In this example, you will use endpoint control on an ISFW FortiGate that is part of a Cooperative Security Fabric (CSF). To do this, you will create a FortiClient Profile that only allows traffic from compliant devices to flow through the FortiGate. The FortiClient Profile will also enforce the use of AntiVirus, Web Filtering, and Application Control, and make sure that a current version of FortiClient is used.
In the example, the ISFW FortiGate has the host name Marketing. The FortiClient Profile is applied on the Marketing FortiGate, rather than External, because the internal network connects directly to this FortiGate.
This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.
This recipe requires both FortiOS 5.4.1 (or higher) and FortiClient 5.4.1 (or higher). If you need to upgrade, make sure to upgrade registered FortiClient endpoints to FortiClient 5.4.1 before you upgrade FortiGate.
On the Marketing FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled.
Go to Network > Interfaces and edit the interface used for the internal network.
Under Administrative Access, enable FortiTelemetry.
UnderAdmission Control, enable Enforce FortiTelemetry for all FortiClients. You can also Exempt Sources and/or Exempt Destinations/Services. If you were to exempt a source device, that device would not require FortiClient registration to access network services or the Internet.
Configuring a FortiClient Profile allows you to control the security features enabled on the registered endpoint. The profile is automatically downloaded by FortiClient when it connects to the FortiGate. You can add additional FortiClient Profiles to define exceptions to the default profile. The configuration of the exception profiles includes devices, users, or addresses to which the exception applies.
Go to Security Profiles > FortiClient Profiles and edit the default profile.
Set Non-compliance action to Auto-update, to make sure any non-compliant endpoints will have their configurations updated to become compliant.
Enable AntiVirus, then enable both Realtime Protection and Up-do-date signatures.
Enable both Web Filter and Application Firewall and select the default filters.
Enable System compliance, then enable Minimum FortiClient version. Set both Windows endpoints and Mac endpoints to FortiClient 5.4.1 (or higher).
Use a PC on the internal network that does not have FortiClient installed and attempt to connect to the Internet. A message appears stating that endpoint compliance has failed. The message also contains instructions about how to become compliant.
Install FortiClient on the PC, then go to the Compliance screen. Set up a FortiTelemetry connection to the Marketing FortiGate.
After the connection is made, the device may still appear as Non-compliant because it has to receive and apply updates from the Marketing FortiGate.
Once FortiClient shows that your device is Compliant, you are able to connect to the Internet.
On the Marketing FortiGate, go to Monitor > FortiClient Monitor. The PC is listed as a Compliant device.
On the External FortiGate, go to FortiView > Physical Topology. The PC appears connected to the Marketing FortiGate.
Go to FortiView > Logical Topology. The PC appears connected to the Marketing FortiGate.
Go to Monitor > FortiClient Monitor. Because endpoint control is applied to the Marketing FortiGate, the PC is listed as an Exempt device.