Fortinet white logo
Fortinet white logo

Endpoint control

Endpoint control

FortiClient usually downloads endpoint control configuration elements from FortiClient EMS after FortiClient connects to FortiClient EMS. There are two sections:

  • The <endpoint_control></endpoint_control> XML tags contain general endpoint control attributes.
  • Configuration details relating to specific FortiClient services, such as antivirus, Web Filter, Application Firewall, Vulnerability Scan, and so on. You can find these in the respective configuration elements of the services affected.

The following lists general endpoint control attributes:

<forticlient_configuration>

<endpoint_control>

<checksum></checksum>

<enabled>1</enabled>

<socket_connect_timeouts>1:5</socket_connect_timeouts>

<system_data>Encrypted_String</system_data>

<disable_unregister>0</disable_unregister>

<invalid_cert_action>warn</invalid_cert_action>

<disable_fgt_switch>1</disable_fgt_switch>

<ping_server>172.17.61.178:8010</ping_server>

<fgt_name>FG_Hostname</fgt_name>

<fgt_sn>Encrypted_Serial_Number_String</fgt_sn>

<offnet_update>1</offnet_update>

<user>Encrypted_UsernameString</user>

<skip_confirmation>0</skip_confirmation>

<fgt_logoff_on_fct_shutdown>1</fgt_logoff_on_fct_shutdown>

<show_bubble_notifications>1</show_bubble_notifications>

<avatar_enabled>1</avatar_enabled>

<silent_registration>0</silent_registration>

<notify_fgt_on_logoff>1</notify_fgt_on_logoff>

<forensics_license>1</forensics_license>

<fgt_list>Enc256828d1e23febfa0b789324ea1fc9cf45acdc8af3888e7aa26677825bbf8d5d123fcbc2884f3cb3f2a03b5414ab01e6a6c22762add0c4f209224f052dec29491e1d15eee4a1a290a81b367c3d4a5251258ed14921e231547f52d9e3</fgt_list>

<send_software_inventory>1</send_software_inventory>

<onnet_addresses></onnet_addresses>

<onnet_mac_addresses></onnet_mac_addresses>

<onnet_rules>

<rule_set>

<dhcp_server>

<dhcp_code>

<criterion id="0">123456</criterion>

<criterion id="1">abcdef</criterion>

</dhcp_code>

</dhcp_server>

<local_ip>

<ip_address>

<criterion id="2">1234:abc:abcd:0012::0/64</criterion>

<criterion id="3">2.2.2.2/3</criterion>

</ip_address>

<mac_address>

<criterion id="4">11-11-11-11-11-11</criterion>

<criterion id="5">22-22-22-22-22-22</criterion>

</mac_address>

</local_ip>

</rule_set>

<rule_set>

<connection_media>

<wifi_ssid>

<criterion id="6">STAFF-NETWORK, WPA3</criterion>

</wifi_ssid>

<ethernet>

<criterion id="10">Connected</criterion>

</ethernet>

</connection_media>

<local_ip>

<ip_address>

<criterion id="7">1.1.1.1-2.2.2.2</criterion>

</ip_address>

<mac_address>

<criterion id="8">33-33-33-33-33-33</criterion>

</mac_address>

</local_ip>

<vpn>

<tunnel_name>

<criterion id="9">SSLVPN_VAN</criterion>

</tunnel_name>

</vpn>

</rule_set>

</onnet_rules>

<ui>

<display_antivirus>1</display_antivirus>

<display_sandbox>1</display_sandbox>

<display_webfilter>1</display_webfilter>

<display_firewall>1</display_firewall>

<display_vpn>1</display_vpn>

<display_vulnerability_scan>1</display_vulnerability_scan>

<display_ztna>1</display_ztna>

<display_compliance>1</display_compliance>

<hide_compliance_warning>0</hide_compliance_warning>

</ui>

<alerts>

<notify_server>1</notify_server>

<alert_threshold>1</alert_threshold>

</alerts>

<nac>

<processes>

<process id="1" name="MS Word" rule="present">

<signature name="processname.exe">SHA256 of file</signature>

<signature name="processname.exe">SHA256 of file</signature>

</process>

<process id="2" name="FortiToken" rule="absent">

<signature name="processname2.exe"/>

</process>

</processes>

<files>

<path id="1">Path to folder/file</path>

<path id="2">Path to folder/file</path>

</files>

<registry>

<path id="1">path to 32bit or 64bit registry key or value</path>

<path id="2">path to 32bit or 64bit registry key or value</path>

</registry>

</nac>

</endpoint_control>

</forticlient_configuration>

The following table provides the XML tags for endpoint control, as well as descriptions and default values where applicable:

XML tag

Description

Default value

<checksum>

Configuration checksum that FortiGate and EMS calculate and enforce.

<enabled>

Enable endpoint control.

<system_data>

Endpoint control system information. This element is protected and not intended to be changed.

<socket_connect_timeouts>

Probe timeout for endpoint control registration and keep-alive message timeout in seconds.

probe_timeout:keep_alive_timeout

Changing socket connect time outs may affect performance.

1:5

<ping_server>

Ping server's IP address or FQDN.

FortiClient updates this tag when it connects to FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_name>

The FortiGate hostname or EMS that FortiClient is currently connected to, if any.

FortiClient updates this tag when it connects to the FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_sn>

The connected FortiGate or EMS's encrypted serial number, if any. Do not edit this field.

You can safely delete this field.

<offnet_update>

Enable synchronization of configuration updates from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<user>

Encrypted username.

<skip_confirmation>

Skip prompting the user before proceeding to complete connection with FortiGate or EMS.

Boolean value: [0 | 1]

0

<disable_unregister>

Prevent a connected client from being able to disconnect after successfully connecting to FortiGate or EMS.

When this setting is configured as 1, the FortiClient user is unable to disconnect from the FortiGate or EMS after initial registration. This XML setting is intended to be used with <silent_registration>. If Enable Registration Key for FortiClient is enabled on FortiGate or EMS, configure this password in the <registration_password> XML tag, and enter the IP address or addresses of the FortiGate or EMS in the <addresses> XML tag.

Boolean value: [0 | 1]

0

<invalid_cert_action>

Configure the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

  • allow: allows FortiClient to connect to EMS with an invalid certificate.
  • warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
  • deny: block FortiClient from connecting to EMS with an invalid certificate.

When creating a new FortiClient installer on EMS, if EMS considers the certificate used for endpoint control invalid, the default action in the new installer is allow. The EMS administrator can modify this setting as desired.

Boolean value: [0 | 1]

<disable_fgt_switch>

Disable the FortiGate switch.

Boolean value: [0 | 1]

This XML setting is intended for use with <silent_registration> and <disable_unregister>. If Enable Registration Key for FortiClient is enabled on the FortiGate, configure this password in the <registration_password> XML tag and enter the IP address or addresses of the FortiGate in the <addresses> XML tag.

When <disable_fgt_switch> is configured as 1, the FortiGate switch is disabled. As a result:

  • FortiClient does not probe the default gateway.
  • FortiClient does not automatically connect to the default gateway.
  • FortiClient ignores FortiGate broadcasts.
  • The discovered list displays only predefined FortiGate devices, if discovered.

<fgt_logoff_on_fct_shutdown>

Notify FortiGate or EMS when FortiClient is shut down.

Boolean value: [0 | 1]

1

<show_bubble_notification>

Show notifications in the system tray when a configuration update is received from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<avatar_enabled>

Control whether FortiClient sends the user avatar to EMS and the FortiGate.

Boolean value: [0 | 1]

1

<silent_registration>

Connect to the FortiGate or EMS without prompting the user to accept connection. When enabled, no end user interaction is required to get the client to connect to FortiGate or EMS.

Boolean value: [0 | 1]

This XML setting is intended to be used with <disable_unregister>.

0

<notify_fgt_on_logoff>

Notify FortiGate or EMS when the FortiClient endpoint detects that a user logs off. When this setting is configured as 0, no message is sent to FortiGate or EMS. When this setting is configured as 1, a message is sent to FortiGate or EMS.

Boolean value: [0 | 1]

<forensics_license>

Enable the forensic analysis feature. You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team investigates the logs and provides a detailed report with their verdict. You can download the report from EMS.

Boolean value: [0 | 1]

<fgt_list>

Encrypted list of remembered FortiGate or EMS units. Do not edit this field.

You can safely delete this field.

<send_software_inventory>

Enable sending software inventory reports to EMS.

Boolean value: [0 | 1]

1

<onnet_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's IP address matches the specified IP address, it is considered on-fabric.

<onnet_mac_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's MAC address matches the specified MAC address, it is considered on-fabric.

<onnet_rules> elements

Configure rule sets to determine endpoint on-/off-fabric status. The endpoint must satisfy all rules within a rule set to be determined as on-fabric. An endpoint only needs to satisfy one rule set to be considered on-fabric. See On-fabric Detection Rules.

Use the <criterion id> element as shown in the sample code to configure multiple criteria for each rule type.

<dhcp_server>

The endpoint is considered as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. Use the following subelements:

  • <dhcp_code>
  • <ip_address>
  • <mac_address>

<dns_server>

The endpoint is considered as satisfying the rule if it is connected to a DNS server that matches the specified configuration. Use the following subelements:

  • <ip_address>
  • <mac_address>

<ems_connection>

The endpoint is considered as satisfying the rule if it is online with EMS. Configure this element as follows:

<ems_connection>

<online_status>Online with EMS</online_status>

</ems_connection>

<local_ip>

The endpoint is considered as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if configured. Configuring the MAC address is optional. Use the following subelements:

  • <ip_address>
  • <mac_address>

<gateway>

The endpoint is considered as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if configured. Configuring the MAC address is optional. Use the following subelements:

  • <ip_address>
  • <mac_address>

<ping_server>

The endpoint is considered as satisfying the rule if it can access the server at the specified IP address. Use the <ip_address> subelement.

<public_ip>

The endpoint is considered as satisfying the rule if its public (WAN) IP address matches the one specified. Use the <ip_address> subelement.

<connection_media>

The endpoint is considered as satisfying the rule if its network settings match all configured fields. Use the <wifi_ssid> and <ethernet> subelements as the sample code shows. When using the Ethernet rule, you must add at least one network identification rule.

<vpn>

The endpoint is considered as satisfying the rule if its VPN settings match all configured fields. Use the <tunnel_name> subelement as the sample code shows.

<ui> elements

<display_antivirus>

Display the Malware Protection tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_sandbox>

Display the Sandbox Detection tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_webfilter>

Display the Web Filter tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_firewall>

Display the Application Firewall tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_vpn>

Display the Remote Access tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_vulnerability_scan>

Display the Vulnerability Scan tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_ztna>

Display the ZTNA Connection Rules tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_compliance>

This tag is not used in FortiClient 5.6.0 and newer versions.

Display the Compliance tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in FortiClient.

<hide_compliance_warning>

Hide the compliance enforcement feature message from the Fabric Telemetry tab. This option is only enforced on FortiClient endpoints connected to EMS. This option does not apply to monitored clients.

Boolean value: [0 | 1]

1

<alerts> elements

<notify_server>

Enable FortiClient to send alerts to FortiClient EMS.

Boolean value: [0 | 1]. When enabled, FortiClient sends alerts to FortiClient EMS. The priority of alerts sent by FortiClient depends on the <alert_threshold> setting.

1

<alert_threshold>

Configures the threshold of alerts FortiClient sends to EMS. Enter one of the following:

  • 1: High priority alerts
  • 3: Medium priority alerts
  • 5: Low priority alerts

1

<nac> elements

This element (with its child elements) specifies up to three compliance rules for network access control (NAC). When an endpoint configuration does not comply with all compliance rules configured in the <nac> elements, non-compliance is triggered, and network access might be blocked. For information about how compliance rules work, see the FortiClient Administration Guide. Compliance rules apply only when FortiClient is connected to FortiGate. When FortiClient is not connected to FortiGate, compliance rules are not used. You can configure none, one, or all three compliance rules.

<processes>

(Optional) Create a policy for an application and its signature.

<process>

Identify an application name and its signature. This element should be repeated for each unique application name.

<process id="" name="" rule="">

ID of this process entry and name of the application that is associated with the signatures, for example, <process id="1" name="MS Word">. Also shows whether FortiGate compliance rules require this process to be present or absent on the endpoint.

<signature name="" />

Identify the application name and signature. Repeat this element for different versions of the same application.

<files>

(Optional) Create a policy for a file and path. The policy is compliant when the file can be found.

<path id=""/>

ID of this path entry. Identify the path of the file for the policy. Repeat this element for each unique file path.

<registry>

(Optional) Create a policy for a registry key or value.

<path id=""/>

ID of this path entry. Identify the registry key or value. When the path ends with a forward slash (/), it identifies a key. When the path ends without a forward slash, it identifies a registry value.

When you disable <ui> elements from displaying in the FortiClient console, the modules are still installed as part of the FortiClient installation. To configure a VPN-only installation, you can use FortiClient EMS. When selecting VPN only, all other modules are not part of the FortiClient installation.

Endpoint control

Endpoint control

FortiClient usually downloads endpoint control configuration elements from FortiClient EMS after FortiClient connects to FortiClient EMS. There are two sections:

  • The <endpoint_control></endpoint_control> XML tags contain general endpoint control attributes.
  • Configuration details relating to specific FortiClient services, such as antivirus, Web Filter, Application Firewall, Vulnerability Scan, and so on. You can find these in the respective configuration elements of the services affected.

The following lists general endpoint control attributes:

<forticlient_configuration>

<endpoint_control>

<checksum></checksum>

<enabled>1</enabled>

<socket_connect_timeouts>1:5</socket_connect_timeouts>

<system_data>Encrypted_String</system_data>

<disable_unregister>0</disable_unregister>

<invalid_cert_action>warn</invalid_cert_action>

<disable_fgt_switch>1</disable_fgt_switch>

<ping_server>172.17.61.178:8010</ping_server>

<fgt_name>FG_Hostname</fgt_name>

<fgt_sn>Encrypted_Serial_Number_String</fgt_sn>

<offnet_update>1</offnet_update>

<user>Encrypted_UsernameString</user>

<skip_confirmation>0</skip_confirmation>

<fgt_logoff_on_fct_shutdown>1</fgt_logoff_on_fct_shutdown>

<show_bubble_notifications>1</show_bubble_notifications>

<avatar_enabled>1</avatar_enabled>

<silent_registration>0</silent_registration>

<notify_fgt_on_logoff>1</notify_fgt_on_logoff>

<forensics_license>1</forensics_license>

<fgt_list>Enc256828d1e23febfa0b789324ea1fc9cf45acdc8af3888e7aa26677825bbf8d5d123fcbc2884f3cb3f2a03b5414ab01e6a6c22762add0c4f209224f052dec29491e1d15eee4a1a290a81b367c3d4a5251258ed14921e231547f52d9e3</fgt_list>

<send_software_inventory>1</send_software_inventory>

<onnet_addresses></onnet_addresses>

<onnet_mac_addresses></onnet_mac_addresses>

<onnet_rules>

<rule_set>

<dhcp_server>

<dhcp_code>

<criterion id="0">123456</criterion>

<criterion id="1">abcdef</criterion>

</dhcp_code>

</dhcp_server>

<local_ip>

<ip_address>

<criterion id="2">1234:abc:abcd:0012::0/64</criterion>

<criterion id="3">2.2.2.2/3</criterion>

</ip_address>

<mac_address>

<criterion id="4">11-11-11-11-11-11</criterion>

<criterion id="5">22-22-22-22-22-22</criterion>

</mac_address>

</local_ip>

</rule_set>

<rule_set>

<connection_media>

<wifi_ssid>

<criterion id="6">STAFF-NETWORK, WPA3</criterion>

</wifi_ssid>

<ethernet>

<criterion id="10">Connected</criterion>

</ethernet>

</connection_media>

<local_ip>

<ip_address>

<criterion id="7">1.1.1.1-2.2.2.2</criterion>

</ip_address>

<mac_address>

<criterion id="8">33-33-33-33-33-33</criterion>

</mac_address>

</local_ip>

<vpn>

<tunnel_name>

<criterion id="9">SSLVPN_VAN</criterion>

</tunnel_name>

</vpn>

</rule_set>

</onnet_rules>

<ui>

<display_antivirus>1</display_antivirus>

<display_sandbox>1</display_sandbox>

<display_webfilter>1</display_webfilter>

<display_firewall>1</display_firewall>

<display_vpn>1</display_vpn>

<display_vulnerability_scan>1</display_vulnerability_scan>

<display_ztna>1</display_ztna>

<display_compliance>1</display_compliance>

<hide_compliance_warning>0</hide_compliance_warning>

</ui>

<alerts>

<notify_server>1</notify_server>

<alert_threshold>1</alert_threshold>

</alerts>

<nac>

<processes>

<process id="1" name="MS Word" rule="present">

<signature name="processname.exe">SHA256 of file</signature>

<signature name="processname.exe">SHA256 of file</signature>

</process>

<process id="2" name="FortiToken" rule="absent">

<signature name="processname2.exe"/>

</process>

</processes>

<files>

<path id="1">Path to folder/file</path>

<path id="2">Path to folder/file</path>

</files>

<registry>

<path id="1">path to 32bit or 64bit registry key or value</path>

<path id="2">path to 32bit or 64bit registry key or value</path>

</registry>

</nac>

</endpoint_control>

</forticlient_configuration>

The following table provides the XML tags for endpoint control, as well as descriptions and default values where applicable:

XML tag

Description

Default value

<checksum>

Configuration checksum that FortiGate and EMS calculate and enforce.

<enabled>

Enable endpoint control.

<system_data>

Endpoint control system information. This element is protected and not intended to be changed.

<socket_connect_timeouts>

Probe timeout for endpoint control registration and keep-alive message timeout in seconds.

probe_timeout:keep_alive_timeout

Changing socket connect time outs may affect performance.

1:5

<ping_server>

Ping server's IP address or FQDN.

FortiClient updates this tag when it connects to FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_name>

The FortiGate hostname or EMS that FortiClient is currently connected to, if any.

FortiClient updates this tag when it connects to the FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_sn>

The connected FortiGate or EMS's encrypted serial number, if any. Do not edit this field.

You can safely delete this field.

<offnet_update>

Enable synchronization of configuration updates from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<user>

Encrypted username.

<skip_confirmation>

Skip prompting the user before proceeding to complete connection with FortiGate or EMS.

Boolean value: [0 | 1]

0

<disable_unregister>

Prevent a connected client from being able to disconnect after successfully connecting to FortiGate or EMS.

When this setting is configured as 1, the FortiClient user is unable to disconnect from the FortiGate or EMS after initial registration. This XML setting is intended to be used with <silent_registration>. If Enable Registration Key for FortiClient is enabled on FortiGate or EMS, configure this password in the <registration_password> XML tag, and enter the IP address or addresses of the FortiGate or EMS in the <addresses> XML tag.

Boolean value: [0 | 1]

0

<invalid_cert_action>

Configure the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

  • allow: allows FortiClient to connect to EMS with an invalid certificate.
  • warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
  • deny: block FortiClient from connecting to EMS with an invalid certificate.

When creating a new FortiClient installer on EMS, if EMS considers the certificate used for endpoint control invalid, the default action in the new installer is allow. The EMS administrator can modify this setting as desired.

Boolean value: [0 | 1]

<disable_fgt_switch>

Disable the FortiGate switch.

Boolean value: [0 | 1]

This XML setting is intended for use with <silent_registration> and <disable_unregister>. If Enable Registration Key for FortiClient is enabled on the FortiGate, configure this password in the <registration_password> XML tag and enter the IP address or addresses of the FortiGate in the <addresses> XML tag.

When <disable_fgt_switch> is configured as 1, the FortiGate switch is disabled. As a result:

  • FortiClient does not probe the default gateway.
  • FortiClient does not automatically connect to the default gateway.
  • FortiClient ignores FortiGate broadcasts.
  • The discovered list displays only predefined FortiGate devices, if discovered.

<fgt_logoff_on_fct_shutdown>

Notify FortiGate or EMS when FortiClient is shut down.

Boolean value: [0 | 1]

1

<show_bubble_notification>

Show notifications in the system tray when a configuration update is received from the FortiGate or EMS.

Boolean value: [0 | 1]

1

<avatar_enabled>

Control whether FortiClient sends the user avatar to EMS and the FortiGate.

Boolean value: [0 | 1]

1

<silent_registration>

Connect to the FortiGate or EMS without prompting the user to accept connection. When enabled, no end user interaction is required to get the client to connect to FortiGate or EMS.

Boolean value: [0 | 1]

This XML setting is intended to be used with <disable_unregister>.

0

<notify_fgt_on_logoff>

Notify FortiGate or EMS when the FortiClient endpoint detects that a user logs off. When this setting is configured as 0, no message is sent to FortiGate or EMS. When this setting is configured as 1, a message is sent to FortiGate or EMS.

Boolean value: [0 | 1]

<forensics_license>

Enable the forensic analysis feature. You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team investigates the logs and provides a detailed report with their verdict. You can download the report from EMS.

Boolean value: [0 | 1]

<fgt_list>

Encrypted list of remembered FortiGate or EMS units. Do not edit this field.

You can safely delete this field.

<send_software_inventory>

Enable sending software inventory reports to EMS.

Boolean value: [0 | 1]

1

<onnet_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's IP address matches the specified IP address, it is considered on-fabric.

<onnet_mac_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's MAC address matches the specified MAC address, it is considered on-fabric.

<onnet_rules> elements

Configure rule sets to determine endpoint on-/off-fabric status. The endpoint must satisfy all rules within a rule set to be determined as on-fabric. An endpoint only needs to satisfy one rule set to be considered on-fabric. See On-fabric Detection Rules.

Use the <criterion id> element as shown in the sample code to configure multiple criteria for each rule type.

<dhcp_server>

The endpoint is considered as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. Use the following subelements:

  • <dhcp_code>
  • <ip_address>
  • <mac_address>

<dns_server>

The endpoint is considered as satisfying the rule if it is connected to a DNS server that matches the specified configuration. Use the following subelements:

  • <ip_address>
  • <mac_address>

<ems_connection>

The endpoint is considered as satisfying the rule if it is online with EMS. Configure this element as follows:

<ems_connection>

<online_status>Online with EMS</online_status>

</ems_connection>

<local_ip>

The endpoint is considered as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if configured. Configuring the MAC address is optional. Use the following subelements:

  • <ip_address>
  • <mac_address>

<gateway>

The endpoint is considered as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if configured. Configuring the MAC address is optional. Use the following subelements:

  • <ip_address>
  • <mac_address>

<ping_server>

The endpoint is considered as satisfying the rule if it can access the server at the specified IP address. Use the <ip_address> subelement.

<public_ip>

The endpoint is considered as satisfying the rule if its public (WAN) IP address matches the one specified. Use the <ip_address> subelement.

<connection_media>

The endpoint is considered as satisfying the rule if its network settings match all configured fields. Use the <wifi_ssid> and <ethernet> subelements as the sample code shows. When using the Ethernet rule, you must add at least one network identification rule.

<vpn>

The endpoint is considered as satisfying the rule if its VPN settings match all configured fields. Use the <tunnel_name> subelement as the sample code shows.

<ui> elements

<display_antivirus>

Display the Malware Protection tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_sandbox>

Display the Sandbox Detection tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_webfilter>

Display the Web Filter tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_firewall>

Display the Application Firewall tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_vpn>

Display the Remote Access tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_vulnerability_scan>

Display the Vulnerability Scan tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_ztna>

Display the ZTNA Connection Rules tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_compliance>

This tag is not used in FortiClient 5.6.0 and newer versions.

Display the Compliance tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in FortiClient.

<hide_compliance_warning>

Hide the compliance enforcement feature message from the Fabric Telemetry tab. This option is only enforced on FortiClient endpoints connected to EMS. This option does not apply to monitored clients.

Boolean value: [0 | 1]

1

<alerts> elements

<notify_server>

Enable FortiClient to send alerts to FortiClient EMS.

Boolean value: [0 | 1]. When enabled, FortiClient sends alerts to FortiClient EMS. The priority of alerts sent by FortiClient depends on the <alert_threshold> setting.

1

<alert_threshold>

Configures the threshold of alerts FortiClient sends to EMS. Enter one of the following:

  • 1: High priority alerts
  • 3: Medium priority alerts
  • 5: Low priority alerts

1

<nac> elements

This element (with its child elements) specifies up to three compliance rules for network access control (NAC). When an endpoint configuration does not comply with all compliance rules configured in the <nac> elements, non-compliance is triggered, and network access might be blocked. For information about how compliance rules work, see the FortiClient Administration Guide. Compliance rules apply only when FortiClient is connected to FortiGate. When FortiClient is not connected to FortiGate, compliance rules are not used. You can configure none, one, or all three compliance rules.

<processes>

(Optional) Create a policy for an application and its signature.

<process>

Identify an application name and its signature. This element should be repeated for each unique application name.

<process id="" name="" rule="">

ID of this process entry and name of the application that is associated with the signatures, for example, <process id="1" name="MS Word">. Also shows whether FortiGate compliance rules require this process to be present or absent on the endpoint.

<signature name="" />

Identify the application name and signature. Repeat this element for different versions of the same application.

<files>

(Optional) Create a policy for a file and path. The policy is compliant when the file can be found.

<path id=""/>

ID of this path entry. Identify the path of the file for the policy. Repeat this element for each unique file path.

<registry>

(Optional) Create a policy for a registry key or value.

<path id=""/>

ID of this path entry. Identify the registry key or value. When the path ends with a forward slash (/), it identifies a key. When the path ends without a forward slash, it identifies a registry value.

When you disable <ui> elements from displaying in the FortiClient console, the modules are still installed as part of the FortiClient installation. To configure a VPN-only installation, you can use FortiClient EMS. When selecting VPN only, all other modules are not part of the FortiClient installation.