClient to communicate with servers running associated applications.

Communication	Usage	Protocol	Port	Incoming/outgoing	How to customize
FortiClient Telemetry	Endpoint management (on-premise EMS), participation in the Fortinet Security Fabric	TCP	8013	Outgoing	GUI
SYSLOG	Upload logs to syslog server	UDP	514	Outgoing	N/A
FortiSandbox	Send files to FortiSandbox for analysis	TCP	514	Outgoing	N/A
Remote access - SSL VPN	Establish VPN connection to the FortiGate	TCP	443 (default)	Outgoing	GUI
FortiAnalyzer/FortiManager	Upload logs and Windows host events to FortiAnalyzer or FortiManager	TCP	514	Outgoing	N/A
Remote access - IPsec VPN	Establish VPN connection to the FortiGate	UDP	IKE 500 ESP (IP 50) NAT-T 4500	Outgoing	N/A
FortiAuthenticator/FortiGate	Single sign on (SSO) mobility agent, FortiClient SSO	TCP	8001 (default)	Outgoing	GUI
FortiManager	Use FortiManager for FortiClient software and signature updates	TCP	80 (default)	Outgoing	GUI
SMTP/FortiGuard	Virus submission	TCP	25	Outgoing	N/A
FortiPAM	Use FortiPAM for privilege access management	TCP	9191	Outgoing	N/A
FortiGuard	Cloud-based malware detection	TCP	8888	Outgoing	N/A

FortiClient can also connect to FortiClient Cloud instead of on-premise EMS for endpoint management. The following table summarizes required services for FortiClient to communicate with FortiClient Cloud:

Usage	Server URL	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient Cloud connection	forticlient-emsproxy.forticloud.com forticlient.forticloud.com	TCP	443 (default)	Outgoing

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Cloud connection

forticlient-emsproxy.forticloud.com

forticlient.forticloud.com

TCP

443 (default)

Outgoing

FortiClient connects to FortiGuard to query for URL ratings for Web Filter and to download AV and vulnerability scan engine and signature updates. FortiClient can connect to legacy FortiGuard or FortiGuard Anycast. The EMS administrator configures FortiGuard server options. See Web Filter and System Settings. The following table summarizes required services for FortiClient to communicate with FortiGuard:

Usage	Server URL			Protocol	Port	Incoming/Outgoing	How to customize
Usage	Global	U.S.	Europe	Protocol	Port	Incoming/Outgoing	How to customize
URL rating with FortiGuard Anycast	fctguard.fortinet.net	fctusguard.fortinet.net	fcteuguard.fortinet.net	TCP	443	Outgoing	N/A The EMS administrator can configure Web Filter to use Anycast or legacy FortiGuard servers. See Web Filter.
URL rating with FortiGuard (legacy)	fgd1.fortigate.com	usfgd1.fortigate.com	N/A	UDP	8888 (default)	Outgoing	N/A The EMS administrator can configure Web Filter to use Anycast or legacy FortiGuard servers. See Web Filter.
AV/vulnerability signature update	forticlient.fortinet.net myforticlient.fortinet.net	usforticlient.fortinet.net	N/A	TCP	80	Outgoing	N/A
AV/vulnerability signature updates with FortiGuard Anycast	fctupdate.fortinet.net	fctusupdate.fortinet.net	fcteuupdate.fortinet.net	TCP	443	Outgoing	N/A

FortiClient can also connect to FortiClient Cloud Sandbox (SaaS) for integration with FortiSandbox. The following table summarizes required services for FortiClient to communicate with FortiClient Cloud Sandbox (SaaS):

Usage	Server URL	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient Cloud Sandbox (SaaS) connection	aptctrl1.fortinet.com aptctrl1.fortinet.com sends a list of Sandbox server addresses to FortiClient. There are no fixed IP addresses, FQDNs, or ports for these servers. However, the returned port is usually 514.	TCP	443 (default)	Outgoing	N/A

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Cloud Sandbox (SaaS) connection

aptctrl1.fortinet.com

aptctrl1.fortinet.com sends a list of Sandbox server addresses to FortiClient. There are no fixed IP addresses, FQDNs, or ports for these servers. However, the returned port is usually 514.

TCP

443 (default)

Outgoing

N/A

FortiClient (iOS) and (Android) require the following access:

Usage	Server URL	Protocol	Port	Incoming/Outgoing	How to customize
Retrieve device public IP address	myforticlient.fortinet.net	TCP	443 (default)	Outgoing	N/A

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

Retrieve device public IP address

myforticlient.fortinet.net

TCP

443 (default)

Outgoing

N/A

For the list of required services and ports for EMS, see the FortiClient EMS Administration Guide.

Required services and ports

Communication	Usage	Protocol	Port	Incoming/outgoing	How to customize
FortiClient Telemetry	Endpoint management (on-premise EMS), participation in the Fortinet Security Fabric	TCP	8013	Outgoing	GUI
SYSLOG	Upload logs to syslog server	UDP	514	Outgoing	N/A
FortiSandbox	Send files to FortiSandbox for analysis	TCP	514	Outgoing	N/A
Remote access - SSL VPN	Establish VPN connection to the FortiGate	TCP	443 (default)	Outgoing	GUI
FortiAnalyzer/FortiManager	Upload logs and Windows host events to FortiAnalyzer or FortiManager	TCP	514	Outgoing	N/A
Remote access - IPsec VPN	Establish VPN connection to the FortiGate	UDP	IKE 500 ESP (IP 50) NAT-T 4500	Outgoing	N/A
FortiAuthenticator/FortiGate	Single sign on (SSO) mobility agent, FortiClient SSO	TCP	8001 (default)	Outgoing	GUI
FortiManager	Use FortiManager for FortiClient software and signature updates	TCP	80 (default)	Outgoing	GUI
SMTP/FortiGuard	Virus submission	TCP	25	Outgoing	N/A
FortiPAM	Use FortiPAM for privilege access management	TCP	9191	Outgoing	N/A
FortiGuard	Cloud-based malware detection	TCP	8888	Outgoing	N/A

Usage	Server URL	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient Cloud connection	forticlient-emsproxy.forticloud.com forticlient.forticloud.com	TCP	443 (default)	Outgoing

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Cloud connection

forticlient-emsproxy.forticloud.com

forticlient.forticloud.com

TCP

443 (default)

Outgoing

Usage	Server URL			Protocol	Port	Incoming/Outgoing	How to customize
Usage	Global	U.S.	Europe	Protocol	Port	Incoming/Outgoing	How to customize
URL rating with FortiGuard Anycast	fctguard.fortinet.net	fctusguard.fortinet.net	fcteuguard.fortinet.net	TCP	443	Outgoing	N/A The EMS administrator can configure Web Filter to use Anycast or legacy FortiGuard servers. See Web Filter.
URL rating with FortiGuard (legacy)	fgd1.fortigate.com	usfgd1.fortigate.com	N/A	UDP	8888 (default)	Outgoing	N/A The EMS administrator can configure Web Filter to use Anycast or legacy FortiGuard servers. See Web Filter.
AV/vulnerability signature update	forticlient.fortinet.net myforticlient.fortinet.net	usforticlient.fortinet.net	N/A	TCP	80	Outgoing	N/A
AV/vulnerability signature updates with FortiGuard Anycast	fctupdate.fortinet.net	fctusupdate.fortinet.net	fcteuupdate.fortinet.net	TCP	443	Outgoing	N/A

Usage	Server URL	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient Cloud Sandbox (SaaS) connection	aptctrl1.fortinet.com aptctrl1.fortinet.com sends a list of Sandbox server addresses to FortiClient. There are no fixed IP addresses, FQDNs, or ports for these servers. However, the returned port is usually 514.	TCP	443 (default)	Outgoing	N/A

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Cloud Sandbox (SaaS) connection

aptctrl1.fortinet.com

aptctrl1.fortinet.com sends a list of Sandbox server addresses to FortiClient. There are no fixed IP addresses, FQDNs, or ports for these servers. However, the returned port is usually 514.

TCP

443 (default)

Outgoing

N/A

FortiClient (iOS) and (Android) require the following access:

Usage	Server URL	Protocol	Port	Incoming/Outgoing	How to customize
Retrieve device public IP address	myforticlient.fortinet.net	TCP	443 (default)	Outgoing	N/A

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

Retrieve device public IP address

myforticlient.fortinet.net

TCP

443 (default)

Outgoing

N/A

For the list of required services and ports for EMS, see the FortiClient EMS Administration Guide.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Required services and ports

Required services and ports

Required services and ports

Required services and ports