endpoint-control profile
Use this command to configure an Endpoint NAC profile.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
`config {forticlient-winmac-settings \| forticlient-android-settings \| forticlient-ios-settings}` ... `set forticlient-ems-compliance {enable \| disable}` ... `set forticlient-ems-compliance-action {block \| warning}` ... `set forticlient-ems-entries [addr1] [addr2] [addr3]` ... `next` ... | New options to enforce FortiClient Enterprise Management Server (EMS) compliance. |
`config forticlient-running-app` ... `edit <id>` ... `set application-check-rule {present \| absent}` ... `next` ... | Specify whether a process and/or application must be present or absent for host checking. In addition, FortiGate now only has to match the process name; matching the SHA256 signature is no longer mandatory, since the process may be updated dynamically and the signature may then no longer match. |
`config forticlient-winmac-settings` ... `config forticlient-operating-system` ... `edit <id>` ... `set os-type {mac-os \| win-xx \| ubuntu-linux \| centos-linux \| redhat-linux \| fedora-linux}` ... `next` ... `set forticlient-linux-ver <forticlient-version>` ... `end` | Added FortiClient for Linux (Ubuntu, CentOS, Red Hat, and Fedora) support. |
```
config endpoint-control profile
    edit {profile-name}
    # Configure FortiClient endpoint control profiles.
        set profile-name {string}   Profile name. size[35]
        config forticlient-winmac-settings
            set forticlient-registration-compliance-action {block | warning}   FortiClient registration compliance action.
                    block    Block access for devices that are operating without a registered version of FortiClient.
                    warning  Display a warning for devices that are operating without a registered version of FortiClient.
            set forticlient-ems-compliance {enable | disable}   Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
            set forticlient-ems-compliance-action {block | warning}   FortiClient EMS compliance action.
                    block    Block clients if FortiClient does not have any of the specified EMS servers as online.
                    warning  Create a warning if FortiClient does not have any of the specified EMS servers as online.
            config forticlient-ems-entries
                edit {name}
                # FortiClient EMS entries.
                    set name {string}   FortiClient EMS name. size[64] - datasource(s): endpoint-control.forticlient-ems.name
                next
            set forticlient-security-posture {enable | disable}   Enable/disable FortiClient security posture check options.
            set forticlient-security-posture-compliance-action {block | warning}   FortiClient security posture compliance action.
                    block    Block devices that fail FortiClient security posture checking.
                    warning  Warn devices that fail FortiClient security posture checking.
            set forticlient-av {enable | disable}   Enable/disable FortiClient AntiVirus scanning.
            set av-realtime-protection {enable | disable}   Enable/disable FortiClient AntiVirus real-time protection.
            set av-signature-up-to-date {enable | disable}   Enable/disable FortiClient AV signature updates.
            set sandbox-analysis {enable | disable}   Enable/disable sending files to FortiSandbox for analysis.
            set sandbox-address {string}   FortiSandbox address. size[255]
            set os-av-software-installed {enable | disable}   Enable/disable checking for OS recognized AntiVirus software.
            set forticlient-application-firewall {enable | disable}   Enable/disable the FortiClient application firewall.
            set forticlient-application-firewall-list {string}   FortiClient application firewall rule list. size[35] - datasource(s): application.list.name
            set forticlient-wf {enable | disable}   Enable/disable FortiClient web filtering.
            set forticlient-wf-profile {string}   The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
            set forticlient-system-compliance {enable | disable}   Enable/disable enforcement of FortiClient system compliance.
            set forticlient-system-compliance-action {block | warning}   Block or warn clients not compliant with FortiClient requirements.
                    block    Block clients not in compliance with FortiClient requirements.
                    warning  Warn clients not in compliance with FortiClient requirements.
            set forticlient-minimum-software-version {enable | disable}   Enable/disable requiring clients to run FortiClient with a minimum software version number.
            set forticlient-win-ver {string}   Minimum FortiClient Windows version. size[63]
            set forticlient-mac-ver {string}   Minimum FortiClient Mac OS version. size[63]
            set forticlient-linux-ver {string}   Minimum FortiClient Linux version. size[63]
            config forticlient-operating-system
                edit {id}
                # FortiClient operating system.
                    set id {integer}   Operating system entry ID. range[0-4294967295]
                    set os-type {option}   Operating system type.
                            custom             Customize OS.
                            mac-os             Mac OS.
                            win-7              Windows 7.
                            win-80             Windows 8.0.
                            win-81             Windows 8.1.
                            win-10             Windows 10.
                            win-2000           Windows 2000.
                            win-home-svr       Windows Home Server.
                            win-svr-10         Windows Server 10.
                            win-svr-2003       Windows Server 2003.
                            win-svr-2003-r2    Windows Server 2003 R2.
                            win-svr-2008       Windows Server 2008.
                            win-svr-2008-r2    Windows Server 2008 R2.
                            win-svr-2012       Windows Server 2012.
                            win-svr-2012-r2    Windows Server 2012 R2.
                            win-sto-svr-2003   Windows Storage Server 2003.
                            win-vista          Windows Vista.
                            win-xp             Windows XP.
                            ubuntu-linux       Ubuntu Linux.
                            centos-linux       CentOS Linux.
                            redhat-linux       Redhat Linux.
                            fedora-linux       Fedora Linux.
                    set os-name {string}   Customize operating system name or Mac OS format:x.x.x size[127]
                next
            config forticlient-running-app
                edit {id}
                # Use FortiClient to verify if the listed applications are running on the client.
                    set id {integer}   Application ID. range[0-4294967295]
                    set app-name {string}   Application name. size[127]
                    set application-check-rule {present | absent}   Application check rule.
                            present   Compliant if application is present.
                            absent    Compliant if application is absent.
                    set process-name {string}   Process name. size[127]
                    set app-sha256-signature {string}   App's SHA256 signature. size[64]
                    set process-name2 {string}   Process name. size[127]
                    set app-sha256-signature2 {string}   App's SHA256 Signature. size[64]
                    set process-name3 {string}   Process name. size[127]
                    set app-sha256-signature3 {string}   App's SHA256 Signature. size[64]
                    set process-name4 {string}   Process name. size[127]
                    set app-sha256-signature4 {string}   App's SHA256 Signature. size[64]
                next
            config forticlient-registry-entry
                edit {id}
                # FortiClient registry entry.
                    set id {integer}   Registry entry ID. range[0-4294967295]
                    set registry-entry {string}   Registry entry. size[127]
                next
            config forticlient-own-file
                edit {id}
                # Checking the path and filename of the FortiClient application.
                    set id {integer}   File ID. range[0-4294967295]
                    set file {string}   File path and name. size[127]
                next
            set forticlient-log-upload {enable | disable}   Enable/disable uploading FortiClient logs.
            set forticlient-log-upload-level {traffic | vulnerability | event}   Select the FortiClient logs to upload.
                    traffic        Upload traffic logs.
                    vulnerability  Upload vulnerability logs.
                    event          Upload event logs.
            set forticlient-log-upload-server {string}   IP address or FQDN of the server to which to upload FortiClient logs. size[255]
            set forticlient-vuln-scan {enable | disable}   Enable/disable FortiClient vulnerability scanning.
            set forticlient-vuln-scan-compliance-action {block | warning}   FortiClient vulnerability compliance action.
                    block    Block clients if FortiClient vulnerability scanning finds a vulnerability.
                    warning  Create a warning if FortiClient vulnerability scanning finds a vulnerability.
            set forticlient-vuln-scan-enforce {option}   Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action.
                    critical  Finding a critical-level vulnerability causes a FortiClient compliance action.
                    high      Finding a high-level vulnerability causes a FortiClient compliance action.
                    medium    Finding a medium-level vulnerability causes a FortiClient compliance action.
                    low       Finding a low-level vulnerability causes a FortiClient compliance action.
                    info      Finding an info-level vulnerability causes a FortiClient compliance action.
            set forticlient-vuln-scan-enforce-grace {integer}   FortiClient vulnerability scan enforcement grace period (0 - 30 days, default = 1). range[0-30]
            set forticlient-vuln-scan-exempt {enable | disable}   Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
        config forticlient-android-settings
            set forticlient-wf {enable | disable}   Enable/disable FortiClient web filtering.
            set forticlient-wf-profile {string}   The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
            set disable-wf-when-protected {enable | disable}   Enable/disable FortiClient web category filtering when protected by FortiGate.
            set forticlient-vpn-provisioning {enable | disable}   Enable/disable FortiClient VPN provisioning.
            set forticlient-advanced-vpn {enable | disable}   Enable/disable advanced FortiClient VPN configuration.
            set forticlient-advanced-vpn-buffer {string}   Advanced FortiClient VPN configuration. size[32768]
            config forticlient-vpn-settings
                edit {name}
                # FortiClient VPN settings.
                    set name {string}   VPN name. size[35]
                    set type {ipsec | ssl}   VPN type (IPsec or SSL VPN).
                            ipsec  IPsec VPN.
                            ssl    SSL VPN.
                    set remote-gw {string}   IP address or FQDN of the remote VPN gateway. size[255]
                    set sslvpn-access-port {integer}   SSL VPN access port (1 - 65535). range[1-65535]
                    set sslvpn-require-certificate {enable | disable}   Enable/disable requiring SSL VPN client certificate.
                    set auth-method {psk | certificate}   Authentication method.
                            psk          Pre-shared key.
                            certificate  Certificate.
                    set preshared-key {password_string}   Pre-shared secret for PSK authentication. size[128]
                next
        config forticlient-ios-settings
            set forticlient-wf {enable | disable}   Enable/disable FortiClient web filtering.
            set forticlient-wf-profile {string}   The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
            set disable-wf-when-protected {enable | disable}   Enable/disable FortiClient web category filtering when protected by FortiGate.
            set client-vpn-provisioning {enable | disable}   FortiClient VPN provisioning.
            config client-vpn-settings
                edit {name}
                # FortiClient VPN settings.
                    set name {string}   VPN name. size[35]
                    set type {ipsec | ssl}   VPN type (IPsec or SSL VPN).
                            ipsec  IPsec VPN.
                            ssl    SSL VPN.
                    set vpn-configuration-name {string}   Name of VPN configuration. size[35]
                    set vpn-configuration-content {string}   Content of VPN configuration. size[32768]
                    set remote-gw {string}   IP address or FQDN of the remote VPN gateway. size[255]
                    set sslvpn-access-port {integer}   SSL VPN access port (1 - 65535). range[1-65535]
                    set sslvpn-require-certificate {enable | disable}   Enable/disable requiring SSL VPN client certificate.
                    set auth-method {psk | certificate}   Authentication method.
                            psk          Pre-shared key.
                            certificate  Certificate.
                    set preshared-key {password_string}   Pre-shared secret for PSK authentication. size[128]
                next
            set distribute-configuration-profile {enable | disable}   Enable/disable configuration profile (.mobileconfig file) distribution.
            set configuration-name {string}   Name of configuration profile. size[35]
            set configuration-content {string}   Content of configuration profile. size[32768]
        set description {string}   Description. size[255]
        config src-addr
            edit {name}
            # Source addresses.
                set name {string}   Address object from available options. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config device-groups
            edit {name}
            # Device groups.
                set name {string}   Device group object from available options. size[64] - datasource(s): user.device-group.name,user.device-category.name
            next
        config users
            edit {name}
            # Users.
                set name {string}   User name. size[64] - datasource(s): user.local.name
            next
        config user-groups
            edit {name}
            # User groups.
                set name {string}   User group name. size[64] - datasource(s): user.group.name
            next
        config on-net-addr
            edit {name}
            # Addresses for on-net detection.
                set name {string}   Address object from available options. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set replacemsg-override-group {string}   Select an endpoint control replacement message override group from available options. size[35] - datasource(s): system.replacemsg-group.name
    next
end
```
Additional information
The following section is for those options that require additional explanation.
device-groups <groups>
Device groups to assign to this endpoint profile, as configured under config user device-group.
on-net-addr <addr>
Addresses for on-net detection.
replacemsg-override-group <group>
Endpoint control replacement message override group, as configured under config system replacemsg-group. Note that the group must have group-type set to ec.
src-addr <addr>
Source addresses to assign to this endpoint profile.
user-groups <groups>
User groups to assign to this endpoint profile. Note that this is not configurable for the default profile.
users <users>
Users to assign to this endpoint profile. Note that this is not configurable for the default profile.
config forticlient-winmac-settings
Use this configuration method to set FortiClient settings pertaining to Windows and Mac platforms.
av-realtime-protection {enable | disable}
Note: This entry is only available when forticlient-av is set to enable. Also, os-av-software-installed must be set to disable.
Enable or disable (by default) FortiClient antivirus realtime protection.
av-signature-up-to-date {enable | disable}
Note: This entry is only available when av-realtime-protection is set to enable.
Enable or disable (by default) FortiClient AntiVirus signature updates.
forticlient-application-firewall {enable | disable}
Note: This entry is only available when forticlient-security-posture is set to enable.
Enable or disable (by default) FortiClient application firewall.
forticlient-application-firewall-list
Note: This entry is only available when forticlient-application-firewall is set to enable.
FortiClient application firewall rule list, as configured under config application list.
forticlient-av {enable | disable}
Note: This entry is only available when forticlient-security-posture is set to enable.
Enable or disable (by default) FortiClient antivirus scanning.
forticlient-log-upload {enable | disable}
Note: This entry is only available when forticlient-system-compliance is set to enable.
Enable (by default) or disable uploading logs to FortiAnalyzer unit via FortiGate unit.
forticlient-log-upload-level {traffic | vulnerability | event}
Note: This entry is only available when forticlient-system-compliance is set to enable and forticlient-log-upload is set to enable.
Determine which kinds of logs will be reported: traffic log, vulnerability log, and event log (all are enabled by default).
forticlient-log-upload-server <ip/fqdn>
Note: This entry is only available when forticlient-system-compliance is set to enable and forticlient-log-upload is set to enable.
IP address or FQDN of the FortiClient log upload server.
forticlient-mac-ver <version>
Note: This entry is only available when forticlient-minimum-software-version is set to enable.
Minimum FortiClient Mac OS version. The default is set to 5.4.1.
forticlient-minimum-software-version {enable | disable}
Note: This entry is only available when forticlient-system-compliance is set to enable.
Enable or disable (by default) enforcement of a minimum FortiClient software version to meet compliance.
forticlient-security-posture {enable | disable}
Enable or disable (by default) FortiClient security posture. Enabling this feature allows additional options to be configured, including realtime protection, third-party AV, web filtering, and application control firewall.
forticlient-security-posture-compliance-action {block | warning}
Note: This entry is only available when forticlient-security-posture is set to enable.
Either block or issue a warning (set by default) when the security posture does not meet FortiClient compliance.
forticlient-system-compliance {enable | disable}
Enable (by default) or disable enforcement of FortiClient system compliance.
forticlient-system-compliance-action {block | warning}
Note: This entry is only available when forticlient-system-compliance is set to enable.
Either block or issue a warning (set by default) when the system does not meet FortiClient compliance.
forticlient-vuln-scan {enable | disable}
Enable (by default) or disable endpoint vulnerability scanning.
forticlient-vuln-scan-compliance-action {block | warning}
Note: This entry is only available when forticlient-vuln-scan is set to enable.
Either block or issue a warning (set by default) when vulnerability scanning detects non-compliance.
forticlient-vuln-scan-enforce {critical | high | medium | low | info}
Note: This entry is only available when forticlient-vuln-scan is set to enable.
Set the minimum severity level of a detected vulnerability that triggers the vulnerability compliance action. The default is set to high.
forticlient-vuln-scan-enforce-grace <days>
Note: This entry is only available when forticlient-vuln-scan is set to enable.
FortiClient vulnerability scan enforcement grace period in days. Set the range between 0-30. The default is set to 1.
forticlient-vuln-scan-exempt {enable | disable}
Note: This entry is only available when forticlient-vuln-scan is set to enable.
Enable or disable (by default) compliance exemption for vulnerabilities that cannot be patched automatically.
forticlient-wf {enable | disable}
Note: This entry is only available when forticlient-security-posture is set to enable.
Enable or disable (by default) FortiClient web category filtering.
forticlient-wf-profile <name>
Note: This entry is only available when forticlient-wf is set to enable.
FortiClient web filter profile name, as configured under config webfilter profile.
forticlient-win-ver <version>
Note: This entry is only available when forticlient-minimum-software-version is set to enable.
Minimum FortiClient Windows version. The default is set to 5.4.1.
os-av-software-installed {enable | disable}
Note: This entry is only available when forticlient-av is set to enable. Also, av-realtime-protection must be set to disable.
Enable or disable (by default) recognition of installed AntiVirus software.
sandbox-address <address>
Note: This entry is only available when sandbox-analysis is set to enable.
IP address of the FortiSandbox.
sandbox-analysis {enable | disable}
Note: This entry is only available when av-realtime-protection is set to enable.
Enable or disable (by default) sending files to FortiSandbox for analysis.
config forticlient-operating-system
Configure FortiClient operating system options.
os-type <os>
Operating system for FortiClient. Enter set os-type ? to view all available options for Mac, Windows, and Linux.
config forticlient-running-app
Configure FortiClient running application options.
app-name <name>
Application name.
{app-sha256-signature | app-sha256-signature2 | app-sha256-signature3 | app-sha256-signature4} <signature>
The application's SHA256 signatures (up to a maximum of four). As of FortiOS 6.0 these are optional: only the process name must match, because a dynamically updated process may no longer match a stored signature.
{process-name | process-name2 | process-name3 | process-name4} <name>
The application's process names (up to a maximum of four).
config forticlient-registry-entry
Configure registry entries.
registry-entry <entry>
Registry entry (up to 127 characters).
config forticlient-own-file
Configure the path and filename of the FortiClient application to check.
file <path-name>
File path and name.
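The profile below is an added worked example; it is not from this page or from Fortinet. It ties together the options introduced in the FortiOS 6.0 history table (EMS compliance, application-check-rule present/absent, the Linux minimum version) with the availability notes in this section and the ec replacement-message group prerequisite. Every quoted object name (the replacement-message group, the EMS entry, the application list, the web filter profile, the user group, the address object), the version numbers, the process names and the log server address are assumptions for illustration and must already exist on the unit before the profile references them.

```text
# Prerequisite: replacemsg-override-group only accepts a group whose group-type is ec (assumed name).
config system replacemsg-group
    edit "ec-block-pages"
        set group-type ec
    next
end

config endpoint-control profile
    edit "corp-win-mac"
        config forticlient-winmac-settings
            # Registration and EMS: unregistered clients and clients that see none of our EMS servers are blocked.
            set forticlient-registration-compliance-action block
            set forticlient-ems-compliance enable
            set forticlient-ems-compliance-action block
            config forticlient-ems-entries
                edit "corp-ems"                         # assumed endpoint-control forticlient-ems entry
                next
            end
            # Security posture: FortiClient AV with real-time protection and current signatures.
            # av-realtime-protection excludes os-av-software-installed, so the latter stays at its default (disable).
            set forticlient-security-posture enable
            set forticlient-security-posture-compliance-action block
            set forticlient-av enable
            set av-realtime-protection enable
            set av-signature-up-to-date enable          # only available once av-realtime-protection is enable
            set forticlient-application-firewall enable
            set forticlient-application-firewall-list "corp-app-rules"   # assumed application list
            set forticlient-wf enable
            set forticlient-wf-profile "corp-webfilter"                  # assumed webfilter profile
            # System compliance: minimum client versions, including the 6.0 Linux option.
            set forticlient-system-compliance enable
            set forticlient-system-compliance-action block
            set forticlient-minimum-software-version enable
            set forticlient-win-ver 6.0.0                # assumed versions
            set forticlient-mac-ver 6.0.0
            set forticlient-linux-ver 6.0.0
            config forticlient-operating-system
                edit 1
                    set os-type win-10
                next
                edit 2
                    set os-type mac-os
                    set os-name 10.13.0                  # Mac OS format x.x.x
                next
                edit 3
                    set os-type ubuntu-linux
                next
            end
            # Running-application checks: the EDR agent must be present, an unapproved remote-control tool must be absent.
            # Process names are assumed; SHA256 signatures are omitted because 6.0 matches on process name only.
            config forticlient-running-app
                edit 1
                    set app-name "EDR agent"
                    set application-check-rule present
                    set process-name "edr-agent.exe"
                next
                edit 2
                    set app-name "Unapproved remote control"
                    set application-check-rule absent
                    set process-name "remotectl.exe"
                next
            end
            # Log upload (requires forticlient-system-compliance enable). RFC 5737 documentation address, assumed.
            set forticlient-log-upload enable
            set forticlient-log-upload-level traffic vulnerability event
            set forticlient-log-upload-server 192.0.2.10
            # Vulnerability scanning: block on high or critical findings after a 3-day grace period,
            # with no exemption for vulnerabilities that cannot be patched automatically.
            set forticlient-vuln-scan enable
            set forticlient-vuln-scan-compliance-action block
            set forticlient-vuln-scan-enforce high
            set forticlient-vuln-scan-enforce-grace 3
            set forticlient-vuln-scan-exempt disable
        end
        config user-groups
            edit "corp-employees"                        # assumed user group
            next
        end
        config on-net-addr
            edit "corp-lan"                              # assumed firewall address object
            next
        end
        set replacemsg-override-group "ec-block-pages"
    next
end
```

Enter the lines in the order shown: the dependent options (av-realtime-protection, av-signature-up-to-date, the minimum versions, the log upload settings, the vulnerability scan actions) are rejected by the CLI until their parent option is set to enable. Before switching a compliance action from warning to block, run the profile with warning for a grace period and review the endpoint control events so that a missing EMS entry or an over-strict minimum version does not lock out the whole user group at once.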
config forticlient-android-settings
Use this configuration method to set FortiClient settings pertaining to Android platforms.
disable-wf-when-protected {enable | disable}
Enable (by default) or disable FortiClient web category filtering when protected by FortiGate.
forticlient-advanced-vpn {enable | disable}
Note: This entry is only available when forticlient-vpn-provisioning is set to enable.
Enable or disable (by default) advanced FortiClient VPN configuration.
forticlient-advanced-vpn-buffer <content>
Note: This entry is only available when forticlient-advanced-vpn is set to enable.
Content of advanced FortiClient VPN configuration.
forticlient-vpn-provisioning {enable | disable}
Enable or disable (by default) FortiClient VPN provisioning.
forticlient-wf {enable | disable}
Enable or disable (by default) FortiClient web category filtering.
forticlient-wf-profile <name>
Note: This entry is only available when forticlient-wf is set to enable.
FortiClient web filter profile name, as configured under config webfilter profile.
config forticlient-vpn-settings
Note: This configuration method is only available when forticlient-vpn-provisioning is set to enable and forticlient-advanced-vpn is set to disable.
Configure FortiClient VPN provisioning options.
auth-method {psk | certificate}
Note: This entry is only available when type is set to ipsec.
Either pre-shared key (set by default) or certificate authentication.
preshared-key <key>
Note: This entry is only available when auth-method is set to psk.
Pre-shared key for PSK authentication.
remote-gw <ip/fqdn>
IP address or FQDN of the VPN gateway.
sslvpn-access-port <port>
Note: This entry is only available when type is set to ssl.
SSL VPN access port. Set the range between 1-65535. The default is set to 443.
sslvpn-require-certificate {enable | disable}
Note: This entry is only available when type is set to ssl.
Enable or disable (by default) requiring an SSL VPN client certificate.
type {ipsec | ssl}
Either IPsec (set by default) or SSL VPN.
config forticlient-ios-settings
Use this configuration method to set FortiClient settings pertaining to iOS platforms.
client-vpn-provisioning {enable | disable}
Enable or disable (by default) client VPN provisioning.
configuration-content <content>
Note: This entry is only available when distribute-configuration-profile is set to enable.
Content of the configuration profile.
configuration-name <name>
Note: This entry is only available when distribute-configuration-profile is set to enable.
Name of the configuration profile.
disable-wf-when-protected {enable | disable}
Enable (by default) or disable FortiClient web category filtering when protected by FortiGate.
distribute-configuration-profile {enable | disable}
Enable or disable (by default) configuration profile (.mobileconfig file) distribution.
forticlient-wf {enable | disable}
Enable or disable (by default) FortiClient web category filtering.
forticlient-wf-profile <name>
Note: This entry is only available when forticlient-wf is set to enable.
FortiClient web filter profile name, as configured under config webfilter profile.
config client-vpn-settings
Note: This configuration method is only available when client-vpn-provisioning is set to enable.
Configure client VPN provisioning options.
type {ipsec | ssl}
Either IPsec (set by default) or SSL VPN.
vpn-configuration-content <content>
Content of VPN configuration.
vpn-configuration-name <name>
Name of VPN configuration.
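The mobile half of a profile, as an added example that is not from this page or from Fortinet, covering the Android forticlient-vpn-settings and iOS client-vpn-settings sections above. It provisions an IPsec tunnel with certificate authentication instead of the default psk (a pre-shared key pushed to every provisioned handset is a shared secret that any one lost device exposes) and an SSL VPN that requires a client certificate. The profile name, the gateway FQDN, the web filter profile and the device group are assumptions; the iOS .mobileconfig distribution is left disabled because its content is site-specific.

```text
config endpoint-control profile
    edit "corp-mobile"
        config forticlient-android-settings
            set forticlient-wf enable
            set forticlient-wf-profile "corp-webfilter"     # assumed webfilter profile
            set disable-wf-when-protected enable            # on-net traffic is already filtered by the FortiGate
            set forticlient-vpn-provisioning enable
            set forticlient-advanced-vpn disable            # must stay disable for forticlient-vpn-settings to be available
            config forticlient-vpn-settings
                edit "corp-ipsec"
                    set type ipsec
                    set remote-gw "vpn.example.com"         # assumed gateway
                    set auth-method certificate             # default is psk; certificate avoids a fleet-wide shared secret
                next
                edit "corp-ssl"
                    set type ssl
                    set remote-gw "vpn.example.com"
                    set sslvpn-access-port 443
                    set sslvpn-require-certificate enable   # default is disable
                next
            end
        end
        config forticlient-ios-settings
            set forticlient-wf enable
            set forticlient-wf-profile "corp-webfilter"
            set disable-wf-when-protected enable
            set client-vpn-provisioning enable
            config client-vpn-settings
                edit "corp-ssl"
                    set type ssl
                    set remote-gw "vpn.example.com"
                    set sslvpn-access-port 443
                    set sslvpn-require-certificate enable
                next
            end
            set distribute-configuration-profile disable
        end
        config device-groups
            edit "corp-mobile-devices"                      # assumed user device-group
            next
        end
    next
end
```

With auth-method set to certificate the preshared-key option is not offered, so no secret is stored in the profile; with type ssl the sslvpn-access-port and sslvpn-require-certificate options appear and auth-method does not. If forticlient-advanced-vpn is later enabled to push a full FortiClient VPN configuration in forticlient-advanced-vpn-buffer, the forticlient-vpn-settings table above becomes unavailable and the tunnels must be described in that buffer instead.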