Enforcing network security using a FortiClient Profile
In this recipe, you will learn how to enforce a FortiClient Profile on an internal network so that only internal devices registered with FortiClient can access the Internet and the corporate network. You will edit the default FortiClient Profile to enforce real-time antivirus protection and malicious website blocking.
This recipe requires you to enable FortiHeartBeat on a FortiGate interface. When you enable FortiHeartBeat on an interface, the option to enforce FortiClient registration becomes available. Devices connecting to that interface must then install FortiClient and register with the FortiGate before they get access to network services.
FortiGates come with a free FortiClient license allowing a limited number of devices to register to the FortiGate and download FortiClient. Your FortiGate gets the latest version of FortiClient for Mac and for Windows from FortiGuard. When devices register with the FortiGate they download and install one of these copies of FortiClient. You can see the status of your FortiClient licensing and purchase additional FortiClient licenses from the License Information Dashboard Widget.
This recipe was tested using FortiClient version 5.4 and FortiOS (FOS) version 5.4.
There was a change in the FortiClient security profile from FOS 5.4 to FOS 5.4.1. The VPN, Advanced and Mobile tabs do not appear in FOS versions 5.4.1 and above. Features emphasizing compliance of the endpoint devices have been added. These enhancements facilitate integration with the Cooperative Security Fabric (called “Security Fabric” in FOS 5.6). Read more in the What’s New for Security Profiles 5.4.1.
1. Enabling endpoint control on the FortiGate
On the FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled.
2. Enforcing FortiClient registration on the internal interface
Go to Network > Interfaces and select the internal interface.
Under Restrict Access, enable FortiHeartBeat.
Under Admission Control, enable Enforce FortiHeartBeat for all FortiClients. You can also add Exempt Sources and/or Exempt Destinations/Services. An exempt source device does not require FortiClient registration to access network services or the Internet, so keep exemption lists short and specific: every exempt source bypasses the enforcement entirely.
3. Configuring the FortiClient Profile
Configuring a FortiClient Profile allows you to control the security features enabled on the registered endpoint. The profile is automatically downloaded to FortiClient when it registers to the FortiGate. You can create further FortiClient Profiles to define exceptions to the default profile; the configuration of an exception profile includes the devices, users, or addresses to which the exception applies.
Go to Security Profiles > FortiClient Profiles and edit the default profile so that it provides real-time antivirus protection (scanning files as they are downloaded or copied to the device), blocks malicious websites, and blocks attack channels.
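For administrators who script their FortiGates, the same three steps can be applied from the CLI. The fragment below is an added example, not part of the original recipe or of Fortinet's documentation; it is written from memory of the FOS 5.4 CLI, assumes the interface is named "internal", and the keyword names should be confirmed on your own unit with `?` (for example `set ?` inside a block) before use, since they changed between 5.4 and later releases. The lines beginning with # are annotations tying each command to the GUI setting above. The GUI Exempt Sources/Exempt Destinations fields are deliberately not reproduced here.

```text
# Step 1: System > Feature Select > Endpoint Control
config system settings
    set gui-endpoint-control enable
end

# Step 2: Network > Interfaces > internal
config system interface
    edit "internal"
        # Restrict Access > FortiHeartBeat
        set fortiheartbeat enable
        # Admission Control > Enforce FortiHeartBeat for all FortiClients
        set endpoint-compliance enable
    next
end

# Step 3: Security Profiles > FortiClient Profiles > default
config endpoint-control profile
    edit "default"
        config forticlient-winmac-settings
            # Realtime Protection (scan files as they are downloaded or copied)
            set av-realtime-protection enable
            # Block Malicious Websites (assumption: FortiClient web filter with the default profile)
            set forticlient-wf enable
            set forticlient-wf-profile "default"
            # Block Attack Channels: keyword not reproduced here; list it with "set ?" in this block
        end
    next
end

# Verification: list endpoints the FortiGate currently knows about
diagnose endpoint record list
```

Apply the interface change last in a maintenance window: as soon as endpoint-compliance is enabled on "internal", every unregistered, non-exempt device behind that interface loses access to network services until it installs and registers FortiClient.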
4. Results
In this image, an internal device has FortiClient installed but not registered with a FortiGate. This is indicated by the Attention banner and by the Register Endpoint option still being available.
When a user on this device attempts to browse the Internet, an Endpoint Security Required page appears instructing the user to install and register endpoint security in the form of FortiClient.
A download link is provided at the bottom of the page. When the user clicks on this link, the FortiGate responds with a download of the latest FortiClient software.
Similarly, since the device requires a registered FortiClient to access network services, internal servers (such as Exchange mail servers) will also be blocked unless otherwise exempted (see step 2, Enforcing FortiClient registration on the internal interface).
By comparison, a registered device appears below. The device shows as registered, with a lock icon next to the device name in the upper right corner.
FortiClient automatically attempts to register to the FortiGate it connects through, provided that FortiHeartBeat has been enabled on that interface and registration is enforced.
A user on this device can verify their registration status by clicking on the device name.
FortiClient displays the device’s On-Net/Off-Net status, Hostname, Domain, registered FortiGate’s serial number (SN), and IP address.
Upon registration, the FortiGate updates the FortiClient configuration to match the FortiClient Profile and downloads the latest FortiGuard antivirus database to the device.
You can verify that the registered configuration update matches the FortiClient Profile.
Depending on the FortiClient Profile, the user may also have the option to Unregister the device. In FOS 5.4 this can be disabled on the FortiGate in Security Profiles > FortiClient Profiles, under the Advanced tab; as noted above, the Advanced tab no longer appears in FOS 5.4.1 and later, so check the profile's current options there.
The registered device can now access corporate network services and browse the Internet.
To verify the status of the endpoints on the FortiGate, go to User & Device > Device List. Note that this list also includes unregistered endpoints and any other connected device.
By default, this list shows On-Net/Off-Net Status, endpoint Device (Hostname and device name), endpoint IP Address, and the device's operating system (OS).
To view only the status of FortiClient connections, go to Monitor > FortiClient Monitor. Unlike the Device List, this view is limited to FortiClient endpoints.
For further reading, check out the FortiClient Administration Guide.