Administration Guide

FortiClient (Linux) CLI commands


FortiClient (Linux) supports an installer targeted at headless Linux servers. FortiClient (Linux) 7.4.1 for servers (forticlient_server_7.4.1.xxxx) offers a command line interface and is intended to be used with the CLI-only (headless) installation. The same set of CLI commands also works with a FortiClient (Linux) GUI installation.

The following summarizes the CLI commands available for FortiClient (Linux) 7.4.1:

Endpoint control

FortiClient 7.4.1 must establish a Telemetry connection to EMS to receive license information. FortiClient features are only enabled after connecting to EMS.

Usage

You can access endpoint control features through the epctrl CLI command. This command offers the end user the ability to connect or disconnect from EMS and check the connection status. You can access usage information by using the following commands:

jameslee@sunshine:~$ forticlient epctrl -h
Endpoint Control CLI interface

Usage: forticlient epctrl [command]

Available Commands:
auth    Initializes the authentication process if user authentication is enabled on EMS
detail    Show detail of endpoint status
disconnect  Disconnect from an EMS
register  Register to a specified EMS IP, Hostname, or invitation code
trust   Trust or deny a pending invalid EMS certificate

Connecting to EMS or FortiClient Cloud

FortiClient can connect to on-premise EMS or FortiClient Cloud using the following commands. If EMS is listening on the default port, 8013, you do not need to specify the port number. If EMS is listening on another port, such as 8444, you must specify the port number with the EMS IP address. The example illustrates both use cases:

jameslee@sunshine:~$ forticlient epctrl register 172.17.60.251
Registering to EMS 172.17.60.251:8013 at site "default".

jameslee@sunshine:~$ forticlient epctrl register 172.17.60.251 -p 8444
Registering to EMS 172.17.60.251:8444.

If EMS multitenancy is enabled, you can also specify the site name. If connecting to the default site, you do not need to provide a site name. The example illustrates connecting to a site named "headquarters".

jameslee@sunshine:~$ forticlient epctrl register 172.17.60.251 -s headquarters

FortiClient can connect to on-premise EMS or FortiClient Cloud using an invitation code (ABCDEF123 in the example) that you received from the administrator:

jameslee@sunshine:~$ forticlient epctrl register ABCDEF123

Endpoint control status

You can check FortiClient endpoint control status details with the detail argument. When FortiClient is connected to EMS only, the command output is as follows:

jameslee@sunshine:~$ forticlient epctrl detail
=====================================
FortiClient License Details
=====================================
License Expiry:  Mon Oct 14 11:16:32 2024 PDT
VPN Expiry:      N/A (EMS Connected)

=====================================
FortiClient EMS Details
=====================================
IP:                192.168.34.30
Site:              default
Host:              ubuntu
SN:                FCTEMS123456
Status:            Connected
Last Access Time:  Thu Jun  6 11:56:35 2024 PDT

=====================================
Zero Trust Tags
=====================================
Ubuntu2204

If FortiClient is connected to EMS and notifying FortiGate, the endpoint control status displays the serial numbers and hostnames of the EMS and FortiGates as follows:

jameslee@sunshine:~$ forticlient epctrl detail
=====================================
FortiClient License Details
=====================================
License Expiry:  Mon Oct 14 11:16:32 2024 PDT
VPN Expiry:      N/A (EMS Connected)
 
=====================================
FortiClient EMS Details
=====================================
IP:                192.168.34.30
Site:              default
Host:              ubuntu
SN:                FCTEMS123456
Status:            Connected
Last Access Time:  Thu Jun  6 11:56:35 2024 PDT
 
=====================================
Zero Trust Tags
=====================================
Ubuntu2204
===================================== 
FortiGate Details
=====================================
IP: 172.17.60.40
Host: FGVM02TM18001119
SN: FGVM02TM18001119
Status: Connected

When FortiClient is not connected to EMS, the endpoint control status has no Telemetry data available as shown:

jameslee@sunshine:~$ forticlient epctrl detail
=====================================
FortiClient License Details
=====================================
License Expiry:  Unlicensed
VPN Expiry:      Fri Jul  5 14:55:13 2024 PDT
 
=====================================
FortiClient EMS Details
=====================================
No telemetry data available.
 
=====================================
Zero Trust Tags
=====================================
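
The check below is an added example, not Fortinet code: it reduces the epctrl detail output shown above to a single state that a health or compliance script can gate on. The state names and the optional EMS serial-number pin are assumptions of this example; the sample input is the output printed on this page.

```sh
#!/bin/sh
# Added example (not Fortinet code).
# Usage: forticlient epctrl detail | epctrl_state [EXPECTED_EMS_SN]
# Prints ok | unlicensed | no-telemetry | disconnected | wrong-ems
# and returns 0 only for "ok". State names are this example's own.

epctrl_state() {
    awk -v pin="${1:-}" '
    function val(line) { sub(/^[^:]*:[ \t]*/, "", line); return line }
    { sub(/[ \t\r]+$/, "") }            # trailing blanks occur in the output
    /^=+$/ { next }                     # banner rules around section titles
    $0 == "FortiClient License Details" || $0 == "FortiClient EMS Details" ||
    $0 == "Zero Trust Tags" || $0 == "FortiGate Details" { section = $0; next }
    # "Status:" and "SN:" also appear under FortiGate Details, so every
    # field is read only inside the section it belongs to.
    section == "FortiClient License Details" && /^License Expiry:/ { license = val($0) }
    section == "FortiClient EMS Details" && /^No telemetry data available/ { no_telemetry = 1 }
    section == "FortiClient EMS Details" && /^Status:/ { status = val($0) }
    section == "FortiClient EMS Details" && /^SN:/ { sn = val($0) }
    END {
        if (no_telemetry || status == "")                  state = "no-telemetry"
        else if (status != "Connected")                    state = "disconnected"
        else if (license == "" || license == "Unlicensed") state = "unlicensed"
        else if (pin != "" && sn != pin)                   state = "wrong-ems"
        else                                               state = "ok"
        print state
        exit (state == "ok" ? 0 : 1)
    }'
}

# Sample input: the "connected to EMS and notifying FortiGate" output from this page.
sample_connected() { cat <<'EOF'
=====================================
FortiClient License Details
=====================================
License Expiry:  Mon Oct 14 11:16:32 2024 PDT
VPN Expiry:      N/A (EMS Connected)

=====================================
FortiClient EMS Details
=====================================
IP:                192.168.34.30
Site:              default
Host:              ubuntu
SN:                FCTEMS123456
Status:            Connected
Last Access Time:  Thu Jun  6 11:56:35 2024 PDT

=====================================
Zero Trust Tags
=====================================
Ubuntu2204
=====================================
FortiGate Details
=====================================
IP: 172.17.60.40
Host: FGVM02TM18001119
SN: FGVM02TM18001119
Status: Connected
EOF
}

# Sample input: the "not connected to EMS" output from this page.
sample_offline() { cat <<'EOF'
=====================================
FortiClient License Details
=====================================
License Expiry:  Unlicensed
VPN Expiry:      Fri Jul  5 14:55:13 2024 PDT

=====================================
FortiClient EMS Details
=====================================
No telemetry data available.

=====================================
Zero Trust Tags
=====================================
EOF
}

# Demo: pin the EMS serial number shown on this page.
for s in sample_connected sample_offline; do
    printf '%s: %s\n' "$s" "$($s | epctrl_state FCTEMS123456 || true)"
done
```

On a live host, pipe the real command into the function and alert on any state other than ok.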

Disconnecting from EMS

FortiClient can disconnect from EMS only if the configuration received from EMS allows it. You can disconnect using the disconnect command.

jameslee@sunshine:~$ forticlient epctrl disconnect
Unregistering from EMS.

AV scanning

You may run an AV scan from the CLI on the entire file system or on a specified directory. You can only run an AV scan as the root user. After completing an AV scan, FortiClient prints the scan results and detailed log file locations. You can run the following command to run an AV scan, where <directory_path> is the directory path to scan. You can perform a full scan by inputting / in place of <directory_path>.

forticlient fmon scan custom <directory_path>

The following shows an AV scan performed on the /var directory:

jameslee@sunshine:/var$ forticlient fmon scan custom /var 
Signature dir : forticlient/vir_sig/
Log dir : forticlient/
Fmon on daemon mode.
Dest dir : /var
CPU number : 1
Server port : 40140
AV Engine path : forticlient/libav.so
AV Signature path : forticlient/vir_sig/vir_high:forticlient/vir_sig/vir_sandbox_sig
Load AV signature success.
<=== PID : 13821 Client Hello rc = 2185
Child : 13821 ready
===> Scan : /var/spool/anacron/cron.daily
===> Scan : /var/spool/anacron/cron.weekly
===> Scan : /var/spool/anacron/cron.monthly
===> Scan : /var/crash/_usr_bin_gedit.1001.crash
===> Scan : /var/crash/_opt_forticlient_fmon.1000.crash
===> Scan : /var/backups/apt.extended_states.1.gz
===> Scan : /var/backups/shadow.bak
===> Scan : /var/backups/dpkg.statoverride.2.gz
===> Scan : /var/backups/passwd.bak
===> Scan : /var/backups/dpkg.diversions.1.gz
===> Scan : /var/backups/apt.extended_states.0
===> Scan : /var/backups/dpkg.arch.2.gz
===> Scan : /var/backups/alternatives.tar.1.gz
===> Scan : /var/backups/dpkg.arch.0
===> Scan : /var/backups/dpkg.status.1.gz
===> Scan : /var/backups/dpkg.statoverride.0
===> Scan : /var/backups/dpkg.arch.1.gz
===> Scan : /var/backups/gshadow.bak
===> Scan : /var/backups/dpkg.diversions.2.gz
===> Scan : /var/backups/alternatives.tar.2.gz
................................
................................
................................
-------------- scan_dispatch_worker finished -------------
Scan started at Mon Apr 22 14:43:45 2019 
Found virus : EICAR_TEST_FILE 
In file : /var/eicar.com
Action : Quarantine success
Quarantine file : forticlient/quarantine/eicar.com.1
--------------- Scan summary --------------------- 
Total scan files : 10947
Found virus : 1
Worker crash : 0
Worker timeout : 0
--------------------------------------------------
Scan ended at Mon Apr 22 14:44:01 2019 
Full results can be found in forticlient/Daemon - Mon Apr 22 14:43:45 2019.log
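
An added example (not Fortinet code) for triaging saved scan output like the above: it extracts each detection record and derives a verdict. The verdict names, and treating a missing summary or a non-zero Worker crash or Worker timeout count as an incomplete scan, are assumptions of this example; the second sample is constructed.

```sh
#!/bin/sh
# Added example (not Fortinet code).
# Usage: av_detections < scan.log   -> one tab-separated line per detection
#        av_verdict    < scan.log   -> clean | quarantined | unremediated | incomplete
# av_verdict returns 0 only for "clean". Verdict names are this example's own.

AV_AWK='
function val(line) {       # text after the first ":" separator, trimmed
    sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line); return line
}
function emit() {          # close the detection record being collected
    if (virus == "") return
    found++
    if (action != "Quarantine success") unremediated++
    if (mode == "detections") printf "%s\t%s\t%s\t%s\n", virus, file, action, qfile
    virus = file = action = qfile = ""
}
# "Found virus :" is both a detection header and a summary counter,
# so the parser tracks whether it is inside the summary block.
/^-+ Scan summary -+/             { emit(); in_summary = 1; next }
in_summary && /^-+[ \t]*$/        { in_summary = 0; summary_done = 1; next }
in_summary && /^Found virus :/    { reported = val($0) + 0; next }
in_summary && /^Worker crash :/   { crashed = val($0) + 0; next }
in_summary && /^Worker timeout :/ { timed_out = val($0) + 0; next }
in_summary                        { next }
/^Found virus :/     { emit(); virus = val($0); file = action = qfile = ""; next }
/^In file :/         { file = val($0); next }
/^Action :/          { action = val($0); next }
/^Quarantine file :/ { qfile = val($0); next }
END {
    emit()
    if (mode != "verdict") exit 0
    if (unremediated > 0)             v = "unremediated"
    else if (!summary_done || crashed || timed_out || reported + 0 != found + 0)
                                      v = "incomplete"
    else if (found > 0)               v = "quarantined"
    else                              v = "clean"
    print v
    exit (v == "clean" ? 0 : 1)
}'

av_detections() { awk -v mode=detections "$AV_AWK"; }
av_verdict()    { awk -v mode=verdict "$AV_AWK"; }

# Sample input: tail of the /var scan output printed on this page.
sample_page_scan() { cat <<'EOF'
===> Scan : /var/backups/alternatives.tar.2.gz
-------------- scan_dispatch_worker finished -------------
Scan started at Mon Apr 22 14:43:45 2019
Found virus : EICAR_TEST_FILE
In file : /var/eicar.com
Action : Quarantine success
Quarantine file : forticlient/quarantine/eicar.com.1
--------------- Scan summary ---------------------
Total scan files : 10947
Found virus : 1
Worker crash : 0
Worker timeout : 0
--------------------------------------------------
Scan ended at Mon Apr 22 14:44:01 2019
EOF
}

# Constructed sample: no detections, but two workers timed out.
sample_timeout_scan() { cat <<'EOF'
--------------- Scan summary ---------------------
Total scan files : 10947
Found virus : 0
Worker crash : 0
Worker timeout : 2
--------------------------------------------------
EOF
}

# Demo on the embedded samples.
sample_page_scan | av_detections
printf 'page sample verdict: %s\n' "$(sample_page_scan | av_verdict || true)"
printf 'timeout sample verdict: %s\n' "$(sample_timeout_scan | av_verdict || true)"
```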

You can restore a quarantined file. This releases the file from quarantine and makes it accessible to the user.

jameslee@sunshine:/home/jameslee$ sudo /opt/forticlient/fchelper -r <file>

Vulnerability scanning

You can run a vulnerability scan from the CLI to check for vulnerable applications on the machine. You can only run a vulnerability scan as the root user. After completing a vulnerability scan, FortiClient prints the number of vulnerabilities present on the machine, their severity levels, and detailed log file locations. You can run a vulnerability scan by running the following command:

jameslee@sunshine:/home/jameslee$ forticlient vulscan scan 
Vulnerability Scan Complete
--------------- Scan summary ---------------------
Critical : 7
High : 2
Medium : 7
Low : 0

You can patch existing vulnerabilities using FortiClient. FortiClient runs a vulnerability scan again after patching the vulnerabilities and prints the results. You can patch vulnerabilities as shown:

jameslee@sunshine:/home/jameslee$ forticlient vulscan patch 
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
[INFO] Engine version=2.0.0.22
[INFO] Build install list
...
Patching vid 55441 
Hit:1 http://ca.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://ca.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:4 http://ca.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:5 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [278 kB]
Get:6 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [9,364 B]
Get:7 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 48x48 Icons [66.7 kB]
Get:8 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 64x64 Icons [123 kB]
Get:9 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [222 kB]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 48x48 Icons [7,788 B]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [35.7 kB]
Get:12 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 48x48 Icons [194 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 48x48 Icons [16.4 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [92.2 kB]
Get:15 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 64x64 Icons [406 kB]
Get:16 http://ca.archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2,468 B]
Get:17 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2,464 B]
Get:18 http://ca.archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [7,352 B]
Fetched 1,716 kB in 3s (591 kB/s)
Reading package lists... Done
[INFO] install command is: apt-get -y install --only-upgrade firefox
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
fonts-lyx
The following packages will be upgraded:
firefox
1 upgraded, 0 newly installed, 0 to remove and 315 not upgraded.
Need to get 0 B/48.1 MB of archives.
After this operation, 7,509 kB of additional disk space will be used.
(Reading database ... 162206 files and directories currently installed.)
Preparing to unpack .../firefox_66.0.3+build1-0ubuntu0.18.04.1_amd64.deb ...
Unpacking firefox (66.0.3+build1-0ubuntu0.18.04.1) over (59.0.2+build1-0ubuntu1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-1ubuntu3.18.04.1) ...
Setting up firefox (66.0.3+build1-0ubuntu0.18.04.1) ...
Installing new version of config file /etc/apparmor.d/usr.bin.firefox ...
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for man-db (2.8.3-2) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
[INFO] query command is: dpkg-query --show firefox
Package version found is 66.0.3+build1-0ubuntu0.18.04.1
Patching vid 55442 
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://ca.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://ca.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://ca.archive.ubuntu.com/ubuntu bionic-backports InRelease
Reading package lists... Done
................................
................................
................................
--------------- Scan summary ---------------------
Critical : 0
High : 0
Medium : 0
Low : 0
--------------------------------------------------

FortiClient updates

You can run a FortiClient update task from the CLI once FortiClient has connected to EMS and is licensed. The update task downloads the latest FortiClient engine and signatures. You can only run an update task as the root user. Following are the command and its output:

root@sunshine:/home/jameslee# /opt/forticlient/update 
****************Update starting*************** 
Sandbox test = 0
Sandbox host to test = (null)
log_level: 6
Enable custom fds server :80 failover port: 8000 failover to fdg: 1 allow sw update: 0
Updating FCTDATA: Update started forced update
[INFO] Engine version=2.0.0.22
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
Getting current FortiClient Components information
current av engine version: 6.2.126
av engine id: 06002000FVEN04100-00006.00126-9999999999
current av main sig full version: 67.1895
av main sig id: 06002000FVDB04000-00067.01895-9999999999
current av ext sig full version: 67.1892
...
...
user jameslee, type:7, session:0, pid:6913
user = jameslee
sandbox server not configured.
Updating FCTDATA: Update finished
[INFO] Engine version=2.0.0.22
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
Downloading done ret = 0
root@sunshine:/home/jameslee#

Existing signature details

You can check details of the existing FortiClient engine and signatures by running the version command:

jameslee@sunshine:/home/jameslee$ forticlient version
FortiClient Version: 7.4.1.XXXX
FortiClient Serial:  FCT123456
FortiClient UID:     3FF8BE62539...
 
=====================================
Engines
=====================================
AntiVirus:          7.00026
Vulnerability:      2.00032
 
=====================================
Signatures
=====================================
AntiVirus:          1.00000
AntiVirus Extended: Unavailable
Vulnerability:      2.00425
Sandbox:            Unavailable
ICDB:               1.00026

Update help

The update help option lists all options available for the update task. You can access this option as shown:

jameslee@sunshine:~$ /opt/forticlient/update -h 
FortiClient Update
Usage: /opt/forticlient/update [options...]
Options:
-h Show the help screen
-v Enable verbose log

VPN

You can access VPN features through the vpn CLI command. This command offers the end user the ability to connect to or disconnect from VPN and perform other VPN tasks.

VPN CLI interface
 
Usage:
forticlient vpn [command]
 
Available Commands:
connect     Connect to a VPN
disconnect  Disconnect from VPN
edit        Configure new/existing VPN profile
list        List VPN profiles
remove      Remove VPN profile
status      Print current VPN status
view        View VPN profile

Option               Description
connect <vpn_name>   Connect to a configured VPN tunnel. Use the --user=<username>, --password, --save-password, --always-up, and auto-connect options to provide the username and password, save the password, or configure the tunnel to always be up or autoconnect.
disconnect           Disconnect from VPN.
edit <vpn_name>      Create or edit a VPN tunnel configuration.
list                 List existing VPN tunnel configurations.
remove <myvpn_name>  Remove the VPN tunnel configuration.
status               Show VPN status.
view <vpn_name>      View a VPN tunnel configuration's details.

Connecting to VPN using the Linux CLI may not function correctly on Ubuntu if gnome-keyring is not configured. See the Ubuntu Manpage.

To configure gnome-keyring:
  1. Install gnome-keyring:

    sudo apt install gnome-keyring

  2. Initialize and unlock the login keyring:

    killall gnome-keyring-daemon

    echo -n "your-login-password" | gnome-keyring-daemon --unlock
