Endpoint control
FortiClient usually downloads endpoint control configuration elements from FortiClient EMS after FortiClient connects to FortiClient EMS. There are two sections:
- The
<endpoint_control></endpoint_control>
XML tags contain general endpoint control attributes. - Configuration details relating to specific FortiClient services, such as antivirus, Web Filter, Application Firewall, Vulnerability Scan, and so on. You can find these in the respective configuration elements of the services affected.
The following lists general endpoint control attributes:
<forticlient_configuration>
<endpoint_control>
<checksum></checksum>
<enabled>1</enabled>
<socket_connect_timeouts>1:5</socket_connect_timeouts>
<system_data>Encrypted_String</system_data>
<disable_unregister>0</disable_unregister>
<invalid_cert_action>warn</invalid_cert_action>
<disable_fgt_switch>1</disable_fgt_switch>
<ping_server>172.17.61.178:8010</ping_server>
<fgt_name>FG_Hostname</fgt_name>
<fgt_sn>Encrypted_Serial_Number_String</fgt_sn>
<offnet_update>1</offnet_update>
<user>Encrypted_UsernameString</user>
<skip_confirmation>0</skip_confirmation>
<fgt_logoff_on_fct_shutdown>1</fgt_logoff_on_fct_shutdown>
<show_bubble_notifications>1</show_bubble_notifications>
<avatar_enabled>1</avatar_enabled>
<silent_registration>0</silent_registration>
<notify_fgt_on_logoff>1</notify_fgt_on_logoff>
<forensics_license>1</forensics_license>
<fgt_list>Enc256828d1e23febfa0b789324ea1fc9cf45acdc8af3888e7aa26677825bbf8d5d123fcbc2884f3cb3f2a03b5414ab01e6a6c22762add0c4f209224f052dec29491e1d15eee4a1a290a81b367c3d4a5251258ed14921e231547f52d9e3</fgt_list>
<send_software_inventory>1</send_software_inventory>
<onnet_addresses></onnet_addresses>
<onnet_mac_addresses></onnet_mac_addresses>
<onnet_rules>
<rule_set>
<dhcp_server>
<dhcp_code>
<criterion id="0">123456</criterion>
<criterion id="1">abcdef</criterion>
</dhcp_code>
</dhcp_server>
<local_ip>
<ip_address>
<criterion id="2">1234:abc:abcd:0012::0/64</criterion>
<criterion id="3">2.2.2.2/3</criterion>
</ip_address>
<mac_address>
<criterion id="4">11-11-11-11-11-11</criterion>
<criterion id="5">22-22-22-22-22-22</criterion>
</mac_address>
</local_ip>
</rule_set>
<rule_set>
<connection_media>
<wifi_ssid>
<criterion id="6">STAFF-NETWORK, WPA3</criterion>
</wifi_ssid>
<ethernet>
<criterion id="10">Connected</criterion>
</ethernet>
</connection_media>
<local_ip>
<ip_address>
<criterion id="7">1.1.1.1-2.2.2.2</criterion>
</ip_address>
<mac_address>
<criterion id="8">33-33-33-33-33-33</criterion>
</mac_address>
</local_ip>
<vpn>
<tunnel_name>
<criterion id="9">SSLVPN_VAN</criterion>
</tunnel_name>
</vpn>
</rule_set>
</onnet_rules>
<ui>
<display_antivirus>1</display_antivirus>
<display_sandbox>1</display_sandbox>
<display_webfilter>1</display_webfilter>
<display_firewall>1</display_firewall>
<display_vpn>1</display_vpn>
<display_vulnerability_scan>1</display_vulnerability_scan>
<display_ztna>1</display_ztna>
<display_compliance>1</display_compliance>
<hide_compliance_warning>0</hide_compliance_warning>
</ui>
<alerts>
<notify_server>1</notify_server>
<alert_threshold>1</alert_threshold>
</alerts>
<nac>
<processes>
<process id="1" name="MS Word" rule="present">
<signature name="processname.exe">SHA256 of file</signature>
<signature name="processname.exe">SHA256 of file</signature>
</process>
<process id="2" name="FortiToken" rule="absent">
<signature name="processname2.exe"/>
</process>
</processes>
<files>
<path id="1">Path to folder/file</path>
<path id="2">Path to folder/file</path>
</files>
<registry>
<path id="1">path to 32bit or 64bit registry key or value</path>
<path id="2">path to 32bit or 64bit registry key or value</path>
</registry>
</nac>
</endpoint_control>
</forticlient_configuration>
The following table provides the XML tags for endpoint control, as well as descriptions and default values where applicable:
XML tag |
Description |
Default value |
---|---|---|
<checksum> |
Configuration checksum that FortiGate and EMS calculate and enforce. |
|
<enabled> |
Enable endpoint control. |
|
<system_data> |
Endpoint control system information. This element is protected and not intended to be changed. |
|
<socket_connect_timeouts> |
Probe timeout for endpoint control registration and keep-alive message timeout in seconds. probe_timeout:keep_alive_timeout Changing socket connect time outs may affect performance. |
1:5 |
<ping_server> |
Ping server's IP address or FQDN. FortiClient updates this tag when it connects to FortiGate or EMS. FortiClient overwrites edits to this tag. You can safely delete this field. |
|
<fgt_name> |
The FortiGate hostname or EMS that FortiClient is currently connected to, if any. FortiClient updates this tag when it connects to the FortiGate or EMS. FortiClient overwrites edits to this tag. You can safely delete this field. |
|
<fgt_sn> |
The connected FortiGate or EMS's encrypted serial number, if any. Do not edit this field. You can safely delete this field. |
|
<offnet_update> |
Enable synchronization of configuration updates from the FortiGate or EMS. Boolean value: |
1 |
<user> |
Encrypted username. |
|
<skip_confirmation> |
Skip prompting the user before proceeding to complete connection with FortiGate or EMS. Boolean value: |
0 |
<disable_unregister> |
Prevent a connected client from being able to disconnect after successfully connecting to FortiGate or EMS. When this setting is configured as Boolean value: |
0 |
<invalid_cert_action> |
Configure the action to take when FortiClient attempts to connect to EMS with an invalid certificate:
When creating a new FortiClient installer on EMS, if EMS considers the certificate used for endpoint control invalid, the default action in the new installer is Boolean value: |
|
<disable_fgt_switch> |
Disable the FortiGate switch. Boolean value: This XML setting is intended for use with When
|
|
<fgt_logoff_on_fct_shutdown> |
Notify FortiGate or EMS when FortiClient is shut down. Boolean value: |
1 |
<show_bubble_notification> |
Show notifications in the system tray when a configuration update is received from the FortiGate or EMS. Boolean value: |
1 |
<avatar_enabled> |
Control whether FortiClient sends the user avatar to EMS and the FortiGate. Boolean value: |
1 |
<silent_registration> |
Connect to the FortiGate or EMS without prompting the user to accept connection. When enabled, no end user interaction is required to get the client to connect to FortiGate or EMS. Boolean value: This XML setting is intended to be used with |
0 |
<notify_fgt_on_logoff> |
Notify FortiGate or EMS when the FortiClient endpoint detects that a user logs off. When this setting is configured as 0, no message is sent to FortiGate or EMS. When this setting is configured as 1, a message is sent to FortiGate or EMS. Boolean value: |
|
<forensics_license> |
Enable the forensic analysis feature. You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team investigates the logs and provides a detailed report with their verdict. You can download the report from EMS. Boolean value: |
|
<fgt_list> |
Encrypted list of remembered FortiGate or EMS units. Do not edit this field. You can safely delete this field. |
|
<send_software_inventory> |
Enable sending software inventory reports to EMS. Boolean value: |
1 |
<onnet_addresses> |
Use the |
|
<onnet_mac_addresses> |
Use the |
|
|
Configure rule sets to determine endpoint on-/off-fabric status. The endpoint must satisfy all rules within a rule set to be determined as on-fabric. An endpoint only needs to satisfy one rule set to be considered on-fabric. See On-fabric Detection Rules. Use the |
|
<dhcp_server> |
The endpoint is considered as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. Use the following subelements:
|
|
<dns_server> |
The endpoint is considered as satisfying the rule if it is connected to a DNS server that matches the specified configuration. Use the following subelements:
|
|
<ems_connection> |
The endpoint is considered as satisfying the rule if it is online with EMS. Configure this element as follows: <ems_connection> <online_status>Online with EMS</online_status> </ems_connection> |
|
<local_ip> |
The endpoint is considered as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if configured. Configuring the MAC address is optional. Use the following subelements:
|
|
<gateway> |
The endpoint is considered as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if configured. Configuring the MAC address is optional. Use the following subelements:
|
|
<ping_server> |
The endpoint is considered as satisfying the rule if it can access the server at the specified IP address. Use the |
|
<public_ip> |
The endpoint is considered as satisfying the rule if its public (WAN) IP address matches the one specified. Use the |
|
<connection_media> |
The endpoint is considered as satisfying the rule if its network settings match all configured fields. Use the |
|
<vpn> |
The endpoint is considered as satisfying the rule if its VPN settings match all configured fields. Use the |
|
|
||
<display_antivirus> |
Display the Malware Protection tab in FortiClient. Boolean value: When this setting is configured as 0, this feature does not display in the FortiClient console. |
|
<display_sandbox> |
Display the Sandbox Detection tab in FortiClient. Boolean value: When this setting is configured as 0, this feature does not display in the FortiClient console. |
|
<display_webfilter> |
Display the Web Filter tab in FortiClient. Boolean value: When this setting is configured as 0, this feature does not display in the FortiClient console. |
|
<display_firewall> |
Display the Application Firewall tab in FortiClient. Boolean value: When this setting is configured as 0, this feature does not display in the FortiClient console. |
|
<display_vpn> |
Display the Remote Access tab in FortiClient. Boolean value: When this setting is configured as 0, this feature does not display in the FortiClient console. |
|
<display_vulnerability_scan> |
Display the Vulnerability Scan tab in FortiClient. Boolean value: When this setting is configured as 0, this feature does not display in the FortiClient console. |
|
<display_ztna> |
Display the ZTNA Connection Rules tab in FortiClient. Boolean value: When this setting is configured as 0, this feature does not display in the FortiClient console. |
|
<display_compliance> |
This tag is not used in FortiClient 5.6.0 and newer versions. Display the Compliance tab in FortiClient. Boolean value: When this setting is configured as |
|
<hide_compliance_warning> |
Hide the compliance enforcement feature message from the Fabric Telemetry tab. This option is only enforced on FortiClient endpoints connected to EMS. This option does not apply to monitored clients. Boolean value: |
1 |
|
||
<notify_server> |
Enable FortiClient to send alerts to FortiClient EMS. Boolean value: |
1 |
<alert_threshold> |
Configures the threshold of alerts FortiClient sends to EMS. Enter one of the following:
|
1 |
This element (with its child elements) specifies up to three compliance rules for network access control (NAC). When an endpoint configuration does not comply with all compliance rules configured in the |
||
<processes> |
(Optional) Create a policy for an application and its signature. |
|
<process> |
Identify an application name and its signature. This element should be repeated for each unique application name. |
|
<process id="" name="" rule=""> |
ID of this process entry and name of the application that is associated with the signatures, for example, |
|
<signature name="" /> |
Identify the application name and signature. Repeat this element for different versions of the same application. |
|
<files> |
(Optional) Create a policy for a file and path. The policy is compliant when the file can be found. |
|
<path id=""/> |
ID of this path entry. Identify the path of the file for the policy. Repeat this element for each unique file path. |
|
<registry> |
(Optional) Create a policy for a registry key or value. |
|
<path id=""/> |
ID of this path entry. Identify the registry key or value. When the path ends with a forward slash (/), it identifies a key. When the path ends without a forward slash, it identifies a registry value. |
When you disable |