endpoint-control profile
Use this command to configure an Endpoint NAC profile.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
| Command | Description |
|---|---|
| `config {forticlient-winmac-settings \| forticlient-android-settings \| forticlient-ios-settings}`<br>`set forticlient-ems-compliance {enable \| disable}`<br>`set forticlient-ems-compliance-action {block \| warning}`<br>`set forticlient-ems-entries [addr1] [addr2] [addr3]`<br>`next ...` | New options to enforce FortiClient Enterprise Management Server (EMS) compliance. |
| `config forticlient-running-app`<br>`edit <id>`<br>`set application-check-rule {present \| absent}`<br>`next ...` | Specify whether a process and/or application must be present or absent for host checking. In addition, FortiGate now only has to match the process name; matching the SHA256 signature is no longer mandatory, since the process may be updated dynamically and the signature may then no longer match. |
| `config forticlient-winmac-settings`<br>`config forticlient-operating-system`<br>`edit <id>`<br>`set os-type {mac-os \| win-xx \| ubuntu-linux \| centos-linux \| redhat-linux \| fedora-linux}`<br>`next`<br>`set forticlient-linux-ver <forticlient-version>`<br>`end` | Added FortiClient for Linux (Ubuntu, CentOS, Red Hat, and Fedora) support. |
config endpoint-control profile
edit {profile-name}
# Configure FortiClient endpoint control profiles.
set profile-name {string} Profile name. size[35]
config forticlient-winmac-settings
set forticlient-registration-compliance-action {block | warning} FortiClient registration compliance action.
block Block access for devices that are operating without a registered version of FortiClient.
warning Display a warning for devices that are operating without a registered version of FortiClient.
set forticlient-ems-compliance {enable | disable} Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
set forticlient-ems-compliance-action {block | warning} FortiClient EMS compliance action.
block Block clients if FortiClient does not have any of the specified EMS servers as online.
warning Create a warning if FortiClient does not have any of the specified EMS servers as online.
config forticlient-ems-entries
edit {name}
# FortiClient EMS entries.
set name {string} FortiClient EMS name. size[64] - datasource(s): endpoint-control.forticlient-ems.name
next
set forticlient-security-posture {enable | disable} Enable/disable FortiClient security posture check options.
set forticlient-security-posture-compliance-action {block | warning} FortiClient security posture compliance action.
block Block devices that fail FortiClient security posture checking.
warning Warn devices that fail FortiClient security posture checking.
set forticlient-av {enable | disable} Enable/disable FortiClient AntiVirus scanning.
set av-realtime-protection {enable | disable} Enable/disable FortiClient AntiVirus real-time protection.
set av-signature-up-to-date {enable | disable} Enable/disable FortiClient AV signature updates.
set sandbox-analysis {enable | disable} Enable/disable sending files to FortiSandbox for analysis.
set sandbox-address {string} FortiSandbox address. size[255]
set os-av-software-installed {enable | disable} Enable/disable checking for OS recognized AntiVirus software.
set forticlient-application-firewall {enable | disable} Enable/disable the FortiClient application firewall.
set forticlient-application-firewall-list {string} FortiClient application firewall rule list. size[35] - datasource(s): application.list.name
set forticlient-wf {enable | disable} Enable/disable FortiClient web filtering.
set forticlient-wf-profile {string} The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
set forticlient-system-compliance {enable | disable} Enable/disable enforcement of FortiClient system compliance.
set forticlient-system-compliance-action {block | warning} Block or warn clients not compliant with FortiClient requirements.
block Block clients not in compliance with FortiClient requirements.
warning Warn clients not in compliance with FortiClient requirements.
set forticlient-minimum-software-version {enable | disable} Enable/disable requiring clients to run FortiClient with a minimum software version number.
set forticlient-win-ver {string} Minimum FortiClient Windows version. size[63]
set forticlient-mac-ver {string} Minimum FortiClient Mac OS version. size[63]
set forticlient-linux-ver {string} Minimum FortiClient Linux version. size[63]
config forticlient-operating-system
edit {id}
# FortiClient operating system.
set id {integer} Operating system entry ID. range[0-4294967295]
set os-type {option} Operating system type.
custom Customize OS.
mac-os Mac OS.
win-7 Windows 7.
win-80 Windows 8.0.
win-81 Windows 8.1.
win-10 Windows 10.
win-2000 Windows 2000.
win-home-svr Windows Home Server.
win-svr-10 Windows Server 10.
win-svr-2003 Windows Server 2003.
win-svr-2003-r2 Windows Server 2003 R2.
win-svr-2008 Windows Server 2008.
win-svr-2008-r2 Windows Server 2008 R2.
win-svr-2012 Windows Server 2012.
win-svr-2012-r2 Windows Server 2012 R2.
win-sto-svr-2003 Windows Storage Server 2003.
win-vista Windows Vista.
win-xp Windows XP.
ubuntu-linux Ubuntu Linux.
centos-linux CentOS Linux.
redhat-linux Redhat Linux.
fedora-linux Fedora Linux.
set os-name {string} Custom operating system name, or Mac OS version in the format x.x.x. size[127]
next
config forticlient-running-app
edit {id}
# Use FortiClient to verify if the listed applications are running on the client.
set id {integer} Application ID. range[0-4294967295]
set app-name {string} Application name. size[127]
set application-check-rule {present | absent} Application check rule.
present Compliant if application is present.
absent Compliant if application is absent.
set process-name {string} Process name. size[127]
set app-sha256-signature {string} App's SHA256 signature. size[64]
set process-name2 {string} Process name. size[127]
set app-sha256-signature2 {string} App's SHA256 Signature. size[64]
set process-name3 {string} Process name. size[127]
set app-sha256-signature3 {string} App's SHA256 Signature. size[64]
set process-name4 {string} Process name. size[127]
set app-sha256-signature4 {string} App's SHA256 Signature. size[64]
next
config forticlient-registry-entry
edit {id}
# FortiClient registry entry.
set id {integer} Registry entry ID. range[0-4294967295]
set registry-entry {string} Registry entry. size[127]
next
config forticlient-own-file
edit {id}
# Checking the path and filename of the FortiClient application.
set id {integer} File ID. range[0-4294967295]
set file {string} File path and name. size[127]
next
set forticlient-log-upload {enable | disable} Enable/disable uploading FortiClient logs.
set forticlient-log-upload-level {traffic | vulnerability | event} Select the FortiClient logs to upload.
traffic Upload traffic logs.
vulnerability Upload vulnerability logs.
event Upload event logs.
set forticlient-log-upload-server {string} IP address or FQDN of the server to which to upload FortiClient logs. size[255]
set forticlient-vuln-scan {enable | disable} Enable/disable FortiClient vulnerability scanning.
set forticlient-vuln-scan-compliance-action {block | warning} FortiClient vulnerability compliance action.
block Block clients if FortiClient vulnerability scanning finds a vulnerability.
warning Create a warning if FortiClient vulnerability scanning finds a vulnerability.
set forticlient-vuln-scan-enforce {option} Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action.
critical Finding a critical-level vulnerability causes a FortiClient compliance action.
high Finding a high-level vulnerability causes a FortiClient compliance action.
medium Finding a medium-level vulnerability causes a FortiClient compliance action.
low Finding a low-level vulnerability causes a FortiClient compliance action.
info Finding an info-level vulnerability causes a FortiClient compliance action.
set forticlient-vuln-scan-enforce-grace {integer} FortiClient vulnerability scan enforcement grace period (0 - 30 days, default = 1). range[0-30]
set forticlient-vuln-scan-exempt {enable | disable} Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
config forticlient-android-settings
set forticlient-wf {enable | disable} Enable/disable FortiClient web filtering.
set forticlient-wf-profile {string} The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
set disable-wf-when-protected {enable | disable} Enable/disable FortiClient web category filtering when protected by FortiGate.
set forticlient-vpn-provisioning {enable | disable} Enable/disable FortiClient VPN provisioning.
set forticlient-advanced-vpn {enable | disable} Enable/disable advanced FortiClient VPN configuration.
set forticlient-advanced-vpn-buffer {string} Advanced FortiClient VPN configuration. size[32768]
config forticlient-vpn-settings
edit {name}
# FortiClient VPN settings.
set name {string} VPN name. size[35]
set type {ipsec | ssl} VPN type (IPsec or SSL VPN).
ipsec IPsec VPN.
ssl SSL VPN.
set remote-gw {string} IP address or FQDN of the remote VPN gateway. size[255]
set sslvpn-access-port {integer} SSL VPN access port (1 - 65535). range[1-65535]
set sslvpn-require-certificate {enable | disable} Enable/disable requiring SSL VPN client certificate.
set auth-method {psk | certificate} Authentication method.
psk Pre-shared key.
certificate Certificate.
set preshared-key {password_string} Pre-shared secret for PSK authentication. size[128]
next
config forticlient-ios-settings
set forticlient-wf {enable | disable} Enable/disable FortiClient web filtering.
set forticlient-wf-profile {string} The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
set disable-wf-when-protected {enable | disable} Enable/disable FortiClient web category filtering when protected by FortiGate.
set client-vpn-provisioning {enable | disable} FortiClient VPN provisioning.
config client-vpn-settings
edit {name}
# FortiClient VPN settings.
set name {string} VPN name. size[35]
set type {ipsec | ssl} VPN type (IPsec or SSL VPN).
ipsec IPsec VPN.
ssl SSL VPN.
set vpn-configuration-name {string} Name of VPN configuration. size[35]
set vpn-configuration-content {string} Content of VPN configuration. size[32768]
set remote-gw {string} IP address or FQDN of the remote VPN gateway. size[255]
set sslvpn-access-port {integer} SSL VPN access port (1 - 65535). range[1-65535]
set sslvpn-require-certificate {enable | disable} Enable/disable requiring SSL VPN client certificate.
set auth-method {psk | certificate} Authentication method.
psk Pre-shared key.
certificate Certificate.
set preshared-key {password_string} Pre-shared secret for PSK authentication. size[128]
next
set distribute-configuration-profile {enable | disable} Enable/disable configuration profile (.mobileconfig file) distribution.
set configuration-name {string} Name of configuration profile. size[35]
set configuration-content {string} Content of configuration profile. size[32768]
set description {string} Description. size[255]
config src-addr
edit {name}
# Source addresses.
set name {string} Address object from available options. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
next
config device-groups
edit {name}
# Device groups.
set name {string} Device group object from available options. size[64] - datasource(s): user.device-group.name,user.device-category.name
next
config users
edit {name}
# Users.
set name {string} User name. size[64] - datasource(s): user.local.name
next
config user-groups
edit {name}
# User groups.
set name {string} User group name. size[64] - datasource(s): user.group.name
next
config on-net-addr
edit {name}
# Addresses for on-net detection.
set name {string} Address object from available options. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
next
set replacemsg-override-group {string} Select an endpoint control replacement message override group from available options. size[35] - datasource(s): system.replacemsg-group.name
next
end
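A worked profile assembled from the options above, added here as an example (it is not a configuration taken from this page or from Fortinet). It targets managed Windows and Mac OS laptops: unregistered FortiClient is blocked, a minimum client version is enforced, real-time AV with current signatures is required but only warned on, vulnerability findings of high or critical severity block after a short grace period, and vulnerability and event logs are uploaded. The profile name, version numbers, log server, address object and user group are assumptions.

```text
config endpoint-control profile
    edit "corp-laptops"
        config forticlient-winmac-settings
            # Devices without a registered FortiClient get no access.
            set forticlient-registration-compliance-action block
            # System compliance: enforce a minimum client version (assumed 6.0.0).
            set forticlient-system-compliance enable
            set forticlient-system-compliance-action block
            set forticlient-minimum-software-version enable
            set forticlient-win-ver 6.0.0
            set forticlient-mac-ver 6.0.0
            # Security posture: real-time AV with up-to-date signatures, warn only.
            set forticlient-security-posture enable
            set forticlient-security-posture-compliance-action warning
            set forticlient-av enable
            set av-realtime-protection enable
            set av-signature-up-to-date enable
            # Vulnerability scan: block on high/critical findings after 3 days,
            # but do not block on findings FortiClient cannot patch itself.
            set forticlient-vuln-scan enable
            set forticlient-vuln-scan-compliance-action block
            set forticlient-vuln-scan-enforce high
            set forticlient-vuln-scan-enforce-grace 3
            set forticlient-vuln-scan-exempt enable
            # Upload vulnerability and event logs to the assumed collector.
            set forticlient-log-upload enable
            set forticlient-log-upload-level vulnerability event
            set forticlient-log-upload-server "logs.example.internal"
        end
        # Scope: the assumed corporate LAN address object and staff user group.
        config src-addr
            edit "corp-lan"
            next
        end
        config user-groups
            edit "staff"
            next
        end
        config on-net-addr
            edit "corp-lan"
            next
        end
    next
end
```

The split between warning and block is deliberate: the posture checks (AV state) tend to flap during signature updates, so they only warn, while a missing client, an old client version or an unpatched high-severity vulnerability past its grace period denies access. The "corp-lan" and "staff" objects must already exist under config firewall address and config user group, since they are datasource references.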
Additional information
The following section is for those options that require additional explanation.
device-groups <groups>
Device groups to assign to this endpoint profile, as configured under config user device-group.
on-net-addr <addr>
Addresses for on-net detection.
replacemsg-override-group <group>
Endpoint control replacement message override group, as configured under config system replacemsg-group. Note that the group must have group-type set to ec.
src-addr <addr>
Source addresses to assign to this endpoint profile.
user-groups <groups>
User groups to assign to this endpoint profile. Note that this is not configurable for the default profile.
users <users>
Users to assign to this endpoint profile. Note that this is not configurable for the default profile.
config forticlient-winmac-settings
Use this configuration method to set FortiClient settings pertaining to Windows and Mac platforms.
av-realtime-protection {enable | disable}
Note: This entry is only available when forticlient-av is set to enable and os-av-software-installed is set to disable. The two checks are mutually exclusive: this one requires FortiClient's own real-time protection, the other accepts a third-party AV product recognized by the operating system.
Enable or disable (by default) FortiClient antivirus realtime protection.
av-signature-up-to-date {enable | disable}
Note: This entry is only available when av-realtime-protection is set to enable.
Enable or disable (by default) FortiClient AntiVirus signature updates.
forticlient-application-firewall {enable | disable}
Note: This entry is only available when forticlient-security-posture is set to enable.
Enable or disable (by default) FortiClient application firewall.
forticlient-application-firewall-list
Note: This entry is only available when forticlient-application-firewall is set to enable.
FortiClient application firewall rule list, as configured under config application list.
forticlient-av {enable | disable}
Note: This entry is only available when forticlient-security-posture is set to enable.
Enable or disable (by default) FortiClient antivirus scanning.
forticlient-log-upload {enable | disable}
Note: This entry is only available when forticlient-system-compliance is set to enable.
Enable (by default) or disable uploading logs to FortiAnalyzer unit via FortiGate unit.
forticlient-log-upload-level {traffic | vulnerability | event}
Note: This entry is only available when forticlient-system-compliance is set to enable and forticlient-log-upload is set to enable.
Determine which kinds of logs will be reported: traffic logs, vulnerability logs, or event logs (all are enabled by default).
forticlient-log-upload-server <ip/fqdn>
Note: This entry is only available when forticlient-system-compliance is set to enable and forticlient-log-upload is set to enable.
IP address or FQDN of the FortiClient log upload server.
forticlient-mac-ver <version>
Note: This entry is only available when forticlient-minimum-software-version is set to enable.
Minimum FortiClient Mac OS version. The default is set to 5.4.1.
forticlient-minimum-software-version {enable | disable}
Note: This entry is only available when forticlient-system-compliance is set to enable.
Enable or disable (by default) enforcement of a minimum FortiClient software version to meet compliance.
forticlient-security-posture {enable | disable}
Enable or disable (by default) FortiClient security posture. Enabling this feature allows additional options to be configured, including realtime protection, third-party AV, web filtering, and application control firewall.
forticlient-security-posture-compliance-action {block | warning}
Note: This entry is only available when forticlient-security-posture is set to enable.
Either block or issue a warning (set by default) when the security posture does not meet FortiClient compliance.
forticlient-system-compliance {enable | disable}
Enable (by default) or disable enforcement of FortiClient system compliance.
forticlient-system-compliance-action {block | warning}
Note: This entry is only available when forticlient-system-compliance is set to enable.
Either block or issue a warning (set by default) when the system does not meet FortiClient compliance.
forticlient-vuln-scan {enable | disable}
Enable (by default) or disable endpoint vulnerability scanning.
forticlient-vuln-scan-compliance-action {block | warning}
Note: This entry is only available when forticlient-vuln-scan is set to enable.
Either block or issue a warning (set by default) when vulnerability scanning detects non-compliance.
forticlient-vuln-scan-enforce {critical | high | medium | low | info}
Note: This entry is only available when forticlient-vuln-scan is set to enable.
Set the severity of a found vulnerability (critical, high, medium, low or info, from most to least severe) at which the compliance action is triggered. The default is set to high.
forticlient-vuln-scan-enforce-grace <days>
Note: This entry is only available when forticlient-vuln-scan is set to enable.
FortiClient vulnerability scan enforcement grace period in days. Set the range between 0-30. The default is set to 1.
forticlient-vuln-scan-exempt {enable | disable}
Note: This entry is only available when forticlient-vuln-scan is set to enable.
Enable or disable (by default) compliance exemption for vulnerabilities that cannot be patched automatically.
forticlient-wf {enable | disable}
Note: This entry is only available when forticlient-security-posture is set to enable.
Enable or disable (by default) FortiClient web category filtering.
forticlient-wf-profile <name>
Note: This entry is only available when forticlient-wf is set to enable.
FortiClient web filter profile name, as configured under config webfilter profile.
forticlient-win-ver <version>
Note: This entry is only available when forticlient-minimum-software-version is set to enable.
Minimum FortiClient Windows version. The default is set to 5.4.1.
os-av-software-installed {enable | disable}
Note: This entry is only available when forticlient-av is set to enable and av-realtime-protection is set to disable; the two checks are mutually exclusive.
Enable or disable (by default) accepting a third-party AntiVirus product that the operating system recognizes as installed, instead of requiring FortiClient's own real-time protection.
sandbox-address <address>
Note: This entry is only available when sandbox-analysis is set to enable.
IP address of the FortiSandbox.
sandbox-analysis {enable | disable}
Note: This entry is only available when av-realtime-protection is set to enable.
Enable or disable (by default) sending files to FortiSandbox for analysis.
config forticlient-operating-system
Configure FortiClient operating system options.
os-type <os>
Operating system for FortiClient. Enter set os-type ? to view all available options for Windows, Mac OS and Linux.
config forticlient-running-app
Configure FortiClient running application options.
app-name <name>
Application name.
{app-sha256-signature | app-sha256-signature2 | app-sha256-signature3 | app-sha256-signature4} <signature>
The application's SHA256 signatures (up to a maximum of four, one per process name). As of FortiOS 6.0 the signature is optional and a running-app entry matches on the process name alone when no signature is configured; any binary renamed to that process name then satisfies a present rule, so set the signature when the check is meant to identify a specific executable, and update it whenever that executable is upgraded.
{process-name | process-name2 | process-name3 | process-name4} <name>
The application's process names (up to a maximum of four).
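The difference between a name-only check and a pinned one, as an added example that is not from this page: entry 1 is satisfied by any process that happens to be named edr-agent.exe, entry 2 also requires the running binary to hash to the configured SHA256, and entry 3 shows the absent rule used as a deny-list. The profile name, application names, process names and the signature placeholder are assumptions; the placeholder must be replaced with the SHA256 of the exact binary deployed. Whether a configured signature is enforced, rather than merely optional, on a given FortiOS build is worth verifying on a test endpoint before relying on it.

```text
config endpoint-control profile
    edit "corp-laptops"
        config forticlient-winmac-settings
            config forticlient-running-app
                # Weak: any process named edr-agent.exe passes this check.
                edit 1
                    set app-name "EDR agent (name only)"
                    set application-check-rule present
                    set process-name "edr-agent.exe"
                next
                # Stronger: the process must also hash to the deployed binary.
                edit 2
                    set app-name "EDR agent (pinned)"
                    set application-check-rule present
                    set process-name "edr-agent.exe"
                    set app-sha256-signature <sha256-of-edr-agent.exe>
                next
                # Deny-list use: non-compliant if an unapproved tunnel client runs.
                edit 3
                    set app-name "Unapproved tunnel client"
                    set application-check-rule absent
                    set process-name "tunnel-client.exe"
                next
            end
        end
    next
end
```

In practice one of entries 1 and 2 is used, not both; entry 2 trades a renamed-binary bypass for an operational cost, since the hash has to be rolled together with every agent update.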
config forticlient-registry-entry
Configure registry entries.
registry-entry <entry>
Registry entry (up to 127 characters).
config forticlient-own-file
Configure own file paths and names.
file <path-name>
File path and name.
config forticlient-android-settings
Use this configuration method to set FortiClient settings pertaining to Android platforms.
disable-wf-when-protected {enable | disable}
Enable (by default) or disable turning off FortiClient's own web category filtering while the endpoint is on-net and protected by the FortiGate, leaving web filtering to the FortiGate's firewall policies. Disable this option if client-side filtering should continue to apply on-net.
forticlient-advanced-vpn {enable | disable}
Note: This entry is only available when forticlient-vpn-provisioning is set to enable.
Enable or disable (by default) advanced FortiClient VPN configuration.
forticlient-advanced-vpn-buffer <content>
Note: This entry is only available when forticlient-advanced-vpn is set to enable.
Content of advanced FortiClient VPN configuration.
forticlient-vpn-provisioning {enable | disable}
Enable or disable (by default) FortiClient VPN provisioning.
forticlient-wf {enable | disable}
Enable or disable (by default) FortiClient web category filtering.
forticlient-wf-profile <name>
Note: This entry is only available when forticlient-wf is set to enable.
FortiClient web filter profile name, as configured under config webfilter profile.
config forticlient-vpn-settings
Note: This configuration method is only available when forticlient-vpn-provisioning is set to enable and forticlient-advanced-vpn is set to disable.
Configure FortiClient VPN provisioning options.
auth-method {psk | certificate}
Note: This entry is only available when type is set to ipsec.
Either pre-shared key (set by default) or certificate authentication.
preshared-key <key>
Note: This entry is only available when auth-method is set to psk.
Pre-shared key for PSK authentication.
remote-gw <ip/fqdn>
IP address or FQDN of the VPN gateway.
sslvpn-access-port <port>
Note: This entry is only available when type is set to ssl.
SSL VPN access port. Set the range between 1-65535. The default is set to 443.
sslvpn-require-certificate {enable | disable}
Note: This entry is only available when type is set to ssl.
Enable or disable (by default) requiring an SSL VPN client certificate.
type {ipsec | ssl}
Either IPsec (set by default) or SSL VPN.
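Provisioning an IPsec tunnel and an SSL VPN tunnel to Android endpoints, as an added example that is not taken from this page: the profile name, tunnel names, gateway FQDN and port are assumptions. Both entries use certificate authentication: a preshared-key configured here is pushed to every endpoint the profile covers, so one compromised device exposes the secret shared by all of them, whereas a per-device client certificate can be revoked on its own.

```text
config endpoint-control profile
    edit "android-byod"
        config forticlient-android-settings
            set forticlient-vpn-provisioning enable
            # forticlient-vpn-settings is only available with advanced VPN disabled.
            set forticlient-advanced-vpn disable
            config forticlient-vpn-settings
                # IPsec tunnel, certificate rather than PSK authentication.
                edit "hq-ipsec"
                    set type ipsec
                    set remote-gw "vpn.example.com"
                    set auth-method certificate
                next
                # SSL VPN on a non-default port, client certificate required.
                edit "hq-ssl"
                    set type ssl
                    set remote-gw "vpn.example.com"
                    set sslvpn-access-port 10443
                    set sslvpn-require-certificate enable
                next
            end
        end
    next
end
```

The assumed port 10443 only matters if the FortiGate's SSL VPN listener is configured on the same port; the default for this option is 443.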
config forticlient-ios-settings
Use this configuration method to set FortiClient settings pertaining to iOS platforms.
client-vpn-provisioning {enable | disable}
Enable or disable (by default) client VPN provisioning.
configuration-content <content>
Note: This entry is only available when distribute-configuration-profile is set to enable.
Content of the configuration profile.
configuration-name <name>
Note: This entry is only available when distribute-configuration-profile is set to enable.
Name of the configuration profile.
disable-wf-when-protected {enable | disable}
Enable (by default) or disable turning off FortiClient's own web category filtering while the endpoint is on-net and protected by the FortiGate, leaving web filtering to the FortiGate's firewall policies.
distribute-configuration-profile {enable | disable}
Enable or disable (by default) configuration profile (.mobileconfig file) distribution.
forticlient-wf {enable | disable}
Enable or disable (by default) FortiClient web category filtering.
forticlient-wf-profile <name>
Note: This entry is only available when forticlient-wf is set to enable.
FortiClient web filter profile name, as configured under config webfilter profile.
config client-vpn-settings
Note: This configuration method is only available when client-vpn-provisioning is set to enable.
Configure client VPN provisioning options.
type {ipsec | ssl}
Either IPsec (set by default) or SSL VPN.
vpn-configuration-content <content>
Content of VPN configuration.
vpn-configuration-name <name>
Name of VPN configuration.