
EMS Administration Guide

Remote Access

This topic contains general remote access settings descriptions:

Configuration

Description

Remote Access

Enable or disable remote access.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

General

Allow Personal VPN

Allow users to create, modify, and use personal VPN configurations.

Disable Connect/Disconnect

Disable the Connect/Disconnect button when using Auto Connect with VPN.

Show VPN before Logon

Allow users to select a VPN connection before logging into the system.

Use Windows Credentials

If allowing users to select a VPN connection before logging into the system, enable this option to allow them to use their current Windows username and password.

Minimize FortiClient Console on Connect

Minimize FortiClient after successfully establishing a VPN connection.

Show Connection Progress

Display information on FortiClient dashboard while establishing connections.

Suppress VPN Notifications

Block FortiClient from displaying any VPN connection or error notifications.

Use Vendor ID

Use vendor ID. Enter the vendor ID in the Vendor ID field.

Enable Secure Remote Access

FortiClient denies or allows the endpoint to connect to a VPN tunnel based on the tunnel's Host Tag configuration. See the Host Tag field description in SSL VPN and IPsec VPN.

Current Connection

Select the current VPN tunnel.

Auto Connect

Select a VPN tunnel for endpoints to automatically connect to when the end user logs into the endpoint. The end user must have established the VPN connection manually at least once from the FortiClient GUI.

Auto Connect Only When Off-Fabric

Auto connect to the selected VPN tunnel only when EMS considers the endpoint off-fabric. See On-fabric Detection Rules.

FortiClient (iOS) and (Android) do not support this feature.

Always Up Max Tries

Maximum number of attempts to retry a VPN connection lost due to network issues. If set to 0, it retries indefinitely.

Network Lockdown

Configure network lockdown for off-fabric endpoints when they are not connected to VPN.

When network lockdown is configured and an endpoint goes off-fabric, the grace period that the EMS administrator configured comes into effect. During the grace period, the endpoint can continue to access the LAN and the internet without restrictions.

If the endpoint does not connect to SSL VPN by the end of the grace period, the endpoint cannot access LAN and the internet. It can still access IP addresses and applications that the EMS administrator has configured as exceptions. FortiClient blocks both incoming and outgoing connection traffic unless the EMS administrator has configured it as an exception.

After the end of the grace period, the endpoint can connect to VPN to regain internet access. For a full tunnel VPN, LAN is only accessible if exclusive routing is disabled. The administrator configures a limited number of attempts for the end user to enter valid VPN credentials. Once the user reaches the limit, the endpoint is in network lockdown.

This feature only supports FortiClient (Windows) and (macOS).

Grace Period

Configure a grace period in seconds during which an off-fabric endpoint that is not connected to VPN can continue to access LAN and the internet without restrictions.

Maximum Connection Attempts

Configure the maximum number of attempts for the end user of an off-fabric endpoint to enter valid VPN credentials.

Paths to Excluded Applications

Enter the path to applications that an off-fabric endpoint that is not connected to VPN can still access.

Excluded IPs

Enter IP addresses that an off-fabric endpoint that is not connected to VPN can still access.

Excluded Domains

Enter domains or fully qualified domain names (FQDNs) that an off-fabric endpoint that is not connected to VPN can still access.

Ensure that the FQDN is entered correctly. A protocol prefix (such as https://) is not part of the FQDN and makes the entry incorrect, as does an extra / appended to the name (such as fortinet.com/).

An entry such as example.com matches both .example.com and example.com, and an entry such as www.example.com matches both .www.example.com and www.example.com.

The Lockdown feature allows or blocks traffic based on the IP address extracted from the DNS response, so the decision does not depend on the top-level domain (TLD) or the full URL. For instance, if www.fortinet.com has been added and, in a lockdown state, the user attempts to access the site but is redirected to www.fortinet.com/subscription, access is still allowed and the client can reach the redirected page as well.

Excluded SaaS Applications

Select SaaS applications that an off-Fabric endpoint that is not connected to VPN can still access.
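The grace period, connection-attempt limit and exception matching described in the Network Lockdown, Excluded IPs, Excluded Domains and Paths to Excluded Applications rows above, as an added Python model written for this page. It is not FortiClient or EMS code and calls no Fortinet API; the class and function names are this example's own, and the DNS table, IP addresses, domain list and application path in build_sample_policy are constructed sample values. It shows how an FQDN entry should be validated before it is saved (scheme or trailing slash rejected), how the example.com / .example.com match rule behaves, and why a redirect to another path on an excluded host stays reachable when the decision is made on the IP from the DNS answer.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_fqdn_entry(entry):
    """Accept only a bare FQDN, as the guide requires for Excluded Domains.

    Returns (True, normalised_name) or (False, reason). A scheme such as
    https:// and any '/' (for example fortinet.com/) are rejected because
    they are not part of the FQDN.
    """
    e = entry.strip()
    if not e:
        return False, "empty entry"
    if "://" in e:
        return False, "scheme such as https:// is not part of the FQDN"
    if "/" in e:
        return False, "path or trailing '/' is not part of the FQDN"
    labels = e.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False, "not a syntactically valid FQDN"
    return True, ".".join(labels)


def domain_matches(entry, hostname):
    """example.com matches example.com and any name under it (the '.example.com'
    form in the guide); www.example.com matches itself and names under it only."""
    entry = entry.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    return hostname == entry or hostname.endswith("." + entry)


class LockdownPolicy:
    """Hypothetical model of the lockdown decision for an off-fabric endpoint.

    Domain exceptions are enforced on the IP extracted from the DNS answer, as
    the guide describes: once an excluded domain resolves, its IP is allowed,
    so a redirect to another path on the same host stays reachable.
    """

    def __init__(self, grace_seconds, max_attempts, excluded_ips,
                 excluded_domains, excluded_app_paths, dns_table):
        self.grace_seconds = grace_seconds
        self.max_attempts = max_attempts
        self.failed_attempts = 0
        self.excluded_ips = {ipaddress.ip_address(ip) for ip in excluded_ips}
        self.learned_ips = set()  # IPs seen in DNS answers for excluded domains
        self.excluded_domains = []
        for entry in excluded_domains:
            ok, value = validate_fqdn_entry(entry)
            if not ok:
                raise ValueError("bad Excluded Domains entry %r: %s" % (entry, value))
            self.excluded_domains.append(value)
        self.excluded_app_paths = {p.lower() for p in excluded_app_paths}
        self.dns_table = dns_table  # hostname -> IP string, constructed stand-in for DNS

    def in_grace_period(self, off_fabric_since, now):
        """Unrestricted LAN and internet access until the grace period ends."""
        return (now - off_fabric_since) < self.grace_seconds

    def record_failed_vpn_attempt(self):
        """True while the user may still try to enter VPN credentials."""
        self.failed_attempts += 1
        return self.failed_attempts < self.max_attempts

    def resolve(self, hostname):
        """Stand-in for the DNS lookup; records the IP of an excluded domain."""
        ip_str = self.dns_table.get(hostname.lower())
        if ip_str is None:
            return None
        ip = ipaddress.ip_address(ip_str)
        if any(domain_matches(d, hostname) for d in self.excluded_domains):
            self.learned_ips.add(ip)
        return ip

    def allows(self, url, vpn_connected, off_fabric_since, now, app_path=None):
        """True if traffic for url from this endpoint is permitted."""
        if vpn_connected or self.in_grace_period(off_fabric_since, now):
            return True
        if app_path and app_path.lower() in self.excluded_app_paths:
            return True
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if host is None:
            return False
        try:
            dest_ip = ipaddress.ip_address(host)  # literal IP, no DNS involved
        except ValueError:
            dest_ip = self.resolve(host)
            if dest_ip is None:
                return False  # no DNS answer, so no IP to allow
        # Both directions are blocked unless the IP is an exception.
        return dest_ip in self.excluded_ips or dest_ip in self.learned_ips


def build_sample_policy():
    """Constructed sample configuration; none of these values come from a real deployment."""
    return LockdownPolicy(
        grace_seconds=300, max_attempts=3,
        excluded_ips=["192.0.2.25"],
        excluded_domains=["www.fortinet.com", "example.com"],
        excluded_app_paths=[r"C:\Tools\backup-agent.exe"],
        dns_table={"www.fortinet.com": "203.0.113.10",
                   "cdn.example.com": "198.51.100.6",
                   "updates.example.net": "198.51.100.99"},
    )
```

Validating entries at load time, as the constructor does, is the point of the guide's warning about https:// and trailing slashes: an entry that is syntactically wrong never matches a hostname, so the destination the administrator meant to exempt is silently blocked in lockdown. The learned_ips set is what makes the www.fortinet.com/subscription redirect case work: the second request is to the same host, resolves to the same IP, and is allowed without any URL comparison.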
