Configuring profiles
Endpoint Protection requires that all hosts connecting to an interface have the FortiClient Endpoint Security application installed. Make sure that all endpoints behind the interface are able to install this application. Currently, FortiClient Endpoint Security is available for Microsoft Windows (2000 and later), Apple (Mac OS X and later), and Android devices only.
By default, the FortiGuard service provides the FortiClient installer. If you prefer to host it on your own server, see Changing the FortiClient installer download location, below.
To set up Endpoint Protection, complete the following:
- Create a FortiClient Profile or use the default profile. See Creating a FortiClient profile. Enable the application sensor and web category filtering profiles that you want to use.
- Configure the FortiGate unit to support endpoint registration using FortiTelemetry (under Network > Interfaces, allow FortiTelemetry admission control).
- Optionally, enforce FortiClient registration. See Enforcing FortiClient registration.
- Optionally, configure application sensors and web filter profiles as needed to monitor or block applications.
- Optionally, modify the Endpoint NAC Download Portal replacement messages (one per platform). See Replacement messages.
Creating a FortiClient profile
FortiClient profiles allow you to perform vulnerability scans on endpoints and make sure endpoints are running compliant versions of FortiClient. Also, security posture features cause FortiClient to apply realtime protection, AntiVirus, web filtering, and application control on endpoints.
It is possible for more than one profile to be assigned to a device type. As with security policies, clients are matched to FortiClient profiles in the order that the profiles appear in the list.
Features involving general settings have been removed from the FortiClient profile GUI in 5.4.1. Features emphasizing compliance of the endpoint devices have been added. These enhancements facilitate integration with the Security Fabric.
To create a FortiClient profile - GUI
- If you plan to use the Application Firewall feature in the FortiClient profile, go to Security Profiles > Application Control to create the Application Sensors that you will need.
- If you plan to use the Web Category Filtering, go to Security Profiles > Web Filter to create the Web Filter Profile that you will need.
- Go to Security Profiles > FortiClient Compliance. If there is only the default FortiClient profile, it will be displayed and ready to edit. At the top right of the page you can select or create other profiles.
- Select Create New or edit an existing profile.
- In Assign Profile To, select the device groups, user groups, and users to which this FortiClient profile applies. This is not available for the default profile.
- Set the Endpoint Vulnerability Scan on Client quarantine level. Similar to FortiOS 5.4, you can set the FortiClient Profile to run the FortiClient vulnerability scanner on endpoints and you can set the vulnerability quarantine level to quarantine endpoints that don't comply.The FortiGate will quarantine a host when a vulnerability with the level of severity selected, or higher, is detected. Options are: Critical, High, Medium, Low, and Information.
- System ComplianceFortiOS 5.6 system compliance settings are similar to those in 5.4 with the addition of a non-compliance action. System compliance checking is performed by FortiClient but the non-compliance action is applied by the FortiGate:
- select the Minimum FortiClient version, if necessary. The lowest supported version is 5.4.1.
- identify which logs, if any, you will upload to FortiAnalyzer
- set the Non-compliance action: Block or Warning.
- Under Security Posture Check, enable the required options for your network:
- Realtime Protection
- Third party AntiVirus on Windows is required for Windows endpoints
- identify which logs, if any, you will upload to FortiAnalyzer
- select whether to enable an Web Filter security profile, and / or anApplication Control sensor.
- set the Non-compliance action: Block or Warning.
- Select OK or Apply.
To create a FortiClient profile - CLI:
This example creates a profile for Windows and Mac computers.
config endpoint-control profile
edit ep-profile1
set device-groups mac windows-pc
config forticlient-winmac-settings
set forticlient-av enable
set forticlient-wf enable
set forticlient-wf-profile default
end
end
Support FortiClient for Linux
FortiClient for Linux (Ubuntu, CentOS, Red Hat, and Fedora) is also supported.
Syntax
config forticlient-winmac-settings
config forticlient-operating-system
edit <id>
set os-type {ubuntu-linux | centos-linux | redhat-linux | fedora-linux | ...}
next
set forticlient-linux-ver <forticlient-version>
end
Enforcing FortiClient registration
When you enable FortiTelemetry (formerly known as FortiHeartbeat) on an interface, the option to enforce FortiClient registration becomes available. Devices connecting to that interface are forced to register to the FortiGate and install FortiClient before gaining access to network services.
The following example includes editing the default FortiClient Profile to enforce real time antivirus protection and malicious website blocking.
To enforce FortiClient registration on the internal interface - GUI:
- On the FortiGate, go to System > Feature Visibility and enable Endpoint Control.
- Go to Network > Interfaces and edit the internal interface.
- Under Administrative Access, enable FortiClient Telemetry.
- Under Admission Control, enable Enforce FortiClient Compliance Check. Once this is enabled, you have the option to Exempt Sources and/or Exempt Destinations/Services. If you were to exempt a source device, that device would not require FortiClient registration to access network services or the Internet.
- Go to Security Profiles > FortiClient Profiles.
- Under the Security Posture Check , enable Realtime Protection, Up-to-date signatures.
Endpoint compliance checking
Previously, as part of the Endpoint Compliance - Authorized Machine Detection feature, the administrator could specify a process name and SHA256 signature for a process, and only allow access to hosts with the specified process/application running. The FortiGate verifies if the process name and hash is matched on the connecting host to allow access.
In FortiOS 6.0, however, the FortiGate only matches the process name, and matching the SHA256 signature is optional (since the process may be updated dynamically and the signature may not match). The administrator can specify a process name and not specify a checksum, and so only the file name will be matched. If both file name and MD5 are specified, then both fields will still be matched.
A host check table has been added to the FortiClient Profile GUI, which is similar to a policy table; the match is performed from top to bottom. At the bottom of the table, there is an implicit entry, representing everything that does not match the higher entries. This implicit entry is always available, but the administrator can change the action to either present or absent (in reference to the specified process/application).
Syntax
A new attribute application-check-rule
determines if the entry is for checking the presence or absence of an application:
config endpoint-control profile
edit <name>
config forticlient-winmac-settings
....
config forticlient-running-app
edit 1
set app-name "MSOffice"
set application-check-rule {present | absent}
set process-name "word.exe"
next
...
In addition, the app-sha256-signature
entry is no longer mandatory, so long as the process-name
entry is set:
config endpoint-control profile
edit <name>
config forticlient-winmac-settings
....
config forticlient-running-app
edit <name>
set app-name <name>
set application-check-rule present
set process-name "word.exe"
set app-sha256-signature '' <== this field can be left empty
set process-name2 "excel.exe"
set app-sha256-signature2 '' <== not mandatory if process-name entry is set
set process-name3 ''
set app-sha256-signature3 '' <== not mandatory if process-name entry is set
set process-name4 ''
set app-sha256-signature4 '' <== not mandatory if process-name entry is set
next
...
Enforcing FortiClient EMS requirements
FortiClient Compliance Profiles allow you to add up to three Enterprise Management Server (EMS) servers under Security Profiles > FortiClient Compliance Profiles.
This replaces the feature-related configuration (i.e AV, WF configuration) for compliance checks. Instead, if a FortiClient endpoint is managed by the defined EMS and is "in-sync" with the EMS profile then it is considered compliant.
An endpoint is considered compliant (thus allowed network access) only when the following conditions are met:
- the endpoint has FortiClient software
- the FortiClient software is managed by the authorized EMS server
Any endpoint that does not meet the above criteria (unless exempted) will be blocked from network access, regardless of FortiClient settings on that endpoint.
Syntax
config endpoint-control profile
edit <name>
config {forticlient-winmac-settings | forticlient-android-settings | forticlient-ios-settings}
set forticlient-ems-compliance {enable | disable}
set forticlient-ems-compliance-action {block | warning}
set forticlient-ems-entries [addr1] [addr2] [addr3]
next
end
end
config endpoint-control settings
set forticlient-ems-rest-api-call-timeout <milliseconds>
end
Changing the FortiClient installer download location
By default, FortiClient installers are downloaded from the FortiGuard network. You can also host these installers on a server for your users to download. In that case, you must configure FortiOS with this custom download location. For example, to set the download location to a customer web server with address custom.example.com, enter the following command:
config endpoint-control settings
set download-location custom
set download-custom-link "http://custom.example.com"
end
Storing FortiClient configuration files
Advanced FortiClient configuration files of up to 32k may be stored:
- Enable the advanced FortiClient configuration option in the endpoint profile:
config endpoint-control profile
edit "default"
set forticlient-config-deployment enable
set fct-advanced-cfg enable
set fct-advanced-cfg-buffer "hello"
set forticlient-license-timeout 1
set netscan-discover-hosts enable
next
end
- Export the configuration from FortiClient (xml format).
- Copy the contents of the configuration file and paste in the advanced FortiClient configuration box.
If the configure file is greater than 32k, you need to use the following CLI:
config endpoint-control profile
edit <profile>
config forticlient-winmac-settings
config extra-buffer-entries
edit <entry_id>
set buffer xxxxxx
next
end
end
next
end
Blocking access to unsupported FortiClient endpoints
You can use the following command to deny registration of unsupported FortiClient endpoints. An unsupported FortiClient endpoint means the endpoint is running FortiClient but for some reason not all of the criteria are available to identify the endpoint, or the endpoint may be running an unsupported version of FortiClient. Information required that is not available could include the endpoint's IP address or MAC address is not visible.
config endpoint-control setting
set forticlient-dereg-unsupported-client enable
end
Configuring the FortiClient offline grace period
Administrators can configure an offline grace period for registered and offline FortiClients so that PROBE can be processed and, as a result, endpoint compliance is not triggered.
- The grace period is allowed for a client that is compliant, registered, and offline.
- The grace period has a used status which determines if the client is before, during, or after grace period.
- Online and compliant clients will reset the grace status to unused.
Syntax
config endpoint-control settings
set forticlient-offline-grace {enable | disable}
set forticlient-offline-grace-interval <seconds> <-- The default is 120
end