DOCUMENT LIBRARY

Administration Guide

Introduction
- FortiClient, FortiClient EMS, and FortiGate
- Fortinet product support for FortiClient
- FortiClient standalone and licensed version feature comparison
- Endpoint communication security
  - Recommended upgrade path
Getting started
- Getting started with FortiClient
- EMS and endpoint profiles
- Telemetry connection options
- EMS and automatic upgrade of FortiClient
Provisioning preparation
- Installation requirements
- Licensing
- Required services and ports
- Firmware images and tools
- Obtaining FortiClient installation files
Provisioning
- Manually installing FortiClient on computers
- Centralized FortiClient deployment
  - FortiClient EMS
  - Deploying FortiClient using Microsoft AD servers
    - Deploying FortiClient with Microsoft AD
    - Uninstalling FortiClient with Microsoft AD
- Uninstalling FortiClient
- Upgrading FortiClient
- Verifying ports and services and connection between EMS and FortiClient
User details
- Viewing user details
- Retrieving user details from cloud applications
- Adding your phone number and email address manually
- Specifying the user avatar manually
- User Profile notification
Zero Trust Telemetry
- FortiClient Telemetry
- Compliance with EMS and FortiOS
- On-/off-fabric status with EMS
  - Logging to FortiAnalyzer
- Quarantined endpoints
Remote Access
- Configuring VPN connections
  - Configuring an SSL VPN connection
  - Configuring an IPsec VPN connection
- Connecting VPNs
- SAML support for SSL VPN
- Advanced features (Windows)
- Advanced features (macOS)
  - Creating redundant IPsec VPNs
  - Creating priority-based SSL VPN connections
- VPN tunnel and script
  - Windows
  - macOS
- Internal resource lookup with IPv6 enabled on NIC interface
- Standalone VPN client
ZTNA Destination
Malware Protection
- Antivirus
- Cloud Based Malware Protection
- AntiExploit
  - Viewing detected exploit attempts
  - Evaluating the anti-exploit detection feature
- Removable media access
- Antiransomware
- Quarantined files
  - Viewing quarantined files
  - Submitting quarantined files for scanning
Sandbox Detection
- Scanning with FortiSandbox on-demand
- Viewing FortiSandbox scan results
- Using the popup window
Web & Video Filter
- Web browser plugin for HTTPS web filtering
- Viewing violations
- Troubleshooting Web Filter
Application Firewall
Vulnerability Scan
- Scanning on-demand
- Automatically fixing detected vulnerabilities
- Reviewing detected vulnerabilities before fixing
- Manually fixing detected vulnerabilities
- Viewing details about vulnerabilities
- Viewing vulnerability scan history
Notifications
Settings
- System
- Logging
  - Sending logs and Windows host events to FortiAnalyzer or FortiManager
  - Exporting the log file
- VPN options
- Advanced options
- FortiPAM agent client executable integrity check
- FortiTray
Diagnostic Tool
Forensic analysis
Appendix A - API
- Overview
- API reference
Appendix B - Vulnerability patches
Appendix C - Processes
- FortiClient (Windows) processes
- FortiClient (macOS) processes
Appendix D - CLI commands
- FortiClient (Windows) CLI commands
- FortiClient (macOS) CLI commands
- FortiClient (Linux) CLI commands
Appendix E - VPN autoconnect
- Configuring autoconnect with username and password authentication
- Configuring autoconnect with certificate authentication
Appendix F - SSL VPN prelogon
- SSL VPN prelogon using AD machine certificate
- FortiGate authentication configuration
- FortiGate SSL VPN configuration
- Enabling VPN prelogon in EMS
- Enabling automatic VPN prelogon in EMS
  - Configuring VPN to automatically connect before logon
  - Verifying and troubleshooting
- Troubleshooting the prelogon SSL VPN connection

Home FortiClient 7.2.6 Administration Guide

7.2.6

Configuring and applying a Remote Access profile

To configure a Remote Access profile on EMS:

In EMS, go to Endpoint Profiles > Remote Access. Click +Add to create a new profile.
For Name, enter Machine-VPN
In Advanced view, under General, enable Show VPN before Logon.
Under SSL VPN, enable Enable Invalid Server Certificate Warning.

Create the VPN tunnel:

Under VPN Tunnels, click +Add Tunnel.
In the VPN tunnel wizard, do the following:
Select the VPN Type Manual, then click Next.

Under Basic Settings, set the following values:

Field	Value/configuration
Name	machine-cert-tunnel
Type	SSL VPN
Remote Gateway	fgt.ztnademo.com/pki-ldap-machine fgt.ztnademo.com resolves to 10.0.3.254. /pki-ldap-machine is the realm used for this VPN.
Port	10443
Require Certificate	Enable
Prompt for Username	Disable

Under Advanced Settings, enable Allow Non-Administrators to Use Machine Certificates.
Click Save to save the tunnel.

Click Save to save the Remote Access profile.
In XML view, click Edit.
Locate the machine-cert-tunnel connection. Under this connection, set the following settings:
<machine>1</machine>
<keep_running>1</keep_running>
Click Save.

To apply the Remote Access profile to an endpoint policy:

From Endpoint Policy & Components > Manage Policies, select the policy that is being applied to your endpoint, and click Edit.
Under Profile, change the VPN selection to Machine-VPN.
Click Save.

Configuring and applying a Remote Access profile

To configure a Remote Access profile on EMS:

In EMS, go to Endpoint Profiles > Remote Access. Click +Add to create a new profile.
For Name, enter Machine-VPN
In Advanced view, under General, enable Show VPN before Logon.
Under SSL VPN, enable Enable Invalid Server Certificate Warning.

Create the VPN tunnel:

Under VPN Tunnels, click +Add Tunnel.
In the VPN tunnel wizard, do the following:
Select the VPN Type Manual, then click Next.

Under Basic Settings, set the following values:

Field	Value/configuration
Name	machine-cert-tunnel
Type	SSL VPN
Remote Gateway	fgt.ztnademo.com/pki-ldap-machine fgt.ztnademo.com resolves to 10.0.3.254. /pki-ldap-machine is the realm used for this VPN.
Port	10443
Require Certificate	Enable
Prompt for Username	Disable

Under Advanced Settings, enable Allow Non-Administrators to Use Machine Certificates.
Click Save to save the tunnel.

Click Save to save the Remote Access profile.
In XML view, click Edit.
Locate the machine-cert-tunnel connection. Under this connection, set the following settings:
<machine>1</machine>
<keep_running>1</keep_running>
Click Save.

To apply the Remote Access profile to an endpoint policy:

From Endpoint Policy & Components > Manage Policies, select the policy that is being applied to your endpoint, and click Edit.
Under Profile, change the VPN selection to Machine-VPN.
Click Save.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Configuring and applying a Remote Access profile

Configuring and applying a Remote Access profile

To configure a Remote Access profile on EMS:

To apply the Remote Access profile to an endpoint policy:

Configuring and applying a Remote Access profile

Configuring and applying a Remote Access profile

To configure a Remote Access profile on EMS:

To apply the Remote Access profile to an endpoint policy: