Administration Guide

Tagging rule types

The following table describes tagging rule types and the OSes that they are available for. For all rule types, you can configure multiple conditions using the + button.

Rule type | OS | Description

User in AD Group

  • Windows
  • macOS

From the User in AD Group dropdown list, select the desired Active Directory (AD) group that users should be members of. You can also use the Negate option for the rule to require that the user not be a part of the selected AD group.

Viewing users and groups from an AD server requires an LDAP server configuration.

The endpoint must satisfy all configured conditions to satisfy this rule.

AntiVirus

  • Windows
  • macOS
  • Linux

From the AntiVirus dropdown list, select the desired conditions. You can require that an endpoint have antivirus (AV) software installed and running and that the AV signature is up-to-date. You can also use the Negate option for the rule to require that the endpoint does not have AV software installed or running or that the AV signature is not up-to-date. This rule applies for FortiClient AV.

For Windows endpoints, this rule type also applies for third-party AV software that registers to the Windows Security Center. The third-party software notifies the Windows Security Center of the status of its signatures. FortiClient queries the Windows Security Center to determine what third-party AV software is installed and if the software reports signatures as up-to-date.

The endpoint must satisfy all configured conditions to satisfy this rule.

Certificate

  • Windows
  • macOS
  • Linux

In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can also use the Negate option to indicate that the rule requires that a certain certificate is not present for the endpoint. FortiClient checks certificates in the current user personal store and local computer personal store. It does not check in trusted root or other stores.

The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require certificate A, certificate B, and not certificate C, then the endpoint must have both certificates A and B and not certificate C.

Domain

  • Windows
  • macOS

In the Domain field, enter the domain name. If the rule is configured for multiple domains, FortiSASE considers the endpoint as satisfying the rule if it belongs to one of the configured domains.

EMS Management

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

FortiSASE considers the endpoint as satisfying the rule if the endpoint has FortiClient installed and Telemetry is connected.

File

  • Windows
  • macOS
  • Linux

In the File field, enter the file path. You can also use the Negate option to indicate that the rule requires that a certain file is not present on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C.

IP Range

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

In the IP Range field, enter the IP address, IP address range, or IP address with subnet. If multiple IP ranges and/or addresses are configured, FortiSASE considers the endpoint as satisfying the rule if its IP address matches one of the configured ranges or addresses.

Operating System Version

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

From the Operating System Version field, select the OS version. If the rule is configured for multiple OS versions, FortiSASE considers the endpoint as satisfying the rule if it has one of the configured OS versions installed.

Registry Key

  • Windows

In the Key field, enter the registry path or value name. End the path with \ to indicate a registry path, or without \ to indicate a registry value name. You can also use the Negate option to indicate that the rule requires that a certain registry path or value name is not present on the endpoint. This rule does not support using the value data.

For example, consider a system where Firefox is installed. In this example, the registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\88.0 (x64 en-US)\Main. The value name is Install Directory, and the value data is C:\Program Files\Mozilla Firefox. You can configure a registry key rule to match HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\88.0 (x64 en-US)\Main as the path or Install Directory as the registry value name, but you cannot configure a rule to match C:\Program Files\Mozilla Firefox, because that is value data. Do not use square brackets when configuring this rule type.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require registry key A, registry key B, and NOT registry key C, then the endpoint must have both registry keys A and B and not registry key C.
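The following is an added illustration, not FortiClient or FortiSASE code: it models how a Registry Key rule's Key-field entries are classified (trailing backslash = path, otherwise value name), rejects square brackets, ignores value data, and combines conditions with AND and Negate, using the page's Firefox example against a constructed registry snapshot. It assumes a value-name entry is written as the full key path followed by the value name.

```python
from dataclasses import dataclass

# Constructed registry snapshot mirroring the Firefox example on this page
# (key path -> {value name: value data}); it is not a real registry read.
FIREFOX_MAIN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\88.0 (x64 en-US)\Main"
REGISTRY = {FIREFOX_MAIN: {"Install Directory": r"C:\Program Files\Mozilla Firefox"}}


@dataclass
class RegistryCondition:
    key: str             # text entered in the rule's Key field
    negate: bool = False


def classify(key: str) -> str:
    """Return 'path' for an entry ending in a backslash, 'value' otherwise.
    Square brackets are rejected because the rule type does not accept them."""
    if "[" in key or "]" in key:
        raise ValueError("square brackets are not allowed in a Registry Key rule")
    return "path" if key.endswith("\\") else "value"


def condition_present(key: str, registry=REGISTRY) -> bool:
    r"""Check one Key-field entry against the snapshot.
    Assumption: a value-name entry is the full path plus the value name,
    e.g. ...\Main\Install Directory, so the last component is the name.
    Value data such as C:\Program Files\Mozilla Firefox is never compared."""
    if classify(key) == "path":
        return key.rstrip("\\") in registry
    parent, _, name = key.rpartition("\\")
    return name in registry.get(parent, {})


def evaluate(conditions, registry=REGISTRY) -> bool:
    """All conditions must hold (AND); Negate inverts an individual condition."""
    return all(condition_present(c.key, registry) != c.negate for c in conditions)


def firefox_rule_examples() -> dict:
    """Worked outcomes for the page's Firefox example."""
    return {
        "path": condition_present(FIREFOX_MAIN + "\\"),
        "value_name": condition_present(FIREFOX_MAIN + r"\Install Directory"),
        "value_data": condition_present(r"C:\Program Files\Mozilla Firefox"),
        "a_b_not_c": evaluate([
            RegistryCondition(FIREFOX_MAIN + "\\"),
            RegistryCondition(FIREFOX_MAIN + r"\Install Directory"),
            RegistryCondition(FIREFOX_MAIN + r"\Uninstall Directory", negate=True),
        ]),
    }
```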

Running Process

  • Windows
  • macOS
  • Linux

In the Process Name field, enter the process name. You can also use the Negate option to indicate that the rule requires that a certain process is not running on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and process C not running.

Sandbox

  • Windows
  • macOS
  • Linux

From the Sandbox Detection dropdown list, select the desired condition. You can require that Sandbox detected malware on the endpoint in the last seven days. You can also use the Negate option for the rule to require that Sandbox did not detect malware on the endpoint in the last seven days.

Severity Level

  • Windows
  • macOS
  • Linux

From the Severity Level dropdown list, select the desired vulnerability severity level.

User Identity

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

Under User Identity, select the following:

  • User Specified: endpoint user manually entered their personal information in FortiClient.
  • Social Network Login: endpoint user provided their personal information by logging in to their Google, LinkedIn, or Salesforce account in FortiClient. You can further select one of the following:
    • All Accounts: all endpoints where the user logged in to the specified social network account type.
    • Specified: enter a specific Google, LinkedIn, or Salesforce account. For example, you can enter joanexample@gmail.com to configure the rule to apply specifically to only that Google account. You can specify multiple social network accounts.

FortiSASE considers the endpoint as satisfying the rule if it satisfies one of the conditions.

You can also use the Negate option for the rule to require that the endpoint user has not manually entered user details or logged in to a social network account to allow FortiClient to obtain user details.

FortiClient iOS does not support social network login with LinkedIn or Salesforce. FortiClient Android does not support social network login with Salesforce.

Windows Security

  • Windows

From the Windows Security dropdown list, select the desired conditions. You can require that an endpoint have Windows Defender, BitLocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows Firewall enabled. You can also use the Negate option for the rule to require that the endpoint have Windows Defender, BitLocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows Firewall disabled.

The endpoint must satisfy all configured conditions to satisfy this rule.

Note

For some rule types, such as the Running Process rule type, the endpoint must satisfy all conditions to satisfy the rule. There may be situations where you want FortiSASE to apply the same tag to endpoints that satisfy different conditions. Consider that you want FortiSASE to tag endpoints that are running Process A or Process B as "RP". In this case, you can create two rule sets: one rule for endpoints running Process A and another for endpoints running Process B, both of which apply the "RP" tag to eligible endpoints.
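As an added example (not FortiSASE's own code), the following models the condition semantics this page describes for the Running Process and IP Range rule types and the Note's "RP" workaround: Running Process requires every condition (with Negate inverting a single condition), IP Range matches a single address, a dashed range, or an address with subnet and succeeds if any condition matches, and a tag is applied when any rule carrying it is satisfied. Endpoint data, process names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    processes: frozenset   # names of running processes (constructed sample data)


@dataclass(frozen=True)
class Condition:
    value: str             # process name, or IP address / dashed range / CIDR
    negate: bool = False


# Per this page, Running Process needs every condition (AND); IP Range is
# satisfied when any configured range or address matches (OR).
ALL_CONDITIONS = {"Running Process"}


def ip_matches(ip: str, spec: str) -> bool:
    """spec is a single address, a dashed range, or an address with subnet."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def condition_matches(rule_type: str, cond: Condition, ep: Endpoint) -> bool:
    if rule_type == "Running Process":
        hit = cond.value in ep.processes
    elif rule_type == "IP Range":
        hit = ip_matches(ep.ip, cond.value)
    else:
        raise ValueError(f"unsupported rule type: {rule_type}")
    return hit != cond.negate   # Negate inverts this one condition


def rule_satisfied(rule_type: str, conditions, ep: Endpoint) -> bool:
    hits = [condition_matches(rule_type, c, ep) for c in conditions]
    return all(hits) if rule_type in ALL_CONDITIONS else any(hits)


def tags_for(ep: Endpoint, rules) -> set:
    """rules: (tag, rule_type, conditions); a tag applies if any rule for it holds."""
    return {tag for tag, rt, conds in rules if rule_satisfied(rt, conds, ep)}


# Constructed rule sets: the two "RP" rules are the Note's workaround for
# "A or B"; "ab-not-c" is the page's A AND B AND NOT C pattern.
RULES = [
    ("RP", "Running Process", [Condition("ProcessA.exe")]),
    ("RP", "Running Process", [Condition("ProcessB.exe")]),
    ("ab-not-c", "Running Process", [Condition("ProcessA.exe"), Condition("ProcessB.exe"),
                                      Condition("ProcessC.exe", negate=True)]),
    ("corp-net", "IP Range", [Condition("10.0.0.0/8"), Condition("192.0.2.10-192.0.2.20")]),
]
```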
