Fortinet Document Library: CLI Reference 6.0.6

endpoint-control profile

Use this command to configure an Endpoint NAC profile.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command:

    config {forticlient-winmac-settings | forticlient-android-settings | forticlient-ios-settings}
        set forticlient-ems-compliance {enable | disable}
        set forticlient-ems-compliance-action {block | warning}
        set forticlient-ems-entries [addr1] [addr2] [addr3]
    next
    ...

Description: New options to enforce FortiClient Enterprise Management Server (EMS) compliance. In the full syntax below, the EMS entries are a sub-table (config forticlient-ems-entries, edit <name>) whose names reference servers configured under config endpoint-control forticlient-ems.

Command:

    config forticlient-running-app
        set application-check-rule {present | absent}
    next
    ...

Description: Specify whether a process and/or application must be present or absent for the host check to pass. In addition, the FortiGate now only has to match the process name; matching the SHA256 signature is no longer mandatory, because the process may be updated dynamically and the signature may no longer match. Note that a name-only match is satisfied by any process running under that name, so supply the SHA256 signature as well where the check must identify a specific build of the executable.

Command:

    config forticlient-winmac-settings
        config forticlient-operating-system
            edit <id>
                set os-type {mac-os | win-xx | ubuntu-linux | centos-linux | redhat-linux | fedora-linux}
            next
        end
        set forticlient-linux-ver <forticlient-version>
    end

Description: Added FortiClient for Linux (Ubuntu, CentOS, Red Hat, and Fedora) support.
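The following profile exercises the three 6.0 additions listed above (EMS compliance, application-check-rule, and Linux support) in one place. It is an example added here, not configuration taken from the Fortinet page. Assumed: an EMS server object named "ems-primary" already exists under config endpoint-control forticlient-ems (the datasource that forticlient-ems-entries references), the process names, the SHA256 placeholder, and the FortiClient version string 6.0.0.

```fortios
# Added example; all object names, process names and versions are assumptions.
config endpoint-control profile
    edit "corp-ems-managed"
        set description "Endpoints must be managed by the corporate EMS"
        config forticlient-winmac-settings
            # 6.0: block endpoints whose FortiClient reports none of the listed
            # EMS servers as online. "ems-primary" must already exist under
            # config endpoint-control forticlient-ems.
            set forticlient-ems-compliance enable
            set forticlient-ems-compliance-action block
            config forticlient-ems-entries
                edit "ems-primary"
                next
            end
            # 6.0: Linux support. forticlient-linux-ver only appears once
            # forticlient-minimum-software-version is enabled, which in turn
            # requires forticlient-system-compliance.
            set forticlient-system-compliance enable
            set forticlient-minimum-software-version enable
            set forticlient-linux-ver "6.0.0"
            # Operating-system entries; for mac-os, os-name carries the version in x.x.x form.
            config forticlient-operating-system
                edit 1
                    set os-type win-10
                next
                edit 2
                    set os-type mac-os
                    set os-name "10.13.6"
                next
                edit 3
                    set os-type ubuntu-linux
                next
            end
            # 6.0: application-check-rule. Entry 1 requires an EDR agent to be
            # running; entry 2 forbids a remote-control tool. Only the process
            # name has to match; the SHA256 is optional but pins entry 1 to a
            # specific build of the approved binary.
            config forticlient-running-app
                edit 1
                    set app-name "Corporate EDR agent"
                    set application-check-rule present
                    set process-name "edr-agent.exe"
                    set app-sha256-signature "<64-hex-char SHA256 of the approved edr-agent.exe>"
                next
                edit 2
                    set app-name "Unapproved remote access tool"
                    set application-check-rule absent
                    set process-name "remote-tool.exe"
                next
            end
        end
    next
end
```

Because entry 2 carries no signature, it is a name-only check: it fails an endpoint on which a process named remote-tool.exe is running, and is satisfied by renaming the binary. Use the absent rule for hygiene, not as the sole control against a determined user.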

config endpoint-control profile
    edit {profile-name}
    # Configure FortiClient endpoint control profiles.
        set profile-name {string}   Profile name. size[35]
        config forticlient-winmac-settings
            set forticlient-registration-compliance-action {block | warning}   FortiClient registration compliance action.
                    block    Block access for devices that are operating without a registered version of FortiClient.
                    warning  Display a warning for devices that are operating without a registered version of FortiClient.
            set forticlient-ems-compliance {enable | disable}   Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
            set forticlient-ems-compliance-action {block | warning}   FortiClient EMS compliance action.
                    block    Block clients if FortiClient does not have any of the specified EMS servers as online.
                    warning  Create a warning if FortiClient does not have any of the specified EMS servers as online.
            config forticlient-ems-entries
                edit {name}
                # FortiClient EMS entries.
                    set name {string}   FortiClient EMS name. size[64] - datasource(s): endpoint-control.forticlient-ems.name
                next
            set forticlient-security-posture {enable | disable}   Enable/disable FortiClient security posture check options.
            set forticlient-security-posture-compliance-action {block | warning}   FortiClient security posture compliance action.
                    block    Block devices that fail FortiClient security posture checking.
                    warning  Warn devices that fail FortiClient security posture checking.
            set forticlient-av {enable | disable}   Enable/disable FortiClient AntiVirus scanning.
            set av-realtime-protection {enable | disable}   Enable/disable FortiClient AntiVirus real-time protection.
            set av-signature-up-to-date {enable | disable}   Enable/disable FortiClient AV signature updates.
            set sandbox-analysis {enable | disable}   Enable/disable sending files to FortiSandbox for analysis.
            set sandbox-address {string}   FortiSandbox address. size[255]
            set os-av-software-installed {enable | disable}   Enable/disable checking for OS recognized AntiVirus software.
            set forticlient-application-firewall {enable | disable}   Enable/disable the FortiClient application firewall.
            set forticlient-application-firewall-list {string}   FortiClient application firewall rule list. size[35] - datasource(s): application.list.name
            set forticlient-wf {enable | disable}   Enable/disable FortiClient web filtering.
            set forticlient-wf-profile {string}   The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
            set forticlient-system-compliance {enable | disable}   Enable/disable enforcement of FortiClient system compliance.
            set forticlient-system-compliance-action {block | warning}   Block or warn clients not compliant with FortiClient requirements.
                    block    Block clients not in compliance with FortiClient requirements.
                    warning  Warn clients not in compliance with FortiClient requirements.
            set forticlient-minimum-software-version {enable | disable}   Enable/disable requiring clients to run FortiClient with a minimum software version number.
            set forticlient-win-ver {string}   Minimum FortiClient Windows version. size[63]
            set forticlient-mac-ver {string}   Minimum FortiClient Mac OS version. size[63]
            set forticlient-linux-ver {string}   Minimum FortiClient Linux version. size[63]
            config forticlient-operating-system
                edit {id}
                # FortiClient operating system.
                    set id {integer}   Operating system entry ID. range[0-4294967295]
                    set os-type {option}   Operating system type.
                            custom            Customize OS.
                            mac-os            Mac OS.
                            win-7             Windows 7.
                            win-80            Windows 8.0.
                            win-81            Windows 8.1.
                            win-10            Windows 10.
                            win-2000          Windows 2000.
                            win-home-svr      Windows Home Server.
                            win-svr-10        Windows Server 10.
                            win-svr-2003      Windows Server 2003.
                            win-svr-2003-r2   Windows Server 2003 R2.
                            win-svr-2008      Windows Server 2008.
                            win-svr-2008-r2   Windows Server 2008 R2.
                            win-svr-2012      Windows Server 2012.
                            win-svr-2012-r2   Windows Server 2012 R2.
                            win-sto-svr-2003  Windows Storage Server 2003.
                            win-vista         Windows Vista.
                            win-xp            Windows XP.
                            ubuntu-linux      Ubuntu Linux.
                            centos-linux      CentOS Linux.
                            redhat-linux      Red Hat Linux.
                            fedora-linux      Fedora Linux.
                    set os-name {string}   Custom operating system name (os-type custom), or the Mac OS version in x.x.x format (os-type mac-os). size[127]
                next
            config forticlient-running-app
                edit {id}
                # Use FortiClient to verify if the listed applications are running on the client.
                    set id {integer}   Application ID. range[0-4294967295]
                    set app-name {string}   Application name. size[127]
                    set application-check-rule {present | absent}   Application check rule.
                            present  Compliant if application is present.
                            absent   Compliant if application is absent.
                    set process-name {string}   Process name. size[127]
                    set app-sha256-signature {string}   App's SHA256 signature. size[64]
                    set process-name2 {string}   Process name. size[127]
                    set app-sha256-signature2 {string}   App's SHA256 Signature. size[64]
                    set process-name3 {string}   Process name. size[127]
                    set app-sha256-signature3 {string}   App's SHA256 Signature. size[64]
                    set process-name4 {string}   Process name. size[127]
                    set app-sha256-signature4 {string}   App's SHA256 Signature. size[64]
                next
            config forticlient-registry-entry
                edit {id}
                # FortiClient registry entry.
                    set id {integer}   Registry entry ID. range[0-4294967295]
                    set registry-entry {string}   Registry entry. size[127]
                next
            config forticlient-own-file
                edit {id}
                # Checking the path and filename of the FortiClient application.
                    set id {integer}   File ID. range[0-4294967295]
                    set file {string}   File path and name. size[127]
                next
            set forticlient-log-upload {enable | disable}   Enable/disable uploading FortiClient logs.
            set forticlient-log-upload-level {traffic | vulnerability | event}   Select the FortiClient logs to upload.
                    traffic        Upload traffic logs.
                    vulnerability  Upload vulnerability logs.
                    event          Upload event logs.
            set forticlient-log-upload-server {string}   IP address or FQDN of the server to which to upload FortiClient logs. size[255]
            set forticlient-vuln-scan {enable | disable}   Enable/disable FortiClient vulnerability scanning.
            set forticlient-vuln-scan-compliance-action {block | warning}   FortiClient vulnerability compliance action.
                    block    Block clients if FortiClient vulnerability scanning finds a vulnerability.
                    warning  Create a warning if FortiClient vulnerability scanning finds a vulnerability.
            set forticlient-vuln-scan-enforce {option}   Severity level of a detected vulnerability that causes a FortiClient vulnerability compliance action.
                    critical  Finding a critical-level vulnerability causes a FortiClient compliance action.
                    high      Finding a high-level vulnerability causes a FortiClient compliance action.
                    medium    Finding a medium-level vulnerability causes a FortiClient compliance action.
                    low       Finding a low-level vulnerability causes a FortiClient compliance action.
                    info      Finding an info-level vulnerability causes a FortiClient compliance action.
            set forticlient-vuln-scan-enforce-grace {integer}   FortiClient vulnerability scan enforcement grace period (0 - 30 days, default = 1). range[0-30]
            set forticlient-vuln-scan-exempt {enable | disable}   Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
        config forticlient-android-settings
            set forticlient-wf {enable | disable}   Enable/disable FortiClient web filtering.
            set forticlient-wf-profile {string}   The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
            set disable-wf-when-protected {enable | disable}   Enable/disable suspending FortiClient web category filtering while the endpoint is protected by the FortiGate (on-net).
            set forticlient-vpn-provisioning {enable | disable}   Enable/disable FortiClient VPN provisioning.
            set forticlient-advanced-vpn {enable | disable}   Enable/disable advanced FortiClient VPN configuration.
            set forticlient-advanced-vpn-buffer {string}   Advanced FortiClient VPN configuration. size[32768]
            config forticlient-vpn-settings
                edit {name}
                # FortiClient VPN settings.
                    set name {string}   VPN name. size[35]
                    set type {ipsec | ssl}   VPN type (IPsec or SSL VPN).
                            ipsec  IPsec VPN.
                            ssl    SSL VPN.
                    set remote-gw {string}   IP address or FQDN of the remote VPN gateway. size[255]
                    set sslvpn-access-port {integer}   SSL VPN access port (1 - 65535). range[1-65535]
                    set sslvpn-require-certificate {enable | disable}   Enable/disable requiring SSL VPN client certificate.
                    set auth-method {psk | certificate}   Authentication method.
                            psk          Pre-shared key.
                            certificate  Certificate.
                    set preshared-key {password_string}   Pre-shared secret for PSK authentication. size[128]
                next
        config forticlient-ios-settings
            set forticlient-wf {enable | disable}   Enable/disable FortiClient web filtering.
            set forticlient-wf-profile {string}   The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
            set disable-wf-when-protected {enable | disable}   Enable/disable suspending FortiClient web category filtering while the endpoint is protected by the FortiGate (on-net).
            set client-vpn-provisioning {enable | disable}   FortiClient VPN provisioning.
            config client-vpn-settings
                edit {name}
                # FortiClient VPN settings.
                    set name {string}   VPN name. size[35]
                    set type {ipsec | ssl}   VPN type (IPsec or SSL VPN).
                            ipsec  IPsec VPN.
                            ssl    SSL VPN.
                    set vpn-configuration-name {string}   Name of VPN configuration. size[35]
                    set vpn-configuration-content {string}   Content of VPN configuration. size[32768]
                    set remote-gw {string}   IP address or FQDN of the remote VPN gateway. size[255]
                    set sslvpn-access-port {integer}   SSL VPN access port (1 - 65535). range[1-65535]
                    set sslvpn-require-certificate {enable | disable}   Enable/disable requiring SSL VPN client certificate.
                    set auth-method {psk | certificate}   Authentication method.
                            psk          Pre-shared key.
                            certificate  Certificate.
                    set preshared-key {password_string}   Pre-shared secret for PSK authentication. size[128]
                next
            set distribute-configuration-profile {enable | disable}   Enable/disable configuration profile (.mobileconfig file) distribution.
            set configuration-name {string}   Name of configuration profile. size[35]
            set configuration-content {string}   Content of configuration profile. size[32768]
        set description {string}   Description. size[255]
        config src-addr
            edit {name}
            # Source addresses.
                set name {string}   Address object from available options. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config device-groups
            edit {name}
            # Device groups.
                set name {string}   Device group object from available options. size[64] - datasource(s): user.device-group.name,user.device-category.name
            next
        config users
            edit {name}
            # Users.
                set name {string}   User name. size[64] - datasource(s): user.local.name
            next
        config user-groups
            edit {name}
            # User groups.
                set name {string}   User group name. size[64] - datasource(s): user.group.name
            next
        config on-net-addr
            edit {name}
            # Addresses for on-net detection.
                set name {string}   Address object from available options. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set replacemsg-override-group {string}   Select an endpoint control replacement message override group from available options. size[35] - datasource(s): system.replacemsg-group.name
    next
end

Additional information

The following section is for those options that require additional explanation.

device-groups <groups>

Device groups to assign to this endpoint profile, as configured under config user device-group.

on-net-addr <addr>

Addresses for on-net detection.

replacemsg-override-group <group>

Endpoint control replacement message override group, as configured under config system replacemsg-group. Note that the group must have group-type set to ec.

src-addr <addr>

Source addresses to assign to this endpoint profile.

user-groups <groups>

User groups to assign to this endpoint profile. Note that this is not configurable for the default profile.

users <users>

Users to assign to this endpoint profile. Note that this is not configurable for the default profile.
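The scoping options above decide which endpoints a profile applies to, and the replacement message group has a precondition (group-type ec) that is easy to miss. The following configuration, added here as an example and not taken from the Fortinet page, creates the override group and a named profile scoped by source address, device group, and user group. Assumed object names: the firewall address objects "lan-clients" and "hq-lan", the device group "corp-laptops", and the user group "employees", all of which are assumed to exist already.

```fortios
# Added example; object names are assumptions.

# The override group must have group-type ec, as noted above.
config system replacemsg-group
    edit "ec-messages"
        set group-type ec
    next
end

# A named profile: users and user-groups cannot be set on the default profile.
config endpoint-control profile
    edit "corp-employees"
        set description "employees group, corp-laptops device group, lan-clients subnets"
        config src-addr
            edit "lan-clients"
            next
        end
        config device-groups
            edit "corp-laptops"
            next
        end
        config user-groups
            edit "employees"
            next
        end
        # Addresses FortiClient treats as on-net.
        config on-net-addr
            edit "hq-lan"
            next
        end
        set replacemsg-override-group "ec-messages"
    next
end
```

Create the replacemsg-group first; a group with the default group-type is not accepted by replacemsg-override-group.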

config forticlient-winmac-settings

Use this configuration method to set FortiClient settings pertaining to Windows, Mac, and (as of FortiOS 6.0) Linux platforms; forticlient-linux-ver and the Linux os-type values are configured here.

av-realtime-protection {enable | disable}

Note: This entry is only available when forticlient-av is set to enable. Also, os-av-software-installed must be set to disable.

Enable or disable (by default) FortiClient antivirus realtime protection.

av-signature-up-to-date {enable | disable}

Note: This entry is only available when av-realtime-protection is set to enable.

Enable or disable (by default) FortiClient AntiVirus signature updates.

forticlient-application-firewall {enable | disable}

Note: This entry is only available when forticlient-security-posture is set to enable.

Enable or disable (by default) FortiClient application firewall.

forticlient-application-firewall-list

Note: This entry is only available when forticlient-application-firewall is set to enable.

FortiClient application firewall rule list, as configured under config application list.

forticlient-av {enable | disable}

Note: This entry is only available when forticlient-security-posture is set to enable.

Enable or disable (by default) FortiClient antivirus scanning.

forticlient-log-upload {enable | disable}

Note: This entry is only available when forticlient-system-compliance is set to enable.

Enable (by default) or disable uploading FortiClient logs to a FortiAnalyzer unit via the FortiGate unit.

forticlient-log-upload-level {traffic | vulnerability | event}

Note: This entry is only available when forticlient-system-compliance is set to enable and forticlient-log-upload is set to enable.

Select which kinds of logs are uploaded: traffic log, vulnerability log, and/or event log (all are enabled by default).

forticlient-log-upload-server <ip/fqdn>

Note: This entry is only available when forticlient-system-compliance is set to enable and forticlient-log-upload is set to enable.

IP address or FQDN of the FortiClient log upload server.

forticlient-mac-ver <version>

Note: This entry is only available when forticlient-minimum-software-version is set to enable.

Minimum FortiClient Mac OS version. The default is set to 5.4.1.

forticlient-minimum-software-version {enable | disable}

Note: This entry is only available when forticlient-system-compliance is set to enable.

Enable or disable (by default) enforcement of a minimum FortiClient software version to meet compliance.

forticlient-security-posture {enable | disable}

Enable or disable (by default) FortiClient security posture. Enabling this feature allows additional options to be configured, including realtime protection, third-party AV, web filtering, and application control firewall.

forticlient-security-posture-compliance-action {block | warning}

Note: This entry is only available when forticlient-security-posture is set to enable.

Either block or issue a warning (set by default) when the security posture does not meet FortiClient compliance.

forticlient-system-compliance {enable | disable}

Enable (by default) or disable enforcement of FortiClient system compliance.

forticlient-system-compliance-action {block | warning}

Note: This entry is only available when forticlient-system-compliance is set to enable.

Either block or issue a warning (set by default) when the system does not meet FortiClient compliance.

forticlient-vuln-scan {enable | disable}

Enable (by default) or disable endpoint vulnerability scanning.

forticlient-vuln-scan-compliance-action {block | warning}

Note: This entry is only available when forticlient-vuln-scan is set to enable.

Either block or issue a warning (set by default) when vulnerability scanning detects non-compliance.

forticlient-vuln-scan-enforce {critical | high | medium | low | info}

Note: This entry is only available when forticlient-vuln-scan is set to enable.

Set the severity level of a detected vulnerability that causes the vulnerability compliance action. The default is set to high.

forticlient-vuln-scan-enforce-grace <days>

Note: This entry is only available when forticlient-vuln-scan is set to enable.

FortiClient vulnerability scan enforcement grace period in days. Set the range between 0-30. The default is set to 1.

forticlient-vuln-scan-exempt {enable | disable}

Note: This entry is only available when forticlient-vuln-scan is set to enable.

Enable or disable (by default) compliance exemption for vulnerabilities that cannot be patched automatically.

forticlient-wf {enable | disable}

Note: This entry is only available when forticlient-security-posture is set to enable.

Enable or disable (by default) FortiClient web category filtering.

forticlient-wf-profile <name>

Note: This entry is only available when forticlient-wf is set to enable.

FortiClient web filter profile name, as configured under config webfilter profile.

forticlient-win-ver <version>

Note: This entry is only available when forticlient-minimum-software-version is set to enable.

Minimum FortiClient Windows version. The default is set to 5.4.1.

os-av-software-installed {enable | disable}

Note: This entry is only available when forticlient-av is set to enable. Also, av-realtime-protection must be set to disable.

Enable or disable (by default) recognition of installed AntiVirus software.

sandbox-address <address>

Note: This entry is only available when sandbox-analysis is set to enable.

IP address of the FortiSandbox.

sandbox-analysis {enable | disable}

Note: This entry is only available when av-realtime-protection is set to enable.

Enable or disable (by default) sending files to FortiSandbox for analysis.
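The availability notes above form a dependency chain: forticlient-security-posture gates forticlient-av, the web filter and the application firewall; forticlient-av gates av-realtime-protection (which excludes os-av-software-installed); av-realtime-protection gates av-signature-up-to-date and sandbox-analysis; forticlient-system-compliance gates the minimum-version and log-upload options; forticlient-vuln-scan gates its enforcement options. The CLI only exposes a dependent option once its parent is enabled, so the order in which the lines are entered matters. The following profile, added here as an example and not part of the Fortinet page, sets the options in that order. Assumed: the application list "endpoint-appctrl", the web filter profile "endpoint-wf", the hostnames fortisandbox.corp.example and faz.corp.example, and the version string 6.0.0.

```fortios
# Added example; referenced objects, hostnames and versions are assumptions.
config endpoint-control profile
    edit "corp-winmac-strict"
        set description "Posture, system compliance and vulnerability enforcement"
        config forticlient-winmac-settings
            set forticlient-registration-compliance-action block
            # 1. Security posture first; it gates AV, web filter and app firewall.
            set forticlient-security-posture enable
            set forticlient-security-posture-compliance-action block
            set forticlient-av enable
            # av-realtime-protection and os-av-software-installed are mutually
            # exclusive; this profile requires FortiClient's own real-time AV.
            set av-realtime-protection enable
            set av-signature-up-to-date enable
            # sandbox-analysis only appears once av-realtime-protection is enabled.
            set sandbox-analysis enable
            set sandbox-address "fortisandbox.corp.example"
            set forticlient-application-firewall enable
            set forticlient-application-firewall-list "endpoint-appctrl"
            set forticlient-wf enable
            set forticlient-wf-profile "endpoint-wf"
            # 2. System compliance gates minimum version and log upload.
            set forticlient-system-compliance enable
            set forticlient-system-compliance-action block
            set forticlient-minimum-software-version enable
            set forticlient-win-ver "6.0.0"
            set forticlient-mac-ver "6.0.0"
            set forticlient-log-upload enable
            set forticlient-log-upload-level traffic vulnerability event
            set forticlient-log-upload-server "faz.corp.example"
            # 3. Vulnerability scan: block on a high-level finding after a
            # 3-day grace period; exempt findings FortiClient cannot auto-patch.
            set forticlient-vuln-scan enable
            set forticlient-vuln-scan-compliance-action block
            set forticlient-vuln-scan-enforce high
            set forticlient-vuln-scan-enforce-grace 3
            set forticlient-vuln-scan-exempt enable
        end
    next
end
```

To accept a third-party antivirus product instead of FortiClient's own engine, leave av-realtime-protection disabled and set os-av-software-installed enable; sandbox-analysis is then unavailable, because it depends on av-realtime-protection.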

config forticlient-operating-system

Configure FortiClient operating system options.

os-type <os>

Operating system of the endpoint running FortiClient. Enter set os-type ? to view all available options for Windows, Mac OS, and Linux, or use custom together with os-name for an operating system that is not listed.

config forticlient-running-app

Configure FortiClient running application options.

app-name <name>

Application name.

{app-sha256-signature | app-sha256-signature2 | app-sha256-signature3 | app-sha256-signature4} <signature>

The application's SHA256 signatures (up to a maximum of four, paired with process-name through process-name4). Matching a signature is optional in FortiOS 6.0: the process name alone satisfies the check, so set the signature where the check must identify a specific build of the executable.

{process-name | process-name2 | process-name3 | process-name4} <name>

The application's process names (up to a maximum of four).

config forticlient-registry-entry

Configure registry entries.

registry-entry <entry>

Registry entry (up to 127 characters).

config forticlient-own-file

Configure the path and file name of the FortiClient application to check.

file <path-name>

File path and name.

config forticlient-android-settings

Use this configuration method to set FortiClient settings pertaining to Android platforms.

disable-wf-when-protected {enable | disable}

Enable (by default) or disable suspending FortiClient web category filtering while the endpoint is protected by the FortiGate (on-net). Set to disable to keep the client-side filter active regardless of location.

forticlient-advanced-vpn {enable | disable}

Note: This entry is only available when forticlient-vpn-provisioning is set to enable.

Enable or disable (by default) advanced FortiClient VPN configuration.

forticlient-advanced-vpn-buffer <content>

Note: This entry is only available when forticlient-advanced-vpn is set to enable.

Content of advanced FortiClient VPN configuration.

forticlient-vpn-provisioning {enable | disable}

Enable or disable (by default) FortiClient VPN provisioning.

forticlient-wf {enable | disable}

Enable or disable (by default) FortiClient web category filtering.

forticlient-wf-profile <name>

Note: This entry is only available when forticlient-wf is set to enable.

FortiClient web filter profile name, as configured under config webfilter profile.

config forticlient-vpn-settings

Note: This configuration method is only available when forticlient-vpn-provisioning is set to enable and forticlient-advanced-vpn is set to disable.

Configure FortiClient VPN provisioning options.

auth-method {psk | certificate}

Note: This entry is only available when type is set to ipsec.

Either pre-shared key (set by default) or certificate authentication.

preshared-key <key>

Note: This entry is only available when auth-method is set to psk.

Pre-shared key for PSK authentication (up to 128 characters). Provisioning pushes this key to every endpoint the profile applies to, so prefer auth-method certificate where client certificates are available.

remote-gw <ip/fqdn>

IP address or FQDN of the VPN gateway.

sslvpn-access-port <port>

Note: This entry is only available when type is set to ssl.

SSL VPN access port. Set the range between 1-65535. The default is set to 443.

sslvpn-require-certificate {enable | disable}

Note: This entry is only available when type is set to ssl.

Enable or disable (by default) requiring an SSL VPN client certificate.

type {ipsec | ssl}

Either IPsec (set by default) or SSL VPN.

config forticlient-ios-settings

Use this configuration method to set FortiClient settings pertaining to iOS platforms.

client-vpn-provisioning {enable | disable}

Enable or disable (by default) client VPN provisioning.

configuration-content <content>

Note: This entry is only available when distribute-configuration-profile is set to enable.

Content of the configuration profile.

configuration-name <name>

Note: This entry is only available when distribute-configuration-profile is set to enable.

Name of the configuration profile.

disable-wf-when-protected {enable | disable}

Enable (by default) or disable suspending FortiClient web category filtering while the endpoint is protected by the FortiGate (on-net). Set to disable to keep the client-side filter active regardless of location.

distribute-configuration-profile {enable | disable}

Enable or disable (by default) configuration profile (.mobileconfig file) distribution.

forticlient-wf {enable | disable}

Enable or disable (by default) FortiClient web category filtering.

forticlient-wf-profile <name>

Note: This entry is only available when forticlient-wf is set to enable.

FortiClient web filter profile name, as configured under config webfilter profile.

config client-vpn-settings

Note: This configuration method is only available when client-vpn-provisioning is set to enable.

Configure client VPN provisioning options.

type {ipsec | ssl}

Either IPsec (set by default) or SSL VPN.

vpn-configuration-content <content>

Content of VPN configuration.

vpn-configuration-name <name>

Name of VPN configuration.
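The Android and iOS sections above provision VPN tunnels and, on iOS, a configuration profile to the client. The following profile, added here as an example and not taken from the Fortinet page, shows both: an IPsec tunnel with certificate authentication and an SSL VPN tunnel that requires a client certificate on Android, and the same SSL VPN tunnel plus a .mobileconfig payload on iOS. Assumed: the gateway name vpn.corp.example, the web filter profile "endpoint-wf", port 10443, and the placeholder for the .mobileconfig contents.

```fortios
# Added example; gateway, profile names, port and payload are assumptions.
config endpoint-control profile
    edit "mobile-byod"
        set description "Android/iOS: web filter on, provisioned VPN tunnels"
        config forticlient-android-settings
            set forticlient-wf enable
            set forticlient-wf-profile "endpoint-wf"
            # Keep client-side web filtering active even while on-net.
            set disable-wf-when-protected disable
            set forticlient-vpn-provisioning enable
            # forticlient-vpn-settings is only available while
            # forticlient-advanced-vpn is disabled.
            set forticlient-advanced-vpn disable
            config forticlient-vpn-settings
                edit "corp-ipsec"
                    set type ipsec
                    set remote-gw "vpn.corp.example"
                    # Certificate auth instead of the default psk, which would
                    # push one shared secret to every provisioned device.
                    set auth-method certificate
                next
                edit "corp-ssl"
                    set type ssl
                    set remote-gw "vpn.corp.example"
                    set sslvpn-access-port 10443
                    set sslvpn-require-certificate enable
                next
            end
        end
        config forticlient-ios-settings
            set forticlient-wf enable
            set forticlient-wf-profile "endpoint-wf"
            set disable-wf-when-protected disable
            set client-vpn-provisioning enable
            config client-vpn-settings
                edit "corp-ssl"
                    set type ssl
                    set remote-gw "vpn.corp.example"
                    set sslvpn-access-port 10443
                    set sslvpn-require-certificate enable
                next
            end
            # Distribute an Apple configuration profile alongside the VPN settings.
            set distribute-configuration-profile enable
            set configuration-name "corp-device-profile"
            set configuration-content "<contents of the .mobileconfig file, up to 32768 characters>"
        end
    next
end
```

If the Android tunnels need settings that forticlient-vpn-settings does not expose, set forticlient-advanced-vpn enable and place the full client configuration in forticlient-advanced-vpn-buffer instead; the two methods are mutually exclusive.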

endpoint-control profile

Use this command to configure an Endpoint NAC profile.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

config {forticlient-winmac-settings | forticlient-android-settings | forticlient-ios-settings}

set forticlient-ems-compliance {enable | disable}

set forticlient-ems-compliance-action {block | warning}

set forticlient-ems-entries [addr1] [addr2] [addr3]

next

...

New options to enforce FortiClient Enterprise Management Server (EMS) compliance.

config

set application-check-rule {present | absent}

next

...

Specify whether a process and/or application is present or absent for host checking.

In addition, FortiGate now only has to match the process name - matching the SHA256 signature is no longer mandatory (since the process may be updated dynamically and the signature may not match).

config forticlient-winmac-settings

config forticlient-operating-system

edit <id>

set os-type {mac-os | win-xx | ubuntu-linux | centos-linux | redhat-linux | fedora-linux}

next

set forticlient-lnux-ver <forticlient-version>

end

Added FortiClient for Linux (Ubuntu, CentOS, Red Hat, and Fedora) support.

config endpoint-control profile
    edit {profile-name}
    # Configure FortiClient endpoint control profiles.
        set profile-name {string}   Profile name. size[35]
        config forticlient-winmac-settings
            set forticlient-registration-compliance-action {block | warning}   FortiClient registration compliance action.
                    block    Block access for devices that are operating without a registered version of FortiClient.
                    warning  Display a warning for devices that are operating without a registered version of FortiClient.
            set forticlient-ems-compliance {enable | disable}   Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
            set forticlient-ems-compliance-action {block | warning}   FortiClient EMS compliance action.
                    block    Block clients if FortiClient does not have any of the specified EMS servers as online.
                    warning  Create a warning if FortiClient does not have any of the specified EMS servers as online.
            config forticlient-ems-entries
                edit {name}
                # FortiClient EMS entries.
                    set name {string}   FortiClient EMS name. size[64] - datasource(s): endpoint-control.forticlient-ems.name
                next
            set forticlient-security-posture {enable | disable}   Enable/disable FortiClient security posture check options.
            set forticlient-security-posture-compliance-action {block | warning}   FortiClient security posture compliance action.
                    block    Block devices that fail FortiClient security posture checking.
                    warning  Warn devices that fail FortiClient security posture checking.
            set forticlient-av {enable | disable}   Enable/disable FortiClient AntiVirus scanning.
            set av-realtime-protection {enable | disable}   Enable/disable FortiClient AntiVirus real-time protection.
            set av-signature-up-to-date {enable | disable}   Enable/disable FortiClient AV signature updates.
            set sandbox-analysis {enable | disable}   Enable/disable sending files to FortiSandbox for analysis.
            set sandbox-address {string}   FortiSandbox address. size[255]
            set os-av-software-installed {enable | disable}   Enable/disable checking for OS recognized AntiVirus software.
            set forticlient-application-firewall {enable | disable}   Enable/disable the FortiClient application firewall.
            set forticlient-application-firewall-list {string}   FortiClient application firewall rule list. size[35] - datasource(s): application.list.name
            set forticlient-wf {enable | disable}   Enable/disable FortiClient web filtering.
            set forticlient-wf-profile {string}   The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
            set forticlient-system-compliance {enable | disable}   Enable/disable enforcement of FortiClient system compliance.
            set forticlient-system-compliance-action {block | warning}   Block or warn clients not compliant with FortiClient requirements.
                    block    Block clients not in compliance with FortiClient requirements.
                    warning  Warn clients not in compliance with FortiClient requirements.
            set forticlient-minimum-software-version {enable | disable}   Enable/disable requiring clients to run FortiClient with a minimum software version number.
            set forticlient-win-ver {string}   Minimum FortiClient Windows version. size[63]
            set forticlient-mac-ver {string}   Minimum FortiClient Mac OS version. size[63]
            set forticlient-linux-ver {string}   Minimum FortiClient Linux version. size[63]
            config forticlient-operating-system
                edit {id}
                # FortiClient operating system.
                    set id {integer}   Operating system entry ID. range[0-4294967295]
                    set os-type {option}   Operating system type.
                            custom            Customize OS.
                            mac-os            Mac OS.
                            win-7             Windows 7.
                            win-80            Windows 8.0.
                            win-81            Windows 8.1.
                            win-10            Windows 10.
                            win-2000          Windows 2000.
                            win-home-svr      Windows Home Server.
                            win-svr-10        Windows Server 10.
                            win-svr-2003      Windows Server 2003.
                            win-svr-2003-r2   Windows Server 2003 R2.
                            win-svr-2008      Windows Server 2008.
                            win-svr-2008-r2   Windows Server 2008 R2.
                            win-svr-2012      Windows Server 2012.
                            win-svr-2012-r2   Windows Server 2012 R2.
                            win-sto-svr-2003  Windows Storage Server 2003.
                            win-vista         Windows Vista.
                            win-xp            Windows XP.
                            ubuntu-linux      Ubuntu Linux.
                            centos-linux      CentOS Linux.
                            redhat-linux      Redhat Linux.
                            fedora-linux      Fedora Linux.
                    set os-name {string}   Custom operating system name, or Mac OS version in x.x.x format. size[127]
                next
            config forticlient-running-app
                edit {id}
                # Use FortiClient to verify if the listed applications are running on the client.
                    set id {integer}   Application ID. range[0-4294967295]
                    set app-name {string}   Application name. size[127]
                    set application-check-rule {present | absent}   Application check rule.
                            present  Compliant if application is present.
                            absent   Compliant if application is absent.
                    set process-name {string}   Process name. size[127]
                    set app-sha256-signature {string}   App's SHA256 signature. size[64]
                    set process-name2 {string}   Process name. size[127]
                    set app-sha256-signature2 {string}   App's SHA256 Signature. size[64]
                    set process-name3 {string}   Process name. size[127]
                    set app-sha256-signature3 {string}   App's SHA256 Signature. size[64]
                    set process-name4 {string}   Process name. size[127]
                    set app-sha256-signature4 {string}   App's SHA256 Signature. size[64]
                next
            config forticlient-registry-entry
                edit {id}
                # FortiClient registry entry.
                    set id {integer}   Registry entry ID. range[0-4294967295]
                    set registry-entry {string}   Registry entry. size[127]
                next
            config forticlient-own-file
                edit {id}
                # Checking the path and filename of the FortiClient application.
                    set id {integer}   File ID. range[0-4294967295]
                    set file {string}   File path and name. size[127]
                next
            set forticlient-log-upload {enable | disable}   Enable/disable uploading FortiClient logs.
            set forticlient-log-upload-level {traffic | vulnerability | event}   Select the FortiClient logs to upload.
                    traffic        Upload traffic logs.
                    vulnerability  Upload vulnerability logs.
                    event          Upload event logs.
            set forticlient-log-upload-server {string}   IP address or FQDN of the server to which to upload FortiClient logs. size[255]
            set forticlient-vuln-scan {enable | disable}   Enable/disable FortiClient vulnerability scanning.
            set forticlient-vuln-scan-compliance-action {block | warning}   FortiClient vulnerability compliance action.
                    block    Block clients if FortiClient vulnerability scanning finds a vulnerability.
                    warning  Create a warning if FortiClient vulnerability scanning finds a vulnerability.
            set forticlient-vuln-scan-enforce {option}   Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action.
                    critical  Finding a critical-level vulnerability causes a FortiClient compliance action.
                    high      Finding a high-level vulnerability causes a FortiClient compliance action.
                    medium    Finding a medium-level vulnerability causes a FortiClient compliance action.
                    low       Finding a low-level vulnerability causes a FortiClient compliance action.
                    info      Finding an info-level vulnerability causes a FortiClient compliance action.
            set forticlient-vuln-scan-enforce-grace {integer}   FortiClient vulnerability scan enforcement grace period (0 - 30 days, default = 1). range[0-30]
            set forticlient-vuln-scan-exempt {enable | disable}   Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
        config forticlient-android-settings
            set forticlient-wf {enable | disable}   Enable/disable FortiClient web filtering.
            set forticlient-wf-profile {string}   The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
            set disable-wf-when-protected {enable | disable}   Enable/disable FortiClient web category filtering when protected by FortiGate.
            set forticlient-vpn-provisioning {enable | disable}   Enable/disable FortiClient VPN provisioning.
            set forticlient-advanced-vpn {enable | disable}   Enable/disable advanced FortiClient VPN configuration.
            set forticlient-advanced-vpn-buffer {string}   Advanced FortiClient VPN configuration. size[32768]
            config forticlient-vpn-settings
                edit {name}
                # FortiClient VPN settings.
                    set name {string}   VPN name. size[35]
                    set type {ipsec | ssl}   VPN type (IPsec or SSL VPN).
                            ipsec  IPsec VPN.
                            ssl    SSL VPN.
                    set remote-gw {string}   IP address or FQDN of the remote VPN gateway. size[255]
                    set sslvpn-access-port {integer}   SSL VPN access port (1 - 65535). range[1-65535]
                    set sslvpn-require-certificate {enable | disable}   Enable/disable requiring SSL VPN client certificate.
                    set auth-method {psk | certificate}   Authentication method.
                            psk          Pre-shared key.
                            certificate  Certificate.
                    set preshared-key {password_string}   Pre-shared secret for PSK authentication. size[128]
                next
        config forticlient-ios-settings
            set forticlient-wf {enable | disable}   Enable/disable FortiClient web filtering.
            set forticlient-wf-profile {string}   The FortiClient web filter profile to apply. size[35] - datasource(s): webfilter.profile.name
            set disable-wf-when-protected {enable | disable}   Enable/disable FortiClient web category filtering when protected by FortiGate.
            set client-vpn-provisioning {enable | disable}   FortiClient VPN provisioning.
            config client-vpn-settings
                edit {name}
                # FortiClient VPN settings.
                    set name {string}   VPN name. size[35]
                    set type {ipsec | ssl}   VPN type (IPsec or SSL VPN).
                            ipsec  IPsec VPN.
                            ssl    SSL VPN.
                    set vpn-configuration-name {string}   Name of VPN configuration. size[35]
                    set vpn-configuration-content {string}   Content of VPN configuration. size[32768]
                    set remote-gw {string}   IP address or FQDN of the remote VPN gateway. size[255]
                    set sslvpn-access-port {integer}   SSL VPN access port (1 - 65535). range[1-65535]
                    set sslvpn-require-certificate {enable | disable}   Enable/disable requiring SSL VPN client certificate.
                    set auth-method {psk | certificate}   Authentication method.
                            psk          Pre-shared key.
                            certificate  Certificate.
                    set preshared-key {password_string}   Pre-shared secret for PSK authentication. size[128]
                next
            set distribute-configuration-profile {enable | disable}   Enable/disable configuration profile (.mobileconfig file) distribution.
            set configuration-name {string}   Name of configuration profile. size[35]
            set configuration-content {string}   Content of configuration profile. size[32768]
        set description {string}   Description. size[255]
        config src-addr
            edit {name}
            # Source addresses.
                set name {string}   Address object from available options. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config device-groups
            edit {name}
            # Device groups.
                set name {string}   Device group object from available options. size[64] - datasource(s): user.device-group.name,user.device-category.name
            next
        config users
            edit {name}
            # Users.
                set name {string}   User name. size[64] - datasource(s): user.local.name
            next
        config user-groups
            edit {name}
            # User groups.
                set name {string}   User group name. size[64] - datasource(s): user.group.name
            next
        config on-net-addr
            edit {name}
            # Addresses for on-net detection.
                set name {string}   Address object from available options. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set replacemsg-override-group {string}   Select an endpoint control replacement message override group from available options. size[35] - datasource(s): system.replacemsg-group.name
    next
end

Additional information

The following section is for those options that require additional explanation.

device-groups <groups>

Device groups to assign to this endpoint profile, as configured under config user device-group.

on-net-addr <addr>

Addresses for on-net detection.

replacemsg-override-group <group>

Endpoint control replacement message override group, as configured under config system replacemsg-group. Note that the group must have group-type set to ec.

src-addr <addr>

Source addresses to assign to this endpoint profile.

user-groups <groups>

User groups to assign to this endpoint profile. Note that this is not configurable for the default profile.

users <users>

Users to assign to this endpoint profile. Note that this is not configurable for the default profile.

config forticlient-winmac-settings

Use this configuration method to set FortiClient settings pertaining to Windows and Mac platforms.

av-realtime-protection {enable | disable}

Note: This entry is only available when forticlient-av is set to enable. Also, os-av-software-installed must be set to disable.

Enable or disable (by default) FortiClient antivirus realtime protection.

av-signature-up-to-date {enable | disable}

Note: This entry is only available when av-realtime-protection is set to enable.

Enable or disable (by default) FortiClient AntiVirus signature updates.

forticlient-application-firewall {enable | disable}

Note: This entry is only available when forticlient-security-posture is set to enable.

Enable or disable (by default) FortiClient application firewall.

forticlient-application-firewall-list

Note: This entry is only available when forticlient-application-firewall is set to enable.

FortiClient application firewall rule list, as configured under config application list.

forticlient-av {enable | disable}

Note: This entry is only available when forticlient-security-posture is set to enable.

Enable or disable (by default) FortiClient antivirus scanning.

forticlient-log-upload {enable | disable}

Note: This entry is only available when forticlient-system-compliance is set to enable.

Enable (by default) or disable uploading logs to FortiAnalyzer unit via FortiGate unit.

forticlient-log-upload-level {traffic | vulnerability | event}

Note: This entry is only available when forticlient-system-compliance is set to enable and forticlient-log-upload is set to enable.

Determine which kinds of logs will be reported: traffic log, vulnerability log, or event log (all are enabled by default).

forticlient-log-upload-server <ip/fqdn>

Note: This entry is only available when forticlient-system-compliance is set to enable and forticlient-log-upload is set to enable.

IP address or FQDN of the FortiClient log upload server.

forticlient-mac-ver <version>

Note: This entry is only available when forticlient-minimum-software-version is set to enable.

Minimum FortiClient Mac OS version. The default is set to 5.4.1.

forticlient-minimum-software-version {enable | disable}

Note: This entry is only available when forticlient-system-compliance is set to enable.

Enable or disable (by default) enforcement of a minimum FortiClient software version to meet compliance.

forticlient-security-posture {enable | disable}

Enable or disable (by default) FortiClient security posture. Enabling this feature allows additional options to be configured, including realtime protection, third-party AV, web filtering, and application control firewall.

forticlient-security-posture-compliance-action {block | warning}

Note: This entry is only available when forticlient-security-posture is set to enable.

Either block or issue a warning (set by default) when the security posture does not meet FortiClient compliance.

forticlient-system-compliance {enable | disable}

Enable (by default) or disable enforcement of FortiClient system compliance.

forticlient-system-compliance-action {block | warning}

Note: This entry is only available when forticlient-system-compliance is set to enable.

Either block or issue a warning (set by default) when the system does not meet FortiClient compliance.

forticlient-vuln-scan {enable | disable}

Enable (by default) or disable endpoint vulnerability scanning.

forticlient-vuln-scan-compliance-action {block | warning}

Note: This entry is only available when forticlient-vuln-scan is set to enable.

Either block or issue a warning (set by default) when vulnerability scanning detects non-compliance.

forticlient-vuln-scan-enforce {critical | high | medium | low | info}

Note: This entry is only available when forticlient-vuln-scan is set to enable.

Minimum severity level of a detected vulnerability that causes the vulnerability compliance action. The default is set to high.

forticlient-vuln-scan-enforce-grace <days>

Note: This entry is only available when forticlient-vuln-scan is set to enable.

FortiClient vulnerability scan enforcement grace period in days. Set the range between 0-30. The default is set to 1.

forticlient-vuln-scan-exempt {enable | disable}

Note: This entry is only available when forticlient-vuln-scan is set to enable.

Enable or disable (by default) compliance exemption for vulnerabilities that cannot be patched automatically.

forticlient-wf {enable | disable}

Note: This entry is only available when forticlient-security-posture is set to enable.

Enable or disable (by default) FortiClient web category filtering.

forticlient-wf-profile <name>

Note: This entry is only available when forticlient-wf is set to enable.

FortiClient web filter profile name, as configured under config webfilter profile.

forticlient-win-ver <version>

Note: This entry is only available when forticlient-minimum-software-version is set to enable.

Minimum FortiClient Windows version. The default is set to 5.4.1.

os-av-software-installed {enable | disable}

Note: This entry is only available when forticlient-av is set to enable. Also, av-realtime-protection must be set to disable.

Enable or disable (by default) recognition of installed AntiVirus software.

sandbox-address <address>

Note: This entry is only available when sandbox-analysis is set to enable.

IP address of the FortiSandbox.

sandbox-analysis {enable | disable}

Note: This entry is only available when av-realtime-protection is set to enable.

Enable or disable (by default) sending files to FortiSandbox for analysis.

config forticlient-operating-system

Configure FortiClient operating system options.

os-type <os>

Operating system for FortiClient. Enter set os-type ? to view all available options for both Mac and Windows.

config forticlient-running-app

Configure FortiClient running application options.

app-name <name>

Application name.

{app-sha256-signature | app-sha256-signature2 | app-sha256-signature3 | app-sha256-signature4} <signature>

The application's SHA256 signatures (up to a maximum of four).

{process-name | process-name2 | process-name3 | process-name4} <name>

The application's process names (up to a maximum of four).

config forticlient-registry-entry

Configure registry entries.

registry-entry <entry>

Registry entry (up to 127 characters).

config forticlient-own-file

Configure the file path and name checks for the FortiClient application.

file <path-name>

File path and name.
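The following is an added example of a complete Windows/Mac profile that ties the options above together; it is not taken from the Fortinet document and is not a Fortinet-supplied configuration. It covers the dependency chain described in this section (system compliance enables the minimum-version and log-upload options; vuln-scan enables the enforce, grace and exempt options) and the running-app checks with application-check-rule. The profile name, user group, log server, version strings and process names are constructed placeholders.

```fortios
config endpoint-control profile
    edit "corp-winmac-compliance"
    # Hypothetical profile name; every literal below is a constructed sample value.
        config forticlient-winmac-settings
            # forticlient-system-compliance must be enabled before the
            # minimum-version and log-upload options become available.
            set forticlient-system-compliance enable
            set forticlient-system-compliance-action block
            set forticlient-minimum-software-version enable
            set forticlient-win-ver 6.0.0
            set forticlient-mac-ver 6.0.0
            # Vulnerability scanning: block only for high or critical findings,
            # after a 3-day grace period, and exempt findings FortiClient cannot auto-patch.
            set forticlient-vuln-scan enable
            set forticlient-vuln-scan-compliance-action block
            set forticlient-vuln-scan-enforce high
            set forticlient-vuln-scan-enforce-grace 3
            set forticlient-vuln-scan-exempt enable
            # Ship all three log types to a collector (constructed hostname).
            set forticlient-log-upload enable
            set forticlient-log-upload-level traffic vulnerability event
            set forticlient-log-upload-server "logs.example.com"
            config forticlient-running-app
                # Entry 1: compliant only if the endpoint agent process is running.
                edit 1
                    set app-name "Corporate endpoint agent"
                    set application-check-rule present
                    set process-name "corp-agent.exe"
                next
                # Entry 2: compliant only if an unapproved tool is NOT running.
                edit 2
                    set app-name "Unapproved remote-control tool"
                    set application-check-rule absent
                    set process-name "remote-tool.exe"
                next
            end
        end
        config user-groups
            edit "corp-employees"
            next
        end
    next
end
```

Two points worth checking after applying a profile like this: the grace period delays the block action, so a short value is only reasonable once the endpoints actually have a patch path, and the running-app entries match on process name alone (the SHA256 fields are optional in 6.0), so a present/absent check is a compliance signal rather than an integrity guarantee.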

config forticlient-android-settings

Use this configuration method to set FortiClient settings pertaining to Android platforms.

disable-wf-when-protected {enable | disable}

Enable (by default) or disable FortiClient web category filtering when protected by FortiGate.

forticlient-advanced-vpn {enable | disable}

Note: This entry is only available when forticlient-vpn-provisioning is set to enable.

Enable or disable (by default) advanced FortiClient VPN configuration.

forticlient-advanced-vpn-buffer <content>

Note: This entry is only available when forticlient-advanced-vpn is set to enable.

Content of advanced FortiClient VPN configuration.

forticlient-vpn-provisioning {enable | disable}

Enable or disable (by default) FortiClient VPN provisioning.

forticlient-wf {enable | disable}

Enable or disable (by default) FortiClient web category filtering.

forticlient-wf-profile <name>

Note: This entry is only available when forticlient-wf is set to enable.

FortiClient web filter profile name, as configured under config webfilter profile.

config forticlient-vpn-settings

Note: This configuration method is only available when forticlient-vpn-provisioning is set to enable and forticlient-advanced-vpn is set to disable.

Configure FortiClient VPN provisioning options.

auth-method {psk | certificate}

Note: This entry is only available when type is set to ipsec.

Either pre-shared key (set by default) or certificate authentication.

preshared-key <key>

Note: This entry is only available when auth-method is set to psk.

Pre-shared key for PSK authentication.

remote-gw <ip/fqdn>

IP address or FQDN of the VPN gateway.

sslvpn-access-port <port>

Note: This entry is only available when type is set to ssl.

SSL VPN access port. Set the range between 1-65535. The default is set to 443.

sslvpn-require-certificate {enable | disable}

Note: This entry is only available when type is set to ssl.

Enable or disable (by default) requiring an SSL VPN client certificate.

type {ipsec | ssl}

Either IPsec (set by default) or SSL VPN.
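As an added example (not from the Fortinet document) of the Android VPN provisioning options just listed, the profile below provisions one SSL VPN and one IPsec VPN. It follows the availability notes in this section: forticlient-vpn-settings is only offered while forticlient-advanced-vpn is disabled, the sslvpn-* options apply only to type ssl, and auth-method only to type ipsec. The profile, VPN names and gateway hostname are constructed placeholders.

```fortios
config endpoint-control profile
    edit "corp-android"
    # Hypothetical profile name; VPN names and the gateway FQDN are constructed.
        config forticlient-android-settings
            set forticlient-vpn-provisioning enable
            # Keep advanced-vpn disabled so the structured settings table is used.
            set forticlient-advanced-vpn disable
            config forticlient-vpn-settings
                # SSL VPN on a non-default port, client certificate required.
                edit "hq-sslvpn"
                    set type ssl
                    set remote-gw "vpn.example.com"
                    set sslvpn-access-port 10443
                    set sslvpn-require-certificate enable
                next
                # IPsec VPN using certificate authentication, so no pre-shared
                # key has to be pushed to every provisioned device.
                edit "hq-ipsec"
                    set type ipsec
                    set remote-gw "vpn.example.com"
                    set auth-method certificate
                next
            end
            set forticlient-wf enable
            set forticlient-wf-profile "default"
            set disable-wf-when-protected enable
        end
    next
end
```

Choosing auth-method certificate over psk matters for provisioning specifically: with psk, the preshared-key value becomes part of the profile delivered to each device, whereas certificate authentication keeps per-device credentials out of the shared profile.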

config forticlient-ios-settings

Use this configuration method to set FortiClient settings pertaining to iOS platforms.

client-vpn-provisioning {enable | disable}

Enable or disable (by default) client VPN provisioning.

configuration-content <content>

Note: This entry is only available when distribute-configuration-profile is set to enable.

Content of the configuration profile.

configuration-name <name>

Note: This entry is only available when distribute-configuration-profile is set to enable.

Name of the configuration profile.

disable-wf-when-protected {enable | disable}

Enable (by default) or disable FortiClient web category filtering when protected by FortiGate.

distribute-configuration-profile {enable | disable}

Enable or disable (by default) configuration profile (.mobileconfig file) distribution.

forticlient-wf {enable | disable}

Enable or disable (by default) FortiClient web category filtering.

forticlient-wf-profile <name>

Note: This entry is only available when forticlient-wf is set to enable.

FortiClient web filter profile name, as configured under config webfilter profile.

config client-vpn-settings

Note: This configuration method is only available when client-vpn-provisioning is set to enable.

Configure client VPN provisioning options.

type {ipsec | ssl}

Either IPsec (set by default) or SSL VPN.

vpn-configuration-content <content>

Content of VPN configuration.

vpn-configuration-name <name>

Name of VPN configuration.