Administration Guide

Creating FortiClient profiles

You can create one or more FortiClient profiles in a FortiClient profile package. The FortiClient profile identifies the FortiGate compliance rules and the non-compliance action to apply to endpoints that fail to meet the compliance rules.

Note: The FortiClient profile does not contain any configuration information for FortiClient. The FortiClient profile only identifies the compliance rules that FortiClient endpoints must meet to maintain access to the network.

You can enable compliance rules for the following categories in a FortiClient profile:

  • Endpoint Vulnerability Scan on Client
  • System Compliance
  • Security Posture Check

For each category, you can specify how to handle endpoints that fail to meet the compliance rules. You can choose to block non-compliant endpoints from network access, or to warn non-compliant endpoints but still allow network access. For example, you could set the non-compliance action to Block for Endpoint Vulnerability Scan on Client and to Warning for Security Posture Check.

For more information on configuring FortiClient Profiles and Endpoint Control, see the FortiOS Handbook and the FortiClient Administration Guide.

FortiClient profiles can be created, edited, deleted, and imported from devices using the right-click menu and toolbar selections.

In FortiOS, this feature is found at Security Profiles > FortiClient Profiles.

To create a new FortiClient profile:
  1. Go to FortiClient Manager > FortiClient Profiles.
  2. In the tree menu, select the FortiClient profile package in which to create profiles.
  3. In the content pane, click Create New.

    The Create New FortiClient Profile pane opens.

  4. Enter the following information:

    Profile Name

    Type a name for the new FortiClient profile.

    Characters associated with cross-site scripting (XSS) are not allowed in the profile name.

    Comments

    (Optional) Type a profile description.

    Assign Profile To

    Identify where to assign the profile:

    • Device Groups: Select device groups from the list.
    • User Groups: Select user groups from the list.
    • Users: Select users from the list.
    • Address: Select addresses from the list.

    You can assign the profile to user groups and users when using Active Directory authentication or RADIUS authentication for VPN.

    On-Net Detection By Address

    Identify whether to use an address to detect when endpoints are on-net. Select the address(es) from the list.

  5. Set the compliance rules and non-compliance action for Endpoint Vulnerability Scan on Client:

    Endpoint Vulnerability Scan on Client

    Toggle ON to add a rule about Vulnerability Scanning on Client. When toggled ON, the Vulnerability Scanning module must be enabled in FortiClient on endpoints.

    Toggle OFF to exclude Vulnerability Scanning on Client from the compliance rules.

    Non-compliance action

    Specify how to handle endpoints that fail to meet the compliance rules for Endpoint Vulnerability Scan on Client. Select Block to block non-compliant endpoints from network access. Select Warning to warn non-compliant endpoints but allow network access.

    Vulnerability quarantine level

    When Endpoint Vulnerability Scan on Client is toggled ON, you can select a minimum quarantine level from the Vulnerability quarantine level list. Endpoints with detected vulnerabilities at the selected severity level or higher are quarantined.

  6. Set the compliance rules and non-compliance action for System Compliance:

    System compliance

    Toggle ON to enable compliance rules for System compliance and display options for rules.

    Toggle OFF to exclude system compliance from the compliance rules.

    Minimum FortiClient Version

    Toggle ON to add a rule about minimum FortiClient version. When toggled ON, endpoints must have the minimum version or higher of FortiClient installed to remain compliant. Specify the minimum version in the Windows endpoints and Mac endpoints boxes.

    Toggle OFF to remove a rule about minimum FortiClient version from the compliance rules.

    Windows endpoints

    When Minimum FortiClient Version is toggled ON, you can type the minimum version of FortiClient that is required on endpoints running a Windows operating system.

    Mac endpoints

    When Minimum FortiClient Version is toggled ON, you can type the minimum version of FortiClient that is required on endpoints running a Macintosh operating system.

    Upload logs to FortiAnalyzer

    Toggle ON to add a rule about logging. When toggled ON, FortiClient must send logs to FortiAnalyzer for the endpoint to remain compliant. Select which of the following FortiClient logs must be sent to FortiAnalyzer:

    • Traffic
    • Vulnerability
    • Event

    Toggle OFF to remove a rule about logging from the compliance rules.

    Non-compliance action

    Specify how to handle endpoints that fail to meet the compliance rules for System Compliance. Select Block to block non-compliant endpoints from network access. Select Warning to warn non-compliant endpoints but allow network access.

  7. Set the compliance rules and non-compliance action for Security Posture Check:

    Security Posture Check

    Toggle ON to enable compliance rules for Security Posture Check and display more options. When toggled ON, select which modules must be enabled in FortiClient for endpoints to remain compliant.

    Toggle OFF to remove rules about Security Posture Check from the compliance rules.

    Real-time Protection

    Toggle ON to add a rule about real-time protection to the compliance rules. When toggled ON, FortiClient must have real-time protection enabled for endpoints to remain compliant.

    Toggle OFF to remove a rule about real-time protection from the compliance rules.

    Up-to-date signatures

    Toggle ON to add a rule about up-to-date signatures to the compliance rules. When toggled ON, FortiClient real-time protection must have up-to-date signatures for endpoints to remain compliant.

    Toggle OFF to remove a rule about up-to-date signatures from the compliance rules.

    Scan with FortiSandbox

    Toggle ON to add a rule about FortiSandbox scanning to the compliance rules. When toggled ON, FortiClient real-time protection must have FortiSandbox scanning enabled for endpoints to remain compliant.

    Note: A FortiSandbox device is required, and the device must be configured to work with FortiClient.

    Toggle OFF to remove a rule about FortiSandbox scanning from the compliance rules.

    Third party AntiVirus on Windows

    Toggle ON to add a rule about third-party antivirus software for endpoints running a Windows operating system to the compliance rules. When toggled ON, endpoints running a Windows operating system must have recognized third-party antivirus software installed for endpoints to remain compliant.

    Note: Real-time Protection must be toggled OFF before you can toggle ON Third party AntiVirus on Windows.

    Toggle OFF to remove the rule about third-party antivirus software from the compliance rules.

    Web Filter

    Toggle ON to add a rule about Web Filter to the compliance rules and display more options.

    Toggle OFF to exclude a rule about Web Filter from the compliance rules.

    Profile

    When Web Filter is toggled ON, you can select a web filter profile. A default profile is selected by default.

    Application Firewall

    Toggle ON to add a rule about Application Firewall to the compliance rules and display more options.

    Toggle OFF to exclude the setting from the compliance rules.

    Application Control Sensor

    When Application Firewall is toggled ON, you can select an application control sensor. A default application control sensor is selected by default.

    Non-compliance action

    Specify how to handle endpoints that fail to meet the compliance rules for Security Posture Check. Select Block to block non-compliant endpoints from network access. Select Warning to warn non-compliant endpoints but allow network access.

  8. Click OK.
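The following is an added example, not Fortinet code, that models how the three categories of a FortiClient profile combine into a single outcome for one endpoint: each failed category contributes its own non-compliance action, Block outranks Warning, the quarantine level is evaluated separately from the compliance rules, and the Real-time Protection / Third party AntiVirus exclusivity is enforced. The Profile fields and the endpoint dictionary keys are assumptions for illustration.

```python
# Added example (not Fortinet code): how a FortiClient profile's compliance
# categories combine into a per-endpoint outcome. Field names and the endpoint
# dict keys are assumptions; the rules follow the profile settings described above.
from dataclasses import dataclass, field

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def version_tuple(v: str) -> tuple:
    """'6.10.0' -> (6, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Profile:
    vuln_scan: bool = True                # Endpoint Vulnerability Scan on Client
    vuln_action: str = "block"            # its non-compliance action
    quarantine_level: str = "high"        # Vulnerability quarantine level
    min_version: dict = field(default_factory=dict)  # {"windows": "6.0.0", "mac": ...}
    system_action: str = "warning"        # System Compliance non-compliance action
    require_rtp: bool = True              # Real-time Protection
    require_third_party_av: bool = False  # Third party AntiVirus on Windows
    posture_action: str = "warning"       # Security Posture Check non-compliance action

def evaluate(profile: Profile, ep: dict) -> dict:
    """Return {'decision': allow|warn|block, 'quarantine': bool, 'failed': {...}}."""
    # The GUI enforces this: third-party AV can only be required with RTP OFF.
    if profile.require_rtp and profile.require_third_party_av:
        raise ValueError("Real-time Protection must be OFF to require third-party AV")
    failed, quarantine = {}, False
    if profile.vuln_scan:
        if not ep["vuln_module_on"]:               # module must be enabled
            failed["vuln_scan"] = profile.vuln_action
        worst = max((SEVERITY[s] for s in ep["vulns"]), default=0)
        quarantine = worst >= SEVERITY[profile.quarantine_level]
    required = profile.min_version.get(ep["os"])   # Minimum FortiClient Version
    if required and version_tuple(ep["version"]) < version_tuple(required):
        failed["system"] = profile.system_action
    if profile.require_rtp and not ep["rtp_on"]:
        failed["posture"] = profile.posture_action
    if profile.require_third_party_av and ep["os"] == "windows" and not ep["third_party_av"]:
        failed["posture"] = profile.posture_action
    actions = set(failed.values())                  # Block outranks Warning
    decision = "block" if "block" in actions else "warn" if "warning" in actions else "allow"
    return {"decision": decision, "quarantine": quarantine, "failed": failed}

# Constructed sample endpoint: older FortiClient, RTP on, one high-severity finding.
SAMPLE = {"os": "windows", "version": "6.0.9", "vuln_module_on": True,
          "vulns": ["medium", "high"], "rtp_on": True, "third_party_av": False}
```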
